ID CVE-2017-1000112
Summary Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.
References
Vulnerable Configurations
  • Linux Kernel 4.13.9
    cpe:2.3:o:linux:linux_kernel:4.13.9
CVSS
Base: 6.9
Impact:
Exploitability:
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
exploit-db via4
  • description Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP). CVE-2017-1000112. Local exploit for Linux platform
    id EDB-ID:43418
    last seen 2018-01-24
    modified 2017-08-13
    published 2017-08-13
    reporter Exploit-DB
    source https://www.exploit-db.com/download/43418/
    title Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)
  • description Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit). CVE-2017-1000112. Local exploit for Linux platform. Tags: Metasploit Framewo...
    file exploits/linux/local/45147.rb
    id EDB-ID:45147
    last seen 2018-08-03
    modified 2018-08-03
    platform linux
    port
    published 2018-08-03
    reporter Exploit-DB
    source https://www.exploit-db.com/download/45147/
    title Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit)
    type local
metasploit via4
description This module attempts to gain root privileges on Linux systems by abusing UDP Fragmentation Offload (UFO). This exploit targets only systems using Ubuntu (Trusty / Xenial) kernels 4.4.0-21 <= 4.4.0-89 and 4.8.0-34 <= 4.8.0-58, including Linux distros based on Ubuntu, such as Linux Mint. The target system must have unprivileged user namespaces enabled and SMAP disabled. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on various Ubuntu and Linux Mint systems, including: Ubuntu 14.04.5 4.4.0-31-generic x64 Desktop; Ubuntu 16.04 4.8.0-53-generic; Linux Mint 17.3 4.4.0-89-generic; Linux Mint 18 4.8.0-58-generic
id MSF:EXPLOIT/LINUX/LOCAL/UFO_PRIVILEGE_ESCALATION
last seen 2019-03-21
modified 2019-01-10
published 2018-04-18
reliability Good
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/ufo_privilege_escalation.rb
title Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation
nessus via4
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0029.NASL
    description An update of [ruby,cassandra,linux,libxml2] packages for PhotonOS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 111878
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111878
    title Photon OS 1.0: Cassandra / Libxml2 / Linux / Ruby PHSA-2017-0029 (deprecated)
  • NASL family Junos Local Security Checks
    NASL id JUNIPER_SPACE_JSA_10838.NASL
    description According to its self-reported version number, the remote Junos Space version is prior to 17.2R1. It is, therefore, affected by multiple vulnerabilities.
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 108520
    published 2018-03-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108520
    title Juniper Junos Space < 17.2R1 Multiple Vulnerabilities (JSA10838)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-2930-1.NASL
    description Description of changes: - [3.10.0-693.5.2.0.1.el7.OL7] - [ipc] ipc/sem.c: bugfix for semctl(,,GETZCNT) (Manfred Spraul) [orabug 22552377] - Oracle Linux certificates (Alexey Petrenko) - Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(alexey.petrenko at oracle.com) - Update x509.genkey [bug 24817676] [3.10.0-693.5.2.el7] - [mm] page_cgroup: Fix Kernel bug during boot with memory cgroups enabled (Larry Woodman) [1491970 1483747] - Revert: [mm] Fix Kernel bug during boot with memory cgroups enabled (Larry Woodman) [1491970 1483747] [3.10.0-693.5.1.el7] - [netdrv] i40e: point wb_desc at the nvm_wb_desc during i40e_read_nvm_aq (Stefan Assmann) [1491972 1484232] - [netdrv] i40e: avoid NVM acquire deadlock during NVM update (Stefan Assmann) [1491972 1484232] - [mm] Fix Kernel bug during boot with memory cgroups enabled (Larry Woodman) [1491970 1483747] - [fs] nfsv4: Ensure we don't re-test revoked and freed stateids (Dave Wysochanski) [1491969 1459733] - [netdrv] bonding: commit link status change after propose (Jarod Wilson) [1491121 1469790] - [mm] page_alloc: ratelimit PFNs busy info message (Jonathan Toppins) [1491120 1383179] - [netdrv] cxgb4: avoid crash on PCI error recovery path (Gustavo Duarte) [1489872 1456990] - [scsi] Add STARGET_CREATED_REMOVE state to scsi_target_state (Ewan Milne) [1489814 1468727] - [net] tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Davide Caratti) [1488341 1487061] {CVE-2017-14106} - [net] tcp: fix 0 divide in __tcp_select_window() (Davide Caratti) [1488341 1487061] {CVE-2017-14106} - [net] sctp: Avoid out-of-bounds reads from address storage (Stefano Brivio) [1484356 1484355] {CVE-2017-7558} - [net] udp: consistently apply ufo or fragmentation (Davide Caratti) [1481530 1481535] {CVE-2017-1000112} - [net] udp: account for current skb length when deciding about UFO (Davide Caratti) [1481530 1481535] {CVE-2017-1000112} - [net] ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output (Davide Caratti) [1481530 1481535] {CVE-2017-1000112} - [net] udp: avoid ufo handling on IP payload compression packets (Stefano Brivio) [1490263 1464161] - [pci] hv: Use vPCI protocol version 1.2 (Vitaly Kuznetsov) [1478256 1459202] - [pci] hv: Add vPCI version protocol negotiation (Vitaly Kuznetsov) [1478256 1459202] - [pci] hv: Use page allocation for hbus structure (Vitaly Kuznetsov) [1478256 1459202] - [pci] hv: Fix comment formatting and use proper integer fields (Vitaly Kuznetsov) [1478256 1459202] - [net] ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() (Stefano Brivio) [1477007 1477010] {CVE-2017-7542} - [net] ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [1477007 1477010] {CVE-2017-7542} - [net] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (Hannes Frederic Sowa) [1435672 1435670] {CVE-2017-7184} - [net] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window (Hannes Frederic Sowa) [1435672 1435670] {CVE-2017-7184} - [net] l2cap: prevent stack overflow on incoming bluetooth packet (Neil Horman) [1489788 1489789] {CVE-2017-1000251} [3.10.0-693.4.1.el7] - [fs] nfsv4: Add missing nfs_put_lock_context() (Benjamin Coddington) [1487271 1476826] - [fs] nfs: discard nfs_lockowner structure (Benjamin Coddington) [1487271 1476826] - [fs] nfsv4: enhance nfs4_copy_lock_stateid to use a flock stateid if there is one (Benjamin Coddington) [1487271 1476826] - [fs] nfsv4: change nfs4_select_rw_stateid to take a lock_context inplace of lock_owner (Benjamin Coddington) [1487271 1476826] - [fs] nfsv4: change nfs4_do_setattr to take an open_context instead of a nfs4_state (Benjamin Coddington) [1487271 1476826] - [fs] nfsv4: add flock_owner to open context (Benjamin Coddington) [1487271 1476826] - [fs] nfs: remove l_pid field from nfs_lockowner (Benjamin Coddington) [1487271 1476826] - [x86] platform/uv/bau: Disable BAU on single hub configurations (Frank Ramsay) [1487159 1487160 1472455 1473353] - [x86] platform/uv/bau: Fix congested_response_us not taking effect (Frank Ramsay) [1487159 1472455] - [fs] cifs: Disable encryption capability for RHEL 7.4 kernel (Sachin Prabhu) [1485445 1485445] - [fs] sunrpc: Handle EADDRNOTAVAIL on connection failures (Dave Wysochanski) [1484269 1479043] - [fs] include/linux/printk.h: include pr_fmt in pr_debug_ratelimited (Sachin Prabhu) [1484267 1472823] - [fs] printk: pr_debug_ratelimited: check state first to reduce 'callbacks suppressed' messages (Sachin Prabhu) [1484267 1472823] - [net] packet: fix tp_reserve race in packet_set_ring (Stefano Brivio) [1481938 1481940] {CVE-2017-1000111} - [fs] proc: revert /proc//maps [stack:TID] annotation (Waiman Long) [1481724 1448534] - [net] ping: check minimum size on ICMP header length (Matteo Croce) [1481578 1481573] {CVE-2016-8399} - [ipc] mqueue: fix a use-after-free in sys_mq_notify() (Davide Caratti) [1476128 1476126] {CVE-2017-11176} - [netdrv] brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (Stanislaw Gruszka) [1474778 1474784] {CVE-2017-7541} [3.10.0-693.3.1.el7] - [block] blk-mq-tag: fix wakeup hang after tag resize (Ming Lei) [1487281 1472434]
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 104088
    published 2017-10-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104088
    title Oracle Linux 7 : kernel (ELSA-2017-2930-1) (BlueBorne)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2791-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_60 fixes several issues. The following security bugs were fixed : - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call (bsc#1045327). - CVE-2017-1000112: Updated patch for this issue to be in sync with the other livepatches. Description of the issue: Prevent race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368, bsc#1052311). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1042892). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bsc#1038564). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 104030
    published 2017-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104030
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2791-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2775-1.NASL
    description This update for the Linux Kernel 3.12.61-52_92 fixes several issues. The following security bugs were fixed : - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call (bsc#1045327). - CVE-2017-1000112: Updated patch for this issue to be in sync with the other livepatches. Description of the issue: Prevent race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368, bsc#1052311). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1042892). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem allowed remote attackers to cause a denial of service (system crash) via a long RPC reply (bsc#1046191). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 104015
    published 2017-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104015
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2775-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3384-2.NASL
    description USN-3384-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. (CVE-2017-1000112) Andrey Konovalov discovered a race condition in AF_PACKET socket option handling code in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-1000111). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 102419
    published 2017-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102419
    title Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3384-2)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2017-072.NASL
    description According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. - Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 102592
    published 2017-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102592
    title Virtuozzo 7 : readykernel-patch (VZA-2017-072)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2150-1.NASL
    description The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.74 to the following security updates : - CVE-2017-1000111: fix race condition in net-packet code that could be exploited to cause out-of-bounds memory access (bsc#1052365). - CVE-2017-1000112: fix race condition in net-packet code that could have been exploited by unprivileged users to gain root access. (bsc#1052311). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 102478
    published 2017-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102478
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2150-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0174.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0174 for details.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 105248
    published 2017-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105248
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0174) (BlueBorne) (Dirty COW) (Stack Clash)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2017-076.NASL
    description According to the versions of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. - Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing. - A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. - Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. - Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use after free) which may lead to memory corruption or other unspecified other impact. - The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 102922
    published 2017-09-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102922
    title Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2017-076)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2525-1.NASL
    description The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated receive various security and bugfixes. The following security bugs were fixed : - CVE-2016-5243: The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel did not properly copy a certain string, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#983212) - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415) - CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c (bsc#1030593). - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently could not ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003) - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914) - CVE-2017-5970: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a denial of service (system crash) via (1) an application that made crafted system calls or possibly (2) IPv4 traffic with invalid IP options (bsc#1024938) - CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bsc#1025235) - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024) - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722) - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly managed lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178) - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066) - CVE-2017-6951: The keyring_search_aux function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the 'dead' type (bsc#1029850). - CVE-2017-7184: The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size data after an XFRM_MSG_NEWAE update, which allowed local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability (bsc#1030573) - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213) - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052) - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440) - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579) - CVE-2017-7482: Several missing length checks ticket decode allowing for information leak or potentially code execution (bsc#1046107). - CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bsc#1038879). - CVE-2017-7533: Race condition in the fsnotify implementation in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions (bnc#1049483 1050677 ). - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bsc#1033336) - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability. This requires a malicious PCI Card. (bnc#1037994). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bsc#1038544). - CVE-2017-8924: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (bnc#1037182). - CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (bnc#1038981). - CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882). - CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bsc#1039883). - CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885). - CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bsc#1040069). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431). - CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152). - CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact (bnc#1048275). - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603). - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. (bnc#1053148). - CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588). - CVE-2017-1000112: Fixed a race condition in net-packet code that could have been exploited by unprivileged users to gain root access. (bsc#1052311). - CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary could have overflowed the parport_nr array in the following code (bnc#1039456). - CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation (bnc#1039354). - CVE-2017-1000380: sound/core/timer.c in the Linux kernel was vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time (bnc#1044125). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103354
    published 2017-09-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103354
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2017:2525-1) (Stack Clash)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3386-1.NASL
    description Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. (CVE-2017-1000112) Andrey Konovalov discovered a race condition in AF_PACKET socket option handling code in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-1000111). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 102422
    published 2017-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102422
    title Ubuntu 14.04 LTS : linux vulnerabilities (USN-3386-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3981.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks. - CVE-2017-7518 Andy Lutomirski discovered that KVM is prone to an incorrect debug exception (#DB) error occurring while emulating a syscall instruction. A process inside a guest can take advantage of this flaw for privilege escalation inside a guest. - CVE-2017-7558 (stretch only) Stefano Brivio of Red Hat discovered that the SCTP subsystem is prone to a data leak vulnerability due to an out-of-bounds read flaw, allowing to leak up to 100 uninitialized bytes to userspace. - CVE-2017-10661 (jessie only) Dmitry Vyukov of Google reported that the timerfd facility does not properly handle certain concurrent operations on a single file descriptor. This allows a local attacker to cause a denial of service or potentially execute arbitrary code. - CVE-2017-11600 Bo Zhang reported that the xfrm subsystem does not properly validate one of the parameters to a netlink message. Local users with the CAP_NET_ADMIN capability can use this to cause a denial of service or potentially to execute arbitrary code. - CVE-2017-12134 / #866511 / XSA-229 Jan H. Schoenherr of Amazon discovered that when Linux is running in a Xen PV domain on an x86 system, it may incorrectly merge block I/O requests. A buggy or malicious guest may trigger this bug in dom0 or a PV driver domain, causing a denial of service or potentially execution of arbitrary code. This issue can be mitigated by disabling merges on the underlying back-end block devices, e.g.:echo 2 > /sys/block/nvme0n1/queue/nomerges - CVE-2017-12146 (stretch only) Adrian Salido of Google reported a race condition in access to the'driver_override' attribute for platform devices in sysfs. If unprivileged users are permitted to access this attribute, this might allow them to gain privileges. - CVE-2017-12153 Bo Zhang reported that the cfg80211 (wifi) subsystem does not properly validate the parameters to a netlink message. Local users with the CAP_NET_ADMIN capability (in any user namespace with a wifi device) can use this to cause a denial of service. - CVE-2017-12154 Jim Mattson of Google reported that the KVM implementation for Intel x86 processors did not correctly handle certain nested hypervisor configurations. A malicious guest (or nested guest in a suitable L1 hypervisor) could use this for denial of service. - CVE-2017-14106 Andrey Konovalov discovered that a user-triggerable division by zero in the tcp_disconnect() function could result in local denial of service. - CVE-2017-14140 Otto Ebeling reported that the move_pages() system call performed insufficient validation of the UIDs of the calling and target processes, resulting in a partial ASLR bypass. This made it easier for local users to exploit vulnerabilities in programs installed with the set-UID permission bit set. - CVE-2017-14156 'sohu0106' reported an information leak in the atyfb video driver. A local user with access to a framebuffer device handled by this driver could use this to obtain sensitive information. - CVE-2017-14340 Richard Wareing discovered that the XFS implementation allows the creation of files with the 'realtime' flag on a filesystem with no realtime device, which can result in a crash (oops). A local user with access to an XFS filesystem that does not have a realtime device can use this for denial of service. - CVE-2017-14489 ChunYu Wang of Red Hat discovered that the iSCSI subsystem does not properly validate the length of a netlink message, leading to memory corruption. A local user with permission to manage iSCSI devices can use this for denial of service or possibly to execute arbitrary code. - CVE-2017-14497 (stretch only) Benjamin Poirier of SUSE reported that vnet headers are not properly handled within the tpacket_rcv() function in the raw packet (af_packet) feature. A local user with the CAP_NET_RAW capability can take advantage of this flaw to cause a denial of service (buffer overflow, and disk and memory corruption) or have other impact. - CVE-2017-1000111 Andrey Konovalov of Google reported a race condition in the raw packet (af_packet) feature. Local users with the CAP_NET_RAW capability can use this for denial of service or possibly to execute arbitrary code. - CVE-2017-1000112 Andrey Konovalov of Google reported a race condition flaw in the UDP Fragmentation Offload (UFO) code. A local user can use this flaw for denial of service or possibly to execute arbitrary code. - CVE-2017-1000251 / #875881 Armis Labs discovered that the Bluetooth subsystem does not properly validate L2CAP configuration responses, leading to a stack-based buffer overflow. This is one of several vulnerabilities dubbed 'Blueborne'. A nearby attacker can use this to cause a denial of service or possibly to execute arbitrary code on a system with Bluetooth enabled. - CVE-2017-1000252 (stretch only) Jan H. Schoenherr of Amazon reported that the KVM implementation for Intel x86 processors did not correctly validate interrupt injection requests. A local user with permission to use KVM could use this for denial of service. - CVE-2017-1000370 The Qualys Research Labs reported that a large argument or environment list can result in ASLR bypass for 32-bit PIE binaries. - CVE-2017-1000371 The Qualys Research Labs reported that a large argument or environment list can result in a stack/heap clash for 32-bit PIE binaries. - CVE-2017-1000380 Alexander Potapenko of Google reported a race condition in the ALSA (sound) timer driver, leading to an information leak. A local user with permission to access sound devices could use this to obtain sensitive information. Debian disables unprivileged user namespaces by default, but if they are enabled (via the kernel.unprivileged_userns_clone sysctl) then CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited by any local user.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 103365
    published 2017-09-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103365
    title Debian DSA-3981-1 : linux - security update (BlueBorne) (Stack Clash)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2497-1.NASL
    description This update for the Linux Kernel 3.12.61-52_83 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a long RPC reply (bsc#1046191). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1042892). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103293
    published 2017-09-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103293
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2497-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-2930.NASL
    description From Red Hat Security Advisory 2017:2930 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important) * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) * A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399, Moderate) * Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) * An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) * A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate) * The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176, Moderate) * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112. The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat). Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/node/3212921.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 104001
    published 2017-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104001
    title Oracle Linux 7 : kernel (ELSA-2017-2930)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2447-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_51 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1038564, bsc#1042892). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bsc#1038564). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103213
    published 2017-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103213
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2447-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2508-1.NASL
    description This update for the Linux Kernel 3.12.60-52_60 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103298
    published 2017-09-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103298
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2508-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2510-1.NASL
    description This update for the Linux Kernel 3.12.61-52_66 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103300
    published 2017-09-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103300
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2510-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3635.NASL
    description Description of changes: [4.1.12-103.9.2.el7uek] - Revert 'drivers/char/mem.c: deny access in open operation when securelevel is set' (Brian Maly) [Orabug: 27037811] [4.1.12-103.9.1.el7uek] - xfs: use dedicated log worker wq to avoid deadlock with cil wq (Brian Foster) [Orabug: 27013241] - scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (Xin Long) [Orabug: 26988633] {CVE-2017-14489} - nvme: honor RTD3 Entry Latency for shutdowns (Martin K. Petersen) [Orabug: 26999097] - ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27013220] {CVE-2017-7542} - udp: consistently apply ufo or fragmentation (Willem de Bruijn) [Orabug: 27013227] {CVE-2017-1000112} - drivers/char/mem.c: deny access in open operation when securelevel is set (Ethan Zhao) [Orabug: 26943884] [4.1.12-103.8.1.el7uek] - tcp: fix tcp_mark_head_lost to check skb len before fragmenting (Neal Cardwell) [Orabug: 26923675] - timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899775] {CVE-2017-10661} - kvm: nVMX: Don't allow L2 to access the hardware CR8 (Jim Mattson) {CVE-2017-12154} {CVE-2017-12154} - brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (Tim Tianyang Chen) [Orabug: 26880590] {CVE-2017-7541} - crypto: ahash - Fix EINPROGRESS notification callback (Herbert Xu) [Orabug: 26916575] {CVE-2017-7618} - ovl: use O_LARGEFILE in ovl_copy_up() (David Howells) [Orabug: 25953280] - rxrpc: Fix several cases where a padded len isn't checked in ticket decode (David Howells) [Orabug: 26880508] {CVE-2017-7482} {CVE-2017-7482} - tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Wei Wang) [Orabug: 26813385] {CVE-2017-14106}
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 104369
    published 2017-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104369
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3635)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2437-1.NASL
    description This update for the Linux Kernel 3.12.69-60_64_29 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103182
    published 2017-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103182
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2437-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2438-1.NASL
    description This update for the Linux Kernel 3.12.62-60_64_8 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103183
    published 2017-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103183
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2438-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3200.NASL
    description From Red Hat Security Advisory 2017:3200 : An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) Red Hat would like to thank Willem de Bruijn for reporting CVE-2017-1000111 and Andrey Konovalov for reporting CVE-2017-1000112. Bug Fix(es) : * When the operating system was booted with Red Hat Enterprise Virtualization, and the eh_deadline sysfs parameter was set to 10s, the Storage Area Network (SAN) issues caused eh_deadline to trigger with no handler. Consequently, a kernel panic occurred. This update fixes the lpfc driver, thus preventing the kernel panic under described circumstances. (BZ #1487220) * When an NFS server returned the NFS4ERR_BAD_SEQID error to an OPEN request, the open-owner was removed from the state_owners rbtree. Consequently, NFS4 client infinite loop that required a reboot to recover occurred. This update changes NFS4ERR_BAD_SEQID handling to leave the open-owner in the state_owners rbtree by updating the create_time parameter so that it looks like a new open-owner. As a result, an NFS4 client is now able to recover without falling into the infinite recovery loop after receiving NFS4ERR_BAD_SEQID. (BZ#1491123) * If an NFS client attempted to mount NFSv3 shares from an NFS server exported directly to the client's IP address, and this NFS client had already mounted other shares that originated from the same server but were exported to the subnetwork which this client was part of, the auth.unix.ip cache expiration was not handled correctly. Consequently, the client received the 'stale file handle' errors when trying to mount the share. This update fixes handling of the cache expiration, and the NFSv3 shares now mount as expected without producing the 'stale file handle' errors. (BZ #1497976) * When running a script that raised the tx ring count to its maximum value supported by the Solarflare Network Interface Controller (NIC) driver, the EF10 family NICs allowed the settings exceeding the hardware's capability. Consequently, the Solarflare hardware became unusable with Red Hat Entepripse Linux 6. This update fixes the sfc driver, so that the tx ring can have maximum 2048 entries for all EF10 NICs. As a result, the Solarflare hardware no longer becomes unusable with Red Hat Entepripse Linux 6 due to this bug. (BZ#1498019)
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 104617
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104617
    title Oracle Linux 6 : kernel (ELSA-2017-3200)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-3200.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) Red Hat would like to thank Willem de Bruijn for reporting CVE-2017-1000111 and Andrey Konovalov for reporting CVE-2017-1000112. Bug Fix(es) : * When the operating system was booted with Red Hat Enterprise Virtualization, and the eh_deadline sysfs parameter was set to 10s, the Storage Area Network (SAN) issues caused eh_deadline to trigger with no handler. Consequently, a kernel panic occurred. This update fixes the lpfc driver, thus preventing the kernel panic under described circumstances. (BZ #1487220) * When an NFS server returned the NFS4ERR_BAD_SEQID error to an OPEN request, the open-owner was removed from the state_owners rbtree. Consequently, NFS4 client infinite loop that required a reboot to recover occurred. This update changes NFS4ERR_BAD_SEQID handling to leave the open-owner in the state_owners rbtree by updating the create_time parameter so that it looks like a new open-owner. As a result, an NFS4 client is now able to recover without falling into the infinite recovery loop after receiving NFS4ERR_BAD_SEQID. (BZ#1491123) * If an NFS client attempted to mount NFSv3 shares from an NFS server exported directly to the client's IP address, and this NFS client had already mounted other shares that originated from the same server but were exported to the subnetwork which this client was part of, the auth.unix.ip cache expiration was not handled correctly. Consequently, the client received the 'stale file handle' errors when trying to mount the share. This update fixes handling of the cache expiration, and the NFSv3 shares now mount as expected without producing the 'stale file handle' errors. (BZ #1497976) * When running a script that raised the tx ring count to its maximum value supported by the Solarflare Network Interface Controller (NIC) driver, the EF10 family NICs allowed the settings exceeding the hardware's capability. Consequently, the Solarflare hardware became unusable with Red Hat Entepripse Linux 6. This update fixes the sfc driver, so that the tx ring can have maximum 2048 entries for all EF10 NICs. As a result, the Solarflare hardware no longer becomes unusable with Red Hat Entepripse Linux 6 due to this bug. (BZ#1498019)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104566
    published 2017-11-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104566
    title RHEL 6 : kernel (RHSA-2017:3200)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-4336D64E21.NASL
    description The 4.12.8 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 102717
    published 2017-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102717
    title Fedora 26 : kernel (2017-4336d64e21)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-930.NASL
    description The openSUSE Leap 42.3 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000111: Fixed a race condition in net-packet code that could be exploited to cause out-of-bounds memory access (bsc#1052365). - CVE-2017-1000112: Fixed a race condition in net-packet code that could have been exploited by unprivileged users to gain root access. (bsc#1052311). - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994). The following non-security bugs were fixed : - acpi/nfit: Add support of NVDIMM memory error notification in ACPI 6.2 (bsc#1052325). - acpi/nfit: Issue Start ARS to retrieve existing records (bsc#1052325). - bcache: force trigger gc (bsc#1038078). - bcache: only recovery I/O error for writethrough mode (bsc#1043652). - block: do not allow updates through sysfs until registration completes (bsc#1047027). - config: disable CONFIG_RT_GROUP_SCHED (bsc#1052204). - drivers: hv: : As a bandaid, increase HV_UTIL_TIMEOUT from 30 to 60 seconds (bnc#1039153) - drivers: hv: Fix a typo (fate#320485). - drivers: hv: util: Make hv_poll_channel() a little more efficient (fate#320485). - drivers: hv: vmbus: Close timing hole that can corrupt per-cpu page (fate#320485). - drivers: hv: vmbus: Fix error code returned by vmbus_post_msg() (fate#320485). - Fix kABI breakage with CONFIG_RT_GROUP_SCHED=n (bsc#1052204). - hv_netvsc: change netvsc device default duplex to FULL (fate#320485). - hv_netvsc: Fix the carrier state error when data path is off (fate#320485). - hv_netvsc: Remove unnecessary var link_state from struct netvsc_device_info (fate#320485). - hyperv: fix warning about missing prototype (fate#320485). - hyperv: netvsc: Neaten netvsc_send_pkt by using a temporary (fate#320485). - hyperv: remove unnecessary return variable (fate#320485). - i40e/i40evf: Fix use after free in Rx cleanup path (bsc#1051689). - IB/hfi1: Wait for QSFP modules to initialize (bsc#1019151). - ibmvnic: Check for transport event on driver resume (bsc#1051556, bsc#1052709). - ibmvnic: Initialize SCRQ's during login renegotiation (bsc#1052223). - ibmvnic: Report rx buffer return codes as netdev_dbg (bsc#1052794). - iommu/amd: Enable ga_log_intr when enabling guest_mode (bsc1052533). - iommu/amd: Fix schedule-while-atomic BUG in initialization code (bsc1052533). - KABI protect struct acpi_nfit_desc (bsc#1052325). - kabi/severities: add drivers/scsi/hisi_sas to kabi severities - libnvdimm: fix badblock range handling of ARS range (bsc#1023175). - libnvdimm, pmem: fix a NULL pointer BUG in nd_pmem_notify (bsc#1023175). - net: add netdev_lockdep_set_classes() helper (fate#320485). - net: hyperv: use new api ethtool_{get|set}_link_ksettings (fate#320485). - net/mlx4_core: Fixes missing capability bit in flags2 capability dump (bsc#1015337). - net/mlx4_core: Fix namespace misalignment in QinQ VST support commit (bsc#1015337). - net/mlx4_core: Fix sl_to_vl_change bit offset in flags2 dump (bsc#1015337). - netsvc: Remove upstream commit e14b4db7a567 netvsc: fix race during initialization will be replaced by following changes - netsvc: Revert 'netvsc: optimize calculation of number of slots' (fate#320485). - netvsc: add comments about callback's and NAPI (fate#320485). - netvsc: Add #include's for csum_* function declarations (fate#320485). - netvsc: add rtnl annotations in rndis (fate#320485). - netvsc: add some rtnl_dereference annotations (fate#320485). - netvsc: avoid race with callback (fate#320485). - netvsc: change logic for change mtu and set_queues (fate#320485). - netvsc: change max channel calculation (fate#320485). - netvsc: change order of steps in setting queues (fate#320485). - netvsc: Deal with rescinded channels correctly (fate#320485). - netvsc: do not access netdev->num_rx_queues directly (fate#320485). - netvsc: do not overload variable in same function (fate#320485). - netvsc: do not print pointer value in error message (fate#320485). - netvsc: eliminate unnecessary skb == NULL checks (fate#320485). - netvsc: enable GRO (fate#320485). - netvsc: Fix a bug in sub-channel handling (fate#320485). - netvsc: fix and cleanup rndis_filter_set_packet_filter (fate#320485). - netvsc: fix calculation of available send sections (fate#320485). - netvsc: fix dereference before null check errors (fate#320485). - netvsc: fix error unwind on device setup failure (fate#320485). - netvsc: fix hang on netvsc module removal (fate#320485). - netvsc: fix NAPI performance regression (fate#320485). - netvsc: fix net poll mode (fate#320485). - netvsc: fix netvsc_set_channels (fate#320485). - netvsc: fix ptr_ret.cocci warnings (fate#320485). - netvsc: fix rcu dereference warning from ethtool (fate#320485). - netvsc: fix RCU warning in get_stats (fate#320485). - netvsc: fix return value for set_channels (fate#320485). - netvsc: fix rtnl deadlock on unregister of vf (fate#320485, bsc#1052442). - netvsc: fix use after free on module removal (fate#320485). - netvsc: fix warnings reported by lockdep (fate#320485). - netvsc: fold in get_outbound_net_device (fate#320485). - netvsc: force link update after MTU change (fate#320485). - netvsc: handle offline mtu and channel change (fate#320485). - netvsc: implement NAPI (fate#320485). - netvsc: include rtnetlink.h (fate#320485). - netvsc: Initialize all channel related state prior to opening the channel (fate#320485). - netvsc: make sure and unregister datapath (fate#320485, bsc#1052899). - netvsc: make sure napi enabled before vmbus_open (fate#320485). - netvsc: mark error cases as unlikely (fate#320485). - netvsc: move filter setting to rndis_device (fate#320485). - netvsc: need napi scheduled during removal (fate#320485). - netvsc: need rcu_derefence when accessing internal device info (fate#320485). - netvsc: optimize calculation of number of slots (fate#320485). - netvsc: optimize receive completions (fate#320485). - netvsc: pass net_device to netvsc_init_buf and netvsc_connect_vsp (fate#320485). - netvsc: prefetch the first incoming ring element (fate#320485). - netvsc: Properly initialize the return value (fate#320485). - netvsc: remove bogus rtnl_unlock (fate#320485). - netvsc: remove no longer used max_num_rss queues (fate#320485). - netvsc: Remove redundant use of ipv6_hdr() (fate#320485). - netvsc: remove unnecessary indirection of page_buffer (fate#320485). - netvsc: remove unnecessary lock on shutdown (fate#320485). - netvsc: remove unused #define (fate#320485). - netvsc: replace netdev_alloc_skb_ip_align with napi_alloc_skb (fate#320485). - netvsc: save pointer to parent netvsc_device in channel table (fate#320485). - netvsc: signal host if receive ring is emptied (fate#320485). - netvsc: transparent VF management (fate#320485, bsc#1051979). - netvsc: use ERR_PTR to avoid dereference issues (fate#320485). - netvsc: use hv_get_bytes_to_read (fate#320485). - netvsc: use napi_consume_skb (fate#320485). - netvsc: use RCU to protect inner device structure (fate#320485). - netvsc: uses RCU instead of removal flag (fate#320485). - netvsc: use typed pointer for internal state (fate#320485). - nvme: fabrics commands should use the fctype field for data direction (bsc#1043805). - powerpc/perf: Fix SDAR_MODE value for continous sampling on Power9 (bsc#1053043 (git-fixes)). - powerpc/tm: Fix saving of TM SPRs in core dump (fate#318470, git-fixes 08e1c01d6aed). - qeth: fix L3 next-hop im xmit qeth hdr (bnc#1052773, LTC#157374). - rdma/bnxt_re: checking for NULL instead of IS_ERR() (bsc#1052925). - scsi: aacraid: fix PCI error recovery path (bsc#1048912). - scsi_devinfo: fixup string compare (bsc#1037404). - scsi_dh_alua: suppress errors from unsupported devices (bsc#1038792). - scsi: hisi_sas: add pci_dev in hisi_hba struct (bsc#1049298). - scsi: hisi_sas: add v2 hw internal abort timeout workaround (bsc#1049298). - scsi: hisi_sas: controller reset for multi-bits ECC and AXI fatal errors (bsc#1049298). - scsi: hisi_sas: fix NULL deference when TMF timeouts (bsc#1049298). - scsi: hisi_sas: fix timeout check in hisi_sas_internal_task_abort() (bsc#1049298). - scsi: hisi_sas: optimise DMA slot memory (bsc#1049298). - scsi: hisi_sas: optimise the usage of hisi_hba.lock (bsc#1049298). - scsi: hisi_sas: relocate get_ata_protocol() (bsc#1049298). - scsi: hisi_sas: workaround a SoC SATA IO processing bug (bsc#1049298). - scsi: hisi_sas: workaround SoC about abort timeout bug (bsc#1049298). - scsi: hisi_sas: workaround STP link SoC bug (bsc#1049298). - scsi: lpfc: do not double count abort errors (bsc#1048912). - scsi: lpfc: fix linking against modular NVMe support (bsc#1048912). - scsi: qedi: Fix return code in qedi_ep_connect() (bsc#1048912). - scsi: storvsc: Prefer kcalloc over kzalloc with multiply (fate#320485). - scsi: storvsc: remove return at end of void function (fate#320485). - tools: hv: Add clean up for included files in Ubuntu net config (fate#320485). - tools: hv: Add clean up function for Ubuntu config (fate#320485). - tools: hv: properly handle long paths (fate#320485). - tools: hv: set allow-hotplug for VF on Ubuntu (fate#320485). - tools: hv: set hotplug for VF on Suse (fate#320485). - tools: hv: vss: Thaw the filesystem and continue if freeze call has timed out (fate#320485). - vfs: fix missing inode_get_dev sites (bsc#1052049). - vmbus: cleanup header file style (fate#320485). - vmbus: expose debug info for drivers (fate#320485). - vmbus: fix spelling errors (fate#320485). - vmbus: introduce in-place packet iterator (fate#320485). - vmbus: only reschedule tasklet if time limit exceeded (fate#320485). - vmbus: re-enable channel tasklet (fate#320485). - vmbus: remove unnecessary initialization (fate#320485). - vmbus: remove useless return's (fate#320485). - x86/dmi: Switch dmi_remap() from ioremap() to ioremap_cache() (bsc#1051399). - x86/hyperv: Check frequency MSRs presence according to the specification (fate#320485). - The package release number was increased to be higher than the Leap 42.2 package (boo#1053531).
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 102510
    published 2017-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102510
    title openSUSE Security Update : the Linux Kernel (openSUSE-2017-930)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2131-1.NASL
    description The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.74 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000111: fix race condition in net-packet code that could be exploited to cause out-of-bounds memory access (bsc#1052365). - CVE-2017-1000112: fix race condition in net-packet code that could have been exploited by unprivileged users to gain root access. (bsc#1052311). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 102415
    published 2017-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102415
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2131-1)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2017-073.NASL
    description According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. - Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 102593
    published 2017-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102593
    title Virtuozzo 7 : readykernel-patch (VZA-2017-073)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-2930.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important) * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) * A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399, Moderate) * Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) * An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) * A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate) * The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176, Moderate) * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112. The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat). Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/node/3212921.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104106
    published 2017-10-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104106
    title CentOS 7 : kernel (CESA-2017:2930)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0167.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Revert 'drivers/char/mem.c: deny access in open operation when securelevel is set' (Brian Maly) [Orabug: 27037811] - xfs: use dedicated log worker wq to avoid deadlock with cil wq (Brian Foster) [Orabug: 27013241] - scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (Xin Long) [Orabug: 26988633] (CVE-2017-14489) - nvme: honor RTD3 Entry Latency for shutdowns (Martin K. Petersen) - ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27013220] (CVE-2017-7542) - udp: consistently apply ufo or fragmentation (Willem de Bruijn) [Orabug: 27013227] (CVE-2017-1000112) - drivers/char/mem.c: deny access in open operation when securelevel is set (Ethan Zhao) [Orabug: 26943884] - tcp: fix tcp_mark_head_lost to check skb len before fragmenting (Neal Cardwell) [Orabug: 26923675] - timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899775] (CVE-2017-10661) - kvm: nVMX: Don't allow L2 to access the hardware CR8 (Jim Mattson) (CVE-2017-12154) (CVE-2017-12154) - brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx (Tim Tianyang Chen) [Orabug: 26880590] (CVE-2017-7541) - crypto: ahash - Fix EINPROGRESS notification callback (Herbert Xu) [Orabug: 26916575] (CVE-2017-7618) - ovl: use O_LARGEFILE in ovl_copy_up (David Howells) [Orabug: 25953280] - rxrpc: Fix several cases where a padded len isn't checked in ticket decode (David Howells) [Orabug: 26880508] (CVE-2017-7482) (CVE-2017-7482) - tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Wei Wang) [Orabug: 26813385] (CVE-2017-14106)
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 104453
    published 2017-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104453
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0167)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2930.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important) * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) * A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399, Moderate) * Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) * An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) * A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate) * The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176, Moderate) * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112. The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat). Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/node/3212921.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104003
    published 2017-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104003
    title RHEL 7 : kernel (RHSA-2017:2930)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2918.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important) * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) * Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) * An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) * A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate) * The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176, Moderate) * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) * A flaw was found where the XFS filesystem code mishandles a user-settable inode flag in the Linux kernel prior to 4.14-rc1. This can cause a local denial of service via a kernel panic. (CVE-2017-14340, Moderate) Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112. The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat) and the CVE-2017-14340 issue was discovered by Dave Chinner (Red Hat). Bug Fix(es) : * kernel-rt packages have been upgraded to the 3.10.0-693.5.2 source tree, which provides number of bug fixes over the previous version. (BZ#1489085)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104090
    published 2017-10-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104090
    title RHEL 6 : MRG (RHSA-2017:2918)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2439-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_45 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103184
    published 2017-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103184
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2439-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0163.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27011255] (CVE-2017-7542) - udp: consistently apply ufo or fragmentation (Willem de Bruijn) [Orabug: 26921320] (CVE-2017-1000112)
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 104202
    published 2017-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104202
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0163)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-929.NASL
    description The openSUSE Leap 42.2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000111: Fixed a race condition in net-packet code that could be exploited to cause out-of-bounds memory access (bsc#1052365). - CVE-2017-1000112: Fixed a race condition in net-packet code that could have been exploited by unprivileged users to gain root access. (bsc#1052311). - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994). The following non-security bugs were fixed : - IB/hfi1: Wait for QSFP modules to initialize (bsc#1019151). - bcache: force trigger gc (bsc#1038078). - bcache: only recovery I/O error for writethrough mode (bsc#1043652). - block: do not allow updates through sysfs until registration completes (bsc#1047027). - ibmvnic: Check for transport event on driver resume (bsc#1051556, bsc#1052709). - ibmvnic: Initialize SCRQ's during login renegotiation (bsc#1052223). - ibmvnic: Report rx buffer return codes as netdev_dbg (bsc#1052794). - iommu/amd: Fix schedule-while-atomic BUG in initialization code (bsc1052533). - libnvdimm, pmem: fix a NULL pointer BUG in nd_pmem_notify (bsc#1023175). - libnvdimm: fix badblock range handling of ARS range (bsc#1023175). - qeth: fix L3 next-hop im xmit qeth hdr (bnc#1052773, LTC#157374). - scsi_devinfo: fixup string compare (bsc#1037404). - scsi_dh_alua: suppress errors from unsupported devices (bsc#1038792). - vfs: fix missing inode_get_dev sites (bsc#1052049). - x86/dmi: Switch dmi_remap() from ioremap() to ioremap_cache() (bsc#1051399).
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 102509
    published 2017-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102509
    title openSUSE Security Update : the Linux Kernel (openSUSE-2017-929)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2142-1.NASL
    description The SUSE Linux Enterprise 12 kernel was updated to 3.12.61 to the following security updates : - CVE-2017-1000111: fix race condition in net-packet code that could be exploited to cause out-of-bounds memory access (bsc#1052365). - CVE-2017-1000112: fix race condition in net-packet code that could have been exploited by unprivileged users to gain root access. (bsc#1052311). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 102475
    published 2017-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102475
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2142-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-868.NASL
    description Exploitable memory corruption due to UFO to non-UFO path switch (CVE-2017-1000112) heap out-of-bounds in AF_PACKET sockets (CVE-2017-1000111) The mq_notify function in the Linux kernel does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176 )
    last seen 2019-02-21
    modified 2018-08-31
    plugin id 102367
    published 2017-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102367
    title Amazon Linux AMI : kernel (ALAS-2017-868)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3631.NASL
    description Description of changes: [4.1.12-103.7.4.el7uek] - ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27011255] {CVE-2017-7542} - udp: consistently apply ufo or fragmentation (Willem de Bruijn) [Orabug: 26921320] {CVE-2017-1000112}
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 104167
    published 2017-10-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104167
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3631)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3659.NASL
    description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 105247
    published 2017-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105247
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3659) (BlueBorne) (Dirty COW) (Stack Clash)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-73F71456D7.NASL
    description The 4.12.8 stable kernel update contains a number of important fixes across the tree. ---- The 4.12.5 kernel rebase contains new features and many bug fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 102718
    published 2017-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102718
    title Fedora 25 : kernel (2017-73f71456d7)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2423-1.NASL
    description This update for the Linux Kernel 3.12.67-60_64_24 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103179
    published 2017-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103179
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2423-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2509-1.NASL
    description This update for the Linux Kernel 3.12.60-52_57 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103299
    published 2017-09-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103299
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2509-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-4071.NASL
    description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 109156
    published 2018-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109156
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4071) (Dirty COW) (Meltdown) (Spectre)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2436-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_40 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103181
    published 2017-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103181
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2436-1)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0029_LINUX.NASL
    description An update of the linux package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121724
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121724
    title Photon OS 1.0: Linux PHSA-2017-0029
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2500-1.NASL
    description This update for the Linux Kernel 3.12.61-52_80 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103296
    published 2017-09-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103296
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2500-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20171019_KERNEL_ON_SL7_X.NASL
    description Security Fix(es) : - Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important) - A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) - An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) - A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399, Moderate) - Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) - An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) - A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate) - The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user- space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176, Moderate) - A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 104008
    published 2017-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104008
    title Scientific Linux Security Update : kernel on SL7.x x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2931.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important) * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) * A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399, Moderate) * Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) * An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) * A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate) * The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176, Moderate) * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112. The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat). Bug Fix(es) : * The kernel-rt packages have been upgraded to the 3.10.0-693.5.2 source tree, which provides number of bug fixes over the previous version. (BZ# 1489084)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104004
    published 2017-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104004
    title RHEL 7 : kernel-rt (RHSA-2017:2931)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2018-0035.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0035 for details.
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 109158
    published 2018-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109158
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0035) (Dirty COW) (Meltdown) (Spectre)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20171115_KERNEL_ON_SL6_X.NASL
    description Security Fix(es) : - A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) - An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) - A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) Bug Fix(es) : - When the operating system was booted with RHEV/oVirt, and the eh_deadline sysfs parameter was set to 10s, the Storage Area Network (SAN) issues caused eh_deadline to trigger with no handler. Consequently, a kernel panic occurred. This update fixes the lpfc driver, thus preventing the kernel panic under described circumstances. - When an NFS server returned the NFS4ERR_BAD_SEQID error to an OPEN request, the open-owner was removed from the state_owners rbtree. Consequently, NFS4 client infinite loop that required a reboot to recover occurred. This update changes NFS4ERR_BAD_SEQID handling to leave the open-owner in the state_owners rbtree by updating the create_time parameter so that it looks like a new open-owner. As a result, an NFS4 client is now able to recover without falling into the infinite recovery loop after receiving NFS4ERR_BAD_SEQID. - If an NFS client attempted to mount NFSv3 shares from an NFS server exported directly to the client's IP address, and this NFS client had already mounted other shares that originated from the same server but were exported to the subnetwork which this client was part of, the auth.unix.ip cache expiration was not handled correctly. Consequently, the client received the 'stale file handle' errors when trying to mount the share. This update fixes handling of the cache expiration, and the NFSv3 shares now mount as expected without producing the 'stale file handle' errors. - When running a script that raised the tx ring count to its maximum value supported by the Solarflare Network Interface Controller (NIC) driver, the EF10 family NICs allowed the settings exceeding the hardware's capability. Consequently, the Solarflare hardware became unusable with Scientific Linux 6. This update fixes the sfc driver, so that the tx ring can have maximum 2048 entries for all EF10 NICs. As a result, the Solarflare hardware no longer becomes unusable.
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 104623
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104623
    title Scientific Linux Security Update : kernel on SL6.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3265-1.NASL
    description The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-16649: The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel allowed local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067085). - CVE-2017-16535: The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066700). - CVE-2017-15102: The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel allowed local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference (bnc#1066705). - CVE-2017-16531: drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor (bnc#1066671). - CVE-2017-16529: The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066650). - CVE-2017-16525: The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup (bnc#1066618). - CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066573). - CVE-2017-16536: The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066606). - CVE-2017-16527: sound/usb/mixer.c in the Linux kernel allowed local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066625). - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667). - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192 (bnc#1045327). - CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c (bnc#1062520). - CVE-2017-14489: The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel allowed local users to cause a denial of service (panic) by leveraging incorrect length validation (bnc#1059051). - CVE-2017-14340: The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux kernel did not verify that a filesystem has a realtime device, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory (bnc#1058524). - CVE-2017-14140: The move_pages system call in mm/migrate.c in the Linux kernel doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR (bnc#1057179). - CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588). - CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152). - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. (bnc#1053148). - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994). - CVE-2017-1000112: An exploitable memory corruption due to UFO to non-UFO path switch was fixed. (bnc#1052311 bnc#1052365). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 105172
    published 2017-12-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105172
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2017:3265-1) (KRACK)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-3200.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) Red Hat would like to thank Willem de Bruijn for reporting CVE-2017-1000111 and Andrey Konovalov for reporting CVE-2017-1000112. Bug Fix(es) : * When the operating system was booted with Red Hat Enterprise Virtualization, and the eh_deadline sysfs parameter was set to 10s, the Storage Area Network (SAN) issues caused eh_deadline to trigger with no handler. Consequently, a kernel panic occurred. This update fixes the lpfc driver, thus preventing the kernel panic under described circumstances. (BZ #1487220) * When an NFS server returned the NFS4ERR_BAD_SEQID error to an OPEN request, the open-owner was removed from the state_owners rbtree. Consequently, NFS4 client infinite loop that required a reboot to recover occurred. This update changes NFS4ERR_BAD_SEQID handling to leave the open-owner in the state_owners rbtree by updating the create_time parameter so that it looks like a new open-owner. As a result, an NFS4 client is now able to recover without falling into the infinite recovery loop after receiving NFS4ERR_BAD_SEQID. (BZ#1491123) * If an NFS client attempted to mount NFSv3 shares from an NFS server exported directly to the client's IP address, and this NFS client had already mounted other shares that originated from the same server but were exported to the subnetwork which this client was part of, the auth.unix.ip cache expiration was not handled correctly. Consequently, the client received the 'stale file handle' errors when trying to mount the share. This update fixes handling of the cache expiration, and the NFSv3 shares now mount as expected without producing the 'stale file handle' errors. (BZ #1497976) * When running a script that raised the tx ring count to its maximum value supported by the Solarflare Network Interface Controller (NIC) driver, the EF10 family NICs allowed the settings exceeding the hardware's capability. Consequently, the Solarflare hardware became unusable with Red Hat Entepripse Linux 6. This update fixes the sfc driver, so that the tx ring can have maximum 2048 entries for all EF10 NICs. As a result, the Solarflare hardware no longer becomes unusable with Red Hat Entepripse Linux 6 due to this bug. (BZ#1498019)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104583
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104583
    title CentOS 6 : kernel (CESA-2017:3200)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2475-1.NASL
    description This update for the Linux Kernel 3.12.61-52_86 fixes several issues. The following security bugs were fixed : - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1042892). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a long RPC reply (bsc#1046191). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103247
    published 2017-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103247
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2475-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2476-1.NASL
    description This update for the Linux Kernel 3.12.61-52_89 fixes several issues. The following security bugs were fixed : - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1042892). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a long RPC reply (bsc#1046191). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103248
    published 2017-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103248
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2476-1)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2017-071.NASL
    description According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. - Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 102591
    published 2017-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102591
    title Virtuozzo 7 : readykernel-patch (VZA-2017-071)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2440-1.NASL
    description This update for the Linux Kernel 3.12.69-60_64_32 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103185
    published 2017-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103185
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2440-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2506-1.NASL
    description This update for the Linux Kernel 3.12.60-52_63 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103297
    published 2017-09-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103297
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2506-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3385-1.NASL
    description Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. (CVE-2017-1000112) Andrey Konovalov discovered a race condition in AF_PACKET socket option handling code in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-1000111). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 102420
    published 2017-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102420
    title Ubuntu 16.04 LTS : linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities (USN-3385-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2499-1.NASL
    description This update for the Linux Kernel 3.12.61-52_77 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103295
    published 2017-09-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103295
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2499-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2424-1.NASL
    description This update for the Linux Kernel 3.12.67-60_64_21 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103180
    published 2017-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103180
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2424-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3385-2.NASL
    description USN-3385-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. (CVE-2017-1000112) Andrey Konovalov discovered a race condition in AF_PACKET socket option handling code in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-1000111). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 102421
    published 2017-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102421
    title Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3385-2)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2511-1.NASL
    description This update for the Linux Kernel 3.12.61-52_72 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103301
    published 2017-09-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103301
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2511-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2441-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_48 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103186
    published 2017-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103186
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2441-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2448-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_57 fixes several issues. The following security bugs were fixed : - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1038564, bsc#1042892). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bsc#1038564). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103214
    published 2017-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103214
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2448-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2286-1.NASL
    description The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.82 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000111: Fixed a race condition in net-packet code that could be exploited to cause out-of-bounds memory access (bsc#1052365). - CVE-2017-1000112: Fixed a race condition in net-packet code that could have been exploited by unprivileged users to gain root access. (bsc#1052311). - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994). - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603). - CVE-2017-7533: Race condition in the fsnotify implementation in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions (bnc#1049483 bnc#1050677). - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645). - CVE-2017-10810: Memory leak in the virtio_gpu_object_create function in drivers/gpu/drm/virtio/virtgpu_object.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering object-initialization failures (bnc#1047277). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 102838
    published 2017-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102838
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2286-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2446-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_54 fixes several issues. The following security bugs were fixed : - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1038564, bsc#1042892). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bsc#1038564). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103212
    published 2017-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103212
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2446-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2442-1.NASL
    description This update for the Linux Kernel 3.12.69-60_64_35 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103210
    published 2017-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103210
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2442-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3384-1.NASL
    description Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. (CVE-2017-1000112) Andrey Konovalov discovered a race condition in AF_PACKET socket option handling code in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-1000111). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 102418
    published 2017-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102418
    title Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3384-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2498-1.NASL
    description This update for the Linux Kernel 3.12.61-52_69 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103294
    published 2017-09-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103294
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2498-1)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1271.NASL
    description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested virtualisation is used, does not properly traverse guest pagetable entries to resolve a guest virtual address, which allows L1 guest OS users to execute arbitrary code on the host OS or cause a denial of service (incorrect index during page walking, and host OS crash), aka an MMU potential stack buffer overrun.(CVE-2017-12188) - A vulnerability was found in the Key Management sub component of the Linux kernel, where when trying to issue a KEYTCL_READ on negative key would lead to a NULL pointer dereference. A local attacker could use this flaw to crash the kernel.(CVE-2017-12192) - security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192.(CVE-2017-15274) - Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.(CVE-2017-1000111) - Use-after-free vulnerability in the Linux kernel before 4.14-rc5 allows local users to have unspecified impact via vectors related to /dev/snd/seq.(CVE-2017-15265) - net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.(CVE-2017-15649) - The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0.(CVE-2017-14991) - An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges.(CVE-2017-1000112) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 104296
    published 2017-11-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104296
    title EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1256.NASL
    description According to the version of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges.(CVE-2017-1000112) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 104281
    published 2017-11-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104281
    title EulerOS 2.0 SP2 : kernel (EulerOS-SA-2017-1256)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2443-1.NASL
    description This update for the Linux Kernel 3.12.67-60_64_18 fixes several issues. The following security bugs were fixed : - CVE-2017-1000112: Prevent a race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103211
    published 2017-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103211
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2443-1)
packetstorm via4
data source https://packetstormsecurity.com/files/download/148795/ufo_privilege_escalation.rb.txt
id PACKETSTORM:148795
last seen 2018-08-04
published 2018-08-03
reporter h00die
source https://packetstormsecurity.com/files/148795/Linux-Kernel-UDP-Fragmentation-Offset-UFO-Privilege-Escalation.html
title Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation
redhat via4
advisories
  • bugzilla
    id 1487295
    title CVE-2017-14106 kernel: Divide-by-zero in __tcp_select_window
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment kernel is earlier than 0:3.10.0-693.5.2.el7
          oval oval:com.redhat.rhsa:tst:20172930017
        • comment kernel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842006
      • AND
        • comment kernel-abi-whitelists is earlier than 0:3.10.0-693.5.2.el7
          oval oval:com.redhat.rhsa:tst:20172930005
        • comment kernel-abi-whitelists is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131645028
      • AND
        • comment kernel-bootwrapper is earlier than 0:3.10.0-693.5.2.el7
          oval oval:com.redhat.rhsa:tst:20172930033
        • comment kernel-bootwrapper is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842010
      • AND
        • comment kernel-debug is earlier than 0:3.10.0-693.5.2.el7
          oval oval:com.redhat.rhsa:tst:20172930021
        • comment kernel-debug is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842012
      • AND
        • comment kernel-debug-devel is earlier than 0:3.10.0-693.5.2.el7
          oval oval:com.redhat.rhsa:tst:20172930025
        • comment kernel-debug-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842014
      • AND
        • comment kernel-devel is earlier than 0:3.10.0-693.5.2.el7
          oval oval:com.redhat.rhsa:tst:20172930011
        • comment kernel-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842016
      • AND
        • comment kernel-doc is earlier than 0:3.10.0-693.5.2.el7
          oval oval:com.redhat.rhsa:tst:20172930007
        • comment kernel-doc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842024
      • AND
        • comment kernel-headers is earlier than 0:3.10.0-693.5.2.el7
          oval oval:com.redhat.rhsa:tst:20172930013
        • comment kernel-headers is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842008
      • AND
        • comment kernel-kdump is earlier than 0:3.10.0-693.5.2.el7
          oval oval:com.redhat.rhsa:tst:20172930009
        • comment kernel-kdump is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842018
      • AND
        • comment kernel-kdump-devel is earlier than 0:3.10.0-693.5.2.el7
          oval oval:com.redhat.rhsa:tst:20172930019
        • comment kernel-kdump-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842020
      • AND
        • comment kernel-tools is earlier than 0:3.10.0-693.5.2.el7
          oval oval:com.redhat.rhsa:tst:20172930029
        • comment kernel-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678010
      • AND
        • comment kernel-tools-libs is earlier than 0:3.10.0-693.5.2.el7
          oval oval:com.redhat.rhsa:tst:20172930027
        • comment kernel-tools-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678012
      • AND
        • comment kernel-tools-libs-devel is earlier than 0:3.10.0-693.5.2.el7
          oval oval:com.redhat.rhsa:tst:20172930031
        • comment kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678020
      • AND
        • comment perf is earlier than 0:3.10.0-693.5.2.el7
          oval oval:com.redhat.rhsa:tst:20172930023
        • comment perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842022
      • AND
        • comment python-perf is earlier than 0:3.10.0-693.5.2.el7
          oval oval:com.redhat.rhsa:tst:20172930015
        • comment python-perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111530020
    rhsa
    id RHSA-2017:2930
    released 2017-10-19
    severity Important
    title RHSA-2017:2930: kernel security and bug fix update (Important)
  • bugzilla
    id 1489084
    title kernel-rt: update to the RHEL7.4.z batch#2 source tree
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment kernel-rt is earlier than 0:3.10.0-693.5.2.rt56.626.el7
          oval oval:com.redhat.rhsa:tst:20172931011
        • comment kernel-rt is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727006
      • AND
        • comment kernel-rt-debug is earlier than 0:3.10.0-693.5.2.rt56.626.el7
          oval oval:com.redhat.rhsa:tst:20172931009
        • comment kernel-rt-debug is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727014
      • AND
        • comment kernel-rt-debug-devel is earlier than 0:3.10.0-693.5.2.rt56.626.el7
          oval oval:com.redhat.rhsa:tst:20172931017
        • comment kernel-rt-debug-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727016
      • AND
        • comment kernel-rt-debug-kvm is earlier than 0:3.10.0-693.5.2.rt56.626.el7
          oval oval:com.redhat.rhsa:tst:20172931019
        • comment kernel-rt-debug-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161051024
      • AND
        • comment kernel-rt-devel is earlier than 0:3.10.0-693.5.2.rt56.626.el7
          oval oval:com.redhat.rhsa:tst:20172931023
        • comment kernel-rt-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727012
      • AND
        • comment kernel-rt-doc is earlier than 0:3.10.0-693.5.2.rt56.626.el7
          oval oval:com.redhat.rhsa:tst:20172931005
        • comment kernel-rt-doc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727018
      • AND
        • comment kernel-rt-kvm is earlier than 0:3.10.0-693.5.2.rt56.626.el7
          oval oval:com.redhat.rhsa:tst:20172931007
        • comment kernel-rt-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161051016
      • AND
        • comment kernel-rt-trace is earlier than 0:3.10.0-693.5.2.rt56.626.el7
          oval oval:com.redhat.rhsa:tst:20172931015
        • comment kernel-rt-trace is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727008
      • AND
        • comment kernel-rt-trace-devel is earlier than 0:3.10.0-693.5.2.rt56.626.el7
          oval oval:com.redhat.rhsa:tst:20172931013
        • comment kernel-rt-trace-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727010
      • AND
        • comment kernel-rt-trace-kvm is earlier than 0:3.10.0-693.5.2.rt56.626.el7
          oval oval:com.redhat.rhsa:tst:20172931021
        • comment kernel-rt-trace-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161051018
    rhsa
    id RHSA-2017:2931
    released 2017-10-19
    severity Important
    title RHSA-2017:2931: kernel-rt security and bug fix update (Important)
  • bugzilla
    id 1487295
    title CVE-2017-14106 kernel: Divide-by-zero in __tcp_select_window
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment kernel is earlier than 0:2.6.32-696.16.1.el6
          oval oval:com.redhat.rhsa:tst:20173200025
        • comment kernel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842006
      • AND
        • comment kernel-abi-whitelists is earlier than 0:2.6.32-696.16.1.el6
          oval oval:com.redhat.rhsa:tst:20173200009
        • comment kernel-abi-whitelists is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131645028
      • AND
        • comment kernel-bootwrapper is earlier than 0:2.6.32-696.16.1.el6
          oval oval:com.redhat.rhsa:tst:20173200029
        • comment kernel-bootwrapper is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842010
      • AND
        • comment kernel-debug is earlier than 0:2.6.32-696.16.1.el6
          oval oval:com.redhat.rhsa:tst:20173200017
        • comment kernel-debug is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842012
      • AND
        • comment kernel-debug-devel is earlier than 0:2.6.32-696.16.1.el6
          oval oval:com.redhat.rhsa:tst:20173200013
        • comment kernel-debug-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842014
      • AND
        • comment kernel-devel is earlier than 0:2.6.32-696.16.1.el6
          oval oval:com.redhat.rhsa:tst:20173200023
        • comment kernel-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842016
      • AND
        • comment kernel-doc is earlier than 0:2.6.32-696.16.1.el6
          oval oval:com.redhat.rhsa:tst:20173200007
        • comment kernel-doc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842024
      • AND
        • comment kernel-firmware is earlier than 0:2.6.32-696.16.1.el6
          oval oval:com.redhat.rhsa:tst:20173200005
        • comment kernel-firmware is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842026
      • AND
        • comment kernel-headers is earlier than 0:2.6.32-696.16.1.el6
          oval oval:com.redhat.rhsa:tst:20173200015
        • comment kernel-headers is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842008
      • AND
        • comment kernel-kdump is earlier than 0:2.6.32-696.16.1.el6
          oval oval:com.redhat.rhsa:tst:20173200021
        • comment kernel-kdump is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842018
      • AND
        • comment kernel-kdump-devel is earlier than 0:2.6.32-696.16.1.el6
          oval oval:com.redhat.rhsa:tst:20173200027
        • comment kernel-kdump-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842020
      • AND
        • comment perf is earlier than 0:2.6.32-696.16.1.el6
          oval oval:com.redhat.rhsa:tst:20173200011
        • comment perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842022
      • AND
        • comment python-perf is earlier than 0:2.6.32-696.16.1.el6
          oval oval:com.redhat.rhsa:tst:20173200019
        • comment python-perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111530020
    rhsa
    id RHSA-2017:3200
    released 2017-11-14
    severity Important
    title RHSA-2017:3200: kernel security and bug fix update (Important)
  • rhsa
    id RHSA-2017:2918
rpms
  • kernel-0:3.10.0-693.5.2.el7
  • kernel-abi-whitelists-0:3.10.0-693.5.2.el7
  • kernel-bootwrapper-0:3.10.0-693.5.2.el7
  • kernel-debug-0:3.10.0-693.5.2.el7
  • kernel-debug-devel-0:3.10.0-693.5.2.el7
  • kernel-devel-0:3.10.0-693.5.2.el7
  • kernel-doc-0:3.10.0-693.5.2.el7
  • kernel-headers-0:3.10.0-693.5.2.el7
  • kernel-kdump-0:3.10.0-693.5.2.el7
  • kernel-kdump-devel-0:3.10.0-693.5.2.el7
  • kernel-tools-0:3.10.0-693.5.2.el7
  • kernel-tools-libs-0:3.10.0-693.5.2.el7
  • kernel-tools-libs-devel-0:3.10.0-693.5.2.el7
  • perf-0:3.10.0-693.5.2.el7
  • python-perf-0:3.10.0-693.5.2.el7
  • kernel-rt-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-devel-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-kvm-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-devel-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-doc-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-kvm-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-devel-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-kvm-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-0:2.6.32-696.16.1.el6
  • kernel-abi-whitelists-0:2.6.32-696.16.1.el6
  • kernel-bootwrapper-0:2.6.32-696.16.1.el6
  • kernel-debug-0:2.6.32-696.16.1.el6
  • kernel-debug-devel-0:2.6.32-696.16.1.el6
  • kernel-devel-0:2.6.32-696.16.1.el6
  • kernel-doc-0:2.6.32-696.16.1.el6
  • kernel-firmware-0:2.6.32-696.16.1.el6
  • kernel-headers-0:2.6.32-696.16.1.el6
  • kernel-kdump-0:2.6.32-696.16.1.el6
  • kernel-kdump-devel-0:2.6.32-696.16.1.el6
  • perf-0:2.6.32-696.16.1.el6
  • python-perf-0:2.6.32-696.16.1.el6
refmap via4
bid 100262
debian DSA-3981
exploit-db 45147
misc https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-1000112
mlist [oss-security] 20170810 Linux kernel: CVE-2017-1000112: Exploitable memory corruption due to UFO to non-UFO path switch
sectrack 1039162
Last major update 04-10-2017 - 21:29
Published 04-10-2017 - 21:29
Last modified 05-08-2018 - 21:29
Back to Top