PlayStation discloses “severe” Use-After-Free kernel vulnerability
Originally published at securityreport.com on July 7, 2020.
PlayStation has disclosed a severe use-after-free vulnerability, more than three months after it was reported.
The vulnerability, discovered by researcher Andy Nguyen, exists in PS4 Firmware versions 7.02 and below. After constructing a demonstrable Proof of Concept (PoC) exploit, the researcher responsibly reported the flaw to the company in March 2020.
If exploited in conjunction with a WebKit/Chromium vulnerability (such as CVE-2018-4386, in PS4 firmware versions up to 6.72), an attacker could:
- Achieve a fully chained remote attack on a console.
- Steal or modify user data.
- Dump and run pirated games on the console.
“Due to missing locks in option IPV6_2292PKTOPTIONS of setsockopt, it is possible to race and free the struct ip6_pktopts buffer, while it is being handled by ip6_setpktopt,” states Nguyen in the HackerOne coordinated disclosure made public yesterday.
“This structure contains pointers (ip6po_pktinfo) that can be hijacked to obtain arbitrary kernel R/W…