Vulnerability Details : CVE-2014-8159
The InfiniBand (IB) implementation in the Linux kernel package before 2.6.32-504.12.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly restrict use of User Verbs for registration of memory regions, which allows local users to access arbitrary physical memory locations, and consequently cause a denial of service (system crash) or gain privileges, by leveraging permissions on a uverbs device under /dev/infiniband/.
Vulnerability category: Denial of service
Products affected by CVE-2014-8159
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-8159
0.13%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 33 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-8159
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
6.9
|
MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
3.4
|
10.0
|
NIST |
CWE ids for CVE-2014-8159
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-8159
-
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00011.html
[security-announce] SUSE-SU-2015:1491-1: important: Live patch for the LMailing List;Third Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2015-0726.html
RHSA-2015:0726 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2015-0870.html
RHSA-2015:0870 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2015-0674.html
RHSA-2015:0674 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2015-0782.html
RHSA-2015:0782 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2015-0803.html
RHSA-2015:0803 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://www.securitytracker.com/id/1032224
Linux Kernel Input Validation Flaw in Infiniband Lets Local Users Deny Service or Gain Elevated Privileges - SecurityTrackerThird Party Advisory;VDB Entry
-
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
Juniper Networks - 2015-10 Security Bulletin: CTPView: Multiple Vulnerabilities in CTPViewThird Party Advisory
-
http://www.securityfocus.com/bid/73060
Linux Kernel CVE-2014-8159 Local Privilege Escalation VulnerabilityThird Party Advisory;VDB Entry
-
http://www.ubuntu.com/usn/USN-2528-1
USN-2528-1: Linux kernel vulnerability | Ubuntu security noticesThird Party Advisory
-
http://www.debian.org/security/2015/dsa-3237
Debian -- Security Information -- DSA-3237-1 linuxThird Party Advisory
-
http://www.ubuntu.com/usn/USN-2529-1
USN-2529-1: Linux kernel (Utopic HWE) vulnerability | Ubuntu security noticesThird Party Advisory
-
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152747.html
[SECURITY] Fedora 22 Update: kernel-4.0.0-0.rc4.git0.1.fc22Mailing List;Third Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=1181166
1181166 – (CVE-2014-8159) CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory accessIssue Tracking;Third Party Advisory
-
http://www.ubuntu.com/usn/USN-2527-1
USN-2527-1: Linux kernel (Trusty HWE) vulnerability | Ubuntu security noticesThird Party Advisory
-
http://www.ubuntu.com/usn/USN-2526-1
USN-2526-1: Linux kernel vulnerability | Ubuntu security noticesThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00009.html
[security-announce] SUSE-SU-2015:1489-1: important: Live patch for the LMailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00004.html
[security-announce] SUSE-SU-2015:1478-1: important: Security update forMailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00008.html
[security-announce] SUSE-SU-2015:1488-1: important: Live patch for the LMailing List;Third Party Advisory
-
http://www.ubuntu.com/usn/USN-2530-1
USN-2530-1: Linux kernel vulnerability | Ubuntu security noticesThird Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2015-0751.html
RHSA-2015:0751 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00007.html
[security-announce] SUSE-SU-2015:1487-1: important: Live patch for the LMailing List;Third Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2015-0695.html
RHSA-2015:0695 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2015-0783.html
RHSA-2015:0783 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2015-0919.html
RHSA-2015:0919 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://www.ubuntu.com/usn/USN-2525-1
USN-2525-1: Linux kernel vulnerability | Ubuntu security noticesThird Party Advisory
-
http://www.ubuntu.com/usn/USN-2561-1
USN-2561-1: Linux kernel (OMAP4) vulnerabilities | Ubuntu security noticesThird Party Advisory
Jump to