CVE-2016-1583 — HIGH (7.8) — White Hats Nepal

Q: How severe is CVE-2016-1583?

CVE-2016-1583 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-1583?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Novell Suse Linux Enterprise Software Development Kit, Novell Suse Linux Enterprise Debuginfo, Novell Suse Linux Enterprise Desktop, Novell Suse Linux Enterprise Live Patching.

Vulnerability Description

The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Linux	Linux Kernel	>= 2.6.19, < 3.18.54
Novell	Suse Linux Enterprise Software Development Kit	11.0
Novell	Suse Linux Enterprise Debuginfo	11.0
Novell	Suse Linux Enterprise Desktop	12.0
Novell	Suse Linux Enterprise Live Patching	12.0
Novell	Suse Linux Enterprise Module For Public Cloud	12
Novell	Suse Linux Enterprise Server	11.0
Novell	Suse Linux Enterprise Workstation Extension	12.0
Canonical	Ubuntu Linux	12.04
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-119

References

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2f36dbVendor Advisory
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f5364cVendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00027.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00044.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00056.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00003.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00008.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00009.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00014.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00016.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00018.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00019.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2016-1583?

CVE-2016-1583 is a vulnerability with a CVSS score of 7.8 (HIGH). The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (stack memory consumption) via vector...

How severe is CVE-2016-1583?

CVE-2016-1583 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-1583?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Novell Suse Linux Enterprise Software Development Kit, Novell Suse Linux Enterprise Debuginfo, Novell Suse Linux Enterprise Desktop, Novell Suse Linux Enterprise Live Patching.