ID CVE-2017-7558
Summary A kernel data leak due to an out-of-bounds read was found in the Linux kernel in the inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions, present since version 4.7-rc1 through version 4.13. The data leak happens when these functions fill in the sockaddr data structures used to export a socket's diagnostic information. As a result, up to 100 bytes of slab data could be leaked to userspace.
References
Vulnerable Configurations
  • Linux Kernel 4.7
    cpe:2.3:o:linux:linux_kernel:4.7
  • Linux Kernel 4.7 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:4.7:rc1
  • Linux Kernel 4.7 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:4.7:rc2
  • Linux Kernel 4.7 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:4.7:rc3
  • Linux Kernel 4.7 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:4.7:rc4
  • Linux Kernel 4.7 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:4.7:rc5
  • Linux Kernel 4.7 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:4.7:rc6
  • Linux Kernel 4.7 Release Candidate 7
    cpe:2.3:o:linux:linux_kernel:4.7:rc7
  • Linux Kernel 4.7.1
    cpe:2.3:o:linux:linux_kernel:4.7.1
  • Linux Kernel 4.7.2
    cpe:2.3:o:linux:linux_kernel:4.7.2
  • Linux Kernel 4.7.3
    cpe:2.3:o:linux:linux_kernel:4.7.3
  • Linux Kernel 4.7.4
    cpe:2.3:o:linux:linux_kernel:4.7.4
  • Linux Kernel 4.7.5
    cpe:2.3:o:linux:linux_kernel:4.7.5
  • Linux Kernel 4.7.6
    cpe:2.3:o:linux:linux_kernel:4.7.6
  • Linux Kernel 4.7.7
    cpe:2.3:o:linux:linux_kernel:4.7.7
  • Linux Kernel 4.7.8
    cpe:2.3:o:linux:linux_kernel:4.7.8
  • Linux Kernel 4.7.9
    cpe:2.3:o:linux:linux_kernel:4.7.9
  • Linux Kernel 4.7.10
    cpe:2.3:o:linux:linux_kernel:4.7.10
  • Linux Kernel 4.8
    cpe:2.3:o:linux:linux_kernel:4.8
  • Linux Kernel 4.8.1
    cpe:2.3:o:linux:linux_kernel:4.8.1
  • Linux Kernel 4.8.2
    cpe:2.3:o:linux:linux_kernel:4.8.2
  • Linux Kernel 4.8.3
    cpe:2.3:o:linux:linux_kernel:4.8.3
  • Linux Kernel 4.8.4
    cpe:2.3:o:linux:linux_kernel:4.8.4
  • Linux Kernel 4.8.5
    cpe:2.3:o:linux:linux_kernel:4.8.5
  • Linux Kernel 4.8.6
    cpe:2.3:o:linux:linux_kernel:4.8.6
  • Linux Kernel 4.8.7
    cpe:2.3:o:linux:linux_kernel:4.8.7
  • Linux Kernel 4.8.8
    cpe:2.3:o:linux:linux_kernel:4.8.8
  • Linux Kernel 4.8.9
    cpe:2.3:o:linux:linux_kernel:4.8.9
  • Linux Kernel 4.8.10
    cpe:2.3:o:linux:linux_kernel:4.8.10
  • Linux Kernel 4.8.11
    cpe:2.3:o:linux:linux_kernel:4.8.11
  • Linux Kernel 4.8.12
    cpe:2.3:o:linux:linux_kernel:4.8.12
  • Linux Kernel 4.8.13
    cpe:2.3:o:linux:linux_kernel:4.8.13
  • Linux Kernel 4.8.14
    cpe:2.3:o:linux:linux_kernel:4.8.14
  • Linux Kernel 4.8.15
    cpe:2.3:o:linux:linux_kernel:4.8.15
  • Linux Kernel 4.8.16
    cpe:2.3:o:linux:linux_kernel:4.8.16
  • Linux Kernel 4.8.17
    cpe:2.3:o:linux:linux_kernel:4.8.17
  • Linux Kernel 4.9
    cpe:2.3:o:linux:linux_kernel:4.9
  • Linux Kernel 4.9.1
    cpe:2.3:o:linux:linux_kernel:4.9.1
  • Linux Kernel 4.9.2
    cpe:2.3:o:linux:linux_kernel:4.9.2
  • Linux Kernel 4.9.3
    cpe:2.3:o:linux:linux_kernel:4.9.3
  • Linux Kernel 4.9.4
    cpe:2.3:o:linux:linux_kernel:4.9.4
  • Linux Kernel 4.9.5
    cpe:2.3:o:linux:linux_kernel:4.9.5
  • Linux Kernel 4.9.6
    cpe:2.3:o:linux:linux_kernel:4.9.6
  • Linux Kernel 4.9.7
    cpe:2.3:o:linux:linux_kernel:4.9.7
  • Linux Kernel 4.9.8
    cpe:2.3:o:linux:linux_kernel:4.9.8
  • Linux Kernel 4.9.9
    cpe:2.3:o:linux:linux_kernel:4.9.9
  • Linux Kernel 4.9.10
    cpe:2.3:o:linux:linux_kernel:4.9.10
  • Linux Kernel 4.9.11
    cpe:2.3:o:linux:linux_kernel:4.9.11
  • Linux Kernel 4.9.12
    cpe:2.3:o:linux:linux_kernel:4.9.12
  • Linux Kernel 4.9.13
    cpe:2.3:o:linux:linux_kernel:4.9.13
  • Linux Kernel 4.9.14
    cpe:2.3:o:linux:linux_kernel:4.9.14
  • Linux Kernel 4.9.15
    cpe:2.3:o:linux:linux_kernel:4.9.15
  • Linux Kernel 4.9.16
    cpe:2.3:o:linux:linux_kernel:4.9.16
  • Linux Kernel 4.9.17
    cpe:2.3:o:linux:linux_kernel:4.9.17
  • Linux Kernel 4.9.18
    cpe:2.3:o:linux:linux_kernel:4.9.18
  • Linux Kernel 4.9.19
    cpe:2.3:o:linux:linux_kernel:4.9.19
  • Linux Kernel 4.9.20
    cpe:2.3:o:linux:linux_kernel:4.9.20
  • Linux Kernel 4.9.21
    cpe:2.3:o:linux:linux_kernel:4.9.21
  • Linux Kernel 4.9.22
    cpe:2.3:o:linux:linux_kernel:4.9.22
  • Linux Kernel 4.9.23
    cpe:2.3:o:linux:linux_kernel:4.9.23
  • Linux Kernel 4.9.24
    cpe:2.3:o:linux:linux_kernel:4.9.24
  • Linux Kernel 4.9.25
    cpe:2.3:o:linux:linux_kernel:4.9.25
  • Linux Kernel 4.9.26
    cpe:2.3:o:linux:linux_kernel:4.9.26
  • Linux Kernel 4.9.27
    cpe:2.3:o:linux:linux_kernel:4.9.27
  • Linux Kernel 4.9.28
    cpe:2.3:o:linux:linux_kernel:4.9.28
  • Linux Kernel 4.9.29
    cpe:2.3:o:linux:linux_kernel:4.9.29
  • Linux Kernel 4.9.30
    cpe:2.3:o:linux:linux_kernel:4.9.30
  • Linux Kernel 4.9.31
    cpe:2.3:o:linux:linux_kernel:4.9.31
  • Linux Kernel 4.9.32
    cpe:2.3:o:linux:linux_kernel:4.9.32
  • Linux Kernel 4.9.33
    cpe:2.3:o:linux:linux_kernel:4.9.33
  • Linux Kernel 4.9.34
    cpe:2.3:o:linux:linux_kernel:4.9.34
  • Linux Kernel 4.9.35
    cpe:2.3:o:linux:linux_kernel:4.9.35
  • Linux Kernel 4.9.36
    cpe:2.3:o:linux:linux_kernel:4.9.36
  • Linux Kernel 4.9.37
    cpe:2.3:o:linux:linux_kernel:4.9.37
  • Linux Kernel 4.9.38
    cpe:2.3:o:linux:linux_kernel:4.9.38
  • Linux Kernel 4.9.39
    cpe:2.3:o:linux:linux_kernel:4.9.39
  • Linux Kernel 4.9.40
    cpe:2.3:o:linux:linux_kernel:4.9.40
  • Linux Kernel 4.9.41
    cpe:2.3:o:linux:linux_kernel:4.9.41
  • Linux Kernel 4.9.42
    cpe:2.3:o:linux:linux_kernel:4.9.42
  • Linux Kernel 4.9.43
    cpe:2.3:o:linux:linux_kernel:4.9.43
  • Linux Kernel 4.9.44
    cpe:2.3:o:linux:linux_kernel:4.9.44
  • Linux Kernel 4.9.45
    cpe:2.3:o:linux:linux_kernel:4.9.45
  • Linux Kernel 4.9.46
    cpe:2.3:o:linux:linux_kernel:4.9.46
  • Linux Kernel 4.9.47
    cpe:2.3:o:linux:linux_kernel:4.9.47
  • Linux Kernel 4.9.48
    cpe:2.3:o:linux:linux_kernel:4.9.48
  • Linux Kernel 4.9.49
    cpe:2.3:o:linux:linux_kernel:4.9.49
  • Linux Kernel 4.9.50
    cpe:2.3:o:linux:linux_kernel:4.9.50
  • Linux Kernel 4.9.51
    cpe:2.3:o:linux:linux_kernel:4.9.51
  • Linux Kernel 4.9.52
    cpe:2.3:o:linux:linux_kernel:4.9.52
  • Linux Kernel 4.9.53
    cpe:2.3:o:linux:linux_kernel:4.9.53
  • Linux Kernel 4.9.54
    cpe:2.3:o:linux:linux_kernel:4.9.54
  • Linux Kernel 4.9.55
    cpe:2.3:o:linux:linux_kernel:4.9.55
  • Linux Kernel 4.9.56
    cpe:2.3:o:linux:linux_kernel:4.9.56
  • Linux Kernel 4.9.57
    cpe:2.3:o:linux:linux_kernel:4.9.57
  • Linux Kernel 4.9.58
    cpe:2.3:o:linux:linux_kernel:4.9.58
  • Linux Kernel 4.9.59
    cpe:2.3:o:linux:linux_kernel:4.9.59
  • Linux Kernel 4.9.60
    cpe:2.3:o:linux:linux_kernel:4.9.60
  • Linux Kernel 4.9.61
    cpe:2.3:o:linux:linux_kernel:4.9.61
  • Linux Kernel 4.9.62
    cpe:2.3:o:linux:linux_kernel:4.9.62
  • Linux Kernel 4.9.63
    cpe:2.3:o:linux:linux_kernel:4.9.63
  • Linux Kernel 4.9.64
    cpe:2.3:o:linux:linux_kernel:4.9.64
  • Linux Kernel 4.9.65
    cpe:2.3:o:linux:linux_kernel:4.9.65
  • Linux Kernel 4.9.66
    cpe:2.3:o:linux:linux_kernel:4.9.66
  • Linux Kernel 4.9.67
    cpe:2.3:o:linux:linux_kernel:4.9.67
  • Linux Kernel 4.9.68
    cpe:2.3:o:linux:linux_kernel:4.9.68
  • Linux Kernel 4.9.69
    cpe:2.3:o:linux:linux_kernel:4.9.69
  • Linux Kernel 4.9.70
    cpe:2.3:o:linux:linux_kernel:4.9.70
  • Linux Kernel 4.9.71
    cpe:2.3:o:linux:linux_kernel:4.9.71
  • Linux Kernel 4.9.72
    cpe:2.3:o:linux:linux_kernel:4.9.72
  • Linux Kernel 4.9.73
    cpe:2.3:o:linux:linux_kernel:4.9.73
  • Linux Kernel 4.9.74
    cpe:2.3:o:linux:linux_kernel:4.9.74
  • Linux Kernel 4.9.75
    cpe:2.3:o:linux:linux_kernel:4.9.75
  • Linux Kernel 4.9.76
    cpe:2.3:o:linux:linux_kernel:4.9.76
  • Linux Kernel 4.9.77
    cpe:2.3:o:linux:linux_kernel:4.9.77
  • Linux Kernel 4.9.78
    cpe:2.3:o:linux:linux_kernel:4.9.78
  • Linux Kernel 4.9.79
    cpe:2.3:o:linux:linux_kernel:4.9.79
  • Linux Kernel 4.9.80
    cpe:2.3:o:linux:linux_kernel:4.9.80
  • Linux Kernel 4.9.81
    cpe:2.3:o:linux:linux_kernel:4.9.81
  • Linux Kernel 4.9.82
    cpe:2.3:o:linux:linux_kernel:4.9.82
  • Linux Kernel 4.9.83
    cpe:2.3:o:linux:linux_kernel:4.9.83
  • Linux Kernel 4.9.84
    cpe:2.3:o:linux:linux_kernel:4.9.84
  • Linux Kernel 4.9.85
    cpe:2.3:o:linux:linux_kernel:4.9.85
  • Linux Kernel 4.9.86
    cpe:2.3:o:linux:linux_kernel:4.9.86
  • Linux Kernel 4.9.87
    cpe:2.3:o:linux:linux_kernel:4.9.87
  • Linux Kernel 4.9.88
    cpe:2.3:o:linux:linux_kernel:4.9.88
  • Linux Kernel 4.9.89
    cpe:2.3:o:linux:linux_kernel:4.9.89
  • Linux Kernel 4.9.90
    cpe:2.3:o:linux:linux_kernel:4.9.90
  • Linux Kernel 4.9.91
    cpe:2.3:o:linux:linux_kernel:4.9.91
  • Linux Kernel 4.9.92
    cpe:2.3:o:linux:linux_kernel:4.9.92
  • Linux Kernel 4.9.93
    cpe:2.3:o:linux:linux_kernel:4.9.93
  • Linux Kernel 4.9.94
    cpe:2.3:o:linux:linux_kernel:4.9.94
  • Linux Kernel 4.9.95
    cpe:2.3:o:linux:linux_kernel:4.9.95
  • Linux Kernel 4.9.96
    cpe:2.3:o:linux:linux_kernel:4.9.96
  • Linux Kernel 4.9.97
    cpe:2.3:o:linux:linux_kernel:4.9.97
  • Linux Kernel 4.9.98
    cpe:2.3:o:linux:linux_kernel:4.9.98
  • Linux Kernel 4.9.99
    cpe:2.3:o:linux:linux_kernel:4.9.99
  • Linux Kernel 4.9.100
    cpe:2.3:o:linux:linux_kernel:4.9.100
  • Linux Kernel 4.9.101
    cpe:2.3:o:linux:linux_kernel:4.9.101
  • Linux Kernel 4.9.102
    cpe:2.3:o:linux:linux_kernel:4.9.102
  • Linux Kernel 4.9.103
    cpe:2.3:o:linux:linux_kernel:4.9.103
  • Linux Kernel 4.9.104
    cpe:2.3:o:linux:linux_kernel:4.9.104
  • Linux Kernel 4.9.105
    cpe:2.3:o:linux:linux_kernel:4.9.105
  • Linux Kernel 4.9.106
    cpe:2.3:o:linux:linux_kernel:4.9.106
  • Linux Kernel 4.9.107
    cpe:2.3:o:linux:linux_kernel:4.9.107
  • Linux Kernel 4.9.108
    cpe:2.3:o:linux:linux_kernel:4.9.108
  • Linux Kernel 4.9.109
    cpe:2.3:o:linux:linux_kernel:4.9.109
  • Linux Kernel 4.9.110
    cpe:2.3:o:linux:linux_kernel:4.9.110
  • Linux Kernel 4.9.111
    cpe:2.3:o:linux:linux_kernel:4.9.111
  • Linux Kernel 4.10
    cpe:2.3:o:linux:linux_kernel:4.10
  • Linux Kernel 4.10.1
    cpe:2.3:o:linux:linux_kernel:4.10.1
  • Linux Kernel 4.10.2
    cpe:2.3:o:linux:linux_kernel:4.10.2
  • Linux Kernel 4.10.3
    cpe:2.3:o:linux:linux_kernel:4.10.3
  • Linux Kernel 4.10.4
    cpe:2.3:o:linux:linux_kernel:4.10.4
  • Linux Kernel 4.10.5
    cpe:2.3:o:linux:linux_kernel:4.10.5
  • Linux Kernel 4.10.6
    cpe:2.3:o:linux:linux_kernel:4.10.6
  • Linux Kernel 4.10.7
    cpe:2.3:o:linux:linux_kernel:4.10.7
  • Linux Kernel 4.10.8
    cpe:2.3:o:linux:linux_kernel:4.10.8
  • Linux Kernel 4.10.9
    cpe:2.3:o:linux:linux_kernel:4.10.9
  • Linux Kernel 4.10.10
    cpe:2.3:o:linux:linux_kernel:4.10.10
  • Linux Kernel 4.10.11
    cpe:2.3:o:linux:linux_kernel:4.10.11
  • Linux Kernel 4.10.12
    cpe:2.3:o:linux:linux_kernel:4.10.12
  • Linux Kernel 4.10.13
    cpe:2.3:o:linux:linux_kernel:4.10.13
  • Linux Kernel 4.10.14
    cpe:2.3:o:linux:linux_kernel:4.10.14
  • Linux Kernel 4.10.15
    cpe:2.3:o:linux:linux_kernel:4.10.15
  • Linux Kernel 4.10.16
    cpe:2.3:o:linux:linux_kernel:4.10.16
  • Linux Kernel 4.10.17
    cpe:2.3:o:linux:linux_kernel:4.10.17
  • Linux Kernel 4.11
    cpe:2.3:o:linux:linux_kernel:4.11
  • Linux Kernel 4.11 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:4.11:rc1
  • Linux Kernel 4.11 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:4.11:rc2
  • Linux Kernel 4.11 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:4.11:rc3
  • Linux Kernel 4.11 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:4.11:rc4
  • Linux Kernel 4.11 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:4.11:rc5
  • Linux Kernel 4.11 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:4.11:rc6
  • Linux Kernel 4.11 Release Candidate 7
    cpe:2.3:o:linux:linux_kernel:4.11:rc7
  • Linux Kernel 4.11.1
    cpe:2.3:o:linux:linux_kernel:4.11.1
  • Linux Kernel 4.11.2
    cpe:2.3:o:linux:linux_kernel:4.11.2
  • Linux Kernel 4.11.3
    cpe:2.3:o:linux:linux_kernel:4.11.3
  • Linux Kernel 4.11.4
    cpe:2.3:o:linux:linux_kernel:4.11.4
  • Linux Kernel 4.11.5
    cpe:2.3:o:linux:linux_kernel:4.11.5
  • Linux Kernel 4.11.6
    cpe:2.3:o:linux:linux_kernel:4.11.6
  • Linux Kernel 4.11.7
    cpe:2.3:o:linux:linux_kernel:4.11.7
  • Linux Kernel 4.11.8
    cpe:2.3:o:linux:linux_kernel:4.11.8
  • Linux Kernel 4.11.9
    cpe:2.3:o:linux:linux_kernel:4.11.9
  • Linux Kernel 4.11.10
    cpe:2.3:o:linux:linux_kernel:4.11.10
  • Linux Kernel 4.11.11
    cpe:2.3:o:linux:linux_kernel:4.11.11
  • Linux Kernel 4.11.12
    cpe:2.3:o:linux:linux_kernel:4.11.12
  • Linux Kernel 4.12
    cpe:2.3:o:linux:linux_kernel:4.12
  • Linux Kernel 4.12.1
    cpe:2.3:o:linux:linux_kernel:4.12.1
  • Linux Kernel 4.12.2
    cpe:2.3:o:linux:linux_kernel:4.12.2
  • Linux Kernel 4.12.3
    cpe:2.3:o:linux:linux_kernel:4.12.3
  • Linux Kernel 4.12.4
    cpe:2.3:o:linux:linux_kernel:4.12.4
  • Linux Kernel 4.12.5
    cpe:2.3:o:linux:linux_kernel:4.12.5
  • Linux Kernel 4.12.6
    cpe:2.3:o:linux:linux_kernel:4.12.6
  • Linux Kernel 4.12.7
    cpe:2.3:o:linux:linux_kernel:4.12.7
  • Linux Kernel 4.12.8
    cpe:2.3:o:linux:linux_kernel:4.12.8
  • Linux Kernel 4.12.9
    cpe:2.3:o:linux:linux_kernel:4.12.9
  • Linux Kernel 4.12.10
    cpe:2.3:o:linux:linux_kernel:4.12.10
  • Linux Kernel 4.12.11
    cpe:2.3:o:linux:linux_kernel:4.12.11
  • Linux Kernel 4.12.12
    cpe:2.3:o:linux:linux_kernel:4.12.12
  • Linux Kernel 4.12.13
    cpe:2.3:o:linux:linux_kernel:4.12.13
  • Linux Kernel 4.12.14
    cpe:2.3:o:linux:linux_kernel:4.12.14
  • Linux Kernel 4.13
    cpe:2.3:o:linux:linux_kernel:4.13
  • Linux Kernel 4.13 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:4.13:rc1
  • Linux Kernel 4.13 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:4.13:rc2
  • Linux Kernel 4.13 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:4.13:rc3
  • Linux Kernel 4.13 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:4.13:rc4
  • Linux Kernel 4.13 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:4.13:rc5
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
CVSS
Base: 5.0
Impact:
Exploitability:
CWE CWE-125
CAPEC
  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
nessus via4
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-901.NASL
    description A buffer overflow was discovered in the tpacket_rcv() function in the Linux kernel since v4.6-rc1 through v4.13. A number of socket-related syscalls can be made to set up a configuration in which each packet received by a network interface can cause up to 10 bytes to be written to kernel memory outside of a kernel buffer. This can cause unspecified kernel data corruption effects, including damage to in-memory and on-disk XFS data. (CVE-2017-14497) A kernel data leak due to an out-of-bounds read was found in the Linux kernel in the inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions, present since version 4.7-rc1 through version 4.13. The data leak happens when these functions fill in the sockaddr data structures used to export a socket's diagnostic information. As a result, up to 100 bytes of slab data could be leaked to userspace. (CVE-2017-7558)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 103653
    published 2017-10-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103653
    title Amazon Linux AMI : kernel (ALAS-2017-901)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-2930-1.NASL
    description Description of changes:
      [3.10.0-693.5.2.0.1.el7.OL7]
      - [ipc] ipc/sem.c: bugfix for semctl(,,GETZCNT) (Manfred Spraul) [orabug 22552377]
      - Oracle Linux certificates (Alexey Petrenko)
      - Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(alexey.petrenko at oracle.com)
      - Update x509.genkey [bug 24817676]
      [3.10.0-693.5.2.el7]
      - [mm] page_cgroup: Fix Kernel bug during boot with memory cgroups enabled (Larry Woodman) [1491970 1483747]
      - Revert: [mm] Fix Kernel bug during boot with memory cgroups enabled (Larry Woodman) [1491970 1483747]
      [3.10.0-693.5.1.el7]
      - [netdrv] i40e: point wb_desc at the nvm_wb_desc during i40e_read_nvm_aq (Stefan Assmann) [1491972 1484232]
      - [netdrv] i40e: avoid NVM acquire deadlock during NVM update (Stefan Assmann) [1491972 1484232]
      - [mm] Fix Kernel bug during boot with memory cgroups enabled (Larry Woodman) [1491970 1483747]
      - [fs] nfsv4: Ensure we don't re-test revoked and freed stateids (Dave Wysochanski) [1491969 1459733]
      - [netdrv] bonding: commit link status change after propose (Jarod Wilson) [1491121 1469790]
      - [mm] page_alloc: ratelimit PFNs busy info message (Jonathan Toppins) [1491120 1383179]
      - [netdrv] cxgb4: avoid crash on PCI error recovery path (Gustavo Duarte) [1489872 1456990]
      - [scsi] Add STARGET_CREATED_REMOVE state to scsi_target_state (Ewan Milne) [1489814 1468727]
      - [net] tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Davide Caratti) [1488341 1487061] {CVE-2017-14106}
      - [net] tcp: fix 0 divide in __tcp_select_window() (Davide Caratti) [1488341 1487061] {CVE-2017-14106}
      - [net] sctp: Avoid out-of-bounds reads from address storage (Stefano Brivio) [1484356 1484355] {CVE-2017-7558}
      - [net] udp: consistently apply ufo or fragmentation (Davide Caratti) [1481530 1481535] {CVE-2017-1000112}
      - [net] udp: account for current skb length when deciding about UFO (Davide Caratti) [1481530 1481535] {CVE-2017-1000112}
      - [net] ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output (Davide Caratti) [1481530 1481535] {CVE-2017-1000112}
      - [net] udp: avoid ufo handling on IP payload compression packets (Stefano Brivio) [1490263 1464161]
      - [pci] hv: Use vPCI protocol version 1.2 (Vitaly Kuznetsov) [1478256 1459202]
      - [pci] hv: Add vPCI version protocol negotiation (Vitaly Kuznetsov) [1478256 1459202]
      - [pci] hv: Use page allocation for hbus structure (Vitaly Kuznetsov) [1478256 1459202]
      - [pci] hv: Fix comment formatting and use proper integer fields (Vitaly Kuznetsov) [1478256 1459202]
      - [net] ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() (Stefano Brivio) [1477007 1477010] {CVE-2017-7542}
      - [net] ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [1477007 1477010] {CVE-2017-7542}
      - [net] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (Hannes Frederic Sowa) [1435672 1435670] {CVE-2017-7184}
      - [net] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window (Hannes Frederic Sowa) [1435672 1435670] {CVE-2017-7184}
      - [net] l2cap: prevent stack overflow on incoming bluetooth packet (Neil Horman) [1489788 1489789] {CVE-2017-1000251}
      [3.10.0-693.4.1.el7]
      - [fs] nfsv4: Add missing nfs_put_lock_context() (Benjamin Coddington) [1487271 1476826]
      - [fs] nfs: discard nfs_lockowner structure (Benjamin Coddington) [1487271 1476826]
      - [fs] nfsv4: enhance nfs4_copy_lock_stateid to use a flock stateid if there is one (Benjamin Coddington) [1487271 1476826]
      - [fs] nfsv4: change nfs4_select_rw_stateid to take a lock_context inplace of lock_owner (Benjamin Coddington) [1487271 1476826]
      - [fs] nfsv4: change nfs4_do_setattr to take an open_context instead of a nfs4_state (Benjamin Coddington) [1487271 1476826]
      - [fs] nfsv4: add flock_owner to open context (Benjamin Coddington) [1487271 1476826]
      - [fs] nfs: remove l_pid field from nfs_lockowner (Benjamin Coddington) [1487271 1476826]
      - [x86] platform/uv/bau: Disable BAU on single hub configurations (Frank Ramsay) [1487159 1487160 1472455 1473353]
      - [x86] platform/uv/bau: Fix congested_response_us not taking effect (Frank Ramsay) [1487159 1472455]
      - [fs] cifs: Disable encryption capability for RHEL 7.4 kernel (Sachin Prabhu) [1485445 1485445]
      - [fs] sunrpc: Handle EADDRNOTAVAIL on connection failures (Dave Wysochanski) [1484269 1479043]
      - [fs] include/linux/printk.h: include pr_fmt in pr_debug_ratelimited (Sachin Prabhu) [1484267 1472823]
      - [fs] printk: pr_debug_ratelimited: check state first to reduce 'callbacks suppressed' messages (Sachin Prabhu) [1484267 1472823]
      - [net] packet: fix tp_reserve race in packet_set_ring (Stefano Brivio) [1481938 1481940] {CVE-2017-1000111}
      - [fs] proc: revert /proc//maps [stack:TID] annotation (Waiman Long) [1481724 1448534]
      - [net] ping: check minimum size on ICMP header length (Matteo Croce) [1481578 1481573] {CVE-2016-8399}
      - [ipc] mqueue: fix a use-after-free in sys_mq_notify() (Davide Caratti) [1476128 1476126] {CVE-2017-11176}
      - [netdrv] brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (Stanislaw Gruszka) [1474778 1474784] {CVE-2017-7541}
      [3.10.0-693.3.1.el7]
      - [block] blk-mq-tag: fix wakeup hang after tag resize (Ming Lei) [1487281 1472434]
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 104088
    published 2017-10-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104088
    title Oracle Linux 7 : kernel (ELSA-2017-2930-1) (BlueBorne)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-4B4C022807.NASL
    description The 4.12.9 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-27
    plugin id 102895
    published 2017-09-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102895
    title Fedora 25 : kernel (2017-4b4c022807)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-78C4C71539.NASL
    description The 4.12.9 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-27
    plugin id 102898
    published 2017-09-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102898
    title Fedora 26 : kernel (2017-78c4c71539)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3981.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks.
      - CVE-2017-7518 Andy Lutomirski discovered that KVM is prone to an incorrect debug exception (#DB) error occurring while emulating a syscall instruction. A process inside a guest can take advantage of this flaw for privilege escalation inside a guest.
      - CVE-2017-7558 (stretch only) Stefano Brivio of Red Hat discovered that the SCTP subsystem is prone to a data leak vulnerability due to an out-of-bounds read flaw, allowing up to 100 uninitialized bytes to be leaked to userspace.
      - CVE-2017-10661 (jessie only) Dmitry Vyukov of Google reported that the timerfd facility does not properly handle certain concurrent operations on a single file descriptor. This allows a local attacker to cause a denial of service or potentially execute arbitrary code.
      - CVE-2017-11600 Bo Zhang reported that the xfrm subsystem does not properly validate one of the parameters to a netlink message. Local users with the CAP_NET_ADMIN capability can use this to cause a denial of service or potentially to execute arbitrary code.
      - CVE-2017-12134 / #866511 / XSA-229 Jan H. Schoenherr of Amazon discovered that when Linux is running in a Xen PV domain on an x86 system, it may incorrectly merge block I/O requests. A buggy or malicious guest may trigger this bug in dom0 or a PV driver domain, causing a denial of service or potentially execution of arbitrary code. This issue can be mitigated by disabling merges on the underlying back-end block devices, e.g.: echo 2 > /sys/block/nvme0n1/queue/nomerges
      - CVE-2017-12146 (stretch only) Adrian Salido of Google reported a race condition in access to the 'driver_override' attribute for platform devices in sysfs. If unprivileged users are permitted to access this attribute, this might allow them to gain privileges.
      - CVE-2017-12153 Bo Zhang reported that the cfg80211 (wifi) subsystem does not properly validate the parameters to a netlink message. Local users with the CAP_NET_ADMIN capability (in any user namespace with a wifi device) can use this to cause a denial of service.
      - CVE-2017-12154 Jim Mattson of Google reported that the KVM implementation for Intel x86 processors did not correctly handle certain nested hypervisor configurations. A malicious guest (or nested guest in a suitable L1 hypervisor) could use this for denial of service.
      - CVE-2017-14106 Andrey Konovalov discovered that a user-triggerable division by zero in the tcp_disconnect() function could result in local denial of service.
      - CVE-2017-14140 Otto Ebeling reported that the move_pages() system call performed insufficient validation of the UIDs of the calling and target processes, resulting in a partial ASLR bypass. This made it easier for local users to exploit vulnerabilities in programs installed with the set-UID permission bit set.
      - CVE-2017-14156 'sohu0106' reported an information leak in the atyfb video driver. A local user with access to a framebuffer device handled by this driver could use this to obtain sensitive information.
      - CVE-2017-14340 Richard Wareing discovered that the XFS implementation allows the creation of files with the 'realtime' flag on a filesystem with no realtime device, which can result in a crash (oops). A local user with access to an XFS filesystem that does not have a realtime device can use this for denial of service.
      - CVE-2017-14489 ChunYu Wang of Red Hat discovered that the iSCSI subsystem does not properly validate the length of a netlink message, leading to memory corruption. A local user with permission to manage iSCSI devices can use this for denial of service or possibly to execute arbitrary code.
      - CVE-2017-14497 (stretch only) Benjamin Poirier of SUSE reported that vnet headers are not properly handled within the tpacket_rcv() function in the raw packet (af_packet) feature. A local user with the CAP_NET_RAW capability can take advantage of this flaw to cause a denial of service (buffer overflow, and disk and memory corruption) or have other impact.
      - CVE-2017-1000111 Andrey Konovalov of Google reported a race condition in the raw packet (af_packet) feature. Local users with the CAP_NET_RAW capability can use this for denial of service or possibly to execute arbitrary code.
      - CVE-2017-1000112 Andrey Konovalov of Google reported a race condition flaw in the UDP Fragmentation Offload (UFO) code. A local user can use this flaw for denial of service or possibly to execute arbitrary code.
      - CVE-2017-1000251 / #875881 Armis Labs discovered that the Bluetooth subsystem does not properly validate L2CAP configuration responses, leading to a stack-based buffer overflow. This is one of several vulnerabilities dubbed 'Blueborne'. A nearby attacker can use this to cause a denial of service or possibly to execute arbitrary code on a system with Bluetooth enabled.
      - CVE-2017-1000252 (stretch only) Jan H. Schoenherr of Amazon reported that the KVM implementation for Intel x86 processors did not correctly validate interrupt injection requests. A local user with permission to use KVM could use this for denial of service.
      - CVE-2017-1000370 The Qualys Research Labs reported that a large argument or environment list can result in ASLR bypass for 32-bit PIE binaries.
      - CVE-2017-1000371 The Qualys Research Labs reported that a large argument or environment list can result in a stack/heap clash for 32-bit PIE binaries.
      - CVE-2017-1000380 Alexander Potapenko of Google reported a race condition in the ALSA (sound) timer driver, leading to an information leak. A local user with permission to access sound devices could use this to obtain sensitive information.
      Debian disables unprivileged user namespaces by default, but if they are enabled (via the kernel.unprivileged_userns_clone sysctl) then CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited by any local user.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 103365
    published 2017-09-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103365
    title Debian DSA-3981-1 : linux - security update (BlueBorne) (Stack Clash)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-2930.NASL
    description From Red Hat Security Advisory 2017:2930 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) :
      * An out-of-bounds kernel heap access vulnerability was found in xfrm, the kernel's IP framework for transforming packets. An error in dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important)
      * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important)
      * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building a UFO packet with the MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important)
      * A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending it to its destination via sendto(). (CVE-2016-8399, Moderate)
      * Kernel memory corruption due to a buffer overflow was found in the brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate)
      * An integer overflow vulnerability in the ip6_find_1stfragopt() function was found. A local attacker that has privileges (CAP_NET_RAW) to open a raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate)
      * A kernel data leak due to an out-of-bounds read was found in the Linux kernel in the inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions, present since version 4.7-rc1 through version 4.13. The data leak happens when these functions fill in the sockaddr data structures used to export a socket's diagnostic information. As a result, up to 100 bytes of slab data could be leaked to userspace. (CVE-2017-7558, Moderate)
      * The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free), which may lead to memory corruption or other unspecified impact. (CVE-2017-11176, Moderate)
      * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate)
      Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112. The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat). Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/node/3212921.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 104001
    published 2017-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104001
    title Oracle Linux 7 : kernel (ELSA-2017-2930)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2017-079.NASL
    description According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. - The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls. - A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial-of-service. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 102981
    published 2017-09-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102981
    title Virtuozzo 7 : readykernel-patch (VZA-2017-079)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2017-078.NASL
    description According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. - The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls. - A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial-of-service. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 102980
    published 2017-09-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102980
    title Virtuozzo 7 : readykernel-patch (VZA-2017-078)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-2930.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important) * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building a UFO packet with the MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) * A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399, Moderate) * Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) * An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) * A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate) * The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified impact. (CVE-2017-11176, Moderate) * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112. The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat). Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/node/3212921.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104106
    published 2017-10-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104106
    title CentOS 7 : kernel (CESA-2017:2930)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2930.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important) * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building a UFO packet with the MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) * A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399, Moderate) * Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) * An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) * A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate) * The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified impact. (CVE-2017-11176, Moderate) * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112. The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat). Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/node/3212921.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104003
    published 2017-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104003
    title RHEL 7 : kernel (RHSA-2017:2930)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2918.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important) * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building a UFO packet with the MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) * Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) * An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) * A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate) * The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified impact. (CVE-2017-11176, Moderate) * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) * A flaw was found where the XFS filesystem code mishandles a user-settable inode flag in the Linux kernel prior to 4.14-rc1. This can cause a local denial of service via a kernel panic. (CVE-2017-14340, Moderate) Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112. The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat) and the CVE-2017-14340 issue was discovered by Dave Chinner (Red Hat). Bug Fix(es) : * kernel-rt packages have been upgraded to the 3.10.0-693.5.2 source tree, which provides a number of bug fixes over the previous version. (BZ#1489085)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104090
    published 2017-10-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104090
    title RHEL 6 : MRG (RHSA-2017:2918)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20171019_KERNEL_ON_SL7_X.NASL
    description Security Fix(es) : - Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important) - A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) - An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building a UFO packet with the MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) - A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399, Moderate) - Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) - An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) - A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate) - The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified impact. (CVE-2017-11176, Moderate) - A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 104008
    published 2017-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104008
    title Scientific Linux Security Update : kernel on SL7.x x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2931.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important) * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building a UFO packet with the MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) * A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399, Moderate) * Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) * An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) * A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate) * The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified impact. (CVE-2017-11176, Moderate) * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112. The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat). Bug Fix(es) : * The kernel-rt packages have been upgraded to the 3.10.0-693.5.2 source tree, which provides a number of bug fixes over the previous version. (BZ#1489084)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104004
    published 2017-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104004
    title RHEL 7 : kernel-rt (RHSA-2017:2931)
packetstorm via4
data source https://packetstormsecurity.com/files/download/150552/linkernel48-leak.txt
id PACKETSTORM:150552
last seen 2018-12-01
published 2018-12-01
reporter Jinbum Park
source https://packetstormsecurity.com/files/150552/Linux-Kernel-4.8-Ubuntu-16.04-sctp-Kernel-Pointer-Leak.html
title Linux Kernel 4.8 (Ubuntu 16.04) sctp Kernel Pointer Leak
redhat via4
advisories
  • rhsa
    id RHSA-2017:2918
  • rhsa
    id RHSA-2017:2930
  • rhsa
    id RHSA-2017:2931
rpms
  • kernel-0:3.10.0-693.5.2.el7
  • kernel-abi-whitelists-0:3.10.0-693.5.2.el7
  • kernel-bootwrapper-0:3.10.0-693.5.2.el7
  • kernel-debug-0:3.10.0-693.5.2.el7
  • kernel-debug-devel-0:3.10.0-693.5.2.el7
  • kernel-devel-0:3.10.0-693.5.2.el7
  • kernel-doc-0:3.10.0-693.5.2.el7
  • kernel-headers-0:3.10.0-693.5.2.el7
  • kernel-kdump-0:3.10.0-693.5.2.el7
  • kernel-kdump-devel-0:3.10.0-693.5.2.el7
  • kernel-tools-0:3.10.0-693.5.2.el7
  • kernel-tools-libs-0:3.10.0-693.5.2.el7
  • kernel-tools-libs-devel-0:3.10.0-693.5.2.el7
  • perf-0:3.10.0-693.5.2.el7
  • python-perf-0:3.10.0-693.5.2.el7
  • kernel-rt-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-devel-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-kvm-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-devel-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-doc-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-kvm-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-devel-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-kvm-0:3.10.0-693.5.2.rt56.626.el7
refmap via4
bid 100466
confirm https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7558
debian DSA-3981
mlist
  • [linux-netdev] 20170823 [PATCH net] sctp: Avoid out-of-bounds reads from address storage
  • [oss-security] 20170823 CVE-2017-7558: Linux kernel: sctp: out-of-bounds read in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info()
sectrack 1039221
Last major update 26-07-2018 - 11:29
Published 26-07-2018 - 11:29
Last modified 26-09-2018 - 11:28