CVE-2014-5206 : The do_remount function in fs/namespace.c in the Linux kernel through 3.16.1 does not maintain the MNT_LOCK

The do_remount function in fs/namespace.c in the Linux kernel through 3.16.1 does not maintain the MNT_LOCK_READONLY bit across a remount of a bind mount, which allows local users to bypass an intended read-only restriction and defeat certain sandbox protection mechanisms via a "mount -o remount" command within a user namespace.

Published 2014-08-18 11:15:27

Updated 2023-08-25 15:26:48

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2014-5206

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2014-5206

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2014-5206

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-5206

http://www.ubuntu.com/usn/USN-2317-1

USN-2317-1: Linux kernel (Trusty HWE) vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/69214

Linux Kernel CVE-2014-5206 Local Security Bypass Vulnerability
Third Party Advisory;VDB Entry
http://www.ubuntu.com/usn/USN-2318-1

USN-2318-1: Linux kernel vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=1129662

1129662 – (CVE-2014-5206, CVE-2014-5207) CVE-2014-5206 CVE-2014-5207 kernel: mount flags handling during remount
Issue Tracking;Patch;Third Party Advisory

CVEs referencing this url
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a6138db815df5ee542d848318e5dae681590fccd

kernel/git/torvalds/linux.git - Linux kernel source tree
Patch;Vendor Advisory
http://www.openwall.com/lists/oss-security/2014/08/13/4

oss-security - Re: CVE Request: ro bind mount bypass using user namespaces
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/torvalds/linux/commit/a6138db815df5ee542d848318e5dae681590fccd

mnt: Only change user settable mount flags in remount · torvalds/linux@a6138db · GitHub
Patch;Third Party Advisory

Products affected by CVE-2014-5206

Linux » Linux Kernel
Versions from including (>=) 3.8 and before (<) 3.10.55
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 3.11 and before (<) 3.12.27
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 3.15 and before (<) 3.16.3
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 3.13 and before (<) 3.14.19
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
Matching versions

Vulnerability Details : CVE-2014-5206

Exploit prediction scoring system (EPSS) score for CVE-2014-5206

CVSS scores for CVE-2014-5206

CWE ids for CVE-2014-5206

References for CVE-2014-5206

Products affected by CVE-2014-5206