CVE-2018-14633

Name: CVE-2018-14633
Creator: NVD / NIST
Published: 2018-09-25T00:29:00.357+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7/10EPSS 8.74%

Last modified Jun 17, 2026

CVE-2018-14633 is a high-severity vulnerability rated 7/10 on the CVSS scale. A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. EPSS estimates a 8.74% chance of exploitation in the next 30 days.

Description

A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. Kernel versions 4.18.x, 4.14.x and 3.10.x are believed to be vulnerable.

Metrics

CVSS 3.1

7/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

EPSS Probability

8.74%

94.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Linux	Linux Kernel	>= 3.1, < 3.16.59
Linux	Linux Kernel	>= 3.17, < 3.18.124
Linux	Linux Kernel	>= 3.19, < 4.4.159
Linux	Linux Kernel	>= 4.5, < 4.9.130
Linux	Linux Kernel	>= 4.10, < 4.14.73
Linux	Linux Kernel	>= 4.15, < 4.18.11
Canonical	Ubuntu Linux	12.04
Canonical	Ubuntu Linux	14.04
Canonical	Ubuntu Linux	16.04
Canonical	Ubuntu Linux	18.04
Debian	Debian Linux	8.0
Debian	Debian Linux	9.0
Redhat	Enterprise Linux Eus	7.4
Redhat	Enterprise Linux Eus	7.6
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Server Aus	7.4
Redhat	Enterprise Linux Server Aus	7.6
Redhat	Enterprise Linux Server Tus	7.4
Redhat	Enterprise Linux Server Tus	7.6
Redhat	Enterprise Linux Workstation	7.0

References

http://www.securityfocus.com/bid/105388Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2018:3651Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3666Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1946Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14633Issue Tracking, Patch, Third Party Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=4.19/scsi-fixes&id=1816494330a83f2a064499d8ed2797045641f92cPatch, Vendor Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=4.19/scsi-fixes&id=8c39e2699f8acb2e29782a834e56306da24937fePatch, Vendor Advisory
https://lists.debian.org/debian-lts-announce/2018/10/msg00003.htmlMailing List, Third Party Advisory
https://seclists.org/oss-sec/2018/q3/270Mailing List, Third Party Advisory
https://usn.ubuntu.com/3775-1/Third Party Advisory
https://usn.ubuntu.com/3775-2/Third Party Advisory
https://usn.ubuntu.com/3776-1/Third Party Advisory
https://usn.ubuntu.com/3776-2/Third Party Advisory
https://usn.ubuntu.com/3777-1/Third Party Advisory
https://usn.ubuntu.com/3777-2/Third Party Advisory
https://usn.ubuntu.com/3777-3/Third Party Advisory
https://usn.ubuntu.com/3779-1/Third Party Advisory
https://www.debian.org/security/2018/dsa-4308Third Party Advisory
http://www.securityfocus.com/bid/105388Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2018:3651Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3666Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1946Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14633Issue Tracking, Patch, Third Party Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=4.19/scsi-fixes&id=1816494330a83f2a064499d8ed2797045641f92cPatch, Vendor Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=4.19/scsi-fixes&id=8c39e2699f8acb2e29782a834e56306da24937fePatch, Vendor Advisory
https://lists.debian.org/debian-lts-announce/2018/10/msg00003.htmlMailing List, Third Party Advisory
https://seclists.org/oss-sec/2018/q3/270Mailing List, Third Party Advisory
https://usn.ubuntu.com/3775-1/Third Party Advisory
https://usn.ubuntu.com/3775-2/Third Party Advisory
https://usn.ubuntu.com/3776-1/Third Party Advisory
https://usn.ubuntu.com/3776-2/Third Party Advisory
https://usn.ubuntu.com/3777-1/Third Party Advisory
https://usn.ubuntu.com/3777-2/Third Party Advisory
https://usn.ubuntu.com/3777-3/Third Party Advisory
https://usn.ubuntu.com/3779-1/Third Party Advisory
https://www.debian.org/security/2018/dsa-4308Third Party Advisory

Timeline

Published: Sep 25, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-14633?

How severe is CVE-2018-14633?

CVE-2018-14633 has a CVSS score of 7/10 (HIGH severity). The EPSS model estimates a 8.74% probability of exploitation in the next 30 days.

How do I fix CVE-2018-14633?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-14633?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST