On Tue, 2020-11-17 at 11:18 -0500, Antoine Beaupré wrote:
[...]
> Could we get a little more hard data about the attack vectors here? I
> totally trust the security team's "gut feeling" on this, but it would be
> great to be able to evaluate more concretely what we're talking about
> here.
> 
> Local root privilege escalation, basically? Can we get a sense of what
> those vulnerabilities are, say with some example CVEs?

Yes, local privilege escalation.

From the advisories I've prepared, I think these are all LPEs that were
mitigated by our current patch:

CVE-2015-2041
CVE-2015-8709
CVE-2016-3134
CVE-2016-8655
CVE-2017-6346
CVE-2017-7184
CVE-2017-7308
CVE-2017-11600
CVE-2017-15649
CVE-2017-16939
CVE-2017-18509
CVE-2017-1000111
CVE-2018-16884
CVE-2019-15666
CVE-2020-14386

They seem to have slowed to a trickle at this point.  And there are
sadly lots of other LPE bugs that it has no effect on.

> I'm asking because my main concern with security these days is with the
> web browser. It's this huge gaping hole: every measure we can take to
> sandbox that thing is becoming more and more critical, so I wonder if
> our tradeoff's evaluation is well adjusted here, especially considering
> a lot of user_ns consumers are bypassing those restrictions by running
> as root anyways...

I tend to agree with this.

Ben.

> It seems that, in those cases, we're getting the worst of both worlds...
> 
> a.
-- 
Ben Hutchings
Usenet is essentially a HUGE group of people passing notes in class.
                 - Rachel Kadel, `A Quick Guide to Newsgroup Etiquette'
