Vulnerability CVE-2014-1438

Vulnerability Name:

CVE-2014-1438 (CCN-90031)

Assigned:

2013-12-29

Published:

2013-12-29

Updated:

2014-03-16

Summary:

The restore_fpu_checking function in arch/x86/include/asm/fpu-internal.h in the Linux kernel before 3.12.8 on the AMD K7 and K8 platforms does not clear pending exceptions before proceeding to an EMMS instruction, which allows local users to cause a denial of service (task kill) or possibly gain privileges via a crafted application.

CVSS v3 Severity:

6.2 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

4.7 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:N/A:C)
3.5 Low (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

4.7 Medium (CCN CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:N/A:C)
3.5 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

CWE-264

Vulnerability Consequences:

Denial of Service

References:

Vulnerable Configuration:

Configuration 1:

cpe:/o:linux:linux_kernel:3.12:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:3.12.1:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:3.12.2:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:3.12.3:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:3.12.4:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:3.12.5:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:3.12.6:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:*:*:*:*:*:*:*:* (Version <= 3.12.7)

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20141438	V	CVE-2014-1438	2017-03-01
oval:org.mitre.oval:def:24074	P	USN-2135-1 -- linux-lts-quantal vulnerabilities	2014-07-21
oval:org.mitre.oval:def:24316	P	USN-2138-1 -- linux vulnerabilities	2014-07-21
oval:org.mitre.oval:def:24568	P	USN-2234-1 -- linux-ec2 vulnerabilities	2014-07-21
oval:org.mitre.oval:def:24102	P	USN-2134-1 -- linux-ti-omap4 vulnerabilities	2014-07-21
oval:org.mitre.oval:def:24394	P	USN-2139-1 -- linux-ti-omap4 vulnerabilities	2014-07-21
oval:org.mitre.oval:def:24852	P	USN-2233-1 -- linux vulnerabilities	2014-07-21
oval:org.mitre.oval:def:23441	P	USN-2117-1 -- linux vulnerabilities	2014-07-21
oval:org.mitre.oval:def:24233	P	USN-2136-1 -- linux-lts-raring vulnerabilities	2014-06-30
oval:org.mitre.oval:def:24404	P	USN-2141-1 -- linux-ti-omap4 vulnerabilities	2014-06-30
oval:org.mitre.oval:def:24220	P	USN-2113-1 -- linux-lts-saucy vulnerabilities	2014-06-30
oval:org.mitre.oval:def:24395	P	USN-2133-1 -- linux vulnerabilities	2014-06-30
oval:com.ubuntu.precise:def:20141438000	V	CVE-2014-1438 on Ubuntu 12.04 LTS (precise) - medium.	2014-01-18
oval:com.ubuntu.xenial:def:201414380000000	V	CVE-2014-1438 on Ubuntu 16.04 LTS (xenial) - medium.	2014-01-18
oval:com.ubuntu.trusty:def:20141438000	V	CVE-2014-1438 on Ubuntu 14.04 LTS (trusty) - medium.	2014-01-18
oval:com.ubuntu.xenial:def:20141438000	V	CVE-2014-1438 on Ubuntu 16.04 LTS (xenial) - medium.	2014-01-18

BACK