Bug 668720 (CVE-2018-1121) - sys-process/procps: process hiding through race condition
Summary: sys-process/procps: process hiding through race condition
Status: RESOLVED INVALID
Alias: CVE-2018-1121
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: A4 [upstream cve]
Reported: 2018-10-15 16:10 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2022-08-16 22:54 UTC

Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-10-15 16:10:32 UTC
Summary: procps-ng and procps are vulnerable to process hiding through a race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15; newer versions might also be affected.
Comment 1 Daniel Robbins 2018-10-21 03:35:37 UTC
Please note that GLSA 201805-14 gives the incorrect impression that following the steps in this GLSA will result in CVE-2018-1121 being addressed, when it hasn't been yet.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2018-11-25 03:23:52 UTC
(In reply to Daniel Robbins from comment #1)
> Please note that GLSA 201805-14 gives the incorrect impression that
> following the steps in this GLSA will result in CVE-2018-1121 being
> addressed, when it hasn't
> been yet.

Fixed in GLSA 201805-14.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-02 19:17:46 UTC
RedHat seems to believe this is invalid, "The /proc filesystem is not a reliable mechanism to account for processes running on a system, as it is unable to offer snapshot semantics. Short-lived processes have always been able to escape detection by tools that monitor /proc. This CVE simply identifies a reliable way to do so using inotify.

Process accounting for security purposes, or with a requirement to record very short-running processes and those attempting to evade detection, should be performed with more robust methods such as auditd(8) (the Linux Audit Daemon) or systemtap."

Any objection to us marking invalid as well?
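
Added example, not part of the bug thread or of procps: the Red Hat statement quoted in comment 3 recommends auditd over /proc for process accounting, and this Python code shows that approach by listing the execve records that a single /proc pass never saw. The log lines, the scan result and the audit rule named in the comment are constructed assumptions; syscall 59 is execve on x86_64.

```python
import re

# Constructed audit records (not from the bug report), in the shape produced by
# an execve rule such as: -a always,exit -F arch=b64 -S execve -k exec
AUDIT_LOG = """\
type=SYSCALL msg=audit(1539619832.101:901): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=31990 auid=1000 uid=1000 comm="worker" exe="/usr/bin/worker" key="exec"
type=SYSCALL msg=audit(1539619832.347:902): arch=c000003e syscall=59 success=yes exit=0 ppid=31990 pid=412 auid=1000 uid=1000 comm="worker" exe="/usr/bin/worker" key="exec"
type=SYSCALL msg=audit(1539619832.350:903): arch=c000003e syscall=59 success=no exit=-2 ppid=800 pid=805 auid=1000 uid=1000 comm="sh" exe="/bin/sh" key="exec"
type=SYSCALL msg=audit(1539619833.010:904): arch=c000003e syscall=59 success=yes exit=0 ppid=800 pid=806 auid=1000 uid=1000 comm="ls" exe="/bin/ls" key="exec"
"""
# Constructed result of one pass over /proc (the PIDs a ps-style scan listed).
SCAN_PIDS = {1, 800, 806}
SCAN_END = 1539619834.0  # constructed time at which that pass finished

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_execs(log):
    """Return successful execve (x86_64 syscall 59) records as dicts."""
    events = []
    for line in log.splitlines():
        stamp = STAMP.search(line)
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if not stamp or f.get("type") != "SYSCALL":
            continue
        if f.get("syscall") != "59" or f.get("success") != "yes":
            continue
        events.append({"time": float(stamp.group(1)), "pid": int(f["pid"]),
                       "ppid": int(f["ppid"]), "exe": f["exe"]})
    return events


def unseen_by_scan(events, scan_pids, scan_end):
    """Execs audit logged up to scan_end whose PID the /proc pass never listed.

    This includes processes that simply exited first; the point is that the
    audit trail accounts for them and the /proc listing does not.
    """
    missed = []
    for e in events:
        if e["time"] <= scan_end and e["pid"] not in scan_pids:
            # A child PID below its parent's also occurs on normal PID wraparound.
            missed.append({**e, "pid_below_parent": e["pid"] < e["ppid"]})
    return missed


if __name__ == "__main__":
    for e in unseen_by_scan(parse_execs(AUDIT_LOG), SCAN_PIDS, SCAN_END):
        print(e["pid"], e["ppid"], e["exe"], e["pid_below_parent"])
```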