ID CVE-2016-0728
Summary The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.
References
Vulnerable Configurations
  • Google Android Operating System 4.0
    cpe:2.3:o:google:android:4.0
  • Google Android Operating System 4.0.1
    cpe:2.3:o:google:android:4.0.1
  • Google Android Operating System 4.0.2
    cpe:2.3:o:google:android:4.0.2
  • Google Android Operating System 4.0.3
    cpe:2.3:o:google:android:4.0.3
  • Google Android Operating System 4.0.4
    cpe:2.3:o:google:android:4.0.4
  • Google Android Operating System 4.1
    cpe:2.3:o:google:android:4.1
  • Google Android Operating System 4.1.2
    cpe:2.3:o:google:android:4.1.2
  • Google Android Operating System 4.2 (Jelly Bean)
    cpe:2.3:o:google:android:4.2
  • Google Android Operating System 4.2.1
    cpe:2.3:o:google:android:4.2.1
  • Google Android Operating System 4.2.2
    cpe:2.3:o:google:android:4.2.2
  • Google Android Operating System 4.3
    cpe:2.3:o:google:android:4.3
  • Google Android Operating System 4.3.1
    cpe:2.3:o:google:android:4.3.1
  • Google Android Operating System 4.4
    cpe:2.3:o:google:android:4.4
  • Google Android Operating System 4.4.1
    cpe:2.3:o:google:android:4.4.1
  • Google Android Operating System 4.4.2
    cpe:2.3:o:google:android:4.4.2
  • Google Android Operating System 4.4.3
    cpe:2.3:o:google:android:4.4.3
  • Google Android Operating System 5.0
    cpe:2.3:o:google:android:5.0
  • Google Android 5.0.1
    cpe:2.3:o:google:android:5.0.1
  • Google Android 5.0.2
    cpe:2.3:o:google:android:5.0.2
  • Google Android 5.1
    cpe:2.3:o:google:android:5.1
  • Google Android 5.1.0
    cpe:2.3:o:google:android:5.1.0
  • Google Android 5.1.1
    cpe:2.3:o:google:android:5.1.1
  • Google Android 6.0
    cpe:2.3:o:google:android:6.0
  • Google Android 6.0.1
    cpe:2.3:o:google:android:6.0.1
  • HP Server Migration Pack 7.5
    cpe:2.3:a:hp:server_migration_pack:7.5
  • Linux Kernel 4.4
    cpe:2.3:o:linux:linux_kernel:4.4
CVSS
Base: 7.2 (as of 15-06-2016 - 10:41)
Impact:
Exploitability:
Access
  Vector: LOCAL
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
exploit-db via4
  • description Linux Kernel REFCOUNT Overflow/Use-After-Free in Keyrings. CVE-2016-0728. Local exploit for linux platform
    file exploits/linux/local/39277.c
    id EDB-ID:39277
    last seen 2016-02-04
    modified 2016-01-19
    platform linux
    port
    published 2016-01-19
    reporter Perception Point Team
    source https://www.exploit-db.com/download/39277/
    title Linux Kernel REFCOUNT Overflow/Use-After-Free in Keyrings
    type local
  • description Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (2). CVE-2016-0728. Local exploit for linux platform
    id EDB-ID:40003
    last seen 2016-06-22
    modified 2016-01-19
    published 2016-01-19
    reporter Federico Bento
    source https://www.exploit-db.com/download/40003/
    title Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root 2
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-124.NASL
    description The openSUSE 13.1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed:
      - CVE-2016-0728: A reference leak in keyring handling with join_session_keyring() could lead to local attackers gaining root privileges (bsc#962075).
      - CVE-2015-7550: A local user could have triggered a race between read and revoke in keyctl (bnc#958951).
      - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel did not verify an address length, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application (bnc#959190).
      - CVE-2015-8543: The networking implementation in the Linux kernel did not validate protocol identifiers for certain protocol families, which allowed local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application (bnc#958886).
      - CVE-2014-8989: The Linux kernel did not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allowed local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a 'negative groups' issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c (bnc#906545).
      - CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux kernel on the x86_64 platform mishandles IRET faults in processing NMIs that occurred during userspace execution, which might allow local users to gain privileges by triggering an NMI (bnc#937969).
      - CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel through 4.2.3 did not ensure that certain slot numbers are valid, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call (bnc#949936).
      - CVE-2015-8104: The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c (bnc#954404).
      - CVE-2015-5307: The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c (bnc#953527).
      - CVE-2014-9529: Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel allowed local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key (bnc#912202).
      - CVE-2015-7990: Race condition in the rds_sendmsg function in net/rds/sendmsg.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6937 (bnc#952384 953052).
      - CVE-2015-6937: The __rds_conn_create function in net/rds/connection.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound (bnc#945825).
      - CVE-2015-7885: The dgnc_mgmt_ioctl function in drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel through 4.3.3 did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel memory via a crafted application (bnc#951627).
      - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel did not validate attempted changes to the MTU value, which allowed context-dependent attackers to cause a denial of service (packet loss) via a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface, as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different vulnerability than CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager product (bnc#955354).
      - CVE-2015-8767: A case can occur when sctp_accept() is called by the user during a heartbeat timeout event after the 4-way handshake. Since sctp_assoc_migrate() changes both assoc->base.sk and assoc->ep, the bh_sock_lock in sctp_generate_heartbeat_event() will be taken with the listening socket but released with the new association socket. The result is a deadlock on any future attempts to take the listening socket lock (bsc#961509).
      - CVE-2015-8575: Validate socket address length in sco_sock_bind() to prevent information leak (bsc#959399).
      - CVE-2015-8551, CVE-2015-8552: xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled (bsc#957990).
      - CVE-2015-8550: Compiler optimizations in the XEN PV backend drivers could have led to double fetch vulnerabilities, causing denial of service or arbitrary code execution (depending on the configuration) (bsc#957988).
      The following non-security bugs were fixed:
      - ALSA: hda - Disable 64bit address for Creative HDA controllers (bnc#814440).
      - ALSA: hda - Fix noise problems on Thinkpad T440s (boo#958504).
      - Input: aiptek - fix crash on detecting device without endpoints (bnc#956708).
      - KEYS: Make /proc/keys unconditional if CONFIG_KEYS=y (boo#956934).
      - KVM: x86: update masterclock values on TSC writes (bsc#961739).
      - NFS: Fix a NULL pointer dereference of migration recovery ops for v4.2 client (bsc#960839).
      - apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task (bsc#921949).
      - blktap: also call blkif_disconnect() when frontend switched to closed (bsc#952976).
      - blktap: refine mm tracking (bsc#952976).
      - cdrom: Random writing support for BD-RE media (bnc#959568).
      - genksyms: Handle string literals with spaces in reference files (bsc#958510).
      - ipv4: Do not increase PMTU with Datagram Too Big message (bsc#955224).
      - ipv6: distinguish frag queues by device for multicast and link-local packets (bsc#955422).
      - ipv6: fix tunnel error handling (bsc#952579).
      - route: Use ipv4_mtu instead of raw rt_pmtu (bsc#955224).
      - uas: Add response iu handling (bnc#954138).
      - usbvision: fix overflow of interfaces array (bnc#950998).
      - x86/evtchn: make use of PHYSDEVOP_map_pirq.
      - xen/pciback: Do not allow MSI-X ops if PCI_COMMAND_MEMORY is not set (bsc#957990 XSA-157).
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 88545
    published 2016-02-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88545
    title openSUSE Security Update : the Linux Kernel (openSUSE-2016-124)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-5D43766E33.NASL
    description Update to latest upstream stable release, Linux v4.3.4. Elan touchpad fixes. ---- Update to 4.3.y stable series. Fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 89554
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89554
    title Fedora 22 : kernel-4.3.4-200.fc22 (2016-5d43766e33)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-136.NASL
    description The openSUSE 13.2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed:
      - CVE-2016-0728: A reference leak in keyring handling with join_session_keyring() could lead to local attackers gaining root privileges (bsc#962075).
      - CVE-2015-7550: A local user could have triggered a race between read and revoke in keyctl (bnc#958951).
      - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel did not verify an address length, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application (bnc#959190).
      - CVE-2015-8543: The networking implementation in the Linux kernel did not validate protocol identifiers for certain protocol families, which allowed local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application (bnc#958886).
      - CVE-2014-8989: The Linux kernel did not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allowed local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a 'negative groups' issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c (bnc#906545).
      - CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux kernel on the x86_64 platform mishandles IRET faults in processing NMIs that occurred during userspace execution, which might allow local users to gain privileges by triggering an NMI (bnc#937969).
      - CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel through 4.2.3 did not ensure that certain slot numbers are valid, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call (bnc#949936).
      - CVE-2015-8104: The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c (bnc#954404).
      - CVE-2015-5307: The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c (bnc#953527).
      - CVE-2014-9529: Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel allowed local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key (bnc#912202).
      - CVE-2015-7990: Race condition in the rds_sendmsg function in net/rds/sendmsg.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6937 (bnc#952384 953052).
      - CVE-2015-6937: The __rds_conn_create function in net/rds/connection.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound (bnc#945825).
      - CVE-2015-7885: The dgnc_mgmt_ioctl function in drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel through 4.3.3 did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel memory via a crafted application (bnc#951627).
      - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel did not validate attempted changes to the MTU value, which allowed context-dependent attackers to cause a denial of service (packet loss) via a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface, as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different vulnerability than CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager product (bnc#955354).
      - CVE-2015-8767: A case can occur when sctp_accept() is called by the user during a heartbeat timeout event after the 4-way handshake. Since sctp_assoc_migrate() changes both assoc->base.sk and assoc->ep, the bh_sock_lock in sctp_generate_heartbeat_event() will be taken with the listening socket but released with the new association socket. The result is a deadlock on any future attempts to take the listening socket lock (bsc#961509).
      - CVE-2015-8575: Validate socket address length in sco_sock_bind() to prevent information leak (bsc#959399).
      - CVE-2015-8551, CVE-2015-8552: xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled (bsc#957990).
      - CVE-2015-8550: Compiler optimizations in the XEN PV backend drivers could have led to double fetch vulnerabilities, causing denial of service or arbitrary code execution (depending on the configuration) (bsc#957988).
      The following non-security bugs were fixed:
      - ALSA: hda - Disable 64bit address for Creative HDA controllers (bnc#814440).
      - ALSA: hda - Fix noise problems on Thinkpad T440s (boo#958504).
      - Input: aiptek - fix crash on detecting device without endpoints (bnc#956708).
      - KEYS: Make /proc/keys unconditional if CONFIG_KEYS=y (boo#956934).
      - KVM: x86: update masterclock values on TSC writes (bsc#961739).
      - NFS: Fix a NULL pointer dereference of migration recovery ops for v4.2 client (bsc#960839).
      - apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task (bsc#921949).
      - blktap: also call blkif_disconnect() when frontend switched to closed (bsc#952976).
      - blktap: refine mm tracking (bsc#952976).
      - cdrom: Random writing support for BD-RE media (bnc#959568).
      - genksyms: Handle string literals with spaces in reference files (bsc#958510).
      - ipv4: Do not increase PMTU with Datagram Too Big message (bsc#955224).
      - ipv6: distinguish frag queues by device for multicast and link-local packets (bsc#955422).
      - ipv6: fix tunnel error handling (bsc#952579).
      - route: Use ipv4_mtu instead of raw rt_pmtu (bsc#955224).
      - uas: Add response iu handling (bnc#954138).
      - usbvision: fix overflow of interfaces array (bnc#950998).
      - x86/evtchn: make use of PHYSDEVOP_map_pirq.
      - xen/pciback: Do not allow MSI-X ops if PCI_COMMAND_MEMORY is not set (bsc#957990 XSA-157).
    last seen 2019-02-21
    modified 2018-09-04
    plugin id 88605
    published 2016-02-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88605
    title openSUSE Security Update : the Linux Kernel (openSUSE-2016-136)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0103.NASL
    description Updated kernel packages that fix three security issues, multiple bugs, and one enhancement are now available for Red Hat Enterprise Linux 7.1 Extended Update Support. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system.
      * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #DB (debug exception) is handled. A privileged user inside a guest could use this flaw to create denial of service conditions on the host kernel. (CVE-2015-8104, Important)
      * A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in a certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2016-0728, Important)
      * It was found that the fix for CVE-2015-1805 incorrectly kept buffer offset and buffer length in sync on a failed atomic read, potentially resulting in a pipe buffer state corruption. A local, unprivileged user could use this flaw to crash the system or leak kernel memory to user space. (CVE-2016-0774, Moderate)
      Red Hat would like to thank the Perception Point research team for reporting the CVE-2016-0728 issue. The security impact of the CVE-2016-0774 issue was discovered by Red Hat.
      Bug fixes:
      * NMI watchdog of guests using legacy LVT0-based NMI delivery did not work with APICv. Now, NMI works with LVT0 regardless of APICv. (BZ#1244726)
      * Parallel file-extending direct I/O writes could previously race to update the size of the file. If they executed out-of-order, the file size could move backwards and push a previously completed write beyond the end of the file, causing it to be lost. (BZ#1258942)
      * The GHES NMI handler had a global spin lock that significantly increased the latency of each perf sample collection. This update simplifies locking inside the handler. (BZ#1280200)
      * Sometimes, iptables rules are updated along with ip rules, and routes are reloaded. Previously, skb->sk was mistakenly attached to some IPv6 forwarding traffic packets, which could cause kernel panic. Now, such packets are checked and not processed. (BZ#1281700)
      * The NUMA node was not reported for PCI adapters, which affected every POWER system deployed with Red Hat Enterprise Linux 7 and caused significant decrease in the system performance. (BZ#1283525)
      * Processing packets with a lot of different IPv6 source addresses caused the kernel to return warnings concerning soft-lockups due to high lock contention and latency increase. (BZ#1285369)
      * Running edge triggered interrupts with an ack notifier when simultaneously reconfiguring the Intel I/O IOAPIC did not work correctly, so EOI in the interrupt did not cause a VM to exit if APICv was enabled. Consequently, the VM sometimes became unresponsive. (BZ#1287001)
      * Block device readahead was artificially limited, so the read performance was poor, especially on RAID devices. Now, per-device readahead limits are used for each device, which has improved read performance. (BZ#1287548)
      * Identical expectations could not be tracked simultaneously even if they resided in different connection tracking zones. Now, an expectation insert attempt is rejected only if the zone is also identical. (BZ#1290093)
      * The storvsc kernel driver for Microsoft Hyper-V storage was setting incorrect SRB flags, and Red Hat Enterprise Linux 7 guests running on Microsoft Hyper-V were experiencing slow I/O as well as I/O failures when they were connected to a virtual SAN. Now, SRB flags are set correctly. (BZ#1290095)
      * When a NUMA system with no memory in node 0 was used, the system terminated unexpectedly during boot or when using OpenVSwitch. Now, the kernel tries to allocate memory from other nodes when node 0 is not present. (BZ#1300950)
      Enhancement:
      * IPsec has been updated to provide many fixes and some enhancements. Of particular note is the ability to match on outgoing interfaces. (BZ#1287407)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 88558
    published 2016-02-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88558
    title RHEL 7 : kernel (RHSA-2016:0103)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-B59FD603BE.NASL
    description Backported i915, networking, and nouveau fixes tagged for stable from 4.4 upstream. Assorted fixes elsewhere. ---- A few bug fixes and backports of all the i915 patches queued for stable from 4.4. ---- A number of fixes across the tree Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 89600
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89600
    title Fedora 23 : kernel-4.3.3-303.fc23 (2016-b59fd603be)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0064.NASL
    description Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in a certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2016-0728, Important) Red Hat would like to thank the Perception Point research team for reporting this issue. All kernel users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 88173
    published 2016-01-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88173
    title RHEL 7 : kernel (RHSA-2016:0064)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0065.NASL
    description Updated kernel-rt packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in a certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2016-0728, Important) Red Hat would like to thank the Perception Point research team for reporting this issue. All kernel-rt users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 88574
    published 2016-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88574
    title RHEL 7 : kernel-rt (RHSA-2016:0065)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-3510.NASL
    description Description of changes:
      kernel-uek [4.1.12-32.1.2.el7uek]
      - KEYS: Fix keyring ref leak in join_session_keyring() (Yevgeny Pats) [Orabug: 22563965] {CVE-2016-0728}
      [4.1.12-32.1.1.el7uek]
      - ocfs2: return non-zero st_blocks for inline data (John Haxby) [Orabug: 22218243]
      - xen/events/fifo: Consume unprocessed events when a CPU dies (Ross Lagerwall) [Orabug: 22498877]
      - Revert 'xen/fb: allow xenfb initialization for hvm guests' (Konrad Rzeszutek Wilk)
      - xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not set. (Konrad Rzeszutek Wilk)
      - xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled. (Konrad Rzeszutek Wilk)
      - xen/pciback: Do not install an IRQ handler for MSI interrupts. (Konrad Rzeszutek Wilk)
      - xen/pciback: Return error on XEN_PCI_OP_enable_msix when device has MSI or MSI-X enabled (Konrad Rzeszutek Wilk)
      - xen/pciback: Return error on XEN_PCI_OP_enable_msi when device has MSI or MSI-X enabled (Konrad Rzeszutek Wilk)
      - xen/pciback: Save xen_pci_op commands before processing it (Konrad Rzeszutek Wilk)
      - xen-scsiback: safely copy requests (David Vrabel)
      - xen-blkback: read from indirect descriptors only once (Roger Pau Monné)
      - xen-blkback: only read request operation from shared ring once (Roger Pau Monné)
      - xen-netback: use RING_COPY_REQUEST() throughout (David Vrabel)
      - xen-netback: don't use last request to determine minimum Tx credit (David Vrabel)
      - xen: Add RING_COPY_REQUEST() (David Vrabel)
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 88033
    published 2016-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88033
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3510)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160125_KERNEL_ON_SL7_X.NASL
    description * A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in a certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2016-0728, Important) The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 88174
    published 2016-01-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88174
    title Scientific Linux Security Update : kernel on SL7.x x86_64
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3448.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation or denial-of-service.
      - CVE-2013-4312: Tetsuo Handa discovered that it is possible for a process to open far more files than the process' limit leading to denial-of-service conditions.
      - CVE-2015-7566: Ralf Spenneberg of OpenSource Security reported that the visor driver crashes when a specially crafted USB device without bulk-out endpoint is detected.
      - CVE-2015-8767: An SCTP denial-of-service was discovered which can be triggered by a local attacker during a heartbeat timeout event after the 4-way handshake.
      - CVE-2016-0723: A use-after-free vulnerability was discovered in the TIOCGETD ioctl. A local attacker could use this flaw for denial-of-service.
      - CVE-2016-0728: The Perception Point research team discovered a use-after-free vulnerability in the keyring facility, possibly leading to local privilege escalation.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87995
    published 2016-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87995
    title Debian DSA-3448-1 : linux - security update
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2872-3.NASL
    description Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 88016
    published 2016-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88016
    title Ubuntu 15.10 : linux-raspi2 vulnerability (USN-2872-3)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2871-1.NASL
    description Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 88012
    published 2016-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88012
    title Ubuntu 15.04 : linux vulnerability (USN-2871-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0068.NASL
    description Updated kernel-rt packages that fix one security issue are now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in a certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2016-0728, Important) Red Hat would like to thank the Perception Point research team for reporting this issue. All kernel-rt users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 88405
    published 2016-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88405
    title RHEL 6 : MRG (RHSA-2016:0068)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-0205-1.NASL
    description The SUSE Linux Enterprise 12 kernel was updated to receive a security fix. The following security bug was fixed: - A reference leak in keyring handling with join_session_keyring() could lead to local attackers gaining root privileges. (bsc#962075, CVE-2016-0728). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 88144
    published 2016-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88144
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:0205-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2873-1.NASL
    description Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 88017
    published 2016-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88017
    title Ubuntu 14.04 LTS : linux-lts-utopic vulnerability (USN-2873-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0005.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates: - KEYS: Fix keyring ref leak in join_session_keyring (Yevgeny Pats) [Orabug: 22563965] (CVE-2016-0728) - KEYS: Don't permit request_key to construct a new keyring (David Howells) [Orabug: 22373442] (CVE-2015-7872) - dcache: Handle escaped paths in prepend_path (Eric W. Biederman) - vfs: Test for and handle paths that are unreachable from their mnt_root (Eric W. Biederman) [Orabug: 22249875] - KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring (David Howells) [Orabug: 22373442] (CVE-2015-7872) - KEYS: Fix race between key destruction and finding a keyring by name (David Howells) [Orabug: 22373442]
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 88034
    published 2016-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88034
    title OracleVM 3.3 : kernel-uek (OVMSA-2016-0005)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-3509.NASL
    description Description of changes: kernel-uek [3.8.13-118.2.5.el7uek] - KEYS: Fix keyring ref leak in join_session_keyring() (Yevgeny Pats) [Orabug: 22563965] {CVE-2016-0728}
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 88032
    published 2016-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88032
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3509)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2870-2.NASL
    description Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 88011
    published 2016-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88011
    title Ubuntu 12.04 LTS : linux-lts-trusty vulnerability (USN-2870-2)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2872-2.NASL
    description Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 88015
    published 2016-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88015
    title Ubuntu 14.04 LTS : linux-lts-wily vulnerability (USN-2872-2)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2872-1.NASL
    description Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 88014
    published 2016-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88014
    title Ubuntu 15.10 : linux vulnerability (USN-2872-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2871-2.NASL
    description Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 88013
    published 2016-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88013
    title Ubuntu 14.04 LTS : linux-lts-vivid vulnerability (USN-2871-2)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-0186-1.NASL
    description The SUSE Linux Enterprise 12 SP1 kernel was updated to receive a security fix. The following security bug was fixed: - A reference leak in keyring handling with join_session_keyring() could lead to local attackers gaining root privileges. (bsc#962075, CVE-2016-0728). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 88140
    published 2016-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88140
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:0186-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-116.NASL
    description The Linux kernel for openSUSE Leap 42.1 was updated to the 4.1.15 stable release, and also includes security and bug fixes. The following security bugs were fixed:
      - CVE-2016-0728: A reference leak in keyring handling with join_session_keyring() could lead to local attackers gaining root privileges. (bsc#962075).
      - CVE-2015-7550: A local user could have triggered a race between read and revoke in keyctl (bnc#958951).
      - CVE-2015-8767: A case can occur when sctp_accept() is called by the user during a heartbeat timeout event after the 4-way handshake. Since sctp_assoc_migrate() changes both assoc->base.sk and assoc->ep, the bh_sock_lock in sctp_generate_heartbeat_event() will be taken with the listening socket but released with the new association socket. The result is a deadlock on any future attempts to take the listening socket lock. (bsc#961509)
      - CVE-2015-8539: A negatively instantiated user key could have been used by a local user to leverage privileges (bnc#958463).
      - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel did not verify an address length, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application (bnc#959190).
      - CVE-2015-8543: The networking implementation in the Linux kernel did not validate protocol identifiers for certain protocol families, which allowed local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application (bnc#958886).
      - CVE-2015-8575: Validate socket address length in sco_sock_bind() to prevent information leak (bsc#959399).
      - CVE-2015-8551, CVE-2015-8552: xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled (bsc#957990).
      - CVE-2015-8550: Compiler optimizations in the XEN PV backend drivers could have led to double fetch vulnerabilities, causing denial of service or arbitrary code execution (depending on the configuration) (bsc#957988).
    The following non-security bugs were fixed:
      - ALSA: hda - Add a fixup for Thinkpad X1 Carbon 2nd (bsc#958439).
      - ALSA: hda - Apply click noise workaround for Thinkpads generically (bsc#958439).
      - ALSA: hda - Fix noise problems on Thinkpad T440s (boo#958504).
      - ALSA: hda - Flush the pending probe work at remove (boo#960710).
      - ALSA: hda - Set codec to D3 at reboot/shutdown on Thinkpads (bsc#958439).
      - Add Cavium Thunderx network enhancements
      - Add RHEL to kernel-obs-build
      - Backport amd xgbe fixes and features
      - Backport arm64 patches from SLE12-SP1-ARM.
      - Btrfs: fix the number of transaction units needed to remove a block group (bsc#950178).
      - Btrfs: use global reserve when deleting unused block group after ENOSPC (bsc#950178).
      - Documentation: nousb is a module parameter (bnc#954324).
      - Driver for IBM System i/p VNIC protocol.
      - Enable CONFIG_PINCTRL_CHERRYVIEW (boo#954532). Needed for recent tablets/laptops. CONFIG_PINCTRL_BAYTRAIL is still disabled as it can't be built as a module.
      - Fix PCI generic host controller
      - Fix kABI breakage for max_dev_sectors addition to queue_limits (boo#961263).
      - HID: multitouch: Fetch feature reports on demand for Win8 devices (boo#954532).
      - HID: multitouch: fix input mode switching on some Elan panels (boo#954532).
      - Implement enable/disable for Display C6 state (boo#960021).
      - Input: aiptek - fix crash on detecting device without endpoints (bnc#956708).
      - Linux 4.1.15 (boo#954647 bsc#955422).
      - Move kabi patch to patches.kabi directory
      - Obsolete compat-wireless, rts5229 and rts_pstor KMPs. These are found in SLE11-SP3, now replaced with the upstream drivers.
      - PCI: generic: Pass starting bus number to pci_scan_root_bus().
      - Revert 'block: remove artifical max_hw_sectors cap' (boo#961263).
      - Set system time through RTC device
      - Update arm64 config files. Enabled DRM_AST in the vanilla kernel since it is now enabled in the default kernel.
      - Update config files: CONFIG_IBMVNIC=m
      - block/sd: Fix device-imposed transfer length limits (boo#961263).
      - block: bump BLK_DEF_MAX_SECTORS to 2560 (boo#961263).
      - drm/i915/skl: Add DC5 Trigger Sequence (boo#960021).
      - drm/i915/skl: Add DC6 Trigger sequence (boo#960021).
      - drm/i915/skl: Add support to load SKL CSR firmware (boo#960021).
      - drm/i915/skl: Add the INIT power domain to the MISC I/O power well (boo#960021).
      - drm/i915/skl: Deinit/init the display at suspend/resume (boo#960021).
      - drm/i915/skl: Fix DMC API version in firmware file name (boo#960021).
      - drm/i915/skl: Fix WaDisableChickenBitTSGBarrierAckForFFSliceCS (boo#960021).
      - drm/i915/skl: Fix stepping check for a couple of W/As (boo#960021).
      - drm/i915/skl: Fix the CTRL typo in the DPLL_CRTL1 defines (boo#960021).
      - drm/i915/skl: Implement WaDisableVFUnitClockGating (boo#960021).
      - drm/i915/skl: Implement enable/disable for Display C5 state (boo#960021).
      - drm/i915/skl: Make the Misc I/O power well part of the PLLS domain (boo#960021).
      - drm/i915/skl: add F0 stepping ID (boo#960021).
      - drm/i915/skl: enable WaForceContextSaveRestoreNonCoherent (boo#960021).
      - drm/i915: Clear crtc atomic flags at beginning of transaction (boo#960021).
      - drm/i915: Fix CSR MMIO address check (boo#960021).
      - drm/i915: Switch to full atomic helpers for plane updates/disable, take two (boo#960021).
      - drm/i915: set CDCLK if DPLL0 enabled during resuming from S3 (boo#960021).
      - ethernet/atheros/alx: sanitize buffer sizing and padding (boo#952621).
      - genksyms: Handle string literals with spaces in reference files (bsc#958510).
      - group-source-files: mark module.lds as devel file (ld: cannot open linker script file /usr/src/linux-4.2.5-1/arch/arm/kernel/module.lds: No such file or directory)
      - hwrng: core - sleep interruptible in read (bnc#962597).
      - ipv6: distinguish frag queues by device for multicast and link-local packets (bsc#955422).
      - kABI fixes for linux-4.1.15.
      - rpm/compute-PATCHVERSION.sh: Skip stale directories in the package dir
      - rpm/constraints.in: Bump disk space requirements up a bit. Require 10GB on s390x, 20GB elsewhere.
      - rpm/constraints.in: Require 14GB worth of disk space on POWER. The builds started to fail randomly due to ENOSPC errors.
      - rpm/kernel-binary.spec.in: Do not explicitly set DEBUG_SECTION_MISMATCH. CONFIG_DEBUG_SECTION_MISMATCH is a selectable Kconfig option since 2.6.39 and is enabled in our configs.
      - rpm/kernel-binary.spec.in: Do not obsolete ocfs2-kmp (bnc#865259)
      - rpm/kernel-binary.spec.in: Fix build if no UEFI certs are installed
      - rpm/kernel-binary.spec.in: Install libopenssl-devel for newer sign-file
      - rpm/kernel-binary.spec.in: No scriptlets in kernel-zfcpdump. The kernel should not be added to the bootloader nor are there any KMPs.
      - rpm/kernel-binary.spec.in: Obsolete the -base package from SLE11 (bnc#865096)
      - rpm/kernel-binary.spec.in: Use parallel make in all invocations. Also, remove the lengthy comment, since we are using a standard rpm macro now.
      - thinkpad_acpi: Do not yell on unsupported brightness interfaces (boo#957152).
      - usb: make 'nousb' a clear module parameter (bnc#954324).
      - usbvision fix overflow of interfaces array (bnc#950998).
      - x86/microcode/amd: Do not overwrite final patch levels (bsc#913996).
      - x86/microcode/amd: Extract current patch level read to a function (bsc#913996).
      - xen/pciback: Do not allow MSI-X ops if PCI_COMMAND_MEMORY is not set (bsc#957990 XSA-157).
      - xhci: refuse loading if nousb is used (bnc#954324).
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 88542
    published 2016-02-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88542
    title openSUSE Security Update : the Linux Kernel (openSUSE-2016-116)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-0064.NASL
    description Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in a certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2016-0728, Important) Red Hat would like to thank the Perception Point research team for reporting this issue. All kernel users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 88148
    published 2016-01-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88148
    title CentOS 7 : kernel (CESA-2016:0064)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-0064.NASL
    description From Red Hat Security Advisory 2016:0064 : Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in a certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2016-0728, Important) Red Hat would like to thank the Perception Point research team for reporting this issue. All kernel users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 88168
    published 2016-01-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88168
    title Oracle Linux 7 : kernel (ELSA-2016-0064)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0057.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates: please see Oracle VM Security Advisory OVMSA-2017-0057 for details.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 99163
    published 2017-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99163
    title OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2870-1.NASL
    description Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 88010
    published 2016-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88010
    title Ubuntu 14.04 LTS : linux vulnerability (USN-2870-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-642.NASL
    description Perception Point Research identified a use-after-free vulnerability, representing a local privilege escalation vulnerability in the Linux kernel. Their post contains a detailed analysis of the bug. kernel-4.1.13-19.30.amzn1 and earlier versions are impacted.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 87991
    published 2016-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87991
    title Amazon Linux AMI : kernel (ALAS-2016-642)
packetstorm via4
data source https://packetstormsecurity.com/files/download/135330/linuxrefcount-uaf.txt
id PACKETSTORM:135330
last seen 2016-12-05
published 2016-01-20
reporter Perception Point Team
source https://packetstormsecurity.com/files/135330/Linux-Kernel-REFCOUNT-Overflow-Use-After-Free.html
title Linux Kernel REFCOUNT Overflow / Use-After-Free
redhat via4
advisories
  • bugzilla
    id 1297475
    title CVE-2016-0728 kernel: Possible use-after-free vulnerability in keyring facility
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment kernel is earlier than 0:3.10.0-327.4.5.el7
          oval oval:com.redhat.rhsa:tst:20160064023
        • comment kernel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842006
      • AND
        • comment kernel-abi-whitelists is earlier than 0:3.10.0-327.4.5.el7
          oval oval:com.redhat.rhsa:tst:20160064005
        • comment kernel-abi-whitelists is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131645028
      • AND
        • comment kernel-bootwrapper is earlier than 0:3.10.0-327.4.5.el7
          oval oval:com.redhat.rhsa:tst:20160064027
        • comment kernel-bootwrapper is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842010
      • AND
        • comment kernel-debug is earlier than 0:3.10.0-327.4.5.el7
          oval oval:com.redhat.rhsa:tst:20160064019
        • comment kernel-debug is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842012
      • AND
        • comment kernel-debug-devel is earlier than 0:3.10.0-327.4.5.el7
          oval oval:com.redhat.rhsa:tst:20160064009
        • comment kernel-debug-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842014
      • AND
        • comment kernel-devel is earlier than 0:3.10.0-327.4.5.el7
          oval oval:com.redhat.rhsa:tst:20160064025
        • comment kernel-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842016
      • AND
        • comment kernel-doc is earlier than 0:3.10.0-327.4.5.el7
          oval oval:com.redhat.rhsa:tst:20160064007
        • comment kernel-doc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842024
      • AND
        • comment kernel-headers is earlier than 0:3.10.0-327.4.5.el7
          oval oval:com.redhat.rhsa:tst:20160064011
        • comment kernel-headers is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842008
      • AND
        • comment kernel-kdump is earlier than 0:3.10.0-327.4.5.el7
          oval oval:com.redhat.rhsa:tst:20160064013
        • comment kernel-kdump is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842018
      • AND
        • comment kernel-kdump-devel is earlier than 0:3.10.0-327.4.5.el7
          oval oval:com.redhat.rhsa:tst:20160064017
        • comment kernel-kdump-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842020
      • AND
        • comment kernel-tools is earlier than 0:3.10.0-327.4.5.el7
          oval oval:com.redhat.rhsa:tst:20160064029
        • comment kernel-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678010
      • AND
        • comment kernel-tools-libs is earlier than 0:3.10.0-327.4.5.el7
          oval oval:com.redhat.rhsa:tst:20160064033
        • comment kernel-tools-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678012
      • AND
        • comment kernel-tools-libs-devel is earlier than 0:3.10.0-327.4.5.el7
          oval oval:com.redhat.rhsa:tst:20160064031
        • comment kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678020
      • AND
        • comment perf is earlier than 0:3.10.0-327.4.5.el7
          oval oval:com.redhat.rhsa:tst:20160064015
        • comment perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842022
      • AND
        • comment python-perf is earlier than 0:3.10.0-327.4.5.el7
          oval oval:com.redhat.rhsa:tst:20160064021
        • comment python-perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111530020
    rhsa
    id RHSA-2016:0064
    released 2016-01-25
    severity Important
    title RHSA-2016:0064: kernel security update (Important)
  • bugzilla
    id 1297475
    title CVE-2016-0728 kernel: Possible use-after-free vulnerability in keyring facility
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment kernel-rt is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2
          oval oval:com.redhat.rhsa:tst:20160065013
        • comment kernel-rt is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727006
      • AND
        • comment kernel-rt-debug is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2
          oval oval:com.redhat.rhsa:tst:20160065015
        • comment kernel-rt-debug is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727014
      • AND
        • comment kernel-rt-debug-devel is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2
          oval oval:com.redhat.rhsa:tst:20160065017
        • comment kernel-rt-debug-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727016
      • AND
        • comment kernel-rt-devel is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2
          oval oval:com.redhat.rhsa:tst:20160065011
        • comment kernel-rt-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727012
      • AND
        • comment kernel-rt-doc is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2
          oval oval:com.redhat.rhsa:tst:20160065005
        • comment kernel-rt-doc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727018
      • AND
        • comment kernel-rt-trace is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2
          oval oval:com.redhat.rhsa:tst:20160065007
        • comment kernel-rt-trace is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727008
      • AND
        • comment kernel-rt-trace-devel is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2
          oval oval:com.redhat.rhsa:tst:20160065009
        • comment kernel-rt-trace-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727010
    rhsa
    id RHSA-2016:0065
    released 2016-01-25
    severity Important
    title RHSA-2016:0065: kernel-rt security update (Important)
  • rhsa
    id RHSA-2016:0068
rpms
  • kernel-0:3.10.0-327.4.5.el7
  • kernel-abi-whitelists-0:3.10.0-327.4.5.el7
  • kernel-bootwrapper-0:3.10.0-327.4.5.el7
  • kernel-debug-0:3.10.0-327.4.5.el7
  • kernel-debug-devel-0:3.10.0-327.4.5.el7
  • kernel-devel-0:3.10.0-327.4.5.el7
  • kernel-doc-0:3.10.0-327.4.5.el7
  • kernel-headers-0:3.10.0-327.4.5.el7
  • kernel-kdump-0:3.10.0-327.4.5.el7
  • kernel-kdump-devel-0:3.10.0-327.4.5.el7
  • kernel-tools-0:3.10.0-327.4.5.el7
  • kernel-tools-libs-0:3.10.0-327.4.5.el7
  • kernel-tools-libs-devel-0:3.10.0-327.4.5.el7
  • perf-0:3.10.0-327.4.5.el7
  • python-perf-0:3.10.0-327.4.5.el7
  • kernel-rt-0:3.10.0-327.4.5.rt56.206.el7_2
  • kernel-rt-debug-0:3.10.0-327.4.5.rt56.206.el7_2
  • kernel-rt-debug-devel-0:3.10.0-327.4.5.rt56.206.el7_2
  • kernel-rt-devel-0:3.10.0-327.4.5.rt56.206.el7_2
  • kernel-rt-doc-0:3.10.0-327.4.5.rt56.206.el7_2
  • kernel-rt-trace-0:3.10.0-327.4.5.rt56.206.el7_2
  • kernel-rt-trace-devel-0:3.10.0-327.4.5.rt56.206.el7_2
refmap via4
bid 81054
confirm
debian DSA-3448
exploit-db 39277
fedora
  • FEDORA-2016-5d43766e33
  • FEDORA-2016-b59fd603be
hp HPSBHF03436
misc http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
mlist [oss-security] 20160119 Linux kernel: use after free in keyring facility.
sectrack 1034701
suse
  • SUSE-SU-2016:0205
  • SUSE-SU-2016:0341
  • SUSE-SU-2016:0745
  • SUSE-SU-2016:0746
  • SUSE-SU-2016:0747
  • SUSE-SU-2016:0750
  • SUSE-SU-2016:0751
  • SUSE-SU-2016:0752
  • SUSE-SU-2016:0753
  • SUSE-SU-2016:0755
  • SUSE-SU-2016:0756
  • SUSE-SU-2016:0757
ubuntu
  • USN-2870-1
  • USN-2870-2
  • USN-2871-1
  • USN-2871-2
  • USN-2872-1
  • USN-2872-2
  • USN-2872-3
  • USN-2873-1
the hacker news via4
id THN:2F321B0D3CF635D0F8D272948E9B31C9
last seen 2018-01-27
modified 2016-01-22
published 2016-01-19
reporter Mohit Kumar
source https://thehackernews.com/2016/01/linux-kernel-hacker.html
title Zero-Day Flaw Found in 'Linux Kernel' leaves Millions Vulnerable
Last major update 05-12-2016 - 22:05
Published 07-02-2016 - 22:59
Last modified 09-11-2017 - 21:29