ID CVE-2016-8650
Summary The mpi_powm function in lib/mpi/mpi-pow.c in the Linux kernel through 4.8.11 does not ensure that memory is allocated for limb data, which allows local users to cause a denial of service (stack memory corruption and panic) via an add_key system call for an RSA key with a zero exponent.
References
Vulnerable Configurations
  • Linux Kernel 4.8.11
    cpe:2.3:o:linux:linux_kernel:4.8.11
CVSS
Base: 4.9 (as of 28-11-2016 - 13:47)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  Vector: LOCAL
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: COMPLETE
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-1842-1.NASL
    description The remote Oracle Linux host is missing a security update for the kernel package(s).
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 102511
    published 2017-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102511
    title Oracle Linux 7 : kernel (ELSA-2017-1842-1) (Stack Clash)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-0933-1.NASL
    description Description of changes: - [3.10.0-514.16.1.0.1.el7.OL7] - [ipc] ipc/sem.c: bugfix for semctl(,,GETZCNT) (Manfred Spraul) [orabug 22552377] - Oracle Linux certificates (Alexey Petrenko) - Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(alexey.petrenko at oracle.com) - Update x509.genkey [bug 24817676] [3.10.0-514.16.1.el7] - [tty] n_hdlc: get rid of racy n_hdlc.tbuf ('Herton R. Krzesinski') [1429919 1429920] {CVE-2017-2636} - [md] dm rq: cope with DM device destruction while in dm_old_request_fn() (Mike Snitzer) [1430334 1412854] - [fs] nfs: Fix inode corruption in nfs_prime_dcache() (Benjamin Coddington) [1429514 1416532] - [fs] nfs: Don't let readdirplus revalidate an inode that was marked as stale (Benjamin Coddington) [1429514 1416532] - [block] Copy a user iovec if it includes gaps (Jeff Moyer) [1429508 1421263] - [kernel] percpu-refcount: fix reference leak during percpu-atomic transition (Jeff Moyer) [1429507 1418333] - [powerpc] eeh: eeh_pci_enable(): fix checking of post-request state (Steve Best) [1425538 1383670] - [s390] mm: handle PTE-mapped tail pages in fast gup (Hendrik Brueckner) [1423438 1391532] - [net] skbuff: Fix skb checksum partial check (Lance Richardson) [1422964 1411480] - [net] skbuff: Fix skb checksum flag on skb pull (Lance Richardson) [1422964 1411480] - [security] selinux: fix off-by-one in setprocattr (Paul Moore) [1422368 1422369] {CVE-2017-2618} - [virtio] balloon: check the number of available pages in leak balloon (David Hildenbrand) [1417194 1401615] - [infiniband] ib/rdmavt: Only put mmap_info ref if it exists (Jonathan Toppins) [1417191 1391299] - [x86] kvm: x86: make lapic hrtimer pinned (Luiz Capitulino) [1416373 1392593] - [kernel] sched/nohz: Fix affine unpinned timers mess (Luiz Capitulino) [1416373 1392593] - [kernel] nohz: Affine unpinned timers to housekeepers (Luiz Capitulino) [1416373 1392593] - [kernel] tick-sched: add housekeeping_mask cpumask (Luiz Capitulino) [1416373 1392593] - [x86] platform/uv/bau: Add UV4-specific functions (Frank Ramsay) [1414715 1386692] - [x86] platform/uv/bau: Fix payload queue setup on UV4 hardware (Frank Ramsay) [1414715 1386692] - [x86] platform/uv/bau: Disable software timeout on UV4 hardware (Frank Ramsay) [1414715 1386692] - [x86] platform/uv/bau: Populate ->uvhub_version with UV4 version information (Frank Ramsay) [1414715 1386692] - [x86] platform/uv/bau: Use generic function pointers (Frank Ramsay) [1414715 1386692] - [x86] platform/uv/bau: Add generic function pointers (Frank Ramsay) [1414715 1386692] - [x86] platform/uv/bau: Convert uv_physnodeaddr() use to uv_gpa_to_offset() (Frank Ramsay) [1414715 1386692] - [x86] platform/uv/bau: Clean up pq_init() (Frank Ramsay) [1414715 1386692] - [x86] platform/uv/bau: Clean up and update printks (Frank Ramsay) [1414715 1386692] - [x86] platform/uv/bau: Clean up vertical alignment (Frank Ramsay) [1414715 1386692] - [virtio] virtio-pci: alloc only resources actually used (Laurent Vivier) [1413093 1375153] - [net] avoid signed overflows for SO_{SND|RCV}BUFFORCE (Sabrina Dubroca) [1412473 1412474] {CVE-2016-9793} - [netdrv] sfc: clear napi_hash state when copying channels (Jarod Wilson) [1401461 1394304] - [lib] mpi: Fix NULL ptr dereference in mpi_powm() (Mateusz Guzik) [1398457 1398458] {CVE-2016-8650} - [scsi] lpfc: Fix eh_deadline setting for sli3 adapters (Ewan Milne) [1430687 1366564] - [md] dm round robin: revert 'use percpu 'repeat_count' and 'current_path'' (Mike Snitzer) [1430689 1422567] - [md] dm round robin: do not use this_cpu_ptr() without having preemption disabled (Mike Snitzer) [1430689 1422567] - Revert: [x86] Handle non enumerated CPU after physical hotplug (Prarit Bhargava) [1426633 1373738] - Revert: [x86] smp: Don't try to poke disabled/non-existent APIC (Prarit Bhargava) [1426633 1373738] - Revert: [x86] smpboot: Init apic mapping before usage (Prarit Bhargava) [1426633 1373738] - Revert: [x86] revert 'perf/uncore: Disable uncore on kdump kernel' (Prarit Bhargava) [1426633 1373738] - Revert: [x86] perf/x86/intel/uncore: Fix hardcoded socket 0 assumption in the Haswell init code (Prarit Bhargava) [1426633 1373738]
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 99386
    published 2017-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99386
    title Oracle Linux 7 : kernel (ELSA-2017-0933-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-0933.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. To see the complete list of bug fixes, users are directed to the related Knowledge Article: https://access.redhat.com/articles/2986951. Security Fix(es) : * A race condition flaw was found in the N_HDLC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) * A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650, Moderate) * A flaw was found in the Linux kernel's implementation of setsockopt for the SO_{SND|RCV}BUFFORCE setsockopt() system call. Users with non-namespace CAP_NET_ADMIN are able to trigger this call and create a situation in which the sockets sendbuff data size could be negative. This could adversely affect memory allocations and create situations where the system could crash or cause memory corruption. (CVE-2016-9793, Moderate) * A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files. An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory. (CVE-2017-2618, Moderate) Red Hat would like to thank Alexander Popov for reporting CVE-2017-2636 and Ralf Spenneberg for reporting CVE-2016-8650. The CVE-2017-2618 issue was discovered by Paul Moore (Red Hat Engineering).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 99383
    published 2017-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99383
    title CentOS 7 : kernel (CESA-2017:0933)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1072.NASL
    description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650) - A flaw was found in the Linux kernel's implementation of setsockopt for the SO_{SND|RCV}BUFFORCE setsockopt() system call. Users with non-namespace CAP_NET_ADMIN are able to trigger this call and create a situation in which the sockets sendbuff data size could be negative. This could adversely affect memory allocations and create situations where the system could crash or cause memory corruption. (CVE-2016-9793) - A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files. An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory. (CVE-2017-2618) - The keyring_search_aux function in security/keys/keyring.c in the Linux kernel through 3.14.79 allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the 'dead' type. (CVE-2017-6951) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 99938
    published 2017-05-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99938
    title EulerOS 2.0 SP2 : kernel (EulerOS-SA-2017-1072)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-3651.NASL
    description Description of changes: kernel-uek [3.8.13-118.15.1.el7uek] - Revert 'i40e: Set defport behavior for the Main VSI when in promiscuous mode' (Jack Vogel) [Orabug: 22683573] - mlx4: avoid multiple free on id_map_ent (Wengang Wang) - xen-netfront: cast grant table reference first to type int (Dongli Zhang) - xen-netfront: do not cast grant table reference to signed short (Dongli Zhang) - RDS: Drop the connection as part of cancel to avoid hangs (Avinash Repaka) [Orabug: 25045360] - sctp: validate chunk len before actually using it (Marcelo Ricardo Leitner) [Orabug: 25142879] {CVE-2016-9555} - mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] (Andrey Ryabinin) [Orabug: 25154098] {CVE-2016-8650} {CVE-2016-8650}
    last seen 2019-02-21
    modified 2016-12-13
    plugin id 95758
    published 2016-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95758
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3651)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZLSA-2017-0933.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. To see the complete list of bug fixes, users are directed to the related Knowledge Article: https://access.redhat.com/articles/2986951. Security Fix(es) : * A race condition flaw was found in the N_HDLC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) * A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650, Moderate) * A flaw was found in the Linux kernel's implementation of setsockopt for the SO_{SND|RCV}BUFFORCE setsockopt() system call. Users with non-namespace CAP_NET_ADMIN are able to trigger this call and create a situation in which the sockets sendbuff data size could be negative. This could adversely affect memory allocations and create situations where the system could crash or cause memory corruption. (CVE-2016-9793, Moderate) * A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files. An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory. (CVE-2017-2618, Moderate) Red Hat would like to thank Alexander Popov for reporting CVE-2017-2636 and Ralf Spenneberg for reporting CVE-2016-8650. The CVE-2017-2618 issue was discovered by Paul Moore (Red Hat Engineering). Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-20
    plugin id 101449
    published 2017-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101449
    title Virtuozzo 7 : kernel / kernel-abi-whitelists / kernel-debug / etc (VZLSA-2017-0933)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3422-1.NASL
    description It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-1000251) It was discovered that the asynchronous I/O (aio) subsystem of the Linux kernel did not properly set permissions on aio memory mappings in some situations. An attacker could use this to more easily exploit other vulnerabilities. (CVE-2016-10044) Baozeng Ding and Andrey Konovalov discovered a race condition in the L2TPv3 IP Encapsulation implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-10200) Andreas Gruenbacher and Jan Kara discovered that the filesystem implementation in the Linux kernel did not clear the setgid bit during a setxattr call. A local attacker could use this to possibly elevate group privileges. (CVE-2016-7097) Sergej Schumilo, Ralf Spenneberg, and Hendrik Schwartke discovered that the key management subsystem in the Linux kernel did not properly allocate memory in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-8650) Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084) It was discovered that an information leak existed in __get_user_asm_ex() in the Linux kernel. A local attacker could use this to expose sensitive information. (CVE-2016-9178) CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191) It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604) It was discovered that an integer overflow existed in the trace subsystem of the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2016-9754) Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations. An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970) Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214) It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346) It was discovered that the keyring implementation in the Linux kernel did not properly restrict searches for dead keys. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-6951) Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7187) Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472) It was discovered that a buffer overflow existed in the Broadcom FullMAC WLAN driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7541). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 103326
    published 2017-09-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103326
    title Ubuntu 14.04 LTS : linux vulnerabilities (USN-3422-1) (BlueBorne)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-0933.NASL
    description From Red Hat Security Advisory 2017:0933 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. To see the complete list of bug fixes, users are directed to the related Knowledge Article: https://access.redhat.com/articles/2986951. Security Fix(es) : * A race condition flaw was found in the N_HDLC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) * A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650, Moderate) * A flaw was found in the Linux kernel's implementation of setsockopt for the SO_{SND|RCV}BUFFORCE setsockopt() system call. Users with non-namespace CAP_NET_ADMIN are able to trigger this call and create a situation in which the sockets sendbuff data size could be negative. This could adversely affect memory allocations and create situations where the system could crash or cause memory corruption. (CVE-2016-9793, Moderate) * A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files. An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory. (CVE-2017-2618, Moderate) Red Hat would like to thank Alexander Popov for reporting CVE-2017-2636 and Ralf Spenneberg for reporting CVE-2016-8650. The CVE-2017-2618 issue was discovered by Paul Moore (Red Hat Engineering).
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 99333
    published 2017-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99333
    title Oracle Linux 7 : kernel (ELSA-2017-0933)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1071.NASL
    description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650) - A flaw was found in the Linux kernel's implementation of setsockopt for the SO_{SND|RCV}BUFFORCE setsockopt() system call. Users with non-namespace CAP_NET_ADMIN are able to trigger this call and create a situation in which the sockets sendbuff data size could be negative. This could adversely affect memory allocations and create situations where the system could crash or cause memory corruption. (CVE-2016-9793) - A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files. An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory. (CVE-2017-2618) - The keyring_search_aux function in security/keys/keyring.c in the Linux kernel through 3.14.79 allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the 'dead' type. (CVE-2017-6951) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 99937
    published 2017-05-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99937
    title EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1071)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-1854.NASL
    description From Red Hat Security Advisory 2018:1854 : An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639, PowerPC) * kernel: net/packet: overflow in check for priv area size (CVE-2017-7308) * kernel: AIO interface didn't use rw_verify_area() for checking mandatory locking on files and size of access (CVE-2012-6701) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: NULL pointer dereference via keyctl (CVE-2016-8650) * kernel: ping socket / AF_LLC connect() sin_family race (CVE-2017-2671) * kernel: Race condition between multiple sys_perf_event_open() calls (CVE-2017-6001) * kernel: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c (CVE-2017-7616) * kernel: mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism (CVE-2017-7889) * kernel: Double free in the inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c (CVE-2017-8890) * kernel: net: sctp_v6_create_accept_sk function mishandles inheritance (CVE-2017-9075) * kernel: net: IPv6 DCCP implementation mishandles inheritance (CVE-2017-9076) * kernel: net: tcp_v6_syn_recv_sock function mishandles inheritance (CVE-2017-9077) * kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190) * kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121) * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203) * kernel: a NULL pointer dereference in net/dccp/output.c:dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service (CVE-2018-5803) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting CVE-2018-3639; Vitaly Mayatskih for reporting CVE-2017-12190; and Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 110701
    published 2018-06-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110701
    title Oracle Linux 6 : kernel (ELSA-2018-1854) (Spectre)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-6AFDD2B61D.NASL
    description The 4.8.11 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-06
    plugin id 95544
    published 2016-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95544
    title Fedora 25 : kernel (2016-6afdd2b61d)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0174.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - ocfs2: fix trans extend while free cached blocks (Junxiao Bi) - ocfs2: fix trans extend while flush truncate log (Junxiao Bi) - ocfs2: extend enough credits for freeing one truncate record while replaying truncate records (Xue jiufei) [Orabug: 25136991] - mpi: Fix NULL ptr dereference in mpi_powm [ver #3] (Andrey Ryabinin) [Orabug: 25154096] (CVE-2016-8650) (CVE-2016-8650) - mlx4: avoid multiple free on id_map_ent (Wengang Wang) [Orabug: 25159035] - NVMe: reduce queue depth as workaround for Samsung EPIC SQ errata (Ashok Vairavan) [Orabug: 25144380] - sctp: validate chunk len before actually using it (Marcelo Ricardo Leitner) [Orabug: 25142868] (CVE-2016-9555) - rebuild bumping release
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 95621
    published 2016-12-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95621
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2016-0174)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-3648.NASL
    description Description of changes: kernel-uek [4.1.12-61.1.22.el7uek] - ocfs2: fix trans extend while free cached blocks (Junxiao Bi) [Orabug: 25136991] - ocfs2: fix trans extend while flush truncate log (Junxiao Bi) [Orabug: 25136991] - ocfs2: extend enough credits for freeing one truncate record while replaying truncate records (Xue jiufei) [Orabug: 25136991] - mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] (Andrey Ryabinin) [Orabug: 25154096] {CVE-2016-8650} {CVE-2016-8650} - mlx4: avoid multiple free on id_map_ent (Wengang Wang) [Orabug: 25159035] [4.1.12-61.1.21.el7uek] - NVMe: reduce queue depth as workaround for Samsung EPIC SQ errata (Ashok Vairavan) [Orabug: 25144380] - sctp: validate chunk len before actually using it (Marcelo Ricardo Leitner) [Orabug: 25142868] {CVE-2016-9555} [4.1.12-61.1.20.el7uek] - rebuild bumping release
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 95617
    published 2016-12-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95617
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3648)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170412_KERNEL_ON_SL7_X.NASL
    description Security Fix(es) : - A race condition flaw was found in the N_HDLC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) - A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650, Moderate) - A flaw was found in the Linux kernel's implementation of setsockopt for the SO_{SND|RCV}BUFFORCE setsockopt() system call. Users with non-namespace CAP_NET_ADMIN are able to trigger this call and create a situation in which the sockets sendbuff data size could be negative. This could adversely affect memory allocations and create situations where the system could crash or cause memory corruption. (CVE-2016-9793, Moderate) - A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files. An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory. (CVE-2017-2618, Moderate)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 99351
    published 2017-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99351
    title Scientific Linux Security Update : kernel on SL7.x x86_64
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-1854.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. 
(CVE-2018-3639, PowerPC) * kernel: net/packet: overflow in check for priv area size (CVE-2017-7308) * kernel: AIO interface didn't use rw_verify_area() for checking mandatory locking on files and size of access (CVE-2012-6701) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: NULL pointer dereference via keyctl (CVE-2016-8650) * kernel: ping socket / AF_LLC connect() sin_family race (CVE-2017-2671) * kernel: Race condition between multiple sys_perf_event_open() calls (CVE-2017-6001) * kernel: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c (CVE-2017-7616) * kernel: mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism (CVE-2017-7889) * kernel: Double free in the inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c (CVE-2017-8890) * kernel: net: sctp_v6_create_accept_sk function mishandles inheritance (CVE-2017-9075) * kernel: net: IPv6 DCCP implementation mishandles inheritance (CVE-2017-9076) * kernel: net: tcp_v6_syn_recv_sock function mishandles inheritance (CVE-2017-9077) * kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190) * kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121) * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203) * kernel: a NULL pointer dereference in net/dccp/output.c:dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service (CVE-2018-5803) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting CVE-2018-3639; Vitaly Mayatskih for reporting CVE-2017-12190; and Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-06-25
    plugin id 110645
    published 2018-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110645
    title CentOS 6 : kernel (CESA-2018:1854) (Spectre)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-B18410C59C.NASL
    description The 4.8.11 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 95583
    published 2016-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95583
    title Fedora 24 : kernel (2016-b18410c59c)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-782.NASL
    description A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650) The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device. (CVE-2016-9576) The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option. (CVE-2016-9793) A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out of bounds read by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399) Algorithms not compatible with mcryptd could be spawned by mcryptd with a direct crypto_alloc_tfm invocation using a 'mcryptd(alg)' name construct. This causes mcryptd to crash the kernel if an arbitrary 'alg' is incompatible and not intended to be used with mcryptd. (CVE-2016-10147) (Updated on 2017-01-19: CVE-2016-8399 was fixed in this release but was previously not part of this errata.) (Updated on 2017-02-22: CVE-2016-10147 was fixed in this release but was previously not part of this errata.)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 96284
    published 2017-01-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96284
    title Amazon Linux AMI : kernel (ALAS-2017-782)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2018-041.NASL
    description According to the versions of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - The do_get_mempolicy() function in 'mm/mempolicy.c' in the Linux kernel allows local users to hit a use-after-free bug via crafted system calls and thus cause a denial of service (DoS) or possibly have unspecified other impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. - It was found that AIO interface didn't use the proper rw_verify_area() helper function with extended functionality, for example, mandatory locking on the file. Also rw_verify_area() makes extended checks, for example, that the size of the access doesn't cause overflow of the provided offset limits. This integer overflow in fs/aio.c in the Linux kernel before 3.4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. - Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression. - A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. - A race condition leading to a NULL pointer dereference was found in the Linux kernel's Link Layer Control implementation. A local attacker with access to ping sockets could use this flaw to crash the system. - It was found that the original fix for CVE-2016-6786 was incomplete. There exists a race between two concurrent sys_perf_event_open() calls when both try and move the same pre-existing software group into a hardware context.
- Incorrect error handling in the set_mempolicy() and mbind() compat syscalls in 'mm/mempolicy.c' in the Linux kernel allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation. - The mm subsystem in the Linux kernel through 4.10.10 does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c. - It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in 'block/bio.c' do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and possible system lockup due to out-of-memory condition. - The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local users leveraging a race condition with __dm_destroy() during creation and removal of DM devices. Only privileged local users (with CAP_SYS_ADMIN capability) can directly perform the ioctl operations for dm device creation and removal and this would typically be outside the direct control of the unprivileged attacker. - An error in the '_sctp_make_chunk()' function (net/sctp/sm_make_chunk.c) when handling SCTP, packet length can be exploited by a malicious local user to cause a kernel crash and a DoS. - Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel allows local users to cause a denial of service (kernel memory exhaustion) via multiple read accesses to files in the /sys/class/sas_phy directory. 
Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 110694
    published 2018-06-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110694
    title Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2018-041)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-0933.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. To see the complete list of bug fixes, users are directed to the related Knowledge Article: https://access.redhat.com/articles/2986951. Security Fix(es) : * A race condition flaw was found in the N_HDLC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) * A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650, Moderate) * A flaw was found in the Linux kernel's implementation of setsockopt for the SO_{SND|RCV}BUFFORCE setsockopt() system call. Users with non-namespace CAP_NET_ADMIN are able to trigger this call and create a situation in which the sockets sendbuff data size could be negative. This could adversely affect memory allocations and create situations where the system could crash or cause memory corruption. (CVE-2016-9793, Moderate) * A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files.
An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory. (CVE-2017-2618, Moderate) Red Hat would like to thank Alexander Popov for reporting CVE-2017-2636 and Ralf Spenneberg for reporting CVE-2016-8650. The CVE-2017-2618 issue was discovered by Paul Moore (Red Hat Engineering).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 99346
    published 2017-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99346
    title RHEL 7 : kernel (RHSA-2017:0933)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0057.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 99163
    published 2017-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99163
    title OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0175.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Revert 'i40e: Set defport behavior for the Main VSI when in promiscuous mode' (Jack Vogel) [Orabug: 22683573] - mlx4: avoid multiple free on id_map_ent (Wengang Wang) - xen-netfront: cast grant table reference first to type int (Dongli Zhang) - xen-netfront: do not cast grant table reference to signed short (Dongli Zhang) - RDS: Drop the connection as part of cancel to avoid hangs (Avinash Repaka) [Orabug: 25045360] - sctp: validate chunk len before actually using it (Marcelo Ricardo Leitner) [Orabug: 25142879] (CVE-2016-9555) - mpi: Fix NULL ptr dereference in mpi_powm [ver #3] (Andrey Ryabinin) [Orabug: 25154098] (CVE-2016-8650) (CVE-2016-8650)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 95760
    published 2016-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95760
    title OracleVM 3.3 : Unbreakable / etc (OVMSA-2016-0175)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1854.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. 
(CVE-2018-3639, PowerPC) * kernel: net/packet: overflow in check for priv area size (CVE-2017-7308) * kernel: AIO interface didn't use rw_verify_area() for checking mandatory locking on files and size of access (CVE-2012-6701) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: NULL pointer dereference via keyctl (CVE-2016-8650) * kernel: ping socket / AF_LLC connect() sin_family race (CVE-2017-2671) * kernel: Race condition between multiple sys_perf_event_open() calls (CVE-2017-6001) * kernel: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c (CVE-2017-7616) * kernel: mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism (CVE-2017-7889) * kernel: Double free in the inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c (CVE-2017-8890) * kernel: net: sctp_v6_create_accept_sk function mishandles inheritance (CVE-2017-9075) * kernel: net: IPv6 DCCP implementation mishandles inheritance (CVE-2017-9076) * kernel: net: tcp_v6_syn_recv_sock function mishandles inheritance (CVE-2017-9077) * kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190) * kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121) * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203) * kernel: a NULL pointer dereference in net/dccp/output.c:dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service (CVE-2018-5803) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting CVE-2018-3639; Vitaly Mayatskih for reporting CVE-2017-12190; and Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 110600
    published 2018-06-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110600
    title RHEL 6 : kernel (RHSA-2018:1854) (Spectre)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-0932.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * A race condition flaw was found in the N_HDLC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) * A use-after-free flaw was found in the way the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system. (CVE-2017-6074, Important) * A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650, Moderate) * A flaw was found in the Linux kernel's implementation of setsockopt for the SO_{SND|RCV}BUFFORCE setsockopt() system call. Users with non-namespace CAP_NET_ADMIN are able to trigger this call and create a situation in which the sockets sendbuff data size could be negative. This could adversely affect memory allocations and create situations where the system could crash or cause memory corruption.
(CVE-2016-9793, Moderate) * A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files. An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory. (CVE-2017-2618, Moderate) Red Hat would like to thank Alexander Popov for reporting CVE-2017-2636; Andrey Konovalov (Google) for reporting CVE-2017-6074; and Ralf Spenneberg for reporting CVE-2016-8650. The CVE-2017-2618 issue was discovered by Paul Moore (Red Hat Engineering). Bug Fix(es) : * The kernel-rt packages have been upgraded to version 3.10.0-514.rt56.219, which provides a number of bug fix updates over the previous version. (BZ#1429613)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 99345
    published 2017-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99345
    title RHEL 6 : MRG (RHSA-2017:0932)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180619_KERNEL_ON_SL6_X.NASL
    description Security Fix(es) : - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639, PowerPC) - kernel: net/packet: overflow in check for priv area size (CVE-2017-7308) - kernel: AIO interface didn't use rw_verify_area() for checking mandatory locking on files and size of access (CVE-2012-6701) - kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) - kernel: NULL pointer dereference via keyctl (CVE-2016-8650) - kernel: ping socket / AF_LLC connect() sin_family race (CVE-2017-2671) - kernel: Race condition between multiple sys_perf_event_open() calls (CVE-2017-6001) - kernel: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c (CVE-2017-7616) - kernel: mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism (CVE-2017-7889) - kernel: Double free in the inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c (CVE-2017-8890) - kernel: net: sctp_v6_create_accept_sk function mishandles inheritance (CVE-2017-9075) - kernel: net: IPv6 DCCP implementation mishandles inheritance (CVE-2017-9076) - kernel: net: tcp_v6_syn_recv_sock function mishandles inheritance (CVE-2017-9077) - kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190) - kernel: vfs: BUG in truncate_inode_pages_range() and fuse client 
(CVE-2017-15121) - kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203) - kernel: a NULL pointer dereference in net/dccp/output.c:dccp_write_xmit() leads to a system crash (CVE-2018-1130) - kernel: Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service (CVE-2018-5803)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 110887
    published 2018-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110887
    title Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (Spectre)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-A820774FC2.NASL
    description The 4.8.11 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 95582
    published 2016-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95582
    title Fedora 23 : kernel (2016-a820774fc2)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-0931.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * A race condition flaw was found in the N_HDLC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) * A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650, Moderate) * A flaw was found in the Linux kernel's implementation of setsockopt for the SO_{SND|RCV}BUFFORCE setsockopt() system call. Users with non-namespace CAP_NET_ADMIN are able to trigger this call and create a situation in which the sockets sendbuff data size could be negative. This could adversely affect memory allocations and create situations where the system could crash or cause memory corruption. (CVE-2016-9793, Moderate) * A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files. An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory. (CVE-2017-2618, Moderate) Red Hat would like to thank Alexander Popov for reporting CVE-2017-2636 and Ralf Spenneberg for reporting CVE-2016-8650.
The CVE-2017-2618 issue was discovered by Paul Moore (Red Hat Engineering). Bug Fix(es) : * Previously, a cgroups data structure was sometimes corrupted due to a race condition in the kernel-rt cgroups code. Consequently, several system tasks were blocked, and the operating system became unresponsive. This update adds a lock that prevents the race condition. As a result, the cgroups data structure no longer gets corrupted and the operating system no longer hangs under the described circumstances. (BZ#1420784) * The kernel-rt packages have been upgraded to the 3.10.0-514.16.1 source tree, which provides a number of bug fixes over the previous version. (BZ#1430749)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 99344
    published 2017-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99344
    title RHEL 7 : kernel-rt (RHSA-2017:0931)
redhat via4
advisories
  • rhsa
    id RHSA-2017:0931
  • rhsa
    id RHSA-2017:0932
  • rhsa
    id RHSA-2017:0933
  • rhsa
    id RHSA-2018:1854
rpms
  • kernel-rt-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-debug-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-debug-devel-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-debug-kvm-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-devel-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-doc-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-kvm-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-trace-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-trace-devel-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-trace-kvm-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-0:3.10.0-514.16.1.el7
  • kernel-abi-whitelists-0:3.10.0-514.16.1.el7
  • kernel-bootwrapper-0:3.10.0-514.16.1.el7
  • kernel-debug-0:3.10.0-514.16.1.el7
  • kernel-debug-devel-0:3.10.0-514.16.1.el7
  • kernel-devel-0:3.10.0-514.16.1.el7
  • kernel-doc-0:3.10.0-514.16.1.el7
  • kernel-headers-0:3.10.0-514.16.1.el7
  • kernel-kdump-0:3.10.0-514.16.1.el7
  • kernel-kdump-devel-0:3.10.0-514.16.1.el7
  • kernel-tools-0:3.10.0-514.16.1.el7
  • kernel-tools-libs-0:3.10.0-514.16.1.el7
  • kernel-tools-libs-devel-0:3.10.0-514.16.1.el7
  • perf-0:3.10.0-514.16.1.el7
  • python-perf-0:3.10.0-514.16.1.el7
  • kernel-0:2.6.32-754.el6
  • kernel-abi-whitelists-0:2.6.32-754.el6
  • kernel-bootwrapper-0:2.6.32-754.el6
  • kernel-debug-0:2.6.32-754.el6
  • kernel-debug-devel-0:2.6.32-754.el6
  • kernel-devel-0:2.6.32-754.el6
  • kernel-doc-0:2.6.32-754.el6
  • kernel-firmware-0:2.6.32-754.el6
  • kernel-headers-0:2.6.32-754.el6
  • kernel-kdump-0:2.6.32-754.el6
  • kernel-kdump-devel-0:2.6.32-754.el6
  • perf-0:2.6.32-754.el6
  • python-perf-0:2.6.32-754.el6
refmap via4
bid 94532
confirm
fulldisc 20161115 OS-S 2016-21 - Local DoS: Linux Kernel Nullpointer Dereference via keyctl
mlist [oss-security] 20161125 Linux kernel: CVE-2016-8650 : Local denial of service with in key subsystem
sectrack 1037968
Last major update 07-03-2017 - 21:59
Published 27-11-2016 - 22:59
Last modified 19-06-2018 - 21:29