| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 11 Jan 2018 19:02:27 +0000 From: Kurtis <kurtis@...usinfosec.com> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] [Fixed Link] [CVE-2018-5189] Rumble In The Jungo – A Code Execution Walkthrough ** Advisory Information Title: [CVE-2018-5189] Rumble In The Jungo – A Code Execution Walkthrough Blog URL: https://www.fidusinfosec.com/jungo-windriver-code-execution-cve-2018-5189/ Vendor: Jungo Date Published: 10/01/2017 CVE: CVE-2018-5189 ** Vulnerability Summary Leveraging a race condition/double fetch to trigger a pool overflow within the Jungo Windriver allowing a local privilage escalation to SYSTEM. ** Vendor Response Jungo have released a new version of the driver thus mitigating exploitation of this issue. ** Report Timeline Disclosed to vendor – 23/12/2017 Response from vendor, request for initial advisory – 24/12/2017 Initial advisory sent – 29/12/2017 Beta patch sent for testing by vendor – 01/01/2018 Patch confirmed to mitigate vulnerabilities – 01/01/2017 Patch released – 10/01/2017 ** Credit This vulnerability was discovered by Tim Carrington @__invictus_, part of the Fidus Information Security research team. ** References https://www.fidusinfosec.com/jungo-windriver-code-execution-cve-2018-5189/ ** Disclaimer This advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists