ID CVE-2017-13080
Summary Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients.
References
Vulnerable Configurations
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 17.04
    cpe:2.3:o:canonical:ubuntu_linux:17.04
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
  • FreeBSD
    cpe:2.3:o:freebsd:freebsd
  • cpe:2.3:o:freebsd:freebsd:10
    cpe:2.3:o:freebsd:freebsd:10
  • cpe:2.3:o:freebsd:freebsd:10.4
    cpe:2.3:o:freebsd:freebsd:10.4
  • cpe:2.3:o:freebsd:freebsd:11
    cpe:2.3:o:freebsd:freebsd:11
  • cpe:2.3:o:freebsd:freebsd:11.1
    cpe:2.3:o:freebsd:freebsd:11.1
  • openSUSE Leap 42.2
    cpe:2.3:o:opensuse:leap:42.2
  • openSUSE Leap 42.3
    cpe:2.3:o:opensuse:leap:42.3
  • cpe:2.3:o:redhat:enterprise_linux_desktop:7
    cpe:2.3:o:redhat:enterprise_linux_desktop:7
  • cpe:2.3:o:redhat:enterprise_linux_server:7
    cpe:2.3:o:redhat:enterprise_linux_server:7
  • w1.fi Hostapd 0.2.4
    cpe:2.3:a:w1.fi:hostapd:0.2.4
  • cpe:2.3:a:w1.fi:hostapd:0.2.5
    cpe:2.3:a:w1.fi:hostapd:0.2.5
  • cpe:2.3:a:w1.fi:hostapd:0.2.6
    cpe:2.3:a:w1.fi:hostapd:0.2.6
  • cpe:2.3:a:w1.fi:hostapd:0.2.8
    cpe:2.3:a:w1.fi:hostapd:0.2.8
  • w1.fi Hostapd 0.3.7
    cpe:2.3:a:w1.fi:hostapd:0.3.7
  • cpe:2.3:a:w1.fi:hostapd:0.3.9
    cpe:2.3:a:w1.fi:hostapd:0.3.9
  • cpe:2.3:a:w1.fi:hostapd:0.3.10
    cpe:2.3:a:w1.fi:hostapd:0.3.10
  • cpe:2.3:a:w1.fi:hostapd:0.3.11
    cpe:2.3:a:w1.fi:hostapd:0.3.11
  • w1.fi Hostapd 0.4.7
    cpe:2.3:a:w1.fi:hostapd:0.4.7
  • cpe:2.3:a:w1.fi:hostapd:0.4.8
    cpe:2.3:a:w1.fi:hostapd:0.4.8
  • cpe:2.3:a:w1.fi:hostapd:0.4.9
    cpe:2.3:a:w1.fi:hostapd:0.4.9
  • cpe:2.3:a:w1.fi:hostapd:0.4.10
    cpe:2.3:a:w1.fi:hostapd:0.4.10
  • cpe:2.3:a:w1.fi:hostapd:0.4.11
    cpe:2.3:a:w1.fi:hostapd:0.4.11
  • cpe:2.3:a:w1.fi:hostapd:0.5.7
    cpe:2.3:a:w1.fi:hostapd:0.5.7
  • cpe:2.3:a:w1.fi:hostapd:0.5.8
    cpe:2.3:a:w1.fi:hostapd:0.5.8
  • cpe:2.3:a:w1.fi:hostapd:0.5.9
    cpe:2.3:a:w1.fi:hostapd:0.5.9
  • cpe:2.3:a:w1.fi:hostapd:0.5.10
    cpe:2.3:a:w1.fi:hostapd:0.5.10
  • cpe:2.3:a:w1.fi:hostapd:0.5.11
    cpe:2.3:a:w1.fi:hostapd:0.5.11
  • cpe:2.3:a:w1.fi:hostapd:0.6.8
    cpe:2.3:a:w1.fi:hostapd:0.6.8
  • cpe:2.3:a:w1.fi:hostapd:0.6.9
    cpe:2.3:a:w1.fi:hostapd:0.6.9
  • cpe:2.3:a:w1.fi:hostapd:0.6.10
    cpe:2.3:a:w1.fi:hostapd:0.6.10
  • w1.fi Hostapd 0.7.3
    cpe:2.3:a:w1.fi:hostapd:0.7.3
  • cpe:2.3:a:w1.fi:hostapd:1.0
    cpe:2.3:a:w1.fi:hostapd:1.0
  • w1.fi Hostapd 1.1
    cpe:2.3:a:w1.fi:hostapd:1.1
  • w1.fi Hostapd 2.0
    cpe:2.3:a:w1.fi:hostapd:2.0
  • w1.fi Hostapd 2.1
    cpe:2.3:a:w1.fi:hostapd:2.1
  • w1.fi Hostapd 2.2
    cpe:2.3:a:w1.fi:hostapd:2.2
  • w1.fi hostapd 2.3
    cpe:2.3:a:w1.fi:hostapd:2.3
  • w1.fi hostapd 2.4
    cpe:2.3:a:w1.fi:hostapd:2.4
  • w1.fi Hostapd 2.5
    cpe:2.3:a:w1.fi:hostapd:2.5
  • w1.fi hostapd 2.6
    cpe:2.3:a:w1.fi:hostapd:2.6
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.2.4
    cpe:2.3:a:w1.fi:wpa_supplicant:0.2.4
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.2.5
    cpe:2.3:a:w1.fi:wpa_supplicant:0.2.5
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.2.6
    cpe:2.3:a:w1.fi:wpa_supplicant:0.2.6
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.2.7
    cpe:2.3:a:w1.fi:wpa_supplicant:0.2.7
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.2.8
    cpe:2.3:a:w1.fi:wpa_supplicant:0.2.8
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.3.7
    cpe:2.3:a:w1.fi:wpa_supplicant:0.3.7
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.3.8
    cpe:2.3:a:w1.fi:wpa_supplicant:0.3.8
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.3.9
    cpe:2.3:a:w1.fi:wpa_supplicant:0.3.9
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.3.10
    cpe:2.3:a:w1.fi:wpa_supplicant:0.3.10
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.3.11
    cpe:2.3:a:w1.fi:wpa_supplicant:0.3.11
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.4.7
    cpe:2.3:a:w1.fi:wpa_supplicant:0.4.7
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.4.8
    cpe:2.3:a:w1.fi:wpa_supplicant:0.4.8
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.4.9
    cpe:2.3:a:w1.fi:wpa_supplicant:0.4.9
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.4.10
    cpe:2.3:a:w1.fi:wpa_supplicant:0.4.10
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.4.11
    cpe:2.3:a:w1.fi:wpa_supplicant:0.4.11
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.5.7
    cpe:2.3:a:w1.fi:wpa_supplicant:0.5.7
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.5.8
    cpe:2.3:a:w1.fi:wpa_supplicant:0.5.8
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.5.9
    cpe:2.3:a:w1.fi:wpa_supplicant:0.5.9
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.5.10
    cpe:2.3:a:w1.fi:wpa_supplicant:0.5.10
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.5.11
    cpe:2.3:a:w1.fi:wpa_supplicant:0.5.11
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.6.8
    cpe:2.3:a:w1.fi:wpa_supplicant:0.6.8
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.6.9
    cpe:2.3:a:w1.fi:wpa_supplicant:0.6.9
  • cpe:2.3:a:w1.fi:wpa_supplicant:0.6.10
    cpe:2.3:a:w1.fi:wpa_supplicant:0.6.10
  • w1.fi WPA Supplicant 0.7.3
    cpe:2.3:a:w1.fi:wpa_supplicant:0.7.3
  • cpe:2.3:a:w1.fi:wpa_supplicant:1.0
    cpe:2.3:a:w1.fi:wpa_supplicant:1.0
  • w1.fi WPA Supplicant 1.1
    cpe:2.3:a:w1.fi:wpa_supplicant:1.1
  • w1.fi WPA Supplicant 2.0
    cpe:2.3:a:w1.fi:wpa_supplicant:2.0
  • w1.fi WPA Supplicant 2.1
    cpe:2.3:a:w1.fi:wpa_supplicant:2.1
  • w1.fi WPA Supplicant 2.2
    cpe:2.3:a:w1.fi:wpa_supplicant:2.2
  • w1.fi WPA Supplicant 2.3
    cpe:2.3:a:w1.fi:wpa_supplicant:2.3
  • w1.fi WPA Supplicant 2.4
    cpe:2.3:a:w1.fi:wpa_supplicant:2.4
  • w1.fi WPA Supplicant 2.5
    cpe:2.3:a:w1.fi:wpa_supplicant:2.5
  • w1.fi WPA Supplicant 2.6
    cpe:2.3:a:w1.fi:wpa_supplicant:2.6
  • cpe:2.3:o:suse:linux_enterprise_desktop:12:sp2
    cpe:2.3:o:suse:linux_enterprise_desktop:12:sp2
  • cpe:2.3:o:suse:linux_enterprise_desktop:12:sp3
    cpe:2.3:o:suse:linux_enterprise_desktop:12:sp3
  • cpe:2.3:o:suse:linux_enterprise_point_of_sale:11:sp3
    cpe:2.3:o:suse:linux_enterprise_point_of_sale:11:sp3
  • cpe:2.3:o:suse:linux_enterprise_server:11:sp3:-:-:-:ltss
    cpe:2.3:o:suse:linux_enterprise_server:11:sp3:-:-:-:ltss
  • SUSE Linux Enterprise Server 11 Service Pack 4
    cpe:2.3:o:suse:linux_enterprise_server:11:sp4
  • cpe:2.3:o:suse:linux_enterprise_server:12:-:-:-:ltss
    cpe:2.3:o:suse:linux_enterprise_server:12:-:-:-:ltss
  • cpe:2.3:o:suse:openstack_cloud:6
    cpe:2.3:o:suse:openstack_cloud:6
CVSS
Base: 2.9
Impact:
Exploitability:
CWE CWE-254
CAPEC
msbulletin via4
bulletin_SOURCE_FILE https://portal.msrc.microsoft.com/api/security-guidance/en-us/
cves_url https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080
impact Spoofing
knowledgebase_SOURCE_FILE https://support.microsoft.com/help/4041676
knowledgebase_id 4041676
name Windows 10 Version 1703 for 32-bit Systems
publishedDate 2017-10-16T07:00:00
severity Important
nessus via4
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20171018_WPA_SUPPLICANT_ON_SL7_X.NASL
    description Security Fix(es) : - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
    last seen 2018-09-02
    modified 2018-01-29
    plugin id 103960
    published 2017-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103960
    title Scientific Linux Security Update : wpa_supplicant on SL7.x x86_64 (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1194.NASL
    description The openSUSE Leap 42.3 kernel was updated to 4.4.92 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667). - CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c (bnc#1062520). - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388). The following non-security bugs were fixed : - acpi/processor: Check for duplicate processor ids at hotplug time (bnc#1056230). - acpi/processor: Implement DEVICE operator for processor enumeration (bnc#1056230). - add mainline tags to hyperv patches - alsa: au88x0: avoid theoretical uninitialized access (bnc#1012382). - alsa: compress: Remove unused variable (bnc#1012382). - alsa: usb-audio: Check out-of-bounds access by corrupted buffer descriptor (bnc#1012382). - alsa: usx2y: Suppress kernel warning at page allocation failures (bnc#1012382). - arm64: add function to get a cpu's MADT GICC table (bsc#1062279). - arm64: dts: Add Broadcom Vulcan PMU in dts (fate#319481). - arm64/perf: Access pmu register using irq_affinity on error (bsc#1062279). - drivers/perf: arm_pmu: avoid NULL dereference when not using devicetree (bsc#1062279). - drivers/perf: arm-pmu: convert arm_pmu_mutex to spinlock (bsc#1062279). - drivers/perf: arm_pmu: Defer the setting of __oprofile_cpu_pmu (bsc#1062279). - drivers/perf: arm_pmu: define armpmu_init_fn (bsc#1062279). - drivers/perf: arm_pmu: expose a cpumask in sysfs (bsc#1062279). - drivers/perf: arm_pmu: factor out pmu registration (bsc#1062279). - drivers/perf: arm-pmu: Fix handling of SPI lacking 'interrupt-affinity' property (bsc#1062279). - drivers/perf: arm_pmu: Fix NULL pointer dereference during probe (bsc#1062279). - drivers/perf: arm-pmu: fix RCU usage on pmu resume from low-power (bsc#1062279). - drivers/perf: arm_pmu: Fix reference count of a device_node in of_pmu_irq_cfg (bsc#1062279). - drivers/perf: arm_pmu: fold init into alloc (bsc#1062279). - drivers/perf: arm_pmu: handle no platform_device (bsc#1062279). - drivers/perf: arm-pmu: Handle per-interrupt affinity mask (bsc#1062279). - drivers/perf: arm_pmu: implement CPU_PM notifier (bsc#1062279). - drivers/perf: arm_pmu: make info messages more verbose (bsc#1062279). - drivers/perf: arm_pmu: manage interrupts per-cpu (bsc#1062279). - drivers/perf: arm_pmu: move irq request/free into probe (bsc#1062279). - drivers/perf: arm_pmu: only use common attr_groups (bsc#1062279). - drivers/perf: arm_pmu: remove pointless PMU disabling (bsc#1062279). - drivers/perf: arm_pmu: rename irq request/free functions (bsc#1062279). - drivers/perf: arm_pmu: Request PMU SPIs with IRQF_PER_CPU (bsc#1062279). - drivers/perf: arm_pmu: rework per-cpu allocation (bsc#1062279). - drivers/perf: arm_pmu: simplify cpu_pmu_request_irqs() (bsc#1062279). - drivers/perf: arm_pmu: split cpu-local irq request/free (bsc#1062279). - drivers/perf: arm_pmu: split irq request from enable (bsc#1062279). - drivers/perf: arm_pmu: split out platform device probe logic (bsc#1062279). - drivers/perf: kill armpmu_register (bsc#1062279). - drm/amdkfd: fix improper return value on error (bnc#1012382). - drm: bridge: add DT bindings for TI ths8135 (bnc#1012382). - drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define (bnc#1012382). - drm/i915/bios: ignore HDMI on port A (bnc#1012382). - e1000e: use disable_hardirq() also for MSIX vectors in e1000_netpoll() (bsc#1022912 FATE#321246). - edac, sb_edac: Assign EDAC memory controller per h/w controller (bsc#1061721). - edac, sb_edac: Avoid creating SOCK memory controller (bsc#1061721). - edac, sb_edac: Bump driver version and do some cleanups (bsc#1061721). - edac, sb_edac: Carve out dimm-populating loop (bsc#1061721). - edac, sb_edac: Check if ECC enabled when at least one DIMM is present (bsc#1061721). - edac, sb_edac: Classify memory mirroring modes (bsc#1061721). - edac, sb_edac: Classify PCI-IDs by topology (bsc#1061721). - edac, sb_edac: Do not create a second memory controller if HA1 is not present (bsc#1061721). - edac, sb_edac: Do not use 'Socket#' in the memory controller name (bsc#1061721). - edac, sb_edac: Drop NUM_CHANNELS from 8 back to 4 (bsc#1061721). - edac, sb_edac: Fix mod_name (bsc#1061721). - edac, sb_edac: Get rid of ->show_interleave_mode() (bsc#1061721). - edac, sb_edac: Remove double buffering of error records (bsc#1061721). - edac, sb_edac: Remove NULL pointer check on array pci_tad (bsc#1061721). - edac, skx_edac: Handle systems with segmented PCI busses (bsc#1063102). - ext4: do not allow encrypted operations without keys (bnc#1012382). - extcon: axp288: Use vbus-valid instead of -present to determine cable presence (bnc#1012382). - exynos-gsc: Do not swap cb/cr for semi planar formats (bnc#1012382). - fix flags ordering (bsc#1034075 comment 131) - Fix mpage_writepage() for pages with buffers (bsc#1050471). - fix whitespace according to upstream commit - fs/epoll: cache leftmost node (bsc#1056427). - fs/mpage.c: fix mpage_writepage() for pages with buffers (bsc#1050471). Update to version in mainline - ftrace: Fix kmemleak in unregister_ftrace_graph (bnc#1012382). - gfs2: Fix reference to ERR_PTR in gfs2_glock_iter_next (bnc#1012382). - hid: i2c-hid: allocate hid buffers for real worst case (bnc#1012382). - hwmon: (gl520sm) Fix overflows and crash seen when writing into limit attributes (bnc#1012382). - i2c: meson: fix wrong variable usage in meson_i2c_put_data (bnc#1012382). - i40e: Initialize 64-bit statistics TX ring seqcount (bsc#1024346 FATE#321239 bsc#1024373 FATE#321247). - i40iw: Add missing memory barriers (bsc#969476 FATE#319648 bsc#969477 FATE#319816). - i40iw: Fix port number for query QP (bsc#969476 FATE#319648 bsc#969477 FATE#319816). - ib/core: Add generic function to extract IB speed from netdev (bsc#1056596). - ib/core: Add ordered workqueue for RoCE GID management (bsc#1056596). - ib/core: Fix for core panic (bsc#1022595 FATE#322350). - ib/core: Fix the validations of a multicast LID in attach or detach operations (bsc#1022595 FATE#322350). - ib/i40iw: Fix error code in i40iw_create_cq() (bsc#969476 FATE#319648 bsc#969477 FATE#319816). - ib/ipoib: Fix deadlock over vlan_mutex (bnc#1012382 bsc#1022595 FATE#322350). - ib/ipoib: Replace list_del of the neigh->list with list_del_init (FATE#322350 bnc#1012382 bsc#1022595). - ib/ipoib: rtnl_unlock can not come after free_netdev (FATE#322350 bnc#1012382 bsc#1022595). - ib/mlx5: Change logic for dispatching IB events for port state (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - ib/mlx5: Fix cached MR allocation flow (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - ib/mlx5: Fix Raw Packet QP event handler assignment (bsc#966170 FATE#320225 bsc#966172 FATE#320226). - ibmvnic: Set state UP (bsc#1062962). - ib/qib: fix false-postive maybe-uninitialized warning (FATE#321231 FATE#321473 FATE#322149 FATE#322153 bnc#1012382). - igb: re-assign hw address pointer on reset after PCI error (bnc#1012382). - iio: ad7793: Fix the serial interface reset (bnc#1012382). - iio: adc: axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register modifications (bnc#1012382). - iio: adc: hx711: Add DT binding for avia,hx711 (bnc#1012382). - iio: adc: mcp320x: Fix oops on module unload (bnc#1012382). - iio: adc: mcp320x: Fix readout of negative voltages (bnc#1012382). - iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling path of 'twl4030_madc_probe()' (bnc#1012382). - iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()' (bnc#1012382). - iio: ad_sigma_delta: Implement a dedicated reset function (bnc#1012382). - iio: core: Return error for failed read_reg (bnc#1012382). - iommu/io-pgtable-arm: Check for leaf entry before dereferencing it (bnc#1012382). - iwlwifi: add workaround to disable wide channels in 5GHz (bnc#1012382). - kabi fixup struct nvmet_sq (bsc#1063349). - kABI: protect enum fs_flow_table_type (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - kABI: protect struct mlx5_priv (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - kABI: protect struct rm_data_op (kabi). - kABI: protect struct sdio_func (kabi). - libata: transport: Remove circular dependency at free time (bnc#1012382). - libceph: do not allow bidirectional swap of pg-upmap-items (bsc#1061451). - lsm: fix smack_inode_removexattr and xattr_getsecurity memleak (bnc#1012382). - md/raid10: submit bio directly to replacement disk (bnc#1012382). - mips: Ensure bss section ends on a long-aligned address (bnc#1012382). - mips: Fix minimum alignment requirement of IRQ stack (git-fixes). - mips: IRQ Stack: Unwind IRQ stack onto task stack (bnc#1012382). - mips: Lantiq: Fix another request_mem_region() return code check (bnc#1012382). - mips: ralink: Fix incorrect assignment on ralink_soc (bnc#1012382). - mlx5: Avoid that mlx5_ib_sg_to_klms() overflows the klms array (bsc#966170 FATE#320225 bsc#966172 FATE#320226). - mm: avoid marking swap cached page as lazyfree (VM Functionality, bsc#1061775). - mm/backing-dev.c: fix an error handling path in 'cgwb_create()' (bnc#1063475). - mm,compaction: serialize waitqueue_active() checks (for real) (bsc#971975). - mmc: sdio: fix alignment issue in struct sdio_func (bnc#1012382). - mm: discard memblock data later (bnc#1063460). - mm: fix data corruption caused by lazyfree page (VM Functionality, bsc#1061775). - mm/memblock.c: reversed logic in memblock_discard() (bnc#1063460). - mm: meminit: mark init_reserved_page as __meminit (bnc#1063509). - mm/memory_hotplug: change pfn_to_section_nr/section_nr_to_pfn macro to inline function (bnc#1063501). - mm/memory_hotplug: define find_{smallest|biggest}_section_pfn as unsigned long (bnc#1063520). - net: core: Prevent from dereferencing NULL pointer when releasing SKB (bnc#1012382). - netfilter: invoke synchronize_rcu after set the _hook_ to NULL (bnc#1012382). - netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max (bnc#1012382). - net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled (bsc#966191 FATE#320230 bsc#966186 FATE#320228). - net/mlx5: Check device capability for maximum flow counters (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - net/mlx5: Delay events till ib registration ends (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - net/mlx5e: Check for qos capability in dcbnl_initialize (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - net/mlx5e: Do not add/remove 802.1ad rules when changing 802.1Q VLAN filter (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - net/mlx5e: Fix calculated checksum offloads counters (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - net/mlx5e: Fix dangling page pointer on DMA mapping error (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - net/mlx5e: Fix DCB_CAP_ATTR_DCBX capability for DCBNL getcap (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - net/mlx5e: Fix inline header size for small packets (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - net/mlx5e: Print netdev features correctly in error message (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - net/mlx5e: Schedule overflow check work to mlx5e workqueue (bsc#966170 FATE#320225 bsc#966172 FATE#320226). - net/mlx5: E-Switch, Unload the representors in the correct order (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - net/mlx5: Fix arm SRQ command for ISSI version 0 (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - net/mlx5: Fix command completion after timeout access invalid structure (bsc#966318 FATE#320158 bsc#966316 FATE#320159). - net/mlx5: Fix counter list hardware structure (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689). - net/mlx5: Remove the flag MLX5_INTERFACE_STATE_SHUTDOWN (bsc#966170 FATE#320225 bsc#966172 FATE#320226). - net/mlx5: Skip mlx5_unload_one if mlx5_load_one fails (bsc#966170 FATE#320225 bsc#966172 FATE#320226). - net: mvpp2: fix the mac address used when using PPv2.2 (bsc#1032150). - net: mvpp2: use {get, put}_cpu() instead of smp_processor_id() (bsc#1032150). - net/packet: check length in getsockopt() called with PACKET_HDRLEN (bnc#1012382). - netvsc: Initialize 64-bit stats seqcount (fate#320485). - nvme: allow timed-out ios to retry (bsc#1063349). - nvme: fix sqhd reference when admin queue connect fails (bsc#1063349). - nvme: fix visibility of 'uuid' ns attribute (bsc#1060400). - nvme: protect against simultaneous shutdown invocations (FATE#319965 bnc#1012382 bsc#964944). - nvme: stop aer posting if controller state not live (bsc#1063349). - nvmet: implement valid sqhd values in completions (bsc#1063349). - nvmet: synchronize sqhd update (bsc#1063349). - nvme: use device_add_disk_with_groups() (bsc#1060400). - parisc: perf: Fix potential NULL pointer dereference (bnc#1012382). - partitions/efi: Fix integer overflow in GPT size calculation (FATE#322379 bnc#1012382 bsc#1020989). - perf: arm: acpi: remove cpu hotplug statemachine dependency (bsc#1062279). - perf: arm: platform: remove cpu hotplug statemachine dependency (bsc#1062279). - perf: arm: replace irq_get_percpu_devid_partition call (bsc#1062279). - perf: arm: temporary workaround for build errors (bsc#1062279). - perf: Convert to using %pOF instead of full_name (bsc#1062279). - powerpc: Fix unused function warning 'lmb_to_memblock' (FATE#322022). - powerpc/pseries: Add pseries hotplug workqueue (FATE#322022). - powerpc/pseries: Auto-online hotplugged memory (FATE#322022). - powerpc/pseries: Check memory device state before onlining/offlining (FATE#322022). - powerpc/pseries: Correct possible read beyond dlpar sysfs buffer (FATE#322022). - powerpc/pseries: Do not attempt to acquire drc during memory hot add for assigned lmbs (FATE#322022). - powerpc/pseries: Fix build break when MEMORY_HOTREMOVE=n (FATE#322022). - powerpc/pseries: fix memory leak in queue_hotplug_event() error path (FATE#322022). - powerpc/pseries: Implement indexed-count hotplug memory add (FATE#322022). - powerpc/pseries: Implement indexed-count hotplug memory remove (FATE#322022). - powerpc/pseries: Introduce memory hotplug READD operation (FATE#322022). - powerpc/pseries: Make the acquire/release of the drc for memory a separate step (FATE#322022). - powerpc/pseries: Remove call to memblock_add() (FATE#322022). - powerpc/pseries: Revert 'Auto-online hotplugged memory' (FATE#322022). - powerpc/pseries: Use kernel hotplug queue for PowerVM hotplug events (FATE#322022). - powerpc/pseries: Use lmb_is_removable() to check removability (FATE#322022). - powerpc/pseries: Verify CPU does not exist before adding (FATE#322022). - rdma: Fix return value check for ib_get_eth_speed() (bsc#1056596). - rdma/qedr: Parse VLAN ID correctly and ignore the value of zero (bsc#1019695 FATE#321703 bsc#1019699 FATE#321702 bsc#1022604 FATE#321747). - rdma/qedr: Parse vlan priority as sl (bsc#1019695 FATE#321703 bsc#1019699 FATE#321702 bsc#1022604 FATE#321747). - rds: ib: add error handle (bnc#1012382). - rds: rdma: Fix the composite message user notification (bnc#1012382). - README.BRANCH: Add Michal and Johannes as co-maintainers. - Remove superfluous hunk in bigmem backport (bsc#1064436). Refresh patches.arch/powerpc-bigmem-16-mm-Add-addr_limit-to-mm_c ontext-and-use-it-t.patch. - Revert 'x86/acpi: Enable MADT APIs to return disabled apicids' (bnc#1056230). - Revert 'x86/acpi: Set persistent cpuid <-> nodeid mapping when booting' (bnc#1056230). - s390/cpcmd,vmcp: avoid GFP_DMA allocations (bnc#1060249, LTC#159112). - s390/qdio: avoid reschedule of outbound tasklet once killed (bnc#1060249, LTC#159885). - s390/topology: alternative topology for topology-less machines (bnc#1060249, LTC#159177). - s390/topology: always use s390 specific sched_domain_topology_level (bnc#1060249, LTC#159177). - s390/topology: enable / disable topology dynamically (bnc#1060249, LTC#159177). - sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs (bnc#1012382). - scsi: fixup kernel warning during rmmod() (bsc#1052360). - scsi: libfc: fix a deadlock in fc_rport_work (bsc#1063695). - scsi: lpfc: Ensure io aborts interlocked with the target (bsc#1056587). - scsi: qedi: off by one in qedi_get_cmd_from_tid() (bsc#1004527, FATE#321744). - scsi: qla2xxx: Fix uninitialized work element (bsc#1019675,FATE#321701). - scsi: scsi_transport_fc: Also check for NOTPRESENT in fc_remote_port_add() (bsc#1037890). - scsi: scsi_transport_fc: set scsi_target_id upon rescan (bsc#1058135). - scsi: sd: Do not override max_sectors_kb sysfs setting (bsc#1025461). - scsi: sd: Remove LBPRZ dependency for discards (bsc#1060985). This patch is originally part of a larger series which can't be easily backported to SLE-12. For a reasoning why we think it's safe to apply, see bsc#1060985, comment 20. - scsi: sg: close race condition in sg_remove_sfp_usercontext() (bsc#1064206). - scsi: sg: do not return bogus Sg_requests (bsc#1064206). - scsi: sg: only check for dxfer_len greater than 256M (bsc#1064206). - sh_eth: use correct name for ECMR_MPDE bit (bnc#1012382). - staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack (bnc#1012382). - stm class: Fix a use-after-free (bnc#1012382). - supported.conf: enable dw_mmc-rockchip driver References: bsc#1064064 - team: call netdev_change_features out of team lock (bsc#1055567). - team: fix memory leaks (bnc#1012382). - ttpci: address stringop overflow warning (bnc#1012382). - tty: goldfish: Fix a parameter of a call to free_irq (bnc#1012382). - usb: chipidea: vbus event may exist before starting gadget (bnc#1012382). - usb: core: harden cdc_parse_cdc_header (bnc#1012382). - usb: devio: Do not corrupt user memory (bnc#1012382). - usb: dummy-hcd: fix connection failures (wrong speed) (bnc#1012382). - usb: dummy-hcd: Fix erroneous synchronization change (bnc#1012382). - usb: dummy-hcd: fix infinite-loop resubmission bug (bnc#1012382). - usb: fix out-of-bounds in usb_set_configuration (bnc#1012382). - usb: gadgetfs: fix copy_to_user while holding spinlock (bnc#1012382). - usb: gadgetfs: Fix crash caused by inadequate synchronization (bnc#1012382). - usb: gadget: inode.c: fix unbalanced spin_lock in ep0_write (bnc#1012382). - usb: gadget: mass_storage: set msg_registered after msg registered (bnc#1012382). - usb: gadget: udc: atmel: set vbus irqflags explicitly (bnc#1012382). - usb: g_mass_storage: Fix deadlock when driver is unbound (bnc#1012382). - usb: Increase quirk delay for USB devices (bnc#1012382). - usb: pci-quirks.c: Corrected timeout values used in handshake (bnc#1012382). - usb: plusb: Add support for PL-27A1 (bnc#1012382). - usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe (bnc#1012382). - usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction (bnc#1012382). - usb: serial: mos7720: fix control-message error handling (bnc#1012382). - usb: serial: mos7840: fix control-message error handling (bnc#1012382). - usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives (bnc#1012382). - usb: uas: fix bug in handling of alternate settings (bnc#1012382). - uwb: ensure that endpoint is interrupt (bnc#1012382). - uwb: properly check kthread_run return value (bnc#1012382). - x86/acpi: Restore the order of CPU IDs (bnc#1056230). - x86/cpu: Remove unused and undefined __generic_processor_info() declaration (bnc#1056230). - x86 edac, sb_edac.c: Take account of channel hashing when needed (bsc#1061721). - x86/mshyperv: Remove excess #includes from mshyperv.h (fate#320485). - xfs: handle error if xfs_btree_get_bufs fails (bsc#1059863). - xfs: remove kmem_zalloc_greedy (bnc#1012382). - xhci: fix finding correct bus_state structure for USB 3.1 hosts (bnc#1012382).
    last seen 2018-09-01
    modified 2018-01-29
    plugin id 104166
    published 2017-10-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104166
    title openSUSE Security Update : the Linux Kernel (openSUSE-2017-1194) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1317.NASL
    description This update for kernel-firmware fixes the following issues : - Update Intel WiFi firmwares for the 3160, 7260 and 7265 adapters. Security issues fixed are part of the 'KRACK' attacks affecting the firmware : - CVE-2017-13080: The reinstallation of the Group Temporal key could be used for replay attacks (bsc#1066295) : - CVE-2017-13081: The reinstallation of the Integrity Group Temporal key could be used for replay attacks (bsc#1066295) : This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen 2018-09-01
    modified 2018-01-29
    plugin id 105219
    published 2017-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105219
    title openSUSE Security Update : kernel-firmware (openSUSE-2017-1317) (KRACK)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-60BFB576B7.NASL
    description Fix the for the Key Reinstallation Attacks ========================================== - hostapd: Avoid key reinstallation in FT handshake (CVE-2017-13082) - Fix PTK rekeying to generate a new ANonce - Prevent reinstallation of an already in-use group key and extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases (CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088) - Prevent installation of an all-zero TK - TDLS: Reject TPK-TK reconfiguration - WNM: Ignore WNM-Sleep Mode Response without pending request - FT: Do not allow multiple Reassociation Response frames Upstream advisory: https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-me ssages.txt Details and the paper: https://www.krackattacks.com/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-02-02
    plugin id 103896
    published 2017-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103896
    title Fedora 26 : 1:wpa_supplicant (2017-60bfb576b7) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1224.NASL
    description The openSUSE Leap 42.2 kernel was updated to 4.4.92 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667). - CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c (bnc#1062520). - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388). The following non-security bugs were fixed : - alsa: au88x0: avoid theoretical uninitialized access (bnc#1012382). - alsa: compress: Remove unused variable (bnc#1012382). - alsa: usb-audio: Check out-of-bounds access by corrupted buffer descriptor (bnc#1012382). - alsa: usx2y: Suppress kernel warning at page allocation failures (bnc#1012382). - arm: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM (bnc#1012382). - arm: dts: r8a7790: Use R-Car Gen 2 fallback binding for msiof nodes (bnc#1012382). - arm: remove duplicate 'const' annotations' (bnc#1012382). - asoc: dapm: fix some pointer error handling (bnc#1012382). - asoc: dapm: handle probe deferrals (bnc#1012382). - audit: log 32-bit socketcalls (bnc#1012382). - blacklist 0e7736c6b806 powerpc/powernv: Fix data type for @r in pnv_ioda_parse_m64_window() - blacklist.conf: not fitting cleanup patch - brcmfmac: setup passive scan if requested by user-space (bnc#1012382). - bridge: netlink: register netdevice before executing changelink (bnc#1012382). - ceph: avoid panic in create_session_open_msg() if utsname() returns NULL (bsc#1061451). - ceph: check negative offsets in ceph_llseek() (bsc#1061451). - driver core: platform: Do not read past the end of 'driver_override' buffer (bnc#1012382). - drivers: firmware: psci: drop duplicate const from psci_of_match (bnc#1012382). - drivers: hv: fcopy: restore correct transfer length (bnc#1012382). - drm/amdkfd: fix improper return value on error (bnc#1012382). - drm: bridge: add DT bindings for TI ths8135 (bnc#1012382). - drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define (bnc#1012382). - drm/i915/bios: ignore HDMI on port A (bnc#1012382). - ext4: do not allow encrypted operations without keys (bnc#1012382). - extcon: axp288: Use vbus-valid instead of -present to determine cable presence (bnc#1012382). - exynos-gsc: Do not swap cb/cr for semi planar formats (bnc#1012382). - fix whitespace according to upstream commit - fs/epoll: cache leftmost node (bsc#1056427). - ftrace: Fix kmemleak in unregister_ftrace_graph (bnc#1012382). - gfs2: Fix reference to ERR_PTR in gfs2_glock_iter_next (bnc#1012382). - hid: i2c-hid: allocate hid buffers for real worst case (bnc#1012382). - hpsa: correct lun data caching bitmap definition (bsc#1028971). - hwmon: (gl520sm) Fix overflows and crash seen when writing into limit attributes (bnc#1012382). - i2c: meson: fix wrong variable usage in meson_i2c_put_data (bnc#1012382). - i40e: Initialize 64-bit statistics TX ring seqcount (bsc#969476 FATE#319648 bsc#969477 FATE#319816). - i40iw: Add missing memory barriers (bsc#969476 FATE#319648 bsc#969477 FATE#319816). - i40iw: Fix port number for query QP (bsc#969476 FATE#319648 bsc#969477 FATE#319816). - ib/core: Fix for core panic (bsc#1022595 FATE#322350). - ib/core: Fix the validations of a multicast LID in attach or detach operations (bsc#1022595 FATE#322350). - ib/i40iw: Fix error code in i40iw_create_cq() (bsc#969476 FATE#319648 bsc#969477 FATE#319816). - ib/ipoib: Fix deadlock over vlan_mutex (bnc#1012382). - ib/ipoib: Replace list_del of the neigh->list with list_del_init (bnc#1012382). - ib/ipoib: rtnl_unlock can not come after free_netdev (bnc#1012382). - ib/mlx5: Fix Raw Packet QP event handler assignment (bsc#966170 FATE#320225 bsc#966172 FATE#320226). - ibmvnic: Set state UP (bsc#1062962). - ib/qib: fix false-postive maybe-uninitialized warning (bnc#1012382). - igb: re-assign hw address pointer on reset after PCI error (bnc#1012382). - iio: ad7793: Fix the serial interface reset (bnc#1012382). - iio: adc: axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register modifications (bnc#1012382). - iio: adc: hx711: Add DT binding for avia,hx711 (bnc#1012382). - iio: adc: mcp320x: Fix oops on module unload (bnc#1012382). - iio: adc: mcp320x: Fix readout of negative voltages (bnc#1012382). - iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling path of 'twl4030_madc_probe()' (bnc#1012382). - iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()' (bnc#1012382). - iio: ad_sigma_delta: Implement a dedicated reset function (bnc#1012382). - iio: core: Return error for failed read_reg (bnc#1012382). - iommu/io-pgtable-arm: Check for leaf entry before dereferencing it (bnc#1012382). - iwlwifi: add workaround to disable wide channels in 5GHz (bnc#1012382). - ixgbe: Fix incorrect bitwise operations of PTP Rx timestamp flags (bsc#969474 FATE#319812 bsc#969475 FATE#319814). - kABI: protect struct rm_data_op (kabi). - kABI: protect struct sdio_func (kabi). - libata: transport: Remove circular dependency at free time (bnc#1012382). - lsm: fix smack_inode_removexattr and xattr_getsecurity memleak (bnc#1012382). - md/raid10: submit bio directly to replacement disk (bnc#1012382). - mips: Ensure bss section ends on a long-aligned address (bnc#1012382). - mips: Fix minimum alignment requirement of IRQ stack (git-fixes). - mips: IRQ Stack: Unwind IRQ stack onto task stack (bnc#1012382). - mips: Lantiq: Fix another request_mem_region() return code check (bnc#1012382). - mips: ralink: Fix incorrect assignment on ralink_soc (bnc#1012382). - mlx5: Avoid that mlx5_ib_sg_to_klms() overflows the klms array (bsc#966170 FATE#320225 bsc#966172 FATE#320226). - mm/backing-dev.c: fix an error handling path in 'cgwb_create()' (bnc#1063475). - mm,compaction: serialize waitqueue_active() checks (for real) (bsc#971975). - mmc: sdio: fix alignment issue in struct sdio_func (bnc#1012382). - mm: discard memblock data later (bnc#1063460). - mm/memblock.c: reversed logic in memblock_discard() (bnc#1063460). - mm: meminit: mark init_reserved_page as __meminit (bnc#1063509). - mm/memory_hotplug: change pfn_to_section_nr/section_nr_to_pfn macro to inline function (bnc#1063501). - mm/memory_hotplug: define find_{smallest|biggest}_section_pfn as unsigned long (bnc#1063520). - net: core: Prevent from dereferencing NULL pointer when releasing SKB (bnc#1012382). - netfilter: invoke synchronize_rcu after set the _hook_ to NULL (bnc#1012382). - netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max (bnc#1012382). - net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled (bsc#966191 FATE#320230 bsc#966186 FATE#320228). - net/mlx5e: Fix wrong delay calculation for overflow check scheduling (bsc#966170 FATE#320225 bsc#966172 FATE#320226). - net/mlx5e: Schedule overflow check work to mlx5e workqueue (bsc#966170 FATE#320225 bsc#966172 FATE#320226). - net/mlx5: Skip mlx5_unload_one if mlx5_load_one fails (bsc#966170 FATE#320225 bsc#966172 FATE#320226). - net/packet: check length in getsockopt() called with PACKET_HDRLEN (bnc#1012382). - nvme: protect against simultaneous shutdown invocations (FATE#319965 bnc#1012382 bsc#964944). - parisc: perf: Fix potential NULL pointer dereference (bnc#1012382). - partitions/efi: Fix integer overflow in GPT size calculation (bnc#1012382). - qed: Fix stack corruption on probe (bsc#966318 FATE#320158 bsc#966316 FATE#320159). - rds: ib: add error handle (bnc#1012382). - rds: RDMA: Fix the composite message user notification (bnc#1012382). - README.BRANCH: Add Michal and Johannes as co-maintainers. - sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs (bnc#1012382). - scsi: hpsa: add 'ctlr_num' sysfs attribute (bsc#1028971). - scsi: hpsa: bump driver version (bsc#1022600 fate#321928). - scsi: hpsa: change driver version (bsc#1022600 bsc#1028971 fate#321928). - scsi: hpsa: Check for null device pointers (bsc#1028971). - scsi: hpsa: Check for null devices in ioaccel (bsc#1028971). - scsi: hpsa: Check for vpd support before sending (bsc#1028971). - scsi: hpsa: cleanup reset handler (bsc#1022600 fate#321928). - scsi: hpsa: correct call to hpsa_do_reset (bsc#1028971). - scsi: hpsa: correct logical resets (bsc#1028971). - scsi: hpsa: correct queue depth for externals (bsc#1022600 fate#321928). - scsi: hpsa: correct resets on retried commands (bsc#1022600 fate#321928). - scsi: hpsa: correct scsi 6byte lba calculation (bsc#1028971). - scsi: hpsa: Determine device external status earlier (bsc#1028971). - scsi: hpsa: do not get enclosure info for external devices (bsc#1022600 fate#321928). - scsi: hpsa: do not reset enclosures (bsc#1022600 fate#321928). - scsi: hpsa: do not timeout reset operations (bsc#1022600 bsc#1028971 fate#321928). - scsi: hpsa: fallback to use legacy REPORT PHYS command (bsc#1028971). - scsi: hpsa: fix volume offline state (bsc#1022600 bsc#1028971 fate#321928). - scsi: hpsa: limit outstanding rescans (bsc#1022600 bsc#1028971 fate#321928). - scsi: hpsa: Prevent sending bmic commands to externals (bsc#1028971). - scsi: hpsa: remove abort handler (bsc#1022600 fate#321928). - scsi: hpsa: remove coalescing settings for ioaccel2 (bsc#1028971). - scsi: hpsa: remove memory allocate failure message (bsc#1028971). - scsi: hpsa: Remove unneeded void pointer cast (bsc#1028971). - scsi: hpsa: rescan later if reset in progress (bsc#1022600 fate#321928). - scsi: hpsa: send ioaccel requests with 0 length down raid path (bsc#1022600 fate#321928). - scsi: hpsa: separate monitor events from rescan worker (bsc#1022600 fate#321928). - scsi: hpsa: update check for logical volume status (bsc#1022600 bsc#1028971 fate#321928). - scsi: hpsa: update identify physical device structure (bsc#1022600 fate#321928). - scsi: hpsa: update pci ids (bsc#1022600 bsc#1028971 fate#321928). - scsi: hpsa: update reset handler (bsc#1022600 fate#321928). - scsi: hpsa: use designated initializers (bsc#1028971). - scsi: hpsa: use %phN for short hex dumps (bsc#1028971). - scsi: libfc: fix a deadlock in fc_rport_work (bsc#1063695). - scsi: sd: Do not override max_sectors_kb sysfs setting (bsc#1025461). - scsi: sd: Remove LBPRZ dependency for discards (bsc#1060985). This patch is originally part of a larger series which can't be easily backported to SLE-12. For a reasoning why we think it's safe to apply, see bsc#1060985, comment 20. - scsi: sg: close race condition in sg_remove_sfp_usercontext() (bsc#1064206). - sh_eth: use correct name for ECMR_MPDE bit (bnc#1012382). - staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack (bnc#1012382). - stm class: Fix a use-after-free (bnc#1012382). - supported.conf: mark hid-multitouch as supported (FATE#323670) - team: call netdev_change_features out of team lock (bsc#1055567). - team: fix memory leaks (bnc#1012382). - tpm_tis: Do not fall back to a hardcoded address for TPM2 (bsc#1020645, fate#321435, fate#321507, fate#321600, bsc#1034048). - ttpci: address stringop overflow warning (bnc#1012382). - tty: goldfish: Fix a parameter of a call to free_irq (bnc#1012382). - usb: chipidea: vbus event may exist before starting gadget (bnc#1012382). - usb: core: harden cdc_parse_cdc_header (bnc#1012382). - usb: devio: Do not corrupt user memory (bnc#1012382). - usb: dummy-hcd: fix connection failures (wrong speed) (bnc#1012382). - usb: dummy-hcd: Fix erroneous synchronization change (bnc#1012382). - usb: dummy-hcd: fix infinite-loop resubmission bug (bnc#1012382). - usb: fix out-of-bounds in usb_set_configuration (bnc#1012382). - usb: gadgetfs: fix copy_to_user while holding spinlock (bnc#1012382). - usb: gadgetfs: Fix crash caused by inadequate synchronization (bnc#1012382). - usb: gadget: inode.c: fix unbalanced spin_lock in ep0_write (bnc#1012382). - usb: gadget: mass_storage: set msg_registered after msg registered (bnc#1012382). - usb: gadget: udc: atmel: set vbus irqflags explicitly (bnc#1012382). - usb: g_mass_storage: Fix deadlock when driver is unbound (bnc#1012382). - usb: Increase quirk delay for USB devices (bnc#1012382). - usb: pci-quirks.c: Corrected timeout values used in handshake (bnc#1012382). - usb: plusb: Add support for PL-27A1 (bnc#1012382). - usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe (bnc#1012382). - usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction (bnc#1012382). - usb: serial: mos7720: fix control-message error handling (bnc#1012382). - usb: serial: mos7840: fix control-message error handling (bnc#1012382). - usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives (bnc#1012382). - usb: uas: fix bug in handling of alternate settings (bnc#1012382). - uwb: ensure that endpoint is interrupt (bnc#1012382). - uwb: properly check kthread_run return value (bnc#1012382). - xfs: handle error if xfs_btree_get_bufs fails (bsc#1059863). - xfs: remove kmem_zalloc_greedy (bnc#1012382). - xhci: fix finding correct bus_state structure for USB 3.1 hosts (bnc#1012382).
    last seen 2018-09-02
    modified 2018-01-29
    plugin id 104246
    published 2017-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104246
    title openSUSE Security Update : the Linux Kernel (openSUSE-2017-1224) (KRACK)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20171018_WPA_SUPPLICANT_ON_SL6_X.NASL
    description Security Fix(es): * A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13087)
    last seen 2018-09-01
    modified 2018-01-29
    plugin id 103959
    published 2017-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103959
    title Scientific Linux Security Update : wpa_supplicant on SL6.x i386/x86_64 (KRACK)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2017-291-02.NASL
    description New wpa_supplicant packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2018-09-02
    modified 2018-01-29
    plugin id 103944
    published 2017-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103944
    title Slackware 14.0 / 14.1 / 14.2 / current : wpa_supplicant (SSA:2017-291-02) (KRACK)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS17_OCT_4041676.NASL
    description The remote Windows host is missing security update 4041676. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2017-11765, CVE-2017-11814) - An elevation of privilege vulnerability exists when the Windows Update Delivery Optimization does not properly enforce file share permissions. An attacker who successfully exploited the vulnerability could overwrite files that require higher privileges than what the attacker already has. (CVE-2017-11829) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11762, CVE-2017-11763) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11792, CVE-2017-11796, CVE-2017-11798, CVE-2017-11799, CVE-2017-11802, CVE-2017-11804, CVE-2017-11805, CVE-2017-11806, CVE-2017-11807, CVE-2017-11808, CVE-2017-11811, CVE-2017-11812, CVE-2017-11821) - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11783) - A remote code execution vulnerability exists in Windows Domain Name System (DNS) DNSAPI.dll when it fails to properly handle DNS responses. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. (CVE-2017-11779) - A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2017-8717, CVE-2017-8718) - A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this vulnerability could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine. (CVE-2017-11823, CVE-2017-8715) - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2017-11817) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11793, CVE-2017-11810) - An Information disclosure vulnerability exists when Windows Search improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11772) - An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11794) - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2017-11824) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory via the Microsoft Windows Text Services Framework. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-8727) - An Security Feature bypass vulnerability exists in Microsoft Windows storage when it fails to validate an integrity-level check. An attacker who successfully exploited the vulnerability could allow an application with a certain integrity level to execute code at a different integrity level. The update addresses the vulnerability by correcting how Microsoft storage validates an integrity-level check. (CVE-2017-11818) - A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11771) - An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests. An authenticated attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server. (CVE-2017-11815) - A denial of service vulnerability exists in the Microsoft Server Block Message (SMB) when an attacker sends specially crafted requests to the server. An attacker who exploited this vulnerability could cause the affected system to crash. To attempt to exploit this issue, an attacker would need to send specially crafted SMB requests to the target system. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests. The security update addresses the vulnerability by correcting the manner in which SMB handles specially crafted client requests. (CVE-2017-11781) - An elevation of privilege vulnerability exists when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-8689, CVE-2017-8694) - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server. (CVE-2017-11780) - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-8693) - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2017-11816) - A remote code execution vulnerability exists in the way the scripting engine handle objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11809) - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2017-11785) - A denial of service vulnerability exists when Windows Subsystem for Linux improperly handles objects in memory. An attacker who successfully exploited this vulnerability could cause a denial of service against the local system. A attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how Windows Subsystem for Linux handles objects in memory. (CVE-2017-8703) - A remote code execution vulnerability exists in the way that certain Windows components handle the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11769) - A remote code execution vulnerability exists in the way affected Microsoft scripting engines render when handling objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-8726) - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11790) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11822) - A spoofing vulnerability exists in the Windows implementation of wireless networking. An attacker who successfully exploited this vulnerability could potentially replay broadcast and/or multicast traffic to hosts on a WPA or WPA 2-protected wireless network. (CVE-2017-13080)
    last seen 2018-09-01
    modified 2018-08-03
    plugin id 103745
    published 2017-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103745
    title KB4041676: Windows 10 Version 1703 October 2017 Cumulative Update (KRACK)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1200.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2016-10208 Sergej Schumilo and Ralf Spenneberg discovered that a crafted ext4 filesystem could trigger memory corruption when it is mounted. A user that can provide a device or filesystem image to be mounted could use this for denial of service (crash or data corruption) or possibly for privilege escalation. CVE-2017-8824 Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-dccp.conf install dccp false CVE-2017-8831 Pengfei Wang discovered that the saa7164 video capture driver re-reads data from a PCI device after validating it. A physically present user able to attach a specially designed PCI device could use this for privilege escalation. CVE-2017-12190 Vitaly Mayatskikh discovered that the block layer did not correctly count page references for raw I/O from user-space. This can be exploited by a guest VM with access to a host SCSI device for denial of service (memory exhaustion) or potentially for privilege escalation. CVE-2017-13080 A vulnerability was found in the WPA2 protocol that could lead to reinstallation of the same Group Temporal Key (GTK), which substantially reduces the security of wifi encryption. This is one of the issues collectively known as 'KRACK'. Updates to GTKs are usually handled by the wpa package, where this issue was already fixed (DLA-1150-1). However, some wifi devices can remain active and update GTKs autonomously while the system is suspended. The kernel must also check for and ignore key reinstallation. CVE-2017-14051 'shqking' reported that the qla2xxx SCSI host driver did not correctly validate I/O to the 'optrom' sysfs attribute of the devices it creates. This is unlikely to have any security impact. CVE-2017-15115 Vladis Dronov reported that the SCTP implementation did not correctly handle 'peel-off' of an association to another net namespace. This leads to a use-after-free, which a local user can exploit for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the sctp module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-sctp.conf install sctp false CVE-2017-15265 Michael23 Yu reported a race condition in the ALSA sequencer subsystem involving creation and deletion of ports, which could lead to a use-after-free. A local user with access to an ALSA sequencer device can use this for denial of service (crash or data loss) or possibly for privilege escalation. CVE-2017-15299 Eric Biggers discovered that the KEYS subsystem did not correctly handle update of an uninstantiated key, leading to a null dereference. A local user can use this for denial of service (crash). CVE-2017-15649 'nixioaming' reported a race condition in the packet socket (AF_PACKET) implementation involving rebinding to a fanout group, which could lead to a use-after-free. A local user with the CAP_NET_RAW capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation. CVE-2017-15868 Al Viro found that the Bluebooth Network Encapsulation Protocol (BNEP) implementation did not validate the type of the second socket passed to the BNEPCONNADD ioctl(), which could lead to memory corruption. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation. CVE-2017-16525 Andrey Konovalov reported that the USB serial console implementation did not correctly handle disconnection of unusual serial devices, leading to a use-after-free. A similar issue was found in the case where setup of a serial console fails. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or data corruption) or possibly for privilege escalation. CVE-2017-16527 Andrey Konovalov reported that the USB sound mixer driver did not correctly cancel I/O in case it failed to probe a device, which could lead to a use-after-free. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or data corruption) or possibly for privilege escalation. CVE-2017-16529 Andrey Konovalov reported that the USB sound driver did not fully validate descriptor lengths, which could lead to a buffer over-read. A physically present user with a specially designed USB device may be able to use this to cause a denial of service (crash). CVE-2017-16531 Andrey Konovalov reported that the USB core did not validate IAD lengths, which could lead to a buffer over-read. A physically present user with a specially designed USB device may be able to use this to cause a denial of service (crash). CVE-2017-16532 Andrey Konovalov reported that the USB test driver did not correctly handle devices with specific combinations of endpoints. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). CVE-2017-16533 Andrey Konovalov reported that the USB HID driver did not fully validate descriptor lengths, which could lead to a buffer over-read. A physically present user with a specially designed USB device may be able to use this to cause a denial of service (crash). CVE-2017-16535 Andrey Konovalov reported that the USB core did not validate BOS descriptor lengths, which could lead to a buffer over-read. A physically present user with a specially designed USB device may be able to use this to cause a denial of service (crash). CVE-2017-16536 Andrey Konovalov reported that the cx231xx video capture driver did not fully validate the device endpoint configuration, which could lead to a null dereference. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). CVE-2017-16537 Andrey Konovalov reported that the imon RC driver did not fully validate the device interface configuration, which could lead to a null dereference. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). CVE-2017-16643 Andrey Konovalov reported that the gtco tablet driver did not fully validate descriptor lengths, which could lead to a buffer over-read. A physically present user with a specially designed USB device may be able to use this to cause a denial of service (crash). CVE-2017-16649 Bjørn Mork found that the cdc_ether network driver did not validate the device's maximum segment size, potentially leading to a division by zero. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). CVE-2017-16939 Mohamed Ghannam reported (through Beyond Security's SecuriTeam Secure Disclosure program) that the IPsec (xfrm) implementation did not correctly handle some failure cases when dumping policy information through netlink. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation. CVE-2017-1000407 Andrew Honig reported that the KVM implementation for Intel processors allowed direct access to host I/O port 0x80, which is not generally safe. On some systems this allows a guest VM to cause a denial of service (crash) of the host. For Debian 7 'Wheezy', these problems have been fixed in version 3.2.96-2. This version also includes bug fixes from upstream versions up to and including 3.2.96. It also fixes some regressions caused by the fix for CVE-2017-1000364, which was included in DLA-993-1. We recommend that you upgrade your linux packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-07-06
    plugin id 105116
    published 2017-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105116
    title Debian DLA-1200-1 : linux security update (KRACK)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201711-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-201711-03 (hostapd and wpa_supplicant: Key Reinstallation (KRACK) attacks) WiFi Protected Access (WPA and WPA2) and it’s associated technologies are all vulnerable to the KRACK attacks. Please review the referenced CVE identifiers for details. Impact : An attacker can carry out the KRACK attacks on a wireless network in order to gain access to network clients. Once achieved, the attacker can potentially harvest confidential information (e.g. HTTP/HTTPS), inject malware, or perform a myriad of other attacks. Workaround : There is no known workaround at this time.
    last seen 2018-09-01
    modified 2018-01-29
    plugin id 104511
    published 2017-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104511
    title GLSA-201711-03 : hostapd and wpa_supplicant: Key Reinstallation (KRACK) attacks (KRACK)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2017-004.NASL
    description The remote host is running Mac OS X 10.11.6 or Mac OS X 10.12.6 and is missing a security update. It is therefore, affected by multiple vulnerabilities affecting the following components : - 802.1X - apache - AppleScript - ATS - Audio - CFString - CoreText - curl - Dictionary Widget - file - Fonts - fsck_msdos - HFS - Heimdal - HelpViewer - ImageIO - Kernel - libarchive - Open Scripting Architecture - PCRE - Postfix - Quick Look - QuickTime - Remote Management - Sandbox - StreamingZip - tcpdump - Wi-Fi
    last seen 2018-09-02
    modified 2018-07-14
    plugin id 104379
    published 2017-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104379
    title macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-001 and 2017-004)
  • NASL family CISCO
    NASL id CISCO-SA-20171016-WPA-ASA_WITH_FIREPOWER_SERVICES.NASL
    description According to its self-reported version, the Cisco ASA with FirePOWER Services is affected by multiple vulnerabilities related to the KRACK attack. Please see the included Cisco BIDs and the Cisco Security Advisory for more information.
    last seen 2018-09-01
    modified 2018-07-09
    plugin id 103856
    published 2017-10-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103856
    title Cisco ASA FirePOWER Services Multiple Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II (KRACK)
  • NASL family MacOS X Local Security Checks
    NASL id MACOS_10_13_1.NASL
    description The remote host is running a version of Mac OS X that is 10.13.x prior to 10.13.1. It is, therefore, affected by multiple vulnerabilities in the following components : - APFS - curl - Dictionary Widget - Kernel - StreamingZip - tcpdump - Wi-Fi Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2018-09-01
    modified 2018-07-14
    plugin id 104378
    published 2017-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104378
    title macOS 10.13.x < 10.13.1 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1163.NASL
    description This update for wpa_supplicant fixes the security issues : - Several vulnerabilities in standard conforming implementations of the WPA2 protocol have been discovered and published under the code name KRACK. This update remedies those issues in a backwards compatible manner, i.e. the updated wpa_supplicant can interface properly with both vulnerable and patched implementations of WPA2, but an attacker won't be able to exploit the KRACK weaknesses in those connections anymore even if the other party is still vulnerable. [bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088] This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2018-09-02
    modified 2018-01-29
    plugin id 104076
    published 2017-10-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104076
    title openSUSE Security Update : wpa_supplicant (openSUSE-2017-1163) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1201.NASL
    description This update for hostapd fixes the following issues : - Fix KRACK attacks on the AP side (boo#1063479, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088) : Hostap was updated to upstream release 2.6 - fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5314) - fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476) - extended channel switch support for VHT bandwidth changes - added support for configuring new ANQP-elements with anqp_elem=: - fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior) - added no_probe_resp_if_max_sta=1 parameter to disable Probe Response frame sending for not-associated STAs if max_num_sta limit has been reached - added option (-S as command line argument) to request all interfaces to be started at the same time - modified rts_threshold and fragm_threshold configuration parameters to allow -1 to be used to disable RTS/fragmentation - EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer) - fixed EAPOL reauthentication after FT protocol run - fixed FTIE generation for 4-way handshake after FT protocol run - fixed and improved various FST operations - TLS server - support SHA384 and SHA512 hashes - support TLS v1.2 signature algorithm with SHA384 and SHA512 - support PKCS #5 v2.0 PBES2 - support PKCS #5 with PKCS #12 style key decryption - minimal support for PKCS #12 - support OCSP stapling (including ocsp_multi) - added support for OpenSSL 1.1 API changes - drop support for OpenSSL 0.9.8 - drop support for OpenSSL 1.0.0 - EAP-PEAP: support fast-connect crypto binding - RADIUS - fix Called-Station-Id to not escape SSID - add Event-Timestamp to all Accounting-Request packets - add Acct-Session-Id to Accounting-On/Off - add Acct-Multi-Session-Id ton Access-Request packets - add Service-Type (= Frames) - allow server to provide PSK instead of passphrase for WPA-PSK Tunnel_password case - update full message for interim accounting updates - add Acct-Delay-Time into Accounting messages - add require_message_authenticator configuration option to require CoA/Disconnect-Request packets to be authenticated - started to postpone WNM-Notification frame sending by 100 ms so that the STA has some more time to configure the key before this frame is received after the 4-way handshake - VHT: added interoperability workaround for 80+80 and 160 MHz channels - extended VLAN support (per-STA vif, etc.) - fixed PMKID derivation with SAE - nl80211 - added support for full station state operations - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames - added initial MBO support; number of extensions to WNM BSS Transition Management - added initial functionality for location related operations - added assocresp_elements parameter to allow vendor specific elements to be added into (Re)Association Response frames - improved Public Action frame addressing - use Address 3 = wildcard BSSID in GAS response if a query from an unassociated STA used that address - fix TX status processing for Address 3 = wildcard BSSID - add gas_address3 configuration parameter to control Address 3 behavior - added command line parameter -i to override interface parameter in hostapd.conf - added command completion support to hostapd_cli - added passive client taxonomy determination (CONFIG_TAXONOMY=y compile option and 'SIGNATURE ' control interface command) - number of small fixes hostapd was updated to upstream release 2.5 - (CVE-2015-1863) is fixed in upstream release 2.5 - fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141 boo#930077) - fixed WMM Action frame parser [http://w1.fi/security/2015-3/] (CVE-2015-4142 boo#930078) - fixed EAP-pwd server missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, boo#930079) - fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/] - nl80211 : - fixed vendor command handling to check OUI properly - fixed hlr_auc_gw build with OpenSSL - hlr_auc_gw: allow Milenage RES length to be reduced - disable HT for a station that does not support WMM/QoS - added support for hashed password (NtHash) in EAP-pwd server - fixed and extended dynamic VLAN cases - added EAP-EKE server support for deriving Session-Id - set Acct-Session-Id to a random value to make it more likely to be unique even if the device does not have a proper clock - added more 2.4 GHz channels for 20/40 MHz HT co-ex scan - modified SAE routines to be more robust and PWE generation to be stronger against timing attacks - added support for Brainpool Elliptic Curves with SAE - increases maximum value accepted for cwmin/cwmax - added support for CCMP-256 and GCMP-256 as group ciphers with FT - added Fast Session Transfer (FST) module - removed optional fields from RSNE when using FT with PMF (workaround for interoperability issues with iOS 8.4) - added EAP server support for TLS session resumption - fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version) - added mechanism to track unconnected stations and do minimal band steering - number of small fixes
    last seen 2018-09-01
    modified 2017-12-21
    plugin id 104237
    published 2017-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104237
    title openSUSE Security Update : hostapd (openSUSE-2017-1201) (KRACK)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-2911.NASL
    description From Red Hat Security Advisory 2017:2911 : An update for wpa_supplicant is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. Security Fix(es) : * A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13087) Red Hat would like to thank CERT for reporting these issues. Upstream acknowledges Mathy Vanhoef (University of Leuven) as the original reporter of these issues.
    last seen 2018-09-02
    modified 2018-07-24
    plugin id 103955
    published 2017-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103955
    title Oracle Linux 6 : wpa_supplicant (ELSA-2017-2911) (KRACK)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS17_OCT_4041690.NASL
    description The remote Windows host is missing security update 4041679 or cumulative update 4041690. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory via the Microsoft Windows Text Services Framework. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-8727) - A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11771) - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2017-11824) - An elevation of privilege vulnerability exists when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-8694) - A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2017-8717, CVE-2017-8718) - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2017-11816) - An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests. An authenticated attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server. (CVE-2017-11815) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2017-11765, CVE-2017-11814) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11793, CVE-2017-11810) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11762, CVE-2017-11763) - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11790) - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2017-11817) - A denial of service vulnerability exists in the Microsoft Server Block Message (SMB) when an attacker sends specially crafted requests to the server. An attacker who exploited this vulnerability could cause the affected system to crash. To attempt to exploit this issue, an attacker would need to send specially crafted SMB requests to the target system. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests. The security update addresses the vulnerability by correcting the manner in which SMB handles specially crafted client requests. (CVE-2017-11781) - An Information disclosure vulnerability exists when Windows Search improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11772) - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server. (CVE-2017-11780) - A remote code execution vulnerability exists in Windows Domain Name System (DNS) DNSAPI.dll when it fails to properly handle DNS responses. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. (CVE-2017-11779) - An Security Feature bypass vulnerability exists in Microsoft Windows storage when it fails to validate an integrity-level check. An attacker who successfully exploited the vulnerability could allow an application with a certain integrity level to execute code at a different integrity level. The update addresses the vulnerability by correcting how Microsoft storage validates an integrity-level check. (CVE-2017-11818) - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2017-11784, CVE-2017-11785) - A spoofing vulnerability exists in the Windows implementation of wireless networking. An attacker who successfully exploited this vulnerability could potentially replay broadcast and/or multicast traffic to hosts on a WPA or WPA 2-protected wireless network. (CVE-2017-13080)
    last seen 2018-09-01
    modified 2018-08-03
    plugin id 103748
    published 2017-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103748
    title Windows Server 2012 October 2017 Security Updates (KRACK)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-F45E844A85.NASL
    description Fix the for the Key Reinstallation Attacks ========================================== - hostapd: Avoid key reinstallation in FT handshake (CVE-2017-13082) - Fix PTK rekeying to generate a new ANonce - Prevent reinstallation of an already in-use group key and extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases (CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088) - Prevent installation of an all-zero TK - TDLS: Reject TPK-TK reconfiguration - WNM: Ignore WNM-Sleep Mode Response without pending request - FT: Do not allow multiple Reassociation Response frames Upstream advisory: https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-me ssages.txt Details and the paper: https://www.krackattacks.com/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-02-02
    plugin id 106004
    published 2018-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106004
    title Fedora 27 : 1:wpa_supplicant (2017-f45e844a85) (KRACK)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-12E76E8364.NASL
    description Fix the for the Key Reinstallation Attacks ========================================== - hostapd: Avoid key reinstallation in FT handshake (CVE-2017-13082) - Fix PTK rekeying to generate a new ANonce - Prevent reinstallation of an already in-use group key and extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases (CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088) - Prevent installation of an all-zero TK - TDLS: Reject TPK-TK reconfiguration - WNM: Ignore WNM-Sleep Mode Response without pending request - FT: Do not allow multiple Reassociation Response frames Upstream advisory: https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-me ssages.txt Details and the paper: https://www.krackattacks.com/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-02-02
    plugin id 103884
    published 2017-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103884
    title Fedora 25 : 1:wpa_supplicant (2017-12e76e8364) (KRACK)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZLSA-2017-2907.NASL
    description An update for wpa_supplicant is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. Security Fix(es) : * A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) Red Hat would like to thank CERT for reporting these issues. Upstream acknowledges Mathy Vanhoef (University of Leuven) as the original reporter of these issues. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 104581
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104581
    title Virtuozzo 7 : wpa_supplicant (VZLSA-2017-2907)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3145-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_40 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104952
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104952
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3145-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3123-1.NASL
    description This update for the Linux Kernel 3.12.61-52_83 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104874
    published 2017-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104874
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3123-1) (KRACK)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_D670A953B2A111E7A633009C02A2AB30.NASL
    description wpa_supplicant developers report : A vulnerability was found in how a number of implementations can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 103862
    published 2017-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103862
    title FreeBSD : WPA packet number reuse with replayed messages and key reinstallation (d670a953-b2a1-11e7-a633-009c02a2ab30) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2920-1.NASL
    description The SUSE Linux Enterprise 12 GA LTS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388). - CVE-2015-9004: kernel/events/core.c in the Linux kernel mishandled counter grouping, which allowed local users to gain privileges via a crafted application, related to the perf_pmu_register and perf_event_open functions (bnc#1037306). - CVE-2016-10229: udp.c in the Linux kernel allowed remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag (bnc#1032268). - CVE-2016-9604: The handling of keyrings starting with '.' in KEYCTL_JOIN_SESSION_KEYRING, which could have allowed local users to manipulate privileged keyrings, was fixed (bsc#1035576) - CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary (can happen due to bootloader vulns, e.g. Google Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has partial control over the command line) can overflow the parport_nr array in the following code, by appending many (>LP_NO) 'lp=none' arguments to the command line (bnc#1039456). - CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation. (bnc#1039354). - CVE-2017-1000380: sound/core/timer.c in the Linux kernel is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time (bnc#1044125). - CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152). - CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact (bnc#1048275). - CVE-2017-12153: A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel This function did not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash (bnc#1058410). - CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel did not ensure that the 'CR8-load exiting' and 'CR8-store exiting' L0 vmcs02 controls exist in cases where L1 omits the 'use TPR shadow' vmcs12 control, which allowed KVM L2 guest OS users to obtain read and write access to the hardware CR8 register (bnc#1058507). - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. (bnc#1053148). - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667). - CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588). - CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982). - CVE-2017-14140: The move_pages system call in mm/migrate.c in the Linux kernel doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR (bnc#1057179). - CVE-2017-15265: Use-after-free vulnerability in the Linux kernel allowed local users to have unspecified impact via vectors related to /dev/snd/seq (bnc#1062520). - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192 (bnc#1045327). - CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c (bnc#1030593). - CVE-2017-6951: The keyring_search_aux function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the 'dead' type (bnc#1029850). - CVE-2017-7482: A potential memory corruption was fixed in decoding of krb5 principals in the kernels kerberos handling. (bnc#1046107). - CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bnc#1038879). - CVE-2017-7518: The Linux kernel was vulnerable to an incorrect debug exception(#DB) error. It could occur while emulating a syscall instruction and potentially lead to guest privilege escalation. (bsc#1045922). - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645). - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-7889: The mm subsystem in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allowed local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c (bnc#1034405). - CVE-2017-8106: The handle_invept function in arch/x86/kvm/vmx.c in the Linux kernel 3.12 allowed privileged KVM guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a single-context INVEPT instruction with a NULL EPT pointer (bnc#1035877). - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bnc#1038544). - CVE-2017-8924: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (bnc#1037182 bsc#1038982). - CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (bnc#1037183 bsc#1038981). - CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882). - CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039883). - CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885). - CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1040069). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104374
    published 2017-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104374
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2920-1) (KRACK) (Stack Clash)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-0040-1.NASL
    description The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. This update adds mitigations for various side channel attacks against modern CPUs that could disclose content of otherwise unreadable memory (bnc#1068032). - CVE-2017-5753: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use attacker controllable speculative execution over code patterns in the Linux Kernel to leak content from otherwise not readable memory in the same address space, allowing retrieval of passwords, cryptographic keys and other secrets. This problem is mitigated by adding speculative fencing on affected code paths throughout the Linux kernel. - CVE-2017-5715: Local attackers on systems with modern CPUs featuring branch prediction could use mispredicted branches to speculatively execute code patterns that in turn could be made to leak other non-readable content in the same address space, an attack similar to CVE-2017-5753. This problem is mitigated by disabling predictive branches, depending on CPU architecture either by firmware updates and/or fixes in the user-kernel privilege boundaries. Please contact your CPU / hardware vendor for potential microcode or BIOS updates needed for this fix. As this feature can have a performance impact, it can be disabled using the 'nospec' kernel commandline option. - CVE-2017-5754: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use code patterns in userspace to speculative executive code that would read otherwise read protected memory, an attack similar to CVE-2017-5753. This problem is mitigated by unmapping the Linux Kernel from the user address space during user code execution, following a approach called 'KAISER'. The terms used here are 'KAISER' / 'Kernel Address Isolation' and 'PTI' / 'Page Table Isolation'. This feature is disabled on unaffected architectures. This feature can be enabled / disabled by the 'pti=[on|off|auto]' or 'nopti' commandline options. The following security bugs were fixed : - CVE-2017-1000251: The native Bluetooth stack in the Linux Kernel (BlueZ) was vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space (bnc#1057389). - CVE-2017-11600: net/xfrm/xfrm_policy.c in the Linux kernel did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bnc#1050231). - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667). - CVE-2017-13167: An elevation of privilege vulnerability in the kernel sound timer was fixed. (bnc#1072876). - CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982). - CVE-2017-14140: The move_pages system call in mm/migrate.c in the Linux kernel didn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR (bnc#1057179). - CVE-2017-14340: The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux kernel did not verify that a filesystem has a realtime device, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory (bnc#1058524). - CVE-2017-15102: The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel allowed local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference (bnc#1066705). - CVE-2017-15115: The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel did not check whether the intended netns is used in a peel-off action, which allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls (bnc#1068671). - CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c (bnc#1062520). - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192 (bnc#1045327). - CVE-2017-15868: The bnep_add_connection function in net/bluetooth/bnep/core.c in the Linux kernel did not ensure that an l2cap socket is available, which allowed local users to gain privileges via a crafted application (bnc#1071470). - CVE-2017-16525: The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup (bnc#1066618). - CVE-2017-16527: sound/usb/mixer.c in the Linux kernel allowed local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066625). - CVE-2017-16529: The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066650). - CVE-2017-16531: drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor (bnc#1066671). - CVE-2017-16534: The cdc_parse_cdc_header function in drivers/usb/core/message.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066693). - CVE-2017-16535: The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066700). - CVE-2017-16536: The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066606). - CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066573). - CVE-2017-16538: drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel allowed local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device, related to a missing warm-start check and incorrect attach timing (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner) (bnc#1066569). - CVE-2017-16649: The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel allowed local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067085). - CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bnc#1069702 1069708). - CVE-2017-17450: net/netfilter/xt_osf.c in the Linux kernel did not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allowed local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces (bnc#1071695 1074033). - CVE-2017-17558: The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel did not consider the maximum number of configurations and interfaces before attempting to release resources, which allowed local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device (bnc#1072561). - CVE-2017-17805: The Salsa20 encryption algorithm in the Linux kernel did not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable (bnc#1073792). - CVE-2017-17806: The HMAC implementation (crypto/hmac.c) in the Linux kernel did not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack-based buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization (bnc#1073874). - CVE-2017-7472: The KEYS subsystem in the Linux kernel allowed local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls (bnc#1034862). - CVE-2017-8824: The dccp_disconnect function in net/dccp/proto.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state (bnc#1070771). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 105685
    published 2018-01-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105685
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2018:0040-1) (BlueBorne) (KRACK) (Meltdown) (Spectre)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3999.NASL
    description Mathy Vanhoef of the imec-DistriNet research group of KU Leuven discovered multiple vulnerabilities in the WPA protocol, used for authentication in wireless networks. Those vulnerabilities apply to both the access point (implemented in hostapd) and the station (implemented in wpa_supplicant). An attacker exploiting the vulnerabilities could force the vulnerable system to reuse cryptographic session keys, enabling a range of cryptographic attacks against the ciphers used in WPA1 and WPA2. More information can be found in the researchers's paper, Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. - CVE-2017-13077 : reinstallation of the pairwise key in the Four-way handshake - CVE-2017-13078 : reinstallation of the group key in the Four-way handshake - CVE-2017-13079 : reinstallation of the integrity group key in the Four-way handshake - CVE-2017-13080 : reinstallation of the group key in the Group Key handshake - CVE-2017-13081 : reinstallation of the integrity group key in the Group Key handshake - CVE-2017-13082 : accepting a retransmitted Fast BSS Transition Reassociation Request and reinstalling the pairwise key while processing it - CVE-2017-13086 : reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake - CVE-2017-13087 : reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame - CVE-2017-13088 : reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 103859
    published 2017-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103859
    title Debian DSA-3999-1 : wpa - security update (KRACK)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1150.NASL
    description A vulnerability was found in how WPA code can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys. Such reinstallation of the encryption key can result in two different types of vulnerabilities: disabling replay protection and significantly reducing the security of encryption to the point of allowing frames to be decrypted or some parts of the keys to be determined by an attacker depending on which cipher is used. Those issues are commonly known under the 'KRACK' appelation. According to US-CERT, 'the impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others.' CVE-2017-13077 Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake. CVE-2017-13078 Reinstallation of the group key (GTK) in the 4-way handshake. CVE-2017-13079 Reinstallation of the integrity group key (IGTK) in the 4-way handshake. CVE-2017-13080 Reinstallation of the group key (GTK) in the group key handshake. CVE-2017-13081 Reinstallation of the integrity group key (IGTK) in the group key handshake. CVE-2017-13082 Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it. CVE-2017-13084 Reinstallation of the STK key in the PeerKey handshake. CVE-2017-13086 reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake. CVE-2017-13087 reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame. CVE-2017-13088 reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame. For Debian 7 'Wheezy', these problems have been fixed in version 1.0-3+deb7u5. Note that the latter two vulnerabilities (CVE-2017-13087 and CVE-2017-13088) were mistakenly marked as fixed in the changelog whereas they simply did not apply to the 1.0 version of the WPA source code, which doesn't implement WNM sleep mode responses. We recommend that you upgrade your wpa packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-07-06
    plugin id 104299
    published 2017-11-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104299
    title Debian DLA-1150-1 : wpa security update (KRACK)
  • NASL family Firewalls
    NASL id SCREENOS_JSA10827_KRACK.NASL
    description The version of Juniper ScreenOS installed on the remote host is affected by multiple vulnerabilities related to the KRACK attacks. This may allow an attacker to decrypt, replay, and forge some frames on a WPA2 encrypted network. Note that Juniper's products do not support Fast BSS Transition Reassociation and PeerKey Handshake so are Not Vulnerable to CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, or CVE-2017-13088.
    last seen 2018-09-02
    modified 2018-07-30
    plugin id 105654
    published 2018-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105654
    title Juniper ScreenOS 6.3 SSG-5 and SSG-20 (KRACK)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS17_OCT_4042895.NASL
    description The remote Windows host is missing security update 4042895. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2017-11765, CVE-2017-11814) - An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-8726) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11762, CVE-2017-11763) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11798, CVE-2017-11799, CVE-2017-11800, CVE-2017-11802, CVE-2017-11804, CVE-2017-11808, CVE-2017-11811) - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11783) - A remote code execution vulnerability exists in Windows Domain Name System (DNS) DNSAPI.dll when it fails to properly handle DNS responses. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. (CVE-2017-11779) - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2017-11784, CVE-2017-11785) - A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2017-8717, CVE-2017-8718) - A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this vulnerability could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine. (CVE-2017-11823, CVE-2017-8715) - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2017-11817) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11793, CVE-2017-11810) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11809) - An Information disclosure vulnerability exists when Windows Search improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11772) - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2017-11824) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory via the Microsoft Windows Text Services Framework. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-8727) - An Security Feature bypass vulnerability exists in Microsoft Windows storage when it fails to validate an integrity-level check. An attacker who successfully exploited the vulnerability could allow an application with a certain integrity level to execute code at a different integrity level. The update addresses the vulnerability by correcting how Microsoft storage validates an integrity-level check. (CVE-2017-11818) - A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11771) - An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests. An authenticated attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server. (CVE-2017-11815) - A spoofing vulnerability exists in the Windows implementation of wireless networking. An attacker who successfully exploited this vulnerability could potentially replay broadcast and/or multicast traffic to hosts on a WPA or WPA 2-protected wireless network. Multiple conditions would need to be met in order for an attacker to exploit the vulnerability the attacker would need to be within the physical proximity of the targeted user, and the user's computer would need to have wireless networking enabled. The attacker would then need to execute a man-in-the-middle (MitM) attack to intercept traffic between the target computer and wireless access point. The security update addresses the vulnerability by changing how Windows verifies wireless group key handshakes. (CVE-2017-13080) - A denial of service vulnerability exists in the Microsoft Server Block Message (SMB) when an attacker sends specially crafted requests to the server. An attacker who exploited this vulnerability could cause the affected system to crash. To attempt to exploit this issue, an attacker would need to send specially crafted SMB requests to the target system. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests. The security update addresses the vulnerability by correcting the manner in which SMB handles specially crafted client requests. (CVE-2017-11781) - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server. (CVE-2017-11780) - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-8693) - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2017-11816) - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-8689, CVE-2017-8694) - A remote code execution vulnerability exists in the way that certain Windows components handle the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11769) - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11790) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11822)
    last seen 2018-09-01
    modified 2018-08-03
    plugin id 104384
    published 2017-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104384
    title KB4042895: Windows 10 October 2017 Cumulative Update (KRACK)
  • NASL family Misc.
    NASL id UBNT_UNIFI_KRACK.NASL
    description According to its self-reported version, the remote networking device is running a version of UniFi OS prior to 3.9.3.7537. It, therefore, vulnerable to multiple vulnerabilities discovered in the WPA2 handshake protocol.
    last seen 2018-09-01
    modified 2018-08-03
    plugin id 103875
    published 2017-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103875
    title Ubiquiti Networks UniFi < 3.9.3.7537 (KRACK)
  • NASL family Firewalls
    NASL id FORTIOS_FG-IR-17-196.NASL
    description The remote host is running FortiOS prior to 5.2, 5.2.x prior to or equal to 5.2.11, 5.4.x prior to or equal 5.4.5, or 5.6.x prior to or equal to 5.6.2. It is, therefore, affected by multiple vulnerabilities discovered in the WPA2 handshake protocol. Note these issues affect only WiFi model devices in 'Wifi Client' mode.
    last seen 2018-09-01
    modified 2018-07-12
    plugin id 103873
    published 2017-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103873
    title Fortinet FortiGate < 5.2 / 5.2.x <= 5.2.11 / 5.4.x <= 5.4.5 / 5.6.x <= 5.6.2 Multiple Vulnerabilities (FG-IR-17-196) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3158-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_60 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104964
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104964
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3158-1) (KRACK)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS17_OCT_WIN2008.NASL
    description The remote Windows host is missing multiple security updates released on 2017/10/10. It is, therefore, affected by multiple vulnerabilities : - A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. (CVE-2017-0250) - A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11771) - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2017-11824) - An elevation of privilege vulnerability exists when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-8689, CVE-2017-8694) - A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2017-8717, CVE-2017-8718) - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2017-11816) - An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests. An authenticated attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server. (CVE-2017-11815) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2017-11765, CVE-2017-11814) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11793, CVE-2017-11810) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11762, CVE-2017-11763) - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11790) - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2017-11817) - A denial of service vulnerability exists in the Microsoft Server Block Message (SMB) when an attacker sends specially crafted requests to the server. An attacker who exploited this vulnerability could cause the affected system to crash. To attempt to exploit this issue, an attacker would need to send specially crafted SMB requests to the target system. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests. The security update addresses the vulnerability by correcting the manner in which SMB handles specially crafted client requests. (CVE-2017-11781) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11822) - An Information disclosure vulnerability exists when Windows Search improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11772) - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server. (CVE-2017-11780) - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2017-11784, CVE-2017-11785) - A spoofing vulnerability exists in the Windows implementation of wireless networking. An attacker who successfully exploited this vulnerability could potentially replay broadcast and/or multicast traffic to hosts on a WPA or WPA 2-protected wireless network. (CVE-2017-13080)
    last seen 2018-09-19
    modified 2018-09-17
    plugin id 103816
    published 2017-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103816
    title Windows 2008 October 2017 Multiple Security Updates (KRACK)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS17_OCT_4041681.NASL
    description The remote Windows host is missing security update 4041678 or cumulative update 4041681. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11813, CVE-2017-11822) - A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11771) - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2017-11824) - An elevation of privilege vulnerability exists when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-8689, CVE-2017-8694) - A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2017-8717, CVE-2017-8718) - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2017-11816) - An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests. An authenticated attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server. (CVE-2017-11815) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2017-11765, CVE-2017-11814) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11793, CVE-2017-11810) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11762, CVE-2017-11763) - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11790) - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2017-11817) - A denial of service vulnerability exists in the Microsoft Server Block Message (SMB) when an attacker sends specially crafted requests to the server. An attacker who exploited this vulnerability could cause the affected system to crash. To attempt to exploit this issue, an attacker would need to send specially crafted SMB requests to the target system. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests. The security update addresses the vulnerability by correcting the manner in which SMB handles specially crafted client requests. (CVE-2017-11781) - An Information disclosure vulnerability exists when Windows Search improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11772) - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server. (CVE-2017-11780) - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2017-11784, CVE-2017-11785) - A spoofing vulnerability exists in the Windows implementation of wireless networking. An attacker who successfully exploited this vulnerability could potentially replay broadcast and/or multicast traffic to hosts on a WPA or WPA 2-protected wireless network. (CVE-2017-13080)
    last seen 2018-09-02
    modified 2018-08-03
    plugin id 103746
    published 2017-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103746
    title Windows 7 and Windows Server 2008 R2 October 2017 Security Updates (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3265-1.NASL
    description The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-16649: The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel allowed local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067085). - CVE-2017-16535: The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066700). - CVE-2017-15102: The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel allowed local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference (bnc#1066705). - CVE-2017-16531: drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor (bnc#1066671). - CVE-2017-16529: The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066650). - CVE-2017-16525: The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup (bnc#1066618). - CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066573). - CVE-2017-16536: The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066606). - CVE-2017-16527: sound/usb/mixer.c in the Linux kernel allowed local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066625). - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667). - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192 (bnc#1045327). - CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c (bnc#1062520). - CVE-2017-14489: The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel allowed local users to cause a denial of service (panic) by leveraging incorrect length validation (bnc#1059051). - CVE-2017-14340: The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux kernel did not verify that a filesystem has a realtime device, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory (bnc#1058524). - CVE-2017-14140: The move_pages system call in mm/migrate.c in the Linux kernel doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR (bnc#1057179). - CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588). - CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152). - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. (bnc#1053148). - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994). - CVE-2017-1000112: An exploitable memory corruption due to UFO to non-UFO path switch was fixed. (bnc#1052311 bnc#1052365). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 105172
    published 2017-12-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105172
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2017:3265-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3153-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_45 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104960
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104960
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3153-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3154-1.NASL
    description This update for the Linux Kernel 3.12.61-52_66 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104961
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104961
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3154-1) (KRACK)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-2911.NASL
    description An update for wpa_supplicant is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. Security Fix(es) : * A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13087) Red Hat would like to thank CERT for reporting these issues. Upstream acknowledges Mathy Vanhoef (University of Leuven) as the original reporter of these issues.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 103946
    published 2017-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103946
    title CentOS 6 : wpa_supplicant (CESA-2017:2911) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3149-1.NASL
    description This update for the Linux Kernel 3.12.61-52_72 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104956
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104956
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3149-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3127-1.NASL
    description This update for the Linux Kernel 3.12.69-60_64_35 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104877
    published 2017-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104877
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3127-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3147-1.NASL
    description This update for the Linux Kernel 3.12.67-60_64_24 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104954
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104954
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3147-1) (KRACK)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2911.NASL
    description An update for wpa_supplicant is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. Security Fix(es) : * A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13087) Red Hat would like to thank CERT for reporting these issues. Upstream acknowledges Mathy Vanhoef (University of Leuven) as the original reporter of these issues.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 103958
    published 2017-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103958
    title RHEL 6 : wpa_supplicant (RHSA-2017:2911) (KRACK)
  • NASL family Firewalls
    NASL id JUNIPER_JSA10827_KRACK.NASL
    description The version of Juniper Junos OS installed on the remote host is affected by multiple vulnerabilities related to the KRACK attacks. This may allow an attacker to decrypt, replay, and forge some frames on a WPA2 encrypted network. Note that Juniper's products do not support Fast BSS Transition Reassociation and PeerKey Handshake so are Not Vulnerable to CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, or CVE-2017-13088.
    last seen 2018-09-02
    modified 2018-07-13
    plugin id 105653
    published 2018-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105653
    title Junos OS 12.1X46 SRX 210, 240, 650 series firewalls (KRACK)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1241.NASL
    description According to the versions of the wpa_supplicant package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) - Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients.(CVE-2017-13079) - Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients.(CVE-2017-13081) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-11-15
    modified 2018-11-14
    plugin id 104576
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104576
    title EulerOS 2.0 SP1 : wpa_supplicant (EulerOS-SA-2017-1241)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1242.NASL
    description According to the versions of the wpa_supplicant package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) - Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients.(CVE-2017-13079) - Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients.(CVE-2017-13081) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-11-15
    modified 2018-11-14
    plugin id 104577
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104577
    title EulerOS 2.0 SP2 : wpa_supplicant (EulerOS-SA-2017-1242)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3130-1.NASL
    description This update for the Linux Kernel 3.12.67-60_64_18 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104878
    published 2017-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104878
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3130-1) (KRACK)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1573.NASL
    description Several vulnerabilities have been discovered in the firmware for Broadcom BCM43xx wifi chips that may lead to a privilege escalation or loss of confidentiality. CVE-2016-0801 Broadgate Team discovered flaws in packet processing in the Broadcom wifi firmware and proprietary drivers that could lead to remote code execution. However, this vulnerability is not believed to affect the drivers used in Debian. CVE-2017-0561 Gal Beniamini of Project Zero discovered a flaw in the TDLS implementation in Broadcom wifi firmware. This could be exploited by an attacker on the same WPA2 network to execute code on the wifi microcontroller. CVE-2017-9417 / #869639 Nitay Artenstein of Exodus Intelligence discovered a flaw in the WMM implementation in Broadcom wifi firmware. This could be exploited by a nearby attacker to execute code on the wifi microcontroller. CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081 Mathy Vanhoef of the imec-DistriNet research group of KU Leuven discovered multiple vulnerabilities in the WPA protocol used for authentication in wireless networks, dubbed 'KRACK'. An attacker exploiting the vulnerabilities could force the vulnerable system to reuse cryptographic session keys, enabling a range of cryptographic attacks against the ciphers used in WPA1 and WPA2. These vulnerabilities are only being fixed for certain Broadcom wifi chips, and might still be present in firmware for other wifi hardware. For Debian 8 'Jessie', these problems have been fixed in version 20161130-4~deb8u1. This version also adds new firmware and packages for use with Linux 4.9, and re-adds firmware-{adi,ralink} as transitional packages. We recommend that you upgrade your firmware-nonfree packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-11-14
    modified 2018-11-13
    plugin id 118888
    published 2018-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118888
    title Debian DLA-1573-1 : firmware-nonfree security update (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3160-1.NASL
    description This update for the Linux Kernel 3.12.61-52_69 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104965
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104965
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3160-1) (KRACK)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-2907.NASL
    description An update for wpa_supplicant is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. Security Fix(es) : * A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) Red Hat would like to thank CERT for reporting these issues. Upstream acknowledges Mathy Vanhoef (University of Leuven) as the original reporter of these issues.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 103881
    published 2017-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103881
    title CentOS 7 : wpa_supplicant (CESA-2017:2907) (KRACK)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZLSA-2017-2911.NASL
    description An update for wpa_supplicant is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. Security Fix(es) : * A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13087) Red Hat would like to thank CERT for reporting these issues. Upstream acknowledges Mathy Vanhoef (University of Leuven) as the original reporter of these issues. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-11-29
    modified 2018-11-27
    plugin id 119233
    published 2018-11-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119233
    title Virtuozzo 6 : wpa_supplicant (VZLSA-2017-2911)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2745-1.NASL
    description This update for wpa_supplicant fixes the security issues : - Several vulnerabilities in standard conforming implementations of the WPA2 protocol have been discovered and published under the code name KRACK. This update remedies those issues in a backwards compatible manner, i.e. the updated wpa_supplicant can interface properly with both vulnerable and patched implementations of WPA2, but an attacker won't be able to exploit the KRACK weaknesses in those connections anymore even if the other party is still vulnerable. [bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 103917
    published 2017-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103917
    title SUSE SLED12 / SLES12 Security Update : wpa_supplicant (SUSE-SU-2017:2745-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3151-1.NASL
    description This update for the Linux Kernel 3.12.60-52_63 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104958
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104958
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3151-1) (KRACK)
  • NASL family Windows
    NASL id INTEL_SA_00101_WLAN.NASL
    description The Intel wireless network adapter driver installed on the remote host is affected by multiple vulnerabilities in the WPA2 protocol.
    last seen 2018-09-01
    modified 2018-07-13
    plugin id 103870
    published 2017-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103870
    title Intel Wireless Driver Wi-Fi Protected Access II (WPA2) Multiple Vulnerabilities (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3118-1.NASL
    description This update for the Linux Kernel 3.12.69-60_64_32 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104872
    published 2017-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104872
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3118-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2908-1.NASL
    description The SUSE Linux Enterprise 12 SP1 LTS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388). - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667). - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192 (bnc#1045327). - CVE-2017-15265: Use-after-free vulnerability in the Linux kernel allowed local users to have unspecified impact via vectors related to /dev/snd/seq (bnc#1062520). - CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation. (bnc#1039354). - CVE-2017-12153: A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel This function did not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash (bnc#1058410). - CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel did not ensure that the 'CR8-load exiting' and 'CR8-store exiting' L0 vmcs02 controls exist in cases where L1 omits the 'use TPR shadow' vmcs12 control, which allowed KVM L2 guest OS users to obtain read and write access to the hardware CR8 register (bnc#1058507). - CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982). - CVE-2017-14140: The move_pages system call in mm/migrate.c in the Linux kernel doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR (bnc#1057179). - CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588). - CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152). - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. (bnc#1053148). - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994). - CVE-2017-7482: A potential memory corruption was fixed in decoding of krb5 principals in the kernels kerberos handling. (bnc#1046107). - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact (bnc#1048275). - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645). - CVE-2017-7518: The Linux kernel was vulnerable to an incorrect debug exception(#DB) error. It could occur while emulating a syscall instruction and potentially lead to guest privilege escalation. (bsc#1045922). - CVE-2017-8924: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (bnc#1037182 bsc#1038982). - CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (bnc#1037183 bsc#1038981). - CVE-2017-1000380: sound/core/timer.c in the Linux kernel was vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents might have been disclosed when a read and an ioctl happen at the same time (bnc#1044125). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431). - CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary (could happen due to bootloader vulns, e.g. Google Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has partial control over the command line) could overflow the parport_nr array in the following code, by appending many (>LP_NO) 'lp=none' arguments to the command line (bnc#1039456). - CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885). - CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1040069). - CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039883). - CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882). - CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bnc#1038879). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bnc#1038544). - CVE-2017-7889: The mm subsystem in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allowed local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c (bnc#1034405). The following new features were implemented : - the r8152 network driver was updated to support Realtek RTL8152/RTL8153 Based USB Ethernet Adapters (fate#321482) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104271
    published 2017-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104271
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2908-1) (KRACK) (Stack Clash)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3150-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_48 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104957
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104957
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3150-1) (KRACK)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2907.NASL
    description An update for wpa_supplicant is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. Security Fix(es) : * A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) Red Hat would like to thank CERT for reporting these issues. Upstream acknowledges Mathy Vanhoef (University of Leuven) as the original reporter of these issues.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 103916
    published 2017-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103916
    title RHEL 7 : wpa_supplicant (RHSA-2017:2907) (KRACK)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-2907.NASL
    description From Red Hat Security Advisory 2017:2907 : An update for wpa_supplicant is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. Security Fix(es) : * A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) Red Hat would like to thank CERT for reporting these issues. Upstream acknowledges Mathy Vanhoef (University of Leuven) as the original reporter of these issues.
    last seen 2018-09-01
    modified 2018-07-24
    plugin id 103914
    published 2017-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103914
    title Oracle Linux 7 : wpa_supplicant (ELSA-2017-2907) (KRACK)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS17_OCT_4041691.NASL
    description The remote Windows host is missing security update 4041691. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2017-11765, CVE-2017-11814) - An elevation of privilege vulnerability exists when the Windows Update Delivery Optimization does not properly enforce file share permissions. An attacker who successfully exploited the vulnerability could overwrite files that require higher privileges than what the attacker already has. (CVE-2017-11829) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11762, CVE-2017-11763) - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11783) - A remote code execution vulnerability exists in Windows Domain Name System (DNS) DNSAPI.dll when it fails to properly handle DNS responses. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. (CVE-2017-11779) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11798, CVE-2017-11799, CVE-2017-11800, CVE-2017-11802, CVE-2017-11804, CVE-2017-11808, CVE-2017-11811, CVE-2017-11812) - A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2017-8717, CVE-2017-8718) - A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this vulnerability could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine. (CVE-2017-11823, CVE-2017-8715) - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2017-11817) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11793, CVE-2017-11810) - An elevation of privilege vulnerability exists in the default Windows SMB Server configuration which allows anonymous users to remotely access certain named pipes that are also configured to allow anonymous access to users who are logged on locally. An unauthenticated attacker who successfully exploits this configuration error could remotely send specially crafted requests to certain services that accept requests via named pipes. (CVE-2017-11782) - An Information disclosure vulnerability exists when Windows Search improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11772) - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2017-11824) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory via the Microsoft Windows Text Services Framework. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-8727) - An Security Feature bypass vulnerability exists in Microsoft Windows storage when it fails to validate an integrity-level check. An attacker who successfully exploited the vulnerability could allow an application with a certain integrity level to execute code at a different integrity level. The update addresses the vulnerability by correcting how Microsoft storage validates an integrity-level check. (CVE-2017-11818) - A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11771) - An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests. An authenticated attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server. (CVE-2017-11815) - A denial of service vulnerability exists in the Microsoft Server Block Message (SMB) when an attacker sends specially crafted requests to the server. An attacker who exploited this vulnerability could cause the affected system to crash. To attempt to exploit this issue, an attacker would need to send specially crafted SMB requests to the target system. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests. The security update addresses the vulnerability by correcting the manner in which SMB handles specially crafted client requests. (CVE-2017-11781) - An elevation of privilege vulnerability exists when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-8689, CVE-2017-8694) - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server. (CVE-2017-11780) - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-8693) - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2017-11816) - A remote code execution vulnerability exists in the way the scripting engine handle objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11809) - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2017-11785) - A remote code execution vulnerability exists in the way that certain Windows components handle the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11769) - A remote code execution vulnerability exists in the way affected Microsoft scripting engines render when handling objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-8726) - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11790) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11822) - A spoofing vulnerability exists in the Windows implementation of wireless networking. An attacker who successfully exploited this vulnerability could potentially replay broadcast and/or multicast traffic to hosts on a WPA or WPA 2-protected wireless network. (CVE-2017-13080)
    last seen 2018-09-01
    modified 2018-08-03
    plugin id 103749
    published 2017-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103749
    title KB4041691: Windows 10 Version 1607 and Windows Server 2016 October 2017 Cumulative Update (KRACK)
  • NASL family Firewalls
    NASL id PFSENSE_2_3_5.NASL
    description According to its self-reported version number, the remote pfSense install is affected by multiple vulnerabilities as stated in the referenced vendor advisories.
    last seen 2018-12-10
    modified 2018-12-07
    plugin id 109037
    published 2018-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109037
    title pfSense < 2.3.5 Multiple Vulnerabilities (KRACK)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3455-1.NASL
    description Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly handled WPA2. A remote attacker could use this issue with key reinstallation attacks to obtain sensitive information. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled invalid characters in passphrase parameters. A remote attacker could use this issue to cause a denial of service. (CVE-2016-4476) Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled invalid characters in passphrase parameters. A local attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. (CVE-2016-4477). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 103863
    published 2017-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103863
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : wpa vulnerabilities (USN-3455-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3119-1.NASL
    description This update for the Linux Kernel 3.12.61-52_89 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104873
    published 2017-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104873
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3119-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3132-1.NASL
    description This update for the Linux Kernel 3.12.61-52_92 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104880
    published 2017-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104880
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3132-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3103-1.NASL
    description This update for the Linux Kernel 3.12.61-52_80 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104805
    published 2017-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104805
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3103-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3157-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_54 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104963
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104963
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3157-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3117-1.NASL
    description This update for the Linux Kernel 3.12.60-52_60 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104871
    published 2017-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104871
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3117-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3131-1.NASL
    description This update for the Linux Kernel 3.12.69-60_64_29 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104879
    published 2017-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104879
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3131-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3125-1.NASL
    description This update for the Linux Kernel 3.12.61-52_86 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104876
    published 2017-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104876
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3125-1) (KRACK)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3505-1.NASL
    description Mathy Vanhoef discovered that the firmware for several Intel WLAN devices incorrectly handled WPA2 in relation to Wake on WLAN. A remote attacker could use this issue with key reinstallation attacks to obtain sensitive information. (CVE-2017-13080, CVE-2017-13081). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 105038
    published 2017-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105038
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : linux-firmware vulnerabilities (USN-3505-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3148-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_57 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104955
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104955
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3148-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2869-1.NASL
    description The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.90 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000252: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c (bnc#1058038). - CVE-2017-10810: Memory leak in the virtio_gpu_object_create function in drivers/gpu/drm/virtio/virtgpu_object.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering object-initialization failures (bnc#1047277). - CVE-2017-11472: The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel did not flush the operand cache and causes a kernel stack dump, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table (bnc#1049580). - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603). - CVE-2017-12134: The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation (bnc#1051790 bnc#1053919). - CVE-2017-12153: A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel This function did not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash (bnc#1058410). - CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel did not ensure that the 'CR8-load exiting' and 'CR8-store exiting' L0 vmcs02 controls exist in cases where L1 omits the 'use TPR shadow' vmcs12 control, which allowed KVM L2 guest OS users to obtain read and write access to the hardware CR8 register (bnc#1058507). - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667). - CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588). - CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982). - CVE-2017-14489: The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel allowed local users to cause a denial of service (panic) by leveraging incorrect length validation (bnc#1059051). - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388). - CVE-2017-7518: The Linux kernel was vulnerable to an incorrect debug exception(#DB) error. It could occur while emulating a syscall instruction and potentially lead to guest privilege escalation. (bsc#1045922). - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645). - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104253
    published 2017-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104253
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2869-1) (KRACK)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS17_OCT_4041689.NASL
    description The remote Windows host is missing security update 4041689. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2017-11765, CVE-2017-11814) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11762, CVE-2017-11763) - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11783) - A remote code execution vulnerability exists in Windows Domain Name System (DNS) DNSAPI.dll when it fails to properly handle DNS responses. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. (CVE-2017-11779) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11798, CVE-2017-11799, CVE-2017-11800, CVE-2017-11802, CVE-2017-11804, CVE-2017-11808, CVE-2017-11811, CVE-2017-11812) - A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2017-8717, CVE-2017-8718) - A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this vulnerability could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine. (CVE-2017-11823, CVE-2017-8715) - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2017-11817) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11793, CVE-2017-11810) - An Information disclosure vulnerability exists when Windows Search improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11772) - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2017-11824) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory via the Microsoft Windows Text Services Framework. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-8727) - An Security Feature bypass vulnerability exists in Microsoft Windows storage when it fails to validate an integrity-level check. An attacker who successfully exploited the vulnerability could allow an application with a certain integrity level to execute code at a different integrity level. The update addresses the vulnerability by correcting how Microsoft storage validates an integrity-level check. (CVE-2017-11818) - A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11771) - An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests. An authenticated attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server. (CVE-2017-11815) - A denial of service vulnerability exists in the Microsoft Server Block Message (SMB) when an attacker sends specially crafted requests to the server. An attacker who exploited this vulnerability could cause the affected system to crash. To attempt to exploit this issue, an attacker would need to send specially crafted SMB requests to the target system. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests. The security update addresses the vulnerability by correcting the manner in which SMB handles specially crafted client requests. (CVE-2017-11781) - An elevation of privilege vulnerability exists when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-8689, CVE-2017-8694) - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server. (CVE-2017-11780) - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-8693) - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2017-11816) - A remote code execution vulnerability exists in the way the scripting engine handle objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11809) - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2017-11785) - A remote code execution vulnerability exists in the way that certain Windows components handle the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11769) - A remote code execution vulnerability exists in the way affected Microsoft scripting engines render when handling objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-8726) - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11790) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11822) - A spoofing vulnerability exists in the Windows implementation of wireless networking. An attacker who successfully exploited this vulnerability could potentially replay broadcast and/or multicast traffic to hosts on a WPA or WPA 2-protected wireless network. (CVE-2017-13080)
    last seen 2018-09-01
    modified 2018-08-03
    plugin id 103747
    published 2017-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103747
    title KB4041689: Windows 10 Version 1511 October 2017 Cumulative Update (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3152-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_51 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104959
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104959
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3152-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2752-1.NASL
    description This update for wpa_supplicant fixes the following issues : - Several vulnerabilities in standard conforming implementations of the WPA2 protocol have been discovered and published under the code name KRACK. This update remedies those issues in a backwards compatible manner, i.e. the updated wpa_supplicant can interface properly with both vulnerable and patched implementations of WPA2, but an attacker won't be able to exploit the KRACK weaknesses in those connections anymore even if the other party is still vulnerable. [bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 103920
    published 2017-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103920
    title SUSE SLES11 Security Update : wpa_supplicant (SUSE-SU-2017:2752-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3124-1.NASL
    description This update for the Linux Kernel 3.12.67-60_64_21 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104875
    published 2017-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104875
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3124-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3146-1.NASL
    description This update for the Linux Kernel 3.12.61-52_77 fixes several issues. The following security issues were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bsc#1064392) - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bsc#1063671, bsc#1066472, bsc#1066471) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104953
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104953
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3146-1) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2847-1.NASL
    description The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.92 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000252: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c (bnc#1058038). - CVE-2017-11472: The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel did not flush the operand cache and causes a kernel stack dump, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table (bnc#1049580). - CVE-2017-12134: The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation (bnc#1051790 bsc#1053919). - CVE-2017-12153: A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel This function did not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash (bnc#1058410). - CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel did not ensure that the 'CR8-load exiting' and 'CR8-store exiting' L0 vmcs02 controls exist in cases where L1 omits the 'use TPR shadow' vmcs12 control, which allowed KVM L2 guest OS users to obtain read and write access to the hardware CR8 register (bnc#1058507). - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1056061 1063479 1063667 1063671). - CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588). - CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982). - CVE-2017-14489: The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel allowed local users to cause a denial of service (panic) by leveraging incorrect length validation (bnc#1059051). - CVE-2017-15265: Use-after-free vulnerability in the Linux kernel before 4.14-rc5 allowed local users to have unspecified impact via vectors related to /dev/snd/seq (bnc#1062520). - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 104171
    published 2017-10-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104171
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2847-1) (KRACK)
  • NASL family Misc.
    NASL id MIKROTIK_KRACK.NASL
    description According to its self-reported version, the remote networking device is running a version of MikroTik 6.9.X prior to 6.39.3, 6.40.x < 6.40.4, or 6.41rc. It, therefore, vulnerable to multiple vulnerabilities discovered in the WPA2 handshake protocol.
    last seen 2018-09-01
    modified 2018-07-16
    plugin id 103857
    published 2017-10-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103857
    title MikroTik RouterOS < 6.39.3 / 6.40.4 / 6.41rc (KRACK)
  • NASL family Misc.
    NASL id ARUBAOS_KRACK.NASL
    description The version of ArubaOS on the remote device is affected by multiple vulnerabilities related to the KRACK attacks. This may allow an attacker to decrypt, replay, and forge some frames on a WPA2 encrypted network. Note: ArbuaOS devices are only vulnerable to CVE-2017-13077, CVE-2017-13078,CVE-2017-13079, CVE-2017-13080, and CVE-2017-13081 while operating as a Wi-Fi supplicant in Mesh mode.
    last seen 2018-11-16
    modified 2018-11-15
    plugin id 103855
    published 2017-10-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103855
    title ArubaOS WPA2 Key Reinstallation Vulnerabilities (KRACK)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS17_OCT_4041693.NASL
    description The remote Windows host is missing security update 4041687 or cumulative update 4041693. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory via the Microsoft Windows Text Services Framework. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-8727) - A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11771) - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2017-11824) - An elevation of privilege vulnerability exists when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-8689, CVE-2017-8694) - A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2017-8717, CVE-2017-8718) - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2017-11816) - An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests. An authenticated attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server. (CVE-2017-11815) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2017-11765, CVE-2017-11814) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11793, CVE-2017-11810) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11762, CVE-2017-11763) - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11790) - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2017-11817) - A denial of service vulnerability exists in the Microsoft Server Block Message (SMB) when an attacker sends specially crafted requests to the server. An attacker who exploited this vulnerability could cause the affected system to crash. To attempt to exploit this issue, an attacker would need to send specially crafted SMB requests to the target system. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests. The security update addresses the vulnerability by correcting the manner in which SMB handles specially crafted client requests. (CVE-2017-11781) - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11783) - An Information disclosure vulnerability exists when Windows Search improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11772) - An Security Feature bypass vulnerability exists in Microsoft Windows storage when it fails to validate an integrity-level check. An attacker who successfully exploited the vulnerability could allow an application with a certain integrity level to execute code at a different integrity level. The update addresses the vulnerability by correcting how Microsoft storage validates an integrity-level check. (CVE-2017-11818) - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server. (CVE-2017-11780) - A remote code execution vulnerability exists in Windows Domain Name System (DNS) DNSAPI.dll when it fails to properly handle DNS responses. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. (CVE-2017-11779) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11813, CVE-2017-11822) - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2017-11784, CVE-2017-11785) - A spoofing vulnerability exists in the Windows implementation of wireless networking. An attacker who successfully exploited this vulnerability could potentially replay broadcast and/or multicast traffic to hosts on a WPA or WPA 2-protected wireless network. (CVE-2017-13080)
    last seen 2018-09-01
    modified 2018-08-03
    plugin id 103750
    published 2017-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103750
    title Windows 8.1 and Windows Server 2012 R2 October 2017 Security Updates (KRACK)
  • NASL family Misc.
    NASL id APPLETV_11_1.NASL
    description According to its banner, the version of Apple TV on the remote device is prior to 11.1. It is, therefore, affected by multiple vulnerabilities as described in the HT208219 security advisory. Note that only 4th and 5th generation models are affected by these vulnerabilities.
    last seen 2018-12-15
    modified 2018-12-14
    plugin id 104387
    published 2017-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104387
    title Apple TV < 11.1 Multiple Vulnerabilities
redhat via4
advisories
  • rhsa
    id RHSA-2017:2907
  • rhsa
    id RHSA-2017:2911
rpms
  • wpa_supplicant-1:2.6-5.el7_4.1
  • wpa_supplicant-1:0.7.3-9.el6_9.2
refmap via4
bid 101274
cert-vn VU#228519
cisco 20171016 Multiple Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II
confirm
debian DSA-3999
freebsd FreeBSD-SA-17:07
gentoo GLSA-201711-03
misc
mlist
  • [debian-lts-announce] 20171210 [SECURITY] [DLA 1200-1] linux security update
  • [debian-lts-announce] 20181113 [SECURITY] [DLA 1573-1] firmware-nonfree security update
sectrack
  • 1039572
  • 1039573
  • 1039576
  • 1039577
  • 1039578
  • 1039581
  • 1039585
  • 1039703
suse
  • SUSE-SU-2017:2745
  • SUSE-SU-2017:2752
  • openSUSE-SU-2017:2755
ubuntu USN-3455-1
the hacker news via4
Last major update 17-10-2017 - 09:29
Published 17-10-2017 - 09:29
Last modified 13-11-2018 - 06:29
Back to Top