CVE-2018-14633
HighA security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. Kernel versions 4.18.x, 4.14.x and 3.10.x are believed to be vulnerable.
CVSS 3.1 score
7.0
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
Weakness type
CWE-121CVE-2018-14633 is classified as CWE-121
See CWE-121 on MITRE CWE for full details on this weakness type.
References
The following references provide additional information about CVE-2018-14633 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.
-
Securityfocushttp://www.securityfocus.com/bid/105388Third Party Advisory VDB Entry
-
Third Party Advisory
-
Third Party Advisory
-
Third Party Advisory
-
Mailing List Third Party Advisory
-
Mailing List Third Party Advisory
-
Ubuntu Securityhttps://usn.ubuntu.com/3775-1/Third Party Advisory
-
Ubuntu Securityhttps://usn.ubuntu.com/3775-2/Third Party Advisory
-
Ubuntu Securityhttps://usn.ubuntu.com/3776-1/Third Party Advisory
-
Ubuntu Securityhttps://usn.ubuntu.com/3776-2/Third Party Advisory
-
Ubuntu Securityhttps://usn.ubuntu.com/3777-1/Third Party Advisory
-
Ubuntu Securityhttps://usn.ubuntu.com/3777-2/Third Party Advisory
-
Ubuntu Securityhttps://usn.ubuntu.com/3777-3/Third Party Advisory
-
Ubuntu Securityhttps://usn.ubuntu.com/3779-1/Third Party Advisory
-
Debian Securityhttps://www.debian.org/security/2018/dsa-4308Third Party Advisory
-
PatchKernel patch commithttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14633
-
PatchKernel patch commithttps://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=4.19/scsi-fixes&id=1816494330a83f2a064499d8ed2797045641f92c
-
PatchKernel patch commithttps://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=4.19/scsi-fixes&id=8c39e2699f8acb2e29782a834e56306da24937fe
Frequently asked questions
-
What is CVE-2018-14633?
CVE-2018-14633 is a High severity Linux kernel vulnerability with a CVSS score of 7.0 out of 10 . CVE-2018-14633 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
-
What is the CVSS score for CVE-2018-14633?
CVE-2018-14633 has a CVSS score of 7.0 out of 10, rated High severity (CVSS 3.1). The vector string is
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H. -
Is there a patch available for CVE-2018-14633?
No patch is currently available for CVE-2018-14633. Monitor the NIST NVD and your Linux distribution's security advisories for updates.
-
Is CVE-2018-14633 actively exploited?
No — CVE-2018-14633 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.