Vulnerability Name:

CVE-2018-5750 (CCN-138417)

Assigned:2017-12-19
Published:2017-12-19
Updated:2019-03-07
Summary:The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.
CVSS v3 Severity:5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
3.5 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
3.3 Low (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
2.9 Low (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-200
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2018-5750

Source: CCN
Type: IBM Security Bulletin 715699 (QRadar Network Security)
IBM QRadar Network Security is affected by Linux kernel vulnerabilities

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1040319

Source: REDHAT
Type: Third Party Advisory
RHSA-2018:0676

Source: REDHAT
Type: Third Party Advisory
RHSA-2018:1062

Source: REDHAT
Type: Third Party Advisory
RHSA-2018:2948

Source: XF
Type: UNKNOWN
linux-kernel-cve20185750-info-disc(138417)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20180502 [SECURITY] [DLA 1369-1] linux security update

Source: CCN
Type: Patchwork Web site
ACPI: sbshc: remove raw pointer from printk message

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://patchwork.kernel.org/patch/10174835/

Source: UBUNTU
Type: Third Party Advisory
USN-3631-1

Source: UBUNTU
Type: Third Party Advisory
USN-3631-2

Source: UBUNTU
Type: Third Party Advisory
USN-3697-1

Source: UBUNTU
Type: Third Party Advisory
USN-3697-2

Source: UBUNTU
Type: Third Party Advisory
USN-3698-1

Source: UBUNTU
Type: Third Party Advisory
USN-3698-2

Source: DEBIAN
Type: Third Party Advisory
DSA-4120

Source: DEBIAN
Type: Third Party Advisory
DSA-4187

Source: CCN
Type: Linux Kernel Web site
The Linux Kernel Archives

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-5750

Vulnerable Configuration:Configuration 1:
  • cpe:/o:linux:linux_kernel:*:*:*:*:*:*:*:* (Version <= 4.14.15)

    • Configuration 2:
  • cpe:/o:debian:debian_linux:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*

    • Configuration 4:
  • cpe:/a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/a:redhat:rhel_extras_rt:7:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

    • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

    • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

    • Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:linux:linux_kernel:4.14.15:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:qradar_network_security:5.4.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.redhat.rhsa:def:20180676
    P
    		RHSA-2018:0676: kernel-rt security, bug fix, and enhancement update (Important)
    2018-04-10
    oval:com.redhat.rhsa:def:20181062
    P
    		RHSA-2018:1062: kernel security, bug fix, and enhancement update (Important)
    2018-04-10
    oval:com.ubuntu.xenial:def:201857500000000
    V
    		CVE-2018-5750 on Ubuntu 16.04 LTS (xenial) - low.
    2018-01-26
    oval:com.ubuntu.trusty:def:20185750000
    V
    		CVE-2018-5750 on Ubuntu 14.04 LTS (trusty) - low.
    2018-01-26
    oval:com.ubuntu.xenial:def:20185750000
    V
    		CVE-2018-5750 on Ubuntu 16.04 LTS (xenial) - low.
    2018-01-26
    oval:com.ubuntu.artful:def:20185750000
    V
    		CVE-2018-5750 on Ubuntu 17.10 (artful) - low.
    2018-01-26
    oval:com.ubuntu.bionic:def:201857500000000
    V
    		CVE-2018-5750 on Ubuntu 18.04 LTS (bionic) - low.
    2018-01-26
    oval:com.ubuntu.bionic:def:20185750000
    V
    		CVE-2018-5750 on Ubuntu 18.04 LTS (bionic) - low.
    2018-01-26
    BACK
    linux linux kernel *
    debian debian linux 7.0
    debian debian linux 8.0
    debian debian linux 9.0
    canonical ubuntu linux 12.04
    canonical ubuntu linux 14.04
    canonical ubuntu linux 16.04
    canonical ubuntu linux 17.10
    redhat virtualization host 4.0
    redhat enterprise linux desktop 7.0
    redhat enterprise linux server 7.0
    redhat enterprise linux server aus 7.6
    redhat enterprise linux server eus 7.6
    redhat enterprise linux server tus 7.6
    redhat enterprise linux workstation 7.0
    linux linux kernel 4.14.15
    ibm qradar network security 5.4.0