ID CVE-2015-7613
Summary Race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c.
References
Vulnerable Configurations
  • Linux Kernel 4.2.3
    cpe:2.3:o:linux:linux_kernel:4.2.3
CVSS
Base: 6.9 (as of 19-10-2015 - 14:47)
Impact:
Exploitability:
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Access
VectorComplexityAuthentication
LOCAL MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2761-1.NASL
    description Dmitry Vyukov discovered that the Linux kernel did not properly initialize IPC object state in certain situations. A local attacker could use this to escalate their privileges, expose confidential information, or cause a denial of service (system crash). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 86295
    published 2015-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86295
    title Ubuntu 14.04 LTS : linux vulnerability (USN-2761-1)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL90230486.NASL
    description Race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c. (CVE-2015-7613)
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 87436
    published 2015-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87436
    title F5 Networks BIG-IP : Linux kernel vulnerability (K90230486)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2764-1.NASL
    description Dmitry Vyukov discovered that the Linux kernel did not properly initialize IPC object state in certain situations. A local attacker could use this to escalate their privileges, expose confidential information, or cause a denial of service (system crash). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 86298
    published 2015-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86298
    title Ubuntu 14.04 LTS : linux-lts-utopic vulnerability (USN-2764-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2763-1.NASL
    description Dmitry Vyukov discovered that the Linux kernel did not properly initialize IPC object state in certain situations. A local attacker could use this to escalate their privileges, expose confidential information, or cause a denial of service (system crash). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 86297
    published 2015-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86297
    title Ubuntu 12.04 LTS : linux-lts-trusty vulnerability (USN-2763-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0037.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0037 for details.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 90019
    published 2016-03-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90019
    title OracleVM 3.2 : kernel-uek (OVMSA-2016-0037)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-DCC260F2F2.NASL
    description kernel-4.1.10-200.fc22 - Linxu v4.1.10 - Add patch to fix soft lockups in network stack (rhbz 1266691) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-28
    plugin id 89435
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89435
    title Fedora 22 : kernel-4.1.10-200.fc22 (2015-dcc260f2f2)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2587.NASL
    description Updated kernel packages that fix three security issues, several bugs, and one enhancement are now available for Red Hat Enterprise Linux 7.1 Extended Update Support. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important) * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) is handled. A privileged user inside a guest could use this flaw to create denial of service conditions on the host kernel. (CVE-2015-5307, Important) * A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important) Red Hat would like to thank Ben Serebrin of Google Inc. for reporting the CVE-2015-5307 issue. This update also fixes the following bugs and adds one enhancement : * When setting up an ESP IPsec connection, the aes_ctr algorithm did not work for ESP on a Power little endian VM host. As a consequence, a kernel error was previously returned and the connection failed to be established. A set of patches has been provided to fix this bug, and aes_ctr works for ESP in the described situation as expected. (BZ#1247127) * The redistribute3() function distributed entries across 3 nodes. However, some entries were moved an incorrect way, breaking the ordering. As a result, BUG() in the dm-btree-remove.c:shift() function occurred when entries were removed from the btree. A patch has been provided to fix this bug, and redistribute3() now works as expected. (BZ#1263945) * When booting an mpt2sas adapter in a huge DDW enabled slot on Power, the kernel previously generated a warning followed by a call trace. The provided patch set enhances the Power kernel to be able to support IOMMU as a fallback for the cases where the coherent mask of the device is not suitable for direct DMA. As a result, neither the warning nor the call trace occur in this scenario. (BZ#1267133) * If the client mounted /exports and tried to execute the 'chown -R' command across the entire mountpoint, a warning about a circular directory structure was previously returned because mount points all had the same inode number. A set of patches has been provided to fix this bug, and mount points are now assigned with unique inode numbers as expected. (BZ#1273239) * Due to a validation error of in-kernel MMIO tracing, a VM became previously unresponsive when connected to Red Hat Enterprise Virtualization Hypervisor. The provided patch fixes this bug by dropping the check in MMIO handler, and a VM continues running as expected. (BZ#1275149) * The NFS client could previously fail to send a CLOSE operation if the file was opened with O_WRONLY and the server restarted after the OPEN. Consequently, the server appeared in a state that could block other NFS operations from completing. The client's state flags have been modified to catch this condition and correctly CLOSE the file. (BZ#1275298) * This update sets multicast filters for multicast packets when the interface is not in promiscuous mode. This change has an impact on the RAR usage such that SR-IOV has some RARs reserved for its own usage as well. (BZ#1265091) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 88572
    published 2016-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88572
    title RHEL 7 : kernel (RHSA-2015:2587)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2762-1.NASL
    description Dmitry Vyukov discovered that the Linux kernel did not properly initialize IPC object state in certain situations. A local attacker could use this to escalate their privileges, expose confidential information, or cause a denial of service (system crash). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 86296
    published 2015-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86296
    title Ubuntu 15.04 : linux vulnerability (USN-2762-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-D7E074BA30.NASL
    description kernel-4.1.10-100.fc21 - Linxu v4.1.10 - Add patch to fix soft lockups in network stack (rhbz 1266691) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-28
    plugin id 89427
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89427
    title Fedora 21 : kernel-4.1.10-100.fc21 (2015-d7e074ba30)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2792-1.NASL
    description Dmitry Vyukov discovered that the Linux kernel did not properly initialize IPC object state in certain situations. A local attacker could use this to escalate their privileges, expose confidential information, or cause a denial of service (system crash). (CVE-2015-7613) It was discovered that the Linux kernel did not check if a new IPv6 MTU set by a user space application was valid. A remote attacker could forge a route advertisement with an invalid MTU that a user space daemon like NetworkManager would honor and apply to the kernel, causing a denial of service. (CVE-2015-0272) It was discovered that in certain situations, a directory could be renamed outside of a bind mounted location. An attacker could use this to escape bind mount containment and gain access to sensitive information. (CVE-2015-2925) Moein Ghasemzadeh discovered that the USB WhiteHEAT serial driver contained hardcoded attributes about the USB devices. An attacker could construct a fake WhiteHEAT USB device that, when inserted, causes a denial of service (system crash). (CVE-2015-5257). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 86783
    published 2015-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86783
    title Ubuntu 12.04 LTS : linux vulnerabilities (USN-2792-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1727-1.NASL
    description The SUSE Linux Enterprise 12 kernel was updated to 3.12.48-52.27 to receive various security and bugfixes. Following security bugs were fixed : - CVE-2015-7613: A flaw was found in the Linux kernel IPC code that could lead to arbitrary code execution. The ipc_addid() function initialized a shared object that has unset uid/gid values. Since the fields are not initialized, the check can falsely succeed. (bsc#948536) - CVE-2015-5156: When a guests KVM network devices is in a bridge configuration the kernel can create a situation in which packets are fragmented in an unexpected fashion. The GRO functionality can create a situation in which multiple SKB's are chained together in a single packets fraglist (by design). (bsc#940776) - CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform mishandles IRET faults in processing NMIs that occurred during userspace execution, which might allow local users to gain privileges by triggering an NMI (bsc#938706). - CVE-2015-6252: A flaw was found in the way the Linux kernel's vhost driver treated userspace provided log file descriptor when processing the VHOST_SET_LOG_FD ioctl command. The file descriptor was never released and continued to consume kernel memory. A privileged local user with access to the /dev/vhost-net files could use this flaw to create a denial-of-service attack (bsc#942367). - CVE-2015-5697: The get_bitmap_file function in drivers/md/md.c in the Linux kernel before 4.1.6 does not initialize a certain bitmap data structure, which allows local users to obtain sensitive information from kernel memory via a GET_BITMAP_FILE ioctl call. (bnc#939994) - CVE-2015-6937: A NULL pointer dereference flaw was found in the Reliable Datagram Sockets (RDS) implementation allowing a local user to cause system DoS. A verification was missing that the underlying transport exists when a connection was created. (bsc#945825) - CVE-2015-5283: A NULL pointer dereference flaw was found in SCTP implementation allowing a local user to cause system DoS. Creation of multiple sockets in parallel when system doesn't have SCTP module loaded can lead to kernel panic. (bsc#947155) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 86378
    published 2015-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86378
    title SUSE SLED12 / SLES12 Security Update : kernel-source (SUSE-SU-2015:1727-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2765-1.NASL
    description Dmitry Vyukov discovered that the Linux kernel did not properly initialize IPC object state in certain situations. A local attacker could use this to escalate their privileges, expose confidential information, or cause a denial of service (system crash). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 86299
    published 2015-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86299
    title Ubuntu 14.04 LTS : linux-lts-vivid vulnerability (USN-2765-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-2636.NASL
    description From Red Hat Security Advisory 2015:2636 : Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important) * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) * A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important) * It was found that the Linux kernel's keys subsystem did not correctly garbage collect uninstantiated keyrings. A local attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-7872, Important) Red Hat would like to thank Ben Serebrin of Google Inc. for reporting the CVE-2015-5307 issue. This update also fixes the following bugs : * Previously, Human Interface Device (HID) ran a report on an unaligned buffer, which could cause a page fault interrupt and an oops when the end of the report was read. This update fixes this bug by padding the end of the report with extra bytes, so the reading of the report never crosses a page boundary. As a result, a page fault and subsequent oops no longer occur. (BZ#1268203) * The NFS client was previously failing to detect a directory loop for some NFS server directory structures. This failure could cause NFS inodes to remain referenced after attempting to unmount the file system, leading to a kernel crash. Loop checks have been added to VFS, which effectively prevents this problem from occurring. (BZ#1272858) * Due to a race whereby the nfs_wb_pages_cancel() and nfs_commit_release_pages() calls both removed a request from the nfs_inode struct type, the kernel panicked with negative nfs_inode.npages count. The provided upstream patch performs the required serialization by holding the inode i_lock over the check of PagePrivate and locking the request, thus preventing the race and kernel panic from occurring. (BZ#1273721) * Due to incorrect URB_ISO_ASAP semantics, playing an audio file using a USB sound card could previously fail for some hardware configurations. This update fixes the bug, and playing audio from a USB sound card now works as expected. (BZ#1273916) * Inside hugetlb, region data structures were protected by a combination of a memory map semaphore and a single hugetlb instance mutex. However, a page-fault scalability improvement backported to the kernel on previous releases removed the single hugetlb instance mutex and introduced a new mutex table, making the locking combination insufficient, leading to possible race windows that could cause corruption and undefined behavior. This update fixes the problem by introducing a required spinlock to the region tracking functions for proper serialization. The problem only affects software using huge pages through hugetlb interface. (BZ#1274599) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 87396
    published 2015-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87396
    title Oracle Linux 6 : kernel (ELSA-2015-2636)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2152.NASL
    description Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 7. This is the second regular update. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important) * A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important) * It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. (CVE-2010-5313, CVE-2014-7842, Moderate) * A flaw was found in the way the Linux kernel's KVM subsystem handled non-canonical addresses when emulating instructions that change the RIP (for example, branches or calls). A guest user with access to an I/O or MMIO region could use this flaw to crash the guest. (CVE-2014-3647, Moderate) * It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker could use this flaw to lock up the system. (CVE-2014-8171, Moderate) * A race condition flaw was found between the chown and execve system calls. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate) * A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-4170, Moderate) * A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded. (CVE-2015-5283, Moderate) * A flaw was found in the way the Linux kernel's perf subsystem retrieved userlevel stack traces on PowerPC systems. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-6526, Moderate) * A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2013-7421, CVE-2014-9644, Low) * An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process. (CVE-2014-9419, Low) * It was found that the Linux kernel KVM subsystem's sysenter instruction emulation was not sufficient. An unprivileged guest user could use this flaw to escalate their privileges by tricking the hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the guest OS did not initialize the SYSENTER model-specific registers (MSRs). Note: Certified guest operating systems for Red Hat Enterprise Linux with KVM do initialize the SYSENTER MSRs and are thus not vulnerable to this issue when running on a KVM hypervisor. (CVE-2015-0239, Low) * A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination. (CVE-2015-7837, Low)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 86972
    published 2015-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86972
    title RHEL 7 : kernel (RHSA-2015:2152)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-2636.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important) * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) * A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important) * It was found that the Linux kernel's keys subsystem did not correctly garbage collect uninstantiated keyrings. A local attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-7872, Important) Red Hat would like to thank Ben Serebrin of Google Inc. for reporting the CVE-2015-5307 issue. This update also fixes the following bugs : * Previously, Human Interface Device (HID) ran a report on an unaligned buffer, which could cause a page fault interrupt and an oops when the end of the report was read. This update fixes this bug by padding the end of the report with extra bytes, so the reading of the report never crosses a page boundary. As a result, a page fault and subsequent oops no longer occur. (BZ#1268203) * The NFS client was previously failing to detect a directory loop for some NFS server directory structures. This failure could cause NFS inodes to remain referenced after attempting to unmount the file system, leading to a kernel crash. Loop checks have been added to VFS, which effectively prevents this problem from occurring. (BZ#1272858) * Due to a race whereby the nfs_wb_pages_cancel() and nfs_commit_release_pages() calls both removed a request from the nfs_inode struct type, the kernel panicked with negative nfs_inode.npages count. The provided upstream patch performs the required serialization by holding the inode i_lock over the check of PagePrivate and locking the request, thus preventing the race and kernel panic from occurring. (BZ#1273721) * Due to incorrect URB_ISO_ASAP semantics, playing an audio file using a USB sound card could previously fail for some hardware configurations. This update fixes the bug, and playing audio from a USB sound card now works as expected. (BZ#1273916) * Inside hugetlb, region data structures were protected by a combination of a memory map semaphore and a single hugetlb instance mutex. However, a page-fault scalability improvement backported to the kernel on previous releases removed the single hugetlb instance mutex and introduced a new mutex table, making the locking combination insufficient, leading to possible race windows that could cause corruption and undefined behavior. This update fixes the problem by introducing a required spinlock to the region tracking functions for proper serialization. The problem only affects software using huge pages through hugetlb interface. (BZ#1274599) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87381
    published 2015-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87381
    title CentOS 6 : kernel (CESA-2015:2636)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2411.NASL
    description Updated kernel-rt packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important) * A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important) * It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker able to continuously spawn new processes within a single memory-constrained cgroup during an OOM event could use this flaw to lock up the system. (CVE-2014-8171, Moderate) * A race condition flaw was found between the chown and execve system calls. When changing the owner of a setuid user binary to root, the race condition could momentarily make the binary setuid root. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate) * A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause a denial of service on the system by holding a reference to the ldisc lock during tty shutdown, causing a deadlock. (CVE-2015-4170, Moderate) * A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded. (CVE-2015-5283, Moderate) * A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2013-7421, CVE-2014-9644, Low) * An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process. (CVE-2014-9419, Low) * A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination. (CVE-2015-7837, Low) Red Hat would like to thank Linn Crosetto of HP for reporting the CVE-2015-7837 issue. The CVE-2015-5283 issue was discovered by Ji Jianwen from Red Hat engineering. The kernel-rt packages have been upgraded to version 3.10.0-326.rt56.204, which provides a number of bug fixes and enhancements. (BZ#1201915, BZ#1211724) This update also fixes several bugs and adds multiple enhancements. Refer to the following Red Hat Knowledgebase article for information on the most significant of these changes : https://access.redhat.com/articles/2055783 All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 88571
    published 2016-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88571
    title RHEL 7 : kernel-rt (RHSA-2015:2411)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-603.NASL
    description A race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c. (CVE-2015-7613) Linux kernels built with the name spaces support(CONFIG_NAMESPACE) is vulnerable to a potential privilege escalation flaw. It could occur when a process within a container escapes the intended bind mounts to access the full file system. A privileged user inside a container could use this flaw to potentially gain full privileges on a system. (CVE-2015-2925) A NULL pointer dereference vulnerability was found in the Linux kernel's TCP stack, in net/netfilter/nf_nat_redirect.c in the nf_nat_redirect_ipv4() function. A remote, unauthenticated user could exploit this flaw to create a system crash (denial of service). (CVE-2015-8787)
    last seen 2019-02-21
    modified 2018-04-19
    plugin id 86634
    published 2015-10-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86634
    title Amazon Linux AMI : kernel (ALAS-2015-603)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-325.NASL
    description This update fixes the CVEs described below. CVE-2015-2925 Jann Horn discovered that when a subdirectory of a filesystem was bind-mounted into a chroot or mount namespace, a user that should be confined to that chroot or namespace could access the whole of that filesystem if they had write permission on an ancestor of the subdirectory. This is not a common configuration for this kernel version. CVE-2015-5257 Moein Ghasemzadeh of Istuary Innovation Labs reported that a USB device could cause a denial of service (crash) by imitating a Whiteheat USB serial device but presenting a smaller number of endpoints. CVE-2015-7613 Dmitry Vyukov discovered that System V IPC objects (message queues and shared memory segments) were made accessible before their ownership and other attributes were fully initialised. If a local user can race against another user or service creating a new IPC object, this may result in unauthorised information disclosure, unauthorised information modification, denial of service and/or privilege escalation. A similar issue existed with System V semaphore arrays, but was less severe because they were always cleared before being fully initialised. For the oldoldstable distribution (squeeze), these problems have been fixed in version 2.6.32-48squeeze16. For the oldstable distribution (wheezy), these problems will be fixed in version 3.2.68-1+deb7u5. For the stable distribution (jessie), these problems will be fixed in version 3.16.7-ckt11-1+deb8u5 or have been fixed earlier. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 86357
    published 2015-10-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86357
    title Debian DLA-325-1 : linux-2.6 security update
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-3503.NASL
    description Description of changes: kernel-uek [2.6.32-400.37.15.el6uek] - ipc/sem.c: fully initialize sem_array before making it visible (Manfred Spraul) [Orabug: 22250043] {CVE-2015-7613} - Initialize msg/shm IPC objects before doing ipc_addid() (Linus Torvalds) [Orabug: 22250043] {CVE-2015-7613} - crypto: add missing crypto module aliases (Mathias Krause) [Orabug: 22249655] {CVE-2013-7421} {CVE-2014-9644} - crypto: include crypto- module prefix in template (Kees Cook) [Orabug: 22249655] {CVE-2013-7421} {CVE-2014-9644} - crypto: prefix module autoloading with 'crypto-' (Kees Cook) [Orabug: 22249655] {CVE-2013-7421} {CVE-2014-9644} [2.6.32-400.37.14.el6uek] - KVM: add arg to ac_interception() missing from 'KVM: x86: work around infinite loop in microcode when #AC is delivered' (Chuck Anderson) [Orabug: 22336493] {CVE-2015-5307} [2.6.32-400.37.13.el6uek] - KVM: svm: unconditionally intercept #DB (Paolo Bonzini) [Orabug: 22336518] {CVE-2015-8104} {CVE-2015-8104} - KVM: x86: work around infinite loop in microcode when #AC is delivered (Eric Northup) [Orabug: 22336493] {CVE-2015-5307} {CVE-2015-5307}
    last seen 2019-02-21
    modified 2016-10-28
    plugin id 87836
    published 2016-01-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87836
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2016-3503)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-2152.NASL
    description From Red Hat Security Advisory 2015:2152 : Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 7. This is the second regular update. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important) * A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important) * It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. (CVE-2010-5313, CVE-2014-7842, Moderate) * A flaw was found in the way the Linux kernel's KVM subsystem handled non-canonical addresses when emulating instructions that change the RIP (for example, branches or calls). A guest user with access to an I/O or MMIO region could use this flaw to crash the guest. (CVE-2014-3647, Moderate) * It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker could use this flaw to lock up the system. (CVE-2014-8171, Moderate) * A race condition flaw was found between the chown and execve system calls. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate) * A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-4170, Moderate) * A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded. (CVE-2015-5283, Moderate) * A flaw was found in the way the Linux kernel's perf subsystem retrieved userlevel stack traces on PowerPC systems. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-6526, Moderate) * A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2013-7421, CVE-2014-9644, Low) * An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process. (CVE-2014-9419, Low) * It was found that the Linux kernel KVM subsystem's sysenter instruction emulation was not sufficient. An unprivileged guest user could use this flaw to escalate their privileges by tricking the hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the guest OS did not initialize the SYSENTER model-specific registers (MSRs). Note: Certified guest operating systems for Red Hat Enterprise Linux with KVM do initialize the SYSENTER MSRs and are thus not vulnerable to this issue when running on a KVM hypervisor. (CVE-2015-0239, Low) * A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination. (CVE-2015-7837, Low)
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 87090
    published 2015-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87090
    title Oracle Linux 7 : kernel (ELSA-2015-2152)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-43145298F4.NASL
    description The 4.2.3 stable kernel update contains a number of important fixes across the tree. kernel-4.2.3-300.fc23 - Linux v4.2.3 - Netdev fix race in resq_queue_unlink Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-28
    plugin id 89222
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89222
    title Fedora 23 : kernel-4.2.3-300.fc23 (2015-43145298f4)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3372.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, unauthorised information disclosure or unauthorised information modification. - CVE-2015-2925 Jann Horn discovered that when a subdirectory of a filesystem was bind-mounted into a chroot or mount namespace, a user that should be confined to that chroot or namespace could access the whole of that filesystem if they had write permission on an ancestor of the subdirectory. This is not a common configuration for wheezy, and the issue has previously been fixed for jessie. - CVE-2015-5257 Moein Ghasemzadeh of Istuary Innovation Labs reported that a USB device could cause a denial of service (crash) by imitating a Whiteheat USB serial device but presenting a smaller number of endpoints. - CVE-2015-5283 Marcelo Ricardo Leitner discovered that creating multiple SCTP sockets at the same time could cause a denial of service (crash) if the sctp module had not previously been loaded. This issue only affects jessie. - CVE-2015-7613 Dmitry Vyukov discovered that System V IPC objects (message queues and shared memory segments) were made accessible before their ownership and other attributes were fully initialised. If a local user can race against another user or service creating a new IPC object, this may result in unauthorised information disclosure, unauthorised information modification, denial of service and/or privilege escalation. A similar issue existed with System V semaphore arrays, but was less severe because they were always cleared before being fully initialised.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 86375
    published 2015-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86375
    title Debian DSA-3372-1 : linux - security update
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1018.NASL
    description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system.(CVE-2015-2925) - A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system.(CVE-2015-7613) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 99781
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99781
    title EulerOS 2.0 SP1 : kernel (EulerOS-SA-2016-1018)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-3502.NASL
    description Description of changes: [2.6.39-400.264.13.el6uek] - KEYS: Don't permit request_key() to construct a new keyring (David Howells) [Orabug: 22373449] {CVE-2015-7872} [2.6.39-400.264.12.el6uek] - crypto: add missing crypto module aliases (Mathias Krause) [Orabug: 22249656] {CVE-2013-7421} {CVE-2014-9644} - crypto: include crypto- module prefix in template (Kees Cook) [Orabug: 22249656] {CVE-2013-7421} {CVE-2014-9644} - crypto: prefix module autoloading with 'crypto-' (Kees Cook) [Orabug: 22249656] {CVE-2013-7421} {CVE-2014-9644} [2.6.39-400.264.11.el6uek] - KVM: x86: Don't report guest userspace emulation error to userspace (Nadav Amit) [Orabug: 22249615] {CVE-2010-5313} {CVE-2014-7842} [2.6.39-400.264.9.el6uek] - msg_unlock() in wrong spot after applying 'Initialize msg/shm IPC objects before doing ipc_addid()' (Chuck Anderson) [Orabug: 22250044] {CVE-2015-7613} {CVE-2015-7613} [2.6.39-400.264.8.el6uek] - ipc/sem.c: fully initialize sem_array before making it visible (Manfred Spraul) [Orabug: 22250044] {CVE-2015-7613} - Initialize msg/shm IPC objects before doing ipc_addid() (Linus Torvalds) [Orabug: 22250044] {CVE-2015-7613} [2.6.39-400.264.7.el6uek] - KVM: svm: unconditionally intercept #DB (Paolo Bonzini) [Orabug: 22333698] {CVE-2015-8104} {CVE-2015-8104} - KVM: x86: work around infinite loop in microcode when #AC is delivered (Eric Northup) [Orabug: 22333689] {CVE-2015-5307} {CVE-2015-5307} [2.6.39-400.264.6.el6uek] - mlx4_core: Introduce restrictions for PD update (Ajaykumar Hotchandani) - IPoIB: Drop priv->lock before calling ipoib_send() (Wengang Wang) - IPoIB: serialize changing on tx_outstanding (Wengang Wang) [Orabug: 21861366] - IB/mlx4: Implement IB_QP_CREATE_USE_GFP_NOIO (Jiri Kosina) - IB: Add a QP creation flag to use GFP_NOIO allocations (Or Gerlitz) - IB: Return error for unsupported QP creation flags (Or Gerlitz) - IB/ipoib: Calculate csum only when skb->ip_summed is CHECKSUM_PARTIAL (Yuval Shaia) [Orabug: 20873175]
    last seen 2019-02-21
    modified 2016-10-28
    plugin id 87835
    published 2016-01-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87835
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2016-3502)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-3101.NASL
    description Description of changes: kernel-uek [3.8.13-118.2.1.el7uek] - ipc/sem.c: fully initialize sem_array before making it visible (Manfred Spraul) [Orabug: 22277382] {CVE-2015-7613} - ipc: fix msg newqueue add (Guru Anbalagane) [Orabug: 22277382] {CVE-2015-7613} [3.8.13-118.1.1.el7uek] - sctp: fix race on protocol/netns initialization (Marcelo Ricardo Leitner) [Orabug: 22249981] {CVE-2015-5283} - Initialize msg/shm IPC objects before doing ipc_addid() (Linus Torvalds) [Orabug: 22250045] {CVE-2015-7613} - ixgbe: reset copper phy power mode (Ethan Zhao) [Orabug: 22271769]
    last seen 2019-02-21
    modified 2016-10-28
    plugin id 87098
    published 2015-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87098
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2015-3101)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0057.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 99163
    published 2017-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99163
    title OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-2152.NASL
    description Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 7. This is the second regular update. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important) * A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important) * It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. (CVE-2010-5313, CVE-2014-7842, Moderate) * A flaw was found in the way the Linux kernel's KVM subsystem handled non-canonical addresses when emulating instructions that change the RIP (for example, branches or calls). A guest user with access to an I/O or MMIO region could use this flaw to crash the guest. (CVE-2014-3647, Moderate) * It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker could use this flaw to lock up the system. (CVE-2014-8171, Moderate) * A race condition flaw was found between the chown and execve system calls. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate) * A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-4170, Moderate) * A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded. (CVE-2015-5283, Moderate) * A flaw was found in the way the Linux kernel's perf subsystem retrieved userlevel stack traces on PowerPC systems. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-6526, Moderate) * A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2013-7421, CVE-2014-9644, Low) * An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process. (CVE-2014-9419, Low) * It was found that the Linux kernel KVM subsystem's sysenter instruction emulation was not sufficient. An unprivileged guest user could use this flaw to escalate their privileges by tricking the hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the guest OS did not initialize the SYSENTER model-specific registers (MSRs). Note: Certified guest operating systems for Red Hat Enterprise Linux with KVM do initialize the SYSENTER MSRs and are thus not vulnerable to this issue when running on a KVM hypervisor. (CVE-2015-0239, Low) * A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination. (CVE-2015-7837, Low)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87135
    published 2015-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87135
    title CentOS 7 : kernel (CESA-2015:2152)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0150.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - ipc/sem.c: fully initialize sem_array before making it visible (Manfred Spraul) [Orabug: 22277382] (CVE-2015-7613) - ipc: fix msg newqueue add (Guru Anbalagane) [Orabug: 22277382] (CVE-2015-7613) - sctp: fix race on protocol/netns initialization (Marcelo Ricardo Leitner) [Orabug: 22249981] (CVE-2015-5283) - Initialize msg/shm IPC objects before doing ipc_addid (Linus Torvalds) [Orabug: 22250045] (CVE-2015-7613) - ixgbe: reset copper phy power mode (Ethan Zhao) [Orabug: 22271769]
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 87167
    published 2015-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87167
    title OracleVM 3.3 : kernel-uek (OVMSA-2015-0150)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20151119_KERNEL_ON_SL7_X.NASL
    description * A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important) * A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important) * It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. (CVE-2010-5313, CVE-2014-7842, Moderate) * A flaw was found in the way the Linux kernel's KVM subsystem handled non-canonical addresses when emulating instructions that change the RIP (for example, branches or calls). A guest user with access to an I/O or MMIO region could use this flaw to crash the guest. (CVE-2014-3647, Moderate) * It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker could use this flaw to lock up the system. (CVE-2014-8171, Moderate) * A race condition flaw was found between the chown and execve system calls. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate) * A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-4170, Moderate) * A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded. (CVE-2015-5283, Moderate) * A flaw was found in the way the Linux kernel's perf subsystem retrieved userlevel stack traces on PowerPC systems. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-6526, Moderate) * A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2013-7421, CVE-2014-9644, Low) * An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process. (CVE-2014-9419, Low) * It was found that the Linux kernel KVM subsystem's sysenter instruction emulation was not sufficient. An unprivileged guest user could use this flaw to escalate their privileges by tricking the hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the guest OS did not initialize the SYSENTER model-specific registers (MSRs). Note: Certified guest operating systems for Scientific Linux with KVM do initialize the SYSENTER MSRs and are thus not vulnerable to this issue when running on a KVM hypervisor. (CVE-2015-0239, Low) * A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination. (CVE-2015-7837, Low)
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 87559
    published 2015-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87559
    title Scientific Linux Security Update : kernel on SL7.x x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2636.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important) * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) * A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important) * It was found that the Linux kernel's keys subsystem did not correctly garbage collect uninstantiated keyrings. A local attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-7872, Important) Red Hat would like to thank Ben Serebrin of Google Inc. for reporting the CVE-2015-5307 issue. This update also fixes the following bugs : * Previously, Human Interface Device (HID) ran a report on an unaligned buffer, which could cause a page fault interrupt and an oops when the end of the report was read. This update fixes this bug by padding the end of the report with extra bytes, so the reading of the report never crosses a page boundary. As a result, a page fault and subsequent oops no longer occur. (BZ#1268203) * The NFS client was previously failing to detect a directory loop for some NFS server directory structures. This failure could cause NFS inodes to remain referenced after attempting to unmount the file system, leading to a kernel crash. Loop checks have been added to VFS, which effectively prevents this problem from occurring. (BZ#1272858) * Due to a race whereby the nfs_wb_pages_cancel() and nfs_commit_release_pages() calls both removed a request from the nfs_inode struct type, the kernel panicked with negative nfs_inode.npages count. The provided upstream patch performs the required serialization by holding the inode i_lock over the check of PagePrivate and locking the request, thus preventing the race and kernel panic from occurring. (BZ#1273721) * Due to incorrect URB_ISO_ASAP semantics, playing an audio file using a USB sound card could previously fail for some hardware configurations. This update fixes the bug, and playing audio from a USB sound card now works as expected. (BZ#1273916) * Inside hugetlb, region data structures were protected by a combination of a memory map semaphore and a single hugetlb instance mutex. However, a page-fault scalability improvement backported to the kernel on previous releases removed the single hugetlb instance mutex and introduced a new mutex table, making the locking combination insufficient, leading to possible race windows that could cause corruption and undefined behavior. This update fixes the problem by introducing a required spinlock to the region tracking functions for proper serialization. The problem only affects software using huge pages through hugetlb interface. (BZ#1274599) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87398
    published 2015-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87398
    title RHEL 6 : kernel (RHSA-2015:2636)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20151215_KERNEL_ON_SL6_X.NASL
    description - A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important) - It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) - A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important) - It was found that the Linux kernel's keys subsystem did not correctly garbage collect uninstantiated keyrings. A local attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-7872, Important) This update also fixes the following bugs : - Previously, Human Interface Device (HID) ran a report on an unaligned buffer, which could cause a page fault interrupt and an oops when the end of the report was read. This update fixes this bug by padding the end of the report with extra bytes, so the reading of the report never crosses a page boundary. As a result, a page fault and subsequent oops no longer occur. - The NFS client was previously failing to detect a directory loop for some NFS server directory structures. This failure could cause NFS inodes to remain referenced after attempting to unmount the file system, leading to a kernel crash. Loop checks have been added to VFS, which effectively prevents this problem from occurring. - Due to a race whereby the nfs_wb_pages_cancel() and nfs_commit_release_pages() calls both removed a request from the nfs_inode struct type, the kernel panicked with negative nfs_inode.npages count. The provided upstream patch performs the required serialization by holding the inode i_lock over the check of PagePrivate and locking the request, thus preventing the race and kernel panic from occurring. - Due to incorrect URB_ISO_ASAP semantics, playing an audio file using a USB sound card could previously fail for some hardware configurations. This update fixes the bug, and playing audio from a USB sound card now works as expected. - Inside hugetlb, region data structures were protected by a combination of a memory map semaphore and a single hugetlb instance mutex. However, a page-fault scalability improvement backported to the kernel on previous releases removed the single hugetlb instance mutex and introduced a new mutex table, making the locking combination insufficient, leading to possible race windows that could cause corruption and undefined behavior. This update fixes the problem by introducing a required spinlock to the region tracking functions for proper serialization. The problem only affects software using huge pages through hugetlb interface. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 87403
    published 2015-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87403
    title Scientific Linux Security Update : kernel on SL6.x i386/x86_64
redhat via4
advisories
rhsa
id RHSA-2015:2636
rpms
  • kernel-0:3.10.0-327.el7
  • kernel-abi-whitelists-0:3.10.0-327.el7
  • kernel-bootwrapper-0:3.10.0-327.el7
  • kernel-debug-0:3.10.0-327.el7
  • kernel-debug-devel-0:3.10.0-327.el7
  • kernel-devel-0:3.10.0-327.el7
  • kernel-doc-0:3.10.0-327.el7
  • kernel-headers-0:3.10.0-327.el7
  • kernel-kdump-0:3.10.0-327.el7
  • kernel-kdump-devel-0:3.10.0-327.el7
  • kernel-tools-0:3.10.0-327.el7
  • kernel-tools-libs-0:3.10.0-327.el7
  • kernel-tools-libs-devel-0:3.10.0-327.el7
  • perf-0:3.10.0-327.el7
  • python-perf-0:3.10.0-327.el7
  • kernel-rt-0:3.10.0-327.rt56.204.el7
  • kernel-rt-debug-0:3.10.0-327.rt56.204.el7
  • kernel-rt-debug-devel-0:3.10.0-327.rt56.204.el7
  • kernel-rt-devel-0:3.10.0-327.rt56.204.el7
  • kernel-rt-doc-0:3.10.0-327.rt56.204.el7
  • kernel-rt-trace-0:3.10.0-327.rt56.204.el7
  • kernel-rt-trace-devel-0:3.10.0-327.rt56.204.el7
  • kernel-0:2.6.32-573.12.1.el6
  • kernel-abi-whitelists-0:2.6.32-573.12.1.el6
  • kernel-bootwrapper-0:2.6.32-573.12.1.el6
  • kernel-debug-0:2.6.32-573.12.1.el6
  • kernel-debug-devel-0:2.6.32-573.12.1.el6
  • kernel-devel-0:2.6.32-573.12.1.el6
  • kernel-doc-0:2.6.32-573.12.1.el6
  • kernel-firmware-0:2.6.32-573.12.1.el6
  • kernel-headers-0:2.6.32-573.12.1.el6
  • kernel-kdump-0:2.6.32-573.12.1.el6
  • kernel-kdump-devel-0:2.6.32-573.12.1.el6
  • perf-0:2.6.32-573.12.1.el6
  • python-perf-0:2.6.32-573.12.1.el6
refmap via4
bid 76977
confirm
debian DSA-3372
mlist [oss-security] 20151001 CVE Request: Unauthorized access to IPC objects with SysV shm
sectrack
  • 1034094
  • 1034592
suse
  • SUSE-SU-2015:1727
  • SUSE-SU-2015:2084
  • SUSE-SU-2015:2085
  • SUSE-SU-2015:2086
  • SUSE-SU-2015:2087
  • SUSE-SU-2015:2089
  • SUSE-SU-2015:2090
  • SUSE-SU-2015:2091
ubuntu
  • USN-2761-1
  • USN-2762-1
  • USN-2763-1
  • USN-2764-1
  • USN-2765-1
  • USN-2792-1
Last major update 07-12-2016 - 22:13
Published 19-10-2015 - 06:59
Back to Top