SB2018080629 - Information disclosure in lxc (Alpine package)
Published: August 6, 2018
Security Bulletin ID: SB2018080629
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Local access
Highest impact: Information disclosure
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2018-6556)
The vulnerability allows a local unauthenticated attacker to obtain potentially sensitive information on the target system. The weakness exists because lxc-user-nic unconditionally opens a user-provided path when asked to delete a network interface. A local attacker can check for the existence of a path which he wouldn't otherwise be able to reach and trigger side effects by causing a (read-only) open of special kernel files (ptmx, proc, sys).
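The pattern described above, as an added example that is not code from LXC or the Alpine package: a set-uid helper opening a caller-supplied path with its elevated credentials, beside a version that performs the open with the caller's real uid and gid. The function names are hypothetical, and this is one common mitigation for this class of bug, not necessarily the change made in the referenced commits.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Weak pattern: the open runs with the helper's elevated effective uid, so
 * success vs. ENOENT reveals whether any path exists, and special files
 * get opened on the caller's behalf. */
int open_unconditionally(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Hardened pattern (hypothetical helper): open with the caller's real
 * uid/gid, so the result is only what the caller could learn directly. */
int open_as_caller(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    /* Switch the group first; after the uid drop setegid() may be refused. */
    if (setegid(getgid()) < 0)
        return -1;
    if (seteuid(getuid()) < 0) {
        if (setegid(saved_egid) < 0)
            abort();
        return -1;
    }
    /* O_NOCTTY/O_NONBLOCK: no controlling tty, no blocking on FIFOs. */
    fd = open(path, O_RDONLY | O_CLOEXEC | O_NOCTTY | O_NONBLOCK);
    saved_errno = errno;
    /* Regain privileges in reverse order; never continue half-switched. */
    if (seteuid(saved_euid) < 0 || setegid(saved_egid) < 0)
        abort();
    errno = saved_errno;
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";
    int fd = open_as_caller(path);
    printf("%s: %s\n", path, fd >= 0 ? "opened as caller" : "refused");
    return fd >= 0 ? 0 : 1;
}
```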
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=c3d02104be97a60d9d339777d2356b1243ec8698
- https://git.alpinelinux.org/aports/commit/?id=da688e83197010c4441f991b8df54885eb05a651
- https://git.alpinelinux.org/aports/commit/?id=3b59bf1ceb65a93255af5cf0093680e635415adc
- https://git.alpinelinux.org/aports/commit/?id=228f1186348553da00690d33b859187b439d94b2
- https://git.alpinelinux.org/aports/commit/?id=336d2a6a1f60b1cc72eb7fdc4ca49d374b9dc627
- https://git.alpinelinux.org/aports/commit/?id=f6b0d4ea66ca7fd95a2d90a4e8c0f5cef679411b