ID CVE-2015-8104
Summary The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c.
References
Vulnerable Configurations
  • Xen Xen 4.3.0
    cpe:2.3:o:xen:xen:4.3.0
  • Xen 4.3.1
    cpe:2.3:o:xen:xen:4.3.1
  • Xen Xen 4.3.2
    cpe:2.3:o:xen:xen:4.3.2
  • Xen Xen 4.3.3
    cpe:2.3:o:xen:xen:4.3.3
  • Xen 4.3.4
    cpe:2.3:o:xen:xen:4.3.4
  • Xen 4.4.0
    cpe:2.3:o:xen:xen:4.4.0
  • Xen Xen 4.4.1
    cpe:2.3:o:xen:xen:4.4.1
  • Xen Xen 4.4.2
    cpe:2.3:o:xen:xen:4.4.2
  • Xen Xen 4.4.3
    cpe:2.3:o:xen:xen:4.4.3
  • Xen Xen 4.5.0
    cpe:2.3:o:xen:xen:4.5.0
  • Xen Xen 4.5.1
    cpe:2.3:o:xen:xen:4.5.1
  • Xen Xen 4.5.2
    cpe:2.3:o:xen:xen:4.5.2
  • Xen Xen 4.6.0
    cpe:2.3:o:xen:xen:4.6.0
  • Oracle Solaris 11.3
    cpe:2.3:o:oracle:solaris:11.3
  • Oracle VM Virtualbox 5.0.13
    cpe:2.3:a:oracle:vm_virtualbox:5.0.13
  • Oracle VM Virtualbox 4.3.35
    cpe:2.3:a:oracle:vm_virtualbox:4.3.35
  • Oracle VM Virtualbox 4.2.34
    cpe:2.3:a:oracle:vm_virtualbox:4.2.34
  • Oracle VM Virtualbox 4.1.42
    cpe:2.3:a:oracle:vm_virtualbox:4.1.42
  • Oracle VM Virtualbox 4.0.34
    cpe:2.3:a:oracle:vm_virtualbox:4.0.34
  • Linux Kernel 4.2.3
    cpe:2.3:o:linux:linux_kernel:4.2.3
CVSS
Base: 4.7 (as of 30-08-2016 - 07:53)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
LOCAL MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE COMPLETE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-892.NASL
    description This update fixes the following security issues : - bsc#947165 - CVE-2015-7311: xen: libxl fails to honour readonly flag on disks with qemu-xen (xsa-142) - bsc#954405 - CVE-2015-8104: Xen: guest to host DoS by triggering an infinite loop in microcode via #DB exception - bsc#954018 - CVE-2015-5307: xen: x86: CPU lockup during fault delivery (XSA-156) - bsc#950704 - CVE-2015-7970 xen: x86: Long latency populate-on-demand operation is not preemptible (XSA-150) 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
    last seen 2017-10-29
    modified 2015-12-16
    plugin id 87393
    published 2015-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87393
    title openSUSE Security Update : xen (openSUSE-2015-892)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-3107.NASL
    description Description of changes: kernel-uek [3.8.13-118.2.2.el7uek] - KVM: svm: unconditionally intercept #DB (Paolo Bonzini) [Orabug: 22333698] {CVE-2015-8104} - KVM: x86: work around infinite loop in microcode when #AC is delivered (Eric Northup) [Orabug: 22333689] {CVE-2015-5307} {CVE-2015-5307} - KVM: x86: Defining missing x86 vectors (Nadav Amit) [Orabug: 22333689]
    last seen 2017-10-29
    modified 2015-12-14
    plugin id 87332
    published 2015-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87332
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2015-3107)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-2636.NASL
    description From Red Hat Security Advisory 2015:2636 : Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important) * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) * A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important) * It was found that the Linux kernel's keys subsystem did not correctly garbage collect uninstantiated keyrings. A local attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-7872, Important) Red Hat would like to thank Ben Serebrin of Google Inc. for reporting the CVE-2015-5307 issue. This update also fixes the following bugs : * Previously, Human Interface Device (HID) ran a report on an unaligned buffer, which could cause a page fault interrupt and an oops when the end of the report was read. This update fixes this bug by padding the end of the report with extra bytes, so the reading of the report never crosses a page boundary. As a result, a page fault and subsequent oops no longer occur. (BZ#1268203) * The NFS client was previously failing to detect a directory loop for some NFS server directory structures. This failure could cause NFS inodes to remain referenced after attempting to unmount the file system, leading to a kernel crash. Loop checks have been added to VFS, which effectively prevents this problem from occurring. (BZ#1272858) * Due to a race whereby the nfs_wb_pages_cancel() and nfs_commit_release_pages() calls both removed a request from the nfs_inode struct type, the kernel panicked with negative nfs_inode.npages count. The provided upstream patch performs the required serialization by holding the inode i_lock over the check of PagePrivate and locking the request, thus preventing the race and kernel panic from occurring. (BZ#1273721) * Due to incorrect URB_ISO_ASAP semantics, playing an audio file using a USB sound card could previously fail for some hardware configurations. This update fixes the bug, and playing audio from a USB sound card now works as expected. (BZ#1273916) * Inside hugetlb, region data structures were protected by a combination of a memory map semaphore and a single hugetlb instance mutex. However, a page-fault scalability improvement backported to the kernel on previous releases removed the single hugetlb instance mutex and introduced a new mutex table, making the locking combination insufficient, leading to possible race windows that could cause corruption and undefined behavior. This update fixes the problem by introducing a required spinlock to the region tracking functions for proper serialization. The problem only affects software using huge pages through hugetlb interface. (BZ#1274599) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2017-10-29
    modified 2016-10-28
    plugin id 87396
    published 2015-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87396
    title Oracle Linux 6 : kernel (ELSA-2015-2636)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-893.NASL
    description This update fixes the following security issues : - bsc#947165 - CVE-2015-7311: xen: libxl fails to honour readonly flag on disks with qemu-xen (xsa-142) - bsc#954405 - CVE-2015-8104: Xen: guest to host DoS by triggering an infinite loop in microcode via #DB exception - bsc#954018 - CVE-2015-5307: xen: x86: CPU lockup during fault delivery (XSA-156) - bsc#950704 - CVE-2015-7970: xen: x86: Long latency populate-on-demand operation is not preemptible (XSA-150)
    last seen 2017-10-29
    modified 2015-12-17
    plugin id 87443
    published 2015-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87443
    title openSUSE Security Update : xen (openSUSE-2015-893)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2552.NASL
    description Updated kernel packages that fix two security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) Red Hat would like to thank Ben Serebrin of Google Inc. for reporting the CVE-2015-5307 issue. This update also fixes the following bugs : * On Intel Xeon v5 platforms, the processor frequency was always tied to the highest possible frequency. Switching p-states on these client platforms failed. This update sets the idle frequency, busy frequency, and processor frequency values by determining the range and adjusting the minimal and maximal percent limit values. Now, switching p-states on the aforementioned client platforms proceeds successfully. (BZ#1273926) * Due to a validation error of in-kernel memory-mapped I/O (MMIO) tracing, a VM became previously unresponsive when connected to Red Hat Enterprise Virtualization Hypervisor. The provided patch fixes this bug by dropping the check in MMIO handler, and a VM continues running as expected. (BZ#1275150) * Due to retry-able command errors, the NVMe driver previously leaked I/O descriptors and DMA mappings. As a consequence, the kernel could become unresponsive during the hot-unplug operation if a driver was removed. This update fixes the driver memory leak bug on command retries, and the kernel no longer hangs in this situation. (BZ#1279792) * The hybrid_dma_data() function was not initialized before use, which caused an invalid memory access when hot-plugging a PCI card. As a consequence, a kernel oops occurred. The provided patch makes sure hybrid_dma_data() is initialized before use, and the kernel oops no longer occurs in this situation. (BZ#1279793) * When running PowerPC (PPC) KVM guests and the host was experiencing a lot of page faults, for example because it was running low on memory, the host sometimes triggered an incorrect kind of interrupt in the guest: a data storage exception instead of a data segment exception. This caused a kernel panic of the PPC KVM guest. With this update, the host kernel synthesizes a segment fault if the corresponding Segment Lookaside Buffer (SLB) lookup fails, which prevents the kernel panic from occurring. (BZ#1281423) * The kernel accessed an incorrect area of the khugepaged process causing Logical Partitioning (LPAR) to become unresponsive, and an oops occurred in medlp5. The backported upstream patch prevents an LPAR hang, and the oops no longer occurs. (BZ#1281424) * When the sctp module was loaded and a route to an association endpoint was removed after receiving an Out-of-The-Blue (OOTB) chunk but before incrementing the 'dropped because of missing route' SNMP statistic, a NULL pointer Dereference kernel panic previously occurred. This update fixes the race condition between OOTB response and route removal. (BZ#1281426) * The cpuscaling test of the certification test suite previously failed due to a rounding bug in the intel-pstate driver. This bug has been fixed and the cpuscaling test now passes. (BZ#1281491) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 87274
    published 2015-12-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87274
    title RHEL 7 : kernel (RHSA-2015:2552)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-34.NASL
    description This update for xen fixes the following security issues : - CVE-2015-8550: paravirtualized drivers incautious about shared memory contents (XSA-155, boo#957988) - CVE-2015-8558: qemu: usb: infinite loop in ehci_advance_state results in DoS (boo#959006) - CVE-2015-7549: qemu pci: NULL pointer dereference issue (boo#958918) - CVE-2015-8504: qemu: ui: vnc: avoid floating point exception (boo#958493) - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling (XSA-164, boo#958007) - CVE-2015-8555: information leak in legacy x86 FPU/XMM initialization (XSA-165, boo#958009) - boo#958523 xen: ioreq handling possibly susceptible to multiple read issue (XSA-166) - CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing command block list (boo#956832) - boo#956592: xen: virtual PMU is unsupported (XSA-163) - CVE-2015-8339, CVE-2015-8340: xen: XENMEM_exchange error handling issues (XSA-159, boo#956408) - CVE-2015-8341: xen: libxl leak of pv kernel and initrd on error (XSA-160, boo#956409) - CVE-2015-7504: xen: heap buffer overflow vulnerability in pcnet emulator (XSA-162, boo#956411) - CVE-2015-7311: xen: libxl fails to honour readonly flag on disks with qemu-xen (xsa-142, boo#947165) - CVE-2015-8104: Xen: guest to host DoS by triggering an infinite loop in microcode via #DB exception (boo#954405) - CVE-2015-5307: xen: x86: CPU lockup during fault delivery (XSA-156, boo#954018) - CVE-2015-7970: xen: x86: Long latency populate-on-demand operation is not preemptible (XSA-150, boo#950704)
    last seen 2017-10-29
    modified 2016-10-13
    plugin id 88124
    published 2016-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88124
    title openSUSE Security Update : xen (openSUSE-2016-34)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2840-1.NASL
    description Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted to garbage collect incompletely instantiated keys. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2015-7872) Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS. (CVE-2015-8104). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-10-26
    plugin id 87465
    published 2015-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87465
    title Ubuntu 12.04 LTS : linux vulnerabilities (USN-2840-1)
  • NASL family Misc.
    NASL id VIRTUALBOX_5_0_10.NASL
    description The Oracle VM VirtualBox application installed on the remote host is a version prior to 4.0.36, 4.1.44, 4.2.36, 4.3.34, or 5.0.10. It is, therefore, affected by the following vulnerabilities : - A denial of service vulnerability exists due to an infinite loop condition in the KVM subsystem of the Linux kernel. A local attacker can exploit this, by triggering many Alignment Check (#AC) exceptions, to cause an OS panic or hang. (CVE-2015-5307) - A integer overflow condition exists in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) due to a failure to properly validate user-supplied input during memory allocation. A remote attacker can exploit this to corrupt memory, resulting in a denial of service or execution of arbitrary code. (CVE-2015-7183) - A denial of service vulnerability exists due to an infinite loop condition in the KVM subsystem of the Linux kernel. A local attacker can exploit this, by triggering many Debug (#DB) exceptions, to cause an OS panic or hang. (CVE-2015-8104)
    last seen 2017-10-29
    modified 2016-05-02
    plugin id 88051
    published 2016-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88051
    title Oracle VM VirtualBox < 4.0.36 / 4.1.44 / 4.2.36 / 4.3.34 / 5.0.10 Multiple Vulnerabilities (January 2016 CPU)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2844-1.NASL
    description Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS. (CVE-2015-8104) Guoyong Gang discovered that the ppp implementation in the Linux kernel did not ensure that certain slot numbers are valid. A local attacker with the privilege to call ioctl() on /dev/ppp could cause a denial of service (system crash). (CVE-2015-7799) It was discovered that the driver for Digi Neo and ClassicBoard devices did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel. (CVE-2015-7885). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-01
    plugin id 87471
    published 2015-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87471
    title Ubuntu 14.04 LTS : linux-lts-utopic vulnerabilities (USN-2844-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0046.NASL
    description Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 6.2 Advanced Update Support. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) Red Hat would like to thank Ben Serebrin of Google Inc. for reporting the CVE-2015-5307 issue. All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2017-10-29
    modified 2017-01-10
    plugin id 87999
    published 2016-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87999
    title RHEL 6 : kernel (RHSA-2016:0046)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-3502.NASL
    description Description of changes: [2.6.39-400.264.13.el6uek] - KEYS: Don't permit request_key() to construct a new keyring (David Howells) [Orabug: 22373449] {CVE-2015-7872} [2.6.39-400.264.12.el6uek] - crypto: add missing crypto module aliases (Mathias Krause) [Orabug: 22249656] {CVE-2013-7421} {CVE-2014-9644} - crypto: include crypto- module prefix in template (Kees Cook) [Orabug: 22249656] {CVE-2013-7421} {CVE-2014-9644} - crypto: prefix module autoloading with 'crypto-' (Kees Cook) [Orabug: 22249656] {CVE-2013-7421} {CVE-2014-9644} [2.6.39-400.264.11.el6uek] - KVM: x86: Don't report guest userspace emulation error to userspace (Nadav Amit) [Orabug: 22249615] {CVE-2010-5313} {CVE-2014-7842} [2.6.39-400.264.9.el6uek] - msg_unlock() in wrong spot after applying 'Initialize msg/shm IPC objects before doing ipc_addid()' (Chuck Anderson) [Orabug: 22250044] {CVE-2015-7613} {CVE-2015-7613} [2.6.39-400.264.8.el6uek] - ipc/sem.c: fully initialize sem_array before making it visible (Manfred Spraul) [Orabug: 22250044] {CVE-2015-7613} - Initialize msg/shm IPC objects before doing ipc_addid() (Linus Torvalds) [Orabug: 22250044] {CVE-2015-7613} [2.6.39-400.264.7.el6uek] - KVM: svm: unconditionally intercept #DB (Paolo Bonzini) [Orabug: 22333698] {CVE-2015-8104} {CVE-2015-8104} - KVM: x86: work around infinite loop in microcode when #AC is delivered (Eric Northup) [Orabug: 22333689] {CVE-2015-5307} {CVE-2015-5307} [2.6.39-400.264.6.el6uek] - mlx4_core: Introduce restrictions for PD update (Ajaykumar Hotchandani) - IPoIB: Drop priv->lock before calling ipoib_send() (Wengang Wang) - IPoIB: serialize changing on tx_outstanding (Wengang Wang) [Orabug: 21861366] - IB/mlx4: Implement IB_QP_CREATE_USE_GFP_NOIO (Jiri Kosina) - IB: Add a QP creation flag to use GFP_NOIO allocations (Or Gerlitz) - IB: Return error for unsupported QP creation flags (Or Gerlitz) - IB/ipoib: Calculate csum only when skb->ip_summed is CHECKSUM_PARTIAL (Yuval Shaia) [Orabug: 20873175]
    last seen 2017-10-29
    modified 2016-10-28
    plugin id 87835
    published 2016-01-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87835
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2016-3502)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-2328-1.NASL
    description This update fixes the following security issues : - bsc#956832 - CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing command block list - bsc#956592 - xen: virtual PMU is unsupported (XSA-163) - bsc#956408 - CVE-2015-8339, CVE-2015-8340: xen: XENMEM_exchange error handling issues (XSA-159) - bsc#956409 - CVE-2015-8341: xen: libxl leak of pv kernel and initrd on error (XSA-160) - bsc#956411 - CVE-2015-7504: xen: heap buffer overflow vulnerability in pcnet emulator (XSA-162) - bsc#947165 - CVE-2015-7311: xen: libxl fails to honour readonly flag on disks with qemu-xen (xsa-142) - bsc#954405 - CVE-2015-8104: Xen: guest to host DoS by triggering an infinite loop in microcode via #DB exception - bsc#954018 - CVE-2015-5307: xen: x86: CPU lockup during fault delivery (XSA-156) CVE-2015-5307-xsa156.patch - bsc#950704 - CVE-2015-7970: xen: x86: Long latency populate-on-demand operation is not preemptible (XSA-150) 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch - bsc#951845 - CVE-2015-7972: xen: x86: populate-on-demand balloon size inaccuracy can crash guests (XSA-153) xsa153-libxl.patch xend-xsa153.patch - Drop 5604f239-x86-PV-properly-populate-descriptor-tables.patc h - bsc#950703 - CVE-2015-7969: xen: leak of main per-domain vcpu pointer array (DoS) (XSA-149) - bsc#950705 - CVE-2015-7969: xen: x86: leak of per-domain profiling-related vcpu pointer array (DoS) (XSA-151) - bsc#950706 - CVE-2015-7971: xen: x86: some pmu and profiling hypercalls log without rate limiting (XSA-152) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-02
    plugin id 87591
    published 2015-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87591
    title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:2328-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0057.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details.
    last seen 2017-10-31
    modified 2017-10-31
    plugin id 99163
    published 2017-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99163
    title OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-124.NASL
    description The openSUSE 13.1 kernel was updated to receive various security and bugfixes. Following security bugs were fixed : - CVE-2016-0728: A reference leak in keyring handling with join_session_keyring() could lead to local attackers gain root privileges. (bsc#962075). - CVE-2015-7550: A local user could have triggered a race between read and revoke in keyctl (bnc#958951). - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel did not verify an address length, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application (bnc#959190). - CVE-2015-8543: The networking implementation in the Linux kernel did not validate protocol identifiers for certain protocol families, which allowed local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application (bnc#958886). - CVE-2014-8989: The Linux kernel did not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allowed local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a 'negative groups' issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c (bnc#906545). - CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux kernel on the x86_64 platform mishandles IRET faults in processing NMIs that occurred during userspace execution, which might allow local users to gain privileges by triggering an NMI (bnc#937969). - CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel through 4.2.3 did not ensure that certain slot numbers are valid, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call (bnc#949936). - CVE-2015-8104: The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c (bnc#954404). - CVE-2015-5307: The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c (bnc#953527). - CVE-2014-9529: Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel allowed local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key (bnc#912202). - CVE-2015-7990: Race condition in the rds_sendmsg function in net/rds/sendmsg.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6937 (bnc#952384 953052). - CVE-2015-6937: The __rds_conn_create function in net/rds/connection.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound (bnc#945825). - CVE-2015-7885: The dgnc_mgmt_ioctl function in drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel through 4.3.3 did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel memory via a crafted application (bnc#951627). - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel did not validate attempted changes to the MTU value, which allowed context-dependent attackers to cause a denial of service (packet loss) via a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface, as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different vulnerability than CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager product (bnc#955354). - CVE-2015-8767: A case can occur when sctp_accept() is called by the user during a heartbeat timeout event after the 4-way handshake. Since sctp_assoc_migrate() changes both assoc->base.sk and assoc->ep, the bh_sock_lock in sctp_generate_heartbeat_event() will be taken with the listening socket but released with the new association socket. The result is a deadlock on any future attempts to take the listening socket lock. (bsc#961509) - CVE-2015-8575: Validate socket address length in sco_sock_bind() to prevent information leak (bsc#959399). - CVE-2015-8551, CVE-2015-8552: xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled (bsc#957990). - CVE-2015-8550: Compiler optimizations in the XEN PV backend drivers could have lead to double fetch vulnerabilities, causing denial of service or arbitrary code execution (depending on the configuration) (bsc#957988). The following non-security bugs were fixed : - ALSA: hda - Disable 64bit address for Creative HDA controllers (bnc#814440). - ALSA: hda - Fix noise problems on Thinkpad T440s (boo#958504). - Input: aiptek - fix crash on detecting device without endpoints (bnc#956708). - KEYS: Make /proc/keys unconditional if CONFIG_KEYS=y (boo#956934). - KVM: x86: update masterclock values on TSC writes (bsc#961739). - NFS: Fix a NULL pointer dereference of migration recovery ops for v4.2 client (bsc#960839). - apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task (bsc#921949). - blktap: also call blkif_disconnect() when frontend switched to closed (bsc#952976). - blktap: refine mm tracking (bsc#952976). - cdrom: Random writing support for BD-RE media (bnc#959568). - genksyms: Handle string literals with spaces in reference files (bsc#958510). - ipv4: Do not increase PMTU with Datagram Too Big message (bsc#955224). - ipv6: distinguish frag queues by device for multicast and link-local packets (bsc#955422). - ipv6: fix tunnel error handling (bsc#952579). - route: Use ipv4_mtu instead of raw rt_pmtu (bsc#955224). - uas: Add response iu handling (bnc#954138). - usbvision fix overflow of interfaces array (bnc#950998). - x86/evtchn: make use of PHYSDEVOP_map_pirq. - xen/pciback: Do not allow MSI-X ops if PCI_COMMAND_MEMORY is not set (bsc#957990 XSA-157).
    last seen 2017-10-29
    modified 2016-12-07
    plugin id 88545
    published 2016-02-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88545
    title openSUSE Security Update : the Linux Kernel (openSUSE-2016-124)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-F150B2A8C8.NASL
    description x86: CPU lockup during exception delivery [XSA-156, CVE-2015-5307, CVE-2015-8104] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-03-04
    plugin id 89457
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89457
    title Fedora 21 : xen-4.4.3-8.fc21 (2015-f150b2a8c8)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-CD94AD8D7C.NASL
    description The 4.2.6 stable update contains a number of important fixes across the tree. kernel-4.2.6-200.fc22 - Fix incorrect size calculations in megaraid with 64K pages (rhbz 1269300) - CVE-2015-8104 kvm: DoS infinite loop in microcode DB exception (rhbz 1278496 1279691) - CVE-2015-5307 kvm: DoS infinite loop in microcode AC exception (rhbz 1277172 1279688) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-10-18
    plugin id 89412
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89412
    title Fedora 22 : kernel-4.2.6-200.fc22 (2015-cd94ad8d7c)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-394835A3F6.NASL
    description x86: CPU lockup during exception delivery [XSA-156, CVE-2015-5307, CVE-2015-8104] ---- update to 4.5.2 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-03-04
    plugin id 89212
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89212
    title Fedora 23 : xen-4.5.2-2.fc23 (2015-394835a3f6)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-136.NASL
    description The openSUSE 13.2 kernel was updated to receive various security and bugfixes. Following security bugs were fixed : - CVE-2016-0728: A reference leak in keyring handling with join_session_keyring() could lead to local attackers gain root privileges. (bsc#962075). - CVE-2015-7550: A local user could have triggered a race between read and revoke in keyctl (bnc#958951). - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel did not verify an address length, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application (bnc#959190). - CVE-2015-8543: The networking implementation in the Linux kernel did not validate protocol identifiers for certain protocol families, which allowed local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application (bnc#958886). - CVE-2014-8989: The Linux kernel did not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allowed local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a 'negative groups' issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c (bnc#906545). - CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux kernel on the x86_64 platform mishandles IRET faults in processing NMIs that occurred during userspace execution, which might allow local users to gain privileges by triggering an NMI (bnc#937969). - CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel through 4.2.3 did not ensure that certain slot numbers are valid, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call (bnc#949936). - CVE-2015-8104: The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c (bnc#954404). - CVE-2015-5307: The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c (bnc#953527). - CVE-2014-9529: Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel allowed local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key (bnc#912202). - CVE-2015-7990: Race condition in the rds_sendmsg function in net/rds/sendmsg.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6937 (bnc#952384 953052). - CVE-2015-6937: The __rds_conn_create function in net/rds/connection.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound (bnc#945825). - CVE-2015-7885: The dgnc_mgmt_ioctl function in drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel through 4.3.3 did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel memory via a crafted application (bnc#951627). - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel did not validate attempted changes to the MTU value, which allowed context-dependent attackers to cause a denial of service (packet loss) via a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface, as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different vulnerability than CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager product (bnc#955354). - CVE-2015-8767: A case can occur when sctp_accept() is called by the user during a heartbeat timeout event after the 4-way handshake. Since sctp_assoc_migrate() changes both assoc->base.sk and assoc->ep, the bh_sock_lock in sctp_generate_heartbeat_event() will be taken with the listening socket but released with the new association socket. The result is a deadlock on any future attempts to take the listening socket lock. (bsc#961509) - CVE-2015-8575: Validate socket address length in sco_sock_bind() to prevent information leak (bsc#959399). - CVE-2015-8551, CVE-2015-8552: xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled (bsc#957990). - CVE-2015-8550: Compiler optimizations in the XEN PV backend drivers could have lead to double fetch vulnerabilities, causing denial of service or arbitrary code execution (depending on the configuration) (bsc#957988). The following non-security bugs were fixed : - ALSA: hda - Disable 64bit address for Creative HDA controllers (bnc#814440). - ALSA: hda - Fix noise problems on Thinkpad T440s (boo#958504). - Input: aiptek - fix crash on detecting device without endpoints (bnc#956708). - KEYS: Make /proc/keys unconditional if CONFIG_KEYS=y (boo#956934). - KVM: x86: update masterclock values on TSC writes (bsc#961739). - NFS: Fix a NULL pointer dereference of migration recovery ops for v4.2 client (bsc#960839). - apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task (bsc#921949). - blktap: also call blkif_disconnect() when frontend switched to closed (bsc#952976). - blktap: refine mm tracking (bsc#952976). - cdrom: Random writing support for BD-RE media (bnc#959568). - genksyms: Handle string literals with spaces in reference files (bsc#958510). - ipv4: Do not increase PMTU with Datagram Too Big message (bsc#955224). - ipv6: distinguish frag queues by device for multicast and link-local packets (bsc#955422). - ipv6: fix tunnel error handling (bsc#952579). - route: Use ipv4_mtu instead of raw rt_pmtu (bsc#955224). - uas: Add response iu handling (bnc#954138). - usbvision fix overflow of interfaces array (bnc#950998). - x86/evtchn: make use of PHYSDEVOP_map_pirq. - xen/pciback: Do not allow MSI-X ops if PCI_COMMAND_MEMORY is not set (bsc#957990 XSA-157).
    last seen 2017-10-29
    modified 2016-12-07
    plugin id 88605
    published 2016-02-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88605
    title openSUSE Security Update : the Linux Kernel (openSUSE-2016-136)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20151208_KERNEL_ON_SL7_X.NASL
    description - It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) This update also fixes the following bugs : - On Intel Xeon v5 platforms, the processor frequency was always tied to the highest possible frequency. Switching p-states on these client platforms failed. This update sets the idle frequency, busy frequency, and processor frequency values by determining the range and adjusting the minimal and maximal percent limit values. Now, switching p-states on the aforementioned client platforms proceeds successfully. - Due to a validation error of in-kernel memory-mapped I/O (MMIO) tracing, a VM became previously unresponsive when connected to RHEV Hypervisor. The provided patch fixes this bug by dropping the check in MMIO handler, and a VM continues running as expected. - Due to retry-able command errors, the NVMe driver previously leaked I/O descriptors and DMA mappings. As a consequence, the kernel could become unresponsive during the hot-unplug operation if a driver was removed. This update fixes the driver memory leak bug on command retries, and the kernel no longer hangs in this situation. - The hybrid_dma_data() function was not initialized before use, which caused an invalid memory access when hot-plugging a PCI card. As a consequence, a kernel oops occurred. The provided patch makes sure hybrid_dma_data() is initialized before use, and the kernel oops no longer occurs in this situation. - When running PowerPC (PPC) KVM guests and the host was experiencing a lot of page faults, for example because it was running low on memory, the host sometimes triggered an incorrect kind of interrupt in the guest: a data storage exception instead of a data segment exception. This caused a kernel panic of the PPC KVM guest. With this update, the host kernel synthesizes a segment fault if the corresponding Segment Lookaside Buffer (SLB) lookup fails, which prevents the kernel panic from occurring. - The kernel accessed an incorrect area of the khugepaged process causing Logical Partitioning (LPAR) to become unresponsive, and an oops occurred in medlp5. The backported upstream patch prevents an LPAR hang, and the oops no longer occurs. - When the sctp module was loaded and a route to an association endpoint was removed after receiving an Out-of-The-Blue (OOTB) chunk but before incrementing the 'dropped because of missing route' SNMP statistic, a NULL pointer Dereference kernel panic previously occurred. This update fixes the race condition between OOTB response and route removal. - The cpuscaling test of the certification test suite previously failed due to a rounding bug in the intel-pstate driver. This bug has been fixed and the cpuscaling test now passes. The system must be rebooted for this update to take effect.
    last seen 2017-10-29
    modified 2015-12-22
    plugin id 87583
    published 2015-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87583
    title Scientific Linux Security Update : kernel on SL7.x x86_64
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-445.NASL
    description The openSUSE Leap 42.1 kernel was updated to 4.1.20 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2015-1339: A memory leak in cuse could be used to exhaust kernel memory. (bsc#969356). - CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel did not ensure that certain slot numbers are valid, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call (bnc#949936 951638). - CVE-2015-7872: The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel allowed local users to cause a denial of service (OOPS) via crafted keyctl commands (bnc#951440). - CVE-2015-7884: The vivid_fb_ioctl function in drivers/media/platform/vivid/vivid-osd.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel memory via a crafted application (bnc#951626). - CVE-2015-8104: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c (bnc#954404). - CVE-2015-8709: kernel/ptrace.c in the Linux kernel mishandled uid and gid mappings, which allowed local users to gain privileges by establishing a user namespace, waiting for a root process to enter that namespace with an unsafe uid or gid, and then using the ptrace system call. NOTE: the vendor states 'there is no kernel bug here (bnc#959709). - CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux kernel did not properly manage the relationship between a lock and a socket, which allowed local users to cause a denial of service (deadlock) via a crafted sctp_accept call. (bsc#961509) - CVE-2015-8785: The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kernel allowed local users to cause a denial of service (infinite loop) via a writev system call that triggers a zero length for the first segment of an iov (bnc#963765). - CVE-2015-8787: The nf_nat_redirect_ipv4 function in net/netfilter/nf_nat_redirect.c in the Linux kernel allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by sending certain IPv4 packets to an incompletely configured interface, a related issue to CVE-2003-1604 (bnc#963931). - CVE-2015-8812: A flaw was found in the CXGB3 kernel driver when the network was considered congested. The kernel would incorrectly misinterpret the congestion as an error condition and incorrectly free/clean up the skb. When the device would then send the skb's queued, these structures would be referenced and may panic the system or allow an attacker to escalate privileges in a use-after-free scenario. (bsc#966437). - CVE-2016-0723: Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call (bnc#961500). - CVE-2016-2069: When Linux invalidated a paging structure that is not in use locally, it could, in principle, race against another CPU that is switching to a process that uses the paging structure in question. (bsc#963767) - CVE-2016-2184: A malicious USB device could cause a kernel crash in the alsa usb-audio driver. (bsc#971125) - CVE-2016-2383: Incorrect branch fixups for eBPF allow arbitrary read of kernel memory. (bsc#966684) - CVE-2016-2384: A malicious USB device could cause a kernel crash in the alsa usb-audio driver. (bsc#966693) The following non-security bugs were fixed : - alsa: hda - Apply clock gate workaround to Skylake, too (bsc#966137). - alsa: hda - disable dynamic clock gating on Broxton before reset (bsc#966137). - alsa: hda - Fix playback noise with 24/32 bit sample size on BXT (bsc#966137). - alsa: seq: Fix double port list deletion (bsc#968018). - alsa: seq: Fix leak of pool buffer at concurrent writes (bsc#968018). - alsa: timer: Fix race between stop and interrupt (bsc#968018). - alsa: timer: Fix wrong instance passed to slave callbacks (bsc#968018). - arm64: Add workaround for Cavium erratum 27456. - arm64: Backport arm64 patches from SLE12-SP1-ARM - btrfs: teach backref walking about backrefs with underflowed (bsc#966259). - cgroup kabi fix for 4.1.19. - config: Disable CONFIG_DDR. CONFIG_DDR is selected automatically by drivers which need it. - config: Disable MFD_TPS65218 The TPS65218 is a power management IC for 32-bit ARM systems. - config: Modularize NF_REJECT_IPV4/V6 There is no reason why these helper modules should be built-in when the rest of netfilter is built as modules. - config: Update x86 config files: Enable Intel RAPL This driver is useful when power caping is needed. It was enabled in the SLE kernel 2 years ago. - Delete patches.fixes/bridge-module-get-put.patch. As discussed in http://lists.opensuse.org/opensuse-kernel/2015-11/msg000 46.html - drm/i915: Fix double unref in intelfb_alloc failure path (boo#962866, boo#966179). - drm/i915: Fix failure paths around initial fbdev allocation (boo#962866, boo#966179). - drm/i915: Pin the ifbdev for the info->system_base GGTT mmapping (boo#962866, boo#966179). - e1000e: Avoid divide by zero error (bsc#965125). - e1000e: fix division by zero on jumbo MTUs (bsc#965125). - e1000e: fix systim issues (bsc#965125). - e1000e: Fix tight loop implementation of systime read algorithm (bsc#965125). - ibmvnic: Fix ibmvnic_capability struct. - intel: Disable Skylake support in intel_idle driver again (boo#969582) This turned out to bring a regression on some machines, unfortunately. It should be addressed in the upstream at first. - intel_idle: allow idle states to be freeze-mode specific (boo#969582). - intel_idle: Skylake Client Support (boo#969582). - intel_idle: Skylake Client Support - updated (boo#969582). - libceph: fix scatterlist last_piece calculation (bsc#963746). - lio: Add LIO clustered RBD backend (fate#318836) - net kabi fixes for 4.1.19. - numa patches updated to v15 - ocfs2: fix dlmglue deadlock issue(bnc#962257) - pci: thunder: Add driver for ThunderX-pass{1,2} on-chip devices - pci: thunder: Add PCIe host driver for ThunderX processors - sd: Optimal I/O size is in bytes, not sectors (boo#961263). - sd: Reject optimal transfer length smaller than page size (boo#961263). - series.conf: move cxgb3 patch to network drivers section
    last seen 2017-10-29
    modified 2017-10-02
    plugin id 90482
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90482
    title openSUSE Security Update : the Linux Kernel (openSUSE-2016-445)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0154.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - KVM: svm: unconditionally intercept #DB (Paolo Bonzini) [Orabug: 22333698] (CVE-2015-8104) - KVM: x86: work around infinite loop in microcode when #AC is delivered (Eric Northup) [Orabug: 22333689] (CVE-2015-5307) (CVE-2015-5307) - KVM: x86: Defining missing x86 vectors (Nadav Amit) [Orabug: 22333689]
    last seen 2017-10-29
    modified 2017-02-14
    plugin id 87333
    published 2015-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87333
    title OracleVM 3.3 : kernel-uek (OVMSA-2015-0154)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-2552.NASL
    description Updated kernel packages that fix two security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) Red Hat would like to thank Ben Serebrin of Google Inc. for reporting the CVE-2015-5307 issue. This update also fixes the following bugs : * On Intel Xeon v5 platforms, the processor frequency was always tied to the highest possible frequency. Switching p-states on these client platforms failed. This update sets the idle frequency, busy frequency, and processor frequency values by determining the range and adjusting the minimal and maximal percent limit values. Now, switching p-states on the aforementioned client platforms proceeds successfully. (BZ#1273926) * Due to a validation error of in-kernel memory-mapped I/O (MMIO) tracing, a VM became previously unresponsive when connected to Red Hat Enterprise Virtualization Hypervisor. The provided patch fixes this bug by dropping the check in MMIO handler, and a VM continues running as expected. (BZ#1275150) * Due to retry-able command errors, the NVMe driver previously leaked I/O descriptors and DMA mappings. As a consequence, the kernel could become unresponsive during the hot-unplug operation if a driver was removed. This update fixes the driver memory leak bug on command retries, and the kernel no longer hangs in this situation. (BZ#1279792) * The hybrid_dma_data() function was not initialized before use, which caused an invalid memory access when hot-plugging a PCI card. As a consequence, a kernel oops occurred. The provided patch makes sure hybrid_dma_data() is initialized before use, and the kernel oops no longer occurs in this situation. (BZ#1279793) * When running PowerPC (PPC) KVM guests and the host was experiencing a lot of page faults, for example because it was running low on memory, the host sometimes triggered an incorrect kind of interrupt in the guest: a data storage exception instead of a data segment exception. This caused a kernel panic of the PPC KVM guest. With this update, the host kernel synthesizes a segment fault if the corresponding Segment Lookaside Buffer (SLB) lookup fails, which prevents the kernel panic from occurring. (BZ#1281423) * The kernel accessed an incorrect area of the khugepaged process causing Logical Partitioning (LPAR) to become unresponsive, and an oops occurred in medlp5. The backported upstream patch prevents an LPAR hang, and the oops no longer occurs. (BZ#1281424) * When the sctp module was loaded and a route to an association endpoint was removed after receiving an Out-of-The-Blue (OOTB) chunk but before incrementing the 'dropped because of missing route' SNMP statistic, a NULL pointer Dereference kernel panic previously occurred. This update fixes the race condition between OOTB response and route removal. (BZ#1281426) * The cpuscaling test of the certification test suite previously failed due to a rounding bug in the intel-pstate driver. This bug has been fixed and the cpuscaling test now passes. (BZ#1281491) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2017-10-29
    modified 2016-04-28
    plugin id 87281
    published 2015-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87281
    title CentOS 7 : kernel (CESA-2015:2552)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2841-2.NASL
    description Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS. (CVE-2015-8104) Guoyong Gang discovered that the ppp implementation in the Linux kernel did not ensure that certain slot numbers are valid. A local attacker with the privilege to call ioctl() on /dev/ppp could cause a denial of service (system crash). (CVE-2015-7799) It was discovered that the driver for Digi Neo and ClassicBoard devices did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel. (CVE-2015-7885). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-01
    plugin id 87467
    published 2015-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87467
    title Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2841-2)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL31026324.NASL
    description CVE-2015-2925 The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a 'double-chroot attack.' CVE-2015-5307 The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c. CVE-2015-8104 The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c. Impact A local user may be able to bypass a container protection mechanism by renaming a directory, or cause a denial of service (DoS) to the system by triggering certain exceptions.
    last seen 2017-10-29
    modified 2017-10-26
    plugin id 87905
    published 2016-01-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87905
    title F5 Networks BIG-IP : Linux kernel vulnerabilities (K31026324)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-2108-1.NASL
    description The SUSE Linux Enterprise 11 Service Pack 3 kernel was updated to receive various security and bugfixes. Following security bugs were fixed : - CVE-2015-8104: Prevent guest to host DoS caused by infinite loop in microcode via #DB exception (bsc#954404). - CVE-2015-5307: Prevent guest to host DoS caused by infinite loop in microcode via #AC exception (bsc#953527). - CVE-2015-7990: RDS: Verify the underlying transport exists before creating a connection, preventing possible DoS (bsc#952384). - CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux kernel on the x86_64 platform mishandled IRET faults in processing NMIs that occurred during userspace execution, which might have allowed local users to gain privileges by triggering an NMI (bsc#938706). - CVE-2015-7872: Possible crash when trying to garbage collect an uninstantiated keyring (bsc#951440). - CVE-2015-0272: Prevent remote DoS using IPv6 RA with bogus MTU by validating before applying it (bsc#944296). - CVE-2015-6937: The __rds_conn_create function in net/rds/connection.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound (bsc#945825). - CVE-2015-6252: The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux kernel allowed local users to cause a denial of service (memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggered permanent file-descriptor allocation (bsc#942367). The following non-security bugs were fixed : - alsa: hda - Disable 64bit address for Creative HDA controllers (bsc#814440). - btrfs: fix hang when failing to submit bio of directIO (bsc#942688). - btrfs: fix memory corruption on failure to submit bio for direct IO (bsc#942688). - btrfs: fix put dio bio twice when we submit dio bio fail (bsc#942688). - dm sysfs: introduce ability to add writable attributes (bsc#904348). - dm-snap: avoid deadock on s->lock when a read is split (bsc#939826). - dm: do not start current request if it would have merged with the previous (bsc#904348). - dm: impose configurable deadline for dm_request_fn merge heuristic (bsc#904348). - drm/i915: (re)init HPD interrupt storm statistics (bsc#942938). - drm/i915: Add HPD IRQ storm detection (v5) (bsc#942938). - drm/i915: Add Reenable Timer to turn Hotplug Detection back on (v4) (bsc#942938). - drm/i915: Add bit field to record which pins have received HPD events (v3) (bsc#942938). - drm/i915: Add enum hpd_pin to intel_encoder (bsc#942938). - drm/i915: Add messages useful for HPD storm detection debugging (v2) (bsc#942938). - drm/i915: Avoid race of intel_crt_detect_hotplug() with HPD interrupt (bsc#942938). - drm/i915: Convert HPD interrupts to make use of HPD pin assignment in encoders (v2) (bsc#942938). - drm/i915: Disable HPD interrupt on pin when irq storm is detected (v3) (bsc#942938). - drm/i915: Do not WARN nor handle unexpected hpd interrupts on gmch platforms (bsc#942938). - drm/i915: Enable hotplug interrupts after querying hw capabilities (bsc#942938). - drm/i915: Fix DDC probe for passive adapters (bsc#900610, fdo#85924). - drm/i915: Fix hotplug interrupt enabling for SDVOC (bsc#942938). - drm/i915: Fix up sdvo hpd pins for i965g/gm (bsc#942938). - drm/i915: Get rid if the '^A' in struct drm_i915_private (bsc#942938). - drm/i915: Make hpd arrays big enough to avoid out of bounds access (bsc#942938). - drm/i915: Mask out the HPD irq bits before setting them individually (bsc#942938). - drm/i915: Only print hotplug event message when hotplug bit is set (bsc#942938). - drm/i915: Only reprobe display on encoder which has received an HPD event (v2) (bsc#942938). - drm/i915: Queue reenable timer also when enable_hotplug_processing is false (bsc#942938). - drm/i915: Remove i965_hpd_irq_setup (bsc#942938). - drm/i915: Remove pch_rq_mask from struct drm_i915_private (bsc#942938). - drm/i915: Remove valleyview_hpd_irq_setup (bsc#942938). - drm/i915: Use an interrupt save spinlock in intel_hpd_irq_handler() (bsc#942938). - drm/i915: WARN_ONCE() about unexpected interrupts for all chipsets (bsc#942938). - drm/i915: add hotplug activation period to hotplug update mask (bsc#953980). - drm/i915: assert_spin_locked for pipestat interrupt enable/disable (bsc#942938). - drm/i915: clear crt hotplug compare voltage field before setting (bsc#942938). - drm/i915: close tiny race in the ilk pcu even interrupt setup (bsc#942938). - drm/i915: fix hotplug event bit tracking (bsc#942938). - drm/i915: fix hpd interrupt register locking (bsc#942938). - drm/i915: fix hpd work vs. flush_work in the pageflip code deadlock (bsc#942938). - drm/i915: fix locking around ironlake_enable|disable_display_irq (bsc#942938). - drm/i915: fold the hpd_irq_setup call into intel_hpd_irq_handler (bsc#942938). - drm/i915: fold the no-irq check into intel_hpd_irq_handler (bsc#942938). - drm/i915: fold the queue_work into intel_hpd_irq_handler (bsc#942938). - drm/i915: implement ibx_hpd_irq_setup (bsc#942938). - drm/i915: s/hotplug_irq_storm_detect/intel_hpd_irq_handler/ (bsc#942938). - ehci-pci: enable interrupt on BayTrail (bnc926007). - fix lpfc_send_rscn_event allocation size claims bsc#935757 - hugetlb: simplify migrate_huge_page() (bsc#947957, VM Functionality). - hwpoison, hugetlb: lock_page/unlock_page does not match for handling a free hugepage (bsc#947957). - ib/iser: Add Discovery support (bsc#923002). - ib/iser: Move informational messages from error to info level (bsc#923002). - ib/srp: Avoid skipping srp_reset_host() after a transport error (bsc#904965). - ib/srp: Fix a sporadic crash triggered by cable pulling (bsc#904965). - inotify: Fix nested sleeps in inotify_read() (bsc#940925). - ipv6: fix tunnel error handling (bsc#952579). - ipv6: probe routes asynchronous in rt6_probe (bsc#936118). - ipvs: Fix reuse connection if real server is dead (bsc#945827). - ipvs: drop first packet to dead server (bsc#946078). - keys: Fix race between key destruction and finding a keyring by name (bsc#951440). - ktime: add ktime_after and ktime_before helpe (bsc#904348). - lib/string.c: introduce memchr_inv() (bsc#930788). - libiscsi: Exporting new attrs for iscsi session and connection in sysfs (bsc#923002). - macvlan: Support bonding events bsc#948521 - make sure XPRT_CONNECTING gets cleared when needed (bsc#946309). - memory-failure: do code refactor of soft_offline_page() (bsc#947957). - memory-failure: fix an error of mce_bad_pages statistics (bsc#947957). - memory-failure: use num_poisoned_pages instead of mce_bad_pages (bsc#947957). - memory-hotplug: update mce_bad_pages when removing the memory (bsc#947957). - mm/memory-failure.c: fix wrong num_poisoned_pages in handling memory error on thp (bsc#947957). - mm/memory-failure.c: recheck PageHuge() after hugetlb page migrate successfully (bsc#947957). - mm/migrate.c: pair unlock_page() and lock_page() when migrating huge pages (bsc#947957). - mm: exclude reserved pages from dirtyable memory 32b fix (bsc#940017, bsc#949298). - mm: make page pfmemalloc check more robust (bsc#920016). - netfilter: nf_conntrack_proto_sctp: minimal multihoming support (bsc#932350). - pci: Add VPD function 0 quirk for Intel Ethernet devices (bsc#943786). - pci: Add dev_flags bit to access VPD through function 0 (bsc#943786). - pci: Add flag indicating device has been assigned by KVM (bsc#777565). - pci: Clear NumVFs when disabling SR-IOV in sriov_init() (bsc#952084). - pci: Refresh First VF Offset and VF Stride when updating NumVFs (bsc#952084). - pci: Update NumVFs register when disabling SR-IOV (bsc#952084). - pci: delay configuration of SRIOV capability (bsc#952084). - pci: set pci sriov page size before reading SRIOV BAR (bsc#952084). - pktgen: clean up ktime_t helpers (bsc#904348). - qla2xxx: Do not reset adapter if SRB handle is in range (bsc#944993). - qla2xxx: Remove decrement of sp reference count in abort handler (bsc#944993). - qla2xxx: do not clear slot in outstanding cmd array (bsc#944993). - r8169: remember WOL preferences on driver load (bsc#942305). - rcu: Eliminate deadlock between CPU hotplug and expedited grace periods (bsc#949706). - rtc: cmos: Cancel alarm timer if alarm time is equal to now+1 seconds (bsc#930145). - sched/core: Fix task and run queue sched_info::run_delay inconsistencies (bsc#949100). - scsi: fix scsi_error_handler vs. scsi_host_dev_release race (bsc#942204). - scsi: hosts: update to use ida_simple for host_no (bsc#939926) - scsi: kabi: allow iscsi disocvery session support (bsc#923002). - scsi_transport_iscsi: Exporting new attrs for iscsi session and connection in sysfs (bsc#923002). - sg: fix read() error reporting (bsc#926774). - usb: xhci: Prefer endpoint context dequeue pointer over stopped_trb (bsc#933721). - usb: xhci: Reset a halted endpoint immediately when we encounter a stall (bsc#933721). - usb: xhci: apply XHCI_AVOID_BEI quirk to all Intel xHCI controllers (bsc#944989). - usb: xhci: do not start a halted endpoint before its new dequeue is set (bsc#933721). - usb: xhci: handle Config Error Change (CEC) in xhci driver (bsc#933721). - x86/tsc: Change Fast TSC calibration failed from error to info (bsc#942605). - x86: mm: drop TLB flush from ptep_set_access_flags (bsc#948330). - x86: mm: only do a local tlb flush in ptep_set_access_flags() (bsc#948330). - xfs: Fix lost direct IO write in the last block (bsc#949744). - xfs: Fix softlockup in xfs_inode_ag_walk() (bsc#948347). - xfs: add EOFBLOCKS inode tagging/untagging (bsc#930788). - xfs: add XFS_IOC_FREE_EOFBLOCKS ioctl (bsc#930788). - xfs: add background scanning to clear eofblocks inodes (bsc#930788). - xfs: add inode id filtering to eofblocks scan (bsc#930788). - xfs: add minimum file size filtering to eofblocks scan (bsc#930788). - xfs: create function to scan and clear EOFBLOCKS inodes (bsc#930788). - xfs: create helper to check whether to free eofblocks on inode (bsc#930788). - xfs: introduce a common helper xfs_icluster_size_fsb (bsc#932805). - xfs: make xfs_free_eofblocks() non-static, return EAGAIN on trylock failure (bsc#930788). - xfs: support a tag-based inode_ag_iterator (bsc#930788). - xfs: support multiple inode id filtering in eofblocks scan (bsc#930788). - xfs: use xfs_icluster_size_fsb in xfs_bulkstat (bsc#932805). - xfs: use xfs_icluster_size_fsb in xfs_ialloc_inode_init (bsc#932805). - xfs: use xfs_icluster_size_fsb in xfs_ifree_cluster (bsc#932805). - xfs: use xfs_icluster_size_fsb in xfs_imap (bsc#932805). - xhci: Add spurious wakeup quirk for LynxPoint-LP controllers (bsc#949981). - xhci: Allocate correct amount of scratchpad buffers (bsc#933721). - xhci: Calculate old endpoints correctly on device reset (bsc#944831). - xhci: Do not enable/disable RWE on bus suspend/resume (bsc#933721). - xhci: For streams the css flag most be read from the stream-ctx on ep stop (bsc#945691). - xhci: Solve full event ring by increasing TRBS_PER_SEGMENT to 256 (bsc#933721). - xhci: Treat not finding the event_seg on COMP_STOP the same as COMP_STOP_INVAL (bsc#933721). - xhci: Workaround for PME stuck issues in Intel xhci (bsc#933721). - xhci: change xhci 1.0 only restrictions to support xhci 1.1 (bsc#949502). - xhci: do not report PLC when link is in internal resume state (bsc#933721). - xhci: fix isoc endpoint dequeue from advancing too far on transaction error (bsc#944837). - xhci: fix reporting of 0-sized URBs in control endpoint (bsc#933721). - xhci: report U3 when link is in resume state (bsc#933721). - xhci: rework cycle bit checking for new dequeue pointers (bsc#933721). - xhci: use uninterruptible sleep for waiting for internal operations (bsc#939955). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-27
    plugin id 87104
    published 2015-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87104
    title SUSE SLED11 / SLES11 Security Update : kernel (SUSE-SU-2015:2108-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0024.NASL
    description Updated kernel packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6.6 Extended Update Support. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) Red Hat would like to thank Ben Serebrin of Google Inc. for reporting the CVE-2015-5307 issue. This update also fixes the following bugs : * When doing TSO/GSO in the presence of VLAN headers on a macvtap device, the header offsets were incorrectly calculated. As a consequence, when 2 guests on the same host communicated over a guest configured VLAN, performance dropped to about 1 Mbps. A set of patches has been provided to fix this bug, and network performance with VLAN tags now works with optimal performance. (BZ#1215914) * Prior to this update, TSO acceleration features have been removed from the VLAN device which caused that VLAN performance on top of a virtio device was much lower than that of a virtio device itself. This update re-enables TSO acceleration features, and performance of VLAN devices on top of a virtio device has thus been restored. (BZ#1240988) * With an IPv6 address on a bond and a slave failover, Unsolicited Neighbor Advertisement (UNA) was previously sent using the link global IPv6 address as source address. The underlying source code has been patched, and, after the failover in bonding, UNA is sent using both the corresponding link IPv6 address and global IPv6 address of bond0 and bond0.vlan. (BZ#1258480) * Previously, Human Interface Device (HID) would run a report on an unaligned buffer, which could cause a page fault interrupt and an oops when the end of the report was read. This update fixes this bug by padding the end of the report with extra bytes, so the reading of the report never crosses a page boundary. As a result, a page fault and subsequent oops no longer occur. (BZ#1268202) * Inside hugetlb, region data structures were protected by a combination of a memory map semaphore and a single hugetlb instance mutex. However, a page-fault scalability improvement backported to the kernel on previous releases removed the single hugetlb instance mutex and introduced a new mutex table, making the locking combination insufficient, leading to possible race windows that could cause corruption and undefined behavior. The problem could be seen for example with software mapping or re-mapping hugetlb areas with concurrent threads reading/writing to same areas causing page faults. This update fixes the problem by introducing now a required spinlock to the region tracking functions for proper serialization. The problem only affects software using huge pages through hugetlb interface. (BZ#1274597) * Previously, VLAN stacked on the macvlan or macvtap device did not work for devices that implement and use VLAN filters. As a consequence, macvtap passthrough mode failed to transfer VLAN packets over the be2net driver. This update implements VLAN ndo calls to the macvlan driver to pass appropriate VLAN tag IDs to lower devices. As a result, macvtap transfers VLAN packets over be2net successfully. (BZ#1280205) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2017-10-29
    modified 2017-01-10
    plugin id 87886
    published 2016-01-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87886
    title RHEL 6 : kernel (RHSA-2016:0024)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2645.NASL
    description Updated kernel packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 6.5 Advanced Update Support. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) Red Hat would like to thank Ben Serebrin of Google Inc. for reporting the CVE-2015-5307 issue. This update also fixes the following bugs : * With an IPv6 address on a bond and a slave failover, Unsolicited Neighbor Advertisement (UNA) was previously sent using the link global IPv6 address as source address. The underlying source code has been patched, and, after the failover in bonding, UNA is sent using both the corresponding link IPv6 address and global IPv6 address of bond0 and bond0.vlan. (BZ#1258479) * Previously, Human Interface Device (HID) would run a report on an unaligned buffer, which could cause a page fault interrupt and an oops when the end of the report was read. This update fixes this bug by padding the end of the report with extra bytes, so the reading of the report never crosses a page boundary. As a result, a page fault and subsequent oops no longer occur. (BZ#1268201) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 87399
    published 2015-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87399
    title RHEL 6 : kernel (RHSA-2015:2645)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2843-2.NASL
    description Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS. (CVE-2015-8104) Guoyong Gang discovered that the ppp implementation in the Linux kernel did not ensure that certain slot numbers are valid. A local attacker with the privilege to call ioctl() on /dev/ppp could cause a denial of service (system crash). (CVE-2015-7799) Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted to garbage collect incompletely instantiated keys. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2015-7872) It was discovered that the virtual video osd test driver in the Linux kernel did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel. (CVE-2015-7884) It was discovered that the driver for Digi Neo and ClassicBoard devices did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel. (CVE-2015-7885). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-01
    plugin id 87497
    published 2015-12-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87497
    title Ubuntu 14.04 LTS : linux-lts-wily vulnerabilities (USN-2843-2)
  • NASL family Windows
    NASL id SMB_KB3108638.NASL
    description The remote Windows host is affected by multiple denial of service vulnerabilities that can be triggered with certain central processing unit (CPU) chipsets. A local attacker with kernel-mode privileges on a Hyper-V guest can exploit this to cause all Hyper-V guests to become unresponsive.
    last seen 2017-10-29
    modified 2017-08-30
    plugin id 86818
    published 2015-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86818
    title MS KB3108638: Update for Windows Hyper-V to Address CPU Weakness
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3414.NASL
    description Multiple security issues have been found in the Xen virtualisation solution, which may result in denial of service or information disclosure.
    last seen 2017-10-29
    modified 2016-04-28
    plugin id 87288
    published 2015-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87288
    title Debian DSA-3414-1 : xen - security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3454.NASL
    description Multiple vulnerabilities have been discovered in VirtualBox, an x86 virtualisation solution. Upstream support for the 4.1 release series has ended and since no information is available which would allow backports of isolated security fixes, security support for virtualbox in wheezy/oldstable needed to be ended as well. If you use virtualbox with externally procured VMs (e.g. through vagrant) we advise you to update to Debian jessie.
    last seen 2017-10-29
    modified 2016-04-28
    plugin id 88423
    published 2016-01-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88423
    title Debian DSA-3454-1 : virtualbox - security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-2306-1.NASL
    description This update fixes the following security issues : - bsc#956832 - CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing command block list - bsc#956408 - CVE-2015-8339, CVE-2015-8340: xen: XENMEM_exchange error handling issues (XSA-159) xsa159.patch - bsc#956411 - CVE-2015-7504: xen: heap buffer overflow vulnerability in pcnet emulator (XSA-162) - bsc#954405 - CVE-2015-8104: Xen: guest to host DoS by triggering an infinite loop in microcode via #DB exception - bsc#953527 - CVE-2015-5307: kernel: kvm/xen: x86: avoid guest->host DOS by intercepting #AC (XSA-156) - bsc#950704 - CVE-2015-7970: xen: x86: Long latency populate-on-demand operation is not preemptible (XSA-150) - bsc#951845 - CVE-2015-7972: xen: x86: populate-on-demand balloon size inaccuracy can crash guests (XSA-153) - bsc#950703 - CVE-2015-7969: xen: leak of main per-domain vcpu pointer array (DoS) (XSA-149) - bsc#950705 - CVE-2015-7969: xen: x86: leak of per-domain profiling-related vcpu pointer array (DoS) (XSA-151) - bsc#950706 - CVE-2015-7971: xen: x86: some pmu and profiling hypercalls log without rate limiting (XSA-152) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-02
    plugin id 87528
    published 2015-12-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87528
    title SUSE SLES11 Security Update : xen (SUSE-SU-2015:2306-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0103.NASL
    description Updated kernel packages that fix three security issues, multiple bugs, and one enhancement are now available for Red Hat Enterprise Linux 7.1 Extended Update Support. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #DB (debug exception) is handled. A privileged user inside a guest could use this flaw to create denial of service conditions on the host kernel. (CVE-2015-8104, Important) * A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2016-0728, Important) * It was found that the fix for CVE-2015-1805 incorrectly kept buffer offset and buffer length in sync on a failed atomic read, potentially resulting in a pipe buffer state corruption. A local, unprivileged user could use this flaw to crash the system or leak kernel memory to user space. (CVE-2016-0774, Moderate) Red Hat would like to thank the Perception Point research team for reporting the CVE-2016-0728 issue. The security impact of the CVE-2016-0774 issue was discovered by Red Hat. Bug fixes : * NMI watchdog of guests using legacy LVT0-based NMI delivery did not work with APICv. Now, NMI works with LVT0 regardless of APICv. (BZ#1244726) * Parallel file-extending direct I/O writes could previously race to update the size of the file. If they executed out-of-order, the file size could move backwards and push a previously completed write beyond the end of the file, causing it to be lost. (BZ#1258942) * The GHES NMI handler had a global spin lock that significantly increased the latency of each perf sample collection. This update simplifies locking inside the handler. (BZ#1280200) * Sometimes, iptables rules are updated along with ip rules, and routes are reloaded. Previously, skb->sk was mistakenly attached to some IPv6 forwarding traffic packets, which could cause kernel panic. Now, such packets are checked and not processed. (BZ#1281700) * The NUMA node was not reported for PCI adapters, which affected every POWER system deployed with Red Hat Enterprise Linux 7 and caused significant decrease in the system performance. (BZ#1283525) * Processing packets with a lot of different IPv6 source addresses caused the kernel to return warnings concerning soft-lockups due to high lock contention and latency increase. (BZ#1285369) * Running edge triggered interrupts with an ack notifier when simultaneously reconfiguring the Intel I/O IOAPIC did not work correctly, so EOI in the interrupt did not cause a VM to exit if APICv was enabled. Consequently, the VM sometimes became unresponsive. (BZ#1287001) * Block device readahead was artificially limited, so the read performance was poor, especially on RAID devices. Now, per-device readahead limits are used for each device, which has improved read performance. (BZ#1287548) * Identical expectations could not be tracked simultaneously even if they resided in different connection tracking zones. Now, an expectation insert attempt is rejected only if the zone is also identical. (BZ#1290093) * The storvsc kernel driver for Microsoft Hyper-V storage was setting incorrect SRB flags, and Red Hat Enterprise Linux 7 guests running on Microsoft Hyper-V were experiencing slow I/O as well as I/O failures when they were connected to a virtual SAN. Now, SRB flags are set correctly. (BZ#1290095) * When a NUMA system with no memory in node 0 was used, the system terminated unexpectedly during boot or when using OpenVSwitch. Now, the kernel tries to allocate memory from other nodes when node 0 is not present. (BZ#1300950) Enhancement : * IPsec has been updated to provide many fixes and some enhancements. Of particular note is the ability to match on outgoing interfaces. (BZ#1287407)
    last seen 2017-12-04
    modified 2017-12-04
    plugin id 88558
    published 2016-02-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88558
    title RHEL 7 : kernel (RHSA-2016:0103)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-2324-1.NASL
    description This update fixes the following security issues : - bsc#956832 - CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing command block list - Revert x86/IO-APIC: don't create pIRQ mapping from masked RTE until kernel maintenance release goes out. - bsc#956592 - xen: virtual PMU is unsupported (XSA-163) - bsc#956408 - CVE-2015-8339, CVE-2015-8340: xen: XENMEM_exchange error handling issues (XSA-159) - bsc#956409 - CVE-2015-8341: xen: libxl leak of pv kernel and initrd on error (XSA-160) - bsc#956411 - CVE-2015-7504: xen: heap buffer overflow vulnerability in pcnet emulator (XSA-162) - bsc#947165 - CVE-2015-7311: xen: libxl fails to honour readonly flag on disks with qemu-xen (xsa-142) - bsc#954405 - CVE-2015-8104: Xen: guest to host DoS by triggering an infinite loop in microcode via #DB exception - bsc#954018 - CVE-2015-5307: xen: x86: CPU lockup during fault delivery (XSA-156) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-02
    plugin id 87588
    published 2015-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87588
    title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:2324-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-F2C534BC12.NASL
    description kernel-4.1.13-100.fc21 - Linux v4.1.13 - CVE-2015-8104 kvm: DoS infinite loop in microcode DB exception (rhbz 1278496 1279691) - CVE-2015-5307 kvm: DoS infinite loop in microcode AC exception (rhbz 1277172 1279688) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-10-18
    plugin id 89459
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89459
    title Fedora 21 : kernel-4.1.13-100.fc21 (2015-f2c534bc12)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0037.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0037 for details.
    last seen 2017-10-29
    modified 2017-02-14
    plugin id 90019
    published 2016-03-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90019
    title OracleVM 3.2 : kernel-uek (OVMSA-2016-0037)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2841-1.NASL
    description Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS. (CVE-2015-8104) Guoyong Gang discovered that the ppp implementation in the Linux kernel did not ensure that certain slot numbers are valid. A local attacker with the privilege to call ioctl() on /dev/ppp could cause a denial of service (system crash). (CVE-2015-7799) It was discovered that the driver for Digi Neo and ClassicBoard devices did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel. (CVE-2015-7885). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-01
    plugin id 87466
    published 2015-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87466
    title Ubuntu 14.04 LTS : linux vulnerabilities (USN-2841-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-2339-1.NASL
    description The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. Following security bugs were fixed : - CVE-2015-7509: Mounting ext4 filesystems in no-journal mode could hav lead to a system crash (bsc#956709). - CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel did not ensure that certain slot numbers are valid, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call (bnc#949936). - CVE-2015-8104: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c (bnc#954404). - CVE-2015-5307: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c (bnc#953527). - CVE-2015-7990: RDS: There was no verification that an underlying transport exists when creating a connection, causing usage of a NULL pointer (bsc#952384). - CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux kernel on the x86_64 platform mishandled IRET faults in processing NMIs that occurred during userspace execution, which might have allowed local users to gain privileges by triggering an NMI (bnc#938706). - CVE-2015-7872: The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel allowed local users to cause a denial of service (OOPS) via crafted keyctl commands (bnc#951440). - CVE-2015-0272: Missing checks allowed remote attackers to cause a denial of service (IPv6 traffic disruption) via a crafted MTU value in an IPv6 Router Advertisement (RA) message, a different vulnerability than CVE-2015-8215 (bnc#944296). - CVE-2015-6937: The __rds_conn_create function in net/rds/connection.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound (bnc#945825). The following non-security bugs were fixed : - ALSA: hda - Disable 64bit address for Creative HDA controllers (bnc#814440). - Driver: Vmxnet3: Fix ethtool -S to return correct rx queue stats (bsc#950750). - Drivers: hv: do not do hypercalls when hypercall_page is NULL. - Drivers: hv: kvp: move poll_channel() to hyperv_vmbus.h. - Drivers: hv: util: move kvp/vss function declarations to hyperv_vmbus.h. - Drivers: hv: vmbus: Get rid of some unused definitions. - Drivers: hv: vmbus: Implement the protocol for tearing down vmbus state. - Drivers: hv: vmbus: add special crash handler (bnc#930770). - Drivers: hv: vmbus: add special kexec handler. - Drivers: hv: vmbus: kill tasklets on module unload. - Drivers: hv: vmbus: prefer '^A' notification chain to 'panic'. - Drivers: hv: vmbus: remove hv_synic_free_cpu() call from hv_synic_cleanup(). - Drivers: hv: vmbus: unregister panic notifier on module unload. - IB/srp: Avoid skipping srp_reset_host() after a transport error (bsc#904965). - IB/srp: Fix a sporadic crash triggered by cable pulling (bsc#904965). - KEYS: Fix race between key destruction and finding a keyring by name (bsc#951440). - Make sure XPRT_CONNECTING gets cleared when needed (bsc#946309). - NFSv4: Fix two infinite loops in the mount code (bsc#954628). - PCI: Add VPD function 0 quirk for Intel Ethernet devices (bnc#943786). - PCI: Add dev_flags bit to access VPD through function 0 (bnc#943786). - PCI: Clear NumVFs when disabling SR-IOV in sriov_init() (bnc#952084). - PCI: Refresh First VF Offset and VF Stride when updating NumVFs (bnc#952084). - PCI: Update NumVFs register when disabling SR-IOV (bnc#952084). - PCI: delay configuration of SRIOV capability (bnc#952084). - PCI: set pci sriov page size before reading SRIOV BAR (bnc#952084). - SCSI: hosts: update to use ida_simple for host_no (bsc#939926) - SUNRPC refactor rpcauth_checkverf error returns (bsc#955673). - af_iucv: avoid path quiesce of severed path in shutdown() (bnc#946214). - ahci: Add Device ID for Intel Sunrise Point PCH (bsc#953799). - blktap: also call blkif_disconnect() when frontend switched to closed (bsc#952976). - blktap: refine mm tracking (bsc#952976). - cachefiles: Avoid deadlocks with fs freezing (bsc#935123). - dm sysfs: introduce ability to add writable attributes (bsc#904348). - dm-snap: avoid deadock on s->lock when a read is split (bsc#939826). - dm: do not start current request if it would've merged with the previous (bsc#904348). - dm: impose configurable deadline for dm_request_fn's merge heuristic (bsc#904348). - drm/i915: Avoid race of intel_crt_detect_hotplug() with HPD interrupt, v2 (bsc#942938). - drm/i915: Fix DDC probe for passive adapters (bsc#900610, fdo#85924). - drm/i915: add hotplug activation period to hotplug update mask (bsc#953980). - fix lpfc_send_rscn_event allocation size claims bnc#935757 - fs: Avoid deadlocks of fsync_bdev() and fs freezing (bsc#935123). - fs: Fix deadlocks between sync and fs freezing (bsc#935123). - hugetlb: simplify migrate_huge_page() (bnc#947957). - hwpoison, hugetlb: lock_page/unlock_page does not match for handling a free hugepage (bnc#947957,). - ipr: Fix incorrect trace indexing (bsc#940913). - ipr: Fix invalid array indexing for HRRQ (bsc#940913). - ipv6: fix tunnel error handling (bsc#952579). - ipvs: Fix reuse connection if real server is dead (bnc#945827). - ipvs: drop first packet to dead server (bsc#946078). - kernel: correct uc_sigmask of the compat signal frame (bnc#946214). - kernel: fix incorrect use of DIAG44 in continue_trylock_relax() (bnc#946214). - kexec: Fix race between panic() and crash_kexec() called directly (bnc#937444). - ktime: add ktime_after and ktime_before helpe (bsc#904348). - lib/string.c: introduce memchr_inv() (bnc#930788). - lpfc: Fix cq_id masking problem (bsc#944677). - macvlan: Support bonding events bsc#948521 - memory-failure: do code refactor of soft_offline_page() (bnc#947957). - memory-failure: fix an error of mce_bad_pages statistics (bnc#947957). - memory-failure: use num_poisoned_pages instead of mce_bad_pages (bnc#947957). - memory-hotplug: update mce_bad_pages when removing the memory (bnc#947957). - mm/memory-failure.c: fix wrong num_poisoned_pages in handling memory error on thp (bnc#947957). - mm/memory-failure.c: recheck PageHuge() after hugetlb page migrate successfully (bnc#947957). - mm/migrate.c: pair unlock_page() and lock_page() when migrating huge pages (bnc#947957). - mm: exclude reserved pages from dirtyable memory 32b fix (bnc#940017, bnc#949298). - mm: fix GFP_THISNODE callers and clarify (bsc#954950). - mm: remove GFP_THISNODE (bsc#954950). - mm: sl[au]b: add knowledge of PFMEMALLOC reserve pages (Swap over NFS). - net/core: Add VF link state control policy (bsc#950298). - netfilter: xt_recent: fix namespace destroy path (bsc#879378). - panic/x86: Allow cpus to save registers even if they (bnc#940946). - panic/x86: Fix re-entrance problem due to panic on (bnc#937444). - pktgen: clean up ktime_t helpers (bsc#904348). - qla2xxx: Do not reset adapter if SRB handle is in range (bsc#944993). - qla2xxx: Remove decrement of sp reference count in abort handler (bsc#944993). - qla2xxx: Remove unavailable firmware files (bsc#921081). - qla2xxx: do not clear slot in outstanding cmd array (bsc#944993). - qlge: Fix qlge_update_hw_vlan_features to handle if interface is down (bsc#930835). - quota: Fix deadlock with suspend and quotas (bsc#935123). - rcu: Eliminate deadlock between CPU hotplug and expedited grace periods (bsc#949706). - rtc: cmos: Cancel alarm timer if alarm time is equal to now+1 seconds (bsc#930145). - rtnetlink: Fix VF IFLA policy (bsc#950298). - rtnetlink: fix VF info size (bsc#950298). - s390/dasd: fix disconnected device with valid path mask (bnc#946214). - s390/dasd: fix invalid PAV assignment after suspend/resume (bnc#946214). - s390/dasd: fix list_del corruption after lcu changes (bnc#954984). - s390/pci: handle events for unused functions (bnc#946214). - s390/pci: improve handling of hotplug event 0x301 (bnc#946214). - s390/pci: improve state check when processing hotplug events (bnc#946214). - sched/core: Fix task and run queue sched_info::run_delay inconsistencies (bnc#949100). - sg: fix read() error reporting (bsc#926774). - usb: xhci: apply XHCI_AVOID_BEI quirk to all Intel xHCI controllers (bnc#944989). - usbback: correct copy length for partial transfers (bsc#941202). - usbvision fix overflow of interfaces array (bnc#950998). - veth: extend device features (bsc#879381). - vfs: Provide function to get superblock and wait for it to thaw (bsc#935123). - vmxnet3: adjust ring sizes when interface is down (bsc#950750). - vmxnet3: fix ethtool ring buffer size setting (bsc#950750). - writeback: Skip writeback for frozen filesystem (bsc#935123). - x86, pageattr: Prevent overflow in slow_virt_to_phys() for X86_PAE (bnc#937256). - x86/evtchn: make use of PHYSDEVOP_map_pirq. - x86: mm: drop TLB flush from ptep_set_access_flags (bsc#948330). - x86: mm: only do a local tlb flush in ptep_set_access_flags() (bsc#948330). - xen: x86, pageattr: Prevent overflow in slow_virt_to_phys() for X86_PAE (bnc#937256). - xfs: Fix lost direct IO write in the last block (bsc#949744). - xfs: Fix softlockup in xfs_inode_ag_walk() (bsc#948347). - xfs: add EOFBLOCKS inode tagging/untagging (bnc#930788). - xfs: add XFS_IOC_FREE_EOFBLOCKS ioctl (bnc#930788). - xfs: add background scanning to clear eofblocks inodes (bnc#930788). - xfs: add inode id filtering to eofblocks scan (bnc#930788). - xfs: add minimum file size filtering to eofblocks scan (bnc#930788). - xfs: create function to scan and clear EOFBLOCKS inodes (bnc#930788). - xfs: create helper to check whether to free eofblocks on inode (bnc#930788). - xfs: introduce a common helper xfs_icluster_size_fsb (bsc#932805). - xfs: make xfs_free_eofblocks() non-static, return EAGAIN on trylock failure (bnc#930788). - xfs: support a tag-based inode_ag_iterator (bnc#930788). - xfs: support multiple inode id filtering in eofblocks scan (bnc#930788). - xfs: use xfs_icluster_size_fsb in xfs_bulkstat (bsc#932805). - xfs: use xfs_icluster_size_fsb in xfs_ialloc_inode_init (bsc#932805). - xfs: use xfs_icluster_size_fsb in xfs_ifree_cluster (bsc#932805). - xfs: use xfs_icluster_size_fsb in xfs_imap (bsc#932805). - xhci: Add spurious wakeup quirk for LynxPoint-LP controllers (bnc#949981). - xhci: Calculate old endpoints correctly on device reset (bnc#944831). - xhci: For streams the css flag most be read from the stream-ctx on ep stop (bnc#945691). - xhci: change xhci 1.0 only restrictions to support xhci 1.1 (bnc#949502). - xhci: fix isoc endpoint dequeue from advancing too far on transaction error (bnc#944837). - xhci: silence TD warning (bnc#939955). - xhci: use uninterruptible sleep for waiting for internal operations (bnc#939955). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-27
    plugin id 87651
    published 2015-12-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87651
    title SUSE SLED11 / SLES11 Security Update : kernel (SUSE-SU-2015:2339-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-479.NASL
    description This security update fixes a number of security issues in Xen in wheezy. For Debian 7 'Wheezy', these problems have been fixed in version 4.1.6.1-1+deb7u1. We recommend that you upgrade your libidn packages. CVE-2015-2752 The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, when using a PCI passthrough device, is not preemptable, which allows local x86 HVM domain users to cause a denial of service (host CPU consumption) via a crafted request to the device model (qemu-dm). CVE-2015-2756 QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response. CVE-2015-5165 The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors. CVE-2015-5307 The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c. CVE-2015-7969 Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest administrators or domains with certain permission to cause a denial of service (memory consumption) via a large number of 'teardowns' of domains with the vcpu pointer array allocated using the (1) XEN_DOMCTL_max_vcpus hypercall or the xenoprofile state vcpu pointer array allocated using the (2) XENOPROF_get_buffer or (3) XENOPROF_set_passive hypercall. CVE-2015-7970 The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen 3.4.x, 3.5.x, and 3.6.x is not preemptible, which allows local x86 HVM guest administrators to cause a denial of service (CPU consumption and possibly reboot) via crafted memory contents that triggers a 'time-consuming linear scan,' related to Populate-on-Demand. CVE-2015-7971 Xen 3.2.x through 4.6.x does not limit the number of printk console messages when logging certain pmu and profiling hypercalls, which allows local guests to cause a denial of service via a sequence of crafted (1) HYPERCALL_xenoprof_op hypercalls, which are not properly handled in the do_xenoprof_op function in common/xenoprof.c, or (2) HYPERVISOR_xenpmu_op hypercalls, which are not properly handled in the do_xenpmu_op function in arch/x86/cpu/vpmu.c. CVE-2015-7972 The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2) libxl__build_post function in tools/libxl/libxl_dom.c in Xen 3.4.x through 4.6.x do not properly calculate the balloon size when using the populate-on-demand (PoD) system, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors related to 'heavy memory pressure.' CVE-2015-8104 The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c. CVE-2015-8339 The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly hand back pages to a domain, which might allow guest OS administrators to cause a denial of service (host crash) via unspecified vectors related to domain teardown. CVE-2015-8340 The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly release locks, which might allow guest OS administrators to cause a denial of service (deadlock or host crash) via unspecified vectors, related to XENMEM_exchange error handling. CVE-2015-8550 Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability. CVE-2015-8554 Buffer overflow in hw/pt-msi.c in Xen 4.6.x and earlier, when using the qemu-xen-traditional (aka qemu-dm) device model, allows local x86 HVM guest administrators to gain privileges by leveraging a system with access to a passed-through MSI-X capable physical PCI device and MSI-X table entries, related to a 'write path.' CVE-2015-8555 Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors. CVE-2015-8615 The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6 does not limit the number of printk console messages when logging the new callback method, which allows local HVM guest OS users to cause a denial of service via a large number of changes to the callback method (HVM_PARAM_CALLBACK_IRQ). CVE-2016-1570 The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1, and 4.1.x through 4.6.x allows local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates. CVE-2016-1571 The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtualization is enabled, allows local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID instruction, which triggers a hypervisor bug check. CVE-2016-2270 Xen 4.6.x and earlier allows local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings. CVE-2016-2271 VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-06
    plugin id 91198
    published 2016-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91198
    title Debian DLA-479-1 : xen security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-2194-1.NASL
    description The SUSE Linux Enterprise 12 kernel was updated to 3.12.51 to receive various security and bugfixes. Following security bugs were fixed : - CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel did not ensure that certain slot numbers were valid, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call (bnc#949936). - CVE-2015-5283: The sctp_init function in net/sctp/protocol.c in the Linux kernel had an incorrect sequence of protocol-initialization steps, which allowed local users to cause a denial of service (panic or memory corruption) by creating SCTP sockets before all of the steps have finished (bnc#947155). - CVE-2015-2925: The prepend_path function in fs/dcache.c in the Linux kernel did not properly handle rename actions inside a bind mount, which allowed local users to bypass an intended container protection mechanism by renaming a directory, related to a 'double-chroot attack (bnc#926238). - CVE-2015-8104: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c (bnc#954404). - CVE-2015-5307: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c (bnc#953527). - CVE-2015-7990: RDS: There was no verification that an underlying transport exists when creating a connection, causing usage of a NULL pointer (bsc#952384). - CVE-2015-7872: The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel allowed local users to cause a denial of service (OOPS) via crafted keyctl commands (bnc#951440). - CVE-2015-0272: Missing checks allowed remote attackers to cause a denial of service (IPv6 traffic disruption) via a crafted MTU value in an IPv6 Router Advertisement (RA) message, a different vulnerability than CVE-2015-8215 (bnc#944296). The following non-security bugs were fixed : - ALSA: hda - Disable 64bit address for Creative HDA controllers (bnc#814440). - Add PCI IDs of Intel Sunrise Point-H SATA Controller S232/236 (bsc#953796). - Btrfs: fix file corruption and data loss after cloning inline extents (bnc#956053). - Btrfs: fix truncation of compressed and inlined extents (bnc#956053). - Disable some ppc64le netfilter modules to restore the kabi (bsc#951546) - Fix regression in NFSRDMA server (bsc#951110). - KEYS: Fix race between key destruction and finding a keyring by name (bsc#951440). - KVM: x86: call irq notifiers with directed EOI (bsc#950862). - NVMe: Add shutdown timeout as module parameter (bnc#936076). - NVMe: Mismatched host/device page size support (bsc#935961). - PCI: Drop 'setting latency timer' messages (bsc#956047). - SCSI: Fix hard lockup in scsi_remove_target() (bsc#944749). - SCSI: hosts: update to use ida_simple for host_no (bsc#939926) - SUNRPC: Fix oops when trace sunrpc_task events in nfs client (bnc#956703). - Sync ppc64le netfilter config options with other archs (bnc#951546) - Update kabi files with sbc_parse_cdb symbol change (bsc#954635). - apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task (bsc#921949). - apparmor: temporary work around for bug while unloading policy (boo#941867). - audit: correctly record file names with different path name types (bsc#950013). - audit: create private file name copies when auditing inodes (bsc#950013). - cpu: Defer smpboot kthread unparking until CPU known to scheduler (bsc#936773). - dlm: make posix locks interruptible, (bsc#947241). - dm sysfs: introduce ability to add writable attributes (bsc#904348). - dm-snap: avoid deadock on s->lock when a read is split (bsc#939826). - dm: do not start current request if it would've merged with the previous (bsc#904348). - dm: impose configurable deadline for dm_request_fn's merge heuristic (bsc#904348). - dmapi: Fix xfs dmapi to not unlock and lock XFS_ILOCK_EXCL (bsc#949744). - drm/i915: Avoid race of intel_crt_detect_hotplug() with HPD interrupt, v2 (bsc#942938). - drm/i915: add hotplug activation period to hotplug update mask (bsc#953980). - fanotify: fix notification of groups with inode and mount marks (bsc#955533). - genirq: Make sure irq descriptors really exist when __irq_alloc_descs returns (bsc#945626). - hv: vss: run only on supported host versions (bnc#949504). - ipv4: Do not increase PMTU with Datagram Too Big message (bsc#955224). - ipv6: Check RTF_LOCAL on rt->rt6i_flags instead of rt->dst.flags (bsc#947321). - ipv6: Consider RTF_CACHE when searching the fib6 tree (bsc#947321). - ipv6: Extend the route lookups to low priority metrics (bsc#947321). - ipv6: Stop /128 route from disappearing after pmtu update (bsc#947321). - ipv6: Stop rt6_info from using inet_peer's metrics (bsc#947321). - ipv6: distinguish frag queues by device for multicast and link-local packets (bsc#955422). - ipvs: drop first packet to dead server (bsc#946078). - kABI: protect struct ahci_host_priv. - kABI: protect struct rt6_info changes from bsc#947321 changes (bsc#947321). - kabi: Hide rt6_* types from genksyms on ppc64le (bsc#951546). - kabi: Restore kabi in struct iscsi_tpg_attrib (bsc#954635). - kabi: Restore kabi in struct se_cmd (bsc#954635). - kabi: Restore kabi in struct se_subsystem_api (bsc#954635). - kabi: protect skb_copy_and_csum_datagram_iovec() signature (bsc#951199). - kgr: fix migration of kthreads to the new universe. - kgr: wake up kthreads periodically. - ktime: add ktime_after and ktime_before helper (bsc#904348). - macvlan: Support bonding events (bsc#948521). - net: add length argument to skb_copy_and_csum_datagram_iovec (bsc#951199). - net: handle null iovec pointer in skb_copy_and_csum_datagram_iovec() (bsc#951199). - pci: Update VPD size with correct length (bsc#924493). - rcu: Eliminate deadlock between CPU hotplug and expedited grace periods (bsc#949706). - ring-buffer: Always run per-cpu ring buffer resize with schedule_work_on() (bnc#956711). - route: Use ipv4_mtu instead of raw rt_pmtu (bsc#955224). - rtc: cmos: Cancel alarm timer if alarm time is equal to now+1 seconds (bsc#930145). - rtc: cmos: Revert 'rtc-cmos: Add an alarm disable quirk' (bsc#930145). - sched/core: Fix task and run queue sched_info::run_delay inconsistencies (bnc#949100). - sunrpc/cache: make cache flushing more reliable (bsc#947478). - supported.conf: Add missing dependencies of supported modules hwmon_vid needed by nct6775 hwmon_vid needed by w83627ehf reed_solomon needed by ramoops - supported.conf: Fix dependencies on ppc64le of_mdio needed by mdio-gpio - target/pr: fix core_scsi3_pr_seq_non_holder() caller (bnc#952666). - target/rbd: fix COMPARE AND WRITE page vector leak (bnc#948831). - target/rbd: fix PR info memory leaks (bnc#948831). - target: Send UA upon LUN RESET tmr completion (bsc#933514). - target: use '^A' when allocating UAs (bsc#933514). - usbvision fix overflow of interfaces array (bnc#950998). - vmxnet3: Fix ethtool -S to return correct rx queue stats (bsc#950750). - vmxnet3: adjust ring sizes when interface is down (bsc#950750). - x86/efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down (bsc#940853). - x86/evtchn: make use of PHYSDEVOP_map_pirq. - x86/mm/hotplug: Modify PGD entry when removing memory (VM Functionality, bnc#955148). - x86/mm/hotplug: Pass sync_global_pgds() a correct argument in remove_pagetable() (VM Functionality, bnc#955148). - xfs: DIO needs an ioend for writes (bsc#949744). - xfs: DIO write completion size updates race (bsc#949744). - xfs: DIO writes within EOF do not need an ioend (bsc#949744). - xfs: always drain dio before extending aio write submission (bsc#949744). - xfs: direct IO EOF zeroing needs to drain AIO (bsc#949744). - xfs: do not allocate an ioend for direct I/O completions (bsc#949744). - xfs: factor DIO write mapping from get_blocks (bsc#949744). - xfs: handle DIO overwrite EOF update completion correctly (bsc#949744). - xfs: move DIO mapping size calculation (bsc#949744). - xfs: using generic_file_direct_write() is unnecessary (bsc#949744). - xhci: Add spurious wakeup quirk for LynxPoint-LP controllers (bnc#951165). - xhci: change xhci 1.0 only restrictions to support xhci 1.1 (bnc#949463). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-27
    plugin id 87214
    published 2015-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87214
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2015:2194-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2843-1.NASL
    description Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS. (CVE-2015-8104) Guoyong Gang discovered that the ppp implementation in the Linux kernel did not ensure that certain slot numbers are valid. A local attacker with the privilege to call ioctl() on /dev/ppp could cause a denial of service (system crash). (CVE-2015-7799) Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted to garbage collect incompletely instantiated keys. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2015-7872) It was discovered that the virtual video osd test driver in the Linux kernel did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel. (CVE-2015-7884) It was discovered that the driver for Digi Neo and ClassicBoard devices did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel. (CVE-2015-7885). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-01
    plugin id 87470
    published 2015-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87470
    title Ubuntu 15.10 : linux vulnerabilities (USN-2843-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0004.NASL
    description Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 6.4 Advanced Update Support. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) Red Hat would like to thank Ben Serebrin of Google Inc. for reporting the CVE-2015-5307 issue. All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2017-10-29
    modified 2017-01-10
    plugin id 87804
    published 2016-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87804
    title RHEL 6 : kernel (RHSA-2016:0004)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2842-2.NASL
    description Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS. (CVE-2015-8104) Guoyong Gang discovered that the ppp implementation in the Linux kernel did not ensure that certain slot numbers are valid. A local attacker with the privilege to call ioctl() on /dev/ppp could cause a denial of service (system crash). (CVE-2015-7799) It was discovered that the virtual video osd test driver in the Linux kernel did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel. (CVE-2015-7884) It was discovered that the driver for Digi Neo and ClassicBoard devices did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel. (CVE-2015-7885). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-01
    plugin id 87469
    published 2015-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87469
    title Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-2842-2)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2636.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important) * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) * A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important) * It was found that the Linux kernel's keys subsystem did not correctly garbage collect uninstantiated keyrings. A local attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-7872, Important) Red Hat would like to thank Ben Serebrin of Google Inc. for reporting the CVE-2015-5307 issue. This update also fixes the following bugs : * Previously, Human Interface Device (HID) ran a report on an unaligned buffer, which could cause a page fault interrupt and an oops when the end of the report was read. This update fixes this bug by padding the end of the report with extra bytes, so the reading of the report never crosses a page boundary. As a result, a page fault and subsequent oops no longer occur. (BZ#1268203) * The NFS client was previously failing to detect a directory loop for some NFS server directory structures. This failure could cause NFS inodes to remain referenced after attempting to unmount the file system, leading to a kernel crash. Loop checks have been added to VFS, which effectively prevents this problem from occurring. (BZ#1272858) * Due to a race whereby the nfs_wb_pages_cancel() and nfs_commit_release_pages() calls both removed a request from the nfs_inode struct type, the kernel panicked with negative nfs_inode.npages count. The provided upstream patch performs the required serialization by holding the inode i_lock over the check of PagePrivate and locking the request, thus preventing the race and kernel panic from occurring. (BZ#1273721) * Due to incorrect URB_ISO_ASAP semantics, playing an audio file using a USB sound card could previously fail for some hardware configurations. This update fixes the bug, and playing audio from a USB sound card now works as expected. (BZ#1273916) * Inside hugetlb, region data structures were protected by a combination of a memory map semaphore and a single hugetlb instance mutex. However, a page-fault scalability improvement backported to the kernel on previous releases removed the single hugetlb instance mutex and introduced a new mutex table, making the locking combination insufficient, leading to possible race windows that could cause corruption and undefined behavior. This update fixes the problem by introducing a required spinlock to the region tracking functions for proper serialization. The problem only affects software using huge pages through hugetlb interface. (BZ#1274599) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 87398
    published 2015-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87398
    title RHEL 6 : kernel (RHSA-2015:2636)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20151215_KERNEL_ON_SL6_X.NASL
    description - A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important) - It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) - A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important) - It was found that the Linux kernel's keys subsystem did not correctly garbage collect uninstantiated keyrings. A local attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-7872, Important) This update also fixes the following bugs : - Previously, Human Interface Device (HID) ran a report on an unaligned buffer, which could cause a page fault interrupt and an oops when the end of the report was read. This update fixes this bug by padding the end of the report with extra bytes, so the reading of the report never crosses a page boundary. As a result, a page fault and subsequent oops no longer occur. - The NFS client was previously failing to detect a directory loop for some NFS server directory structures. This failure could cause NFS inodes to remain referenced after attempting to unmount the file system, leading to a kernel crash. Loop checks have been added to VFS, which effectively prevents this problem from occurring. - Due to a race whereby the nfs_wb_pages_cancel() and nfs_commit_release_pages() calls both removed a request from the nfs_inode struct type, the kernel panicked with negative nfs_inode.npages count. The provided upstream patch performs the required serialization by holding the inode i_lock over the check of PagePrivate and locking the request, thus preventing the race and kernel panic from occurring. - Due to incorrect URB_ISO_ASAP semantics, playing an audio file using a USB sound card could previously fail for some hardware configurations. This update fixes the bug, and playing audio from a USB sound card now works as expected. - Inside hugetlb, region data structures were protected by a combination of a memory map semaphore and a single hugetlb instance mutex. However, a page-fault scalability improvement backported to the kernel on previous releases removed the single hugetlb instance mutex and introduced a new mutex table, making the locking combination insufficient, leading to possible race windows that could cause corruption and undefined behavior. This update fixes the problem by introducing a required spinlock to the region tracking functions for proper serialization. The problem only affects software using huge pages through hugetlb interface. The system must be rebooted for this update to take effect.
    last seen 2017-10-29
    modified 2016-10-28
    plugin id 87403
    published 2015-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87403
    title Scientific Linux Security Update : kernel on SL6.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2074-1.NASL
    description The SUSE Linux Enterprise 11 SP2 kernel was updated to receive various security and bug fixes. The following security bugs were fixed : - CVE-2016-4486: Fixed 4 byte information leak in net/core/rtnetlink.c (bsc#978822). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126). - CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of unread data in pipes, which allowed local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes (bnc#970948). - CVE-2016-2188: The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970956). - CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor (bnc#970911). - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions (bnc#970970). - CVE-2016-3140: The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970892). - CVE-2016-2186: The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970958). - CVE-2016-2185: The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971124). - CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandles destruction of device objects, which allowed guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses (bnc#971360). - CVE-2016-2184: The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971125). - CVE-2016-3139: The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970909). - CVE-2016-2143: The fork implementation in the Linux kernel on s390 platforms mishandled the case of four page-table levels, which allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h (bnc#970504). - CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#968670). - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bnc#968010). - CVE-2015-7566: The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint (bnc#961512). - CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel did not prevent recursive callback access, which allowed local users to cause a denial of service (deadlock) via a crafted ioctl call (bnc#968013). - CVE-2016-2547: sound/core/timer.c in the Linux kernel employed a locking approach that did not consider slave timer instances, which allowed local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call (bnc#968011). - CVE-2016-2548: sound/core/timer.c in the Linux kernel retained certain linked lists after a close or stop action, which allowed local users to cause a denial of service (system crash) via a crafted ioctl call, related to the (1) snd_timer_close and (2) _snd_timer_stop functions (bnc#968012). - CVE-2016-2546: sound/core/timer.c in the Linux kernel used an incorrect type of mutex, which allowed local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call (bnc#967975). - CVE-2016-2545: The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel did not properly maintain a certain linked list, which allowed local users to cause a denial of service (race condition and system crash) via a crafted ioctl call (bnc#967974). - CVE-2016-2544: Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel allowed local users to cause a denial of service (use-after-free and system crash) by making an ioctl call at a certain time (bnc#967973). - CVE-2016-2543: The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientmgr.c in the Linux kernel did not verify FIFO assignment before proceeding with FIFO clearing, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call (bnc#967972). - CVE-2016-2384: Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor (bnc#966693). - CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel did not properly identify error conditions, which allowed remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted packets (bnc#966437). - CVE-2015-8785: The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kernel allowed local users to cause a denial of service (infinite loop) via a writev system call that triggers a zero length for the first segment of an iov (bnc#963765). - CVE-2016-2069: Race condition in arch/x86/mm/tlb.c in the Linux kernel .4.1 allowed local users to gain privileges by triggering access to a paging structure by a different CPU (bnc#963767). - CVE-2016-0723: Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call (bnc#961500). - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel allowed local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls (bnc#955654). - CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux kernel did not properly manage the relationship between a lock and a socket, which allowed local users to cause a denial of service (deadlock) via a crafted sctp_accept call (bnc#961509). - CVE-2015-7515: The aiptek_probe function in drivers/input/tablet/aiptek.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device that lacks endpoints (bnc#956708). - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel did not validate attempted changes to the MTU value, which allowed context-dependent attackers to cause a denial of service (packet loss) via a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface, as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different vulnerability than CVE-2015-0272 (bnc#955354). - CVE-2015-7550: The keyctl_read_key function in security/keys/keyctl.c in the Linux kernel did not properly use a semaphore, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted application that leverages a race condition between keyctl_revoke and keyctl_read calls (bnc#958951). - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel did not verify an address length, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application (bnc#959190). - CVE-2015-8575: The sco_sock_bind function in net/bluetooth/sco.c in the Linux kernel did not verify an address length, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application (bnc#959399). - CVE-2015-8543: The networking implementation in the Linux kernel did not validate protocol identifiers for certain protocol families, which allowed local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application (bnc#958886). - CVE-2015-8539: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (BUG) via crafted keyctl commands that negatively instantiate a key, related to security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and security/keys/user_defined.c (bnc#958463). - CVE-2015-7509: fs/ext4/namei.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) via a crafted no-journal filesystem, a related issue to CVE-2013-2015 (bnc#956709). - CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel did not ensure that certain slot numbers are valid, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call (bnc#949936). - CVE-2015-8104: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c (bnc#954404). - CVE-2015-5307: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c (bnc#953527). - CVE-2015-7990: Race condition in the rds_sendmsg function in net/rds/sendmsg.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound (bnc#952384). - CVE-2015-7872: The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel allowed local users to cause a denial of service (OOPS) via crafted keyctl commands (bnc#951440). - CVE-2015-6937: The __rds_conn_create function in net/rds/connection.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound (bnc#945825). - CVE-2015-6252: The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux kernel allowed local users to cause a denial of service (memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers permanent file-descriptor allocation (bnc#942367). - CVE-2015-3339: Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel allowed local users to gain privileges by executing a setuid program at a time instant when a chown to root is in progress, and the ownership is changed but the setuid bit is not yet stripped (bnc#928130). The following non-security bugs were fixed : - Fix handling of re-write-before-commit for mmapped NFS pages (bsc#964201). - Fix lpfc_send_rscn_event allocation size claims bnc#935757 - Fix ntpd clock synchronization in Xen PV domains (bnc#816446). - Fix vmalloc_fault oops during lazy MMU updates (bsc#948562). - Make sure XPRT_CONNECTING gets cleared when needed (bsc#946309). - SCSI: bfa: Fix to handle firmware tskim abort request response (bsc#972510). - USB: usbip: fix potential out-of-bounds write (bnc#975945). - af_unix: Guard against other == sk in unix_dgram_sendmsg (bsc#973570). - dm-snap: avoid deadock on s->lock when a read is split (bsc#939826). - mm/hugetlb: check for pte NULL pointer in __page_check_address() (bsc#977847). - nf_conntrack: fix bsc#758540 kabi fix (bsc#946117). - privcmd: allow preempting long running user-mode originating hypercalls (bnc#861093). - s390/cio: collect format 1 channel-path description data (bsc#966460, bsc#966662). - s390/cio: ensure consistent measurement state (bsc#966460, bsc#966662). - s390/cio: fix measurement characteristics memleak (bsc#966460, bsc#966662). - s390/cio: update measurement characteristics (bsc#966460, bsc#966662). - xfs: Fix lost direct IO write in the last block (bsc#949744). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-10-02
    plugin id 93289
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93289
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2016:2074-1)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS_JUL2016_SRU11_3_8_7_0.NASL
    description This Solaris system is missing necessary patches to address critical security updates : - Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are VirtualBox prior to 4.0.36, prior to 4.1.44, prior to 4.2.36, prior to 4.3.34 and prior to 5.0.10. Difficult to exploit vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized Operating System hang or frequently repeatable crash (complete DOS). (CVE-2015-8104) - Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel). The supported version that is affected is 11.3. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Solaris. (CVE-2016-3497)
    last seen 2017-10-29
    modified 2016-10-25
    plugin id 92454
    published 2016-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92454
    title Oracle Solaris Critical Patch Update : jul2016_SRU11_3_8_7_0
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_2CABFBAB8BFB11E5BD18002590263BF5.NASL
    description The Xen Project reports : A malicious HVM guest administrator can cause a denial of service. Specifically, prevent use of a physical CPU for a significant, perhaps indefinite period. If a host watchdog (Xen or dom0) is in use, this can lead to a watchdog timeout and consequently a reboot of the host. If another, innocent, guest, is configured with a watchdog, this issue can lead to a reboot of such a guest.
    last seen 2017-10-29
    modified 2015-11-17
    plugin id 86877
    published 2015-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86877
    title FreeBSD : xen-kernel -- CPU lockup during exception delivery (2cabfbab-8bfb-11e5-bd18-002590263bf5)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-3503.NASL
    description Description of changes: kernel-uek [2.6.32-400.37.15.el6uek] - ipc/sem.c: fully initialize sem_array before making it visible (Manfred Spraul) [Orabug: 22250043] {CVE-2015-7613} - Initialize msg/shm IPC objects before doing ipc_addid() (Linus Torvalds) [Orabug: 22250043] {CVE-2015-7613} - crypto: add missing crypto module aliases (Mathias Krause) [Orabug: 22249655] {CVE-2013-7421} {CVE-2014-9644} - crypto: include crypto- module prefix in template (Kees Cook) [Orabug: 22249655] {CVE-2013-7421} {CVE-2014-9644} - crypto: prefix module autoloading with 'crypto-' (Kees Cook) [Orabug: 22249655] {CVE-2013-7421} {CVE-2014-9644} [2.6.32-400.37.14.el6uek] - KVM: add arg to ac_interception() missing from 'KVM: x86: work around infinite loop in microcode when #AC is delivered' (Chuck Anderson) [Orabug: 22336493] {CVE-2015-5307} [2.6.32-400.37.13.el6uek] - KVM: svm: unconditionally intercept #DB (Paolo Bonzini) [Orabug: 22336518] {CVE-2015-8104} {CVE-2015-8104} - KVM: x86: work around infinite loop in microcode when #AC is delivered (Eric Northup) [Orabug: 22336493] {CVE-2015-5307} {CVE-2015-5307}
    last seen 2017-10-29
    modified 2016-10-28
    plugin id 87836
    published 2016-01-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87836
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2016-3503)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3426-1.NASL
    description The remote Debian host is running a version of the Linux kernel prior to 3.2.73-2+deb7u1 on Debian 7 or is running a version of the Linux kernel prior to 3.16.7-ckt20-1+deb8u1 on Debian 8. It is, therefore, affected by the following vulnerabilities : - A use-after-free error exists in the unix_dgram_poll() function within file net/unix/af_unix.c. A local attacker can exploit this, via specially crafted epoll_ctl calls, to cause a denial of service condition or bypass AF_UNIX socket permissions. (CVE-2013-7446) - A NULL pointer dereference flaw exists in the slhc_init() function within file drivers/net/slip/slhc.c due to improper validation of slot numbers. A local attacker can exploit this, via specially crafted PPPIOCSMAXCID IOCTL calls, to cause a denial of service condition. (CVE-2015-7799) - A flaw exists in the usbvision driver that allows a local attacker, via a nonzero bInterfaceNumber value in a USB device descriptor, to cause a kernel panic, resulting in a denial of service condition. (CVE-2015-7833) - An infinite loop condition exists in the KVM subsystem on some unspecified CPU chipsets. A local attacker who has sufficient privileges within a virtual guest OS can exploit this issue, by triggering many debug exceptions, to cause a denial of service condition. (CVE-2015-8104) - A flaw exists in the truncate_space_check() function within file /fs/btrfs/inode.c due to improper handling of compressed file extents. A local attacker can exploit this, via a clone action, to disclose sensitive pre-truncation information from a file. (CVE-2015-8374) - A NULL pointer dereference flaw exists in the inet_autobind() function within file net/ipv4/af_inet.c when handling connection attempts via IPv6. A local attacker can exploit this, via a specially crafted SOCK_RAW application that makes use of CLONE_NEWUSER support, to cause a denial of service condition or possibly gain elevated privileges. (CVE-2015-8543)
    last seen 2017-10-29
    modified 2016-12-06
    plugin id 92679
    published 2016-08-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92679
    title Debian DSA-3426-1 : Linux Security Update
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-2552.NASL
    description From Red Hat Security Advisory 2015:2552 : Updated kernel packages that fix two security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) Red Hat would like to thank Ben Serebrin of Google Inc. for reporting the CVE-2015-5307 issue. This update also fixes the following bugs : * On Intel Xeon v5 platforms, the processor frequency was always tied to the highest possible frequency. Switching p-states on these client platforms failed. This update sets the idle frequency, busy frequency, and processor frequency values by determining the range and adjusting the minimal and maximal percent limit values. Now, switching p-states on the aforementioned client platforms proceeds successfully. (BZ#1273926) * Due to a validation error of in-kernel memory-mapped I/O (MMIO) tracing, a VM became previously unresponsive when connected to Red Hat Enterprise Virtualization Hypervisor. The provided patch fixes this bug by dropping the check in MMIO handler, and a VM continues running as expected. (BZ#1275150) * Due to retry-able command errors, the NVMe driver previously leaked I/O descriptors and DMA mappings. As a consequence, the kernel could become unresponsive during the hot-unplug operation if a driver was removed. This update fixes the driver memory leak bug on command retries, and the kernel no longer hangs in this situation. (BZ#1279792) * The hybrid_dma_data() function was not initialized before use, which caused an invalid memory access when hot-plugging a PCI card. As a consequence, a kernel oops occurred. The provided patch makes sure hybrid_dma_data() is initialized before use, and the kernel oops no longer occurs in this situation. (BZ#1279793) * When running PowerPC (PPC) KVM guests and the host was experiencing a lot of page faults, for example because it was running low on memory, the host sometimes triggered an incorrect kind of interrupt in the guest: a data storage exception instead of a data segment exception. This caused a kernel panic of the PPC KVM guest. With this update, the host kernel synthesizes a segment fault if the corresponding Segment Lookaside Buffer (SLB) lookup fails, which prevents the kernel panic from occurring. (BZ#1281423) * The kernel accessed an incorrect area of the khugepaged process causing Logical Partitioning (LPAR) to become unresponsive, and an oops occurred in medlp5. The backported upstream patch prevents an LPAR hang, and the oops no longer occurs. (BZ#1281424) * When the sctp module was loaded and a route to an association endpoint was removed after receiving an Out-of-The-Blue (OOTB) chunk but before incrementing the 'dropped because of missing route' SNMP statistic, a NULL pointer Dereference kernel panic previously occurred. This update fixes the race condition between OOTB response and route removal. (BZ#1281426) * The cpuscaling test of the certification test suite previously failed due to a rounding bug in the intel-pstate driver. This bug has been fixed and the cpuscaling test now passes. (BZ#1281491) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2017-10-29
    modified 2016-04-28
    plugin id 87271
    published 2015-12-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87271
    title Oracle Linux 7 : kernel (ELSA-2015-2552)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2842-1.NASL
    description Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS. (CVE-2015-8104) Guoyong Gang discovered that the ppp implementation in the Linux kernel did not ensure that certain slot numbers are valid. A local attacker with the privilege to call ioctl() on /dev/ppp could cause a denial of service (system crash). (CVE-2015-7799) It was discovered that the virtual video osd test driver in the Linux kernel did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel. (CVE-2015-7884) It was discovered that the driver for Digi Neo and ClassicBoard devices did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel. (CVE-2015-7885). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-01
    plugin id 87468
    published 2015-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87468
    title Ubuntu 15.04 : linux vulnerabilities (USN-2842-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0007.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - x86/VMX: prevent INVVPID failure due to non-canonical guest address While INVLPG (and on SVM INVLPGA) don't fault on non-canonical addresses, INVVPID fails (in the 'individual address' case) when passed such an address. Since such intercepted INVLPG are effectively no-ops anyway, don't fix this in vmx_invlpg_intercept, but instead have paging_invlpg never return true in such a case. This is XSA-168. (CVE-2016-1571) - x86/mm: PV superpage handling lacks sanity checks MMUEXT_[,UN]MARK_SUPER fail to check the input MFN for validity before dereferencing pointers into the superpage frame table. get_superpage has a similar issue. This is XSA-167. (CVE-2016-1570) - x86/HVM: avoid reading ioreq state more than once Otherwise, especially when the compiler chooses to translate the switch to a jump table, unpredictable behavior (and in the jump table case arbitrary code execution) can result. This is XSA-166. - x86: don't leak ST(n)/XMMn values to domains first using them FNINIT doesn't alter these registers, and hence using it is insufficient to initialize a guest's initial state. This is XSA-165. (CVE-2015-8555) - MSI-X: avoid array overrun upon MSI-X table writes pt_msix_init allocates msix->msix_entry[] to just cover msix->total_entries entries. While pci_msix_readl resorts to reading physical memory for out of bounds reads, pci_msix_writel so far simply accessed/corrupted unrelated memory. pt_iomem_map's call to cpu_register_physical_memory registers a page granular region, which is necessary as the Pending Bit Array may share space with the MSI-X table (but nothing else is allowed to). This also explains why pci_msix_readl actually honors out of bounds reads, but pci_msi_writel doesn't need to. This is XSA-164. (CVE-2015-8554) - From 43a10fecd6f4a9d8adf9f5d85e3d5e7187e2d54a Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Wed, 18 Nov 2015 15:34:54 +0000 Subject: [PATCH] libxl: Fix bootloader-related virtual memory leak on pv build failure The bootloader may call libxl__file_reference_map, which mmap's the pv_kernel and pv_ramdisk into process memory. This was only unmapped, however, on the success path of libxl__build_pv. If there were a failure anywhere between libxl_bootloader.c:parse_bootloader_result and the end of libxl__build_pv, the calls to libxl__file_reference_unmap would be skipped, leaking the mapped virtual memory. Ideally this would be fixed by adding the unmap calls to the destruction path for libxl__domain_build_state. Unfortunately the lifetime of the libxl__domain_build_state is opaque, and it doesn't have a proper destruction path. But, the only thing in it that isn't from the gc are these bootloader references, and they are only ever set for one libxl__domain_build_state, the one which is libxl__domain_create_state.build_state. So we can clean up in the exit path from libxl__domain_create_*, which always comes through domcreate_complete. Remove the now-redundant unmaps in libxl__build_pv's success path. This is XSA-160. Based on xen.org's xsa160.patch Conflicts: adjust patch context to match OVM 3.3 code base (CVE-2015-8341) - memory: fix XENMEM_exchange error handling assign_pages can fail due to the domain getting killed in parallel, which should not result in a hypervisor crash. Also delete a redundant put_gfn - all relevant paths leading to the 'fail' label already do this (and there are also paths where it was plain wrong). All of the put_gfn-s got introduced by 51032ca058 ('Modify naming of queries into the p2m'), including the otherwise unneeded initializer for k (with even a kind of misleading comment - the compiler warning could actually have served as a hint that the use is wrong). This is XSA-159. 22326022] (CVE-2015-8339, CVE-2015-8340) - x86/HVM: always intercept #AC and #DB Both being benign exceptions, and both being possible to get triggered by exception delivery, this is required to prevent a guest from locking up a CPU (resulting from no other VM exits occurring once getting into such a loop). The specific scenarios: 1) #AC may be raised during exception delivery if the handler is set to be a ring-3 one by a 32-bit guest, and the stack is misaligned. 2) #DB may be raised during exception delivery when a breakpoint got placed on a data structure involved in delivering the exception. This can result in an endless loop when a 64-bit guest uses a non-zero IST for the vector 1 IDT entry, but even without use of IST the time it takes until a contributory fault would get raised (results depending on the handler) may be quite long. This is XSA-156. (CVE-2015-5307, CVE-2015-8104)
    last seen 2017-10-29
    modified 2017-02-14
    plugin id 88170
    published 2016-01-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88170
    title OracleVM 3.3 : xen (OVMSA-2016-0007)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-2338-1.NASL
    description This update fixes the following security issues : - bsc#955399 - Fix xm migrate --log_progress. Due to logic error progress was not logged when requested. - bsc#956832 - CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing command block list - bsc#956592 - xen: virtual PMU is unsupported (XSA-163) - bsc#956408 - CVE-2015-8339, CVE-2015-8340: xen: XENMEM_exchange error handling issues (XSA-159) - bsc#956409 - CVE-2015-8341: xen: libxl leak of pv kernel and initrd on error (XSA-160) - bsc#956411 - CVE-2015-7504: xen: heap buffer overflow vulnerability in pcnet emulator (XSA-162) - bsc#947165 - CVE-2015-7311: xen: libxl fails to honour readonly flag on disks with qemu-xen (xsa-142) - bsc#955399 - Fix xm migrate --live. The options were not passed due to a merge error. As a result the migration was not live, instead the suspended guest was migrated. - bsc#954405 - CVE-2015-8104: Xen: guest to host DoS by triggering an infinite loop in microcode via #DB exception - bsc#954018 - CVE-2015-5307: xen: x86: CPU lockup during fault delivery (XSA-156) - bsc#950704 - CVE-2015-7970: xen: x86: Long latency populate-on-demand operation is not preemptible (XSA-150) - bsc#951845 - CVE-2015-7972: xen: x86: populate-on-demand balloon size inaccuracy can crash guests (XSA-153) - Drop 5604f239-x86-PV-properly-populate-descriptor-tables.patc h - bsc#950703 - CVE-2015-7969: xen: leak of main per-domain vcpu pointer array (DoS) (XSA-149) - bsc#950705 - CVE-2015-7969: xen: x86: leak of per-domain profiling-related vcpu pointer array (DoS) (XSA-151) - bsc#950706 - CVE-2015-7971: xen: x86: some pmu and profiling hypercalls log without rate limiting (XSA-152) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-02
    plugin id 87650
    published 2015-12-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87650
    title SUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2015:2338-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-2326-1.NASL
    description This update fixes the following security issues : - bsc#956832 - CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing command block list - bsc#956592 - xen: virtual PMU is unsupported (XSA-163) - bsc#956408 - CVE-2015-8339, CVE-2015-8340: xen: XENMEM_exchange error handling issues (XSA-159) - bsc#956409 - CVE-2015-8341: xen: libxl leak of pv kernel and initrd on error (XSA-160) - bsc#956411 - CVE-2015-7504: xen: heap buffer overflow vulnerability in pcnet emulator (XSA-162) - bsc#947165 - CVE-2015-7311: xen: libxl fails to honour readonly flag on disks with qemu-xen (xsa-142) - bsc#954405 - CVE-2015-8104: Xen: guest to host DoS by triggering an infinite loop in microcode via #DB exception - bsc#954018 - CVE-2015-5307: xen: x86: CPU lockup during fault delivery (XSA-156) - bsc#950704 - CVE-2015-7970: xen: x86: Long latency populate-on-demand operation is not preemptible (XSA-150) - bsc#951845 - CVE-2015-7972: xen: x86: populate-on-demand balloon size inaccuracy can crash guests (XSA-153) - bsc#950703 - CVE-2015-7969: xen: leak of main per-domain vcpu pointer array (DoS) (XSA-149) - bsc#950705 - CVE-2015-7969: xen: x86: leak of per-domain profiling-related vcpu pointer array (DoS) (XSA-151) - bsc#950706 - CVE-2015-7971: xen: x86: some pmu and profiling hypercalls log without rate limiting (XSA-152) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-02
    plugin id 87590
    published 2015-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87590
    title SUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2015:2326-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-879.NASL
    description The Linux Kernel was updated to 4.1.13 and fixes the following issues : Security issues fixed : - CVE-2015-8104: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c. - CVE-2015-5307: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c. - CVE-2015-6937: The __rds_conn_create function in net/rds/connection.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound. - CVE-2015-7990: A local denial of service due to an incomplete fix of CVE-2015-6937 could lead to crashes (local denial of service). - CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel did not ensure that certain slot numbers are valid, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call. Bugs fixed : - alsa: hda - apply hp headphone fixups more generically (boo#954876). - alsa: hda - add fixup for acer aspire one cloudbook 14 (boo#954876). - alsa: hda - fix headphone noise after dell xps 13 resume back from S3 (boo#954876). - alsa: hda - fix noise on dell latitude e6440 (boo#954876). - alsa: hda/hdmi - apply skylake fix-ups to broxton display codec (boo#954647). - alsa: hda - add codec id for broxton display audio codec (boo#954647). - alsa: hda/realtek - dell xps one alc3260 speaker no sound after resume back (boo#954647). - alsa: hda - yet another fix for dell headset mic with alc3266 (boo#954647). - alsa: hda - fix dell laptop for internal mic/headset mic (boo#954647). - alsa: hda - remove no physical connection pins from pin_quirk table (boo#954647). - alsa: hda - add pin quirk for the headset mic jack detection on Dell laptop (boo#954647). - alsa: hda - fix the headset mic that will not work on dell desktop machine (boo#954647). - alsa: hda - remove one pin from alc292_standard_pins (boo#954647). - alsa: hda - add dock support for thinkpad w541 (17aa:2211) (boo#954647). - alsa: hda/realtek: enable hp amp and mute led on hp folio 9480m [v3] (boo#954647). - alsa: hda/realtek - support dell headset mode for alc298 (boo#954647). - alsa: hda/realtek - support headset mode for alc298 (boo#954647). - x86/evtchn: make use of physdevop_map_pirq. - blktap: also call blkif_disconnect() when frontend switched to closed (boo#952976). - blktap: refine mm tracking (boo#952976). - update xen patches to linux 4.1.13. - Backport arm64 patches from sle12-sp1-arm. - Backport pci-ea patches - Enable drm_ast driver - Fix thunderx edac store function - Update arm64 config files. Align arm64 vanilla configuration with default. - rtlwifi: rtl8821ae: fix lockups on boot (boo#944978). - ethernet/atheros/alx: add killer e2400 device id (boo#955363). - drm/i915: don't override output type for ddi hdmi (boo#955190). - drm/i915: set best_encoder field of connector_state also when disabling (boo#955190). - drm/i915: add hotplug activation period to hotplug update mask (boo#955365). - drm/i915: avoid race of intel_crt_detect_hotplug() with hpd interrupt, v2 (boo#955365). - drm/i915: shut up gen8+ sde irq dmesg noise (boo#954757). - ipv6: fix tunnel error handling (boo#952579). - Update config files (boo#951533). - iwlwifi: add new pci ids for the 8260 series (boo#954421). - iwlwifi: edit the 3165 series and 8000 series pci ids (boo#954421). - x86/efi-bgrt: switch pr_err() to pr_debug() for invalid bgrt (boo#953559). - x86/tsc: let high latency pit fail fast in quick_pit_calibrate() (boo#953717). - Backport arm64 patches from sle12-sp1-arm branch Backports to fix Seattle xgbe driver. Fix EL2 page table for systems with high amount of memory. Needed for KVM to work. Convert WARN_ON in numa implementation to pr_warn. - input: elantech - add fujitsu lifebook u745 to force crc_enabled (boo#883192).
    last seen 2017-10-29
    modified 2016-10-13
    plugin id 87391
    published 2015-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87391
    title openSUSE Security Update : the Linux Kernel (openSUSE-2015-879)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-2636.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important) * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) * A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important) * It was found that the Linux kernel's keys subsystem did not correctly garbage collect uninstantiated keyrings. A local attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-7872, Important) Red Hat would like to thank Ben Serebrin of Google Inc. for reporting the CVE-2015-5307 issue. This update also fixes the following bugs : * Previously, Human Interface Device (HID) ran a report on an unaligned buffer, which could cause a page fault interrupt and an oops when the end of the report was read. This update fixes this bug by padding the end of the report with extra bytes, so the reading of the report never crosses a page boundary. As a result, a page fault and subsequent oops no longer occur. (BZ#1268203) * The NFS client was previously failing to detect a directory loop for some NFS server directory structures. This failure could cause NFS inodes to remain referenced after attempting to unmount the file system, leading to a kernel crash. Loop checks have been added to VFS, which effectively prevents this problem from occurring. (BZ#1272858) * Due to a race whereby the nfs_wb_pages_cancel() and nfs_commit_release_pages() calls both removed a request from the nfs_inode struct type, the kernel panicked with negative nfs_inode.npages count. The provided upstream patch performs the required serialization by holding the inode i_lock over the check of PagePrivate and locking the request, thus preventing the race and kernel panic from occurring. (BZ#1273721) * Due to incorrect URB_ISO_ASAP semantics, playing an audio file using a USB sound card could previously fail for some hardware configurations. This update fixes the bug, and playing audio from a USB sound card now works as expected. (BZ#1273916) * Inside hugetlb, region data structures were protected by a combination of a memory map semaphore and a single hugetlb instance mutex. However, a page-fault scalability improvement backported to the kernel on previous releases removed the single hugetlb instance mutex and introduced a new mutex table, making the locking combination insufficient, leading to possible race windows that could cause corruption and undefined behavior. This update fixes the problem by introducing a required spinlock to the region tracking functions for proper serialization. The problem only affects software using huge pages through hugetlb interface. (BZ#1274599) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2017-10-29
    modified 2016-10-28
    plugin id 87381
    published 2015-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87381
    title CentOS 6 : kernel (CESA-2015:2636)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-0658-1.NASL
    description Xen was updated to fix the following vulnerabilities : CVE-2014-0222: Qcow1 L2 table size integer overflows (bsc#877642) CVE-2015-4037: Insecure temporary file use in /net/slirp.c (bsc#932267) CVE-2015-5239: Integer overflow in vnc_client_read() and protocol_client_msg() (bsc#944463) CVE-2015-7504: Heap buffer overflow vulnerability in pcnet emulator (XSA-162, bsc#956411) CVE-2015-7971: Some pmu and profiling hypercalls log without rate limiting (XSA-152, bsc#950706) CVE-2015-8104: Guest to host DoS by triggering an infinite loop in microcode via #DB exception (bsc#954405) CVE-2015-5307: Guest to host DOS by intercepting #AC (XSA-156, bsc#953527) CVE-2015-8339: XENMEM_exchange error handling issues (XSA-159, bsc#956408) CVE-2015-8340: XENMEM_exchange error handling issues (XSA-159, bsc#956408) CVE-2015-7512: Buffer overflow in pcnet's non-loopback mode (bsc#962360) CVE-2015-8550: Paravirtualized drivers incautious about shared memory contents (XSA-155, bsc#957988) CVE-2015-8504: Avoid floating point exception in vnc support (bsc#958493) CVE-2015-8555: Information leak in legacy x86 FPU/XMM initialization (XSA-165, bsc#958009) Ioreq handling possibly susceptible to multiple read issue (XSA-166, bsc#958523) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-27
    plugin id 89723
    published 2016-03-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89723
    title SUSE SLES10 Security Update : Xen (SUSE-SU-2016:0658-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-115C302856.NASL
    description The 4.2.6 stable update contains a number of important fixes across the tree. kernel-4.2.6-300.fc23 - Fix incorrect size calculations in megaraid with 64K pages (rhbz 1269300) - CVE-2015-8104 kvm: DoS infinite loop in microcode DB exception (rhbz 1278496 1279691) - CVE-2015-5307 kvm: DoS infinite loop in microcode AC exception (rhbz 1277172 1279688) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-10-18
    plugin id 89149
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89149
    title Fedora 23 : kernel-4.2.6-300.fc23 (2015-115c302856)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-668D213DC3.NASL
    description x86: CPU lockup during exception delivery [XSA-156, CVE-2015-5307, CVE-2015-8104] ---- update to 4.5.2 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-03-04
    plugin id 89260
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89260
    title Fedora 22 : xen-4.5.2-2.fc22 (2015-668d213dc3)
  • NASL family Misc.
    NASL id CITRIX_XENSERVER_CTX202583.NASL
    description The version of Citrix XenServer running on the remote host is affected by multiple denial of service vulnerabilities : - An infinite loop condition exists in the KVM subsystem that is triggered when handling a stream of #AC (Alignment Check) exceptions. A local attacker within a virtualized guest can exploit this to cause a host OS panic or hang, resulting in a denial of service condition. (CVE-2015-5307) - An infinite loop condition exists in the KVM subsystem that is triggered when handling a stream of #DB (Debug) exceptions. A local attacker within a virtualized guest can exploit this to cause a host OS panic or hang, resulting in a denial of service condition. (CVE-2015-8104)
    last seen 2017-10-29
    modified 2017-02-08
    plugin id 87012
    published 2015-11-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87012
    title Citrix XenServer Multiple Infinite Loop Guest-to-Host DoS (CTX202583)
redhat via4
advisories
  • bugzilla
    id 1278496
    title CVE-2015-8104 virt: guest to host DoS by triggering an infinite loop in microcode via #DB exception
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment kernel is earlier than 0:3.10.0-327.3.1.el7
          oval oval:com.redhat.rhsa:tst:20152552009
        • comment kernel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842006
      • AND
        • comment kernel-abi-whitelists is earlier than 0:3.10.0-327.3.1.el7
          oval oval:com.redhat.rhsa:tst:20152552005
        • comment kernel-abi-whitelists is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131645028
      • AND
        • comment kernel-bootwrapper is earlier than 0:3.10.0-327.3.1.el7
          oval oval:com.redhat.rhsa:tst:20152552031
        • comment kernel-bootwrapper is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842010
      • AND
        • comment kernel-debug is earlier than 0:3.10.0-327.3.1.el7
          oval oval:com.redhat.rhsa:tst:20152552011
        • comment kernel-debug is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842012
      • AND
        • comment kernel-debug-devel is earlier than 0:3.10.0-327.3.1.el7
          oval oval:com.redhat.rhsa:tst:20152552025
        • comment kernel-debug-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842014
      • AND
        • comment kernel-devel is earlier than 0:3.10.0-327.3.1.el7
          oval oval:com.redhat.rhsa:tst:20152552015
        • comment kernel-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842016
      • AND
        • comment kernel-doc is earlier than 0:3.10.0-327.3.1.el7
          oval oval:com.redhat.rhsa:tst:20152552007
        • comment kernel-doc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842024
      • AND
        • comment kernel-headers is earlier than 0:3.10.0-327.3.1.el7
          oval oval:com.redhat.rhsa:tst:20152552013
        • comment kernel-headers is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842008
      • AND
        • comment kernel-kdump is earlier than 0:3.10.0-327.3.1.el7
          oval oval:com.redhat.rhsa:tst:20152552021
        • comment kernel-kdump is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842018
      • AND
        • comment kernel-kdump-devel is earlier than 0:3.10.0-327.3.1.el7
          oval oval:com.redhat.rhsa:tst:20152552017
        • comment kernel-kdump-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842020
      • AND
        • comment kernel-tools is earlier than 0:3.10.0-327.3.1.el7
          oval oval:com.redhat.rhsa:tst:20152552027
        • comment kernel-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678010
      • AND
        • comment kernel-tools-libs is earlier than 0:3.10.0-327.3.1.el7
          oval oval:com.redhat.rhsa:tst:20152552033
        • comment kernel-tools-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678012
      • AND
        • comment kernel-tools-libs-devel is earlier than 0:3.10.0-327.3.1.el7
          oval oval:com.redhat.rhsa:tst:20152552029
        • comment kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678020
      • AND
        • comment perf is earlier than 0:3.10.0-327.3.1.el7
          oval oval:com.redhat.rhsa:tst:20152552019
        • comment perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842022
      • AND
        • comment python-perf is earlier than 0:3.10.0-327.3.1.el7
          oval oval:com.redhat.rhsa:tst:20152552023
        • comment python-perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111849018
    rhsa
    id RHSA-2015:2552
    released 2015-12-08
    severity Important
    title RHSA-2015:2552: kernel security and bug fix update (Important)
  • bugzilla
    id 1278496
    title CVE-2015-8104 virt: guest to host DoS by triggering an infinite loop in microcode via #DB exception
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment kernel is earlier than 0:2.6.32-573.12.1.el6
          oval oval:com.redhat.rhsa:tst:20152636023
        • comment kernel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842006
      • AND
        • comment kernel-abi-whitelists is earlier than 0:2.6.32-573.12.1.el6
          oval oval:com.redhat.rhsa:tst:20152636005
        • comment kernel-abi-whitelists is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131645028
      • AND
        • comment kernel-bootwrapper is earlier than 0:2.6.32-573.12.1.el6
          oval oval:com.redhat.rhsa:tst:20152636029
        • comment kernel-bootwrapper is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842010
      • AND
        • comment kernel-debug is earlier than 0:2.6.32-573.12.1.el6
          oval oval:com.redhat.rhsa:tst:20152636027
        • comment kernel-debug is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842012
      • AND
        • comment kernel-debug-devel is earlier than 0:2.6.32-573.12.1.el6
          oval oval:com.redhat.rhsa:tst:20152636015
        • comment kernel-debug-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842014
      • AND
        • comment kernel-devel is earlier than 0:2.6.32-573.12.1.el6
          oval oval:com.redhat.rhsa:tst:20152636025
        • comment kernel-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842016
      • AND
        • comment kernel-doc is earlier than 0:2.6.32-573.12.1.el6
          oval oval:com.redhat.rhsa:tst:20152636007
        • comment kernel-doc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842024
      • AND
        • comment kernel-firmware is earlier than 0:2.6.32-573.12.1.el6
          oval oval:com.redhat.rhsa:tst:20152636009
        • comment kernel-firmware is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842026
      • AND
        • comment kernel-headers is earlier than 0:2.6.32-573.12.1.el6
          oval oval:com.redhat.rhsa:tst:20152636017
        • comment kernel-headers is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842008
      • AND
        • comment kernel-kdump is earlier than 0:2.6.32-573.12.1.el6
          oval oval:com.redhat.rhsa:tst:20152636019
        • comment kernel-kdump is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842018
      • AND
        • comment kernel-kdump-devel is earlier than 0:2.6.32-573.12.1.el6
          oval oval:com.redhat.rhsa:tst:20152636021
        • comment kernel-kdump-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842020
      • AND
        • comment perf is earlier than 0:2.6.32-573.12.1.el6
          oval oval:com.redhat.rhsa:tst:20152636013
        • comment perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842022
      • AND
        • comment python-perf is earlier than 0:2.6.32-573.12.1.el6
          oval oval:com.redhat.rhsa:tst:20152636011
        • comment python-perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111849018
    rhsa
    id RHSA-2015:2636
    released 2015-12-15
    severity Important
    title RHSA-2015:2636: kernel security and bug fix update (Important)
  • rhsa
    id RHSA-2015:2645
  • rhsa
    id RHSA-2016:0046
rpms
  • kernel-0:3.10.0-327.3.1.el7
  • kernel-abi-whitelists-0:3.10.0-327.3.1.el7
  • kernel-bootwrapper-0:3.10.0-327.3.1.el7
  • kernel-debug-0:3.10.0-327.3.1.el7
  • kernel-debug-devel-0:3.10.0-327.3.1.el7
  • kernel-devel-0:3.10.0-327.3.1.el7
  • kernel-doc-0:3.10.0-327.3.1.el7
  • kernel-headers-0:3.10.0-327.3.1.el7
  • kernel-kdump-0:3.10.0-327.3.1.el7
  • kernel-kdump-devel-0:3.10.0-327.3.1.el7
  • kernel-tools-0:3.10.0-327.3.1.el7
  • kernel-tools-libs-0:3.10.0-327.3.1.el7
  • kernel-tools-libs-devel-0:3.10.0-327.3.1.el7
  • perf-0:3.10.0-327.3.1.el7
  • python-perf-0:3.10.0-327.3.1.el7
  • kernel-0:2.6.32-573.12.1.el6
  • kernel-abi-whitelists-0:2.6.32-573.12.1.el6
  • kernel-bootwrapper-0:2.6.32-573.12.1.el6
  • kernel-debug-0:2.6.32-573.12.1.el6
  • kernel-debug-devel-0:2.6.32-573.12.1.el6
  • kernel-devel-0:2.6.32-573.12.1.el6
  • kernel-doc-0:2.6.32-573.12.1.el6
  • kernel-firmware-0:2.6.32-573.12.1.el6
  • kernel-headers-0:2.6.32-573.12.1.el6
  • kernel-kdump-0:2.6.32-573.12.1.el6
  • kernel-kdump-devel-0:2.6.32-573.12.1.el6
  • perf-0:2.6.32-573.12.1.el6
  • python-perf-0:2.6.32-573.12.1.el6
refmap via4
bid
  • 77524
  • 91787
confirm
debian
  • DSA-3414
  • DSA-3426
  • DSA-3454
fedora
  • FEDORA-2015-394835a3f6
  • FEDORA-2015-668d213dc3
  • FEDORA-2015-f150b2a8c8
mlist [oss-security] 20151110 CVE-2015-8104 kernel: kvm: guest to host DoS by triggering an infinite loop in microcode via #DB exception
sectrack 1034105
suse
  • SUSE-SU-2015:2108
  • SUSE-SU-2015:2194
  • SUSE-SU-2015:2339
  • SUSE-SU-2015:2350
  • SUSE-SU-2016:0354
  • SUSE-SU-2016:2074
  • openSUSE-SU-2015:2232
  • openSUSE-SU-2015:2250
  • openSUSE-SU-2016:1008
ubuntu
  • USN-2840-1
  • USN-2841-1
  • USN-2841-2
  • USN-2842-1
  • USN-2842-2
  • USN-2843-1
  • USN-2843-2
  • USN-2844-1
Last major update 07-12-2016 - 13:26
Published 16-11-2015 - 06:59
Last modified 23-05-2017 - 21:29
Back to Top