ID CVE-2017-7273
Summary The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux kernel 4.x before 4.9.4 allows physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report.
References
Vulnerable Configurations
  • Linux Kernel 4.0
    cpe:2.3:o:linux:linux_kernel:4.0
  • Linux Kernel 4.0.0
    cpe:2.3:o:linux:linux_kernel:4.0.0
  • Linux Kernel 4.0.2
    cpe:2.3:o:linux:linux_kernel:4.0.2
  • Linux Kernel 4.0.3
    cpe:2.3:o:linux:linux_kernel:4.0.3
  • Linux Kernel 4.0.4
    cpe:2.3:o:linux:linux_kernel:4.0.4
  • Linux Kernel 4.0.5
    cpe:2.3:o:linux:linux_kernel:4.0.5
  • Linux Kernel 4.0.6
    cpe:2.3:o:linux:linux_kernel:4.0.6
  • Linux Kernel 4.0.7
    cpe:2.3:o:linux:linux_kernel:4.0.7
  • Linux Kernel 4.0.8
    cpe:2.3:o:linux:linux_kernel:4.0.8
  • Linux Kernel 4.0.9
    cpe:2.3:o:linux:linux_kernel:4.0.9
  • Linux Kernel 4.1.0
    cpe:2.3:o:linux:linux_kernel:4.1.0
  • Linux Kernel 4.1.10
    cpe:2.3:o:linux:linux_kernel:4.1.10
  • Linux Kernel 4.1.11
    cpe:2.3:o:linux:linux_kernel:4.1.11
  • Linux Kernel 4.1.12
    cpe:2.3:o:linux:linux_kernel:4.1.12
  • Linux Kernel 4.1.13
    cpe:2.3:o:linux:linux_kernel:4.1.13
  • Linux Kernel 4.1.14
    cpe:2.3:o:linux:linux_kernel:4.1.14
  • Linux Kernel 4.1.15
    cpe:2.3:o:linux:linux_kernel:4.1.15
  • Linux Kernel 4.1.16
    cpe:2.3:o:linux:linux_kernel:4.1.16
  • Linux Kernel 4.1.17
    cpe:2.3:o:linux:linux_kernel:4.1.17
  • Linux Kernel 4.1.18
    cpe:2.3:o:linux:linux_kernel:4.1.18
  • Linux Kernel 4.1.19
    cpe:2.3:o:linux:linux_kernel:4.1.19
  • Linux Kernel 4.1.2
    cpe:2.3:o:linux:linux_kernel:4.1.2
  • Linux Kernel 4.1.20
    cpe:2.3:o:linux:linux_kernel:4.1.20
  • Linux Kernel 4.1.21
    cpe:2.3:o:linux:linux_kernel:4.1.21
  • Linux Kernel 4.1.22
    cpe:2.3:o:linux:linux_kernel:4.1.22
  • Linux Kernel 4.1.23
    cpe:2.3:o:linux:linux_kernel:4.1.23
  • Linux Kernel 4.1.3
    cpe:2.3:o:linux:linux_kernel:4.1.3
  • Linux Kernel 4.1.33
    cpe:2.3:o:linux:linux_kernel:4.1.33
  • Linux Kernel 4.1.4
    cpe:2.3:o:linux:linux_kernel:4.1.4
  • Linux Kernel 4.1.5
    cpe:2.3:o:linux:linux_kernel:4.1.5
  • Linux Kernel 4.1.6
    cpe:2.3:o:linux:linux_kernel:4.1.6
  • Linux Kernel 4.1.7
    cpe:2.3:o:linux:linux_kernel:4.1.7
  • Linux Kernel 4.1.8
    cpe:2.3:o:linux:linux_kernel:4.1.8
  • Linux Kernel 4.1.9
    cpe:2.3:o:linux:linux_kernel:4.1.9
  • Linux Kernel 4.10
    cpe:2.3:o:linux:linux_kernel:4.10
  • Linux Kernel 4.10.1
    cpe:2.3:o:linux:linux_kernel:4.10.1
  • Linux Kernel 4.10.2
    cpe:2.3:o:linux:linux_kernel:4.10.2
  • Linux Kernel 4.10.4
    cpe:2.3:o:linux:linux_kernel:4.10.4
  • Linux Kernel 4.2.0
    cpe:2.3:o:linux:linux_kernel:4.2.0
  • Linux Kernel 4.2.1
    cpe:2.3:o:linux:linux_kernel:4.2.1
  • Linux Kernel 4.2.2
    cpe:2.3:o:linux:linux_kernel:4.2.2
  • Linux Kernel 4.2.3
    cpe:2.3:o:linux:linux_kernel:4.2.3
  • Linux Kernel 4.2.4
    cpe:2.3:o:linux:linux_kernel:4.2.4
  • Linux Kernel 4.2.5
    cpe:2.3:o:linux:linux_kernel:4.2.5
  • Linux Kernel 4.2.7
    cpe:2.3:o:linux:linux_kernel:4.2.7
  • Linux Kernel 4.2.8
    cpe:2.3:o:linux:linux_kernel:4.2.8
  • Linux Kernel 4.3 Release Candidate 7
    cpe:2.3:o:linux:linux_kernel:4.3:rc7
  • Linux Kernel 4.3.0
    cpe:2.3:o:linux:linux_kernel:4.3.0
  • Linux Kernel 4.3.1
    cpe:2.3:o:linux:linux_kernel:4.3.1
  • Linux Kernel 4.3.2
    cpe:2.3:o:linux:linux_kernel:4.3.2
  • Linux Kernel 4.3.3
    cpe:2.3:o:linux:linux_kernel:4.3.3
  • Linux Kernel 4.3.5
    cpe:2.3:o:linux:linux_kernel:4.3.5
  • Linux Kernel 4.3.6
    cpe:2.3:o:linux:linux_kernel:4.3.6
  • Linux Kernel 4.4 Release Candidate 8
    cpe:2.3:o:linux:linux_kernel:4.4:rc8
  • Linux Kernel 4.4.0
    cpe:2.3:o:linux:linux_kernel:4.4.0
  • Linux Kernel 4.4.1
    cpe:2.3:o:linux:linux_kernel:4.4.1
  • Linux Kernel 4.4.2
    cpe:2.3:o:linux:linux_kernel:4.4.2
  • Linux Kernel 4.4.22
    cpe:2.3:o:linux:linux_kernel:4.4.22
  • Linux Kernel 4.4.23
    cpe:2.3:o:linux:linux_kernel:4.4.23
  • Linux Kernel 4.4.24
    cpe:2.3:o:linux:linux_kernel:4.4.24
  • Linux Kernel 4.4.25
    cpe:2.3:o:linux:linux_kernel:4.4.25
  • Linux Kernel 4.4.26
    cpe:2.3:o:linux:linux_kernel:4.4.26
  • Linux Kernel 4.4.27
    cpe:2.3:o:linux:linux_kernel:4.4.27
  • Linux Kernel 4.4.28
    cpe:2.3:o:linux:linux_kernel:4.4.28
  • Linux Kernel 4.4.3
    cpe:2.3:o:linux:linux_kernel:4.4.3
  • Linux Kernel 4.4.32
    cpe:2.3:o:linux:linux_kernel:4.4.32
  • Linux Kernel 4.4.4
    cpe:2.3:o:linux:linux_kernel:4.4.4
  • Linux Kernel 4.4.5
    cpe:2.3:o:linux:linux_kernel:4.4.5
  • Linux Kernel 4.4.6
    cpe:2.3:o:linux:linux_kernel:4.4.6
  • Linux Kernel 4.4.7
    cpe:2.3:o:linux:linux_kernel:4.4.7
  • Linux Kernel 4.4.8
    cpe:2.3:o:linux:linux_kernel:4.4.8
  • Linux Kernel 4.4.9
    cpe:2.3:o:linux:linux_kernel:4.4.9
  • Linux Kernel 4.5.0
    cpe:2.3:o:linux:linux_kernel:4.5.0
  • Linux Kernel 4.5.0 Release Candidate 7
    cpe:2.3:o:linux:linux_kernel:4.5.0:rc7
  • Linux Kernel 4.5.1
    cpe:2.3:o:linux:linux_kernel:4.5.1
  • Linux Kernel 4.5.2
    cpe:2.3:o:linux:linux_kernel:4.5.2
  • Linux Kernel 4.5.3
    cpe:2.3:o:linux:linux_kernel:4.5.3
  • Linux Kernel 4.5.4
    cpe:2.3:o:linux:linux_kernel:4.5.4
  • Linux Kernel 4.5.5
    cpe:2.3:o:linux:linux_kernel:4.5.5
  • Linux Kernel 4.5.7
    cpe:2.3:o:linux:linux_kernel:4.5.7
  • Linux Kernel 4.6
    cpe:2.3:o:linux:linux_kernel:4.6
  • Linux Kernel 4.6.2
    cpe:2.3:o:linux:linux_kernel:4.6.2
  • Linux Kernel 4.6.3
    cpe:2.3:o:linux:linux_kernel:4.6.3
  • Linux Kernel 4.6.4
    cpe:2.3:o:linux:linux_kernel:4.6.4
  • Linux Kernel 4.6.5
    cpe:2.3:o:linux:linux_kernel:4.6.5
  • Linux Kernel 4.6.6
    cpe:2.3:o:linux:linux_kernel:4.6.6
  • Linux Kernel 4.6.7
    cpe:2.3:o:linux:linux_kernel:4.6.7
  • Linux Kernel 4.7
    cpe:2.3:o:linux:linux_kernel:4.7
  • Linux Kernel 4.7 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:4.7:rc6
  • Linux Kernel 4.7.4
    cpe:2.3:o:linux:linux_kernel:4.7.4
  • Linux Kernel 4.7.6
    cpe:2.3:o:linux:linux_kernel:4.7.6
  • Linux Kernel 4.8
    cpe:2.3:o:linux:linux_kernel:4.8
  • Linux Kernel 4.8.1
    cpe:2.3:o:linux:linux_kernel:4.8.1
  • Linux Kernel 4.8.10
    cpe:2.3:o:linux:linux_kernel:4.8.10
  • Linux Kernel 4.8.11
    cpe:2.3:o:linux:linux_kernel:4.8.11
  • Linux Kernel 4.8.12
    cpe:2.3:o:linux:linux_kernel:4.8.12
  • Linux Kernel 4.8.14
    cpe:2.3:o:linux:linux_kernel:4.8.14
  • Linux Kernel 4.8.16
    cpe:2.3:o:linux:linux_kernel:4.8.16
  • Linux Kernel 4.8.17
    cpe:2.3:o:linux:linux_kernel:4.8.17
  • Linux Kernel 4.8.2
    cpe:2.3:o:linux:linux_kernel:4.8.2
  • Linux Kernel 4.8.3
    cpe:2.3:o:linux:linux_kernel:4.8.3
  • Linux Kernel 4.8.4
    cpe:2.3:o:linux:linux_kernel:4.8.4
  • Linux Kernel 4.8.5
    cpe:2.3:o:linux:linux_kernel:4.8.5
  • Linux Kernel 4.8.6
    cpe:2.3:o:linux:linux_kernel:4.8.6
  • Linux Kernel 4.8.7
    cpe:2.3:o:linux:linux_kernel:4.8.7
  • Linux Kernel 4.8.8
    cpe:2.3:o:linux:linux_kernel:4.8.8
  • Linux Kernel 4.8.9
    cpe:2.3:o:linux:linux_kernel:4.8.9
  • Linux Kernel 4.9.2
    cpe:2.3:o:linux:linux_kernel:4.9.2
  • Linux Kernel 4.9.3
    cpe:2.3:o:linux:linux_kernel:4.9.3
  • Linux Kernel 4.9.1
    cpe:2.3:o:linux:linux_kernel:4.9.1
CVSS
Base: 4.6 (as of 31-03-2017 - 23:02)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3361-1.NASL
    description USN-3358-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Please note that this update changes the Linux HWE kernel to the 4.10 based kernel from Ubuntu 17.04, superseding the 4.8 based HWE kernel from Ubuntu 16.10. Ben Harris discovered that the Linux kernel would strip extended privilege attributes of files when performing a failed unprivileged system call. A local attacker could use this to cause a denial of service. (CVE-2015-1350) Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208) Peter Pi discovered that the colormap handling for frame buffer devices in the Linux kernel contained an integer overflow. A local attacker could use this to disclose sensitive information (kernel memory). (CVE-2016-8405) It was discovered that an integer overflow existed in the InfiniBand RDMA over ethernet (RXE) transport implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-8636) Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084) CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191) It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604) Dmitry Vyukov, Andrey Konovalov, Florian Westphal, and Eric Dumazet discovered that the netfiler subsystem in the Linux kernel mishandled IPv6 packet reassembly. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9755) Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS. (CVE-2017-2583) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory). (CVE-2017-2584) Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596) It was discovered that SELinux in the Linux kernel did not properly handle empty writes to /proc/pid/attr. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2618) Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2017-2671) It was discovered that the freelist-randomization in the SLAB memory allocator allowed duplicate freelist entries. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-5546) It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549) It was discovered that a fencepost error existed in the pipe_advance() function in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5550) It was discovered that the Linux kernel did not clear the setgid bit during a setxattr call on a tmpfs filesystem. A local attacker could use this to gain elevated group privileges. (CVE-2017-5551) Murray McAllister discovered that an integer overflow existed in the VideoCore DRM driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-5576) Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669) Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897) Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations. An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970) Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001) Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214) Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-6345) It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346) Andrey Konovalov discovered that the IP layer in the Linux kernel made improper assumptions about internal data layout when performing checksums. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6347) Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348) Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7187) It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261) It was discovered that the USB Cypress HID drivers for the Linux kernel did not properly validate reported information from the device. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-7273) Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472) It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616) Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618) Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645) Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889) Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895) It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924) It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion). (CVE-2017-8925) Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 101929
    published 2017-07-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101929
    title Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3361-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0145.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0145 for details.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 102774
    published 2017-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102774
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0145) (Stack Clash)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3597.NASL
    description Description of changes: [2.6.39-400.297.5.el6uek] - selinux: quiet the filesystem labeling behavior message (Paul Moore) [Orabug: 25721485] - RDS/IB: active bonding port state fix for intfs added late (Mukesh Kacker) [Orabug: 25875426] - HID: hid-cypress: validate length of report (Greg Kroah-Hartman) [Orabug: 25891914] {CVE-2017-7273} - udf: Remove repeated loads blocksize (Jan Kara) [Orabug: 25905722] {CVE-2015-4167} - udf: Check length of extended attributes and allocation descriptors (Jan Kara) [Orabug: 25905722] {CVE-2015-4167} - udf: Verify i_size when loading inode (Jan Kara) [Orabug: 25905722] {CVE-2015-4167} - btrfs: drop unused parameter from btrfs_item_nr (Ross Kirk) [Orabug: 25948102] {CVE-2014-9710} - Btrfs: cleanup of function where fixup_low_keys() is called (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710} - Btrfs: remove unused argument of fixup_low_keys() (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710} - Btrfs: remove unused argument of btrfs_extend_item() (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710} - Btrfs: add support for asserts (Josef Bacik) [Orabug: 25948102] {CVE-2014-9710} - Btrfs: make xattr replace operations atomic (Filipe Manana) [Orabug: 25948102] {CVE-2014-9710} - net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom (Al Viro) [Orabug: 25948149] {CVE-2015-2686} - xsigo: Compute node crash on FC failover (Joe Jin) [Orabug: 25965445] - PCI: Prevent VPD access for QLogic ISP2722 (Ethan Zhao) [Orabug: 25975513] - PCI: Prevent VPD access for buggy devices (Babu Moger) [Orabug: 25975513] - ipv4: try to cache dst_entries which would cause a redirect (Hannes Frederic Sowa) [Orabug: 26032377] {CVE-2015-1465}
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 102061
    published 2017-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102061
    title Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3597)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-922.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts. CVE-2016-2188 Ralf Spenneberg of OpenSource Security reported that the iowarrior device driver did not sufficiently validate USB descriptors. This allowed a physically present user with a specially designed USB device to cause a denial of service (crash). CVE-2016-9604 It was discovered that the keyring subsystem allowed a process to set a special internal keyring as its session keyring. The security impact in this version of the kernel is unknown. CVE-2016-10200 Baozeng Ding and Andrey Konovalov reported a race condition in the L2TP implementation which could corrupt its table of bound sockets. A local user could use this to cause a denial of service (crash) or possibly for privilege escalation. CVE-2017-2647 / CVE-2017-6951 idl3r reported that the keyring subsystem would allow a process to search for 'dead' keys, causing a NULL pointer dereference. A local user could use this to cause a denial of service (crash). CVE-2017-2671 Daniel Jiang discovered a race condition in the ping socket implementation. A local user with access to ping sockets could use this to cause a denial of service (crash) or possibly for privilege escalation. This feature is not accessible to any users by default. CVE-2017-5967 Xing Gao reported that the /proc/timer_list file showed information about all processes, not considering PID namespaces. If timer debugging was enabled by a privileged user, this leaked information to processes contained in PID namespaces. CVE-2017-5970 Andrey Konovalov discovered a denial of service flaw in the IPv4 networking code. This can be triggered by a local or remote attacker if a local UDP or raw socket has the IP_RETOPTS option enabled. CVE-2017-7184 Chaitin Security Research Lab discovered that the net xfrm subsystem did not sufficiently validate replay state parameters, allowing a heap buffer overflow. This can be used by a local user with the CAP_NET_ADMIN capability for privilege escalation. CVE-2017-7261 Vladis Dronov and Murray McAllister reported that the vmwgfx driver did not sufficiently validate rendering surface parameters. In a VMware guest, this can be used by a local user to cause a denial of service (crash). CVE-2017-7273 Benoit Camredon reported that the hid-cypress driver did not sufficiently validate HID reports. This possibly allowed a physically present user with a specially designed USB device to cause a denial of service (crash). CVE-2017-7294 Li Qiang reported that the vmwgfx driver did not sufficiently validate rendering surface parameters. In a VMware guest, this can be used by a local user to cause a denial of service (crash) or possibly for privilege escalation. CVE-2017-7308 Andrey Konovalov reported that the packet socket (AF_PACKET) implementation did not sufficiently validate buffer parameters. This can be used by a local user with the CAP_NET_RAW capability for privilege escalation. CVE-2017-7472 Eric Biggers reported that the keyring subsystem allowed a thread to create new thread keyrings repeatedly, causing a memory leak. This can be used by a local user to cause a denial of service (memory exhaustion). CVE-2017-7616 Chris Salls reported an information leak in the 32-bit big-endian compatibility implementations of set_mempolicy() and mbind(). This does not affect any architecture supported in Debian 7 LTS. CVE-2017-7618 Sabrina Dubroca reported that the cryptographic hash subsystem does not correctly handle submission of unaligned data to a device that is already busy, resulting in infinite recursion. On some systems this can be used by local users to cause a denial of service (crash). For Debian 7 'Wheezy', these problems have been fixed in version 3.2.88-1. This version also includes bug fixes from upstream version 3.2.88, and fixes some older security issues in the keyring, packet socket and cryptographic hash subsystems that do not have CVE IDs. For Debian 8 'Jessie', most of these problems have been fixed in version 3.16.43-1 which will be part of the next point release. We recommend that you upgrade your linux packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 99733
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99733
    title Debian DLA-922-1 : linux security update
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0126.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0126 for details.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 102064
    published 2017-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102064
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0126) (Stack Clash)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2019-13937-1.NASL
    description The SUSE Linux Enterprise 12 SP3 kernel was updated to 3.0.101 to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1108498). CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841). CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743). CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714). CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1118319). CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152). CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused (bnc#1113769). CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751). CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825). CVE-2017-7273: The cp_report_fixup function in drivers/hid/hid-cypress.c allowed physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report (bnc#1031240). CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674). CVE-2017-1000407: Fixed a denial of service, which was caused by flooding the diagnostic port 0x80 an exception leading to a kernel panic (bnc#1071021). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-30
    plugin id 121468
    published 2019-01-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121468
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2019:13937-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3595.NASL
    description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 102059
    published 2017-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102059
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3595) (Stack Clash)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-3746-1.NASL
    description The SUSE Linux Enterprise 11 SP4 kernel was updated to 3.0.101-108.81 to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-18281: An issue was discovered in the Linux kernel, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused (bnc#1113769). CVE-2018-18710: An issue was discovered in the Linux kernel, an information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751). CVE-2018-18386: drivers/tty/n_tty.c in the Linux kernel allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825). CVE-2017-7273: The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux kernel 4.x allowed physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report (bnc#1031240). CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674). CVE-2017-1000407: An denial of service issue was discovered in the Linux kernel, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic (bnc#1071021). CVE-2018-9516: An issue was discovered in the Linux kernel, the copy_to_user() inside the HID code does not correctly check the length before executing (bsc#1108498). CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely (bnc#1107829). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-13
    plugin id 118952
    published 2018-11-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118952
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2018:3746-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2018-0015.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0015 for details.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 106469
    published 2018-01-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106469
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0015) (BlueBorne) (Meltdown) (Spectre) (Stack Clash)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3609.NASL
    description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 102773
    published 2017-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102773
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3609) (Stack Clash)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3658.NASL
    description Description of changes: [2.6.39-400.298.1.el6uek] - ocfs2/dlm: ignore cleaning the migration mle that is inuse (xuejiufei) [Orabug: 23320090] - tty: Fix race in pty_write() leading to NULL deref (Todd Vierling) [Orabug: 24337879] - xen-netfront: cast grant table reference first to type int (Dongli Zhang) [Orabug: 25102637] - xen-netfront: do not cast grant table reference to signed short (Dongli Zhang) [Orabug: 25102637] - RDS: Print failed rdma op details if failure is remote access error (Rama Nichanamatlu) [Orabug: 25440316] - ping: implement proper locking (Eric Dumazet) [Orabug: 26540288] {CVE-2017-2671} - KEYS: fix dereferencing NULL payload with nonzero length (Eric Biggers) [Orabug: 26592013] - oracleasm: Copy the integrity descriptor (Martin K. Petersen) [Orabug: 26650039] - mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook) [Orabug: 26675934] {CVE-2017-7889} - fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE (Abhi Das) [Orabug: 26797307] - xscore: add dma address check (Zhu Yanjun) [Orabug: 27058559] - more bio_map_user_iov() leak fixes (Al Viro) [Orabug: 27069045] {CVE-2017-12190} - fix unbalanced page refcounting in bio_map_user_iov (Vitaly Mayatskikh) [Orabug: 27069045] {CVE-2017-12190} - xsigo: [backport] Fix race in freeing aged Forwarding tables (Pradeep Gopanapalli) [Orabug: 24823234] - ocfs2: fix deadlock issue when taking inode lock at vfs entry points (Eric Ren) [Orabug: 25671723] - ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock (Eric Ren) [Orabug: 25671723] - net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) [Orabug: 26143563] {CVE-2017-7308} - net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) [Orabug: 26143563] {CVE-2017-7308} - char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau) [Orabug: 26403941] {CVE-2017-1000363} - ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: Fix race between read and ioctl (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: fix NULL pointer dereference in read()/ioctl() race (Vegard Nossum) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: Fix race at concurrent reads (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: Fix race among timer ioctls (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben Hutchings) [Orabug: 26403974] {CVE-2017-9074} - ipv6: Check ip6_find_1stfragopt() return value properly. (David S. Miller) [Orabug: 26403974] {CVE-2017-9074} - ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) [Orabug: 26403974] {CVE-2017-9074} - ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) [Orabug: 26404007] {CVE-2017-9077} - aio: mark AIO pseudo-fs noexec (Jann Horn) [Orabug: 26643601] {CVE-2016-10044} - vfs: Commit to never having exectuables on proc and sysfs. (Eric W. Biederman) [Orabug: 26643601] {CVE-2016-10044} - vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun Heo) [Orabug: 26643601] {CVE-2016-10044} - x86/acpi: Prevent out of bound access caused by broken ACPI tables (Seunghun Han) [Orabug: 26643652] {CVE-2017-11473} - sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) [Orabug: 26650889] {CVE-2017-9075} - saa7164: fix double fetch PCIe access condition (Steven Toth) [Orabug: 26675148] {CVE-2017-8831} - saa7164: fix sparse warnings (Hans Verkuil) [Orabug: 26675148] {CVE-2017-8831} - saa7164: get rid of warning: no previous prototype (Mauro Carvalho Chehab) [Orabug: 26675148] {CVE-2017-8831} - [scsi] lpfc 8.3.44: Fix kernel panics from corrupted ndlp (James Smart) [Orabug: 26765341] - timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899791] {CVE-2017-10661} - scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (Xin Long) [Orabug: 26988628] {CVE-2017-14489} - mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang) [Orabug: 26643562] {CVE-2017-11176} - ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27011278] {CVE-2017-7542} - packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn) [Orabug: 27002453] {CVE-2017-1000111} - mlx4_core: calculate log_mtt based on total system memory (Wei Lin Guay) [Orabug: 26867355] - xen/x86: Add interface for querying amount of host memory (Boris Ostrovsky) [Orabug: 26867355] - fs/binfmt_elf.c: fix bug in loading of PIE binaries (Michael Davidson) [Orabug: 26870958] {CVE-2017-1000253} - Bluetooth: Properly check L2CAP config option output buffer length (Ben Seri) [Orabug: 26796428] {CVE-2017-1000251} - xen: fix bio vec merging (Roger Pau Monne) [Orabug: 26645562] {CVE-2017-12134} - fs/exec.c: account for argv/envp pointers (Kees Cook) [Orabug: 26638926] {CVE-2017-1000365} {CVE-2017-1000365} - l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume Nault) [Orabug: 26586050] {CVE-2016-10200} - xfs: fix two memory leaks in xfs_attr_list.c error paths (Mateusz Guzik) [Orabug: 26586024] {CVE-2016-9685} - KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings (David Howells) [Orabug: 26586002] {CVE-2016-9604} - ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet) [Orabug: 26578202] {CVE-2017-9242} - selinux: quiet the filesystem labeling behavior message (Paul Moore) [Orabug: 25721485] - RDS/IB: active bonding port state fix for intfs added late (Mukesh Kacker) [Orabug: 25875426] - HID: hid-cypress: validate length of report (Greg Kroah-Hartman) [Orabug: 25891914] {CVE-2017-7273} - udf: Remove repeated loads blocksize (Jan Kara) [Orabug: 25905722] {CVE-2015-4167} - udf: Check length of extended attributes and allocation descriptors (Jan Kara) [Orabug: 25905722] {CVE-2015-4167} - udf: Verify i_size when loading inode (Jan Kara) [Orabug: 25905722] {CVE-2015-4167} - btrfs: drop unused parameter from btrfs_item_nr (Ross Kirk) [Orabug: 25948102] {CVE-2014-9710} - Btrfs: cleanup of function where fixup_low_keys() is called (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710} - Btrfs: remove unused argument of fixup_low_keys() (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710} - Btrfs: remove unused argument of btrfs_extend_item() (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710} - Btrfs: add support for asserts (Josef Bacik) [Orabug: 25948102] {CVE-2014-9710} - Btrfs: make xattr replace operations atomic (Filipe Manana) [Orabug: 25948102] {CVE-2014-9710} - net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom (Al Viro) [Orabug: 25948149] {CVE-2015-2686} - xsigo: Compute node crash on FC failover (Joe Jin) [Orabug: 25965445] - PCI: Prevent VPD access for QLogic ISP2722 (Ethan Zhao) [Orabug: 25975513] - PCI: Prevent VPD access for buggy devices (Babu Moger) [Orabug: 25975513] - ipv4: try to cache dst_entries which would cause a redirect (Hannes Frederic Sowa) [Orabug: 26032377] {CVE-2015-1465} - mm: larger stack guard gap, between vmas (Hugh Dickins) [Orabug: 26326145] {CVE-2017-1000364} - nfsd: check for oversized NFSv2/v3 arguments (J. Bruce Fields) [Orabug: 26366024] {CVE-2017-7645} - dm mpath: allow ioctls to trigger pg init (Mikulas Patocka) [Orabug: 25645229] - xen/manage: Always freeze/thaw processes when suspend/resuming (Ross Lagerwall) [Orabug: 25795530] - lpfc cannot establish connection with targets that send PRLI under P2P mode (Joe Jin) [Orabug: 25955028]
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 105145
    published 2017-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105145
    title Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3658) (BlueBorne) (Stack Clash)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3406-1.NASL
    description It was discovered that an out of bounds read vulnerability existed in the associative array implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2016-7914) It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261) It was discovered that the USB Cypress HID drivers for the Linux kernel did not properly validate reported information from the device. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-7273) A reference count bug was discovered in the Linux kernel ipx protocol stack. A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487) Huang Weller discovered that the ext4 filesystem implementation in the Linux kernel mishandled a needs-flushing-before-commit list. A local attacker could use this to expose sensitive information. (CVE-2017-7495) It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 102820
    published 2017-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102820
    title Ubuntu 14.04 LTS : linux vulnerabilities (USN-3406-1)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL22012502.NASL
    description The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux kernel 4.x before 4.9.4 allows physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report. (CVE-2017-7273)
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 99641
    published 2017-04-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99641
    title F5 Networks BIG-IP : Linux kernel vulnerability (K22012502)
refmap via4
bid 97190
confirm
Last major update 03-04-2017 - 10:07
Published 27-03-2017 - 13:59
Back to Top