Security firm Qualys has disclosed three flaws (CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866) in a component of
The flaws reside in the
Both CVE-2018-16864 and CVE-2018-16865 are memory corruption vulnerabilities, while CVE-2018-16866 is an out-of-bounds issue that can lead to an
Security patches for the three vulnerabilities are included in
“CVE-2018-16864 was introduced in April 2013 (
Qualys experts were working on an exploit for another Linux vulnerability when they noticed that passing several megabytes of command-line arguments to a program that calls
“CVE-2018-16865 was introduced in December 2011 (
The experts developed a PoC exploit for both CVE-2018-16865 and CVE-2018-16866 that is able to obtain a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average. They plan to publish the exploit code in the near future.
In an attack scenario against a Linux box, CVE-2018-16864 can be exploited by
The experts found CVE-2018-16865 because they were surprised by the heavy usage of
The CVE-2018-16866 flaw appeared in June 2015 (v221) and was fixed inadvertently in August 2018.
“We discovered an out-of-bounds read in
The security firm acknowledged
(SecurityAffairs – Linux, hacking)