ID CVE-2017-2596
Summary The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references.
References
Vulnerable Configurations
  • Linux Kernel 4.9.8
    cpe:2.3:o:linux:linux_kernel:4.9.8
CVSS
Base: 4.9 (as of 07-02-2017 - 10:59)
Impact:
Exploitability:
CWE CWE-772
CAPEC
  • HTTP DoS
    An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE COMPLETE
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-472052EBE5.NASL
    description The 4.9.7 update contains a number of important fixes across the tree Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-02-21
    plugin id 97033
    published 2017-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97033
    title Fedora 25 : kernel (2017-472052ebe5)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-392B319BB5.NASL
    description The 4.9.7 update contains a number of important fixes across the tree Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-02-21
    plugin id 97032
    published 2017-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97032
    title Fedora 24 : kernel (2017-392b319bb5)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0056.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Revert 'x86/mm: Expand the exception table logic to allow new handling options' (Brian Maly) [Orabug: 25790387] (CVE-2016-9644) - Revert 'fix minor infoleak in get_user_ex' (Brian Maly) [Orabug: 25790387] (CVE-2016-9644) - x86/mm: Expand the exception table logic to allow new handling options (Tony Luck) [Orabug: 25790387] (CVE-2016-9644) - rebuild bumping release - net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766898] (CVE-2016-8399) (CVE-2016-8399) - sg_write/bsg_write is not fit to be called under KERNEL_DS (Al Viro) [Orabug: 25765436] (CVE-2016-10088) - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25751984] (CVE-2017-7187) - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov) [Orabug: 25696677] (CVE-2017-2636) - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby) [Orabug: 25696677] (CVE-2017-2636) - If Slot Status indicates changes in both Data Link Layer Status and Presence Detect, prioritize the Link status change. (Jack Vogel) - PCI: pciehp: Leave power indicator on when enabling already-enabled slot (Ashok Raj) [Orabug: 25353783] - firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451520] (CVE-2016-8633) - usbnet: cleanup after bind in probe (Oliver Neukum) [Orabug: 25463898] (CVE-2016-3951) - cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind (Bjø rn Mork) [Orabug: 25463898] (CVE-2016-3951) - cdc_ncm: Add support for moving NDP to end of NCM frame (Enrico Mioso) [Orabug: 25463898] (CVE-2016-3951) - x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert) [Orabug: 25463918] (CVE-2016-3672) - kvm: fix page struct leak in handle_vmon (Paolo Bonzini) [Orabug: 25507133] (CVE-2017-2596) - crypto: mcryptd - Check mcryptd algorithm compatibility (tim) [Orabug: 25507153] (CVE-2016-10147) - kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) (Jim Mattson) [Orabug: 25507188] (CVE-2016-9588) - KVM: x86: drop error recovery in em_jmp_far and em_ret_far (Radim Krč má ř ) [Orabug: 25507213] (CVE-2016-9756) - tcp: take care of truncations done by sk_filter (Eric Dumazet) [Orabug: 25507226] (CVE-2016-8645) - rose: limit sk_filter trim to payload (Willem de Bruijn) [Orabug: 25507226] (CVE-2016-8645) - tipc: check minimum bearer MTU (Michal Kubeč ek) [Orabug: 25507239] (CVE-2016-8632) (CVE-2016-8632) - fix minor infoleak in get_user_ex (Al Viro) [Orabug: 25507269] (CVE-2016-9178) - scsi: arcmsr: Simplify user_len checking (Borislav Petkov) [Orabug: 25507319] (CVE-2016-7425) - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer (Dan Carpenter) [Orabug: 25507319] (CVE-2016-7425) - tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng) [Orabug: 25507341] (CVE-2016-7097) (CVE-2016-7097) - posix_acl: Clear SGID bit when setting file permissions (Jan Kara) [Orabug: 25507341] (CVE-2016-7097) (CVE-2016-7097) - ext2: convert to mbcache2 (Jan Kara) [Orabug: 25512366] (CVE-2015-8952) - ext4: convert to mbcache2 (Jan Kara) [Orabug: 25512366] (CVE-2015-8952) - mbcache2: reimplement mbcache (Jan Kara) [Orabug: 25512366] (CVE-2015-8952) - USB: digi_acceleport: do sanity checking for the number of ports (Oliver Neukum) [Orabug: 25512466] (CVE-2016-3140) - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet) [Orabug: 25682419] (CVE-2017-6345) - net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli Cohen) - ipv4: keep skb->dst around in presence of IP options (Eric Dumazet) [Orabug: 25698300] (CVE-2017-5970) - perf/core: Fix concurrent sys_perf_event_open vs. 'move_group' race (Peter Zijlstra) [Orabug: 25698751] (CVE-2017-6001) - ip6_gre: fix ip6gre_err invalid reads (Eric Dumazet) [Orabug: 25699015] (CVE-2017-5897) - mpt3sas: Don't spam logs if logging level is 0 (Johannes Thumshirn) - xen-netfront: cast grant table reference first to type int (Dongli Zhang) - xen-netfront: do not cast grant table reference to signed short (Dongli Zhang)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 99162
    published 2017-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99162
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0056)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3361-1.NASL
    description USN-3358-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Please note that this update changes the Linux HWE kernel to the 4.10 based kernel from Ubuntu 17.04, superseding the 4.8 based HWE kernel from Ubuntu 16.10. Ben Harris discovered that the Linux kernel would strip extended privilege attributes of files when performing a failed unprivileged system call. A local attacker could use this to cause a denial of service. (CVE-2015-1350) Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208) Peter Pi discovered that the colormap handling for frame buffer devices in the Linux kernel contained an integer overflow. A local attacker could use this to disclose sensitive information (kernel memory). (CVE-2016-8405) It was discovered that an integer overflow existed in the InfiniBand RDMA over ethernet (RXE) transport implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-8636) Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084) CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191) It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604) Dmitry Vyukov, Andrey Konovalov, Florian Westphal, and Eric Dumazet discovered that the netfiler subsystem in the Linux kernel mishandled IPv6 packet reassembly. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9755) Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS. (CVE-2017-2583) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory). (CVE-2017-2584) Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596) It was discovered that SELinux in the Linux kernel did not properly handle empty writes to /proc/pid/attr. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2618) Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2017-2671) It was discovered that the freelist-randomization in the SLAB memory allocator allowed duplicate freelist entries. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-5546) It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549) It was discovered that a fencepost error existed in the pipe_advance() function in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5550) It was discovered that the Linux kernel did not clear the setgid bit during a setxattr call on a tmpfs filesystem. A local attacker could use this to gain elevated group privileges. (CVE-2017-5551) Murray McAllister discovered that an integer overflow existed in the VideoCore DRM driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-5576) Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669) Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897) Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations. An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970) Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001) Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214) Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-6345) It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346) Andrey Konovalov discovered that the IP layer in the Linux kernel made improper assumptions about internal data layout when performing checksums. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6347) Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348) Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7187) It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261) It was discovered that the USB Cypress HID drivers for the Linux kernel did not properly validate reported information from the device. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-7273) Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472) It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616) Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618) Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645) Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889) Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895) It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924) It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion). (CVE-2017-8925) Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 101929
    published 2017-07-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101929
    title Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3361-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-1842-1.NASL
    description The remote Oracle Linux host is missing a security update for the kernel package(s).
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 102511
    published 2017-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102511
    title Oracle Linux 7 : kernel (ELSA-2017-1842-1) (Stack Clash)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1183-1.NASL
    description The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.58 to receive various security and bugfixes. Notable new/improved features : - Improved support for Hyper-V - Support for Matrox G200eH3 - Support for tcp_westwood The following security bugs were fixed : - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently could not ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003). - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579). - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440). - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052). - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213). - CVE-2017-7374: Use-after-free vulnerability in fs/crypto/ in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely (bnc#1032006). - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415). - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that a certain destructor exists in required circumstances, which allowed local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls (bnc#1027190). - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that made PACKET_FANOUT setsockopt system calls (bnc#1027189). - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066). - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722). - CVE-2016-2117: The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly enables scatter/gather I/O, which allowed remote attackers to obtain sensitive information from kernel memory by reading packet data (bnc#968697). - CVE-2017-6347: The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel had incorrect expectations about skb data layout, which allowed local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission (bnc#1027179). - CVE-2016-9191: The cgroup offline implementation in the Linux kernel mishandled certain drain operations, which allowed local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application (bnc#1008842). - CVE-2017-2596: The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel improperly emulated the VMXON instruction, which allowed KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references (bnc#1022785). - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 100023
    published 2017-05-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100023
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1183-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2077.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important) * A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important) * It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service. (CVE-2017-8797, Important) This update also fixes multiple Moderate and Low impact security issues : * CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685 Documentation for these issues is available from the Release Notes document linked from the References section. Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat). Additional Changes : For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2019-02-06
    plugin id 102151
    published 2017-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102151
    title RHEL 7 : kernel-rt (RHSA-2017:2077)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-1842.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important) * A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important) * It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service. (CVE-2017-8797, Important) This update also fixes multiple Moderate and Low impact security issues : * CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685 Documentation for these issues is available from the Release Notes document linked from the References section. Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat). Additional Changes : For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2019-02-06
    plugin id 102143
    published 2017-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102143
    title RHEL 7 : kernel (RHSA-2017:1842) (Stack Clash)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-1842.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important) * A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important) * It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service. (CVE-2017-8797, Important) This update also fixes multiple Moderate and Low impact security issues : * CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685 Documentation for these issues is available from the Release Notes document linked from the References section. Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat). Additional Changes : For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2019-02-06
    plugin id 102734
    published 2017-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102734
    title CentOS 7 : kernel (CESA-2017:1842) (Stack Clash)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3312-2.NASL
    description USN-3312-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that the netfilter netlink implementation in the Linux kernel did not properly validate batch messages. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information or cause a denial of service. (CVE-2016-7917) Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() function in the Linux kernel. A local attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-8632) It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604) Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596) Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2017-2671) Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001) Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472) Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618) Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645) Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889) Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895) It was discovered that a use-after-free vulnerability existed in the device driver for XCeive xc2028/xc3028 tuners in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-7913) Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 100665
    published 2017-06-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100665
    title Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3312-2)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-418.NASL
    description The openSUSE Leap 42.2 kernel was updated to 4.4.56 fix various security issues and bugs. The following security bugs were fixed : - CVE-2017-7184: The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size data after an XFRM_MSG_NEWAE update, which allowed local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52 (bnc#1030573). - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bnc#1027565). - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that a certain destructor exists in required circumstances, which allowed local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls (bnc#1027190). - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that made PACKET_FANOUT setsockopt system calls (bnc#1027189). - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1025235). - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722). - CVE-2016-2117: The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly enables scatter/gather I/O, which allowed remote attackers to obtain sensitive information from kernel memory by reading packet data (bnc#968697). - CVE-2017-6347: The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel has incorrect expectations about skb data layout, which allowed local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission (bnc#1027179). - CVE-2016-9191: The cgroup offline implementation in the Linux kernel mishandled certain drain operations, which allowed local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application, as demonstrated by trinity (bnc#1008842). - CVE-2017-2596: The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel improperly emulates the VMXON instruction, which allowed KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references (bnc#1022785). The following non-security bugs were fixed : - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC (bsc#1028819). - ACPI, ioapic: Clear on-stack resource before using it (bsc#1028819). - ACPI: Remove platform devices from a bus on removal (bsc#1028819). - add mainline tag to one hyperv patch - bnx2x: allow adding VLANs while interface is down (bsc#1027273). - btrfs: backref: Fix soft lockup in __merge_refs function (bsc#1017641). - btrfs: incremental send, do not delay rename when parent inode is new (bsc#1028325). - btrfs: incremental send, do not issue invalid rmdir operations (bsc#1028325). - btrfs: qgroup: Move half of the qgroup accounting time out of commit trans (bsc#1017461). - btrfs: send, fix failure to rename top level inode due to name collision (bsc#1028325). - btrfs: serialize subvolume mounts with potentially mismatching rw flags (bsc#951844 bsc#1024015) - crypto: algif_hash - avoid zero-sized array (bnc#1007962). - cxgb4vf: do not offload Rx checksums for IPv6 fragments (bsc#1026692). - drivers: hv: vmbus: Prevent sending data on a rescinded channel (fate#320485, bug#1028217). - drm/i915: Add intel_uncore_suspend / resume functions (bsc#1011913). - drm/i915: Listen for PMIC bus access notifications (bsc#1011913). - drm/mgag200: Added support for the new device G200eH3 (bsc#1007959, fate#322780) - ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986). - Fix kABI breakage of dccp in 4.4.56 (stable-4.4.56). - futex: Add missing error handling to FUTEX_REQUEUE_PI (bsc#969755). - futex: Fix potential use-after-free in FUTEX_REQUEUE_PI (bsc#969755). - i2c: designware-baytrail: Acquire P-Unit access on bus acquire (bsc#1011913). - i2c: designware-baytrail: Call pmic_bus_access_notifier_chain (bsc#1011913). - i2c: designware-baytrail: Fix race when resetting the semaphore (bsc#1011913). - i2c: designware-baytrail: Only check iosf_mbi_available() for shared hosts (bsc#1011913). - i2c: designware: Disable pm for PMIC i2c-bus even if there is no _SEM method (bsc#1011913). - i2c-designware: increase timeout (bsc#1011913). - i2c: designware: Never suspend i2c-busses used for accessing the system PMIC (bsc#1011913). - i2c: designware: Rename accessor_flags to flags (bsc#1011913). - kABI: protect struct iscsi_conn (kabi). - kABI: protect struct se_node_acl (kabi). - kABI: restore can_rx_register parameters (kabi). - kgr/module: make a taint flag module-specific (fate#313296). - kgr: remove all arch-specific kgraft header files (fate#313296). - l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415). - l2tp: fix lookup for sockets not bound to a device in l2tp_ip (bsc#1028415). - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind() (bsc#1028415). - l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv() (bsc#1028415). - l2tp: lock socket before checking flags in connect() (bsc#1028415). - md/raid1: add rcu protection to rdev in fix_read_error (References: bsc#998106,bsc#1020048,bsc#982783). - md/raid1: fix a use-after-free bug (bsc#998106,bsc#1020048,bsc#982783). - md/raid1: handle flush request correctly (bsc#998106,bsc#1020048,bsc#982783). - md/raid1: Refactor raid1_make_request (bsc#998106,bsc#1020048,bsc#982783). - mm: fix set pageblock migratetype in deferred struct page init (bnc#1027195). - mm/page_alloc: Remove useless parameter of __free_pages_boot_core (bnc#1027195). - module: move add_taint_module() to a header file (fate#313296). - net/ena: change condition for host attribute configuration (bsc#1026509). - net/ena: change driver's default timeouts (bsc#1026509). - net: ena: change the return type of ena_set_push_mode() to be void (bsc#1026509). - net: ena: Fix error return code in ena_device_init() (bsc#1026509). - net/ena: fix ethtool RSS flow configuration (bsc#1026509). - net/ena: fix NULL dereference when removing the driver after device reset failed (bsc#1026509). - net/ena: fix potential access to freed memory during device reset (bsc#1026509). - net/ena: fix queues number calculation (bsc#1026509). - net/ena: fix RSS default hash configuration (bsc#1026509). - net/ena: reduce the severity of ena printouts (bsc#1026509). - net/ena: refactor ena_get_stats64 to be atomic context safe (bsc#1026509). - net/ena: remove ntuple filter support from device feature list (bsc#1026509). - net: ena: remove superfluous check in ena_remove() (bsc#1026509). - net: ena: Remove unnecessary pci_set_drvdata() (bsc#1026509). - net/ena: update driver version to 1.1.2 (bsc#1026509). - net/ena: use READ_ONCE to access completion descriptors (bsc#1026509). - net: ena: use setup_timer() and mod_timer() (bsc#1026509). - net/mlx4_core: Avoid command timeouts during VF driver device shutdown (bsc#1028017). - net/mlx4_core: Avoid delays during VF driver device shutdown (bsc#1028017). - net/mlx4_core: Fix racy CQ (Completion Queue) free (bsc#1028017). - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT transitions (bsc#1028017). - net/mlx4_core: Use cq quota in SRIOV when creating completion EQs (bsc#1028017). - net/mlx4_en: Fix bad WQE issue (bsc#1028017). - NFS: do not try to cross a mountpount when there isn't one there (bsc#1028041). - nvme: Do not suspend admin queue that wasn't created (bsc#1026505). - nvme: Suspend all queues before deletion (bsc#1026505). - PCI: hv: Fix wslot_to_devfn() to fix warnings on device removal (fate#320485, bug#1028217). - PCI: hv: Use device serial number as PCI domain (fate#320485, bug#1028217). - powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895). - RAID1: a new I/O barrier implementation to remove resync window (bsc#998106,bsc#1020048,bsc#982783). - RAID1: avoid unnecessary spin locks in I/O barrier code (bsc#998106,bsc#1020048,bsc#982783). - Revert 'give up on gcc ilog2() constant optimizations' (kabi). - Revert 'net: introduce device min_header_len' (kabi). - Revert 'net/mlx4_en: Avoid unregister_netdev at shutdown flow' (bsc#1028017). - Revert 'nfit, libnvdimm: fix interleave set cookie calculation' (kabi). - Revert 'RDMA/core: Fix incorrect structure packing for booleans' (kabi). - Revert 'target: Fix NULL dereference during LUN lookup + active I/O shutdown' (kabi). - rtlwifi: rtl_usb: Fix missing entry in USB driver's private data (bsc#1026462). - s390/kmsg: add missing kmsg descriptions (bnc#1025683, LTC#151573). - s390/mm: fix zone calculation in arch_add_memory() (bnc#1025683, LTC#152318). - sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting (bsc#1018419). - scsi_dh_alua: Do not modify the interval value for retries (bsc#1012910). - scsi: do not print 'reservation conflict' for TEST UNIT READY (bsc#1027054). - softirq: Let ksoftirqd do its job (bsc#1019618). - supported.conf: Add tcp_westwood as supported module (fate#322432) - taint/module: Clean up global and module taint flags handling (fate#313296). - Update mainline reference in patches.drivers/drm-ast-Fix-memleaks-in-error-path-in-as t_fb_create.patch See (bsc#1028158) for the context in which this was discovered upstream. - x86/apic/uv: Silence a shift wrapping warning (bsc#1023866). - x86/mce: Do not print MCEs when mcelog is active (bsc#1013994). - x86, mm: fix gup_pte_range() vs DAX mappings (bsc#1026405). - x86/mm/gup: Simplify get_user_pages() PTE bit handling (bsc#1026405). - x86/platform/intel/iosf_mbi: Add a mutex for P-Unit access (bsc#1011913). - x86/platform/intel/iosf_mbi: Add a PMIC bus access notifier (bsc#1011913). - x86/platform: Remove warning message for duplicate NMI handlers (bsc#1029220). - x86/platform/UV: Add basic CPU NMI health check (bsc#1023866). - x86/platform/UV: Add Support for UV4 Hubless NMIs (bsc#1023866). - x86/platform/UV: Add Support for UV4 Hubless systems (bsc#1023866). - x86/platform/UV: Clean up the NMI code to match current coding style (bsc#1023866). - x86/platform/UV: Clean up the UV APIC code (bsc#1023866). - x86/platform/UV: Ensure uv_system_init is called when necessary (bsc#1023866). - x86/platform/UV: Fix 2 socket config problem (bsc#1023866). - x86/platform/UV: Fix panic with missing UVsystab support (bsc#1023866). - x86/platform/UV: Initialize PCH GPP_D_0 NMI Pin to be NMI source (bsc#1023866). - x86/platform/UV: Verify NMI action is valid, default is standard (bsc#1023866). - xen-blkfront: correct maximum segment accounting (bsc#1018263). - xen-blkfront: do not call talk_to_blkback when already connected to blkback. - xen/blkfront: Fix crash if backend does not follow the right states. - xen-blkfront: free resources if xlvbd_alloc_gendisk fails. - xen/netback: set default upper limit of tx/rx queues to 8 (bnc#1019163). - xen/netfront: set default upper limit of tx/rx queues to 8 (bnc#1019163). - xfs: do not take the IOLOCK exclusive for direct I/O page invalidation (bsc#1015609).
    last seen 2019-02-21
    modified 2017-04-03
    plugin id 99156
    published 2017-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99156
    title openSUSE Security Update : the Linux Kernel (openSUSE-2017-418)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-419.NASL
    description The openSUSE Leap 42.1 kernel was updated to 4.1.39 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914). - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly manages lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178). - CVE-2017-7184: The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size data after an XFRM_MSG_NEWAE update, which allowed local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52 (bnc#1030573). - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bnc#1027565). - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that a certain destructor exists in required circumstances, which allowed local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls (bnc#1027190). - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that made PACKET_FANOUT setsockopt system calls (bnc#1027189). - CVE-2017-6347: The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel has incorrect expectations about skb data layout, which allowed local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission (bnc#1027179). - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1025235). - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722). - CVE-2016-2117: The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly enables scatter/gather I/O, which allowed remote attackers to obtain sensitive information from kernel memory by reading packet data (bnc#968697). - CVE-2016-10208: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel did not properly validate meta block groups, which allowed physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image (bnc#1023377). - CVE-2017-2596: The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel improperly emulates the VMXON instruction, which allowed KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references (bnc#1022785). - CVE-2017-2583: The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the Linux kernel improperly emulates a 'MOV SS, NULL selector' instruction, which allowed guest OS users to cause a denial of service (guest OS crash) or gain guest OS privileges via a crafted application (bnc#1020602). - CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free) via a crafted application that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt (bnc#1019851). The following non-security bugs were fixed : - Fix kABI breakage of musb struct in 4.1.39 (stable 4.1.39). - Revert 'ptrace: Capture the ptracer's creds not PT_PTRACE_CAP' (stable 4.1.39). - ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986). - ext4: validate s_first_meta_bg at mount time (bsc#1023377). - kabi/severities: Ignore x86/kvm kABI changes for 4.1.39 - l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415). - l2tp: fix lookup for sockets not bound to a device in l2tp_ip (bsc#1028415). - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind() (bsc#1028415). - l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv() (bsc#1028415). - l2tp: lock socket before checking flags in connect() (bsc#1028415). - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bsc#1030118).
    last seen 2019-02-21
    modified 2017-04-05
    plugin id 99157
    published 2017-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99157
    title openSUSE Security Update : the Linux Kernel (openSUSE-2017-419)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3293-1.NASL
    description Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596) Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7187) It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261) Li Qiang discovered that an integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7294) Jason Donenfeld discovered a heap overflow in the MACsec module in the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7477) It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 100255
    published 2017-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100255
    title Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3293-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3791.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts. - CVE-2016-6786 / CVE-2016-6787 It was discovered that the performance events subsystem does not properly manage locks during certain migrations, allowing a local attacker to escalate privileges. This can be mitigated by disabling unprivileged use of performance events:sysctl kernel.perf_event_paranoid=3 - CVE-2016-8405 Peter Pi of Trend Micro discovered that the frame buffer video subsystem does not properly check bounds while copying color maps to userspace, causing a heap buffer out-of-bounds read, leading to information disclosure. - CVE-2016-9191 CAI Qian discovered that reference counting is not properly handled within proc_sys_readdir in the sysctl implementation, allowing a local denial of service (system hang) or possibly privilege escalation. - CVE-2017-2583 Xiaohan Zhang reported that KVM for amd64 does not correctly emulate loading of a null stack selector. This can be used by a user in a guest VM for denial of service (on an Intel CPU) or to escalate privileges within the VM (on an AMD CPU). - CVE-2017-2584 Dmitry Vyukov reported that KVM for x86 does not correctly emulate memory access by the SGDT and SIDT instructions, which can result in a use-after-free and information leak. - CVE-2017-2596 Dmitry Vyukov reported that KVM leaks page references when emulating a VMON for a nested hypervisor. This can be used by a privileged user in a guest VM for denial of service or possibly to gain privileges in the host. - CVE-2017-2618 It was discovered that an off-by-one in the handling of SELinux attributes in /proc/pid/attr could result in local denial of service. - CVE-2017-5549 It was discovered that the KLSI KL5KUSB105 serial USB device driver could log the contents of uninitialised kernel memory, resulting in an information leak. - CVE-2017-5551 Jan Kara found that changing the POSIX ACL of a file on tmpfs never cleared its set-group-ID flag, which should be done if the user changing it is not a member of the group-owner. In some cases, this would allow the user-owner of an executable to gain the privileges of the group-owner. - CVE-2017-5897 Andrey Konovalov discovered an out-of-bounds read flaw in the ip6gre_err function in the IPv6 networking code. - CVE-2017-5970 Andrey Konovalov discovered a denial-of-service flaw in the IPv4 networking code. This can be triggered by a local or remote attacker if a local UDP or raw socket has the IP_RETOPTS option enabled. - CVE-2017-6001 Di Shen discovered a race condition between concurrent calls to the performance events subsystem, allowing a local attacker to escalate privileges. This flaw exists because of an incomplete fix of CVE-2016-6786. This can be mitigated by disabling unprivileged use of performance events: sysctl kernel.perf_event_paranoid=3 - CVE-2017-6074 Andrey Konovalov discovered a use-after-free vulnerability in the DCCP networking code, which could result in denial of service or local privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it:echo >> /etc/modprobe.d/disable-dccp.conf install dccp false
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 97357
    published 2017-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97357
    title Debian DSA-3791-1 : linux - security update
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3533.NASL
    description Description of changes: [4.1.12-61.1.33.el7uek] - Revert 'x86/mm: Expand the exception table logic to allow new handling options' (Brian Maly) [Orabug: 25790387] {CVE-2016-9644} - Revert 'fix minor infoleak in get_user_ex()' (Brian Maly) [Orabug: 25790387] {CVE-2016-9644} [4.1.12-61.1.32.el7uek] - x86/mm: Expand the exception table logic to allow new handling options (Tony Luck) [Orabug: 25790387] {CVE-2016-9644} [4.1.12-61.1.31.el7uek] - rebuild bumping release [4.1.12-61.1.30.el7uek] - net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766898] {CVE-2016-8399} {CVE-2016-8399} - sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro) [Orabug: 25765436] {CVE-2016-10088} - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25751984] {CVE-2017-7187} [4.1.12-61.1.29.el7uek] - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov) [Orabug: 25696677] {CVE-2017-2636} - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby) [Orabug: 25696677] {CVE-2017-2636} - If Slot Status indicates changes in both Data Link Layer Status and Presence Detect, prioritize the Link status change. (Jack Vogel) [Orabug: 25353783] - PCI: pciehp: Leave power indicator on when enabling already-enabled slot (Ashok Raj) [Orabug: 25353783] - firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451520] {CVE-2016-8633} - usbnet: cleanup after bind() in probe() (Oliver Neukum) [Orabug: 25463898] {CVE-2016-3951} - cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind (Bjø rn Mork) [Orabug: 25463898] {CVE-2016-3951} - cdc_ncm: Add support for moving NDP to end of NCM frame (Enrico Mioso) [Orabug: 25463898] {CVE-2016-3951} - x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert) [Orabug: 25463918] {CVE-2016-3672} - kvm: fix page struct leak in handle_vmon (Paolo Bonzini) [Orabug: 25507133] {CVE-2017-2596} - crypto: mcryptd - Check mcryptd algorithm compatibility (tim) [Orabug: 25507153] {CVE-2016-10147} - kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) (Jim Mattson) [Orabug: 25507188] {CVE-2016-9588} - KVM: x86: drop error recovery in em_jmp_far and em_ret_far (Radim Krč má ř ) [Orabug: 25507213] {CVE-2016-9756} - tcp: take care of truncations done by sk_filter() (Eric Dumazet) [Orabug: 25507226] {CVE-2016-8645} - rose: limit sk_filter trim to payload (Willem de Bruijn) [Orabug: 25507226] {CVE-2016-8645} - tipc: check minimum bearer MTU (Michal Kubeč ek) [Orabug: 25507239] {CVE-2016-8632} {CVE-2016-8632} - fix minor infoleak in get_user_ex() (Al Viro) [Orabug: 25507269] {CVE-2016-9178} - scsi: arcmsr: Simplify user_len checking (Borislav Petkov) [Orabug: 25507319] {CVE-2016-7425} - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan Carpenter) [Orabug: 25507319] {CVE-2016-7425} - tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng) [Orabug: 25507341] {CVE-2016-7097} {CVE-2016-7097} - posix_acl: Clear SGID bit when setting file permissions (Jan Kara) [Orabug: 25507341] {CVE-2016-7097} {CVE-2016-7097} - ext2: convert to mbcache2 (Jan Kara) [Orabug: 25512366] {CVE-2015-8952} - ext4: convert to mbcache2 (Jan Kara) [Orabug: 25512366] {CVE-2015-8952} - mbcache2: reimplement mbcache (Jan Kara) [Orabug: 25512366] {CVE-2015-8952} - USB: digi_acceleport: do sanity checking for the number of ports (Oliver Neukum) [Orabug: 25512466] {CVE-2016-3140} - net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet) [Orabug: 25682419] {CVE-2017-6345} - net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli Cohen) [Orabug: 25697847] - ipv4: keep skb->dst around in presence of IP options (Eric Dumazet) [Orabug: 25698300] {CVE-2017-5970} - perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race (Peter Zijlstra) [Orabug: 25698751] {CVE-2017-6001} - ip6_gre: fix ip6gre_err() invalid reads (Eric Dumazet) [Orabug: 25699015] {CVE-2017-5897} - mpt3sas: Don't spam logs if logging level is 0 (Johannes Thumshirn) [Orabug: 25699035] - xen-netfront: cast grant table reference first to type int (Dongli Zhang) - xen-netfront: do not cast grant table reference to signed short (Dongli Zhang)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 99159
    published 2017-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99159
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3533)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-1842.NASL
    description From Red Hat Security Advisory 2017:1842 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important) * A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important) * It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service. (CVE-2017-8797, Important) This update also fixes multiple Moderate and Low impact security issues : * CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685 Documentation for these issues is available from the Release Notes document linked from the References section. Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat). Additional Changes : For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2019-02-06
    plugin id 102281
    published 2017-08-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102281
    title Oracle Linux 7 : kernel (ELSA-2017-1842) (Stack Clash)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170801_KERNEL_ON_SL7_X.NASL
    description Security Fix(es) : - An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important) - A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important) - It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft- lockup the system and thus cause denial of service. (CVE-2017-8797, Important) This update also fixes multiple Moderate and Low impact security issues : - CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 102645
    published 2017-08-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102645
    title Scientific Linux Security Update : kernel on SL7.x x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3312-1.NASL
    description It was discovered that the netfilter netlink implementation in the Linux kernel did not properly validate batch messages. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information or cause a denial of service. (CVE-2016-7917) Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() function in the Linux kernel. A local attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-8632) It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604) Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596) Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2017-2671) Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001) Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472) Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618) Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645) Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889) Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895) It was discovered that a use-after-free vulnerability existed in the device driver for XCeive xc2028/xc3028 tuners in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-7913) Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 100664
    published 2017-06-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100664
    title Ubuntu 16.04 LTS : linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities (USN-3312-1)
redhat via4
advisories
  • rhsa
    id RHSA-2017:1842
  • rhsa
    id RHSA-2017:2077
rpms
  • kernel-0:3.10.0-693.el7
  • kernel-abi-whitelists-0:3.10.0-693.el7
  • kernel-bootwrapper-0:3.10.0-693.el7
  • kernel-debug-0:3.10.0-693.el7
  • kernel-debug-devel-0:3.10.0-693.el7
  • kernel-devel-0:3.10.0-693.el7
  • kernel-doc-0:3.10.0-693.el7
  • kernel-headers-0:3.10.0-693.el7
  • kernel-kdump-0:3.10.0-693.el7
  • kernel-kdump-devel-0:3.10.0-693.el7
  • kernel-tools-0:3.10.0-693.el7
  • kernel-tools-libs-0:3.10.0-693.el7
  • kernel-tools-libs-devel-0:3.10.0-693.el7
  • perf-0:3.10.0-693.el7
  • python-perf-0:3.10.0-693.el7
  • kernel-rt-0:3.10.0-693.rt56.617.el7
  • kernel-rt-debug-0:3.10.0-693.rt56.617.el7
  • kernel-rt-debug-devel-0:3.10.0-693.rt56.617.el7
  • kernel-rt-debug-kvm-0:3.10.0-693.rt56.617.el7
  • kernel-rt-devel-0:3.10.0-693.rt56.617.el7
  • kernel-rt-doc-0:3.10.0-693.rt56.617.el7
  • kernel-rt-kvm-0:3.10.0-693.rt56.617.el7
  • kernel-rt-trace-0:3.10.0-693.rt56.617.el7
  • kernel-rt-trace-devel-0:3.10.0-693.rt56.617.el7
  • kernel-rt-trace-kvm-0:3.10.0-693.rt56.617.el7
refmap via4
bid 95878
confirm https://bugzilla.redhat.com/show_bug.cgi?id=1417812
debian DSA-3791
mlist [oss-security] 20170131 CVE-2017-2596 Kernel: kvm: page reference leakage in handle_vmon
Last major update 07-02-2017 - 14:33
Published 06-02-2017 - 01:59
Last modified 02-10-2019 - 20:03
Back to Top