The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4, when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net namespace, which allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system.
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
| Link | Tags |
|---|---|
| https://usn.ubuntu.com/3619-2/ | vendor advisory |
| https://www.debian.org/security/2018/dsa-4082 | vendor advisory |
| https://lkml.org/lkml/2017/12/5/950 | third party advisory mailing list |
| http://www.securityfocus.com/bid/102122 | vdb entry third party advisory |
| https://access.redhat.com/errata/RHSA-2018:1062 | vendor advisory |
| https://source.android.com/security/bulletin/pixel/2018-04-01 | |
| https://access.redhat.com/errata/RHSA-2018:0654 | vendor advisory |
| https://access.redhat.com/errata/RHSA-2018:0676 | vendor advisory |
| https://usn.ubuntu.com/3653-2/ | vendor advisory |
| https://usn.ubuntu.com/3655-1/ | vendor advisory |
| https://access.redhat.com/errata/RHSA-2018:1170 | vendor advisory |
| https://access.redhat.com/errata/RHSA-2018:1130 | vendor advisory |
| https://www.debian.org/security/2017/dsa-4073 | vendor advisory |
| https://usn.ubuntu.com/3655-2/ | vendor advisory |
| https://usn.ubuntu.com/3653-1/ | vendor advisory |
| https://usn.ubuntu.com/3657-1/ | vendor advisory |
| https://usn.ubuntu.com/3619-1/ | vendor advisory |