nessus
NASL family | Oracle Linux Local Security Checks | NASL id | ORACLELINUX_ELSA-2017-2930-1.NASL | description | Description of changes:
- [3.10.0-693.5.2.0.1.el7.OL7]
- [ipc] ipc/sem.c: bugfix for semctl(,,GETZCNT) (Manfred Spraul) [orabug
22552377]
- Oracle Linux certificates (Alexey Petrenko)
- Oracle Linux RHCK Module Signing Key was compiled into kernel
(olkmod_signing_key.x509)(alexey.petrenko at oracle.com)
- Update x509.genkey [bug 24817676]
[3.10.0-693.5.2.el7]
- [mm] page_cgroup: Fix Kernel bug during boot with memory cgroups
enabled (Larry Woodman) [1491970 1483747]
- Revert: [mm] Fix Kernel bug during boot with memory cgroups enabled
(Larry Woodman) [1491970 1483747]
[3.10.0-693.5.1.el7]
- [netdrv] i40e: point wb_desc at the nvm_wb_desc during
i40e_read_nvm_aq (Stefan Assmann) [1491972 1484232]
- [netdrv] i40e: avoid NVM acquire deadlock during NVM update (Stefan
Assmann) [1491972 1484232]
- [mm] Fix Kernel bug during boot with memory cgroups enabled (Larry
Woodman) [1491970 1483747]
- [fs] nfsv4: Ensure we don't re-test revoked and freed stateids (Dave
Wysochanski) [1491969 1459733]
- [netdrv] bonding: commit link status change after propose (Jarod
Wilson) [1491121 1469790]
- [mm] page_alloc: ratelimit PFNs busy info message (Jonathan Toppins)
[1491120 1383179]
- [netdrv] cxgb4: avoid crash on PCI error recovery path (Gustavo
Duarte) [1489872 1456990]
- [scsi] Add STARGET_CREATED_REMOVE state to scsi_target_state (Ewan
Milne) [1489814 1468727]
- [net] tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Davide
Caratti) [1488341 1487061] {CVE-2017-14106}
- [net] tcp: fix 0 divide in __tcp_select_window() (Davide Caratti)
[1488341 1487061] {CVE-2017-14106}
- [net] sctp: Avoid out-of-bounds reads from address storage (Stefano
Brivio) [1484356 1484355] {CVE-2017-7558}
- [net] udp: consistently apply ufo or fragmentation (Davide Caratti)
[1481530 1481535] {CVE-2017-1000112}
- [net] udp: account for current skb length when deciding about UFO
(Davide Caratti) [1481530 1481535] {CVE-2017-1000112}
- [net] ipv4: Should use consistent conditional judgement for ip
fragment in __ip_append_data and ip_finish_output (Davide Caratti)
[1481530 1481535] {CVE-2017-1000112}
- [net] udp: avoid ufo handling on IP payload compression packets
(Stefano Brivio) [1490263 1464161]
- [pci] hv: Use vPCI protocol version 1.2 (Vitaly Kuznetsov) [1478256
1459202]
- [pci] hv: Add vPCI version protocol negotiation (Vitaly Kuznetsov)
[1478256 1459202]
- [pci] hv: Use page allocation for hbus structure (Vitaly Kuznetsov)
[1478256 1459202]
- [pci] hv: Fix comment formatting and use proper integer fields (Vitaly
Kuznetsov) [1478256 1459202]
- [net] ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()
(Stefano Brivio) [1477007 1477010] {CVE-2017-7542}
- [net] ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina
Dubroca) [1477007 1477010] {CVE-2017-7542}
- [net] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
(Hannes Frederic Sowa) [1435672 1435670] {CVE-2017-7184}
- [net] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL
replay_window (Hannes Frederic Sowa) [1435672 1435670] {CVE-2017-7184}
- [net] l2cap: prevent stack overflow on incoming bluetooth packet (Neil
Horman) [1489788 1489789] {CVE-2017-1000251}
[3.10.0-693.4.1.el7]
- [fs] nfsv4: Add missing nfs_put_lock_context() (Benjamin Coddington)
[1487271 1476826]
- [fs] nfs: discard nfs_lockowner structure (Benjamin Coddington)
[1487271 1476826]
- [fs] nfsv4: enhance nfs4_copy_lock_stateid to use a flock stateid if
there is one (Benjamin Coddington) [1487271 1476826]
- [fs] nfsv4: change nfs4_select_rw_stateid to take a lock_context
inplace of lock_owner (Benjamin Coddington) [1487271 1476826]
- [fs] nfsv4: change nfs4_do_setattr to take an open_context instead of
a nfs4_state (Benjamin Coddington) [1487271 1476826]
- [fs] nfsv4: add flock_owner to open context (Benjamin Coddington)
[1487271 1476826]
- [fs] nfs: remove l_pid field from nfs_lockowner (Benjamin Coddington)
[1487271 1476826]
- [x86] platform/uv/bau: Disable BAU on single hub configurations (Frank
Ramsay) [1487159 1487160 1472455 1473353]
- [x86] platform/uv/bau: Fix congested_response_us not taking effect
(Frank Ramsay) [1487159 1472455]
- [fs] cifs: Disable encryption capability for RHEL 7.4 kernel (Sachin
Prabhu) [1485445 1485445]
- [fs] sunrpc: Handle EADDRNOTAVAIL on connection failures (Dave
Wysochanski) [1484269 1479043]
- [fs] include/linux/printk.h: include pr_fmt in pr_debug_ratelimited
(Sachin Prabhu) [1484267 1472823]
- [fs] printk: pr_debug_ratelimited: check state first to reduce
'callbacks suppressed' messages (Sachin Prabhu) [1484267 1472823]
- [net] packet: fix tp_reserve race in packet_set_ring (Stefano Brivio)
[1481938 1481940] {CVE-2017-1000111}
- [fs] proc: revert /proc//maps [stack:TID] annotation (Waiman
Long) [1481724 1448534]
- [net] ping: check minimum size on ICMP header length (Matteo Croce)
[1481578 1481573] {CVE-2016-8399}
- [ipc] mqueue: fix a use-after-free in sys_mq_notify() (Davide Caratti)
[1476128 1476126] {CVE-2017-11176}
- [netdrv] brcmfmac: fix possible buffer overflow in
brcmf_cfg80211_mgmt_tx() (Stanislaw Gruszka) [1474778 1474784]
{CVE-2017-7541}
[3.10.0-693.3.1.el7]
- [block] blk-mq-tag: fix wakeup hang after tag resize (Ming Lei)
[1487281 1472434] | last seen | 2019-01-16 | modified | 2018-09-17 | plugin id | 104088 | published | 2017-10-23 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=104088 | title | Oracle Linux 7 : kernel (ELSA-2017-2930-1) (BlueBorne) |
NASL family | Junos Local Security Checks | NASL id | JUNIPER_SPACE_JSA_10838.NASL | description | According to its self-reported version number, the remote Junos Space
version is prior to 17.2R1. It is, therefore, affected by multiple
vulnerabilities. | last seen | 2019-01-16 | modified | 2018-08-03 | plugin id | 108520 | published | 2018-03-21 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=108520 | title | Juniper Junos Space < 17.2R1 Multiple Vulnerabilities (JSA10838) |
NASL family | Virtuozzo Local Security Checks | NASL id | VIRTUOZZO_VZA-2017-076.NASL | description | According to the versions of the parallels-server-bm-release /
vzkernel / etc packages installed, the Virtuozzo installation on the
remote host is affected by the following vulnerabilities :
- An integer overflow vulnerability in
ip6_find_1stfragopt() function was found. A local
attacker that has privileges (of CAP_NET_RAW) to open
raw socket can cause an infinite loop inside the
ip6_find_1stfragopt() function.
- Race condition in fs/timerfd.c in the Linux kernel
before 4.10.15 allows local users to gain privileges or
cause a denial of service (list corruption or
use-after-free) via simultaneous file-descriptor
operations that leverage improper might_cancel
queueing.
- A race condition issue leading to a use-after-free flaw
was found in the way the raw packet sockets are
implemented in the Linux kernel networking subsystem
handling synchronization. A local user able to open a
raw packet socket (requires the CAP_NET_RAW capability)
could use this flaw to elevate their privileges on the
system.
- Andrey Konovalov discovered a race condition in the UDP
Fragmentation Offload (UFO) code in the Linux kernel. A
local attacker could use this to cause a denial of
service or execute arbitrary code.
- Kernel memory corruption due to a buffer overflow was
found in brcmf_cfg80211_mgmt_tx() function in Linux
kernels from v3.9-rc1 to v4.13-rc1. The vulnerability
can be triggered by sending a crafted NL80211_CMD_FRAME
packet via netlink. This flaw is unlikely to be
triggered remotely as certain userspace code is needed
for this. An unprivileged local user could use this
flaw to induce kernel memory corruption on the system,
leading to a crash. Due to the nature of the flaw,
privilege escalation cannot be fully ruled out,
although we believe it is unlikely.
- The mq_notify function in the Linux kernel through
4.11.9 does not set the sock pointer to NULL upon entry
into the retry logic. During a user-space close of a
Netlink socket, it allows attackers to possibly cause a
situation where a value may be used after being freed
(use after free) which may lead to memory corruption or
other unspecified other impact.
- The tcp_disconnect function in net/ipv4/tcp.c in the
Linux kernel before 4.12 allows local users to cause a
denial of service (__tcp_select_window divide-by-zero
error and system crash) by triggering a disconnect
within a certain tcp_recvmsg code path.
Note that Tenable Network Security has extracted the preceding
description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues. | last seen | 2019-01-16 | modified | 2019-01-14 | plugin id | 102922 | published | 2017-09-05 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102922 | title | Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2017-076) |
NASL family | Virtuozzo Local Security Checks | NASL id | VIRTUOZZO_VZA-2017-072.NASL | description | According to the version of the vzkernel package and the
readykernel-patch installed, the Virtuozzo installation on the remote
host is affected by the following vulnerabilities :
- A race condition issue leading to a use-after-free flaw
was found in the way the raw packet sockets are
implemented in the Linux kernel networking subsystem
handling synchronization. A local user able to open a
raw packet socket (requires the CAP_NET_RAW capability)
could use this flaw to elevate their privileges on the
system.
- Andrey Konovalov discovered a race condition in the UDP
Fragmentation Offload (UFO) code in the Linux kernel. A
local attacker could use this to cause a denial of
service or execute arbitrary code.
Note that Tenable Network Security has extracted the preceding
description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues. | last seen | 2019-01-16 | modified | 2019-01-14 | plugin id | 102592 | published | 2017-08-21 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102592 | title | Virtuozzo 7 : readykernel-patch (VZA-2017-072) |
NASL family | Ubuntu Local Security Checks | NASL id | UBUNTU_USN-3384-2.NASL | description | USN-3384-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.
Andrey Konovalov discovered a race condition in the UDP Fragmentation
Offload (UFO) code in the Linux kernel. A local attacker could use
this to cause a denial of service or execute arbitrary code.
(CVE-2017-1000112)
Andrey Konovalov discovered a race condition in AF_PACKET socket
option handling code in the Linux kernel. A local unprivileged
attacker could use this to cause a denial of service or possibly
execute arbitrary code. (CVE-2017-1000111).
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-12-01 | plugin id | 102419 | published | 2017-08-11 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102419 | title | Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3384-2) |
NASL family | Ubuntu Local Security Checks | NASL id | UBUNTU_USN-3385-2.NASL | description | USN-3385-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
Andrey Konovalov discovered a race condition in the UDP Fragmentation
Offload (UFO) code in the Linux kernel. A local attacker could use
this to cause a denial of service or execute arbitrary code.
(CVE-2017-1000112)
Andrey Konovalov discovered a race condition in AF_PACKET socket
option handling code in the Linux kernel. A local unprivileged
attacker could use this to cause a denial of service or possibly
execute arbitrary code. (CVE-2017-1000111).
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-12-01 | plugin id | 102421 | published | 2017-08-11 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102421 | title | Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3385-2) |
NASL family | Ubuntu Local Security Checks | NASL id | UBUNTU_USN-3385-1.NASL | description | Andrey Konovalov discovered a race condition in the UDP Fragmentation
Offload (UFO) code in the Linux kernel. A local attacker could use
this to cause a denial of service or execute arbitrary code.
(CVE-2017-1000112)
Andrey Konovalov discovered a race condition in AF_PACKET socket
option handling code in the Linux kernel. A local unprivileged
attacker could use this to cause a denial of service or possibly
execute arbitrary code. (CVE-2017-1000111).
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-12-01 | plugin id | 102420 | published | 2017-08-11 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102420 | title | Ubuntu 16.04 LTS : linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities (USN-3385-1) |
NASL family | Scientific Linux Local Security Checks | NASL id | SL_20171019_KERNEL_ON_SL7_X.NASL | description | Security Fix(es) :
- Out-of-bounds kernel heap access vulnerability was found
in xfrm, kernel's IP framework for transforming packets.
An error dealing with netlink messages from an
unprivileged user leads to arbitrary read/write and
privilege escalation. (CVE-2017-7184, Important)
- A race condition issue leading to a use-after-free flaw
was found in the way the raw packet sockets are
implemented in the Linux kernel networking subsystem
handling synchronization. A local user able to open a
raw packet socket (requires the CAP_NET_RAW capability)
could use this flaw to elevate their privileges on the
system. (CVE-2017-1000111, Important)
- An exploitable memory corruption flaw was found in the
Linux kernel. The append path can be erroneously
switched from UFO to non-UFO in ip_ufo_append_data()
when building an UFO packet with MSG_MORE option. If
unprivileged user namespaces are available, this flaw
can be exploited to gain root privileges.
(CVE-2017-1000112, Important)
- A flaw was found in the Linux networking subsystem where
a local attacker with CAP_NET_ADMIN capabilities could
cause an out-of-bounds memory access by creating a
smaller-than-expected ICMP header and sending to its
destination via sendto(). (CVE-2016-8399, Moderate)
- Kernel memory corruption due to a buffer overflow was
found in brcmf_cfg80211_mgmt_tx() function in Linux
kernels from v3.9-rc1 to v4.13-rc1. The vulnerability
can be triggered by sending a crafted NL80211_CMD_FRAME
packet via netlink. This flaw is unlikely to be
triggered remotely as certain userspace code is needed
for this. An unprivileged local user could use this flaw
to induce kernel memory corruption on the system,
leading to a crash. Due to the nature of the flaw,
privilege escalation cannot be fully ruled out, although
it is unlikely. (CVE-2017-7541, Moderate)
- An integer overflow vulnerability in
ip6_find_1stfragopt() function was found. A local
attacker that has privileges (of CAP_NET_RAW) to open
raw socket can cause an infinite loop inside the
ip6_find_1stfragopt() function. (CVE-2017-7542,
Moderate)
- A kernel data leak due to an out-of-bound read was found
in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill()
and sctp_get_sctp_info() functions present since version
4.7-rc1 through version 4.13. A data leak happens when
these functions fill in sockaddr data structures used to
export socket's diagnostic information. As a result, up
to 100 bytes of the slab data could be leaked to a
userspace. (CVE-2017-7558, Moderate)
- The mq_notify function in the Linux kernel through
4.11.9 does not set the sock pointer to NULL upon entry
into the retry logic. During a user-space close of a
Netlink socket, it allows attackers to possibly cause a
situation where a value may be used after being freed
(use-after-free) which may lead to memory corruption or
other unspecified other impact. (CVE-2017-11176,
Moderate)
- A divide-by-zero vulnerability was found in the
__tcp_select_window function in the Linux kernel. This
can result in a kernel panic causing a local denial of
service. (CVE-2017-14106, Moderate) | last seen | 2019-01-16 | modified | 2018-12-27 | plugin id | 104008 | published | 2017-10-20 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=104008 | title | Scientific Linux Security Update : kernel on SL7.x x86_64 |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2017-2931.NASL | description | An update for kernel-rt is now available for Red Hat Enterprise Linux
7.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The kernel-rt packages provide the Real Time Linux Kernel, which
enables fine-tuning for systems with extremely high determinism
requirements.
Security Fix(es) :
* Out-of-bounds kernel heap access vulnerability was found in xfrm,
kernel's IP framework for transforming packets. An error dealing with
netlink messages from an unprivileged user leads to arbitrary
read/write and privilege escalation. (CVE-2017-7184, Important)
* A race condition issue leading to a use-after-free flaw was found in
the way the raw packet sockets are implemented in the Linux kernel
networking subsystem handling synchronization. A local user able to
open a raw packet socket (requires the CAP_NET_RAW capability) could
use this flaw to elevate their privileges on the system.
(CVE-2017-1000111, Important)
* An exploitable memory corruption flaw was found in the Linux kernel.
The append path can be erroneously switched from UFO to non-UFO in
ip_ufo_append_data() when building an UFO packet with MSG_MORE option.
If unprivileged user namespaces are available, this flaw can be
exploited to gain root privileges. (CVE-2017-1000112, Important)
* A flaw was found in the Linux networking subsystem where a local
attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds
memory access by creating a smaller-than-expected ICMP header and
sending to its destination via sendto(). (CVE-2016-8399, Moderate)
* Kernel memory corruption due to a buffer overflow was found in
brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to
v4.13-rc1. The vulnerability can be triggered by sending a crafted
NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be
triggered remotely as certain userspace code is needed for this. An
unprivileged local user could use this flaw to induce kernel memory
corruption on the system, leading to a crash. Due to the nature of the
flaw, privilege escalation cannot be fully ruled out, although it is
unlikely. (CVE-2017-7541, Moderate)
* An integer overflow vulnerability in ip6_find_1stfragopt() function
was found. A local attacker that has privileges (of CAP_NET_RAW) to
open raw socket can cause an infinite loop inside the
ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate)
* A kernel data leak due to an out-of-bound read was found in the
Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and
sctp_get_sctp_info() functions present since version 4.7-rc1 through
version 4.13. A data leak happens when these functions fill in
sockaddr data structures used to export socket's diagnostic
information. As a result, up to 100 bytes of the slab data could be
leaked to a userspace. (CVE-2017-7558, Moderate)
* The mq_notify function in the Linux kernel through 4.11.9 does not
set the sock pointer to NULL upon entry into the retry logic. During a
user-space close of a Netlink socket, it allows attackers to possibly
cause a situation where a value may be used after being freed
(use-after-free) which may lead to memory corruption or other
unspecified other impact. (CVE-2017-11176, Moderate)
* A divide-by-zero vulnerability was found in the __tcp_select_window
function in the Linux kernel. This can result in a kernel panic
causing a local denial of service. (CVE-2017-14106, Moderate)
Red Hat would like to thank Chaitin Security Research Lab for
reporting CVE-2017-7184; Willem de Bruijn for reporting
CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112.
The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat).
Bug Fix(es) :
* The kernel-rt packages have been upgraded to the 3.10.0-693.5.2
source tree, which provides number of bug fixes over the previous
version. (BZ# 1489084) | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 104004 | published | 2017-10-20 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=104004 | title | RHEL 7 : kernel-rt (RHSA-2017:2931) |
NASL family | Oracle Linux Local Security Checks | NASL id | ORACLELINUX_ELSA-2017-3632.NASL | description | Description of changes:
kernel-uek
[3.8.13-118.19.10.el7uek]
- mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang) [Orabug:
26643556] {CVE-2017-11176}
[3.8.13-118.19.9.el7uek]
- ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina
Dubroca) [Orabug: 27011273] {CVE-2017-7542}
- packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn)
[Orabug: 27002450] {CVE-2017-1000111}
[3.8.13-118.19.8.el7uek]
- mlx4_core: calculate log_num_mtt based on total system memory (Wei Lin
Guay) [Orabug: 26883934]
- xen/x86: Add interface for querying amount of host memory (Boris
Ostrovsky) [Orabug: 26883934] | last seen | 2019-01-16 | modified | 2018-09-05 | plugin id | 104168 | published | 2017-10-26 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=104168 | title | Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3632) |
NASL family | Amazon Linux Local Security Checks | NASL id | ALA_ALAS-2017-868.NASL | description | Exploitable memory corruption due to UFO to non-UFO path switch
(CVE-2017-1000112)
heap out-of-bounds in AF_PACKET sockets (CVE-2017-1000111)
The mq_notify function in the Linux kernel does not set the sock
pointer to NULL upon entry into the retry logic. During a user-space
close of a Netlink socket, it allows attackers to possibly cause a
situation where a value may be used after being freed (use-after-free)
which may lead to memory corruption or other unspecified other impact.
(CVE-2017-11176 ) | last seen | 2019-01-16 | modified | 2018-08-31 | plugin id | 102367 | published | 2017-08-11 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102367 | title | Amazon Linux AMI : kernel (ALAS-2017-868) |
NASL family | OracleVM Local Security Checks | NASL id | ORACLEVM_OVMSA-2018-0015.NASL | description | The remote OracleVM system is missing necessary patches to address
critical security updates : please see Oracle VM Security Advisory
OVMSA-2018-0015 for details. | last seen | 2019-01-16 | modified | 2018-07-24 | plugin id | 106469 | published | 2018-01-30 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=106469 | title | OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0015) (BlueBorne) (Meltdown) (Spectre) (Stack Clash) |
NASL family | Debian Local Security Checks | NASL id | DEBIAN_DLA-1099.NASL | description | Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
CVE-2017-7482
Shi Lei discovered that RxRPC Kerberos 5 ticket handling code does not
properly verify metadata, leading to information disclosure, denial of
service or potentially execution of arbitrary code.
CVE-2017-7542
An integer overflow vulnerability in the ip6_find_1stfragopt()
function was found allowing a local attacker with privileges to open
raw sockets to cause a denial of service.
CVE-2017-7889
Tommi Rantala and Brad Spengler reported that the mm subsystem does
not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism,
allowing a local attacker with access to /dev/mem to obtain sensitive
information or potentially execute arbitrary code.
CVE-2017-10661
Dmitry Vyukov of Google reported that the timerfd facility does not
properly handle certain concurrent operations on a single file
descriptor. This allows a local attacker to cause a denial of service
or potentially to execute arbitrary code.
CVE-2017-10911 / XSA-216
Anthony Perard of Citrix discovered an information leak flaw in Xen
blkif response handling, allowing a malicious unprivileged guest to
obtain sensitive information from the host or other guests.
CVE-2017-11176
It was discovered that the mq_notify() function does not set the sock
pointer to NULL upon entry into the retry logic. An attacker can take
advantage of this flaw during a userspace close of a Netlink socket to
cause a denial of service or potentially cause other impact.
CVE-2017-11600
bo Zhang reported that the xfrm subsystem does not properly validate
one of the parameters to a netlink message. Local users with the
CAP_NET_ADMIN capability can use this to cause a denial of service or
potentially to execute arbitrary code.
CVE-2017-12134 / #866511 / XSA-229
Jan H. Schönherr of Amazon discovered that when Linux is running
in a Xen PV domain on an x86 system, it may incorrectly merge block
I/O requests. A buggy or malicious guest may trigger this bug in dom0
or a PV driver domain, causing a denial of service or potentially
execution of arbitrary code.
This issue can be mitigated by disabling merges on the
underlying back-end block devices, e.g.: echo 2 >
/sys/block/nvme0n1/queue/nomerges
CVE-2017-12153
bo Zhang reported that the cfg80211 (wifi) subsystem does not properly
validate the parameters to a netlink message. Local users with the
CAP_NET_ADMIN capability on a system with a wifi device can use this
to cause a denial of service.
CVE-2017-12154
Jim Mattson of Google reported that the KVM implementation for Intel
x86 processors did not correctly handle certain nested hypervisor
configurations. A malicious guest (or nested guest in a suitable L1
hypervisor) could use this for denial of service.
CVE-2017-14106
Andrey Konovalov of Google reported that a specific sequence of
operations on a TCP socket could lead to division by zero. A local
user could use this for denial of service.
CVE-2017-14140
Otto Ebeling reported that the move_pages() system call permitted
users to discover the memory layout of a set-UID process running under
their real user-ID. This made it easier for local users to exploit
vulnerabilities in programs installed with the set-UID permission bit
set.
CVE-2017-14156
'sohu0106' reported an information leak in the atyfb video driver. A
local user with access to a framebuffer device handled by this driver
could use this to obtain sensitive information.
CVE-2017-14340
Richard Wareing discovered that the XFS implementation allows the
creation of files with the 'realtime' flag on a filesystem with no
realtime device, which can result in a crash (oops). A local user with
access to an XFS filesystem that does not have a realtime device can
use this for denial of service.
CVE-2017-14489
ChunYu of Red Hat discovered that the iSCSI subsystem does not
properly validate the length of a netlink message, leading to memory
corruption. A local user with permission to manage iSCSI devices can
use this for denial of service or possibly to execute arbitrary code.
CVE-2017-1000111
Andrey Konovalov of Google reported a race condition in the raw
packet (af_packet) feature. Local users with the CAP_NET_RAW
capability can use this to cause a denial of service or possibly to
execute arbitrary code.
CVE-2017-1000251 / #875881
Armis Labs discovered that the Bluetooth subsystem does not properly
validate L2CAP configuration responses, leading to a stack buffer
overflow. This is one of several vulnerabilities dubbed 'Blueborne'. A
nearby attacker can use this to cause a denial of service or possibly
to execute arbitrary code on a system with Bluetooth enabled.
CVE-2017-1000363
Roee Hay reported that the lp driver does not properly bounds-check
passed arguments. This has no security impact in Debian.
CVE-2017-1000365
It was discovered that argument and environment pointers are not
properly taken into account by the size restrictions on arguments and
environmental strings passed through execve(). A local attacker can
take advantage of this flaw in conjunction with other flaws to execute
arbitrary code.
CVE-2017-1000380
Alexander Potapenko of Google reported a race condition in the ALSA
(sound) timer driver, leading to an information leak. A local user
with permission to access sound devices could use this to obtain
sensitive information.
For Debian 7 'Wheezy', these problems have been fixed in version
3.2.93-1. This version also includes bug fixes from upstream versions
up to and including 3.2.93.
For Debian 8 'Jessie', these problems have been fixed in version
3.16.43-2+deb8u4 or were fixed in an earlier version.
For Debian 9 'Stretch', these problems have been fixed in version
4.9.30-2+deb9u4 or were fixed in an earlier version.
We recommend that you upgrade your linux packages.
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues. | last seen | 2019-01-16 | modified | 2018-08-31 | plugin id | 103363 | published | 2017-09-21 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=103363 | title | Debian DLA-1099-1 : linux security update (BlueBorne) (Stack Clash) |
NASL family | Ubuntu Local Security Checks | NASL id | UBUNTU_USN-3384-1.NASL | description | Andrey Konovalov discovered a race condition in the UDP Fragmentation
Offload (UFO) code in the Linux kernel. A local attacker could use
this to cause a denial of service or execute arbitrary code.
(CVE-2017-1000112)
Andrey Konovalov discovered a race condition in AF_PACKET socket
option handling code in the Linux kernel. A local unprivileged
attacker could use this to cause a denial of service or possibly
execute arbitrary code. (CVE-2017-1000111).
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-12-01 | plugin id | 102418 | published | 2017-08-11 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102418 | title | Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3384-1) |
NASL family | Fedora Local Security Checks | NASL id | FEDORA_2017-4336D64E21.NASL | description | The 4.12.8 stable kernel update contains a number of important fixes
across the tree.
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-08-03 | plugin id | 102717 | published | 2017-08-24 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102717 | title | Fedora 26 : kernel (2017-4336d64e21) |
NASL family | OracleVM Local Security Checks | NASL id | ORACLEVM_OVMSA-2017-0174.NASL | description | The remote OracleVM system is missing necessary patches to address
critical security updates : please see Oracle VM Security Advisory
OVMSA-2017-0174 for details. | last seen | 2019-01-16 | modified | 2018-09-05 | plugin id | 105248 | published | 2017-12-14 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=105248 | title | OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0174) (BlueBorne) (Dirty COW) (Stack Clash) |
NASL family | Oracle Linux Local Security Checks | NASL id | ORACLELINUX_ELSA-2017-3658.NASL | description | Description of changes:
[2.6.39-400.298.1.el6uek]
- ocfs2/dlm: ignore cleaning the migration mle that is inuse (xuejiufei)
[Orabug: 23320090]
- tty: Fix race in pty_write() leading to NULL deref (Todd Vierling)
[Orabug: 24337879]
- xen-netfront: cast grant table reference first to type int (Dongli
Zhang) [Orabug: 25102637]
- xen-netfront: do not cast grant table reference to signed short
(Dongli Zhang) [Orabug: 25102637]
- RDS: Print failed rdma op details if failure is remote access error
(Rama Nichanamatlu) [Orabug: 25440316]
- ping: implement proper locking (Eric Dumazet) [Orabug: 26540288]
{CVE-2017-2671}
- KEYS: fix dereferencing NULL payload with nonzero length (Eric
Biggers) [Orabug: 26592013]
- oracleasm: Copy the integrity descriptor (Martin K. Petersen)
[Orabug: 26650039]
- mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook) [Orabug:
26675934] {CVE-2017-7889}
- fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE
(Abhi Das) [Orabug: 26797307]
- xscore: add dma address check (Zhu Yanjun) [Orabug: 27058559]
- more bio_map_user_iov() leak fixes (Al Viro) [Orabug: 27069045]
{CVE-2017-12190}
- fix unbalanced page refcounting in bio_map_user_iov (Vitaly
Mayatskikh) [Orabug: 27069045] {CVE-2017-12190}
- xsigo: [backport] Fix race in freeing aged Forwarding tables (Pradeep
Gopanapalli) [Orabug: 24823234]
- ocfs2: fix deadlock issue when taking inode lock at vfs entry points
(Eric Ren) [Orabug: 25671723]
- ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock
(Eric Ren) [Orabug: 25671723]
- net/packet: fix overflow in check for tp_reserve (Andrey Konovalov)
[Orabug: 26143563] {CVE-2017-7308}
- net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov)
[Orabug: 26143563] {CVE-2017-7308}
- char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau)
[Orabug: 26403941] {CVE-2017-1000363}
- ALSA: timer: Fix missing queue indices reset at
SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai) [Orabug: 26403958]
{CVE-2017-1000380}
- ALSA: timer: Fix race between read and ioctl (Takashi Iwai) [Orabug:
26403958] {CVE-2017-1000380}
- ALSA: timer: fix NULL pointer dereference in read()/ioctl() race
(Vegard Nossum) [Orabug: 26403958] {CVE-2017-1000380}
- ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai)
[Orabug: 26403958] {CVE-2017-1000380}
- ALSA: timer: Fix race at concurrent reads (Takashi Iwai) [Orabug:
26403958] {CVE-2017-1000380}
- ALSA: timer: Fix race among timer ioctls (Takashi Iwai) [Orabug:
26403958] {CVE-2017-1000380}
- ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben
Hutchings) [Orabug: 26403974] {CVE-2017-9074}
- ipv6: Check ip6_find_1stfragopt() return value properly. (David S.
Miller) [Orabug: 26403974] {CVE-2017-9074}
- ipv6: Prevent overrun when parsing v6 header options (Craig Gallek)
[Orabug: 26403974] {CVE-2017-9074}
- ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong)
[Orabug: 26404007] {CVE-2017-9077}
- aio: mark AIO pseudo-fs noexec (Jann Horn) [Orabug: 26643601]
{CVE-2016-10044}
- vfs: Commit to never having executables on proc and sysfs. (Eric W.
Biederman) [Orabug: 26643601] {CVE-2016-10044}
- vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun
Heo) [Orabug: 26643601] {CVE-2016-10044}
- x86/acpi: Prevent out of bound access caused by broken ACPI tables
(Seunghun Han) [Orabug: 26643652] {CVE-2017-11473}
- sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet)
[Orabug: 26650889] {CVE-2017-9075}
- saa7164: fix double fetch PCIe access condition (Steven Toth)
[Orabug: 26675148] {CVE-2017-8831}
- saa7164: fix sparse warnings (Hans Verkuil) [Orabug: 26675148]
{CVE-2017-8831}
- saa7164: get rid of warning: no previous prototype (Mauro Carvalho
Chehab) [Orabug: 26675148] {CVE-2017-8831}
- [scsi] lpfc 8.3.44: Fix kernel panics from corrupted ndlp (James
Smart) [Orabug: 26765341]
- timerfd: Protect the might cancel mechanism proper (Thomas Gleixner)
[Orabug: 26899791] {CVE-2017-10661}
- scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't
parse nlmsg properly (Xin Long) [Orabug: 26988628] {CVE-2017-14489}
- mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang) [Orabug:
26643562] {CVE-2017-11176}
- ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina
Dubroca) [Orabug: 27011278] {CVE-2017-7542}
- packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn)
[Orabug: 27002453] {CVE-2017-1000111}
- mlx4_core: calculate log_mtt based on total system memory (Wei Lin
Guay) [Orabug: 26867355]
- xen/x86: Add interface for querying amount of host memory (Boris
Ostrovsky) [Orabug: 26867355]
- fs/binfmt_elf.c: fix bug in loading of PIE binaries (Michael Davidson)
[Orabug: 26870958] {CVE-2017-1000253}
- Bluetooth: Properly check L2CAP config option output buffer length
(Ben Seri) [Orabug: 26796428] {CVE-2017-1000251}
- xen: fix bio vec merging (Roger Pau Monne) [Orabug: 26645562]
{CVE-2017-12134}
- fs/exec.c: account for argv/envp pointers (Kees Cook) [Orabug:
26638926] {CVE-2017-1000365}
- l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume
Nault) [Orabug: 26586050] {CVE-2016-10200}
- xfs: fix two memory leaks in xfs_attr_list.c error paths (Mateusz
Guzik) [Orabug: 26586024] {CVE-2016-9685}
- KEYS: Disallow keyrings beginning with '.' to be joined as session
keyrings (David Howells) [Orabug: 26586002] {CVE-2016-9604}
- ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet)
[Orabug: 26578202] {CVE-2017-9242}
- selinux: quiet the filesystem labeling behavior message (Paul Moore)
[Orabug: 25721485]
- RDS/IB: active bonding port state fix for intfs added late (Mukesh
Kacker) [Orabug: 25875426]
- HID: hid-cypress: validate length of report (Greg Kroah-Hartman)
[Orabug: 25891914] {CVE-2017-7273}
- udf: Remove repeated loads blocksize (Jan Kara) [Orabug: 25905722]
{CVE-2015-4167}
- udf: Check length of extended attributes and allocation descriptors
(Jan Kara) [Orabug: 25905722] {CVE-2015-4167}
- udf: Verify i_size when loading inode (Jan Kara) [Orabug: 25905722]
{CVE-2015-4167}
- btrfs: drop unused parameter from btrfs_item_nr (Ross Kirk) [Orabug:
25948102] {CVE-2014-9710}
- Btrfs: cleanup of function where fixup_low_keys() is called (Tsutomu
Itoh) [Orabug: 25948102] {CVE-2014-9710}
- Btrfs: remove unused argument of fixup_low_keys() (Tsutomu Itoh)
[Orabug: 25948102] {CVE-2014-9710}
- Btrfs: remove unused argument of btrfs_extend_item() (Tsutomu Itoh)
[Orabug: 25948102] {CVE-2014-9710}
- Btrfs: add support for asserts (Josef Bacik) [Orabug: 25948102]
{CVE-2014-9710}
- Btrfs: make xattr replace operations atomic (Filipe Manana) [Orabug:
25948102] {CVE-2014-9710}
- net: validate the range we feed to iov_iter_init() in
sys_sendto/sys_recvfrom (Al Viro) [Orabug: 25948149] {CVE-2015-2686}
- xsigo: Compute node crash on FC failover (Joe Jin) [Orabug: 25965445]
- PCI: Prevent VPD access for QLogic ISP2722 (Ethan Zhao) [Orabug:
25975513]
- PCI: Prevent VPD access for buggy devices (Babu Moger) [Orabug:
25975513]
- ipv4: try to cache dst_entries which would cause a redirect (Hannes
Frederic Sowa) [Orabug: 26032377] {CVE-2015-1465}
- mm: larger stack guard gap, between vmas (Hugh Dickins) [Orabug:
26326145] {CVE-2017-1000364}
- nfsd: check for oversized NFSv2/v3 arguments (J. Bruce Fields)
[Orabug: 26366024] {CVE-2017-7645}
- dm mpath: allow ioctls to trigger pg init (Mikulas Patocka) [Orabug:
25645229]
- xen/manage: Always freeze/thaw processes when suspend/resuming (Ross
Lagerwall) [Orabug: 25795530]
- lpfc cannot establish connection with targets that send PRLI under P2P
mode (Joe Jin) [Orabug: 25955028] | last seen | 2019-01-16 | modified | 2018-09-05 | plugin id | 105145 | published | 2017-12-11 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=105145 | title | Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3658) (BlueBorne) (Stack Clash) |
NASL family | SuSE Local Security Checks | NASL id | SUSE_SU-2017-2150-1.NASL | description | The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.74 to receive the
following security updates :
- CVE-2017-1000111: fix race condition in net-packet code
that could be exploited to cause out-of-bounds memory
access (bsc#1052365).
- CVE-2017-1000112: fix race condition in net-packet code
that could have been exploited by unprivileged users to
gain root access. (bsc#1052311).
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-30 | plugin id | 102478 | published | 2017-08-14 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102478 | title | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2150-1) |
NASL family | Virtuozzo Local Security Checks | NASL id | VIRTUOZZO_VZA-2017-071.NASL | description | According to the version of the vzkernel package and the
readykernel-patch installed, the Virtuozzo installation on the remote
host is affected by the following vulnerabilities :
- A race condition issue leading to a use-after-free flaw
was found in the way the raw packet sockets are
implemented in the Linux kernel networking subsystem
handling synchronization. A local user able to open a
raw packet socket (requires the CAP_NET_RAW capability)
could use this flaw to elevate their privileges on the
system.
- Andrey Konovalov discovered a race condition in the UDP
Fragmentation Offload (UFO) code in the Linux kernel. A
local attacker could use this to cause a denial of
service or execute arbitrary code.
Note that Tenable Network Security has extracted the preceding
description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues. | last seen | 2019-01-16 | modified | 2019-01-14 | plugin id | 102591 | published | 2017-08-21 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102591 | title | Virtuozzo 7 : readykernel-patch (VZA-2017-071) |
NASL family | Huawei Local Security Checks | NASL id | EULEROS_SA-2017-1271.NASL | description | According to the versions of the kernel packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :
- arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5,
when nested virtualisation is used, does not properly
traverse guest pagetable entries to resolve a guest
virtual address, which allows L1 guest OS users to
execute arbitrary code on the host OS or cause a denial
of service (incorrect index during page walking, and
host OS crash), aka an MMU potential stack buffer
overrun.(CVE-2017-12188)
- A vulnerability was found in the Key Management sub
component of the Linux kernel, where when trying to
issue a KEYCTL_READ on a negative key would lead to a
NULL pointer dereference. A local attacker could use
this flaw to crash the kernel.(CVE-2017-12192)
- security/keys/keyctl.c in the Linux kernel before
4.11.5 does not consider the case of a NULL payload in
conjunction with a nonzero length value, which allows
local users to cause a denial of service (NULL pointer
dereference and OOPS) via a crafted add_key or keyctl
system call, a different vulnerability than
CVE-2017-12192.(CVE-2017-15274)
- Linux kernel: heap out-of-bounds in AF_PACKET sockets.
This new issue is analogous to previously disclosed
CVE-2016-8655. In both cases, a socket option that
changes socket state may race with safety checks in
packet_set_ring. Previously with PACKET_VERSION. This
time with PACKET_RESERVE. The solution is similar: lock
the socket for the update. This issue may be
exploitable, we did not investigate further. As this
issue affects PF_PACKET sockets, it requires
CAP_NET_RAW in the process namespace. But note that
with user namespaces enabled, any process can create a
namespace in which it has
CAP_NET_RAW.(CVE-2017-1000111)
- Use-after-free vulnerability in the Linux kernel before
4.14-rc5 allows local users to have unspecified impact
via vectors related to /dev/snd/seq.(CVE-2017-15265)
- net/packet/af_packet.c in the Linux kernel before
4.13.6 allows local users to gain privileges via
crafted system calls that trigger mishandling of
packet_fanout data structures, because of a race
condition (involving fanout_add and packet_do_bind)
that leads to a use-after-free, a different
vulnerability than CVE-2017-6346.(CVE-2017-15649)
- The sg_ioctl function in drivers/scsi/sg.c in the Linux
kernel before 4.13.4 allows local users to obtain
sensitive information from uninitialized kernel
heap-memory locations via an SG_GET_REQUEST_TABLE ioctl
call for /dev/sg0.(CVE-2017-14991)
- An exploitable memory corruption flaw was found in the
Linux kernel. The append path can be erroneously
switched from UFO to non-UFO in ip_ufo_append_data()
when building an UFO packet with MSG_MORE option. If
unprivileged user namespaces are available, this flaw
can be exploited to gain root
privileges.(CVE-2017-1000112)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-14 | plugin id | 104296 | published | 2017-11-01 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=104296 | title | EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271) |
NASL family | Fedora Local Security Checks | NASL id | FEDORA_2017-73F71456D7.NASL | description | The 4.12.8 stable kernel update contains a number of important fixes
across the tree.
----
The 4.12.5 kernel rebase contains new features and many bug fixes
across the tree.
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-08-03 | plugin id | 102718 | published | 2017-08-24 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102718 | title | Fedora 25 : kernel (2017-73f71456d7) |
NASL family | Ubuntu Local Security Checks | NASL id | UBUNTU_USN-3386-1.NASL | description | Andrey Konovalov discovered a race condition in the UDP Fragmentation
Offload (UFO) code in the Linux kernel. A local attacker could use
this to cause a denial of service or execute arbitrary code.
(CVE-2017-1000112)
Andrey Konovalov discovered a race condition in AF_PACKET socket
option handling code in the Linux kernel. A local unprivileged
attacker could use this to cause a denial of service or possibly
execute arbitrary code. (CVE-2017-1000111).
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-12-01 | plugin id | 102422 | published | 2017-08-11 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102422 | title | Ubuntu 14.04 LTS : linux vulnerabilities (USN-3386-1) |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2017-2918.NASL | description | An update for kernel-rt is now available for Red Hat Enterprise MRG 2.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The kernel-rt packages provide the Real Time Linux Kernel, which
enables fine-tuning for systems with extremely high determinism
requirements.
Security Fix(es) :
* Out-of-bounds kernel heap access vulnerability was found in xfrm,
kernel's IP framework for transforming packets. An error dealing with
netlink messages from an unprivileged user leads to arbitrary
read/write and privilege escalation. (CVE-2017-7184, Important)
* A race condition issue leading to a use-after-free flaw was found in
the way the raw packet sockets are implemented in the Linux kernel
networking subsystem handling synchronization. A local user able to
open a raw packet socket (requires the CAP_NET_RAW capability) could
use this flaw to elevate their privileges on the system.
(CVE-2017-1000111, Important)
* An exploitable memory corruption flaw was found in the Linux kernel.
The append path can be erroneously switched from UFO to non-UFO in
ip_ufo_append_data() when building an UFO packet with MSG_MORE option.
If unprivileged user namespaces are available, this flaw can be
exploited to gain root privileges. (CVE-2017-1000112, Important)
* Kernel memory corruption due to a buffer overflow was found in
brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to
v4.13-rc1. The vulnerability can be triggered by sending a crafted
NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be
triggered remotely as certain userspace code is needed for this. An
unprivileged local user could use this flaw to induce kernel memory
corruption on the system, leading to a crash. Due to the nature of the
flaw, privilege escalation cannot be fully ruled out, although it is
unlikely. (CVE-2017-7541, Moderate)
* An integer overflow vulnerability in ip6_find_1stfragopt() function
was found. A local attacker that has privileges (of CAP_NET_RAW) to
open raw socket can cause an infinite loop inside the
ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate)
* A kernel data leak due to an out-of-bound read was found in the
Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and
sctp_get_sctp_info() functions present since version 4.7-rc1 through
version 4.13. A data leak happens when these functions fill in
sockaddr data structures used to export socket's diagnostic
information. As a result, up to 100 bytes of the slab data could be
leaked to a userspace. (CVE-2017-7558, Moderate)
* The mq_notify function in the Linux kernel through 4.11.9 does not
set the sock pointer to NULL upon entry into the retry logic. During a
user-space close of a Netlink socket, it allows attackers to possibly
cause a situation where a value may be used after being freed
(use-after-free) which may lead to memory corruption or other
unspecified other impact. (CVE-2017-11176, Moderate)
* A divide-by-zero vulnerability was found in the __tcp_select_window
function in the Linux kernel. This can result in a kernel panic
causing a local denial of service. (CVE-2017-14106, Moderate)
* A flaw was found where the XFS filesystem code mishandles a
user-settable inode flag in the Linux kernel prior to 4.14-rc1. This
can cause a local denial of service via a kernel panic.
(CVE-2017-14340, Moderate)
Red Hat would like to thank Chaitin Security Research Lab for
reporting CVE-2017-7184; Willem de Bruijn for reporting
CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112.
The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat) and
the CVE-2017-14340 issue was discovered by Dave Chinner (Red Hat).
Bug Fix(es) :
* kernel-rt packages have been upgraded to the 3.10.0-693.5.2 source
tree, which provides a number of bug fixes over the previous version.
(BZ#1489085) | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 104090 | published | 2017-10-23 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=104090 | title | RHEL 6 : MRG (RHSA-2017:2918) |
NASL family | SuSE Local Security Checks | NASL id | SUSE_SU-2017-2286-1.NASL | description | The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.82 to
receive various security and bugfixes. The following security bugs
were fixed :
- CVE-2017-1000111: Fixed a race condition in net-packet
code that could be exploited to cause out-of-bounds
memory access (bsc#1052365).
- CVE-2017-1000112: Fixed a race condition in net-packet
code that could have been exploited by unprivileged
users to gain root access. (bsc#1052311).
- CVE-2017-8831: The saa7164_bus_get function in
drivers/media/pci/saa7164/saa7164-bus.c in the Linux
kernel allowed local users to cause a denial of service
(out-of-bounds array access) or possibly have
unspecified other impact by changing a certain
sequence-number value, aka a 'double fetch'
vulnerability (bnc#1037994).
- CVE-2017-7542: The ip6_find_1stfragopt function in
net/ipv6/output_core.c in the Linux kernel allowed local
users to cause a denial of service (integer overflow and
infinite loop) by leveraging the ability to open a raw
socket (bnc#1049882).
- CVE-2017-11473: Buffer overflow in the
mp_override_legacy_irq() function in
arch/x86/kernel/acpi/boot.c in the Linux kernel allowed
local users to gain privileges via a crafted ACPI table
(bnc#1049603).
- CVE-2017-7533: Race condition in the fsnotify
implementation in the Linux kernel allowed local users
to gain privileges or cause a denial of service (memory
corruption) via a crafted application that leverages
simultaneous execution of the inotify_handle_event and
vfs_rename functions (bnc#1049483 bnc#1050677).
- CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
in the Linux kernel allowed local users to cause a
denial of service (buffer overflow and system crash) or
possibly gain privileges via a crafted NL80211_CMD_FRAME
Netlink packet (bnc#1049645).
- CVE-2017-10810: Memory leak in the
virtio_gpu_object_create function in
drivers/gpu/drm/virtio/virtgpu_object.c in the Linux
kernel allowed attackers to cause a denial of service
(memory consumption) by triggering object-initialization
failures (bnc#1047277).
The update package also includes non-security fixes. See advisory for
details.
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-30 | plugin id | 102838 | published | 2017-08-30 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102838 | title | SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2286-1) |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2017-3200.NASL | description | An update for kernel is now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The kernel packages contain the Linux kernel, the core of any Linux
operating system.
Security Fix(es) :
* A race condition issue leading to a use-after-free flaw was found in
the way the raw packet sockets are implemented in the Linux kernel
networking subsystem handling synchronization. A local user able to
open a raw packet socket (requires the CAP_NET_RAW capability) could
use this flaw to elevate their privileges on the system.
(CVE-2017-1000111, Important)
* An exploitable memory corruption flaw was found in the Linux kernel.
The append path can be erroneously switched from UFO to non-UFO in
ip_ufo_append_data() when building an UFO packet with MSG_MORE option.
If unprivileged user namespaces are available, this flaw can be
exploited to gain root privileges. (CVE-2017-1000112, Important)
* A divide-by-zero vulnerability was found in the __tcp_select_window
function in the Linux kernel. This can result in a kernel panic
causing a local denial of service. (CVE-2017-14106, Moderate)
Red Hat would like to thank Willem de Bruijn for reporting
CVE-2017-1000111 and Andrey Konovalov for reporting CVE-2017-1000112.
Bug Fix(es) :
* When the operating system was booted with Red Hat Enterprise
Virtualization, and the eh_deadline sysfs parameter was set to 10s,
the Storage Area Network (SAN) issues caused eh_deadline to trigger
with no handler. Consequently, a kernel panic occurred. This update
fixes the lpfc driver, thus preventing the kernel panic under
described circumstances. (BZ #1487220)
* When an NFS server returned the NFS4ERR_BAD_SEQID error to an OPEN
request, the open-owner was removed from the state_owners rbtree.
Consequently, an NFS4 client infinite loop occurred that required a
reboot to recover. This update changes NFS4ERR_BAD_SEQID handling to
leave the open-owner in the state_owners rbtree by updating the
create_time parameter so that it looks like a new open-owner. As a
result, an NFS4 client is now able to recover without falling into the
infinite recovery loop after receiving NFS4ERR_BAD_SEQID. (BZ#1491123)
* If an NFS client attempted to mount NFSv3 shares from an NFS server
exported directly to the client's IP address, and this NFS client had
already mounted other shares that originated from the same server but
were exported to the subnetwork which this client was part of, the
auth.unix.ip cache expiration was not handled correctly. Consequently,
the client received the 'stale file handle' errors when trying to
mount the share. This update fixes handling of the cache expiration,
and the NFSv3 shares now mount as expected without producing the
'stale file handle' errors. (BZ #1497976)
* When running a script that raised the tx ring count to its maximum
value supported by the Solarflare Network Interface Controller (NIC)
driver, the EF10 family NICs allowed the settings exceeding the
hardware's capability. Consequently, the Solarflare hardware became
unusable with Red Hat Enterprise Linux 6. This update fixes the sfc
driver, so that the tx ring can have maximum 2048 entries for all EF10
NICs. As a result, the Solarflare hardware no longer becomes unusable
with Red Hat Enterprise Linux 6 due to this bug. (BZ#1498019) | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 104566 | published | 2017-11-15 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=104566 | title | RHEL 6 : kernel (RHSA-2017:3200) |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2017-2930.NASL | description | An update for kernel is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The kernel packages contain the Linux kernel, the core of any Linux
operating system.
Security Fix(es) :
* Out-of-bounds kernel heap access vulnerability was found in xfrm,
kernel's IP framework for transforming packets. An error dealing with
netlink messages from an unprivileged user leads to arbitrary
read/write and privilege escalation. (CVE-2017-7184, Important)
* A race condition issue leading to a use-after-free flaw was found in
the way the raw packet sockets are implemented in the Linux kernel
networking subsystem handling synchronization. A local user able to
open a raw packet socket (requires the CAP_NET_RAW capability) could
use this flaw to elevate their privileges on the system.
(CVE-2017-1000111, Important)
* An exploitable memory corruption flaw was found in the Linux kernel.
The append path can be erroneously switched from UFO to non-UFO in
ip_ufo_append_data() when building an UFO packet with MSG_MORE option.
If unprivileged user namespaces are available, this flaw can be
exploited to gain root privileges. (CVE-2017-1000112, Important)
* A flaw was found in the Linux networking subsystem where a local
attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds
memory access by creating a smaller-than-expected ICMP header and
sending to its destination via sendto(). (CVE-2016-8399, Moderate)
* Kernel memory corruption due to a buffer overflow was found in
brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to
v4.13-rc1. The vulnerability can be triggered by sending a crafted
NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be
triggered remotely as certain userspace code is needed for this. An
unprivileged local user could use this flaw to induce kernel memory
corruption on the system, leading to a crash. Due to the nature of the
flaw, privilege escalation cannot be fully ruled out, although it is
unlikely. (CVE-2017-7541, Moderate)
* An integer overflow vulnerability in ip6_find_1stfragopt() function
was found. A local attacker that has privileges (of CAP_NET_RAW) to
open raw socket can cause an infinite loop inside the
ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate)
* A kernel data leak due to an out-of-bound read was found in the
Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and
sctp_get_sctp_info() functions present since version 4.7-rc1 through
version 4.13. A data leak happens when these functions fill in
sockaddr data structures used to export socket's diagnostic
information. As a result, up to 100 bytes of the slab data could be
leaked to a userspace. (CVE-2017-7558, Moderate)
* The mq_notify function in the Linux kernel through 4.11.9 does not
set the sock pointer to NULL upon entry into the retry logic. During a
user-space close of a Netlink socket, it allows attackers to possibly
cause a situation where a value may be used after being freed
(use-after-free) which may lead to memory corruption or other
unspecified other impact. (CVE-2017-11176, Moderate)
* A divide-by-zero vulnerability was found in the __tcp_select_window
function in the Linux kernel. This can result in a kernel panic
causing a local denial of service. (CVE-2017-14106, Moderate)
Red Hat would like to thank Chaitin Security Research Lab for
reporting CVE-2017-7184; Willem de Bruijn for reporting
CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112.
The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat).
Space precludes documenting all of the bug fixes and enhancements
included in this advisory. To see the complete list of bug fixes and
enhancements, refer to the following KnowledgeBase article:
https://access.redhat.com/node/3212921. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 104003 | published | 2017-10-20 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=104003 | title | RHEL 7 : kernel (RHSA-2017:2930) |
NASL family | Scientific Linux Local Security Checks | NASL id | SL_20171115_KERNEL_ON_SL6_X.NASL | description | Security Fix(es) :
- A race condition issue leading to a use-after-free flaw
was found in the way the raw packet sockets are
implemented in the Linux kernel networking subsystem
handling synchronization. A local user able to open a
raw packet socket (requires the CAP_NET_RAW capability)
could use this flaw to elevate their privileges on the
system. (CVE-2017-1000111, Important)
- An exploitable memory corruption flaw was found in the
Linux kernel. The append path can be erroneously
switched from UFO to non-UFO in ip_ufo_append_data()
when building a UFO packet with the MSG_MORE option. If
unprivileged user namespaces are available, this flaw
can be exploited to gain root privileges.
(CVE-2017-1000112, Important)
- A divide-by-zero vulnerability was found in the
__tcp_select_window function in the Linux kernel. This
can result in a kernel panic causing a local denial of
service. (CVE-2017-14106, Moderate)
Bug Fix(es) :
- When the operating system was booted with RHEV/oVirt,
and the eh_deadline sysfs parameter was set to 10s, the
Storage Area Network (SAN) issues caused eh_deadline to
trigger with no handler. Consequently, a kernel panic
occurred. This update fixes the lpfc driver, thus
preventing the kernel panic under described
circumstances.
- When an NFS server returned the NFS4ERR_BAD_SEQID error
to an OPEN request, the open-owner was removed from the
state_owners rbtree. Consequently, the NFS4 client
entered an infinite loop that required a reboot to
recover. This update changes NFS4ERR_BAD_SEQID handling
to leave the open-owner in the state_owners rbtree by
updating the create_time parameter so that it looks like
a new open-owner. As a result, an NFS4 client is now able
to recover without falling into the infinite recovery
loop after receiving NFS4ERR_BAD_SEQID.
- If an NFS client attempted to mount NFSv3 shares from an
NFS server exported directly to the client's IP address,
and this NFS client had already mounted other shares
that originated from the same server but were exported
to the subnetwork which this client was part of, the
auth.unix.ip cache expiration was not handled correctly.
Consequently, the client received the 'stale file
handle' errors when trying to mount the share. This
update fixes handling of the cache expiration, and the
NFSv3 shares now mount as expected without producing the
'stale file handle' errors.
- When running a script that raised the tx ring count to
the maximum value supported by the Solarflare Network
Interface Controller (NIC) driver, the EF10 family NICs
allowed settings exceeding the hardware's capability.
Consequently, the Solarflare hardware became unusable
with Scientific Linux 6. This update fixes the sfc
driver so that the tx ring can have a maximum of 2048
entries for all EF10 NICs. As a result, the Solarflare
hardware no longer becomes unusable. | last seen | 2019-01-16 | modified | 2018-12-27 | plugin id | 104623 | published | 2017-11-16 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=104623 | title | Scientific Linux Security Update : kernel on SL6.x i386/x86_64 |
NASL family | Oracle Linux Local Security Checks | NASL id | ORACLELINUX_ELSA-2017-3200.NASL | description | From Red Hat Security Advisory 2017:3200 :
An update for kernel is now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The kernel packages contain the Linux kernel, the core of any Linux
operating system.
Security Fix(es) :
* A race condition issue leading to a use-after-free flaw was found in
the way the raw packet sockets are implemented in the Linux kernel
networking subsystem handling synchronization. A local user able to
open a raw packet socket (requires the CAP_NET_RAW capability) could
use this flaw to elevate their privileges on the system.
(CVE-2017-1000111, Important)
* An exploitable memory corruption flaw was found in the Linux kernel.
The append path can be erroneously switched from UFO to non-UFO in
ip_ufo_append_data() when building a UFO packet with the MSG_MORE
option. If unprivileged user namespaces are available, this flaw can
be exploited to gain root privileges. (CVE-2017-1000112, Important)
* A divide-by-zero vulnerability was found in the __tcp_select_window
function in the Linux kernel. This can result in a kernel panic
causing a local denial of service. (CVE-2017-14106, Moderate)
Red Hat would like to thank Willem de Bruijn for reporting
CVE-2017-1000111 and Andrey Konovalov for reporting CVE-2017-1000112.
Bug Fix(es) :
* When the operating system was booted with Red Hat Enterprise
Virtualization, and the eh_deadline sysfs parameter was set to 10s,
the Storage Area Network (SAN) issues caused eh_deadline to trigger
with no handler. Consequently, a kernel panic occurred. This update
fixes the lpfc driver, thus preventing the kernel panic under
described circumstances. (BZ #1487220)
* When an NFS server returned the NFS4ERR_BAD_SEQID error to an OPEN
request, the open-owner was removed from the state_owners rbtree.
Consequently, the NFS4 client entered an infinite loop that required a
reboot to recover. This update changes NFS4ERR_BAD_SEQID handling to
leave the open-owner in the state_owners rbtree by updating the
create_time parameter so that it looks like a new open-owner. As a
result, an NFS4 client is now able to recover without falling into the
infinite recovery loop after receiving NFS4ERR_BAD_SEQID. (BZ#1491123)
* If an NFS client attempted to mount NFSv3 shares from an NFS server
exported directly to the client's IP address, and this NFS client had
already mounted other shares that originated from the same server but
were exported to the subnetwork which this client was part of, the
auth.unix.ip cache expiration was not handled correctly. Consequently,
the client received the 'stale file handle' errors when trying to
mount the share. This update fixes handling of the cache expiration,
and the NFSv3 shares now mount as expected without producing the
'stale file handle' errors. (BZ #1497976)
* When running a script that raised the tx ring count to the maximum
value supported by the Solarflare Network Interface Controller (NIC)
driver, the EF10 family NICs allowed settings exceeding the
hardware's capability. Consequently, the Solarflare hardware became
unusable with Red Hat Enterprise Linux 6. This update fixes the sfc
driver so that the tx ring can have a maximum of 2048 entries for all
EF10 NICs. As a result, the Solarflare hardware no longer becomes
unusable with Red Hat Enterprise Linux 6 due to this bug. (BZ#1498019) | last seen | 2019-01-16 | modified | 2018-08-03 | plugin id | 104617 | published | 2017-11-16 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=104617 | title | Oracle Linux 6 : kernel (ELSA-2017-3200) |
NASL family | Oracle Linux Local Security Checks | NASL id | ORACLELINUX_ELSA-2017-3659.NASL | description | The remote Oracle Linux host is missing a security update for
the Unbreakable Enterprise kernel package(s). | last seen | 2019-01-16 | modified | 2018-09-05 | plugin id | 105247 | published | 2017-12-14 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=105247 | title | Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3659) (BlueBorne) (Dirty COW) (Stack Clash) |
NASL family | Oracle Linux Local Security Checks | NASL id | ORACLELINUX_ELSA-2017-3633.NASL | description | Description of changes:
[2.6.39-400.297.11.el6uek]
- mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang) [Orabug:
26643562] {CVE-2017-11176}
- ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina
Dubroca) [Orabug: 27011278] {CVE-2017-7542}
- packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn)
[Orabug: 27002453] {CVE-2017-1000111}
[2.6.39-400.297.10.el6uek]
- mlx4_core: calculate log_mtt based on total system memory (Wei Lin
Guay) [Orabug: 26867355]
- xen/x86: Add interface for querying amount of host memory (Boris
Ostrovsky) [Orabug: 26867355] | last seen | 2019-01-16 | modified | 2018-09-05 | plugin id | 104169 | published | 2017-10-26 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=104169 | title | Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3633) |
NASL family | Virtuozzo Local Security Checks | NASL id | VIRTUOZZO_VZA-2017-073.NASL | description | According to the version of the vzkernel package and the
readykernel-patch installed, the Virtuozzo installation on the remote
host is affected by the following vulnerabilities :
- A race condition issue leading to a use-after-free flaw
was found in the way the raw packet sockets are
implemented in the Linux kernel networking subsystem
handling synchronization. A local user able to open a
raw packet socket (requires the CAP_NET_RAW capability)
could use this flaw to elevate their privileges on the
system.
- Andrey Konovalov discovered a race condition in the UDP
Fragmentation Offload (UFO) code in the Linux kernel. A
local attacker could use this to cause a denial of
service or execute arbitrary code.
Note that Tenable Network Security has extracted the preceding
description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues. | last seen | 2019-01-16 | modified | 2019-01-14 | plugin id | 102593 | published | 2017-08-21 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102593 | title | Virtuozzo 7 : readykernel-patch (VZA-2017-073) |
NASL family | CentOS Local Security Checks | NASL id | CENTOS_RHSA-2017-3200.NASL | description | An update for kernel is now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The kernel packages contain the Linux kernel, the core of any Linux
operating system.
Security Fix(es) :
* A race condition issue leading to a use-after-free flaw was found in
the way the raw packet sockets are implemented in the Linux kernel
networking subsystem handling synchronization. A local user able to
open a raw packet socket (requires the CAP_NET_RAW capability) could
use this flaw to elevate their privileges on the system.
(CVE-2017-1000111, Important)
* An exploitable memory corruption flaw was found in the Linux kernel.
The append path can be erroneously switched from UFO to non-UFO in
ip_ufo_append_data() when building a UFO packet with the MSG_MORE
option. If unprivileged user namespaces are available, this flaw can
be exploited to gain root privileges. (CVE-2017-1000112, Important)
* A divide-by-zero vulnerability was found in the __tcp_select_window
function in the Linux kernel. This can result in a kernel panic
causing a local denial of service. (CVE-2017-14106, Moderate)
Red Hat would like to thank Willem de Bruijn for reporting
CVE-2017-1000111 and Andrey Konovalov for reporting CVE-2017-1000112.
Bug Fix(es) :
* When the operating system was booted with Red Hat Enterprise
Virtualization, and the eh_deadline sysfs parameter was set to 10s,
the Storage Area Network (SAN) issues caused eh_deadline to trigger
with no handler. Consequently, a kernel panic occurred. This update
fixes the lpfc driver, thus preventing the kernel panic under
described circumstances. (BZ #1487220)
* When an NFS server returned the NFS4ERR_BAD_SEQID error to an OPEN
request, the open-owner was removed from the state_owners rbtree.
Consequently, the NFS4 client entered an infinite loop that required a
reboot to recover. This update changes NFS4ERR_BAD_SEQID handling to
leave the open-owner in the state_owners rbtree by updating the
create_time parameter so that it looks like a new open-owner. As a
result, an NFS4 client is now able to recover without falling into the
infinite recovery loop after receiving NFS4ERR_BAD_SEQID. (BZ#1491123)
* If an NFS client attempted to mount NFSv3 shares from an NFS server
exported directly to the client's IP address, and this NFS client had
already mounted other shares that originated from the same server but
were exported to the subnetwork which this client was part of, the
auth.unix.ip cache expiration was not handled correctly. Consequently,
the client received the 'stale file handle' errors when trying to
mount the share. This update fixes handling of the cache expiration,
and the NFSv3 shares now mount as expected without producing the
'stale file handle' errors. (BZ #1497976)
* When running a script that raised the tx ring count to the maximum
value supported by the Solarflare Network Interface Controller (NIC)
driver, the EF10 family NICs allowed settings exceeding the
hardware's capability. Consequently, the Solarflare hardware became
unusable with Red Hat Enterprise Linux 6. This update fixes the sfc
driver so that the tx ring can have a maximum of 2048 entries for all
EF10 NICs. As a result, the Solarflare hardware no longer becomes
unusable with Red Hat Enterprise Linux 6 due to this bug. (BZ#1498019) | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 104583 | published | 2017-11-16 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=104583 | title | CentOS 6 : kernel (CESA-2017:3200) |
NASL family | SuSE Local Security Checks | NASL id | SUSE_SU-2017-2142-1.NASL | description | The SUSE Linux Enterprise 12 kernel was updated to 3.12.61 to receive
the following security updates :
- CVE-2017-1000111: fix race condition in net-packet code
that could be exploited to cause out-of-bounds memory
access (bsc#1052365).
- CVE-2017-1000112: fix race condition in net-packet code
that could have been exploited by unprivileged users to
gain root access. (bsc#1052311).
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-30 | plugin id | 102475 | published | 2017-08-14 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102475 | title | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2142-1) |
NASL family | SuSE Local Security Checks | NASL id | OPENSUSE-2017-930.NASL | description | The openSUSE Leap 42.3 kernel was updated to receive various security
and bugfixes.
The following security bugs were fixed :
- CVE-2017-1000111: Fixed a race condition in net-packet
code that could be exploited to cause out-of-bounds
memory access (bsc#1052365).
- CVE-2017-1000112: Fixed a race condition in net-packet
code that could have been exploited by unprivileged
users to gain root access. (bsc#1052311).
- CVE-2017-8831: The saa7164_bus_get function in
drivers/media/pci/saa7164/saa7164-bus.c in the Linux
kernel allowed local users to cause a denial of service
(out-of-bounds array access) or possibly have
unspecified other impact by changing a certain
sequence-number value, aka a 'double fetch'
vulnerability (bnc#1037994).
The following non-security bugs were fixed :
- acpi/nfit: Add support of NVDIMM memory error
notification in ACPI 6.2 (bsc#1052325).
- acpi/nfit: Issue Start ARS to retrieve existing records
(bsc#1052325).
- bcache: force trigger gc (bsc#1038078).
- bcache: only recovery I/O error for writethrough mode
(bsc#1043652).
- block: do not allow updates through sysfs until
registration completes (bsc#1047027).
- config: disable CONFIG_RT_GROUP_SCHED (bsc#1052204).
- drivers: hv: As a bandaid, increase HV_UTIL_TIMEOUT
from 30 to 60 seconds (bnc#1039153)
- drivers: hv: Fix a typo (fate#320485).
- drivers: hv: util: Make hv_poll_channel() a little more
efficient (fate#320485).
- drivers: hv: vmbus: Close timing hole that can corrupt
per-cpu page (fate#320485).
- drivers: hv: vmbus: Fix error code returned by
vmbus_post_msg() (fate#320485).
- Fix kABI breakage with CONFIG_RT_GROUP_SCHED=n
(bsc#1052204).
- hv_netvsc: change netvsc device default duplex to FULL
(fate#320485).
- hv_netvsc: Fix the carrier state error when data path is
off (fate#320485).
- hv_netvsc: Remove unnecessary var link_state from struct
netvsc_device_info (fate#320485).
- hyperv: fix warning about missing prototype
(fate#320485).
- hyperv: netvsc: Neaten netvsc_send_pkt by using a
temporary (fate#320485).
- hyperv: remove unnecessary return variable
(fate#320485).
- i40e/i40evf: Fix use after free in Rx cleanup path
(bsc#1051689).
- IB/hfi1: Wait for QSFP modules to initialize
(bsc#1019151).
- ibmvnic: Check for transport event on driver resume
(bsc#1051556, bsc#1052709).
- ibmvnic: Initialize SCRQ's during login renegotiation
(bsc#1052223).
- ibmvnic: Report rx buffer return codes as netdev_dbg
(bsc#1052794).
- iommu/amd: Enable ga_log_intr when enabling guest_mode
(bsc1052533).
- iommu/amd: Fix schedule-while-atomic BUG in
initialization code (bsc1052533).
- KABI protect struct acpi_nfit_desc (bsc#1052325).
- kabi/severities: add drivers/scsi/hisi_sas to kabi
severities
- libnvdimm: fix badblock range handling of ARS range
(bsc#1023175).
- libnvdimm, pmem: fix a NULL pointer BUG in
nd_pmem_notify (bsc#1023175).
- net: add netdev_lockdep_set_classes() helper
(fate#320485).
- net: hyperv: use new api
ethtool_{get|set}_link_ksettings (fate#320485).
- net/mlx4_core: Fixes missing capability bit in flags2
capability dump (bsc#1015337).
- net/mlx4_core: Fix namespace misalignment in QinQ VST
support commit (bsc#1015337).
- net/mlx4_core: Fix sl_to_vl_change bit offset in flags2
dump (bsc#1015337).
- netsvc: Remove upstream commit e14b4db7a567 netvsc: fix
race during initialization will be replaced by following
changes
- netsvc: Revert 'netvsc: optimize calculation of number
of slots' (fate#320485).
- netvsc: add comments about callback's and NAPI
(fate#320485).
- netvsc: Add #include's for csum_* function declarations
(fate#320485).
- netvsc: add rtnl annotations in rndis (fate#320485).
- netvsc: add some rtnl_dereference annotations
(fate#320485).
- netvsc: avoid race with callback (fate#320485).
- netvsc: change logic for change mtu and set_queues
(fate#320485).
- netvsc: change max channel calculation (fate#320485).
- netvsc: change order of steps in setting queues
(fate#320485).
- netvsc: Deal with rescinded channels correctly
(fate#320485).
- netvsc: do not access netdev->num_rx_queues directly
(fate#320485).
- netvsc: do not overload variable in same function
(fate#320485).
- netvsc: do not print pointer value in error message
(fate#320485).
- netvsc: eliminate unnecessary skb == NULL checks
(fate#320485).
- netvsc: enable GRO (fate#320485).
- netvsc: Fix a bug in sub-channel handling (fate#320485).
- netvsc: fix and cleanup rndis_filter_set_packet_filter
(fate#320485).
- netvsc: fix calculation of available send sections
(fate#320485).
- netvsc: fix dereference before null check errors
(fate#320485).
- netvsc: fix error unwind on device setup failure
(fate#320485).
- netvsc: fix hang on netvsc module removal (fate#320485).
- netvsc: fix NAPI performance regression (fate#320485).
- netvsc: fix net poll mode (fate#320485).
- netvsc: fix netvsc_set_channels (fate#320485).
- netvsc: fix ptr_ret.cocci warnings (fate#320485).
- netvsc: fix rcu dereference warning from ethtool
(fate#320485).
- netvsc: fix RCU warning in get_stats (fate#320485).
- netvsc: fix return value for set_channels (fate#320485).
- netvsc: fix rtnl deadlock on unregister of vf
(fate#320485, bsc#1052442).
- netvsc: fix use after free on module removal
(fate#320485).
- netvsc: fix warnings reported by lockdep (fate#320485).
- netvsc: fold in get_outbound_net_device (fate#320485).
- netvsc: force link update after MTU change
(fate#320485).
- netvsc: handle offline mtu and channel change
(fate#320485).
- netvsc: implement NAPI (fate#320485).
- netvsc: include rtnetlink.h (fate#320485).
- netvsc: Initialize all channel related state prior to
opening the channel (fate#320485).
- netvsc: make sure and unregister datapath (fate#320485,
bsc#1052899).
- netvsc: make sure napi enabled before vmbus_open
(fate#320485).
- netvsc: mark error cases as unlikely (fate#320485).
- netvsc: move filter setting to rndis_device
(fate#320485).
- netvsc: need napi scheduled during removal
(fate#320485).
- netvsc: need rcu_derefence when accessing internal
device info (fate#320485).
- netvsc: optimize calculation of number of slots
(fate#320485).
- netvsc: optimize receive completions (fate#320485).
- netvsc: pass net_device to netvsc_init_buf and
netvsc_connect_vsp (fate#320485).
- netvsc: prefetch the first incoming ring element
(fate#320485).
- netvsc: Properly initialize the return value
(fate#320485).
- netvsc: remove bogus rtnl_unlock (fate#320485).
- netvsc: remove no longer used max_num_rss queues
(fate#320485).
- netvsc: Remove redundant use of ipv6_hdr()
(fate#320485).
- netvsc: remove unnecessary indirection of page_buffer
(fate#320485).
- netvsc: remove unnecessary lock on shutdown
(fate#320485).
- netvsc: remove unused #define (fate#320485).
- netvsc: replace netdev_alloc_skb_ip_align with
napi_alloc_skb (fate#320485).
- netvsc: save pointer to parent netvsc_device in channel
table (fate#320485).
- netvsc: signal host if receive ring is emptied
(fate#320485).
- netvsc: transparent VF management (fate#320485,
bsc#1051979).
- netvsc: use ERR_PTR to avoid dereference issues
(fate#320485).
- netvsc: use hv_get_bytes_to_read (fate#320485).
- netvsc: use napi_consume_skb (fate#320485).
- netvsc: use RCU to protect inner device structure
(fate#320485).
- netvsc: uses RCU instead of removal flag (fate#320485).
- netvsc: use typed pointer for internal state
(fate#320485).
- nvme: fabrics commands should use the fctype field for
data direction (bsc#1043805).
- powerpc/perf: Fix SDAR_MODE value for continous sampling
on Power9 (bsc#1053043 (git-fixes)).
- powerpc/tm: Fix saving of TM SPRs in core dump
(fate#318470, git-fixes 08e1c01d6aed).
- qeth: fix L3 next-hop im xmit qeth hdr (bnc#1052773,
LTC#157374).
- rdma/bnxt_re: checking for NULL instead of IS_ERR()
(bsc#1052925).
- scsi: aacraid: fix PCI error recovery path
(bsc#1048912).
- scsi_devinfo: fixup string compare (bsc#1037404).
- scsi_dh_alua: suppress errors from unsupported devices
(bsc#1038792).
- scsi: hisi_sas: add pci_dev in hisi_hba struct
(bsc#1049298).
- scsi: hisi_sas: add v2 hw internal abort timeout
workaround (bsc#1049298).
- scsi: hisi_sas: controller reset for multi-bits ECC and
AXI fatal errors (bsc#1049298).
- scsi: hisi_sas: fix NULL deference when TMF timeouts
(bsc#1049298).
- scsi: hisi_sas: fix timeout check in
hisi_sas_internal_task_abort() (bsc#1049298).
- scsi: hisi_sas: optimise DMA slot memory (bsc#1049298).
- scsi: hisi_sas: optimise the usage of hisi_hba.lock
(bsc#1049298).
- scsi: hisi_sas: relocate get_ata_protocol()
(bsc#1049298).
- scsi: hisi_sas: workaround a SoC SATA IO processing bug
(bsc#1049298).
- scsi: hisi_sas: workaround SoC about abort timeout bug
(bsc#1049298).
- scsi: hisi_sas: workaround STP link SoC bug
(bsc#1049298).
- scsi: lpfc: do not double count abort errors
(bsc#1048912).
- scsi: lpfc: fix linking against modular NVMe support
(bsc#1048912).
- scsi: qedi: Fix return code in qedi_ep_connect()
(bsc#1048912).
- scsi: storvsc: Prefer kcalloc over kzalloc with multiply
(fate#320485).
- scsi: storvsc: remove return at end of void function
(fate#320485).
- tools: hv: Add clean up for included files in Ubuntu net
config (fate#320485).
- tools: hv: Add clean up function for Ubuntu config
(fate#320485).
- tools: hv: properly handle long paths (fate#320485).
- tools: hv: set allow-hotplug for VF on Ubuntu
(fate#320485).
- tools: hv: set hotplug for VF on Suse (fate#320485).
- tools: hv: vss: Thaw the filesystem and continue if
freeze call has timed out (fate#320485).
- vfs: fix missing inode_get_dev sites (bsc#1052049).
- vmbus: cleanup header file style (fate#320485).
- vmbus: expose debug info for drivers (fate#320485).
- vmbus: fix spelling errors (fate#320485).
- vmbus: introduce in-place packet iterator (fate#320485).
- vmbus: only reschedule tasklet if time limit exceeded
(fate#320485).
- vmbus: re-enable channel tasklet (fate#320485).
- vmbus: remove unnecessary initialization (fate#320485).
- vmbus: remove useless return's (fate#320485).
- x86/dmi: Switch dmi_remap() from ioremap() to
ioremap_cache() (bsc#1051399).
- x86/hyperv: Check frequency MSRs presence according to
the specification (fate#320485).
- The package release number was increased to be higher
than the Leap 42.2 package (boo#1053531). | last seen | 2019-01-16 | modified | 2018-08-03 | plugin id | 102510 | published | 2017-08-16 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102510 | title | openSUSE Security Update : the Linux Kernel (openSUSE-2017-930) |
NASL family | OracleVM Local Security Checks | NASL id | ORACLEVM_OVMSA-2017-0164.NASL | description | The remote OracleVM system is missing necessary patches to address
critical security updates :
- mqueue: fix a use-after-free in sys_mq_notify (Cong
Wang) [Orabug: 26643556] (CVE-2017-11176)
- ipv6: avoid overflow of offset in ip6_find_1stfragopt
(Sabrina Dubroca) [Orabug: 27011273] (CVE-2017-7542)
- packet: fix tp_reserve race in packet_set_ring (Willem
de Bruijn) [Orabug: 27002450] (CVE-2017-1000111)
- mlx4_core: calculate log_num_mtt based on total system
memory (Wei Lin Guay) [Orabug: 26883934]
- xen/x86: Add interface for querying amount of host
memory (Boris Ostrovsky) [Orabug: 26883934] | last seen | 2019-01-16 | modified | 2018-09-05 | plugin id | 104203 | published | 2017-10-27 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=104203 | title | OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0164) |
NASL family | CentOS Local Security Checks | NASL id | CENTOS_RHSA-2017-2930.NASL | description | An update for kernel is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The kernel packages contain the Linux kernel, the core of any Linux
operating system.
Security Fix(es) :
* Out-of-bounds kernel heap access vulnerability was found in xfrm,
kernel's IP framework for transforming packets. An error dealing with
netlink messages from an unprivileged user leads to arbitrary
read/write and privilege escalation. (CVE-2017-7184, Important)
* A race condition issue leading to a use-after-free flaw was found in
the way the raw packet sockets are implemented in the Linux kernel
networking subsystem handling synchronization. A local user able to
open a raw packet socket (requires the CAP_NET_RAW capability) could
use this flaw to elevate their privileges on the system.
(CVE-2017-1000111, Important)
* An exploitable memory corruption flaw was found in the Linux kernel.
The append path can be erroneously switched from UFO to non-UFO in
ip_ufo_append_data() when building a UFO packet with the MSG_MORE
option. If unprivileged user namespaces are available, this flaw can
be exploited to gain root privileges. (CVE-2017-1000112, Important)
* A flaw was found in the Linux networking subsystem where a local
attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds
memory access by creating a smaller-than-expected ICMP header and
sending to its destination via sendto(). (CVE-2016-8399, Moderate)
* Kernel memory corruption due to a buffer overflow was found in
brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to
v4.13-rc1. The vulnerability can be triggered by sending a crafted
NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be
triggered remotely as certain userspace code is needed for this. An
unprivileged local user could use this flaw to induce kernel memory
corruption on the system, leading to a crash. Due to the nature of the
flaw, privilege escalation cannot be fully ruled out, although it is
unlikely. (CVE-2017-7541, Moderate)
* An integer overflow vulnerability in the ip6_find_1stfragopt()
function was found. A local attacker that has the privileges
(CAP_NET_RAW) to open a raw socket can cause an infinite loop inside
the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate)
* A kernel data leak due to an out-of-bounds read was found in the
Linux kernel in the inet_diag_msg_sctp{,l}addr_fill() and
sctp_get_sctp_info() functions, present since version 4.7-rc1 through
version 4.13. The leak happens when these functions fill in the
sockaddr data structures used to export a socket's diagnostic
information. As a result, up to 100 bytes of slab data could be
leaked to userspace. (CVE-2017-7558, Moderate)
* The mq_notify function in the Linux kernel through 4.11.9 does not
set the sock pointer to NULL upon entry into the retry logic. During a
user-space close of a Netlink socket, this allows attackers to possibly
cause a value to be used after it has been freed (use-after-free),
which may lead to memory corruption or other unspecified impact.
(CVE-2017-11176, Moderate)
* A divide-by-zero vulnerability was found in the __tcp_select_window
function in the Linux kernel. This can result in a kernel panic
causing a local denial of service. (CVE-2017-14106, Moderate)
Red Hat would like to thank Chaitin Security Research Lab for
reporting CVE-2017-7184; Willem de Bruijn for reporting
CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112.
The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat).
Space precludes documenting all of the bug fixes and enhancements
included in this advisory. To see the complete list of bug fixes and
enhancements, refer to the following KnowledgeBase article:
https://access.redhat.com/node/3212921. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 104106 | published | 2017-10-24 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=104106 | title | CentOS 7 : kernel (CESA-2017:2930) |
NASL family | SuSE Local Security Checks | NASL id | OPENSUSE-2017-929.NASL | description | The openSUSE Leap 42.2 kernel was updated to receive various security
and bugfixes.
The following security bugs were fixed :
- CVE-2017-1000111: Fixed a race condition in net-packet
code that could be exploited to cause out-of-bounds
memory access (bsc#1052365).
- CVE-2017-1000112: Fixed a race condition in net-packet
code that could have been exploited by unprivileged
users to gain root access. (bsc#1052311).
- CVE-2017-8831: The saa7164_bus_get function in
drivers/media/pci/saa7164/saa7164-bus.c in the Linux
kernel allowed local users to cause a denial of service
(out-of-bounds array access) or possibly have
unspecified other impact by changing a certain
sequence-number value, aka a 'double fetch'
vulnerability (bnc#1037994).
The following non-security bugs were fixed :
- IB/hfi1: Wait for QSFP modules to initialize
(bsc#1019151).
- bcache: force trigger gc (bsc#1038078).
- bcache: only recovery I/O error for writethrough mode
(bsc#1043652).
- block: do not allow updates through sysfs until
registration completes (bsc#1047027).
- ibmvnic: Check for transport event on driver resume
(bsc#1051556, bsc#1052709).
- ibmvnic: Initialize SCRQ's during login renegotiation
(bsc#1052223).
- ibmvnic: Report rx buffer return codes as netdev_dbg
(bsc#1052794).
- iommu/amd: Fix schedule-while-atomic BUG in
initialization code (bsc1052533).
- libnvdimm, pmem: fix a NULL pointer BUG in
nd_pmem_notify (bsc#1023175).
- libnvdimm: fix badblock range handling of ARS range
(bsc#1023175).
- qeth: fix L3 next-hop im xmit qeth hdr (bnc#1052773,
LTC#157374).
- scsi_devinfo: fixup string compare (bsc#1037404).
- scsi_dh_alua: suppress errors from unsupported devices
(bsc#1038792).
- vfs: fix missing inode_get_dev sites (bsc#1052049).
- x86/dmi: Switch dmi_remap() from ioremap() to
ioremap_cache() (bsc#1051399). | last seen | 2019-01-16 | modified | 2018-08-03 | plugin id | 102509 | published | 2017-08-16 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102509 | title | openSUSE Security Update : the Linux Kernel (openSUSE-2017-929) |
NASL family | SuSE Local Security Checks | NASL id | SUSE_SU-2017-2131-1.NASL | description | The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.74 to
receive various security and bugfixes. The following security bugs
were fixed :
- CVE-2017-1000111: fix race condition in net-packet code
that could be exploited to cause out-of-bounds memory
access (bsc#1052365).
- CVE-2017-1000112: fix race condition in net-packet code
that could have been exploited by unprivileged users to
gain root access. (bsc#1052311).
The update package also includes non-security fixes. See advisory for
details.
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-30 | plugin id | 102415 | published | 2017-08-11 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=102415 | title | SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2131-1) |
NASL family | OracleVM Local Security Checks | NASL id | ORACLEVM_OVMSA-2017-0173.NASL | description | The remote OracleVM system is missing necessary patches to address
critical security updates :
- tty: Fix race in pty_write leading to NULL deref (Todd
Vierling)
- ocfs2/dlm: ignore cleaning the migration mle that is
inuse (xuejiufei) [Orabug: 26479780]
- KEYS: fix dereferencing NULL payload with nonzero length
(Eric Biggers) [Orabug: 26592025]
- oracleasm: Copy the integrity descriptor (Martin K.
Petersen)
- mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook)
[Orabug: 26675925] (CVE-2017-7889)
- xscore: add dma address check (Zhu Yanjun) [Orabug:
27058468]
- more bio_map_user_iov leak fixes (Al Viro) [Orabug:
27069042] (CVE-2017-12190)
- fix unbalanced page refcounting in bio_map_user_iov
(Vitaly Mayatskikh) [Orabug: 27069042] (CVE-2017-12190)
- nvme: Drop nvmeq->q_lock before dma_pool_alloc, so as to
prevent hard lockups (Aruna Ramakrishna) [Orabug:
25409587]
- nvme: Handle PM1725 HIL reset (Martin K. Petersen)
[Orabug: 26277600]
- char: lp: fix possible integer overflow in lp_setup
(Willy Tarreau) [Orabug: 26403940] (CVE-2017-1000363)
- ALSA: timer: Fix missing queue indices reset at
SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai) [Orabug:
26403956] (CVE-2017-1000380)
- ALSA: timer: Fix race between read and ioctl (Takashi
Iwai) [Orabug: 26403956] (CVE-2017-1000380)
- ALSA: timer: fix NULL pointer dereference in read/ioctl
race (Vegard Nossum) [Orabug: 26403956]
(CVE-2017-1000380)
- ALSA: timer: Fix negative queue usage by racy accesses
(Takashi Iwai) [Orabug: 26403956] (CVE-2017-1000380)
- ALSA: timer: Fix race at concurrent reads (Takashi Iwai)
[Orabug: 26403956] (CVE-2017-1000380)
- ALSA: timer: Fix race among timer ioctls (Takashi Iwai)
[Orabug: 26403956] (CVE-2017-1000380)
- ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG
Cong) [Orabug: 26404005] (CVE-2017-9077)
- ocfs2: fix deadlock issue when taking inode lock at vfs
entry points (Eric Ren) [Orabug: 26427126]
- ocfs2/dlmglue: prepare tracking logic to avoid recursive
cluster lock (Eric Ren) [Orabug: 26427126]
- ping: implement proper locking (Eric Dumazet) [Orabug:
26540286] (CVE-2017-2671)
- aio: mark AIO pseudo-fs noexec (Jann Horn) [Orabug:
26643598] (CVE-2016-10044)
- vfs: Commit to never having exectuables on proc and
sysfs. (Eric W. Biederman) [Orabug: 26643598]
(CVE-2016-10044)
- vfs, writeback: replace FS_CGROUP_WRITEBACK with
SB_I_CGROUPWB (Tejun Heo) [Orabug: 26643598]
(CVE-2016-10044)
- x86/acpi: Prevent out of bound access caused by broken
ACPI tables (Seunghun Han) [Orabug: 26643645]
(CVE-2017-11473)
- sctp: do not inherit ipv6_[mc|ac|fl]_list from parent
(Eric Dumazet) [Orabug: 26650883] (CVE-2017-9075)
- [media] saa7164: fix double fetch PCIe access condition
(Steven Toth) [Orabug: 26675142] (CVE-2017-8831)
- [media] saa7164: fix sparse warnings (Hans Verkuil)
[Orabug: 26675142] (CVE-2017-8831)
- fs: __generic_file_splice_read retry lookup on
AOP_TRUNCATED_PAGE (Abhi Das) [Orabug: 26797306]
- timerfd: Protect the might cancel mechanism proper
(Thomas Gleixner) [Orabug: 26899787] (CVE-2017-10661)
- scsi: scsi_transport_iscsi: fix the issue that
iscsi_if_rx doesn't parse nlmsg properly (Xin Long)
[Orabug: 26988627] (CVE-2017-14489)
- mqueue: fix a use-after-free in sys_mq_notify (Cong
Wang) [Orabug: 26643556] (CVE-2017-11176)
- ipv6: avoid overflow of offset in ip6_find_1stfragopt
(Sabrina Dubroca) [Orabug: 27011273] (CVE-2017-7542)
- packet: fix tp_reserve race in packet_set_ring (Willem
de Bruijn) [Orabug: 27002450] (CVE-2017-1000111)
- mlx4_core: calculate log_num_mtt based on total system
memory (Wei Lin Guay) [Orabug: 26883934]
- xen/x86: Add interface for querying amount of host
memory (Boris Ostrovsky) [Orabug: 26883934]
- Bluetooth: Properly check L2CAP config option output
buffer length (Ben Seri) [Orabug: 26796364]
(CVE-2017-1000251)
- xen: fix bio vec merging (Roger Pau Monne) [Orabug:
26645550] (CVE-2017-12134)
- fs/exec.c: account for argv/envp pointers (Kees Cook)
[Orabug: 26638921] (CVE-2017-1000365)
- l2tp: fix racy SOCK_ZAPPED flag check in
l2tp_ip[,6]_bind (Guillaume Nault) [Orabug: 26586047]
(CVE-2016-10200)
- xfs: fix two memory leaks in xfs_attr_list.c error paths
(Mateusz Guzik) [Orabug: 26586022] (CVE-2016-9685)
- KEYS: Disallow keyrings beginning with '.' to be joined
as session keyrings (David Howells) [Orabug: 26585994]
(CVE-2016-9604)
- ipv6: fix out of bound writes in __ip6_append_data (Eric
Dumazet) [Orabug: 26578198] (CVE-2017-9242)
- posix_acl: Clear SGID bit when setting file permissions
(Jan Kara) [Orabug: 25507344] (CVE-2016-7097)
- nfsd: check for oversized NFSv2/v3 arguments (J. Bruce
Fields) [Orabug: 26366022] (CVE-2017-7645) | last seen | 2019-01-16 | modified | 2018-09-05 | plugin id | 105147 | published | 2017-12-11 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=105147 | title | OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0173) (BlueBorne) (Stack Clash) |
NASL family | Oracle Linux Local Security Checks | NASL id | ORACLELINUX_ELSA-2017-3657.NASL | description | Description of changes:
[3.8.13-118.20.1.el7uek]
- tty: Fix race in pty_write() leading to NULL deref (Todd Vierling)
[Orabug: 25392692]
- ocfs2/dlm: ignore cleaning the migration mle that is inuse (xuejiufei)
[Orabug: 26479780]
- KEYS: fix dereferencing NULL payload with nonzero length (Eric
Biggers) [Orabug: 26592025]
- oracleasm: Copy the integrity descriptor (Martin K. Petersen)
[Orabug: 26649818]
- mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook) [Orabug:
26675925] {CVE-2017-7889}
- xscore: add dma address check (Zhu Yanjun) [Orabug: 27058468]
- more bio_map_user_iov() leak fixes (Al Viro) [Orabug: 27069042]
{CVE-2017-12190}
- fix unbalanced page refcounting in bio_map_user_iov (Vitaly
Mayatskikh) [Orabug: 27069042] {CVE-2017-12190}
- nvme: Drop nvmeq->q_lock before dma_pool_alloc(), so as to prevent
hard lockups (Aruna Ramakrishna) [Orabug: 25409587]
- nvme: Handle PM1725 HIL reset (Martin K. Petersen) [Orabug: 26277600]
- char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau)
[Orabug: 26403940] {CVE-2017-1000363}
- ALSA: timer: Fix missing queue indices reset at
SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai) [Orabug: 26403956]
{CVE-2017-1000380}
- ALSA: timer: Fix race between read and ioctl (Takashi Iwai) [Orabug:
26403956] {CVE-2017-1000380}
- ALSA: timer: fix NULL pointer dereference in read()/ioctl() race
(Vegard Nossum) [Orabug: 26403956] {CVE-2017-1000380}
- ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai)
[Orabug: 26403956] {CVE-2017-1000380}
- ALSA: timer: Fix race at concurrent reads (Takashi Iwai) [Orabug:
26403956] {CVE-2017-1000380}
- ALSA: timer: Fix race among timer ioctls (Takashi Iwai) [Orabug:
26403956] {CVE-2017-1000380}
- ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong)
[Orabug: 26404005] {CVE-2017-9077}
- ocfs2: fix deadlock issue when taking inode lock at vfs entry points
(Eric Ren) [Orabug: 26427126]
- ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock
(Eric Ren) [Orabug: 26427126]
- ping: implement proper locking (Eric Dumazet) [Orabug: 26540286]
{CVE-2017-2671}
- aio: mark AIO pseudo-fs noexec (Jann Horn) [Orabug: 26643598]
{CVE-2016-10044}
- vfs: Commit to never having exectuables on proc and sysfs. (Eric W.
Biederman) [Orabug: 26643598] {CVE-2016-10044}
- vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun
Heo) [Orabug: 26643598] {CVE-2016-10044}
- x86/acpi: Prevent out of bound access caused by broken ACPI tables
(Seunghun Han) [Orabug: 26643645] {CVE-2017-11473}
- sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet)
[Orabug: 26650883] {CVE-2017-9075}
- [media] saa7164: fix double fetch PCIe access condition (Steven Toth)
[Orabug: 26675142] {CVE-2017-8831}
- [media] saa7164: fix sparse warnings (Hans Verkuil) [Orabug:
26675142] {CVE-2017-8831}
- fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE
(Abhi Das) [Orabug: 26797306]
- timerfd: Protect the might cancel mechanism proper (Thomas Gleixner)
[Orabug: 26899787] {CVE-2017-10661}
- scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't
parse nlmsg properly (Xin Long) [Orabug: 26988627] {CVE-2017-14489}
- mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang) [Orabug:
26643556] {CVE-2017-11176}
- ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina
Dubroca) [Orabug: 27011273] {CVE-2017-7542}
- packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn)
[Orabug: 27002450] {CVE-2017-1000111}
- mlx4_core: calculate log_num_mtt based on total system memory (Wei Lin
Guay) [Orabug: 26883934]
- xen/x86: Add interface for querying amount of host memory (Boris
Ostrovsky) [Orabug: 26883934]
- Bluetooth: Properly check L2CAP config option output buffer length
(Ben Seri) [Orabug: 26796364] {CVE-2017-1000251}
- xen: fix bio vec merging (Roger Pau Monne) [Orabug: 26645550]
{CVE-2017-12134}
- fs/exec.c: account for argv/envp pointers (Kees Cook) [Orabug:
26638921] {CVE-2017-1000365}
- l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume
Nault) [Orabug: 26586047] {CVE-2016-10200}
- xfs: fix two memory leaks in xfs_attr_list.c error paths (Mateusz
Guzik) [Orabug: 26586022] {CVE-2016-9685}
- KEYS: Disallow keyrings beginning with '.' to be joined as session
keyrings (David Howells) [Orabug: 26585994] {CVE-2016-9604}
- ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet)
[Orabug: 26578198] {CVE-2017-9242}
- posix_acl: Clear SGID bit when setting file permissions (Jan Kara)
[Orabug: 25507344] {CVE-2016-7097}
- nfsd: check for oversized NFSv2/v3 arguments (J. Bruce Fields)
[Orabug: 26366022] {CVE-2017-7645} | last seen | 2019-01-16 | modified | 2018-09-05 | plugin id | 105144 | published | 2017-12-11 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=105144 | title | Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3657) (BlueBorne) (Stack Clash) |
NASL family | Oracle Linux Local Security Checks | NASL id | ORACLELINUX_ELSA-2017-2930.NASL | description | From Red Hat Security Advisory 2017:2930 :
An update for kernel is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The kernel packages contain the Linux kernel, the core of any Linux
operating system.
Security Fix(es) :
* Out-of-bounds kernel heap access vulnerability was found in xfrm,
kernel's IP framework for transforming packets. An error dealing with
netlink messages from an unprivileged user leads to arbitrary
read/write and privilege escalation. (CVE-2017-7184, Important)
* A race condition issue leading to a use-after-free flaw was found in
the way the raw packet sockets are implemented in the Linux kernel
networking subsystem handling synchronization. A local user able to
open a raw packet socket (requires the CAP_NET_RAW capability) could
use this flaw to elevate their privileges on the system.
(CVE-2017-1000111, Important)
* An exploitable memory corruption flaw was found in the Linux kernel.
The append path can be erroneously switched from UFO to non-UFO in
ip_ufo_append_data() when building an UFO packet with MSG_MORE option.
If unprivileged user namespaces are available, this flaw can be
exploited to gain root privileges. (CVE-2017-1000112, Important)
* A flaw was found in the Linux networking subsystem where a local
attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds
memory access by creating a smaller-than-expected ICMP header and
sending to its destination via sendto(). (CVE-2016-8399, Moderate)
* Kernel memory corruption due to a buffer overflow was found in
brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to
v4.13-rc1. The vulnerability can be triggered by sending a crafted
NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be
triggered remotely as certain userspace code is needed for this. An
unprivileged local user could use this flaw to induce kernel memory
corruption on the system, leading to a crash. Due to the nature of the
flaw, privilege escalation cannot be fully ruled out, although it is
unlikely. (CVE-2017-7541, Moderate)
* An integer overflow vulnerability in ip6_find_1stfragopt() function
was found. A local attacker that has privileges (of CAP_NET_RAW) to
open raw socket can cause an infinite loop inside the
ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate)
* A kernel data leak due to an out-of-bound read was found in the
Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and
sctp_get_sctp_info() functions present since version 4.7-rc1 through
version 4.13. A data leak happens when these functions fill in
sockaddr data structures used to export socket's diagnostic
information. As a result, up to 100 bytes of the slab data could be
leaked to a userspace. (CVE-2017-7558, Moderate)
* The mq_notify function in the Linux kernel through 4.11.9 does not
set the sock pointer to NULL upon entry into the retry logic. During a
user-space close of a Netlink socket, it allows attackers to possibly
cause a situation where a value may be used after being freed
(use-after-free), which may lead to memory corruption or other
unspecified impact. (CVE-2017-11176, Moderate)
* A divide-by-zero vulnerability was found in the __tcp_select_window
function in the Linux kernel. This can result in a kernel panic
causing a local denial of service. (CVE-2017-14106, Moderate)
Red Hat would like to thank Chaitin Security Research Lab for
reporting CVE-2017-7184; Willem de Bruijn for reporting
CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112.
The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat).
Space precludes documenting all of the bug fixes and enhancements
included in this advisory. To see the complete list of bug fixes and
enhancements, refer to the following KnowledgeBase article:
https://access.redhat.com/node/3212921. | last seen | 2019-01-16 | modified | 2018-09-05 | plugin id | 104001 | published | 2017-10-20 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=104001 | title | Oracle Linux 7 : kernel (ELSA-2017-2930) |
NASL family | Debian Local Security Checks | NASL id | DEBIAN_DSA-3981.NASL | description | Several vulnerabilities have been discovered in the Linux kernel that
may lead to privilege escalation, denial of service or information
leaks.
- CVE-2017-7518
Andy Lutomirski discovered that KVM is prone to an
incorrect debug exception (#DB) error occurring while
emulating a syscall instruction. A process inside a
guest can take advantage of this flaw for privilege
escalation inside a guest.
- CVE-2017-7558 (stretch only)
Stefano Brivio of Red Hat discovered that the SCTP
subsystem is prone to a data leak vulnerability due to
an out-of-bounds read flaw, allowing to leak up to 100
uninitialized bytes to userspace.
- CVE-2017-10661 (jessie only)
Dmitry Vyukov of Google reported that the timerfd
facility does not properly handle certain concurrent
operations on a single file descriptor. This allows a
local attacker to cause a denial of service or
potentially execute arbitrary code.
- CVE-2017-11600
Bo Zhang reported that the xfrm subsystem does not
properly validate one of the parameters to a netlink
message. Local users with the CAP_NET_ADMIN capability
can use this to cause a denial of service or potentially
to execute arbitrary code.
- CVE-2017-12134 / #866511 / XSA-229
Jan H. Schoenherr of Amazon discovered that when Linux
is running in a Xen PV domain on an x86 system, it may
incorrectly merge block I/O requests. A buggy or
malicious guest may trigger this bug in dom0 or a PV
driver domain, causing a denial of service or
potentially execution of arbitrary code.
This issue can be mitigated by disabling merges on the underlying
back-end block devices, e.g.: echo 2 > /sys/block/nvme0n1/queue/nomerges
- CVE-2017-12146 (stretch only)
Adrian Salido of Google reported a race condition in
access to the 'driver_override' attribute for platform
devices in sysfs. If unprivileged users are permitted to
access this attribute, this might allow them to gain
privileges.
- CVE-2017-12153
Bo Zhang reported that the cfg80211 (wifi) subsystem
does not properly validate the parameters to a netlink
message. Local users with the CAP_NET_ADMIN capability
(in any user namespace with a wifi device) can use this
to cause a denial of service.
- CVE-2017-12154
Jim Mattson of Google reported that the KVM
implementation for Intel x86 processors did not
correctly handle certain nested hypervisor
configurations. A malicious guest (or nested guest in a
suitable L1 hypervisor) could use this for denial of
service.
- CVE-2017-14106
Andrey Konovalov discovered that a user-triggerable
division by zero in the tcp_disconnect() function could
result in local denial of service.
- CVE-2017-14140
Otto Ebeling reported that the move_pages() system call
performed insufficient validation of the UIDs of the
calling and target processes, resulting in a partial
ASLR bypass. This made it easier for local users to
exploit vulnerabilities in programs installed with the
set-UID permission bit set.
- CVE-2017-14156
'sohu0106' reported an information leak in the atyfb
video driver. A local user with access to a framebuffer
device handled by this driver could use this to obtain
sensitive information.
- CVE-2017-14340
Richard Wareing discovered that the XFS implementation
allows the creation of files with the 'realtime' flag on
a filesystem with no realtime device, which can result
in a crash (oops). A local user with access to an XFS
filesystem that does not have a realtime device can use
this for denial of service.
- CVE-2017-14489
ChunYu Wang of Red Hat discovered that the iSCSI
subsystem does not properly validate the length of a
netlink message, leading to memory corruption. A local
user with permission to manage iSCSI devices can use
this for denial of service or possibly to execute
arbitrary code.
- CVE-2017-14497 (stretch only)
Benjamin Poirier of SUSE reported that vnet headers are
not properly handled within the tpacket_rcv() function
in the raw packet (af_packet) feature. A local user with
the CAP_NET_RAW capability can take advantage of this
flaw to cause a denial of service (buffer overflow, and
disk and memory corruption) or have other impact.
- CVE-2017-1000111
Andrey Konovalov of Google reported a race condition in
the raw packet (af_packet) feature. Local users with the
CAP_NET_RAW capability can use this for denial of
service or possibly to execute arbitrary code.
- CVE-2017-1000112
Andrey Konovalov of Google reported a race condition
flaw in the UDP Fragmentation Offload (UFO) code. A
local user can use this flaw for denial of service or
possibly to execute arbitrary code.
- CVE-2017-1000251 / #875881
Armis Labs discovered that the Bluetooth subsystem does
not properly validate L2CAP configuration responses,
leading to a stack-based buffer overflow. This is one of
several vulnerabilities dubbed 'Blueborne'. A nearby
attacker can use this to cause a denial of service or
possibly to execute arbitrary code on a system with
Bluetooth enabled.
- CVE-2017-1000252 (stretch only)
Jan H. Schoenherr of Amazon reported that the KVM
implementation for Intel x86 processors did not
correctly validate interrupt injection requests. A local
user with permission to use KVM could use this for
denial of service.
- CVE-2017-1000370
The Qualys Research Labs reported that a large argument
or environment list can result in ASLR bypass for 32-bit
PIE binaries.
- CVE-2017-1000371
The Qualys Research Labs reported that a large argument
or environment list can result in a stack/heap clash for
32-bit PIE binaries.
- CVE-2017-1000380
Alexander Potapenko of Google reported a race condition
in the ALSA (sound) timer driver, leading to an
information leak. A local user with permission to access
sound devices could use this to obtain sensitive
information.
Debian disables unprivileged user namespaces by default, but if they
are enabled (via the kernel.unprivileged_userns_clone sysctl) then
CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited
by any local user. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 103365 | published | 2017-09-21 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=103365 | title | Debian DSA-3981-1 : linux - security update (BlueBorne) (Stack Clash) |
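As an added example, not part of the DSA-3981 text or of any Debian tooling, the following POSIX shell script does two things a dom0 or PV driver-domain administrator would want from that advisory: it applies the XSA-229 (CVE-2017-12134) workaround quoted above to a list of back-end block devices and verifies that the write actually took, and it reports the state of the Debian-specific kernel.unprivileged_userns_clone sysctl that the closing paragraph refers to. The SYSFS_ROOT and PROCFS_ROOT variables and the function names are assumptions introduced here so the script can be exercised against a fake tree without root; on a real host leave them at their defaults and run as root.

```shell
#!/bin/sh
# Added example (not from DSA-3981 or Debian): apply and verify the XSA-229
# nomerges workaround and check the unprivileged_userns_clone sysctl.
# SYSFS_ROOT / PROCFS_ROOT are assumptions that let the functions be pointed at
# a fake tree for testing; the real paths are /sys and /proc.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
PROCFS_ROOT="${PROCFS_ROOT:-/proc}"

# set_nomerges DEV
# Writes 2 ("disable all request merging", per Documentation/block/queue-sysfs)
# to /sys/block/DEV/queue/nomerges and reads it back.
# Returns 0 if the value took, 1 if the attribute does not exist (not a block
# device, or no request queue), 2 if the write did not stick (read-only sysfs,
# missing privilege).
set_nomerges() {
    attr="$SYSFS_ROOT/block/$1/queue/nomerges"
    [ -f "$attr" ] || return 1
    printf '2\n' > "$attr" 2>/dev/null || return 2
    [ "$(cat "$attr")" = "2" ] || return 2
    return 0
}

# disable_merges_for DEV...
# Applies set_nomerges to every device named, prints one status line per
# device, and returns the number of devices that could NOT be mitigated
# (0 means all of them are now protected).
disable_merges_for() {
    failed=0
    for dev in "$@"; do
        # && / || keeps this safe under `set -e` and captures the real rc.
        set_nomerges "$dev" && rc=0 || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "$dev: nomerges=2"
        else
            echo "$dev: NOT mitigated (rc=$rc)"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# userns_clone_state
# Prints "enabled", "disabled" or "absent" for kernel.unprivileged_userns_clone.
# "absent" means the kernel does not carry Debian's patch at all, so the
# sysctl cannot be used to restrict user namespaces and they should be assumed
# available to unprivileged users.
# Returns 0 for enabled, 1 for disabled, 2 for absent.
userns_clone_state() {
    f="$PROCFS_ROOT/sys/kernel/unprivileged_userns_clone"
    if [ ! -f "$f" ]; then
        echo absent
        return 2
    fi
    case "$(cat "$f")" in
        0) echo disabled; return 1 ;;
        *) echo enabled;  return 0 ;;
    esac
}

# Stand-alone usage on a real host (requires root for the sysfs write):
#   disable_merges_for nvme0n1 sda
#   userns_clone_state
```

Two caveats apply on a real system. The nomerges value is a runtime sysfs setting and does not survive a reboot, so it has to be reapplied at boot (a udev rule or an init script) for as long as the unpatched kernel is in use, and the device to mitigate is the one blkback exports to the guest, not the guest's own virtual disk. Setting nomerges=2 also disables all request merging on that queue, which costs throughput on some workloads; it is a stopgap until the fixed kernel is installed, not a permanent configuration.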
|