Vulnerability Name:

CVE-2004-0114 (CCN-15061)

Assigned: 2004-02-05
Published: 2004-02-05
Updated: 2017-10-10
Summary: The shmat system call in the System V Shared Memory interface for FreeBSD 5.2 and earlier, NetBSD 1.3 and earlier, and OpenBSD 2.6 and earlier, does not properly decrement a shared memory segment's reference count when the vm_map_find function fails, which could allow local users to gain read or write access to a portion of kernel memory and gain privileges.
CVSS v3 Severity: 5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 4.6 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-Other
Vulnerability Consequences: Gain Privileges
References:
Source: CCN
Type: FreeBSD Security Advisory FreeBSD-SA-04:02.shmat
shmat reference counting bug

Source: FREEBSD
Type: Patch, Vendor Advisory
FreeBSD-SA-04:02

Source: NETBSD
Type: UNKNOWN
NetBSD-SA2004-004

Source: CCN
Type: BugTraq Mailing List, Thu Feb 05 2004 - 12:08:39 CST
reference count overflow in shmat()

Source: MITRE
Type: CNA
CVE-2004-0114

Source: CCN
Type: NetBSD Security Advisory 2004-004
shmat reference counting bug

Source: BUGTRAQ
Type: UNKNOWN
20040205 [PINE-CERT-20040201] reference count overflow in shmat()

Source: CCN
Type: OpenBSD 3.4 errata Web site
010: SECURITY FIX: February 5, 2004

Source: CCN
Type: OpenBSD 3.3 errata Web site
015: SECURITY FIX: February 5, 2004

Source: CONFIRM
Type: UNKNOWN
http://www.openbsd.org/errata33.html#sysvshm

Source: OSVDB
Type: UNKNOWN
3836

Source: CCN
Type: OSVDB ID: 3836
Multiple BSD shmat() Privilege Escalation

Source: MISC
Type: UNKNOWN
http://www.pine.nl/press/pine-cert-20040201.txt

Source: BID
Type: Patch, Vendor Advisory
9586

Source: CCN
Type: BID-9586
BSD Kernel SHMAT System Call Privilege Escalation Vulnerability

Source: XF
Type: UNKNOWN
bsd-shmat-gain-privileges(15061)

Vulnerable Configuration: Configuration 1:
  • cpe:/o:freebsd:freebsd:*:*:*:*:*:*:*:* (Version <= 5.2)
  • OR cpe:/o:netbsd:netbsd:*:*:*:*:*:*:*:* (Version <= 1.3)
  • OR cpe:/o:openbsd:openbsd:*:*:*:*:*:*:*:* (Version <= 2.6)

Configuration CCN 1:
  • cpe:/o:netbsd:netbsd:1.5:*:*:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:1.5.1:*:*:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:1.5.2:*:*:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:1.5.3:*:*:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:1.6:*:*:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:1.6.1:*:*:*:*:*:*:*
  • AND
  • cpe:/o:freebsd:freebsd:*:*:*:*:*:*:*:*

  * Denotes that component is vulnerable
    freebsd freebsd *
    netbsd netbsd *
    openbsd openbsd *
    netbsd netbsd 1.5
    netbsd netbsd 1.5.1
    netbsd netbsd 1.5.2
    netbsd netbsd 1.5.3
    netbsd netbsd 1.6
    netbsd netbsd 1.6.1
    freebsd freebsd *