IoT Inspector Report - SEC Consult

IoT Inspector Report for IoT Inspector Version: 1.0 Date: 2019-05-15 Confidentiality class: Strictly Confidential


This report is strictly confidential and intended for internal, confidential use by the customer. The recipient is obligated to ensure that the highly confidential contents are kept secret on behalf of the organization. The recipient assumes responsibility for further distribution of this document. Furthermore, the security check is only an immediate evaluation of the situation at the time the check was performed. An evaluation of future security levels or possible future risks or vulnerabilities may not be derived from it.

Copyright ©2019 SEC Technologies


Contents

1 Management Summary

2 Approach
  2.1 Products/Firmware in Scope
  2.2 Analysis Methodology
  2.3 Plugins
    2.3.1 SSH authorized_keys detection
    2.3.2 CVE database lookup
    2.3.3 X.509 Certificate detection
    2.3.4 Software component detection
    2.3.5 Configuration vulnerability detection
    2.3.6 Hardcoded password detection
    2.3.7 Non-unique X.509 certificates and SSH host keys detection “House of Keys”
    2.3.8 Information leakage detection
    2.3.9 Management protocol detection
    2.3.10 No results found information
    2.3.11 Private Key detection
    2.3.12 Unwanted software detection
    2.3.13 Version based vulnerability detection
    2.3.14 Pattern based vulnerability detection
  2.4 Frequently Asked Questions

3 Result Overview

4 Results
  4.1 Cisco RV340 Dual WAN Gigabit VPN Router
    4.1.1 Firmware version 1.0.02.16 (ID: f6f7d05ba22e196b)


1. Management Summary

This is an automatically generated report by IoT Inspector, an IoT security analysis framework. The results documented in this report are entirely based on automated analysis of particular firmware files. No testing on live devices has been performed. This report covers one product consisting of 0 firmware versions.

Seven vulnerabilities with risk “High” were found. Three vulnerabilities with risk “Medium” were found. Two vulnerabilities with risk “Low” were found.


2. Approach

2.1 Products/Firmware in Scope

The following products and firmware versions are covered by this report:

• Cisco RV340 Dual WAN Gigabit VPN Router (Router)

2.2 Analysis Methodology

IoT Inspector uses static and dynamic analysis (planned) techniques to find vulnerabilities. Elements such as archives, filesystems and compressed data in uploaded firmware are extracted and imported into a database. Later on, plugins are used to analyze the data.

2.3 Plugins

IoT Inspector uses plugins to extract information from firmware. This chapter describes the plugins that were used to analyze the firmware in scope.

2.3.1 SSH authorized_keys detection

Detects entries in SSH authorized_keys files in the firmware filesystem.

2.3.2 CVE database lookup

References version information against the NIST National Vulnerability Database (NVD) feed. The feed is updated hourly. The risk of each vulnerability is based on the CVSS v2 base score provided by NIST. This plugin is capable of detecting 2506 vulnerabilities in total.

Note: The “prev” XML argument in the NVD feed (Version 1.2.1) is not parsed at the moment. This causes false negatives.

2.3.3 X.509 Certificate detection

Detects X.509 certificates in the firmware filesystem. The following certificate types are detected:

• PEM encoded certificates in the following formats:
  – BEGIN CERTIFICATE
  – BEGIN TRUSTED CERTIFICATE
  – BEGIN X509 CERTIFICATE
• DER/ASN1 encoded certificates
• DER/ASN1 encoded certificates in HEX-encoded form

2.3.4 Software component detection

Detects software components in the firmware filesystem and extracts version information. Release dates are available for some software. The following software components are detected:

• AllegroSoft RomPager
• Boa
• Boa (Hydra Modification)
• Broadcom CMS/libcms
• Broadcom bcmupnpd
• BusyBox (Release dates available)
• Dnsmasq
• Dropbear SSH (Release dates available)
• GNU Bash
• GNU glibc (Release dates available)
• Intel SDK for UPnP devices
• KCodes AIRPLAY
• KCodes BONJOUR
• KCodes FTP
• KCodes NetUSB
• KCodes PRINT
• KCodes SMB
• Linux Kernel (Release dates available)
• Linux Kernel (Release dates available)
• MiniIGD
• MiniUPnPd
• NCC / Leobox
• Network Time Foundation ntpd (Release dates available)
• OpenSSH
• OpenSSL (Release dates available)
• PHP
• PHP/FI
• Portable SDK for UPnP Devices
• Ralink Wireless Driver
• Samba
• SerComm scfmgr
• curl
• curl
• hostapd
• lighttpd
• mini_httpd
• uClibc (Release dates available)
• uClibc (Release dates available)
• uhttpd
• wpa_supplicant
• xmldbc embedded PHP (ephp)

2.3.5 Configuration vulnerability detection

Detects vulnerabilities in system configuration.

• Dangerous service launch: System launches dropbear, telnet or sshd during boot. Detection only via rcS and inetd.conf files for now.
• Insecure Android build configuration. Performs checks on the Android default.props file.

2.3.6 Hardcoded password detection

Detects hardcoded passwords in the firmware filesystem. The following types of passwords are detected:

• Linux crypt(3) DES hashes
• Linux crypt(3) type 1 hashes (MD5)
• Linux crypt(3) type 5 hashes (SHA-256)
• Linux crypt(3) type 6 hashes (SHA-512)
• Users with empty passwords in passwd and shadow files

2.3.7 Non-unique X.509 certificates and SSH host keys detection “House of Keys”

Detects non-unique X.509 certificates or SSH host keys in firmware.

References

• VU#566724 in CERT-CC Vulnerability Notes Database
• SEC Consult Blog Post

2.3.8 Information leakage detection

Detects information artifacts that are unintentionally leaked during the firmware development/build process, such as internal hostnames, IPs, URLs and usernames. This information is useful for an attacker in an information gathering phase of an attack against the organization that develops the firmware. This information could be used in further attacks. The following types of information are detected:

• SVN Repositories: Information leakage through Apache Subversion (SVN) files.
• VIM swap files: Information leakage through VIM editor swap files.

2.3.9 Management protocol detection

Detects implementations of management protocols. The following protocols are detected:

• DLNA (Digital Living Network Alliance Protocol)
• Dahua “Lechange” P2P Platform
• Dahua “easy4ip” P2P Platform
• Goolink P2P Platform
• Gwelltimes “Cloud-Links” Platform
• HNAP (Home Network Administration Protocol)
• Macro-video Monitoring Platform
• ONVIF
• Ozvision Cloud Platform
• PPPP P2P Platform
• TR-064 (LAN-Side DSL CPE Configuration)
• TR-069 (CPE WAN Management Protocol “CWMP”)
• ThroughTek TUTK Kalay Platform a.k.a. IOTC
• UPnP (Universal Plug and Play)
• Uniview “EZCloud” P2P Platform
• Wi-Fi Protected Setup (WPS)
• Xiongmai “XMeye” P2P Platform

2.3.10 No results found information

Provides some further information for cases where no results were found during the plugin analysis.

2.3.11 Private Key detection

Detects RSA/DSA private keys in the firmware filesystem. The following private key types are detected:

• PEM encoded private keys in the following formats:
  – BEGIN PRIVATE KEY
  – BEGIN RSA PRIVATE KEY
  – BEGIN DSA PRIVATE KEY
  – BEGIN X509 CERTIFICATE
• DER/ASN1 encoded private keys
• DER/ASN1 encoded private keys in HEX-encoded form
• Dropbear SSH host keys
• Encrypted private keys if decryption is possible (wordlist attack)

Not detected:

• Encrypted PKCS#8 encoded private keys

2.3.12 Unwanted software detection

Detects software that enables an attacker to do vulnerability analysis and post exploitation. The following software is detected:

• GNU Debugger (gdb)
• GNU Debugger (gdbserver)
• tcpdump

2.3.13 Version based vulnerability detection

Detects vulnerabilities based on version information found in the firmware. The following vulnerabilities are detected:

• AllegroSoft RomPager: Cookie processing vulnerability “Misfortune Cookie”
• AllegroSoft RomPager: Cross-Site scripting
• AllegroSoft RomPager: Denial of Service
• Dnsmasq: Multiple Buffer overflows, Denial of Service, Information Disclosure
• GNU Bash: GNU Bash shell executes commands in exported functions in environment variables “Shellshock”
• GNU glibc: __nss_hostname_digits_dots() buffer overflow “GHOST”
• GNU glibc: getaddrinfo() buffer overflow
• Intel SDK for UPnP devices: Multiple buffer overflows
• Linux Kernel: Privilege Escalation “Half-Nelson”
• Linux Kernel: Privilege Escalation “Mempodipper”
• Linux Kernel: Privilege Escalation “pp_key”
• Linux Kernel: Privilege Escalation “sock_sendpage”
• MiniUPnPd: Buffer overflow
• OpenSSL: TLS heartbeat extension read overflow information disclosure “Heartbleed”
• Portable SDK for UPnP Devices: Multiple buffer overflows

2.3.14 Pattern based vulnerability detection

Detects vulnerabilities based on patterns found in the firmware. The following vulnerabilities are detected:

• AMX Batman Backdoor Account
• AMX BlackWidow Backdoor Account
• Boa MFT Backdoor
• D-Link router_info.xml Local File Inclusion
• Gongjin Electronics (T&W) webproc.cgi
• KCodes NetUSB Remote Kernel Stack Buffer Overflow
• Linksys getstinfo.cgi WPA Key Disclosure
• MiniIGD OS Command Injection
• NETGEAR BRS_netgear_success.html Authentication Bypass
• NETGEAR downloadFile.php authentication bypass
• NETGEAR/Linksys VPN Router SQL Injection
• Tenda Backdoor
• Ubiquiti Networks pingtest_action.cgi Command Injection
• Zyxel / Huawei WiMAX CPE Authentication Bypass

2.4 Frequently Asked Questions

Does IoT Inspector replace security audits of embedded devices?

IoT Inspector is intended to work alongside traditional, manual security audits. It comes with comprehensive vulnerability detection capabilities and provides instant results. These results give insight into the security posture of a product. IoT Inspector provides continuous coverage for uploaded firmware. You will receive alerts as soon as a new vulnerability is detected by IoT Inspector (planned).

Vulnerabilities found in traditional, manual security audits can be integrated into IoT Inspector plugins. These vulnerabilities can then be detected in all firmwares covered by IoT Inspector. This allows organisations to check if the results of one particular security audit are applicable to other products in their inventory.

IoT Inspector detected hundreds of vulnerabilities affecting outdated components in my firmware inventory. Are they exploitable?

Proving that a vulnerability is not exploitable is oftentimes much harder than just updating the component to the most recent version. Our recommendation is to spend time/effort on fixing vulnerabilities rather than determining under which conditions they are exploitable. This minimizes the risk of having exploitable vulnerabilities in firmware.


3. Result Overview

Findings are classified according to severity as High, Medium, Low or Information. This reflects the likely impact of each issue.

Findings are also classified according to confidence as Certain, Firm or Tentative. This reflects the reliability of the technique that was used to identify the vulnerability. Table 3.1 shows the numbers of findings identified in different categories.

Table 3.1: Finding summary (rows: Severity; columns: Confidence)

Severity       Certain   Firm   Tentative   Total
High           0         1      6           7
Medium         0         0      3           3
Low            2         0      0           2
Information    3         1      0           4

Table 3.2 shows the most common vulnerabilities overall. Vulnerability totals are calculated on a per firmware basis. Findings with severity Information are not included. Top 10 findings only.

Table 3.2: Vulnerability totals on a per firmware basis (Top 10 findings only)

Vulnerability                                    Total
curl CVE entries (short form)                    1
Unwanted software: tcpdump                       1
Unwanted software: GNU Debugger (gdb)            1
OpenSSL CVE entries (short form)                 1
MiniUPnPd CVE entries (short form)               1
Linux Kernel Privilege Escalation “pp_key”       1
Linux Kernel CVE entries (short form)            1
Hardcoded password hashes                        1
GNU glibc getaddrinfo() buffer overflow          1
GNU glibc CVE entries (short form)               1


Table 3.3 shows vulnerabilities on a per firmware basis. Findings with severity Information are not included.

#    Vulnerability                                  Severity   Confidence   Page

Cisco RV340 Dual WAN Gigabit VPN Router
Firmware version 1.0.02.16 (ID: f6f7d05ba22e196b)                           12

1    BusyBox CVE entries (short form)               High       Tentative    12
2    curl CVE entries (short form)                  High       Tentative    15
3    GNU glibc CVE entries (short form)             High       Tentative    24
4    GNU glibc getaddrinfo() buffer overflow        High       Tentative    37
5    Hardcoded password hashes                      High       Firm         38
6    Linux Kernel CVE entries (short form)          High       Tentative    39
7    MiniUPnPd CVE entries (short form)             High       Tentative    179
8    Dnsmasq CVE entries (short form)               Medium     Tentative    180
9    Linux Kernel Privilege Escalation “pp_key”     Medium     Tentative    181
10   OpenSSL CVE entries (short form)               Medium     Tentative    182
11   Unwanted software: GNU Debugger (gdb)          Low        Certain      185
12   Unwanted software: tcpdump                     Low        Certain      186


4. Results

This chapter contains the results of the analysis.

4.1 Cisco RV340 Dual WAN Gigabit VPN Router

4.1.1 Firmware version 1.0.02.16 (ID: f6f7d05ba22e196b)

Firmware version 1.0.02.16 released on 2019-01-01. The original file names of the firmware are:

The firmware was uploaded on .

The operating system of the firmware is likely based on Linux. The CPU architecture of the firmware is likely ARM.

BusyBox CVE entries (short form)

Finding ID: 1
Severity: High
Confidence: Tentative

The firmware contains BusyBox versions affected by seven published vulnerabilities. For brevity several vulnerabilities in BusyBox are summarized in this short form vulnerability. The severity of this vulnerability is determined by the vulnerability with the highest risk.

Table 4.1

CVE-ID: CVE-2016-2148
Published on: 2017-02-09
Description: Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.
Severity: High
Vulnerable version(s): 1.23.2

CVE-ID: CVE-2016-6301
Published on: 2016-12-09
Description: The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.
Severity: High
Vulnerable version(s): 1.23.2

CVE-ID: CVE-2015-9261
Published on: 2018-07-26
Description: huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.
Severity: Medium
Vulnerable version(s): 1.23.2

CVE-ID: CVE-2016-2147
Published on: 2017-02-09
Description: Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.
Severity: Medium
Vulnerable version(s): 1.23.2

CVE-ID: CVE-2017-16544
Published on: 2017-11-20
Description: In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.
Severity: Medium
Vulnerable version(s): 1.23.2

CVE-ID: CVE-2018-20679
Published on: 2019-01-09
Description: An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.
Severity: Medium
Vulnerable version(s): 1.23.2

CVE-ID: CVE-2019-5747
Published on: 2019-01-09
Description: An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.
Severity: Medium
Vulnerable version(s): 1.23.2


curl CVE entries (short form)

Finding ID: 2
Severity: High
Confidence: Tentative

The firmware contains curl versions affected by 35 published vulnerabilities. For brevity several vulnerabilities in curl are summarized in this short form vulnerability. The severity of this vulnerability is determined by the vulnerability with the highest risk.

CVE-ID Description Severity Vulnerableversion(s)

CVE-2015-3144Published on2015-04-24

The fix_hostname function in cURL andlibcurl 7.37.0 through 7.41.0 does notproperly calculate an index, which allowsremote attackers to cause a denial of ser-vice (out-of-bounds read or write andcrash) or possibly have other unspecifiedimpact via a zero-length host name, asdemonstrated by “http://:80” and “:80.”According to the vulnerability’s CVSSv2 rat-ing, the vulnerability can be exploited re-motely.

High 7.40.0

CVE-2015-3145Published on2015-04-24

The sanitize_cookie_path function incURL and libcurl 7.31.0 through 7.41.0does not properly calculate an index,which allows remote attackers to causea denial of service (out-of-bounds writeand crash) or possibly have other unspec-ified impact via a cookie path containingonly a double-quote character.According to the vulnerability’s CVSSv2rating, the vulnerability can be exploitedremotely.

High 7.40.0

CVE-2016-8618Published on2018-07-31

The libcurl API function called curl_maprintf() before version 7.51.0 can betricked into doing a double-free due to anunsafe size_tmultiplication, on systemsusing 32 bit size_t variables.According to the vulnerability’s CVSSv2 rat-ing, the vulnerability can be exploited re-motely.

High 7.40.0

CVE-2016-8619Published on2018-08-01

The functionread_data() in security.c incurl before version 7.51.0 is vulnerable tomemory double free.According to the vulnerability’s CVSSv2 rat-ing, the vulnerability can be exploited re-motely.

High 7.40.0

Continued on next page

©SEC Technologies Strictly Confidential Page 15 of 210

Page 16: IoTInspectorReport - SEC Consult · IoTInspectorReportforIoTInspector Date:2019-05-15 2.3Plugins – BEGIN TRUSTED CERTIFICATE – BEGIN X509 CERTIFICATE • DER/ASN1encodedcertificates

IoT Inspector Report for IoT InspectorDate: 2019-05-15 4.1 Cisco RV340 Dual WAN Gigabit VPN Router

Table 4.2 – Continued from previous pageCVE-ID Description Severity Vulnerable

version(s)CVE-2016-8620Published on2018-08-01

The ‘globbing’ feature in curl before ver-sion 7.51.0 has a flaw that leads to integeroverflow and out-of-bounds read via usercontrolled input.According to the vulnerability’s CVSSv2 rat-ing, the vulnerability can be exploited re-motely.

High 7.40.0

CVE-2016-9953Published on2018-03-12

The verify_certificate function in lib/vtl-s/schannel.c in libcurl 7.30.0 through7.51.0, when built for Windows CE usingthe schannel TLS backend, allows remoteattackers to obtain sensitive information,cause a denial of service (crash), or pos-sibly have unspecified other impact via awildcard certificate name, which triggersan out-of-bounds read.According to the vulnerability’s CVSSv2 rat-ing, the vulnerability can be exploited re-motely.

High 7.40.0

CVE-2017-8816Published on2017-11-29

The NTLM authentication feature in curland libcurl before 7.57.0 on 32-bit plat-forms allows attackers to cause a denialof service (integer overflow and resultantbuffer overflow, and application crash) orpossibly have unspecified other impactvia vectors involving long user and pass-word fields.According to the vulnerability’s CVSSv2 rat-ing, the vulnerability can be exploited re-motely.

High 7.40.0

CVE-2017-8817Published on2017-11-29

The FTP wildcard function in curl andlibcurl before 7.57.0 allows remote attack-ers to cause a denial of service (out-of-bounds read and application crash) orpossibly have unspecified other impactvia a string that ends with an ‘[’ character.According to the vulnerability’s CVSSv2 rat-ing, the vulnerability can be exploited re-motely.

High 7.40.0

Continued on next page

©SEC Technologies Strictly Confidential Page 16 of 210

Page 17: IoTInspectorReport - SEC Consult · IoTInspectorReportforIoTInspector Date:2019-05-15 2.3Plugins – BEGIN TRUSTED CERTIFICATE – BEGIN X509 CERTIFICATE • DER/ASN1encodedcertificates

IoT Inspector Report for IoT InspectorDate: 2019-05-15 4.1 Cisco RV340 Dual WAN Gigabit VPN Router

Table 4.2 – Continued from previous pageCVE-ID Description Severity Vulnerable

version(s)CVE-2018-16839Published on2018-10-31

Curl versions 7.33.0 through 7.61.1 arevulnerable to a buffer overrun in the SASLauthentication code that may lead to de-nial of service.According to the vulnerability’s CVSSv2 rat-ing, the vulnerability can be exploited re-motely.

High 7.40.0

CVE-2015-3143Published on2015-04-24

cURL and libcurl 7.10.6 through 7.41.0does not properly re-use NTLM connec-tions, which allows remote attackers toconnect as other users via an unauthenti-cated request, a similar issue toCVE-2014-0015.According to the vulnerability’s CVSSv2 rat-ing, the vulnerability can be exploited re-motely.

Medium 7.40.0

CVE-2015-3148Published on2015-04-24

cURL and libcurl 7.10.6 through 7.41.0 donot properly re-use authenticated Nego-tiate connections, which allows remoteattackers to connect as other users via arequest.According to the vulnerability’s CVSSv2 rat-ing, the vulnerability can be exploited re-motely.

Medium 7.40.0

CVE-2015-3153Published on2015-05-01

The default configuration for cURL andlibcurl before 7.42.1 sends custom HTTPheaders to both the proxy and destina-tion server, which might allow remoteproxy servers to obtain sensitive informa-tion by reading the header contents.According to the vulnerability’s CVSSv2 rat-ing, the vulnerability can be exploited re-motely.

Medium 7.40.0

CVE-2015-3236Published on2015-06-22

cURL and libcurl 7.40.0 through 7.42.1send the HTTP Basic authentication cre-dentials for a previous connection whenreusing a reset (curl_easy_reset) connec-tion handle to send a request to the samehost name, which allows remote attack-ers to obtain sensitive information via un-specified vectors.According to the vulnerability’s CVSSv2 rat-ing, the vulnerability can be exploited re-motely.

Medium 7.40.0

Continued on next page

©SEC Technologies Strictly Confidential Page 17 of 210

Page 18: IoTInspectorReport - SEC Consult · IoTInspectorReportforIoTInspector Date:2019-05-15 2.3Plugins – BEGIN TRUSTED CERTIFICATE – BEGIN X509 CERTIFICATE • DER/ASN1encodedcertificates

IoT Inspector Report for IoT InspectorDate: 2019-05-15 4.1 Cisco RV340 Dual WAN Gigabit VPN Router

Table 4.2 – Continued from previous pageCVE-ID Description Severity Vulnerable

version(s)CVE-2015-3237Published on2015-06-22

The smb_request_state function in cURLand libcurl 7.40.0 through 7.42.1 allowsremote SMB servers to obtain sensitive in-formation frommemory or cause a denialof service (out-of-bounds read and crash)via crafted length and offset values.According to the vulnerability’s CVSSv2 rat-ing, the vulnerability can be exploited re-motely.

Medium 7.40.0

CVE-2016-0754Published on2016-01-29

cURL before 7.47.0 onWindows allows at-tackers towrite to arbitrary files in the cur-rentworkingdirectory on adifferent drivevia a colon in a remote file name.According to the vulnerability’s CVSSv2 rat-ing, the vulnerability can be exploited re-motely.

Medium 7.40.0

CVE-2016-0755Published on2016-01-29

The ConnectionExists function in lib/url.cin libcurl before 7.47.0 does not properlyre-use NTLM-authenticated proxy con-nections, which might allow remote at-tackers to authenticate as other users viaa request, a similar issue to CVE-2014-0015.According to the vulnerability’s CVSSv2 rat-ing, the vulnerability can be exploited re-motely.

Medium 7.40.0

CVE-2016-4802Published on2016-06-24

Multiple untrusted search path vulnera-bilities in cURL and libcurl before 7.49.1,when built with SSPI or telnet is en-abled, allow local users to execute arbi-trary code and conduct DLL hijacking at-tacks via a Trojan horse (1) security.dll, (2)secur32.dll, or (3) ws2_32.dll in the appli-cation or current working directory.According to the vulnerability’s CVSSv2 rat-ing, local access is necessary to exploit thevulnerability.

Medium 7.40.0

Continued on next page

©SEC Technologies Strictly Confidential Page 18 of 210

Page 19: IoTInspectorReport - SEC Consult · IoTInspectorReportforIoTInspector Date:2019-05-15 2.3Plugins – BEGIN TRUSTED CERTIFICATE – BEGIN X509 CERTIFICATE • DER/ASN1encodedcertificates

IoT Inspector Report for IoT InspectorDate: 2019-05-15 4.1 Cisco RV340 Dual WAN Gigabit VPN Router

Table 4.2 – Continued from previous pageCVE-ID Description Severity Vulnerable

version(s)CVE-2016-8615Published on2018-08-01

A flaw was found in curl before version7.51. If cookie state is written into acookie jar file that is later read back andused for subsequent requests, amaliciousHTTP server can inject new cookies for ar-bitrary domains into said cookie jar.According to the vulnerability’s CVSSv2 rat-ing, the vulnerability can be exploited re-motely.

Medium 7.40.0

CVE-2016-8616Published on2018-08-01

A flaw was found in curl before version7.51.0 When re-using a connection, curlwas doing case insensitive comparisonsof user nameandpasswordwith theexist-ing connections. Thismeans that if an un-used connection with proper credentialsexists for a protocol that has connection-scoped credentials, an attacker can causethat connection to be reused if s/heknows the case-insensitive version of thecorrect password.According to the vulnerability’s CVSSv2 rat-ing, the vulnerability can be exploited re-motely.

Medium 7.40.0

CVE-2016-8617Published on2018-08-01

Thebase64encode function in curl beforeversion 7.51.0 is prone to a buffer beingunder allocated in 32bit systems if it re-ceives at least 1Gb as input via CURLOPT_USERNAME.According to the vulnerability’s CVSSv2 rat-ing, local access is necessary to exploit thevulnerability.

Medium 7.40.0

CVE-2016-8621 Published on 2018-08-01

The curl_getdate function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 7.40.0

CVE-2016-8623 Published on 2018-08-01

A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 7.40.0

CVE-2016-8624 Published on 2018-07-31

curl before version 7.51.0 doesn’t parse the authority component of the URL correctly when the host name part ends with a ‘#’ character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 7.40.0

CVE-2016-8625 Published on 2018-08-01

curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 7.40.0

CVE-2016-9586 Published on 2018-04-23

curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl’s implementation of the printf() functions. If there is any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 7.40.0

CVE-2016-9594 Published on 2018-04-23

curl before version 7.52.1 is vulnerable to an uninitialized random in libcurl’s internal function that returns a good 32bit random value. Having a weak or virtually non-existent random value makes the operations that use it vulnerable. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 7.40.0

CVE-2016-9952 Published on 2018-03-12

The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted wildcard SAN in a server certificate, as demonstrated by “*.com.” According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 7.40.0

CVE-2017-1000101 Published on 2017-10-05

curl supports “globbing” of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be http://ur%20[0-60000000000000000000. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 7.40.0

CVE-2017-2629 Published on 2018-07-27

curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server’s certificate’s validity in the code that checks for a test success or failure. It ends up always thinking there’s valid proof, even when there is none or if the server doesn’t support the TLS extension in question. This could lead to users not detecting when a server’s certificate goes invalid or otherwise be misled that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status). According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 7.40.0

CVE-2017-9502 Published on 2017-06-14

In curl before 7.54.1 on Windows and DOS, libcurl’s default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given “URL” starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string “file://”). According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 7.40.0

CVE-2018-1000121 Published on 2018-03-14

A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of service. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 7.40.0

CVE-2018-1000122 Published on 2018-03-14

A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 7.40.0

CVE-2018-1000301 Published on 2018-05-24

curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 7.40.0

CVE-2018-16842 Published on 2018-10-31

Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 7.40.0

CVE-2016-3739 Published on 2016-05-20

The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Low 7.40.0

GNU glibc CVE entries (short form)

Finding ID 3
Severity High
Confidence Tentative

The firmware contains GNU glibc versions affected by 44 published vulnerabilities. For brevity several vulnerabilities in GNU glibc are summarized in this short form vulnerability. The severity of this vulnerability is determined by the vulnerability with the highest risk.

CVE-ID Description Severity Vulnerable version(s)

CVE-2014-4043 Published on 2014-10-07

The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 2.19

CVE-2014-9402 Published on 2015-02-24

The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being processed. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 2.19

CVE-2014-9761 Published on 2016-04-19

Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 2.19

CVE-2014-9984 Published on 2017-06-12

nscd in the GNU C Library (aka glibc or libc6) before version 2.20 does not correctly compute the size of an internal buffer when processing netgroup requests, possibly leading to an nscd daemon crash or code execution as the user running nscd. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 2.19

CVE-2015-1472 Published on 2015-04-08

The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka glibc or libc6) before 2.21 does not properly consider data-type size during memory allocation, which allows context-dependent attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long line containing wide characters that are improperly handled in a wscanf call. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 2.19

CVE-2015-5277 Published on 2015-12-17

The get_contents function in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) before 2.20 might allow local users to cause a denial of service (heap corruption) or gain privileges via a long line in the NSS files database. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 2.19

CVE-2015-8778 Published on 2016-04-19

Integer overflow in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via the size argument to the __hcreate_r function, which triggers out-of-bounds heap-memory access. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 2.19

CVE-2015-8779 Published on 2016-04-19

Stack-based buffer overflow in the catopen function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long catalog name. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 2.19

CVE-2017-1000366 Published on 2017-06-19

glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 2.19

CVE-2017-15670 Published on 2017-10-20

The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 2.19

CVE-2017-15804 Published on 2017-10-22

The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 2.19

CVE-2017-16997 Published on 2017-12-18

elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretation of an empty RPATH/RUNPATH token as the “./” directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 2.19

CVE-2018-1000001 Published on 2018-01-31

In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 2.19

CVE-2018-11236 Published on 2018-05-18

stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 2.19

CVE-2018-6485 Published on 2018-02-01

An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 2.19

CVE-2019-9169 Published on 2019-02-26

In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 2.19

CVE-2009-5155 Published on 2019-02-26

In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2013-7423 Published on 2015-02-24

The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2014-0475 Published on 2014-07-29

Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2014-6040 Published on 2014-12-05

GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of “0xffff” to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2014-8121 Published on 2015-03-27

DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up on a database while iterating over it, which triggers the file pointer to be reset. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2015-1473 Published on 2015-04-08

The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka glibc or libc6) before 2.21 does not properly consider data-type size during a risk-management decision for use of the alloca function, which might allow context-dependent attackers to cause a denial of service (segmentation violation) or overwrite memory locations beyond the stack boundary via a long line containing wide characters that are improperly handled in a wscanf call. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2015-1781 Published on 2015-09-28

Buffer overflow in the gethostbyname_r and other unspecified NSS functions in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response, which triggers a call with a misaligned buffer. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2015-5180 Published on 2017-06-27

res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash). According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2015-7547 Published on 2016-02-18

Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing “dual A/AAAA DNS queries” and the libnss_dns.so.2 NSS module. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2015-8776 Published on 2016-04-19

The strftime function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly obtain sensitive information via an out-of-range time value. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2015-8982 Published on 2017-03-15

Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2015-8983 Published on 2017-03-20

Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2015-8984 Published on 2017-03-20

The fnmatch function in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash) via a malformed pattern, which triggers an out-of-bounds read. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2016-10228 Published on 2017-03-02

The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2016-10739 Published on 2019-01-21

In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 2.19

CVE-2016-3075 Published on 2016-06-01

Stack-based buffer overflow in the nss_dns implementation of the getnetbyname function in GNU C Library (aka glibc) before 2.24 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a long name. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2016-5417 Published on 2017-02-17

Memory leak in the __res_vinit function in the IPv6 name server management code in libresolv in GNU C Library (aka glibc or libc6) before 2.24 allows remote attackers to cause a denial of service (memory consumption) by leveraging partial initialization of internal resolver data structures. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2016-6323 Published on 2016-10-07

The makecontext function in the GNU C Library (aka glibc or libc6) before 2.25 creates execution contexts incompatible with the unwinder on ARM EABI (32-bit) platforms, which might allow context-dependent attackers to cause a denial of service (hang), as demonstrated by applications compiled using gccgo, related to backtrace generation. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2017-12132 Published on 2017-08-01

The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2017-12133 Published on 2017-09-07

Use-after-free vulnerability in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) before 2.26 allows remote attackers to have unspecified impact via vectors related to error path. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2017-15671 Published on 2017-10-20

The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak). According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2018-11237 Published on 2018-05-18

An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 2.19

CVE-2018-19591 Published on 2018-12-04

In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2018-20796 Published on 2019-02-26

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by ‘(\227|)(\1\1|t1|\\2537)+’ in grep. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19

CVE-2019-6488 Published on 2019-01-18

The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 2.19

CVE-2019-9192 Published on 2019-02-26

** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by ’(|)(\1\1)*’ in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 2.19


CVE-2015-8777 Published on 2016-01-20

The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 2.19

CVE-2019-7309 Published on 2019-02-03

In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 2.19


GNU glibc getaddrinfo() buffer overflow

Finding ID 4
Severity High
Confidence Tentative

The firmware contains GNU glibc versions affected by getaddrinfo() buffer overflow. Vulnerable version 2.19 of GNU glibc was found in the firmware. The vulnerability affects GNU glibc versions 2.9 through 2.22 and was published on 2016-02-17. The version matches one file in the firmware. The version information was obtained from the following file:

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/libc-2.19.so

References
• CVE-2015-7547 in NIST National Vulnerability Database (NVD)
• VU#457759 in CERT-CC Vulnerability Notes Database


Hardcoded password hashes

Finding ID 5
Severity High
Confidence Firm

Five distinct passwords were found in the firmware. Depending on which services are started at runtime, an attacker can log in via the serial port (physical access required), Telnet and/or SSH.

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/confd/cdb/config_init.xml contains the following hardcoded passwords:

Password Hash Plaintext User name(s)

$1$5Q5b/7cc$xyslIcrVzIq0Jc75RfDRw1 (Type: MD5 (Unix)) guest
$1$UxUxowL4$DEDAVDke5lVeqzk0Rj2oW1 (Type: MD5 (Unix)) cisco

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/confd/fxs/_tailf-common.fxs.extracted/7FC contains the following hardcoded passwords:

Password Hash Plaintext User name(s)

$1$fB$ndk2z/PIS0S1SvzWLqTJb. (Type: MD5 (Unix)) N/A

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/confd/yang/tailf-common.yang contains the following hardcoded passwords:

Password Hash Plaintext User name(s)

$1$fB$ndk2z/PIS0S1SvzWLqTJb. (Type: MD5 (Unix)) N/A

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/shadow contains the following hardcoded passwords:

Password Hash Plaintext User name(s)

$1$hPNSjUZA$7eKqEpqVYltt9xJ6f0OGf0 (Type: MD5 (Unix)) N/A root
$1$.AAm0iJ4$na9wZwly9pSrdS8MhcGKw/ (Type: MD5 (Unix)) N/A admin


Linux Kernel CVE entries (short form)

Finding ID 6
Severity High
Confidence Tentative

The firmware contains Linux Kernel versions affected by 512 published vulnerabilities. For brevity, several vulnerabilities in Linux Kernel are summarized in this short form vulnerability. The severity of this vulnerability is determined by the vulnerability with the highest risk.

CVE-ID Description Severity Vulnerable version(s)

CVE-2013-7445 Published on 2015-10-16

The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated by JavaScript code that creates many CANVAS elements for rendering by Chrome or Firefox. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2015-0569 Published on 2016-05-09

Heap-based buffer overflow in the private wireless extensions IOCTL implementation in wlan_hdd_wext.c in the WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via a crafted application that establishes a packet filter. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8


CVE-2015-0570 Published on 2016-05-09

Stack-based buffer overflow in the SET_WPS_IE IOCTL implementation in wlan_hdd_hostapd.c in the WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via a crafted application that uses a long WPS IE element. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2015-0571 Published on 2016-05-09

The WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify authorization for private SET IOCTL calls, which allows attackers to gain privileges via a crafted application, related to wlan_hdd_hostapd.c and wlan_hdd_wext.c. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2015-8539 Published on 2016-02-08

The KEYS subsystem in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (BUG) via crafted keyctl commands that negatively instantiate a key, related to security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and security/keys/user_defined.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2015-8660 Published on 2015-12-28

The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2015-8787 Published on 2016-02-08

The nf_nat_redirect_ipv4 function in net/netfilter/nf_nat_redirect.c in the Linux kernel before 4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by sending certain IPv4 packets to an incompletely configured interface, a related issue to CVE-2003-1604. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2015-8812 Published on 2016-04-27

drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 does not properly identify error conditions, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted packets. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2015-8816 Published on 2016-04-27

The hub_activate function in drivers/usb/core/hub.c in the Linux kernel before 4.3.5 does not properly maintain a hub-interface data structure, which allows physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2015-8961 Published on 2016-11-16

The __ext4_journal_stop function in fs/ext4/ext4_jbd2.c in the Linux kernel before 4.3.3 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging improper access to a certain error field. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2015-8962 Published on 2016-11-16

Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2015-8963 Published on 2016-11-16

Race condition in kernel/events/core.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect handling of an swevent data structure during a CPU unplug operation. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2015-8964 Published on 2016-11-16

The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel before 4.5 allows local users to obtain sensitive information from kernel memory by reading a tty data structure. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2015-8966 Published on 2016-12-08

arch/arm/kernel/sys_oabi-compat.c in the Linux kernel before 4.4 allows local users to gain privileges via a crafted (1) F_OFD_GETLK, (2) F_OFD_SETLK, or (3) F_OFD_SETLKW command in an fcntl64 system call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2016-0728 Published on 2016-02-08

The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-0758 Published on 2016-06-27

Integer overflow in lib/asn1_decoder.c in the Linux kernel before 4.6 allows local users to gain privileges via crafted ASN.1 data. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-10044 Published on 2017-02-07

The aio_mount function in fs/aio.c in the Linux kernel before 4.7.7 does not properly restrict execute access, which makes it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-10150 Published on 2017-02-06

Use-after-free vulnerability in the kvm_ioctl_create_device function in virt/kvm/kvm_main.c in the Linux kernel before 4.8.13 allows host OS users to cause a denial of service (host OS crash) or possibly gain privileges via crafted ioctl calls on the /dev/kvm device. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8


CVE-2016-10229 Published on 2017-04-04

udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2016-1575 Published on 2016-05-02

The overlayfs implementation in the Linux kernel through 4.5.2 does not properly maintain POSIX ACL xattr data, which allows local users to gain privileges by leveraging a group-writable setgid directory. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-1576 Published on 2016-05-02

The overlayfs implementation in the Linux kernel through 4.5.2 does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an overlayfs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-1583 Published on 2016-06-27

The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive page-fault handling. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2016-2070 Published on 2016-05-02

The tcp_cwnd_reduction function in net/ipv4/tcp_input.c in the Linux kernel before 4.3.5 allows remote attackers to cause a denial of service (divide-by-zero error and system crash) via crafted TCP traffic. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2016-3134 Published on 2016-04-27

The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-3135 Published on 2016-04-27

Integer overflow in the xt_alloc_table_info function in net/netfilter/x_tables.c in the Linux kernel through 4.5.2 on 32-bit platforms allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-3841 Published on 2016-08-06

The IPv6 stack in the Linux kernel before 4.3.3 mishandles options data, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2016-3955 Published on 2016-07-03

The usbip_recv_xbuff function in drivers/usb/usbip/usbip_common.c in the Linux kernel before 4.5.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted length value in a USB/IP packet. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2016-4440 Published on 2016-06-27

arch/x86/kvm/vmx.c in the Linux kernel through 4.6.3 mishandles the APICv on/off state, which allows guest OS users to obtain direct APIC MSR access on the host OS, and consequently cause a denial of service (host OS crash) or possibly execute arbitrary code on the host OS, via x2APIC mode. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-4557 Published on 2016-05-23

The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-4565 Published on 2016-05-23

The InfiniBand (aka IB) stack in the Linux kernel before 4.5.3 incorrectly relies on the write system call, which allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2016-4568 Published on 2016-05-23

drivers/media/v4l2-core/videobuf2-v4l2.c in the Linux kernel before 4.5.3 allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a crafted number of planes in a VIDIOC_DQBUF ioctl call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-4794 Published on 2016-05-23

Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-4805 Published on 2016-05-23

Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel before 4.5.2 allows local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-4913 Published on 2016-05-23

The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM (aka alternate name) entries containing \0 characters, which allows local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2016-4951 Published on 2016-05-23

The tipc_nl_publ_dump function in net/tipc/socket.c in the Linux kernel through 4.6 does not verify socket existence, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a dumpit operation. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-4997 Published on 2016-07-03

The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-5828 Published on 2016-06-27

The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel through 4.6.3 on powerpc platforms mishandles transactional state, which allows local users to cause a denial of service (invalid process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by starting and suspending a transaction before an exec system call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2016-5829 Published on 2016-06-27

Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-6187 Published on 2016-08-06

The apparmor_setprocattr function in security/apparmor/lsm.c in the Linux kernel before 4.6.5 does not validate the buffer size, which allows local users to gain privileges by triggering an AppArmor setprocattr hook. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-7039 Published on 2016-10-16

The IP stack in the Linux kernel through 4.8.2 allows remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for large crafted packets, as demonstrated by packets that contain only VLAN headers, a related issue to CVE-2016-8666. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2016-7117 Published on 2016-10-10

Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel before 4.5.2 allows remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8


CVE-2016-7425 Published on 2016-10-16

The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-7910 Published on 2016-11-16

Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel before 4.7.1 allows local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2016-7911 Published on 2016-11-16

Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel before 4.6.6 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2016-7912 Published on 2016-11-16

Use-after-free vulnerability in the ffs_user_copy_worker function in drivers/usb/gadget/function/f_fs.c in the Linux kernel before 4.5.3 allows local users to gain privileges by accessing an I/O data structure after a certain callback call. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8


CVE-2016-7913 Published on 2016-11-16

The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2016-7914 Published on 2016-11-16

The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.5.3 does not check whether a slot is a leaf, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and out-of-bounds read) via an application that uses associative-array data structures, as demonstrated by the keyutils test suite. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2016-8632 Published on 2016-11-28

The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the relationship between the minimum fragment length and the maximum packet size, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2016-8636 Published on 2017-02-22

Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel before 4.9.10 allows local users to cause a denial of service (memory corruption), obtain sensitive information from kernel memory, or possibly have unspecified other impact via a write or read request involving the “RDMA protocol over infiniband” (aka Soft RoCE) technology. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-8655 Published on 2016-12-08

Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-8666 Published on 2016-10-16

The IP stack in the Linux kernel before 4.6 allows remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for packets with tunnel stacking, as demonstrated by interleaved IPv4 headers and GRE headers, a related issue to CVE-2016-7039. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8


CVE-2016-9083 Published on 2016-11-28

drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a “state machine confusion bug.” According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-9120 Published on 2016-12-08

Race condition in the ion_ioctl function in drivers/staging/android/ion/ion.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) by calling ION_IOC_FREE on two CPUs at the same time. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2016-9313 Published on 2016-11-28

security/keys/big_key.c in the Linux kernel before 4.8.7 mishandles unsuccessful crypto registration in conjunction with successful key-type registration, which allows local users to cause a denial of service (NULL pointer dereference and panic) or possibly have unspecified other impact via a crafted application that uses the big_key data type. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2016-9555 Published on 2016-11-28

The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8


CVE-2016-9576 Published on 2016-12-28

The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-9754 Published on 2017-01-05

The ring_buffer_resize function in kernel/trace/ring_buffer.c in the profiling subsystem in the Linux kernel before 4.6.1 mishandles certain integer calculations, which allows local users to gain privileges by writing to the /sys/kernel/debug/tracing/buffer_size_kb file. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-9793 Published on 2016-12-28

The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2016-9794 Published on 2016-12-28

Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-9806 Published on 2016-12-28

Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel before 4.6.3 allows local users to cause a denial of service (double free) or possibly have unspecified other impact via a crafted application that makes sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2016-9919 Published on 2016-12-08

The icmp6_send function in net/ipv6/icmp.c in the Linux kernel through 4.8.12 omits a certain check of the dst data structure, which allows remote attackers to cause a denial of service (panic) via a fragmented IPv6 packet. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8


CVE-2017-1000111 Published on 2017-10-05

Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-1000251 Published on 2017-09-12

The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 2.6.32 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space.

High 4.1.8

CVE-2017-1000363 Published on 2017-07-17

Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a ‘secure boot’ kernel command line adversary (can happen due to bootloader vulns, e.g. Google Nexus 6’s CVE-2016-10277, where due to a vulnerability the adversary has partial control over the command line) can overflow the parport_nr array in the following code, by appending many (>LP_NO) ‘lp=none’ arguments to the command line. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2017-1000365 Published on 2017-06-19

The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-1000370 Published on 2017-06-19

The offset2lib patch as used in the Linux Kernel contains a vulnerability that allows a PIE binary to be execve()’ed with 1GB of arguments or environmental strings then the stack occupies the address 0x80000000 and the PIE binary is mapped above 0x40000000 nullifying the protection of the offset2lib patch. This affects Linux Kernel version 4.11.5 and earlier. This is a different issue than CVE-2017-1000371. This issue appears to be limited to i386 based systems. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-10661 Published on 2017-08-19

Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8


CVE-2017-10662 Published on 2017-08-19

The sanity_check_raw_super function in fs/f2fs/super.c in the Linux kernel before 4.11.1 does not validate the segment count, which allows local users to gain privileges via unspecified vectors. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-10663 Published on 2017-08-19

The sanity_check_ckpt function in fs/f2fs/super.c in the Linux kernel before 4.12.4 does not validate the blkoff and segno arrays, which allows local users to gain privileges via unspecified vectors. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-10810 Published on 2017-07-04

Memory leak in the virtio_gpu_object_create function in drivers/gpu/drm/virtio/virtgpu_object.c in the Linux kernel through 4.11.8 allows attackers to cause a denial of service (memory consumption) by triggering object-initialization failures. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2017-11176 Published on 2017-07-12

The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-11473 Published on 2017-07-20

Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel through 4.12.2 allows local users to gain privileges via a crafted ACPI table. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2017-13715 Published on 2017-08-29

The __skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel before 4.3 does not ensure that n_proto, ip_proto, and thoff are initialized, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a single crafted MPLS packet. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2017-14497 Published on 2017-09-15

The tpacket_rcv function in net/packet/af_packet.c in the Linux kernel before 4.13 mishandles vnet headers, which might allow local users to cause a denial of service (buffer overflow, and disk and memory corruption) or possibly have unspecified other impact via crafted system calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-15115 Published on 2017-11-15

The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-15951 Published on 2017-10-28

The KEYS subsystem in the Linux kernel before 4.13.10 does not correctly synchronize the actions of updating versus finding a key in the “negative” state to avoid a race condition, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2017-16525 Published on 2017-11-04

The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16526 Published on 2017-11-04

drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16527 Published on 2017-11-04

sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16528 Published on 2017-11-04

sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local users to cause a denial of service (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2017-16529 Published on 2017-11-04

The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16530 Published on 2017-11-04

The uas driver in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to drivers/usb/storage/uas-detect.h and drivers/usb/storage/uas.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16531 Published on 2017-11-04

drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16532 Published on 2017-11-04

The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2017-16533 Published on 2017-11-04

The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16534 Published on 2017-11-04

The cdc_parse_cdc_header function in drivers/usb/core/message.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16535 Published on 2017-11-04

The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel before 4.13.10 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16536 Published on 2017-11-04

The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2017-16537 Published on 2017-11-04

The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16538 Published on 2017-11-04

drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device, related to a missing warm-start check and incorrect attach timing (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner). According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16643 Published on 2017-11-08

The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16644 Published on 2017-11-08

The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2017-16645 Published on 2017-11-08

The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16646 Published on 2017-11-08

drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16647 Published on 2017-11-08

drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16648 Published on 2017-11-08

The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. NOTE: the function was later renamed __dvb_frontend_free. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2017-16649 Published on 2017-11-08

The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16650 Published on 2017-11-08

The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16912 Published on 2018-01-31

The “get_pipe()” function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 allows attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2017-16913 Published on 2018-01-31

The “stub_recv_cmd_submit()” function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 when handling CMD_SUBMIT packets allows attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8


CVE-2017-16914 Published on 2018-01-31

The “stub_send_ret_submit()” function (drivers/usb/usbip/stub_tx.c) in the Linux Kernel before version 4.14.8, 4.9.71, 4.1.49, and 4.4.107 allows attackers to cause a denial of service (NULL pointer dereference) via a specially crafted USB over IP packet. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2017-16939 Published on 2017-11-24

The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16995 Published on 2017-12-27

The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-16996 Published on 2017-12-27

kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging register truncation mishandling. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8


CVE-2017-17052 Published on 2017-11-29

The mm_init function in kernel/fork.c in the Linux kernel before 4.12.10 does not clear the ->exe_file member of a new process’s mm_struct, allowing a local attacker to achieve a use-after-free or possibly have unspecified other impact by running a specially crafted program. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-17558 Published on 2017-12-12

The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-17805 Published on 2017-12-21

The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2017-17806 (Published on 2017-12-21) | The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-17852 (Published on 2017-12-27) | kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of 32-bit ALU ops. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-17853 (Published on 2017-12-27) | kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect BPF_RSH signed bounds calculations. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-17854 (Published on 2017-12-27) | kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (integer overflow and memory corruption) or possibly have unspecified other impact by leveraging unrestricted integer values for pointer arithmetic. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-17855 (Published on 2017-12-27) | kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging improper use of pointers in place of scalars. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-17856 (Published on 2017-12-27) | kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the lack of stack-pointer alignment enforcement. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-17857 (Published on 2017-12-27) | The check_stack_boundary function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of invalid variable stack read operations. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-18075 (Published on 2018-01-24) | crypto/pcrypt.c in the Linux kernel before 4.14.13 mishandles freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-18079 (Published on 2018-01-29) | drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-18174 (Published on 2018-02-11) | In the Linux kernel before 4.7, the amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2017-18218 (Published on 2018-03-05) | In drivers/net/ethernet/hisilicon/hns/hns_enet.c in the Linux kernel before 4.13, local users can cause a denial of service (use-after-free and BUG) or possibly have unspecified other impact by leveraging differences in skb handling between hns_nic_net_xmit_hw and hns_nic_net_xmit. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-2636 (Published on 2017-03-07) | Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-5576 (Published on 2017-02-06) | Integer overflow in the vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 allows local users to cause a denial of service or possibly have unspecified other impact via a crafted size value in a VC4_SUBMIT_CL ioctl call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-5986 (Published on 2017-02-18) | Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2017-6001 (Published on 2017-02-18) | Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain privileges via a crafted application that makes concurrent perf_event_open system calls for moving a software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-6786. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2017-6074 (Published on 2017-02-18) | The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-6347 (Published on 2017-03-01) | The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel before 4.10.1 has incorrect expectations about skb data layout, which allows local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-7187 (Published on 2017-03-20) | The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through 4.10.4 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-7294 (Published on 2017-03-29) | The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6 does not validate addition of certain levels data, which allows local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-7308 (Published on 2017-03-29) | The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-7374 (Published on 2017-03-31) | Use-after-free vulnerability in fs/crypto/ in the Linux kernel before 4.10.7 allows local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-7482 (Published on 2018-07-30) | In the Linux kernel before version 4.12, Kerberos 5 tickets decoded when using the RXRPC keys incorrectly assumes the size of a field. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. This could possibly lead to memory corruption and possible privilege escalation. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-7487 (Published on 2017-05-15) | The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 4.11.1 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-7541 (Published on 2017-07-25) | The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel before 4.12.3 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-7618 (Published on 2017-04-10) | crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2017-7645 (Published on 2017-04-18) | The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2017-7889 (Published on 2017-04-17) | The mm subsystem in the Linux kernel through 4.10.10 does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-7895 (Published on 2017-04-28) | The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2017-8797 (Published on 2017-07-02) | The NFSv4 server in the Linux kernel before 4.11.3 does not properly validate the layout type when processing the NFSv4 pNFS GETDEVICEINFO or LAYOUTGET operand in a UDP packet from a remote attacker. This type value is uninitialized upon encountering certain error conditions. This value is used as an array index for dereferencing, which leads to an OOPS and eventually a DoS of knfsd and a soft-lockup of the whole system. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2017-8824 (Published on 2017-12-05) | The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-8831 (Published on 2017-05-08) | The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.11.5 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a “double fetch” vulnerability. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-8890 (Published on 2017-05-10) | The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15 allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-9074 (Published on 2017-05-19) | The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-9075 (Published on 2017-05-19) | The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-9076 (Published on 2017-05-19) | The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-9077 (Published on 2017-05-19) | The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-9984 (Published on 2017-06-28) | The snd_msnd_interrupt function in sound/isa/msnd/msnd_pinnacle.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a “double fetch” vulnerability. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-9985 (Published on 2017-06-28) | The snd_msndmidi_input_read function in sound/isa/msnd/msnd_midi.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a “double fetch” vulnerability. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2017-9986 (Published on 2017-06-28) | The intr function in sound/oss/msnd_pinnacle.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a “double fetch” vulnerability. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2018-1066 (Published on 2018-03-02) | The Linux kernel before version 4.11 is vulnerable to a NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response is mishandled during session recovery. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2018-10675 (Published on 2018-05-02) | The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2018-1068 (Published on 2018-03-16) | A flaw was found in the Linux 4.x kernel’s implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2018-10880 (Published on 2018-07-25) | Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system crash and a denial of service. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2018-1092 (Published on 2018-04-02) | The ext4_iget function in fs/ext4/inode.c in the Linux kernel through 4.15.15 mishandles the case of a root directory with a zero i_links_count, which allows attackers to cause a denial of service (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2018-1093 (Published on 2018-04-02) | The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the Linux kernel through 4.15.15 allows attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image because balloc.c and ialloc.c do not validate bitmap block numbers. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2018-1094 (Published on 2018-04-02) | The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.15.15 does not always initialize the crc32c checksum driver, which allows attackers to cause a denial of service (ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted ext4 image. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2018-1095 (Published on 2018-04-02) | The ext4_xattr_check_entries function in fs/ext4/xattr.c in the Linux kernel through 4.15.15 does not properly validate xattr sizes, which causes misinterpretation of a size as an error code, and consequently allows attackers to cause a denial of service (get_acl NULL pointer dereference and system crash) via a crafted ext4 image. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2018-11506 (Published on 2018-05-28) | The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel through 4.16.12 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact because sense buffers have different sizes at the CDROM layer and the SCSI layer, as demonstrated by a CDROMREADMODE2 ioctl call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2018-12232 (Published on 2018-06-12) | In net/socket.c in the Linux kernel through 4.17.1, there is a race condition between fchownat and close in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr functions. fchownat does not increment the file descriptor reference count, which allows close to set the socket to NULL during fchownat’s execution, leading to a NULL pointer dereference and system crash. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2018-12714 (Published on 2018-06-25) | An issue was discovered in the Linux kernel through 4.17.2. The filter parsing in kernel/trace/trace_events_filter.c could be called with no filter, which is an N=0 case when it expected at least one line to have been read, thus making the N-1 index invalid. This allows attackers to cause a denial of service (slab out-of-bounds write) or possibly have unspecified other impact via crafted perf_event_open and mmap system calls. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2018-13406 (Published on 2018-07-06) | An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c in the Linux kernel before 4.17.4 could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability. | High | 4.1.8

CVE-2018-14609 (Published on 2018-07-27) | An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in __del_reloc_root() in fs/btrfs/relocation.c when mounting a crafted btrfs image, related to removing reloc rb_trees when reloc control has not been initialized. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2018-14610 (Published on 2018-07-27) | An issue was discovered in the Linux kernel through 4.17.10. There is out-of-bounds access in write_extent_buffer() when mounting and operating a crafted btrfs image, because of a lack of verification that each block group has a corresponding chunk at mount time, within btrfs_read_block_groups in fs/btrfs/extent-tree.c. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2018-14611 (Published on 2018-07-27) | An issue was discovered in the Linux kernel through 4.17.10. There is a use-after-free in try_merge_free_space() when mounting a crafted btrfs image, because of a lack of chunk type flag checks in btrfs_check_chunk_valid in fs/btrfs/volumes.c. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2018-14612 (Published on 2018-07-27) | An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in btrfs_root_node() when mounting a crafted btrfs image, because of a lack of chunk block group mapping validation in btrfs_read_block_groups in fs/btrfs/extent-tree.c, and a lack of empty-tree checks in check_leaf in fs/btrfs/tree-checker.c. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2018-14613 (Published on 2018-07-27) | An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item validation in check_leaf_item in fs/btrfs/tree-checker.c. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2018-14614 (Published on 2018-07-27) | An issue was discovered in the Linux kernel through 4.17.10. There is an out-of-bounds access in __remove_dirty_segment() in fs/f2fs/segment.c when mounting an f2fs image. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely. | High | 4.1.8

CVE-2018-14615 Published on 2018-07-27

An issue was discovered in the Linux kernel through 4.17.10. There is a buffer overflow in truncate_inline_inode() in fs/f2fs/inline.c when umounting an f2fs image, because a length value may be negative. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2018-14616 Published on 2018-07-27

An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference in fscrypt_do_page_crypto() in fs/crypto/crypto.c when operating on a file in a corrupted f2fs image. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2018-14617 Published on 2018-07-27

An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2018-14619 Published on 2018-08-30

A flaw was found in the crypto subsystem of the Linux kernel before version kernel-4.15-rc4. The “null skcipher” was being dropped when each af_alg_ctx was freed instead of when the aead_tfm was freed. This can cause the null skcipher to be freed while it is still in use leading to a local user being able to crash the system or possibly escalate privileges. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2018-14678 Published on 2018-07-28

An issue was discovered in the Linux kernel through 4.17.11, as used in Xen through 4.11.x. The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S does not properly maintain RBX, which allows local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2018-16276 Published on 2018-08-31

An issue was discovered in yurex_read in drivers/usb/misc/yurex.c in the Linux kernel before 4.17.7. Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2018-16882 Published on 2019-01-03

A use-after-free issue was found in the way the Linux kernel’s KVM hypervisor processed posted interrupts when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while processing posted interrupt address, it unmaps the ‘pi_desc_page’ without resetting ‘pi_desc’ descriptor address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions before 4.14.91 and before 4.19.13 are vulnerable. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2018-17182 Published on 2018-09-19

An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2018-20169 Published on 2018-12-17

An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2018-20669 Published on 2019-03-21

An issue where a provided address with access_ok() is not checked was discovered in i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux kernel through 4.19.13. A local attacker can craft a malicious IOCTL function call to overwrite arbitrary kernel memory, resulting in a Denial of Service or privilege escalation. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2018-20784 Published on 2019-02-22

In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq’s, which allows attackers to cause a denial of service (infinite loop in update_blocked_averages) or possibly have unspecified other impact by inducing a high load. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2018-20836 Published on 2019-05-07

An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2018-5332 Published on 2018-01-11

In the Linux kernel through 4.14.13, the rds_message_alloc_sgs() function does not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c). According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2018-5703 Published on 2018-01-16

The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.14.11 allows attackers to cause a denial of service (slab out-of-bounds write) or possibly have unspecified other impact via vectors involving TLS. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2018-6555 Published on 2018-09-04

The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2018-7480 Published on 2018-02-25

The blkcg_init_queue function in block/blk-cgroup.c in the Linux kernel before 4.11 allows local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2018-8781 Published on 2018-04-23

The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c at the Linux kernel version 3.4 and up to and including 4.15 has an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2018-8822 Published on 2018-03-20

Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c in the Linux kernel through 4.15.11, and in drivers/staging/ncpfs/ncplib_kernel.c in the Linux kernel 4.16-rc through 4.16-rc6, could be exploited by malicious NCPFS servers to crash the kernel or execute code. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2019-10125 Published on 2019-03-27

An issue was discovered in aio_poll() in fs/aio.c in the Linux kernel through 5.0.4. A file may be released by aio_poll_wake() if an expected event is triggered immediately (e.g., by the close of a pair of pipes) after the return of vfs_poll(), and this will cause a use-after-free. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2019-11487 Published on 2019-04-24

The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2019-11810 Published on 2019-05-07

An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2019-11811 Published on 2019-05-07

An issue was discovered in the Linux kernel before 5.0.4. There is a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2019-11815 Published on 2019-05-08

An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2019-3701 Published on 2019-01-03

An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field. The privileged user “root” with CAP_NET_ADMIN can create a CAN frame modification rule that makes the data length code a higher value than the available CAN frame data size. In combination with a configured checksum calculation where the result is stored relatively to the end of the data (e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in skb_shared_info) can be rewritten which finally can cause a system crash. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller’s I/O memory when processing can-gw manipulated outgoing frames. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2019-8912 Published on 2019-02-18

In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2019-8956 Published on 2019-04-01

In the Linux Kernel before versions 4.20.8 and 4.19.21 a use-after-free error in the “sctp_sendmsg()” function (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited to corrupt memory. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

High 4.1.8

CVE-2019-8980 Published on 2019-02-21

A memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service (memory consumption) by triggering vfs_read failures. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2019-9003 Published on 2019-02-22

In the Linux kernel before 4.20.5, attackers can trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a “service ipmievd restart” loop. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

High 4.1.8

CVE-2010-5321 Published on 2017-04-24

Memory leak in drivers/media/video/videobuf-core.c in the videobuf subsystem in the Linux kernel 2.6.x through 4.x allows local users to cause a denial of service (memory consumption) by leveraging /dev/video access for a series of mmap calls that require new allocations, a different vulnerability than CVE-2007-6761. NOTE: as of 2016-06-18, this affects only 11 drivers that have not been updated to use videobuf2 instead of videobuf. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2013-4312 Published on 2016-02-08

The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2013-7446 Published on 2015-12-28

Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel before 4.3.3 allows local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2014-9892 Published on 2016-08-06

The snd_compr_tstamp function in sound/core/compress_offload.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly initialize a timestamp data structure, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28770164 and Qualcomm internal bug CR568717. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2014-9900 Published on 2016-08-06

The ethtool_get_wol function in net/core/ethtool.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not initialize a certain data structure, which allows local users to obtain sensitive information via a crafted application, aka Android internal bug 28803952 and Qualcomm internal bug CR570754. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2015-1339 Published on 2016-04-27

Memory leak in the cuse_channel_release function in fs/fuse/cuse.c in the Linux kernel before 4.4 allows local users to cause a denial of service (memory consumption) or possibly have unspecified other impact by opening /dev/cuse many times. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-2925 Published on 2015-11-16

The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a “double-chroot attack.” According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-5156 Published on 2015-10-19

The virtnet_probe function in drivers/net/virtio_net.c in the Linux kernel before 4.2 attempts to support a FRAGLIST feature without proper memory allocation, which allows guest OS users to cause a denial of service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets.

Medium 4.1.8

CVE-2015-5257 Published on 2015-11-16

drivers/usb/serial/whiteheat.c in the Linux kernel before 4.2.4 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted USB device. NOTE: this ID was incorrectly used for an Apache Cordova issue that has the correct ID of CVE-2015-8320. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-5283 Published on 2015-10-19

The sctp_init function in net/sctp/protocol.c in the Linux kernel before 4.2.3 has an incorrect sequence of protocol-initialization steps, which allows local users to cause a denial of service (panic or memory corruption) by creating SCTP sockets before all of the steps have finished. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-5307 Published on 2015-11-16

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-6937 Published on 2015-10-19

The __rds_conn_create function in net/rds/connection.c in the Linux kernel through 4.2.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-7513 Published on 2016-02-08

arch/x86/kvm/x86.c in the Linux kernel before 4.4 does not reset the PIT counter values during state restoration, which allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via a zero value, related to the kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-7515 Published on 2016-04-27

The aiptek_probe function in drivers/input/tablet/aiptek.c in the Linux kernel before 4.4 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device that lacks endpoints. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-7550 Published on 2016-02-08

The keyctl_read_key function in security/keys/keyctl.c in the Linux kernel before 4.3.4 does not properly use a semaphore, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted application that leverages a race condition between keyctl_revoke and keyctl_read calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-7566 Published on 2016-02-08

The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-7613 Published on 2015-10-19

Race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-7799 Published on 2015-10-19

The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel through 4.2.3 does not ensure that certain slot numbers are valid, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-7990 Published on 2015-12-28

Race condition in the rds_sendmsg function in net/rds/sendmsg.c in the Linux kernel before 4.3.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6937. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-8104 Published on 2015-11-16

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-8543 Published on 2015-12-28

The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products, does not validate protocol identifiers for certain protocol families, which allows local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-8551 Published on 2016-04-13

The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XEN_PCI_OP_* operations, aka “Linux pciback missing sanity checks.” According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-8709 Published on 2016-02-08

** DISPUTED ** kernel/ptrace.c in the Linux kernel through 4.4.1 mishandles uid and gid mappings, which allows local users to gain privileges by establishing a user namespace, waiting for a root process to enter that namespace with an unsafe uid or gid, and then using the ptrace system call. NOTE: the vendor states “there is no kernel bug here.” According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-8746 Published on 2016-05-02

fs/nfs/nfs4proc.c in the NFS client in the Linux kernel before 4.2.2 does not properly initialize memory for migration recovery operations, which allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) via crafted network traffic. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2015-8767 Published on 2016-02-08

net/sctp/sm_sideeffect.c in the Linux kernel before 4.3 does not properly manage the relationship between a lock and a socket, which allows local users to cause a denial of service (deadlock) via a crafted sctp_accept call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-8785 Published on 2016-02-08

The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kernel before 4.4 allows local users to cause a denial of service (infinite loop) via a writev system call that triggers a zero length for the first segment of an iov. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-8844 Published on 2016-04-27

The signal implementation in the Linux kernel before 4.3.5 on powerpc platforms does not check for an MSR with both the S and T bits set, which allows local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-8845 Published on 2016-04-27

The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the Linux kernel before 4.4.1 on powerpc platforms does not ensure that TM suspend mode exists before proceeding with a tm_reclaim call, which allows local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-8944 (published on 2016-08-06)
Description: The ioresources_init function in kernel/resource.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 6 and 7 (2013) devices, uses weak permissions for /proc/iomem, which allows local users to obtain sensitive information by reading this file, aka Android internal bug 28814213 and Qualcomm internal bug CR786116. NOTE: the permissions may be intentional in most non-Android contexts. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2015-8953 (published on 2016-10-16)
Description: fs/overlayfs/copy_up.c in the Linux kernel before 4.2.6 uses an incorrect cleanup code path, which allows local users to cause a denial of service (dentry reference leak) via filesystem operations on a large file in a lower overlayfs layer. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2015-8970 (published on 2016-11-28)
Description: crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify that a setkey operation has been performed on an AF_ALG socket before an accept system call is processed, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted application that does not supply a key, related to the lrw_crypt function in crypto/lrw.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8


CVE-2016-0723 (published on 2016-02-08)
Description: Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-0821 (published on 2016-03-12)
Description: The LIST_POISON feature in include/linux/poison.h in the Linux kernel before 4.3, as used in Android 6.0.1 before 2016-03-01, does not properly consider the relationship to the mmap_min_addr value, which makes it easier for attackers to bypass a poison-pointer protection mechanism by triggering the use of an uninitialized list entry, aka Android internal bug 26186802, a different vulnerability than CVE-2015-3636. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-10088 (published on 2016-12-30)
Description: The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8


CVE-2016-10147 (published on 2017-01-18)
Description: crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as demonstrated by mcryptd(md5). According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-10200 (published on 2017-03-07)
Description: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-10208 (published on 2017-02-06)
Description: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-10318 (published on 2017-04-04)
Description: A missing authorization check in the fscrypt_process_policy function in fs/crypto/policy.c in the ext4 and f2fs filesystem encryption support in the Linux kernel before 4.7.4 allows a user to assign an encryption policy to a directory owned by a different user, potentially creating a denial of service. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.
Severity: Medium
Vulnerable version(s): 4.1.8


CVE-2016-10723 (published on 2018-06-21)
Description: ** DISPUTED ** An issue was discovered in the Linux kernel through 4.17.2. Since the page allocator does not yield CPU resources to the owner of the oom_lock mutex, a local unprivileged user can trivially lock up the system forever by wasting CPU resources from the page allocator (e.g., via concurrent page fault events) when the global OOM killer is invoked. NOTE: the software maintainer has not accepted certain proposed patches, in part because of a viewpoint that “the underlying problem is non-trivial to handle.” According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-10741 (published on 2019-02-01)
Description: In the Linux kernel before 4.9.3, fs/xfs/xfs_aops.c allows local users to cause a denial of service (system crash) because there is a race condition between direct and memory-mapped I/O (associated with a hole) that is handled with BUG_ON instead of an I/O failure. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-1237 (published on 2016-06-29)
Description: nfsd in the Linux kernel through 4.6.3 allows local users to bypass intended file-permission restrictions by setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c, and nfs4acl.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-2053 (published on 2016-05-02)
Description: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel before 4.3 allows attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8


CVE-2016-2069 (published on 2016-04-27)
Description: Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows local users to gain privileges by triggering access to a paging structure by a different CPU. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-2117 (published on 2016-05-02)
Description: The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel through 4.5.2 incorrectly enables scatter/gather I/O, which allows remote attackers to obtain sensitive information from kernel memory by reading packet data. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-2184 (published on 2016-04-27)
Description: The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-2185 (published on 2016-05-02)
Description: The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8


CVE-2016-2186 (published on 2016-05-02)
Description: The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-2187 (published on 2016-05-02)
Description: The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel through 4.5.2 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-2188 (published on 2016-05-02)
Description: The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-2384 (published on 2016-04-27)
Description: Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8


CVE-2016-2543 (published on 2016-04-27)
Description: The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientmgr.c in the Linux kernel before 4.4.1 does not verify FIFO assignment before proceeding with FIFO clearing, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-2544 (published on 2016-04-27)
Description: Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel before 4.4.1 allows local users to cause a denial of service (use-after-free and system crash) by making an ioctl call at a certain time. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-2545 (published on 2016-04-27)
Description: The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel before 4.4.1 does not properly maintain a certain linked list, which allows local users to cause a denial of service (race condition and system crash) via a crafted ioctl call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-2546 (published on 2016-04-27)
Description: sound/core/timer.c in the Linux kernel before 4.4.1 uses an incorrect type of mutex, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8


CVE-2016-2547 (published on 2016-04-27)
Description: sound/core/timer.c in the Linux kernel before 4.4.1 employs a locking approach that does not consider slave timer instances, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-2548 (published on 2016-04-27)
Description: sound/core/timer.c in the Linux kernel before 4.4.1 retains certain linked lists after a close or stop action, which allows local users to cause a denial of service (system crash) via a crafted ioctl call, related to the (1) snd_timer_close and (2) _snd_timer_stop functions. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-2550 (published on 2016-04-27)
Description: The Linux kernel before 4.5 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by leveraging incorrect tracking of descriptor ownership and sending each descriptor over a UNIX socket before closing it. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-4312. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-2782 (published on 2016-04-27)
Description: The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8


CVE-2016-2847 (published on 2016-04-27)
Description: fs/pipe.c in the Linux kernel before 4.5 does not limit the amount of unread data in pipes, which allows local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-2853 (published on 2016-05-02)
Description: The aufs module for the Linux kernel 3.x and 4.x does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an aufs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-2854 (published on 2016-05-02)
Description: The aufs module for the Linux kernel 3.x and 4.x does not properly maintain POSIX ACL xattr data, which allows local users to gain privileges by leveraging a group-writable setgid directory. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-3070 (published on 2016-08-06)
Description: The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel before 4.4 improperly interacts with mm/migrate.c, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8


CVE-2016-3136 (published on 2016-05-02)
Description: The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-3137 (published on 2016-05-02)
Description: drivers/usb/serial/cypress_m8.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-3138 (published on 2016-05-02)
Description: The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-3140 (published on 2016-05-02)
Description: The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8


CVE-2016-3672 (published on 2016-04-27)
Description: The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not properly randomize the legacy base address, which makes it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-3689 (published on 2016-05-02)
Description: The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-3713 (published on 2016-06-27)
Description: The msr_mtrr_valid function in arch/x86/kvm/mtrr.c in the Linux kernel before 4.6.1 supports MSR 0x2f8, which allows guest OS users to read or write to the kvm_arch_vcpu data structure, and consequently obtain sensitive information or cause a denial of service (system crash), via a crafted ioctl call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-4470 (published on 2016-06-27)
Description: The key_reject_and_link function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is initialized, which allows local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8


CVE-2016-4485 (published on 2016-05-23)
Description: The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory by reading a message. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-4558 (published on 2016-05-23)
Description: The BPF subsystem in the Linux kernel before 4.5.5 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted application on (1) a system with more than 32 Gb of memory, related to the program reference count or (2) a 1 Tb system, related to the map reference count. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-4580 (published on 2016-05-23)
Description: The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-4581 (published on 2016-05-23)
Description: fs/pnode.c in the Linux kernel before 4.5.4 does not properly traverse a mount propagation tree in a certain case involving a slave mount, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted series of mount system calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8


CVE-2016-4998 (published on 2016-07-03)
Description: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-5244 (published on 2016-06-27)
Description: The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel through 4.6.3 does not initialize a certain structure member, which allows remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-5400 (published on 2016-08-06)
Description: Memory leak in the airspy_probe function in drivers/media/usb/airspy/airspy.c in the airspy USB driver in the Linux kernel before 4.7 allows local users to cause a denial of service (memory consumption) via a crafted USB device that emulates many VFL_TYPE_SDR or VFL_TYPE_SUBDEV devices and performs many connect and disconnect operations. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-5412 (published on 2016-08-06)
Description: arch/powerpc/kvm/book3s_hv_rmhandlers.S in the Linux kernel through 4.7 on PowerPC platforms, when CONFIG_KVM_BOOK3S_64_HV is enabled, allows guest OS users to cause a denial of service (host OS infinite loop) by making a H_CEDE hypercall during the existence of a suspended transaction. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8


CVE-2016-5696 (published on 2016-08-06)
Description: net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-5728 (published on 2016-06-27)
Description: Race condition in the vop_ioctl function in drivers/misc/mic/vop/vop_vringh.c in the MIC VOP driver in the Linux kernel before 4.6.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (memory corruption and system crash) by changing a certain header, aka a “double fetch” vulnerability. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-6197 (published on 2016-08-06)
Description: fs/overlayfs/dir.c in the OverlayFS filesystem implementation in the Linux kernel before 4.6 does not properly verify the upper dentry before proceeding with unlink and rename system-call processing, which allows local users to cause a denial of service (system crash) via a rename system call that specifies a self-hardlink. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-6198 (published on 2016-08-06)
Description: The filesystem layer in the Linux kernel before 4.5.5 proceeds with post-rename operations after an OverlayFS file is renamed to a self-hardlink, which allows local users to cause a denial of service (system crash) via a rename system call, related to fs/namei.c and fs/open.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8


CVE-2016-6213 (published on 2016-12-28)
Description: fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of mounts. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-6327 (published on 2016-10-16)
Description: drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel before 4.5.1 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an ABORT_TASK command to abort a device write operation. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-6480 (published on 2016-08-06)
Description: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a “double fetch” vulnerability. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-2016-6516 (published on 2016-08-06)
Description: Race condition in the ioctl_file_dedupe_range function in fs/ioctl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (heap-based buffer overflow) or possibly gain privileges by changing a certain count value, aka a “double fetch” vulnerability. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2016-6828
Published on: 2016-10-16
Description: The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2016-7042
Published on: 2016-10-16
Description: The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2016-7915
Published on: 2016-11-16
Description: The hid_input_field function in drivers/hid/hid-core.c in the Linux kernel before 4.6 allows physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device, as demonstrated by a Logitech DJ receiver. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2016-7916
Published on: 2016-11-16
Description: Race condition in the environ_read function in fs/proc/base.c in the Linux kernel before 4.5.4 allows local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2016-7917
Published on: 2016-11-16
Description: The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux kernel before 4.5 does not check whether a batch message’s length field is large enough, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (infinite loop or out-of-bounds read) by leveraging the CAP_NET_ADMIN capability. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2016-8630
Published on: 2016-11-28
Description: The x86_decode_insn function in arch/x86/kvm/emulate.c in the Linux kernel before 4.8.7, when KVM is enabled, allows local users to cause a denial of service (host OS crash) via a certain use of a ModR/M byte in an undefined instruction. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2016-8633
Published on: 2016-11-28
Description: drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allows remote attackers to execute arbitrary code via crafted fragmented packets. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2016-8645
Published on: 2016-11-28
Description: The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, which allows local users to cause a denial of service (system crash) via a crafted application that makes sendto system calls, related to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2016-8646
Published on: 2016-11-28
Description: The hash_accept function in crypto/algif_hash.c in the Linux kernel before 4.3.6 allows local users to cause a denial of service (OOPS) by attempting to trigger use of in-kernel hash algorithms for a socket that has received zero bytes of data. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2016-8650
Published on: 2016-11-28
Description: The mpi_powm function in lib/mpi/mpi-pow.c in the Linux kernel through 4.8.11 does not ensure that memory is allocated for limb data, which allows local users to cause a denial of service (stack memory corruption and panic) via an add_key system call for an RSA key with a zero exponent. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2016-8658
Published on: 2016-10-16
Description: Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel before 4.7.5 allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a long SSID Information Element in a command to a Netlink socket. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2016-8660
Published on: 2016-10-16
Description: The XFS subsystem in the Linux kernel through 4.8.2 allows local users to cause a denial of service (fdatasync failure and system hang) by using the vfs syscall group in the trinity program, related to a “page lock order bug in the XFS seek hole/data implementation.” According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2016-9084
Published on: 2016-11-28
Description: drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11 misuses the kzalloc function, which allows local users to cause a denial of service (integer overflow) or have unspecified other impact by leveraging access to a vfio PCI device file. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2016-9191
Published on: 2016-11-28
Description: The cgroup offline implementation in the Linux kernel through 4.8.11 mishandles certain drain operations, which allows local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application, as demonstrated by trinity. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2016-9685
Published on: 2016-12-28
Description: Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel before 4.5.1 allow local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2016-9755
Published on: 2016-12-28
Description: The netfilter subsystem in the Linux kernel before 4.9 mishandles IPv6 reassembly, which allows local users to cause a denial of service (integer overflow, out-of-bounds write, and GPF) or possibly have unspecified other impact via a crafted application that makes socket, connect, and writev system calls, related to net/ipv6/netfilter/nf_conntrack_reasm.c and net/ipv6/netfilter/nf_defrag_ipv6_hooks.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2016-9777
Published on: 2016-12-28
Description: KVM in the Linux kernel before 4.8.12, when I/O APIC is enabled, does not properly restrict the VCPU index, which allows guest OS users to gain host OS privileges or cause a denial of service (out-of-bounds array access and host OS crash) via a crafted interrupt request, related to arch/x86/kvm/ioapic.c and arch/x86/kvm/ioapic.h. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-1000112
Published on: 2017-10-05
Description: Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 (“[IPv4/IPv6]: UFO Scatter-gather approach”) on Oct 18 2005. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-1000364
Published on: 2017-06-19
Description: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be “jumped” over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010). According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-1000405
Published on: 2017-11-30
Description: The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()’s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original “Dirty cow” because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-10911
Published on: 2017-07-05
Description: The make_response function in drivers/block/xen-blkback/blkback.c in the Linux kernel before 4.11.8 allows guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures, aka XSA-216. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-11600
Published on: 2017-07-24
Description: net/xfrm/xfrm_policy.c in the Linux kernel through 4.12.3, when CONFIG_XFRM_MIGRATE is enabled, does not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allows local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-12146
Published on: 2017-09-08
Description: The driver_override implementation in drivers/base/platform.c in the Linux kernel before 4.12.1 allows local users to gain privileges by leveraging a race condition between a read operation and a store operation that involve different overrides. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-12153
Published on: 2017-09-21
Description: A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel through 4.13.3. This function does not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-12168
Published on: 2017-09-20
Description: The access_pmu_evcntr function in arch/arm64/kvm/sys_regs.c in the Linux kernel before 4.8.11 allows privileged KVM guest OS users to cause a denial of service (assertion failure and host OS crash) by accessing the Performance Monitors Cycle Count Register (PMCCNTR). According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-12188
Published on: 2017-10-11
Description: arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested virtualisation is used, does not properly traverse guest pagetable entries to resolve a guest virtual address, which allows L1 guest OS users to execute arbitrary code on the host OS or cause a denial of service (incorrect index during page walking, and host OS crash), aka an “MMU potential stack buffer overrun.” According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-12190
Published on: 2017-11-22
Description: The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-12192
Published on: 2017-10-12
Description: The keyctl_read_key function in security/keys/keyctl.c in the Key Management subcomponent in the Linux kernel before 4.13.5 does not properly consider that a key may be possessed but negatively instantiated, which allows local users to cause a denial of service (OOPS and system crash) via a crafted KEYCTL_READ operation. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-12193
Published on: 2017-11-22
Description: The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-13693
Published on: 2017-08-25
Description: The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-14051
Published on: 2017-08-31
Description: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel through 4.12.10 allows local users to cause a denial of service (memory corruption and system crash) by leveraging root access. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-14106
Published on: 2017-09-01
Description: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-14340
Published on: 2017-09-15
Description: The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux kernel before 4.13.2 does not verify that a filesystem has a realtime device, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-14489
Published on: 2017-09-15
Description: The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel through 4.13.2 allows local users to cause a denial of service (panic) by leveraging incorrect length validation. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-15102
Published on: 2017-11-15
Description: The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-15116
Published on: 2017-11-30
Description: The rngapi_reset function in crypto/rng.c in the Linux kernel before 4.2 allows attackers to cause a denial of service (NULL pointer dereference). According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-15127
Published on: 2018-01-14
Description: A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetlb.c in the Linux kernel before 4.13. A superfluous implicit page unlock for VM_SHARED hugetlbfs mapping could trigger a local denial of service (BUG). According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-15128
Published on: 2018-01-14
Description: A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetlb.c in the Linux kernel before 4.13.12. A lack of size check could cause a denial of service (BUG). According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-15129
Published on: 2018-01-09
Description: A use-after-free vulnerability was found in network namespaces code affecting the Linux kernel before 4.14.11. The function get_net_ns_by_id() in net/core/net_namespace.c does not check for the net::count value after it has found a peer network in netns_ids idr, which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-15265
Published on: 2017-10-16
Description: Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-15274
Published on: 2017-10-12
Description: security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-15299
Published on: 2017-10-15
Description: The KEYS subsystem in the Linux kernel through 4.13.7 mishandles use of add_key for a key that already exists but is uninstantiated, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-15306
Published on: 2017-11-06
Description: The kvm_vm_ioctl_check_extension function in arch/powerpc/kvm/powerpc.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) via a KVM_CHECK_EXTENSION KVM_CAP_PPC_HTM ioctl call to /dev/kvm. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-15649
Published on: 2017-10-20
Description: net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-17053
Published on: 2017-11-29
Description: The init_new_context function in arch/x86/include/asm/mmu_context.h in the Linux kernel before 4.12.10 does not correctly handle errors from LDT table allocation when forking a new process, allowing a local attacker to achieve a use-after-free or possibly have unspecified other impact by running a specially crafted program. This vulnerability only affected kernels built with CONFIG_MODIFY_LDT_SYSCALL=y. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-17448
Published on: 2017-12-07
Description: net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations, which allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-17450
Published on: 2017-12-07
Description: net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-17712
Published on: 2017-12-16
Description: The raw_sendmsg() function in net/ipv4/raw.c in the Linux kernel through 4.14.6 has a race condition in inet->hdrincl that leads to uninitialized stack pointer usage; this allows a local user to execute code and gain privileges. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-17862
Published on: 2017-12-27
Description: kernel/bpf/verifier.c in the Linux kernel through 4.14.8 ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-17975
Published on: 2017-12-30
Description: Use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c in the Linux kernel through 4.14.10 allows attackers to cause a denial of service (system crash) or possibly have unspecified other impact by triggering failure of audio registration, because a kfree of the usbtv data structure occurs during a usbtv_video_free call, but the usbtv_video_fail label’s code attempts to both access and free this data structure. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-18193
Published on: 2018-02-22
Description: fs/f2fs/extent_cache.c in the Linux kernel before 4.13 mishandles extent trees, which allows local users to cause a denial of service (BUG) via an application with multiple threads. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

CVE-ID: CVE-2017-18200
Published on: 2018-02-26
Description: The f2fs implementation in the Linux kernel before 4.14 mishandles reference counts associated with f2fs_wait_discard_bios calls, which allows local users to cause a denial of service (BUG), as demonstrated by fstrim. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.
Severity: Medium
Vulnerable version(s): 4.1.8

version(s)CVE-2017-18202Published on2018-02-27

The __oom_reap_task_mm function inmm/oom_kill.c in the Linux kernel be-fore 4.14.4 mishandles gather operations,which allows attackers to cause a denialof service (TLBentry leakoruse-after-free)or possibly haveunspecifiedother impactby triggering a copy_to_user call within acertain time window.According to the vulnerability’s CVSSv2 rat-ing, local access is necessary to exploit thevulnerability.

Medium 4.1.8

CVE-2017-18208 Published on 2018-03-01

The madvise_willneed function in mm/madvise.c in the Linux kernel before 4.14.4 allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-18221 Published on 2018-03-07

The __munlock_pagevec function in mm/mlock.c in the Linux kernel before 4.11.4 allows local users to cause a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall system calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-18222 Published on 2018-03-08

In the Linux kernel before 4.12, Hisilicon Network Subsystem (HNS) does not consider the ETH_SS_PRIV_FLAGS case when retrieving sset_count data, which allows local users to cause a denial of service (buffer overflow and memory corruption) or possibly have unspecified other impact, as demonstrated by incompatibility between hns_get_sset_count and ethtool_get_strings. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-18241 Published on 2018-03-21

fs/f2fs/segment.c in the Linux kernel before 4.13 allows local users to cause a denial of service (NULL pointer dereference and panic) by using a noflush_merge option that triggers a NULL value for a flush_cmd_control data structure. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-18249 Published on 2018-03-26

The add_free_nid function in fs/f2fs/node.c in the Linux kernel before 4.12 does not properly track an allocated nid, which allows local users to cause a denial of service (race condition) or possibly have unspecified other impact via concurrent threads. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-18255 Published on 2018-03-31

The perf_cpu_time_max_percent_handler function in kernel/events/core.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-18257 Published on 2018-04-04

The __get_data_block function in fs/f2fs/data.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow and loop) via crafted use of the open and fallocate system calls with an FS_IOC_FIEMAP ioctl. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-18261 Published on 2018-04-19

The arch_timer_reg_read_stable macro in arch/arm64/include/asm/arch_timer.h in the Linux kernel before 4.13 allows local users to cause a denial of service (infinite recursion) by writing to a file under /sys/kernel/debug in certain circumstances, as demonstrated by a scenario involving debugfs, ftrace, PREEMPT_TRACER, and FUNCTION_GRAPH_TRACER. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-18360 Published on 2019-01-31

In change_port_settings in drivers/usb/serial/io_ti.c in the Linux kernel before 4.11.3, local users could cause a denial of service by division-by-zero in the serial device layer by trying to set very high baud rates. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-2583 Published on 2017-02-06

The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the Linux kernel before 4.9.5 improperly emulates a “MOV SS, NULL selector” instruction, which allows guest OS users to cause a denial of service (guest OS crash) or gain guest OS privileges via a crafted application. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-2596 Published on 2017-02-06

The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-2618 Published on 2018-07-27

A flaw was found in the Linux kernel’s handling of clearing SELinux attributes on /proc/pid/attr files before 4.9.10. An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-2671 Published on 2017-04-05

The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-5577 Published on 2017-02-06

The vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 does not set an errno value upon certain overflow detections, which allows local users to cause a denial of service (incorrect pointer dereference and OOPS) via inconsistent size values in a VC4_SUBMIT_CL ioctl call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-5669 Published on 2017-02-24

The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-5970 Published on 2017-02-14

The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2017-6214 Published on 2017-02-23

The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2017-6345 Published on 2017-03-01

The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-6346 Published on 2017-03-01

Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that makes PACKET_FANOUT setsockopt system calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-6348 Published on 2017-03-01

The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-6353 Published on 2017-03-01

net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-6874 Published on 2017-03-14

Race condition in kernel/ucount.c in the Linux kernel through 4.10.2 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls that leverage certain decrement behavior that causes incorrect interaction between put_ucounts and get_ucounts. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-7261 Published on 2017-03-24

The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-7273 Published on 2017-03-27

The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux kernel 4.x before 4.9.4 allows physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-7277 Published on 2017-03-28

The TCP stack in the Linux kernel through 4.10.6 mishandles the SCM_TIMESTAMPING_OPT_STATS feature, which allows local users to obtain sensitive information from the kernel’s internal socket data structures or cause a denial of service (out-of-bounds read) via crafted system calls, related to net/core/skbuff.c and net/socket.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-7346 Published on 2017-03-31

The vmw_gb_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.7 does not validate certain levels data, which allows local users to cause a denial of service (system hang) via a crafted ioctl call for a /dev/dri/renderD* device. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-7472 Published on 2017-05-11

The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-7477 Published on 2017-04-25

Heap-based buffer overflow in drivers/net/macsec.c in the MACsec module in the Linux kernel through 4.10.12 allows attackers to cause a denial of service or possibly have unspecified other impact by leveraging the use of a MAX_SKB_FRAGS+1 size in conjunction with the NETIF_F_FRAGLIST feature, leading to an error in the skb_to_sgvec function. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-7518 Published on 2018-07-30

A flaw was found in the Linux kernel before version 4.12 in the way the KVM module processed the trap flag(TF) bit in EFLAGS during emulation of the syscall instruction, which leads to a debug exception(#DB) being raised in the guest stack. A user/process inside a guest could use this flaw to potentially escalate their privileges inside the guest. Linux guests are not affected by this. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-7533 Published on 2017-08-05

Race condition in the fsnotify implementation in the Linux kernel through 4.12.4 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-7542 Published on 2017-07-21

The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-9059 Published on 2017-05-18

The NFSv4 implementation in the Linux kernel through 4.11.1 allows local users to cause a denial of service (resource consumption) by leveraging improper channel callback shutdown when unmounting an NFSv4 filesystem, aka a “module reference and kernel daemon” leak. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-9211 Published on 2017-05-23

The crypto_skcipher_init_tfm function in crypto/skcipher.c in the Linux kernel through 4.11.2 relies on a setkey function that lacks a key-size check, which allows local users to cause a denial of service (NULL pointer dereference) via a crafted application. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-9242 Published on 2017-05-27

The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2017-9605 Published on 2017-06-13

The vmw_gb_surface_define_ioctl function (accessible via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.11.4 defines a backup_handle variable but does not give it an initial value. If one attempts to create a GB surface, with a previously allocated DMA buffer to be used as a backup buffer, the backup_handle variable does not get written to and is then later returned to user space, allowing local users to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-1000204 Published on 2018-06-26

** DISPUTED ** Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the userspace. This has been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has limited scope, as users don’t usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing chmod o+r+w /dev/sg* to make the devices accessible. NOTE: third parties dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it “virtually impossible to exploit.” According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2018-10021 Published on 2018-04-11

** DISPUTED ** drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party disputes the relevance of this report because the failure can only occur for physically proximate attackers who unplug SAS Host Bus Adapter cables. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-10074 Published on 2018-04-12

The hi3660_stub_clk_probe function in drivers/clk/hisilicon/clk-hi3660-stub.c in the Linux kernel before 4.16 allows local users to cause a denial of service (NULL pointer dereference) by triggering a failure of resource retrieval. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-10322 Published on 2018-04-24

The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a crafted xfs image. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-10323 Published on 2018-04-24

The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-1065 Published on 2018-03-02

The netfilter subsystem in the Linux kernel through 4.15.7 mishandles the case of a rule blob that contains a jump but lacks a user-defined chain, which allows local users to cause a denial of service (NULL pointer dereference) by leveraging the CAP_NET_RAW or CAP_NET_ADMIN capability, related to arpt_do_table in net/ipv4/netfilter/arp_tables.c, ipt_do_table in net/ipv4/netfilter/ip_tables.c, and ip6t_do_table in net/ipv6/netfilter/ip6_tables.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-10853 Published on 2018-09-11

A flaw was found in the way Linux kernel KVM hypervisor before 4.18 emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-10878 Published on 2018-07-26

A flaw was found in the Linux kernel’s ext4 filesystem. A local user can cause an out-of-bounds write and a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4 filesystem image. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-10879 Published on 2018-07-26

A flaw was found in the Linux kernel’s ext4 filesystem. A local user can cause a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a file in a crafted ext4 filesystem image. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-10881 Published on 2018-07-26

A flaw was found in the Linux kernel’s ext4 filesystem. A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-10883 Published on 2018-07-30

A flaw was found in the Linux kernel’s ext4 filesystem. A local user can cause an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-1091 Published on 2018-03-27

In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c in the Linux kernel before 4.13.5, a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-10940 Published on 2018-05-09

The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6 allows local attackers to use an incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-1108 Published on 2018-05-21

kernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel’s implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2018-11232 Published on 2018-05-18

The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-1130 Published on 2018-05-10

Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in dccp_write_xmit() function in net/dccp/output.c that allows a local user to cause a denial of service by a number of certain crafted system calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-12233 Published on 2018-06-12

In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2018-12633 Published on 2018-06-22

An issue was discovered in the Linux kernel through 4.17.2. vbg_misc_device_ioctl() in drivers/virt/vboxguest/vboxguest_linux.c reads the same user data twice with copy_from_user. The header part of the user data is double-fetched, and a malicious user thread can tamper with the critical variables (hdr.size_in and hdr.size_out) in the header between the two fetches because of a race condition, leading to severe kernel errors, such as buffer over-accesses. This bug can cause a local denial of service and information leakage. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-12904 Published on 2018-06-27

In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial of service attacks due to lack of checking of CPL. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-13093 Published on 2018-07-03

An issue was discovered in fs/xfs/xfs_icache.c in the Linux kernel through 4.17.3. There is a NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during allocation. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2018-13094 Published on 2018-07-03

An issue was discovered in fs/xfs/libxf-s/xfs_attr_leaf.c in the Linux kernelthrough 4.17.3. An OOPS may oc-cur for a corrupted xfs image afterxfs_da_shrink_inode() is called with aNULL bp.According to the vulnerability’s CVSSv2rating, the vulnerability can be exploitedremotely.

Medium 4.1.8

CVE-2018-13095 Published on 2018-07-03

An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. A denial of service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2018-13096 Published on 2018-07-03

An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3. A denial of service (out-of-bounds memory access and BUG) can occur upon encountering an abnormal bitmap size when mounting a crafted f2fs image. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2018-13097 Published on 2018-07-03

An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3. There is an out-of-bounds read or a divide-by-zero error for an incorrect user_block_count in a corrupted f2fs image, leading to a denial of service (BUG). According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2018-13098 Published on 2018-07-03

An issue was discovered in fs/f2fs/inode.c in the Linux kernel through 4.17.3. A denial of service (slab out-of-bounds read and BUG) can occur for a modified f2fs filesystem image in which FI_EXTRA_ATTR is set in an inode. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2018-13099 Published on 2018-07-03

An issue was discovered in fs/f2fs/inline.c in the Linux kernel through 4.17.3. A denial of service (out-of-bounds memory access and BUG) can occur for a modified f2fs filesystem image in which an inline inode contains an invalid reserved blkaddr. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2018-13100 Published on 2018-07-03

An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3, which does not properly validate secs_per_zone in a corrupted f2fs image, as demonstrated by a divide-by-zero error. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2018-13405 Published on 2018-07-06

The inode_init_owner function in fs/inode.c in the Linux kernel through 4.17.4 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-14646 Published on 2018-11-26

The Linux kernel before 4.15-rc8 was found to be vulnerable to a NULL pointer dereference bug in the __netlink_ns_capable() function in the net/netlink/af_netlink.c file. A local attacker could exploit this when a net namespace with a netnsid is assigned to cause a kernel panic and a denial of service. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-14734 Published on 2018-07-30

drivers/infiniband/core/ucma.c in the Linux kernel through 4.17.11 allows ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allows attackers to cause a denial of service (use-after-free). According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-15471 Published on 2018-08-17

An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c in the Linux kernel through 4.18.1, as used in Xen through 4.11.x and other products. The Linux netback driver allows frontends to control mapping of requests to request queues. When processing a request to set or change this mapping, some input validation (e.g., for an integer overflow) was missing or flawed, leading to OOB access in hash handling. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in one or more of privilege escalation, Denial of Service (DoS), or information leaks. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-16597 Published on 2018-09-21

An issue was discovered in the Linux kernel before 4.8. Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-17972 Published on 2018-10-04

An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-18281 Published on 2018-10-30

Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-18559 Published on 2018-10-22

In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2018-18690 Published on 2018-10-26

In the Linux kernel before 4.17, a local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE operations with conversion of an attr from short to long form. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-19406 Published on 2018-11-21

kvm_pv_send_ipi in arch/x86/kvm/lapic.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where the apic map is uninitialized. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-19407 Published on 2018-11-21

The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-19824 Published on 2018-12-03

In the Linux kernel through 4.19.6, a local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-5333 Published on 2018-01-11

In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-5344 Published on 2018-01-12

In the Linux kernel through 4.14.13, drivers/block/loop.c mishandles lo_release serialization, which allows attackers to cause a denial of service (__lock_acquire use-after-free) or possibly have unspecified other impact. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-6412 Published on 2018-01-31

In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c in the Linux kernel through 4.15, an integer signedness error allows arbitrary information leakage for the FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2018-6554 Published on 2018-09-04

Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-6927 Published on 2018-02-12

The futex_requeue function in kernel/futex.c in the Linux kernel before 4.14.15 might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-7273 Published on 2018-02-21

In the Linux kernel through 4.15.4, the floppy driver reveals the addresses of kernel functions and global variables using printk calls within the function show_floppy in drivers/block/floppy.c. An attacker can read this information from dmesg and use the addresses to find the locations of kernel code and data and bypass kernel security protections such as KASLR. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-7740 Published on 2018-03-07

The resv_map_release function in mm/hugetlb.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (BUG) via a crafted application that makes mmap system calls and has a large pgoff argument to the remap_file_pages system call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-7995 Published on 2018-03-09

** DISPUTED ** Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck directory. NOTE: a third party has indicated that this report is not security relevant. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2018-8087 Published on 2018-03-13

Memory leak in the hwsim_new_radio_nl function in drivers/net/wireless/mac80211_hwsim.c in the Linux kernel through 4.15.9 allows local users to cause a denial of service (memory consumption) by triggering an out-of-array error case. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2019-11190 Published on 2019-04-12

The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2019-11486 Published on 2019-04-24

The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2019-11599 Published on 2019-04-29

The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2019-3900 Published on 2019-04-25

An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Medium 4.1.8

CVE-2019-7221 Published on 2019-03-21

The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2019-7308 Published on 2019-02-01

kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2019-9857 Published on 2019-03-21

In the Linux kernel through 5.0.2, the function inotify_update_existing_watch() in fs/notify/inotify/inotify_user.c neglects to call fsnotify_put_mark() with IN_MASK_CREATE after fsnotify_find_mark(), which will cause a memory leak (aka refcount leak). Finally, this will cause a denial of service. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Medium 4.1.8

CVE-2015-2877 Published on 2017-03-03

** DISPUTED ** Kernel Samepage Merging (KSM) in the Linux kernel 2.6.32 through 4.x does not prevent use of a write-timing side channel, which allows guest OS users to defeat the ASLR protection mechanism on other guest OS instances via a Cross-VM ASL INtrospection (CAIN) attack. NOTE: the vendor states “Basically if you care about this attack vector, disable deduplication.” Share-until-written approaches for memory conservation among mutually untrusting tenants are inherently detectable for information disclosure, and can be classified as potentially misunderstood behaviors rather than vulnerabilities. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2015-7872 Published on 2015-11-16

The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 4.2.6 allows local users to cause a denial of service (OOPS) via crafted keyctl commands. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2015-7884 Published on 2015-12-28

The vivid_fb_ioctl function in drivers/media/platform/vivid/vivid-osd.c in the Linux kernel through 4.3.3 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a crafted application. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2015-7885 Published on 2015-12-28

The dgnc_mgmt_ioctl function in drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel through 4.3.3 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a crafted application. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2015-8374 Published on 2015-12-28

fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles compressed inline extents, which allows local users to obtain sensitive pre-truncation information from a file via a clone action. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2015-8569 Published on 2015-12-28

The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel through 4.3.3 do not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2015-8575 Published on 2016-02-08

The sco_sock_bind function in net/bluetooth/sco.c in the Linux kernel before 4.3.4 does not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2015-8952 Published on 2016-10-16

The mbcache feature in the ext2 and ext4 filesystem implementations in the Linux kernel before 4.6 mishandles xattr block caching, which allows local users to cause a denial of service (soft lockup) via filesystem operations in environments that use many attributes, as demonstrated by Ceph and Samba. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2015-8956 Published on 2016-10-10

The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2016-2085 Published on 2016-04-27

The evm_verify_hmac function in security/integrity/evm/evm_main.c in the Linux kernel before 4.5 does not properly copy data, which makes it easier for local users to forge MAC values via a timing side-channel attack. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2016-2383 Published on 2016-04-27

The adjust_branches function in kernel/bpf/verifier.c in the Linux kernel before 4.5 does not consider the delta in the backward-jump case, which allows local users to obtain sensitive information from kernel memory by creating a packet filter and then loading crafted BPF instructions. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2016-2549 Published on 2016-04-27

sound/core/hrtimer.c in the Linux kernel before 4.4.1 does not prevent recursive callback access, which allows local users to cause a denial of service (deadlock) via a crafted ioctl call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2016-3156 Published on 2016-04-27

The IPv4 implementation in the Linux kernel before 4.5.2 mishandles destruction of device objects, which allows guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2016-4482 Published on 2016-05-23

The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2016-4486 Published on 2016-05-23

The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2016-4569 Published on 2016-05-23

The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2016-4578 Published on 2016-05-23

sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2016-5243 Published on 2016-06-27

The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel through 4.6.3 does not properly copy a certain string, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2016-6130 Published on 2016-07-03

Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel before 4.6 allows local users to obtain sensitive information from kernel memory by changing a certain length value, aka a “double fetch” vulnerability. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2016-6136 Published on 2016-08-06

Race condition in the audit_log_single_execve_arg function in kernel/auditsc.c in the Linux kernel through 4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by changing a certain string, aka a “double fetch” vulnerability. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2016-6156 Published on 2016-08-06

Race condition in the ec_device_ioctl_xcmd function in drivers/platform/chrome/cros_ec_dev.c in the Linux kernel before 4.7 allows local users to cause a denial of service (out-of-bounds array access) by changing a certain size value, aka a “double fetch” vulnerability. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2016-7097 Published on 2016-10-16

The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr call, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2016-9178 Published on 2016-11-28

The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel before 4.7.5 does not initialize a certain integer variable, which allows local users to obtain sensitive information from kernel stack memory by triggering failure of a get_user_ex call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2016-9588 Published on 2016-12-28

arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2016-9604 Published on 2018-07-11

It was discovered in the Linux kernel before 4.11-rc8 that root can gain direct access to an internal keyring, such as ‘.dns_resolver’ in RHEL-7 or ‘.builtin_trusted_keys’ upstream, by joining it as its session keyring. This allows root to bypass module signature verification by adding a new public key of its own devising to the keyring. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2016-9756 Published on 2016-12-28

arch/x86/kvm/emulate.c in the Linux kernel before 4.8.12 does not properly initialize Code Segment (CS) in certain error cases, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-1000252 Published on 2017-09-26

The KVM subsystem in the Linux kernel through 4.13.3 allows guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of-bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-1000380 Published on 2017-06-17

sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-11472 Published on 2017-07-20

The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-12154 Published on 2017-09-26

The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the “CR8-load exiting” and “CR8-store exiting” L0 vmcs02 controls exist in cases where L1 omits the “use TPR shadow” vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the hardware CR8 register. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-13694 Published on 2017-08-25

The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-13695 Published on 2017-08-25

The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-14140 Published on 2017-09-05

The move_pages system call in mm/migrate.c in the Linux kernel before 4.12.9 doesn’t check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-14156 Published on 2017-09-05

The atyfb_ioctl function in drivers/video/fbdev/aty/atyfb_base.c in the Linux kernel through 4.12.10 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading locations associated with padding bytes. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-14954 Published on 2017-10-02

The waitid implementation in kernel/exit.c in the Linux kernel through 4.13.4 accesses rusage data structures in unintended cases, which allows local users to obtain sensitive information, and bypass the KASLR protection mechanism, via a crafted system call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-14991 Published on 2017-10-04

The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-15537 Published on 2017-10-17

The x86/fpu (Floating Point Unit) subsystem in the Linux kernel before 4.13.5, when a processor supports the xsave feature but not the xsaves feature, does not correctly handle attempts to set reserved bits in the xstate header via the ptrace() or rt_sigreturn() system call, allowing local users to read the FPU registers of other processes on the system, related to arch/x86/kernel/fpu/regset.c and arch/x86/kernel/fpu/signal.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-16994 Published on 2017-11-27

The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-17449 Published on 2017-12-07

The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4, when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net namespace, which allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-17741 Published on 2017-12-18

The KVM implementation in the Linux kernel through 4.14.7 allows attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-17807 Published on 2017-12-21

The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task’s “default request-key keyring” via the request_key() system call, allowing a local user to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-17864 Published on 2017-12-27

kernel/bpf/verifier.c in the Linux kernel through 4.14.8 mishandles states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allows local users to obtain potentially sensitive address information, aka a “pointer leak.” According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-18203 Published on 2018-02-27

The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel before 4.14.3 allows local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-18204 Published on 2018-02-27

The ocfs2_setattr function in fs/ocfs2/file.c in the Linux kernel before 4.14.2 allows local users to cause a denial of service (deadlock) via DIO requests. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-18216 Published on 2018-03-05

In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local users can cause a denial of service (NULL pointer dereference and BUG) because a required mutex is not used. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-18224 Published on 2018-03-12

In the Linux kernel before 4.15, fs/ocfs2/aops.c omits use of a semaphore and consequently has a race condition for access to the extent tree during read operations in DIRECT mode, which allows local users to cause a denial of service (BUG) by modifying a certain e_cpos field. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-18232 Published on 2018-03-15

The Serial Attached SCSI (SAS) implementation in the Linux kernel through 4.15.9 mishandles a mutex within libsas, which allows local users to cause a denial of service (deadlock) by triggering certain error-handling code. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-18270 Published on 2018-05-18

In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted defaults or causing a denial of service. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-18344 Published on 2018-07-26

The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn’t properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE). According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-2584 Published on 2017-01-15

arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free) via a crafted application that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-5549 Published on 2017-02-06

The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in the Linux kernel before 4.9.5 places uninitialized heap-memory contents into a log entry upon a failure to read the line status, which allows local users to obtain sensitive information by reading the log. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-5550 Published on 2017-02-06

Off-by-one error in the pipe_advance function in lib/iov_iter.c in the Linux kernel before 4.9.5 allows local users to obtain sensitive information from uninitialized heap-memory locations in opportunistic circumstances by reading from a pipe after an incorrect buffer-release decision. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-5551 Published on 2017-02-06

The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-5967 Published on 2017-02-14

The time subsystem in the Linux kernel through 4.9.9, when CONFIG_TIMER_STATS is enabled, allows local users to discover real PID values (as distinguished from PID values inside a PID namespace) by reading the /proc/timer_list file, related to the print_timer function in kernel/time/timer_list.c and the __timer_stats_timer_set_start_info function in kernel/time/timer.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-7495 Published on 2017-05-15

fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=ordered mode is used, mishandles a needs-flushing-before-commit list, which allows local users to obtain sensitive information from other users’ files in opportunistic circumstances by waiting for a hardware reset, creating a new file, making write system calls, and reading this file. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-7616 Published on 2017-04-10

Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel through 4.10.9 allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-8924 Published on 2017-05-12

The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel before 4.10.4 allows local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-8925 Published on 2017-05-12

The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel before 4.10.4 allows local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2017-9150 Published on 2017-05-23

The do_check function in kernel/bpf/verifier.c in the Linux kernel before 4.11.1 does not make the allow_ptr_leaks value available for restricting the output of the print_bpf_insn function, which allows local users to obtain sensitive address information via crafted bpf system calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-10087 Published on 2018-04-13

The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-10124 Published on 2018-04-16

The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-1120 Published on 2018-06-20

A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process’s memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc//cmdline (or /proc//environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks). According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Low 4.1.8

CVE-2018-11508 Published on 2018-05-28

The compat_get_timex function in kernel/compat.c in the Linux kernel before 4.16.9 allows local users to obtain sensitive information from kernel memory via adjtimex. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-12896 Published on 2018-07-02

An issue was discovered in the Linux kernel through 4.17.3. An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically makes the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-13053 Published on 2018-07-02

The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Linux kernel through 4.17.3 has an integer overflow via a large relative timeout because ktime_add_safe is not used. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-14656 Published on 2018-10-09

A missing address check in the callers of the show_opcodes() in the Linux kernel allows an attacker to dump the kernel memory at an arbitrary kernel address into the dmesg log. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-15572 Published on 2018-08-20

The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1 does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-userspace spectreRSB attacks. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-15594 Published on 2018-08-20

arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-16658 Published on 2018-09-07

An issue was discovered in the Linux kernel before 4.18.6. An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-16862 Published on 2018-11-26

A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-18021 Published on 2018-10-07

arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the arm64 platform mishandles the KVM_SET_ON_REG ioctl. This is exploitable by attackers who can create virtual machines. An attacker can arbitrarily redirect the hypervisor flow of control (with full register control). An attacker can also cause a denial of service (hypervisor panic) via an illegal exception return. This occurs because of insufficient restrictions on userspace access to the core register file, and because PSTATE.M validation does not prevent unintended execution modes. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-18386 Published on 2018-10-17

drivers/tty/n_tty.c in the Linux kernel before 4.14.11 allows local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-18397 Published on 2018-12-12

The userfaultfd implementation in the Linux kernel before 4.19.7 mishandles access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-18710 Published on 2018-10-29

An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-19854 Published on 2018-12-04

An issue was discovered in the Linux kernel before 4.19.3. crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a CVE-2013-2547 regression but with easier exploitability because the attacker does not need a capability (however, the system must have the CONFIG_CRYPTO_USER kconfig option). According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-19985 Published on 2019-03-21

The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allows arbitrary read in the kernel address space. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-20511 Published on 2018-12-27

An issue was discovered in the Linux kernel before 4.18.11. The ipddp_ioctl function in drivers/net/appletalk/ipddp.c allows local users to obtain sensitive kernel address information by leveraging CAP_NET_ADMIN to read the ipddp_route dev and next fields via an SIOCFINDIPDDPRT ioctl call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-5750 Published on 2018-01-26

The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-5953 Published on 2018-08-07

The swiotlb_print_info function in lib/swiotlb.c in the Linux kernel through 4.14.14 allows local users to obtain sensitive address information by reading dmesg data from a “software IO TLB” printk call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-5995 Published on 2018-08-07

The pcpu_embed_first_chunk function in mm/percpu.c in the Linux kernel through 4.14.14 allows local users to obtain sensitive address information by reading dmesg data from a “pages/cpu” printk call. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-7754 Published on 2018-08-10

The aoedisk_debugfs_show function in drivers/block/aoe/aoeblk.c in the Linux kernel through 4.16.4rc4 allows local users to obtain sensitive address information by reading “ffree:” lines in a debugfs file. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Low 4.1.8

CVE-2018-7755 (published on 2018-03-08)

An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Severity: Low | Vulnerable version(s): 4.1.8

CVE-2018-7757 (published on 2018-03-08)

Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Severity: Low | Vulnerable version(s): 4.1.8

CVE-2018-8043 (published on 2018-03-10)

The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c in the Linux kernel through 4.15.8 does not validate certain resource availability, which allows local users to cause a denial of service (NULL pointer dereference). According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Severity: Low | Vulnerable version(s): 4.1.8


CVE-2019-11191 (published on 2019-04-12)

The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout is loaded, allows local users to bypass ASLR on setuid a.out programs (if any exist) because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Severity: Low | Vulnerable version(s): 4.1.8

CVE-2019-11884 (published on 2019-05-11)

The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a ‘\0’ character. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Severity: Low | Vulnerable version(s): 4.1.8

CVE-2019-3459 (published on 2019-04-11)

A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before 5.1-rc1.

Severity: Low | Vulnerable version(s): 4.1.8

CVE-2019-3460 (published on 2019-04-11)

A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel before 5.1-rc1.

Severity: Low | Vulnerable version(s): 4.1.8


CVE-2019-3901 (published on 2019-04-22)

A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs. As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls. This issue affects kernel versions before 4.8. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Severity: Low | Vulnerable version(s): 4.1.8

CVE-2019-5489 (published on 2019-01-07)

The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Severity: Low | Vulnerable version(s): 4.1.8

CVE-2019-7222 (published on 2019-03-21)

The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Severity: Low | Vulnerable version(s): 4.1.8


MiniUPnPd CVE entries (short form)

Finding ID: 7 | Severity: High | Confidence: Tentative

The firmware contains MiniUPnPd versions affected by two published vulnerabilities. For brevity several vulnerabilities in MiniUPnPd are summarized in this short form vulnerability. The severity of this vulnerability is determined by the vulnerability with the highest risk.

Columns: CVE-ID, Description, Severity, Vulnerable version(s)

CVE-2017-8798 (published on 2017-05-11)

Integer signedness error in MiniUPnP MiniUPnPc v1.4.20101221 through v2.0 allows remote attackers to cause a denial of service or possibly have unspecified other impact. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Severity: High | Vulnerable version(s): 1.9

CVE-2014-3985 (published on 2014-09-11)

The getHTTPResponse function in miniwget.c in MiniUPnP 1.9 allows remote attackers to cause a denial of service (crash) via crafted headers that trigger an out-of-bounds read. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Severity: Medium | Vulnerable version(s): 1.9


Dnsmasq CVE entries (short form)

Finding ID: 8 | Severity: Medium | Confidence: Tentative

The firmware contains Dnsmasq versions affected by one published vulnerability. For brevity several vulnerabilities in Dnsmasq are summarized in this short form vulnerability. The severity of this vulnerability is determined by the vulnerability with the highest risk.

Columns: CVE-ID, Description, Severity, Vulnerable version(s)

CVE-2017-15107 (published on 2018-01-23)

A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and including 2.78. Wildcard synthesized NSEC records could be improperly interpreted to prove the non-existence of hostnames that actually exist. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Severity: Medium | Vulnerable version(s): 2.78


Linux Kernel Privilege Escalation “pp_key”

Finding ID: 9 | Severity: Medium | Confidence: Tentative

The firmware contains Linux Kernel versions affected by Privilege Escalation “pp_key”. Vulnerable version 4.1.8 of Linux Kernel was found in the firmware. The vulnerability affects Linux Kernel versions 3.8.0 through versions lower than 4.4.1 and was published on 2016-01-14. The version matches several files in the firmware. The version information was obtained from the following files:

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/act_mirred.ko

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/act_skbedit.ko

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/arc4.ko

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/auto_bridge.ko

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/c2krv340_gpio_reset.ko

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/cdc-acm.ko

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/cdc-wdm.ko

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/cdc_ether.ko

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/cdc_ncm.ko

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/cls_flow.ko

• 182 remaining elements truncated

References

• CVE-2016-0728 in NIST National Vulnerability Database (NVD)

• Perception Point: Analysis and Exploitation of a Linux Kernel Vulnerability (CVE-2016-0728)


OpenSSL CVE entries (short form)

Finding ID: 10 | Severity: Medium | Confidence: Tentative

The firmware contains OpenSSL versions affected by six published vulnerabilities. For brevity several vulnerabilities in OpenSSL are summarized in this short form vulnerability. The severity of this vulnerability is determined by the vulnerability with the highest risk.

Columns: CVE-ID, Description, Severity, Vulnerable version(s)

CVE-2018-0732 (published on 2018-06-12)

During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o). According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Severity: Medium | Vulnerable version(s): 1.0.2o

CVE-2018-0734 (published on 2018-10-30)

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p). According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Severity: Medium | Vulnerable version(s): 1.0.2o


Table 4.11 (continued). Columns: CVE-ID, Description, Severity, Vulnerable version(s)

CVE-2018-0737 (published on 2018-04-16)

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o). According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Severity: Medium | Vulnerable version(s): 1.0.2o

CVE-2019-1559 (published on 2019-02-28)

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable “non-stitched” ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q). According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Severity: Medium | Vulnerable version(s): 1.0.2o


CVE-2016-7055 (published on 2017-05-04)

There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker’s direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected. According to the vulnerability’s CVSSv2 rating, the vulnerability can be exploited remotely.

Severity: Low | Vulnerable version(s): 1.0.2o

CVE-2018-5407 (published on 2018-11-15)

Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on ‘port contention’. According to the vulnerability’s CVSSv2 rating, local access is necessary to exploit the vulnerability.

Severity: Low | Vulnerable version(s): 1.0.2o


Unwanted software: GNU Debugger (gdb)

Finding ID: 11 | Severity: Low | Confidence: Certain

The unwanted software pattern for GNU Debugger (gdb) matches one file in the firmware. The GNU Debugger helps an attacker during the analysis of vulnerabilities, e.g. the creation of exploits for memory corruption vulnerabilities. If the GNU Debugger is not available, an attacker must compile and upload the GNU Debugger to the system before using it. This component is not required for the proper operation of the system.

The file is:

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/bin/gdb

References

• gdb(1) - Linux man page


Unwanted software: tcpdump

Finding ID: 12 | Severity: Low | Confidence: Certain

The unwanted software pattern for tcpdump matches one file in the firmware. tcpdump allows an attacker to sniff network traffic on the network interfaces of the system. If tcpdump is not available, an attacker must compile and upload tcpdump to the system before using it.

The file is:

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/sbin/tcpdump

References

• tcpdump(8) - Linux man page


Management protocol: UPnP (Universal Plug and Play)

Finding ID: 13 | Severity: Information | Confidence: Certain

The firmware seems to contain an implementation of the UPnP (Universal Plug and Play) protocol.

Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other’s presence on the network and establish functional network services for data sharing, communications, and entertainment. UPnP is intended for residential users and should not be used in enterprise environments.

Security track record

The technology is based on XML/SOAP and HTTP as well as UDP (UPnP discovery protocol, SSDP). UPnP does not support authentication, instead all clients on the network are considered trustworthy. Furthermore UPnP does not support encryption.

From a security view, the most interesting functionality UPnP offers is NAT traversal. Clients can request a UPnP-capable router (an UPnP Internet Gateway Device, IGD) to add a port mapping, making a local or IP/port accessible to the internet. Some implementations allow to set up port mapping to report IPs/ports. Another functionality of UPnP is to set the DNS server of a UPnP-capable router.

Multiple vulnerabilities have been found in the implementation of UPnP server components, ranging from command injection vulnerabilities to various memory corruption issues (e.g. buffer overflow vulnerabilities).

On various devices UPnP is exposed on the WAN interface, making it available to everyone on the internet. The root cause is usually a misconfiguration by the device vendor. This allows attackers to access hosts on the local network, or abuse devices as proxy servers by forwarding a port to an IP-address on the internet.

The files containing the implementation are:

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/bin/wps_monitor

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/bin/upnp_cp

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/lib/libbcmupnp.so

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/sbin/miniupnpd

References

• Wikipedia Article: Universal Plug and Play

• Rapid7 Blog Post: Security Flaws in Universal Plug and Play: Unplug. Don’t Play.

• Rapid7 Whitepaper: Security Flaws in Universal Plug and Play: Unplug. Don’t Play.

• VU#357851 in CERT-CC Vulnerability Notes Database

• VU#922681 in CERT-CC Vulnerability Notes Database

• VU#347812 in CERT-CC Vulnerability Notes Database


Management protocol: Wi-Fi Protected Setup (WPS)

Finding ID: 14 | Severity: Information | Confidence: Certain

The firmware seems to contain an implementation of the Wi-Fi Protected Setup (WPS) protocol.

Wi-Fi Protected Setup (WPS; originally, Wi-Fi Simple Config) is a protocol designed to ease the task of setting up and configuring security on Wi-Fi networks, including setting up encryption and choosing a secure passphrase.

WPS supports out-of-band configuration over Ethernet/UPnP (also NFC is mentioned in the specification) or in-band configuration over Wi-Fi (IEEE 802.11/EAP). WPS is intended for residential users and should not be used in enterprise environments.

Security track record

Design flaw: WPS suffers from a flaw in the protocol design that allows an attacker within the physical reach of a WPS-capable router to brute force a WPS PIN within, at most, 11.000 attempts. The PIN allows the attacker to retrieve the Wi-Fi configuration, including the WPA passphrase of a device, or to change the Wi-Fi configuration. Some implementations have introduced a lock-down period that disabled the PIN authentication method for long enough to make the attack impractical.

Implementation flaws: Multiple vulnerabilities have been found in the implementation of WPS, ranging from command injection vulnerabilities to vulnerabilities related to the generation of WPS PINs. Some devices use static PINs (same PIN every device), others use PINs derived from the device MAC address, others use an insecure Pseudorandom Number Generator (PRNG) to generate the WPS PIN (“Pixie Dust” attack).

The file containing the implementation is:

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/bin/wps_monitor

References

• Wikipedia Article: Wi-Fi Protected Setup

• Stefan Viehböck: Brute forcing Wi-Fi Protected Setup

• VU#723755 in CERT-CC Vulnerability Notes Database

• Kali Forums: WPS Pixie Dust Attack

• RouterSecurity.org Article on WPS

• Trustwave Spider Labs: Linksys OS command injection during WPS setup

• SEC Consult Advisory: Vodafone EasyBox Default WPS PIN Algorithm Weakness

• Github: reaver-wps-fork-t6x

• Github: pixiewps

• Github: bully


Software component detection

Finding ID: 15 | Severity: Information | Confidence: Firm

The following software was found in the firmware:

Component Version Released

Broadcom bcmupnpd N/A
BusyBox 1.23.2 03/2015
curl 7.40.0
Dnsmasq 2.78
Dropbear SSH 2015.67 06/2015
GNU glibc 2.19 02/2014
Linux Kernel 4.1.8 09/2015
MiniUPnPd 1.9
OpenSSL 1.0.2o

Version information for Broadcom bcmupnpd ? was found in the following file:

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/lib/libbcmupnp.so

Version information for BusyBox 1.23.2 was found in the following files:

• /openwrt-comcerto2000-hgw-rootfs-ubi_nand.img

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/bin/busybox

Version information for curl 7.40.0 was found in the following files:

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/bin/curl

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/lib/libcurl.so.4.3.0

Version information for Dnsmasq 2.78 was found in the following file:

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/sbin/dnsmasq

Version information for Dropbear SSH 2015.67 was found in the following file:

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/sbin/dropbear

Version information for GNU glibc 2.19 was found in the following file:

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/libc-2.19.so

Version information for Linux Kernel 4.1.8 was found in the following files:

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/act_mirred.ko

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/act_skbedit.ko

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/arc4.ko


• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/auto_bridge.ko

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/c2krv340_gpio_reset.ko

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/cdc-acm.ko

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/cdc_ether.ko

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/cdc_ncm.ko

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/cdc-wdm.ko

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/lib/modules/4.1.8/cls_flow.ko

• 182 remaining elements truncated

Version information for MiniUPnPd 1.9 was found in the following file:

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/sbin/miniupnpd

Version information for OpenSSL 1.0.2o was found in the following files:

• /openwrt-comcerto2000-hgw-rootfs-ubi_nand.img

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/bin/openssl

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/lib/libcrypto.so.1.0.0

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/lib/libssl.so.1.0.0

• /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/sbin/nginx


X.509 Certificates

Finding ID: 16 | Severity: Information | Confidence: Certain

The following certificates were found in the firmware:

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/lib/python2.7/site-packages/pnp/data/cco_ca.pem contains the following certificate:

C=US, O=Cisco Systems, CN=Cisco RXC-R2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/lib/python2.7/site-packages/pnp/data/RootBundlerSigner.cer contains the following certificate:

O=Cisco, OU=Bundle Signing, CN=Trusted Root Store Signer

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/lib/python2.7/site-packages/pnp/data/crcam1.pem contains the following certificate:

O=Cisco, CN=Cisco Root CA M1

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Atos_TrustedRoot_2011.crt contains the following certificate:

CN=Atos TrustedRoot 2011, O=Atos, C=DE

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/NetLock_Notary_Class_A_Root.crt contains the following certificate:

C=HU, ST=Hungary, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok, CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/NetLock_Arany_Class_Gold_F_tan_s_tv_ny.crt contains the following certificate:

C=HU, L=Budapest, O=NetLock Kft., OU=Tan\xC3\xBAs\xC3\xADtv\xC3\xA1nykiad\xC3\xB3k (Certification Services), CN=NetLock Arany (Class Gold) F\xC5\x91tan\xC3\xBAs\xC3\xADtv\xC3\xA1ny

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/China_Internet_Network_Information_Center_EV_Certificates_Root.crt contains the following certificate:

C=CN, O=China Internet Network Information Center, CN=China Internet Network Information Center EV Certificates Root

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/QuoVadis_Root_CA_2_G3.crt contains the following certificate:

C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3


The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Buypass_Class_3_CA_1.crt contains the following certificate:

C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 CA 1

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Global_Chambersign_Root_2008.crt contains the following certificate:

C=EU, L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/ComSign_Secured_CA.crt contains the following certificate:

CN=ComSign Secured CA, O=ComSign, C=IL

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Chambers_of_Commerce_Root_2008.crt contains the following certificate:

C=EU, L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.crt contains the following certificate:

C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/ApplicationCA_Japanese_Government.crt contains the following certificate:

C=JP, O=Japanese Government, OU=ApplicationCA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Verisign_Class_4_Public_Primary_Certification_Authority_G3.crt contains the following certificate:

C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 4 Public Primary Certification Authority - G3

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/AddTrust_Low_Value_Services_Root.crt contains the following certificate:

C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Class 1 CA Root

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/GeoTrust_Global_CA.crt contains the following certificate:

C=US, O=GeoTrust Inc., CN=GeoTrust Global CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Buypass_Class_2_CA_1.crt contains the following certificate:

C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 CA 1

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Swisscom_Root_CA_2.crt contains the following certificate:

C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root CA 2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/NetLock_Express_Class_C_Root.crt contains the following certificate:

C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok, CN=NetLock Expressz (Class C) Tanusitvanykiado

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/GeoTrust_Primary_Certification_Authority_G3.crt contains the following certificate:

C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G3

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/T_TeleSec_GlobalRoot_Class_3.crt contains the following certificate:

C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/DigiCert_Trusted_Root_G4.crt contains the following certificate:

C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/AffirmTrust_Premium_ECC.crt contains the following certificate:

C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/COMODO_RSA_Certification_Authority.crt contains the following certificate:

C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/certSIGN_ROOT_CA.crt contains the following certificate:

C=RO, O=certSIGN, OU=certSIGN ROOT CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Go_Daddy_Root_Certificate_Authority_G2.crt contains the following certificate:

C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/DigiCert_Assured_ID_Root_G2.crt contains the following certificate:

C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/EE_Certification_Centre_Root_CA.crt contains the following certificate:

C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA/[email protected]

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/TURKTRUST_Certificate_Services_Provider_Root_2007.crt contains the following certificate:

CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1, C=TR, L=Ankara, O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c) Aral\xC4\xB1k 2007

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/GlobalSign_Root_CA_R3.crt contains the following certificate:

OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Staat_der_Nederlanden_Root_CA.crt contains the following certificate:

C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Camerfirma_Chambers_of_Commerce_Root.crt contains the following certificate:

C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Chambers of Commerce Root

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Sonera_Class_2_Root_CA.crt contains the following certificate:

C=FI, O=Sonera, CN=Sonera Class2 CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Starfield_Class_2_CA.crt contains the following certificate:

C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/SwissSign_Platinum_CA_G2.crt contains the following certificate:

C=CH, O=SwissSign AG, CN=SwissSign Platinum CA - G2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/SwissSign_Gold_CA_G2.crt contains the following certificate:

C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/T_TeleSec_GlobalRoot_Class_2.crt contains the following certificate:

C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Certum_Root_CA.crt contains the following certificate:

C=PL, O=Unizeto Sp. z o.o., CN=Certum CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Buypass_Class_3_Root_CA.crt contains the following certificate:

C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Security_Communication_RootCA2.crt contains the following certificate:

C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Verisign_Class_2_Public_Primary_Certification_Authority_G3.crt contains the following certificate:

C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 2 Public Primary Certification Authority - G3

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Comodo_Secure_Services_root.crt contains the following certificate:

C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Secure Certificate Services

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Secure_Global_CA.crt contains the following certificate:

C=US, O=SecureTrust Corporation, CN=Secure Global CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Cybertrust_Global_Root.crt contains the following certificate:

O=Cybertrust, Inc, CN=Cybertrust Global Root

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/GeoTrust_Primary_Certification_Authority.crt contains the following certificate:

C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/GlobalSign_ECC_Root_CA_R5.crt contains the following certificate:

OU=GlobalSign ECC Root CA - R5, O=GlobalSign, CN=GlobalSign

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/AddTrust_Public_Services_Root.crt contains the following certificate:

C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Public CA Root

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/COMODO_Certification_Authority.crt contains the following certificate:

C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/StartCom_Certification_Authority.crt contains the following certificate:

C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/NetLock_Business_Class_B_Root.crt contains the following certificate:

C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok, CN=NetLock Uzleti (Class B) Tanusitvanykiado

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Izenpe.com.crt contains the following certificate:

C=ES, O=IZENPE S.A., CN=Izenpe.com

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/TC_TrustCenter_Class_2_CA_II.crt contains the following certificate:

C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Class 2 CA, CN=TC TrustCenter Class 2 CA II

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/GlobalSign_ECC_Root_CA_R4.crt contains the following certificate:

OU=GlobalSign ECC Root CA - R4, O=GlobalSign, CN=GlobalSign

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/AffirmTrust_Premium.crt contains the following certificate:

C=US, O=AffirmTrust, CN=AffirmTrust Premium

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Baltimore_CyberTrust_Root.crt contains the following certificate:

C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Microsec_e_Szigno_Root_CA_2009.crt contains the following certificate:

C=HU, L=Budapest, O=Microsec Ltd., CN=Microsec e-Szigno Root CA 2009/[email protected]

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Equifax_Secure_Global_eBusiness_CA.crt contains the following certificate:

C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/NetLock_Qualified_Class_QA_Root.crt contains the following certificate:

C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok, CN=NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado/[email protected]

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/IdenTrust_Commercial_Root_CA_1.crt contains the following certificate:

C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/CNNIC_ROOT.crt contains the following certificate:

C=CN, O=CNNIC, CN=CNNIC ROOT

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/UTN_DATACorp_SGC_Root_CA.crt contains the following certificate:

C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN - DATACorp SGC

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Root_CA_Generalitat_Valenciana.crt contains the following certificate:

C=ES, O=Generalitat Valenciana, OU=PKIGVA, CN=Root CA Generalitat Valenciana

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/CFCA_EV_ROOT.crt contains the following certificate:

C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Trustis_FPS_Root_CA.crt contains the following certificate:

C=GB, O=Trustis Limited, OU=Trustis FPS Root CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Buypass_Class_2_Root_CA.crt contains the following certificate:

C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 Root CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Camerfirma_Global_Chambersign_Root.crt contains the following certificate:

C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Global Chambersign Root

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/TWCA_Root_Certification_Authority.crt contains the following certificate:

C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/GeoTrust_Global_CA_2.crt contains the following certificate:

C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Certinomis_Autorit_Racine.crt contains the following certificate:

C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Autorit\xC3\xA9 Racine

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/thawte_Primary_Root_CA_G3.crt contains the following certificate:

C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2008 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G3

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/CA_Disig.crt contains the following certificate:

C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Certplus_Class_2_Primary_CA.crt contains the following certificate:

C=FR, O=Certplus, CN=Class 2 Primary CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/TURKTRUST_Certificate_Services_Provider_Root_2.crt contains the following certificate:

CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1, C=TR, L=Ankara, O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c) Kas\xC4\xB1m 2005

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Network_Solutions_Certificate_Authority.crt contains the following certificate:

C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/USERTrust_ECC_Certification_Authority.crt contains the following certificate:

C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/thawte_Primary_Root_CA_G2.crt contains the following certificate:

C=US, O=thawte, Inc., OU=(c) 2007 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/S_TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt contains the following certificate:

C=DE, ST=Baden-Wuerttemberg (BW), L=Stuttgart, O=Deutscher Sparkassen Verlag GmbH, CN=S-TRUST Authentication and Encryption Root CA 2005:PN

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/XRamp_Global_CA_Root.crt contains the following certificate:

C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/COMODO_ECC_Certification_Authority.crt contains the following certificate:

C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/DigiCert_Assured_ID_Root_CA.crt contains the following certificate:

C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_2.crt contains the following certificate:

C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/QuoVadis_Root_CA_3_G3.crt contains the following certificate:

C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 G3

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/GeoTrust_Universal_CA_2.crt contains the following certificate:

C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/GeoTrust_Primary_Certification_Authority_G2.crt contains the following certificate:

C=US, O=GeoTrust Inc., OU=(c) 2007 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt contains the following certificate:

C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/QuoVadis_Root_CA.crt contains the following certificate:

C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis Root Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/SwissSign_Silver_CA_G2.crt contains the following certificate:

C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/TC_TrustCenter_Universal_CA_I.crt contains the following certificate:

C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Universal CA, CN=TC TrustCenter Universal CA I

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/IdenTrust_Public_Sector_Root_CA_1.crt contains the following certificate:

C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Starfield_Root_Certificate_Authority_G2.crt contains the following certificate:

C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root Certificate Authority - G2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/GlobalSign_Root_CA.crt contains the following certificate:

C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Verisign_Class_1_Public_Primary_Certification_Authority_G2.crt contains the following certificate:

C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/DST_ACES_CA_X6.crt contains the following certificate:

C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_.crt contains the following certificate:

CN=EBG Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1, O=EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E., C=TR

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Verisign_Class_1_Public_Primary_Certification_Authority.crt contains the following certificate:

C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Digital_Signature_Trust_Co._Global_CA_1.crt contains the following certificate:

C=US, O=Digital Signature Trust Co., OU=DSTCA E1

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_G3.crt contains the following certificate:

C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G3

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Staat_der_Nederlanden_Root_CA_G3.crt contains the following certificate:

C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G3

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/StartCom_Certification_Authority_2.crt contains the following certificate:

C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Sonera_Class_1_Root_CA.crt contains the following certificate:

C=FI, O=Sonera, CN=Sonera Class1 CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Staat_der_Nederlanden_EV_Root_CA.crt contains the following certificate:

C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Starfield_Services_Root_Certificate_Authority_G2.crt contains the following certificate:

C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Digital_Signature_Trust_Co._Global_CA_3.crt contains the following certificate:

C=US, O=Digital Signature Trust Co., OU=DSTCA E2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt contains the following certificate:

C=GR, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2011

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Entrust_Root_Certification_Authority_G2.crt contains the following certificate:

C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/VeriSign_Universal_Root_Certification_Authority.crt contains the following certificate:

C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal Root Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Entrust_Root_Certification_Authority.crt contains the following certificate:

C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/DigiCert_Global_Root_G3.crt contains the following certificate:

C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/TURKTRUST_Certificate_Services_Provider_Root_1.crt contains the following certificate:

CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1, C=TR, L=ANKARA, O=(c) 2005 T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E.

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/A_Trust_nQual_03.crt contains the following certificate:

C=AT, O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH, OU=A-Trust-nQual-03, CN=A-Trust-nQual-03

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Staat_der_Nederlanden_Root_CA_G2.crt contains the following certificate:

C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/spi_cacert_2008.crt contains the following certificate:

C=US, ST=Indiana, L=Indianapolis, O=Software in the Public Interest, OU=hostmaster, CN=Certificate Authority/[email protected]

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Comodo_AAA_Services_root.crt contains the following certificate:

C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Certigna.crt contains the following certificate:

1 C=FR, O=Dhimyotis, CN=Certigna

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority.crt contains the following certificate:

1 C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Verisign_Class_2_Public_Primary_Certification_Authority_G2.crt contains the following certificate:

1 C=US, O=VeriSign, Inc., OU=Class 2 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Equifax_Secure_eBusiness_CA_1.crt contains the following certificate:

1 C=US, O=Equifax Secure Inc., CN=Equifax Secure eBusiness CA-1

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/QuoVadis_Root_CA_2.crt contains the following certificate:

1 C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/TC_TrustCenter_Class_3_CA_II.crt contains the following certificate:

1 C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Class 3 CA, CN=TC TrustCenter Class 3 CA II

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/PSCProcert.crt contains the following certificate:

1 [email protected], L=Chacao, ST=Miranda, OU=Proveedor de Certificados PROCERT, O=Sistema Nacional de Certificacion Electronica, C=VE, CN=PSCProcert

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Microsec_e_Szigno_Root_CA.crt contains the following certificate:

1 C=HU, L=Budapest, O=Microsec Ltd., OU=e-Szigno CA, CN=Microsec e-Szigno Root CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_G5.crt contains the following certificate:

1 C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Hongkong_Post_Root_CA_1.crt contains the following certificate:

1 C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/GlobalSign_Root_CA_R2.crt contains the following certificate:

1 OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/WoSign_China.crt contains the following certificate:

1 C=CN, O=WoSign CA Limited, CN=CA \xE6\xB2\x83\xE9\x80\x9A\xE6\xA0\xB9\xE8\xAF\x81\xE4\xB9\xA6

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/SecureSign_RootCA11.crt contains the following certificate:

1 C=JP, O=Japan Certification Services, Inc., CN=SecureSign RootCA11

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/AddTrust_Qualified_Certificates_Root.crt contains the following certificate:

1 C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Qualified CA Root

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/StartCom_Certification_Authority_G2.crt contains the following certificate:

1 C=IL, O=StartCom Ltd., CN=StartCom Certification Authority G2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/OISTE_WISeKey_Global_Root_GA_CA.crt contains the following certificate:

1 C=CH, O=WISeKey, OU=Copyright (c) 2005, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GA CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Juur_SK.crt contains the following certificate:

1 [email protected], C=EE, O=AS Sertifitseerimiskeskus, CN=Juur-SK

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/QuoVadis_Root_CA_1_G3.crt contains the following certificate:

1 C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 1 G3

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/IGC_A.crt contains the following certificate:

1 C=FR, ST=France, L=Paris, O=PM/SGDN, OU=DCSSI, CN=IGC/A/[email protected]

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Certum_Trusted_Network_CA.crt contains the following certificate:

1 C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/GeoTrust_Universal_CA.crt contains the following certificate:

1 C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Swisscom_Root_EV_CA_2.crt contains the following certificate:

1 C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root EV CA 2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/WellsSecure_Public_Root_Certificate_Authority.crt contains the following certificate:

1 C=US, O=Wells Fargo WellsSecure, OU=Wells Fargo Bank NA, CN=WellsSecure Public Root Certificate Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.crt contains the following certificate:

1 C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/SecureTrust_CA.crt contains the following certificate:

1 C=US, O=SecureTrust Corporation, CN=SecureTrust CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/thawte_Primary_Root_CA.crt contains the following certificate:

1 C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/E_Tugra_Certification_Authority.crt contains the following certificate:

1 C=TR, L=Ankara, O=E-Tu\xC4\x9Fra EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/EC_ACC.crt contains the following certificate:

1 C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/TeliaSonera_Root_CA_v1.crt contains the following certificate:

1 O=TeliaSonera, CN=TeliaSonera Root CA v1

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Go_Daddy_Class_2_CA.crt contains the following certificate:

1 C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Taiwan_GRCA.crt contains the following certificate:

1 C=TW, O=Government Root Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Entrust.net_Premium_2048_Secure_Server_CA.crt contains the following certificate:

1 O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Security_Communication_EV_RootCA1.crt contains the following certificate:

1 C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication EV RootCA1

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/USERTrust_RSA_Certification_Authority.crt contains the following certificate:

1 C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/ePKI_Root_Certification_Authority.crt contains the following certificate:

1 C=TW, O=Chunghwa Telecom Co., Ltd., OU=ePKI Root Certification Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/CA_Disig_Root_R2.crt contains the following certificate:

1 C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_G4.crt contains the following certificate:

1 C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2007 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G4

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/ComSign_CA.crt contains the following certificate:

1 CN=ComSign CA, O=ComSign, C=IL

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Comodo_Trusted_Services_root.crt contains the following certificate:

1 C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Trusted Certificate Services

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Visa_eCommerce_Root.crt contains the following certificate:

1 C=US, O=VISA, OU=Visa International Service Association, CN=Visa eCommerce Root

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/TWCA_Global_Root_CA.crt contains the following certificate:

1 C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/AC_Ra_z_Certic_mara_S.A..crt contains the following certificate:

1 C=CO, O=Sociedad Cameral de Certificaci\xC3\xB3n Digital - Certic\xC3\xA1mara S.A., CN=AC Ra\xC3\xADz Certic\xC3\xA1mara S.A.

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/DigiCert_Assured_ID_Root_G3.crt contains the following certificate:

1 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G3

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/S_TRUST_Universal_Root_CA.crt contains the following certificate:

1 C=DE, O=Deutscher Sparkassen Verlag GmbH, OU=S-TRUST Certification Services, CN=S-TRUST Universal Root CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Verisign_Class_1_Public_Primary_Certification_Authority_G3.crt contains the following certificate:

1 C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 1 Public Primary Certification Authority - G3

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/AffirmTrust_Commercial.crt contains the following certificate:

1 C=US, O=AffirmTrust, CN=AffirmTrust Commercial

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/QuoVadis_Root_CA_3.crt contains the following certificate:

1 C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/UTN_USERFirst_Email_Root_CA.crt contains the following certificate:

1 C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Client Authentication and Email

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Entrust_Root_Certification_Authority_EC1.crt contains the following certificate:

1 C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - EC1

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/T_B_TAK_UEKAE_K_k_Sertifika_Hizmet_Sa_lay_c_s_S_r_m_3.crt contains the following certificate:

1 C=TR, L=Gebze - Kocaeli, O=T\xC3\xBCrkiye Bilimsel ve Teknolojik Ara\xC5\x9Ft\xC4\xB1rma Kurumu - T\xC3\x9CB\xC4\xB0TAK, OU=Ulusal Elektronik ve Kriptoloji Ara\xC5\x9Ft\xC4\xB1rma Enstit\xC3\xBCs\xC3\xBC - UEKAE, OU=Kamu Sertifikasyon Merkezi, CN=T\xC3\x9CB\xC4\xB0TAK UEKAE K\xC3\xB6k Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 - S\xC3\xBCr\xC3\xBCm 3

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Actalis_Authentication_Root_CA.crt contains the following certificate:

1 C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication Root CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/ACEDICOM_Root.crt contains the following certificate:

1 CN=ACEDICOM Root, OU=PKI, O=EDICOM, C=ES

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/CA_Disig_Root_R1.crt contains the following certificate:

1 C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R1

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/WoSign.crt contains the following certificate:

1 C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Swisscom_Root_CA_1.crt contains the following certificate:

1 C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root CA 1

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/RSA_Security_2048_v3.crt contains the following certificate:

1 O=RSA Security Inc, OU=RSA Security 2048 V3

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/AddTrust_External_Root.crt contains the following certificate:

1 C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/SG_TRUST_SERVICES_RACINE.crt contains the following certificate:

1 CN=SG TRUST SERVICES RACINE, OU=0002 43525289500022, O=SG TRUST SERVICES, C=FR

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/DST_Root_CA_X3.crt contains the following certificate:

1 O=Digital Signature Trust Co., CN=DST Root CA X3

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/DigiCert_Global_Root_G2.crt contains the following certificate:

1 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_G2.crt contains the following certificate:

1 C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/ACCVRAIZ1.crt contains the following certificate:

1 CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/lib/libtp-0.0.0.so contains the following certificate:

1 O=Cisco, CN=Cisco Root CA M1

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/lib/libsmartagent.so contains the following certificates:

1 O=Cisco, CN=Cisco Licensing Root CA
2 O=Cisco, CN=Licensing Root - DEV

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Security_Communication_Root_CA.crt contains the following certificate:

1 C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/AffirmTrust_Networking.crt contains the following certificate:

1 C=US, O=AffirmTrust, CN=AffirmTrust Networking

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Deutsche_Telekom_Root_CA_2.crt contains the following certificate:

1 C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/D_TRUST_Root_Class_3_CA_2_EV_2009.crt contains the following certificate:

1 C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/D_TRUST_Root_Class_3_CA_2_2009.crt contains the following certificate:

1 C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 2009

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/Equifax_Secure_CA.crt contains the following certificate:

1 C=US, O=Equifax, OU=Equifax Secure Certificate Authority

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/etc/ssl/certs/DigiCert_Global_Root_CA.crt contains the following certificate:

1 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/lib/libgch_pf-0.0.0.so contains the following certificates:

1 C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2
2 C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3
3 C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis Root Certification Authority
4 C=US, O=Cisco Systems, CN=Cisco RXC-R2
5 C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL ICA G2
6 C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
7 O=Cisco, CN=ACT2 ECC SUDI CA
8 O=Cisco, CN=ACT2 SUDI CA
9 O=Cisco, CN=Cisco ECC Root CA
10 O=Cisco, CN=Cisco Licensing Root CA
11 O=Cisco, CN=Cisco Root CA M2
12 O=Cisco Systems, CN=Cisco Manufacturing CA
13 O=Cisco Systems, CN=Cisco Root CA 2048
14 O=Digital Signature Trust Co., CN=DST Root CA X3

The file in path /_openwrt-comcerto2000-hgw-rootfs-ubi_nand.img.extracted/ubifs-root/1115947576/rootfs/usr/lib/libgch_gvd_pf-0.0.0.so contains the following certificates:

1 C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2
2 C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3
3 C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis Root Certification Authority
4 C=US, O=Cisco Systems, CN=Cisco RXC-R2
5 C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL ICA G2
6 C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
7 O=Cisco, CN=ACT2 ECC SUDI CA
8 O=Cisco, CN=ACT2 SUDI CA
9 O=Cisco, CN=Cisco ECC Root CA
10 O=Cisco, CN=Cisco Licensing Root CA
11 O=Cisco, CN=Cisco Root CA M2
12 O=Cisco Systems, CN=Cisco Manufacturing CA
13 O=Cisco Systems, CN=Cisco Root CA 2048
14 O=Digital Signature Trust Co., CN=DST Root CA X3
