ID CVE-2017-7294
Summary The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6 does not validate addition of certain levels data, which allows local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device.
References
Vulnerable Configurations
  • Linux Kernel 4.10.6
    cpe:2.3:o:linux:linux_kernel:4.10.6
CVSS
Base: 7.2 (as of 30-03-2017 - 13:51)
Impact:
Exploitability:
CWE CWE-190
CAPEC
  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-562.NASL
    description The openSUSE Leap 42.1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-7618: crypto/ahash.c in the Linux kernel allowed attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue (bnc#1033340). - CVE-2016-10318: A missing authorization check in the fscrypt_process_policy function in fs/crypto/policy.c in the ext4 and f2fs filesystem encryption support in the Linux kernel allowed a user to assign an encryption policy to a directory owned by a different user, potentially creating a denial of service (bnc#1032435). - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bnc#1033336). - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579). - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003). - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440). - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052). - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213). The following non-security bugs were fixed : - ata: ahci_xgene: free structure returned by acpi_get_object_info() (bsc#1033518). - doc/README.SUSE: update links to KMP manual - ext4: do not perform data journaling when data is encrypted (bsc#1012876). - ext4: fix use-after-iput when fscrypt contexts are inconsistent (bsc#1012829). - ext4: mark inode dirty after converting inline directory (bsc#1012876). - ext4: reject inodes with negative size (bsc#1012876). - fs, seqfile: always allow oom killer (bsc#1012876). - ipv6: make ECMP route replacement less greedy (bsc#930399). - l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6 (bsc#1028415). - mm: filemap: do not plant shadow entries without radix tree node (bsc#1012876). - netfilter: allow logging from non-init namespaces (bsc#970083). - nfsd4: minor NFSv2/v3 write decoding cleanup (bsc#1034670 CVE#2017-7645). - nfsd: check for oversized NFSv2/v3 arguments (bsc#1034670 CVE#2017-7645). - nfsd: stricter decoding of write-like NFSv2/v3 ops (bsc#1034670 CVE#2017-7645).
    last seen 2018-09-01
    modified 2018-05-18
    plugin id 100044
    published 2017-05-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100044
    title openSUSE Security Update : the Linux Kernel (openSUSE-2017-562)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-532.NASL
    description The openSUSE Leap 42.2 kernel was updated to 4.4.62 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-7618: crypto/ahash.c in the Linux kernel allowed attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue (bnc#1033340). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bnc#986362). - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bnc#986365). - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bnc#1033336). - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003). - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579). - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440). - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052). - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213). - CVE-2017-7374: Use-after-free vulnerability in fs/crypto/ in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely (bnc#1032006). The following non-security bugs were fixed : - acpi, nfit: fix acpi_nfit_flush_probe() crash (bsc#1031717). - acpi, nfit: fix extended status translations for ACPI DSMs (bsc#1031717). - arm64: hugetlb: fix the wrong address for several functions (bsc#1032681). - arm64: hugetlb: fix the wrong return value for huge_ptep_set_access_flags (bsc#1032681). - arm64: hugetlb: remove the wrong pmd check in find_num_contig() (bsc#1032681). - arm64: Use full path in KBUILD_IMAGE definition (bsc#1010032). - arm: Use full path in KBUILD_IMAGE definition (bsc#1010032). - blacklist.conf: 73667e31a153 x86/hyperv: Hide unused label - blacklist.conf: Add ed10858 ('scsi: smartpqi: fix time handling') to blacklist - blacklist.conf: blacklist 9770404a which was subsequently reverted - blacklist.conf: Blacklist f2fs fix - blacklist.conf: Blacklist unneeded commit, because of a partial backport. - blacklist.conf: Split SP2 and SP3 entries to ease merging - blacklist: Fix blacklisting of 0c313cb20732 - block: copy NOMERGE flag from bio to request (bsc#1030070). - bonding: fix 802.3ad aggregator reselection (bsc#1029514). - btrfs: add transaction space reservation tracepoints (bsc#1012452). - btrfs: allow unlink to exceed subvolume quota (bsc#1019614). - btrfs: avoid uninitialized variable warning (bsc#1012452). - btrfs: __btrfs_buffered_write: Reserve/release extents aligned to block size (bsc#1012452). - btrfs: btrfs_ioctl_clone: Truncate complete page after performing clone operation (bsc#1012452). - btrfs: btrfs_page_mkwrite: Reserve space in sectorsized units (bsc#1012452). - btrfs: btrfs_submit_direct_hook: Handle map_length < bio vector length (bsc#1012452). - btrfs: change how we update the global block rsv (bsc#1012452). - btrfs: Change qgroup_meta_rsv to 64bit (bsc#1019614). - btrfs: check reserved when deciding to background flush (bsc#1012452). - btrfs: Clean pte corresponding to page straddling i_size (bsc#1012452). - btrfs: Compute and look up csums based on sectorsized blocks (bsc#1012452). - btrfs: csum_tree_block: return proper errno value (bsc#1012452). - btrfs: device add and remove: use GFP_KERNEL (bsc#1012452). - btrfs: Direct I/O read: Work on sectorsized blocks (bsc#1012452). - btrfs: do not write corrupted metadata blocks to disk (bsc#1012452). - btrfs: extent same: use GFP_KERNEL for page array allocations (bsc#1012452). - btrfs: fallback to vmalloc in btrfs_compare_tree (bsc#1012452). - btrfs: fallocate: use GFP_KERNEL (bsc#1012452). - btrfs: fallocate: Work with sectorsized blocks (bsc#1012452). - btrfs: Fix block size returned to user space (bsc#1012452). - btrfs: fix build warning (bsc#1012452). - btrfs: fix delalloc accounting after copy_from_user faults (bsc#1012452). - btrfs: fix extent_same allowing destination offset beyond i_size (bsc#1012452). - btrfs: fix handling of faults from btrfs_copy_from_user (bsc#1012452). - btrfs: fix invalid reference in replace_path (bsc#1012452). - btrfs: fix listxattrs not listing all xattrs packed in the same item (bsc#1012452). - btrfs: fix lockdep deadlock warning due to dev_replace (bsc#1012452). - btrfs: fix truncate_space_check (bsc#1012452). - btrfs: Improve FL_KEEP_SIZE handling in fallocate (bsc#1012452). - btrfs: let callers of btrfs_alloc_root pass gfp flags (bsc#1012452). - btrfs: Limit inline extents to root->sectorsize (bsc#1012452). - btrfs: make sure we stay inside the bvec during __btrfs_lookup_bio_sums (bsc#1012452). - btrfs: Output more info for enospc_debug mount option (bsc#1012452). - btrfs: Print Warning only if ENOSPC_DEBUG is enabled (bsc#1012452). - btrfs: qgroups: Retry after commit on getting EDQUOT (bsc#1019614). - btrfs: reada: add all reachable mirrors into reada device list (bsc#1012452). - btrfs: reada: Add missed segment checking in reada_find_zone (bsc#1012452). - btrfs: reada: Avoid many times of empty loop (bsc#1012452). - btrfs: reada: avoid undone reada extents in btrfs_reada_wait (bsc#1012452). - btrfs: reada: bypass adding extent when all zone failed (bsc#1012452). - btrfs: reada: Fix a debug code typo (bsc#1012452). - btrfs: reada: Fix in-segment calculation for reada (bsc#1012452). - btrfs: reada: ignore creating reada_extent for a non-existent device (bsc#1012452). - btrfs: reada: Jump into cleanup in direct way for __readahead_hook() (bsc#1012452). - btrfs: reada: limit max works count (bsc#1012452). - btrfs: reada: Move is_need_to_readahead contition earlier (bsc#1012452). - btrfs: reada: move reada_extent_put to place after __readahead_hook() (bsc#1012452). - btrfs: reada: Pass reada_extent into __readahead_hook directly (bsc#1012452). - btrfs: reada: reduce additional fs_info->reada_lock in reada_find_zone (bsc#1012452). - btrfs: reada: Remove level argument in severial functions (bsc#1012452). - btrfs: reada: simplify dev->reada_in_flight processing (bsc#1012452). - btrfs: reada: Use fs_info instead of root in __readahead_hook's argument (bsc#1012452). - btrfs: reada: use GFP_KERNEL everywhere (bsc#1012452). - btrfs: readdir: use GFP_KERNEL (bsc#1012452). - btrfs: remove redundant error check (bsc#1012452). - btrfs: Reset IO error counters before start of device replacing (bsc#1012452). - btrfs: scrub: use GFP_KERNEL on the submission path (bsc#1012452). - btrfs: Search for all ordered extents that could span across a page (bsc#1012452). - btrfs: send: use GFP_KERNEL everywhere (bsc#1012452). - btrfs: switch to kcalloc in btrfs_cmp_data_prepare (bsc#1012452). - btrfs: Use (eb->start, seq) as search key for tree modification log (bsc#1012452). - btrfs: use proper type for failrec in extent_state (bsc#1012452). - ceph: fix recursively call between ceph_set_acl and __ceph_setattr (bsc#1034902). - cgroup/pids: remove spurious suspicious RCU usage warning (bnc#1031831). - cxgb4: Add control net_device for configuring PCIe VF (bsc#1021424). - cxgb4: Add llseek operation for flash debugfs entry (bsc#1021424). - cxgb4: add new routine to get adapter info (bsc#1021424). - cxgb4: Add PCI device ID for new adapter (bsc#1021424). - cxgb4: Add port description for new cards (bsc#1021424). - cxgb4: Add support to enable logging of firmware mailbox commands (bsc#1021424). - cxgb4: Check for firmware errors in the mailbox command loop (bsc#1021424). - cxgb4: correct device ID of T6 adapter (bsc#1021424). - cxgb4/cxgb4vf: Add set VF mac address support (bsc#1021424). - cxgb4/cxgb4vf: Allocate more queues for 25G and 100G adapter (bsc#1021424). - cxgb4/cxgb4vf: Assign netdev->dev_port with port ID (bsc#1021424). - cxgb4/cxgb4vf: Display 25G and 100G link speed (bsc#1021424). - cxgb4/cxgb4vf: Remove deprecated module parameters (bsc#1021424). - cxgb4: DCB message handler needs to use correct portid to netdev mapping (bsc#1021424). - cxgb4: Decode link down reason code obtained from firmware (bsc#1021424). - cxgb4: Do not assume FW_PORT_CMD reply is always port info msg (bsc#1021424). - cxgb4: do not call napi_hash_del() (bsc#1021424). - cxgb4: Do not sleep when mbox cmd is issued from interrupt context (bsc#1021424). - cxgb4: Enable SR-IOV configuration via PCI sysfs interface (bsc#1021424). - cxgb4: Fix issue while re-registering VF mgmt netdev (bsc#1021424). - cxgb4: MU requested by Chelsio (bsc#1021424). - cxgb4: Properly decode port module type (bsc#1021424). - cxgb4: Refactor t4_port_init function (bsc#1021424). - cxgb4: Reset dcb state machine and tx queue prio only if dcb is enabled (bsc#1021424). - cxgb4: Support compressed error vector for T6 (bsc#1021424). - cxgb4: Synchronize access to mailbox (bsc#1021424). - cxgb4: update latest firmware version supported (bsc#1021424). - device-dax: fix private mapping restriction, permit read-only (bsc#1031717). - drivers: hv: util: do not forget to init host_ts.lock (bsc#1031206). - drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg() (fate#320485, bsc#1023287, bsc#1028217). - drm/i915: Fix crash after S3 resume with DP MST mode change (bsc#1029634). - drm/i915: Introduce Kabypoint PCH for Kabylake H/DT (bsc#1032581). - drm/i915: Only enable hotplug interrupts if the display interrupts are enabled (bsc#1031717). - ext4: fix use-after-iput when fscrypt contexts are inconsistent (bsc#1012829). - hid: usbhid: Quirk a AMI virtual mouse and keyboard with ALWAYS_POLL (bsc#1022340). - hv: export current Hyper-V clocksource (bsc#1031206). - hv_utils: implement Hyper-V PTP source (bsc#1031206). - ibmvnic: Allocate number of rx/tx buffers agreed on by firmware (fate#322021, bsc#1031512). - ibmvnic: Call napi_disable instead of napi_enable in failure path (fate#322021, bsc#1031512). - ibmvnic: Correct ibmvnic handling of device open/close (fate#322021, bsc#1031512). - ibmvnic: Fix endian errors in error reporting output (fate#322021, bsc#1031512). - ibmvnic: Fix endian error when requesting device capabilities (fate#322021, bsc#1031512). - ibmvnic: Fix initial MTU settings (bsc#1031512). - ibmvnic: Fix overflowing firmware/hardware TX queue (fate#322021, bsc#1031512). - ibmvnic: Free tx/rx scrq pointer array when releasing sub-crqs (fate#322021, bsc#1031512). - ibmvnic: Handle processing of CRQ messages in a tasklet (fate#322021, bsc#1031512). - ibmvnic: Initialize completion variables before starting work (fate#322021, bsc#1031512). - ibmvnic: Make CRQ interrupt tasklet wait for all capabilities crqs (fate#322021, bsc#1031512). - ibmvnic: Move ibmvnic adapter intialization to its own routine (fate#322021, bsc#1031512). - ibmvnic: Move login and queue negotiation into ibmvnic_open (fate#322021, bsc#1031512). - ibmvnic: Move login to its own routine (fate#322021, bsc#1031512). - ibmvnic: Use common counter for capabilities checks (fate#322021, bsc#1031512). - ibmvnic: use max_mtu instead of req_mtu for MTU range check (bsc#1031512). - iommu/vt-d: Make sure IOMMUs are off when intel_iommu=off (bsc#1031208). - iscsi-target: Return error if unable to add network portal (bsc#1032803). - kABI: restore ttm_ref_object_add parameters (kabi). - kgr: Mark eeh_event_handler() kthread safe using a timeout (bsc#1031662). - kvm: svm: add support for RDTSCP (bsc#1033117). - l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6 (bsc#1028415). - libcxgb: add library module for Chelsio drivers (bsc#1021424). - libnvdimm, pfn: fix memmap reservation size versus 4K alignment (bsc#1031717). - locking/semaphore: Add down_interruptible_timeout() (bsc#1031662). - md: handle read-only member devices better (bsc#1033281). - mem-hotplug: fix node spanned pages when we have a movable node (bnc#1034671). - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bnc#1030118). - mm/memblock.c: fix memblock_next_valid_pfn() (bnc#1031200). - mm: page_alloc: skip over regions of invalid pfns where possible (bnc#1031200). - netfilter: allow logging from non-init namespaces (bsc#970083). - net: ibmvnic: Remove unused net_stats member from struct ibmvnic_adapter (fate#322021, bsc#1031512). - nfs: flush out dirty data on file fput() (bsc#1021762). - nvme: Delete created IO queues on reset (bsc#1031717). - overlayfs: compat, fix incorrect dentry use in ovl_rename2 (bsc#1032400). - overlayfs: compat, use correct dentry to detect compat mode in ovl_compat_is_whiteout (bsc#1032400). - ping: implement proper locking (bsc#1031003). - powerpc/fadump: Reserve memory at an offset closer to bottom of RAM (bsc#1032141). - powerpc/fadump: Update fadump documentation (bsc#1032141). - Revert 'btrfs: qgroup: Move half of the qgroup accounting time out of' (bsc#1017461 bsc#1033885). - Revert 'btrfs: qgroup: Move half of the qgroup accounting time out of' This reverts commit f69c1d0f6254c73529a48fd2f87815d047ad7288. - Revert 'Revert 'btrfs: qgroup: Move half of the qgroup accounting time' This reverts commit 8567943ca56d937acfc417947cba917de653b09c. - sbp-target: Fix second argument of percpu_ida_alloc() (bsc#1032803). - scsi: cxgb4i: libcxgbi: cxgb4: add T6 iSCSI completion feature (bsc#1021424). - scsi_error: count medium access timeout only once per EH run (bsc#993832, bsc#1032345). - scsi: ipr: do not set DID_PASSTHROUGH on CHECK CONDITION (bsc#1034419). - scsi: ipr: Driver version 2.6.4 (bsc#1031555, fate#321595). - scsi: ipr: Error path locking fixes (bsc#1031555, fate#321595). - scsi: ipr: Fix abort path race condition (bsc#1031555, fate#321595). - scsi: ipr: Fix missed EH wakeup (bsc#1031555, fate#321595). - scsi: ipr: Fix SATA EH hang (bsc#1031555, fate#321595). - scsi: ipr: Remove redundant initialization (bsc#1031555, fate#321595). - scsi_transport_fc: do not call queue_work under lock (bsc#1013887). - scsi_transport_fc: fixup race condition in fc_rport_final_delete() (bsc#1013887). - scsi_transport_fc: return -EBUSY for deleted vport (bsc#1013887). - sysfs: be careful of error returns from ops->show() (bsc#1028883). - thp: fix MADV_DONTNEED vs. numa balancing race (bnc#1027974). - thp: reduce indentation level in change_huge_pmd() (bnc#1027974). - tpm: fix checks for policy digest existence in tpm2_seal_trusted() (bsc#1034048, Pending fixes 2017-04-10). - tpm: fix RC value check in tpm2_seal_trusted (bsc#1034048, Pending fixes 2017-04-10). - tpm: fix: set continueSession attribute for the unseal operation (bsc#1034048, Pending fixes 2017-04-10). - vmxnet3: segCnt can be 1 for LRO packets (bsc#988065). - x86/CPU/AMD: Fix Zen SMT topology (bsc#1027512). - x86/ioapic: Change prototype of acpi_ioapic_add() (bsc#1027153, bsc#1027616). - x86/ioapic: Fix incorrect pointers in ioapic_setup_resources() (bsc#1027153, bsc#1027616). - x86/ioapic: Fix IOAPIC failing to request resource (bsc#1027153, bsc#1027616). - x86/ioapic: fix kABI (hide added include) (bsc#1027153, bsc#1027616). - x86/ioapic: Fix lost IOAPIC resource after hot-removal and hotadd (bsc#1027153, bsc#1027616). - x86/ioapic: Fix setup_res() failing to get resource (bsc#1027153, bsc#1027616). - x86/ioapic: Ignore root bridges without a companion ACPI device (bsc#1027153, bsc#1027616). - x86/ioapic: Simplify ioapic_setup_resources() (bsc#1027153, bsc#1027616). - x86/ioapic: Support hot-removal of IOAPICs present during boot (bsc#1027153, bsc#1027616). - x86/mce: Fix copy/paste error in exception table entries (fate#319858). - x86/platform/uv: Fix calculation of Global Physical Address (bsc#1031147). - x86/ras/therm_throt: Do not log a fake MCE for thermal events (bsc#1028027). - xen: Use machine addresses in /sys/kernel/vmcoreinfo when PV (bsc#1014136) - xgene_enet: remove bogus forward declarations (bsc#1032673).
    last seen 2018-09-01
    modified 2018-05-18
    plugin id 99927
    published 2017-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99927
    title openSUSE Security Update : the Linux Kernel (openSUSE-2017-532)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0011.NASL
    description An update of [krb5,linux] packages for PhotonOS has been released.
    last seen 2018-09-19
    modified 2018-09-17
    plugin id 111860
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111860
    title Photon OS 1.0: Krb5 / Linux PHSA-2017-0011
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-1062.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power) * kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important) * kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important) * Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important) * kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important) * kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate) * kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate) * kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate) * kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate) * kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate) * kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate) * kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate) * kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate) * kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate) * kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate) * kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate) * kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate) * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate) * kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate) * Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate) * kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate) * kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate) * kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate) * kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low) Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633; Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat). For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 109380
    published 2018-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109380
    title CentOS 7 : kernel (CESA-2018:1062)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-922.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts. CVE-2016-2188 Ralf Spenneberg of OpenSource Security reported that the iowarrior device driver did not sufficiently validate USB descriptors. This allowed a physically present user with a specially designed USB device to cause a denial of service (crash). CVE-2016-9604 It was discovered that the keyring subsystem allowed a process to set a special internal keyring as its session keyring. The security impact in this version of the kernel is unknown. CVE-2016-10200 Baozeng Ding and Andrey Konovalov reported a race condition in the L2TP implementation which could corrupt its table of bound sockets. A local user could use this to cause a denial of service (crash) or possibly for privilege escalation. CVE-2017-2647 / CVE-2017-6951 idl3r reported that the keyring subsystem would allow a process to search for 'dead' keys, causing a NULL pointer dereference. A local user could use this to cause a denial of service (crash). CVE-2017-2671 Daniel Jiang discovered a race condition in the ping socket implementation. A local user with access to ping sockets could use this to cause a denial of service (crash) or possibly for privilege escalation. This feature is not accessible to any users by default. CVE-2017-5967 Xing Gao reported that the /proc/timer_list file showed information about all processes, not considering PID namespaces. If timer debugging was enabled by a privileged user, this leaked information to processes contained in PID namespaces. CVE-2017-5970 Andrey Konovalov discovered a denial of service flaw in the IPv4 networking code. This can be triggered by a local or remote attacker if a local UDP or raw socket has the IP_RETOPTS option enabled. CVE-2017-7184 Chaitin Security Research Lab discovered that the net xfrm subsystem did not sufficiently validate replay state parameters, allowing a heap buffer overflow. This can be used by a local user with the CAP_NET_ADMIN capability for privilege escalation. CVE-2017-7261 Vladis Dronov and Murray McAllister reported that the vmwgfx driver did not sufficiently validate rendering surface parameters. In a VMware guest, this can be used by a local user to cause a denial of service (crash). CVE-2017-7273 Benoit Camredon reported that the hid-cypress driver did not sufficiently validate HID reports. This possibly allowed a physically present user with a specially designed USB device to cause a denial of service (crash). CVE-2017-7294 Li Qiang reported that the vmwgfx driver did not sufficiently validate rendering surface parameters. In a VMware guest, this can be used by a local user to cause a denial of service (crash) or possibly for privilege escalation. CVE-2017-7308 Andrey Konovalov reported that the packet socket (AF_PACKET) implementation did not sufficiently validate buffer parameters. This can be used by a local user with the CAP_NET_RAW capability for privilege escalation. CVE-2017-7472 Eric Biggers reported that the keyring subsystem allowed a thread to create new thread keyrings repeatedly, causing a memory leak. This can be used by a local user to cause a denial of service (memory exhaustion). CVE-2017-7616 Chris Salls reported an information leak in the 32-bit big-endian compatibility implementations of set_mempolicy() and mbind(). This does not affect any architecture supported in Debian 7 LTS. CVE-2017-7618 Sabrina Dubroca reported that the cryptographic hash subsystem does not correctly handle submission of unaligned data to a device that is already busy, resulting in infinite recursion. On some systems this can be used by local users to cause a denial of service (crash). For Debian 7 'Wheezy', these problems have been fixed in version 3.2.88-1. This version also includes bug fixes from upstream version 3.2.88, and fixes some older security issues in the keyring, packet socket and cryptographic hash subsystems that do not have CVE IDs. For Debian 8 'Jessie', most of these problems have been fixed in version 3.16.43-1 which will be part of the next point release. We recommend that you upgrade your linux packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-07-09
    plugin id 99733
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99733
    title Debian DLA-922-1 : linux security update
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3343-2.NASL
    description USN 3343-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM. USN 3335-2 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. This update addresses the issue. We apologize for the inconvenience. It was discovered that a use-after-free vulnerability in the core voltage regulator driver of the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2014-9940) It was discovered that a buffer overflow existed in the trace subsystem in the Linux kernel. A privileged local attacker could use this to execute arbitrary code. (CVE-2017-0605) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) Li Qiang discovered that an integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7294) It was discovered that a double-free vulnerability existed in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack in the Linux kernel was performing its over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-15
    plugin id 101153
    published 2017-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101153
    title Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-3343-2)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3291-3.NASL
    description USN-3291-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7187) It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261) Li Qiang discovered that an integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7294) It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 100267
    published 2017-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100267
    title Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3291-3)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3293-1.NASL
    description Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596) Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7187) It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261) Li Qiang discovered that an integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7294) Jason Donenfeld discovered a heap overflow in the MACsec module in the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7477) It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 100255
    published 2017-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100255
    title Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3293-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0676.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important) * kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important) * Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important) * kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important) * kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate) * kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate) * kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate) * kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate) * kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate) * kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate) * kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate) * kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate) * kernel: Incorrect handling in arch/x86/include/asm/ mmu_context.h:init_new_context function allowing use-after-free (CVE-2017-17053, Moderate) * kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate) * kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate) * kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate) * kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate) * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate) * kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate) * Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate) * kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate) * kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate) * kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate) * kernel: unlimiting the stack disables ASLR (CVE-2016-3672, Low) * kernel: Missing permission check in move_pages system call (CVE-2017-14140, Low) * kernel: NULL pointer dereference in rngapi_reset function (CVE-2017-15116, Low) * kernel: Improper error handling of VM_SHARED hugetlbfs mapping in mm/ hugetlb.c (CVE-2017-15127, Low) * kernel: Integer overflow in futex.c:futux_requeue can lead to denial of service or unspecified impact (CVE-2018-6927, Low) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat). Additional Changes : See the Red Hat Enterprise Linux 7.5 Release Notes linked from References.
    last seen 2018-11-27
    modified 2018-11-26
    plugin id 108984
    published 2018-04-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108984
    title RHEL 7 : kernel-rt (RHSA-2018:0676)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1062.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power) * kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important) * kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important) * Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important) * kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important) * kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate) * kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate) * kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate) * kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate) * kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate) * kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate) * kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate) * kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate) * kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate) * kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate) * kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate) * kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate) * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate) * kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate) * Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate) * kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate) * kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate) * kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate) * kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low) Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633; Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat). For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen 2018-11-27
    modified 2018-11-26
    plugin id 108997
    published 2018-04-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108997
    title RHEL 7 : kernel (RHSA-2018:1062)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180410_KERNEL_ON_SL7_X.NASL
    description Security Fix(es) : - hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power) - kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important) - kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important) - Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important) - kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important) - kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate) - kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate) - kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate) - kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate) - kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate) - kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate) - kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate) - kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate) - kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate) - kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate) - kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate) - kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate) - kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate) - kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate) - Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate) - kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate) - kernel: Kernel address information leak in drivers/acpi/sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate) - kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate) - kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low) Additional Changes :
    last seen 2018-09-01
    modified 2018-05-04
    plugin id 109449
    published 2018-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109449
    title Scientific Linux Security Update : kernel on SL7.x x86_64 (Meltdown)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-1062.NASL
    description From Red Hat Security Advisory 2018:1062 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power) * kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important) * kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important) * Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important) * kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important) * kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate) * kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate) * kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate) * kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate) * kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate) * kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate) * kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate) * kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate) * kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate) * kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate) * kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate) * kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate) * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate) * kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate) * Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate) * kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate) * kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate) * kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate) * kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low) Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633; Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat). For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen 2018-10-18
    modified 2018-10-17
    plugin id 109113
    published 2018-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109113
    title Oracle Linux 7 : kernel (ELSA-2018-1062)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3343-1.NASL
    description USN 3335-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. This update addresses the issue. We apologize for the inconvenience. It was discovered that a use-after-free vulnerability in the core voltage regulator driver of the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2014-9940) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) Li Qiang discovered that an integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7294) It was discovered that a double-free vulnerability existed in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack in the Linux kernel was performing its over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 101152
    published 2017-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101152
    title Ubuntu 14.04 LTS : linux vulnerabilities (USN-3343-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3291-1.NASL
    description Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7187) It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261) Li Qiang discovered that an integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7294) It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 100252
    published 2017-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100252
    title Ubuntu 16.04 LTS : linux vulnerabilities (USN-3291-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1247-1.NASL
    description The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2015-1350: The VFS subsystem in the Linux kernel provided an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allowed local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program (bnc#914939). - CVE-2016-2117: The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly enabled scatter/gather I/O, which allowed remote attackers to obtain sensitive information from kernel memory by reading packet data (bnc#968697). - CVE-2016-3070: The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel improperly interacted with mm/migrate.c, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move (bnc#979215). - CVE-2016-5243: The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel did not properly copy a certain string, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#983212). - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077). - CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel mismanages the #BP and #OF exceptions, which allowed guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest (bnc#1015703). - CVE-2016-10044: The aio_mount function in fs/aio.c in the Linux kernel did not properly restrict execute access, which made it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call (bnc#1023992). - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415). - CVE-2016-10208: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel did not properly validate meta block groups, which allowed physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image (bnc#1023377). - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003). - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914). - CVE-2017-5897: The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allowed remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access (bnc#1023762). - CVE-2017-5970: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a denial of service (system crash) via (1) an application that made crafted system calls or possibly (2) IPv4 traffic with invalid IP options (bnc#1024938). - CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bnc#1025235). - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024). - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722). - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that a certain destructor exists in required circumstances, which allowed local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls (bnc#1027190). - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that made PACKET_FANOUT setsockopt system calls (bnc#1027189). - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly managed lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178). - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066). - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213). - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052). - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440). - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579). - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bnc#1033336). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 100150
    published 2017-05-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100150
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1247-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2525-1.NASL
    description The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated receive various security and bugfixes. The following security bugs were fixed : - CVE-2016-5243: The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel did not properly copy a certain string, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#983212) - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415) - CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c (bsc#1030593). - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently could not ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003) - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914) - CVE-2017-5970: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a denial of service (system crash) via (1) an application that made crafted system calls or possibly (2) IPv4 traffic with invalid IP options (bsc#1024938) - CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bsc#1025235) - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024) - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722) - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly managed lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178) - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066) - CVE-2017-6951: The keyring_search_aux function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the 'dead' type (bsc#1029850). - CVE-2017-7184: The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size data after an XFRM_MSG_NEWAE update, which allowed local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability (bsc#1030573) - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213) - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052) - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440) - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579) - CVE-2017-7482: Several missing length checks ticket decode allowing for information leak or potentially code execution (bsc#1046107). - CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bsc#1038879). - CVE-2017-7533: Race condition in the fsnotify implementation in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions (bnc#1049483 1050677 ). - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bsc#1033336) - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability. This requires a malicious PCI Card. (bnc#1037994). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bsc#1038544). - CVE-2017-8924: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (bnc#1037182). - CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (bnc#1038981). - CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882). - CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bsc#1039883). - CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885). - CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bsc#1040069). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431). - CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152). - CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact (bnc#1048275). - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603). - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. (bnc#1053148). - CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588). - CVE-2017-1000112: Fixed a race condition in net-packet code that could have been exploited by unprivileged users to gain root access. (bsc#1052311). - CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary could have overflowed the parport_nr array in the following code (bnc#1039456). - CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation (bnc#1039354). - CVE-2017-1000380: sound/core/timer.c in the Linux kernel was vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time (bnc#1044125). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 103354
    published 2017-09-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103354
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2017:2525-1) (Stack Clash)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1360-1.NASL
    description The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.74 to receive various security and bugfixes. Notable new/improved features : - Improved support for Hyper-V - Support for the tcp_westwood TCP scheduling algorithm The following security bugs were fixed : - CVE-2017-8106: The handle_invept function in arch/x86/kvm/vmx.c in the Linux kernel allowed privileged KVM guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a single-context INVEPT instruction with a NULL EPT pointer (bsc#1035877). - CVE-2017-6951: The keyring_search_aux function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the 'dead' type. (bsc#1029850). - CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c. (bsc#1030593) - CVE-2016-9604: This fixes handling of keyrings starting with '.' in KEYCTL_JOIN_SESSION_KEYRING, which could have allowed local users to manipulate privileged keyrings (bsc#1035576) - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation. (bnc#1033336). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. (bsc#1034670). - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579) - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently could not ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003) - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440) - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052) - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213) - CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel mismanaged the #BP and #OF exceptions, which allowed guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest (bsc#1015703). - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914). - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415) - CVE-2016-10208: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel did not properly validate meta block groups, which allowed physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image (bnc#1023377). - CVE-2017-5897: The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allowed remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access (bsc#1023762). - CVE-2017-5986: A race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bsc#1025235). - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024) - CVE-2016-9191: The cgroup offline implementation in the Linux kernel mishandled certain drain operations, which allowed local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application (bnc#1008842) - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly managed lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178). - CVE-2016-10044: The aio_mount function in fs/aio.c in the Linux kernel did not properly restrict execute access, which made it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call (bnc#1023992). - CVE-2016-3070: The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel improperly interacts with mm/migrate.c, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move (bnc#979215). - CVE-2016-5243: The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel did not properly copy a certain string, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#983212). - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that a certain destructor exists in required circumstances, which allowed local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls (bnc#1027190) - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that made PACKET_FANOUT setsockopt system calls (bnc#1027189) - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066) - CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bsc#1025235). - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722) - CVE-2016-2117: The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly enables scatter/gather I/O, which allowed remote attackers to obtain sensitive information from kernel memory by reading packet data (bnc#968697) - CVE-2015-1350: The VFS subsystem in the Linux kernel provided an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allowed local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program (bsc#914939). - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bsc#1003077). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 100320
    published 2017-05-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100320
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1360-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-4108.NASL
    description Description of changes: [4.1.12-124.15.1.el7uek] - netfilter: nfnetlink_cthelper: Add missing permission checks (Kevin Cernekee) [Orabug: 27260771] {CVE-2017-17448} - netlink: Add netns check on taps (Kevin Cernekee) [Orabug: 27260799] {CVE-2017-17449} - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li) [Orabug: 27290606] {CVE-2017-17741} {CVE-2017-17741} - xprtrdma: Detect unreachable NFS/RDMA servers more reliably (Chuck Lever) [Orabug: 27587008] - sunrpc: Export xprt_force_disconnect() (Chuck Lever) [Orabug: 27587008] - sunrpc: Allow xprt->ops->timer method to sleep (Chuck Lever) [Orabug: 27587008] - KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit (Haozhong Zhang) [Orabug: 27720128] - x86/microcode: probe CPU features on microcode update (Ankur Arora) [Orabug: 27878230] - x86/microcode: microcode_write() should not reference boot_cpu_data (Ankur Arora) [Orabug: 27878230] - x86/cpufeatures: use cpu_data in init_scattered_cpuid_flags() (Ankur Arora) [Orabug: 27878230] - mm/pagewalk.c: report holes in hugetlb ranges (Jann Horn) [Orabug: 27913118] {CVE-2017-16994} - KEYS: don't let add_key() update an uninstantiated key (David Howells) [Orabug: 27913330] {CVE-2017-15299} - drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl() (Murray McAllister) [Orabug: 27913367] {CVE-2017-7294} - vmscan: Support multiple kswapd threads per node (Buddy Lumpkin) [Orabug: 27913411] - tcp: don't use F-RTO on non-recurring timeouts (Yuchung Cheng) [Orabug: 27901860] - net/rds: ib: Release correct number of frags (Hå kon Bugge) [Orabug: 27924161] - crypto: rng - Remove old low-level rng interface (Herbert Xu) [Orabug: 27926676] {CVE-2017-15116} - crypto: drbg - Convert to new rng interface (Herbert Xu) [Orabug: 27926676] {CVE-2017-15116} - crypto: ansi_cprng - Convert to new rng interface (Herbert Xu) [Orabug: 27926676] {CVE-2017-15116} - crypto: krng - Convert to new rng interface (Herbert Xu) [Orabug: 27926676] {CVE-2017-15116} - RDS: Heap OOB write in rds_message_alloc_sgs() (Mohamed Ghannam) [Orabug: 27934066] {CVE-2018-5332} - net: Fix double free and memory corruption in get_net_ns_by_id() (Eric W. Biederman) [Orabug: 27934789] {CVE-2017-15129}
    last seen 2018-09-02
    modified 2018-05-16
    plugin id 109828
    published 2018-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109828
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4108)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3335-1.NASL
    description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) It was discovered that a use-after-free vulnerability in the core voltage regulator driver of the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2014-9940) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) Li Qiang discovered that an integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7294) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 100933
    published 2017-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100933
    title Ubuntu 14.04 LTS : linux, linux-meta vulnerabilities (USN-3335-1) (Stack Clash)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3291-2.NASL
    description USN-3291-1 fixed vulnerabilities in the generic Linux kernel. This update provides the corresponding updates for the Linux kernel built for specific processors and cloud environments. Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7187) It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261) Li Qiang discovered that an integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7294) It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 100266
    published 2017-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100266
    title Ubuntu 16.04 LTS : linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities (USN-3291-2)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1183-1.NASL
    description The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.58 to receive various security and bugfixes. Notable new/improved features : - Improved support for Hyper-V - Support for Matrox G200eH3 - Support for tcp_westwood The following security bugs were fixed : - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently could not ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003). - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579). - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440). - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052). - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213). - CVE-2017-7374: Use-after-free vulnerability in fs/crypto/ in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely (bnc#1032006). - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415). - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that a certain destructor exists in required circumstances, which allowed local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls (bnc#1027190). - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that made PACKET_FANOUT setsockopt system calls (bnc#1027189). - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066). - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722). - CVE-2016-2117: The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly enables scatter/gather I/O, which allowed remote attackers to obtain sensitive information from kernel memory by reading packet data (bnc#968697). - CVE-2017-6347: The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel had incorrect expectations about skb data layout, which allowed local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission (bnc#1027179). - CVE-2016-9191: The cgroup offline implementation in the Linux kernel mishandled certain drain operations, which allowed local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application (bnc#1008842). - CVE-2017-2596: The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel improperly emulated the VMXON instruction, which allowed KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references (bnc#1022785). - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 100023
    published 2017-05-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100023
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1183-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3342-1.NASL
    description USN 3326-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. This update addresses the issue. We apologize for the inconvenience. It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) Ingo Molnar discovered that the VideoCore DRM driver in the Linux kernel did not return an error after detecting certain overflows. A local attacker could exploit this issue to cause a denial of service (OOPS). (CVE-2017-5577) Li Qiang discovered that an integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7294) It was discovered that a double-free vulnerability existed in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack in the Linux kernel was performing its over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 101150
    published 2017-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101150
    title Ubuntu 16.10 : linux, linux-raspi2 vulnerabilities (USN-3342-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1301-1.NASL
    description The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. Notable new features : - Toleration of newer crypto hardware for z Systems - USB 2.0 Link power management for Haswell-ULT The following security bugs were fixed : - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579) - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently could not ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003) - CVE-2017-7184: The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size data after an XFRM_MSG_NEWAE update, which allowed local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability (bsc#1030573). - CVE-2017-5970: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a denial of service (system crash) via (1) an application that made crafted system calls or possibly (2) IPv4 traffic with invalid IP options (bsc#1024938). - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bsc#1033336). - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440) - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052) - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213) - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly managed lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178) - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914) - CVE-2015-3288: mm/memory.c in the Linux kernel mishandled anonymous pages, which allowed local users to gain privileges or cause a denial of service (page tainting) via a crafted application that triggers writing to page zero (bsc#979021). - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415) - CVE-2016-5243: The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel did not properly copy a certain string, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#983212) - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application (bnc#1027066) - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722) - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024) - CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bsc#1025235) - CVE-2015-8970: crypto/algif_skcipher.c in the Linux kernel did not verify that a setkey operation has been performed on an AF_ALG socket an accept system call is processed, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted application that does not supply a key, related to the lrw_crypt function in crypto/lrw.c (bsc#1008374). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-11-30
    plugin id 100214
    published 2017-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100214
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2017:1301-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3342-2.NASL
    description USN-3342-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.10 for Ubuntu 16.04 LTS. USN-3333-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. This update addresses the issue. We apologize for the inconvenience. It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) Ingo Molnar discovered that the VideoCore DRM driver in the Linux kernel did not return an error after detecting certain overflows. A local attacker could exploit this issue to cause a denial of service (OOPS). (CVE-2017-5577) Li Qiang discovered that an integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7294) It was discovered that a double-free vulnerability existed in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack in the Linux kernel was performing its over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 101151
    published 2017-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101151
    title Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3342-2)
redhat via4
advisories
  • rhsa
    id RHSA-2018:0676
  • rhsa
    id RHSA-2018:1062
rpms
  • kernel-rt-0:3.10.0-862.rt56.804.el7
  • kernel-rt-debug-0:3.10.0-862.rt56.804.el7
  • kernel-rt-debug-devel-0:3.10.0-862.rt56.804.el7
  • kernel-rt-debug-kvm-0:3.10.0-862.rt56.804.el7
  • kernel-rt-devel-0:3.10.0-862.rt56.804.el7
  • kernel-rt-doc-0:3.10.0-862.rt56.804.el7
  • kernel-rt-kvm-0:3.10.0-862.rt56.804.el7
  • kernel-rt-trace-0:3.10.0-862.rt56.804.el7
  • kernel-rt-trace-devel-0:3.10.0-862.rt56.804.el7
  • kernel-rt-trace-kvm-0:3.10.0-862.rt56.804.el7
  • kernel-0:3.10.0-862.el7
  • kernel-abi-whitelists-0:3.10.0-862.el7
  • kernel-bootwrapper-0:3.10.0-862.el7
  • kernel-debug-0:3.10.0-862.el7
  • kernel-debug-devel-0:3.10.0-862.el7
  • kernel-devel-0:3.10.0-862.el7
  • kernel-doc-0:3.10.0-862.el7
  • kernel-headers-0:3.10.0-862.el7
  • kernel-kdump-0:3.10.0-862.el7
  • kernel-kdump-devel-0:3.10.0-862.el7
  • kernel-tools-0:3.10.0-862.el7
  • kernel-tools-libs-0:3.10.0-862.el7
  • kernel-tools-libs-devel-0:3.10.0-862.el7
  • perf-0:3.10.0-862.el7
  • python-perf-0:3.10.0-862.el7
refmap via4
bid 97177
misc
Last major update 31-03-2017 - 14:14
Published 28-03-2017 - 22:59
Last modified 11-04-2018 - 21:29
Back to Top