ID CVE-2018-3646
Summary Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.
References
Vulnerable Configurations
  • Intel Core I3 330E
    cpe:2.3:h:intel:core_i3:330e
  • Intel Core I3 330M
    cpe:2.3:h:intel:core_i3:330m
  • Intel Core I3 330UM
    cpe:2.3:h:intel:core_i3:330um
  • Intel Core I3 350M
    cpe:2.3:h:intel:core_i3:350m
  • Intel Core I3 370M
    cpe:2.3:h:intel:core_i3:370m
  • Intel Core I3 380M
    cpe:2.3:h:intel:core_i3:380m
  • Intel Core I3 380UM
    cpe:2.3:h:intel:core_i3:380um
  • Intel Core I3 390M
    cpe:2.3:h:intel:core_i3:390m
  • Intel Core I3 530
    cpe:2.3:h:intel:core_i3:530
  • Intel Core I3 540
    cpe:2.3:h:intel:core_i3:540
  • Intel Core I3 550
    cpe:2.3:h:intel:core_i3:550
  • Intel Core I3 560
    cpe:2.3:h:intel:core_i3:560
  • Intel Core I3 2100
    cpe:2.3:h:intel:core_i3:2100
  • Intel Core I3 2100T
    cpe:2.3:h:intel:core_i3:2100t
  • Intel Core I3 2102
    cpe:2.3:h:intel:core_i3:2102
  • Intel Core I3 2105
    cpe:2.3:h:intel:core_i3:2105
  • Intel Core I3 2115C
    cpe:2.3:h:intel:core_i3:2115c
  • Intel Core I3 2120
    cpe:2.3:h:intel:core_i3:2120
  • Intel Core I3 2120T
    cpe:2.3:h:intel:core_i3:2120t
  • Intel Core I3 2125
    cpe:2.3:h:intel:core_i3:2125
  • Intel Core I3 2130
    cpe:2.3:h:intel:core_i3:2130
  • Intel Core I3 2310E
    cpe:2.3:h:intel:core_i3:2310e
  • Intel Core I3 2310M
    cpe:2.3:h:intel:core_i3:2310m
  • Intel Core I3 2312M
    cpe:2.3:h:intel:core_i3:2312m
  • Intel Core I3 2328M
    cpe:2.3:h:intel:core_i3:2328m
  • Intel Core I3 2330E
    cpe:2.3:h:intel:core_i3:2330e
  • Intel Core I3 2330M
    cpe:2.3:h:intel:core_i3:2330m
  • Intel Core I3 2340UE
    cpe:2.3:h:intel:core_i3:2340ue
  • Intel Core I3 2348M
    cpe:2.3:h:intel:core_i3:2348m
  • Intel Core I3 2350M
    cpe:2.3:h:intel:core_i3:2350m
  • Intel Core I3 2357M
    cpe:2.3:h:intel:core_i3:2357m
  • Intel Core I3 2365M
    cpe:2.3:h:intel:core_i3:2365m
  • Intel Core I3 2367M
    cpe:2.3:h:intel:core_i3:2367m
  • Intel Core I3 2370M
    cpe:2.3:h:intel:core_i3:2370m
  • Intel Core I3 2375M
    cpe:2.3:h:intel:core_i3:2375m
  • Intel Core I3 2377M
    cpe:2.3:h:intel:core_i3:2377m
  • Intel Core I3 3110M
    cpe:2.3:h:intel:core_i3:3110m
  • Intel Core I3 3115C
    cpe:2.3:h:intel:core_i3:3115c
  • Intel Core I3 3120M
    cpe:2.3:h:intel:core_i3:3120m
  • Intel Core I3 3120ME
    cpe:2.3:h:intel:core_i3:3120me
  • Intel Core I3 3130M
    cpe:2.3:h:intel:core_i3:3130m
  • Intel Core I3 3210
    cpe:2.3:h:intel:core_i3:3210
  • Intel Core I3 3217U
    cpe:2.3:h:intel:core_i3:3217u
  • Intel Core I3 3217UE
    cpe:2.3:h:intel:core_i3:3217ue
  • Intel Core I3 3220
    cpe:2.3:h:intel:core_i3:3220
  • Intel Core I3 3220T
    cpe:2.3:h:intel:core_i3:3220t
  • Intel Core I3 3225
    cpe:2.3:h:intel:core_i3:3225
  • Intel Core I3 3227U
    cpe:2.3:h:intel:core_i3:3227u
  • Intel Core I3 3229Y
    cpe:2.3:h:intel:core_i3:3229y
  • Intel Core I3 3240
    cpe:2.3:h:intel:core_i3:3240
  • Intel Core I3 3240T
    cpe:2.3:h:intel:core_i3:3240t
  • Intel Core I3 3245
    cpe:2.3:h:intel:core_i3:3245
  • Intel Core I3 3250
    cpe:2.3:h:intel:core_i3:3250
  • Intel Core I3 3250T
    cpe:2.3:h:intel:core_i3:3250t
  • Intel Core I3 4000M
    cpe:2.3:h:intel:core_i3:4000m
  • Intel Core I3 4005U
    cpe:2.3:h:intel:core_i3:4005u
  • Intel Core I3 4010U
    cpe:2.3:h:intel:core_i3:4010u
  • Intel Core I3 4010Y
    cpe:2.3:h:intel:core_i3:4010y
  • Intel Core I3 4012Y
    cpe:2.3:h:intel:core_i3:4012y
  • Intel Core I3 4020Y
    cpe:2.3:h:intel:core_i3:4020y
  • Intel Core I3 4025U
    cpe:2.3:h:intel:core_i3:4025u
  • Intel Core I3 4030U
    cpe:2.3:h:intel:core_i3:4030u
  • Intel Core I3 4030Y
    cpe:2.3:h:intel:core_i3:4030y
  • Intel Core I3 4100E
    cpe:2.3:h:intel:core_i3:4100e
  • Intel Core I3 4100M
    cpe:2.3:h:intel:core_i3:4100m
  • Intel Core I3 4100U
    cpe:2.3:h:intel:core_i3:4100u
  • Intel Core I3 4102E
    cpe:2.3:h:intel:core_i3:4102e
  • Intel Core I3 4110E
    cpe:2.3:h:intel:core_i3:4110e
  • Intel Core I3 4110M
    cpe:2.3:h:intel:core_i3:4110m
  • Intel Core I3 4112E
    cpe:2.3:h:intel:core_i3:4112e
  • Intel Core I3 4120U
    cpe:2.3:h:intel:core_i3:4120u
  • Intel Core I3 4130
    cpe:2.3:h:intel:core_i3:4130
  • Intel Core I3 4130T
    cpe:2.3:h:intel:core_i3:4130t
  • Intel Core I3 4150
    cpe:2.3:h:intel:core_i3:4150
  • Intel Core I3 4150T
    cpe:2.3:h:intel:core_i3:4150t
  • Intel Core I3 4158U
    cpe:2.3:h:intel:core_i3:4158u
  • Intel Core I3 4160
    cpe:2.3:h:intel:core_i3:4160
  • Intel Core I3 4160T
    cpe:2.3:h:intel:core_i3:4160t
  • Intel Core I3 4170
    cpe:2.3:h:intel:core_i3:4170
  • Intel Core I3 4170T
    cpe:2.3:h:intel:core_i3:4170t
  • Intel Core I3 4330
    cpe:2.3:h:intel:core_i3:4330
  • Intel Core I3 4330T
    cpe:2.3:h:intel:core_i3:4330t
  • Intel Core I3 4330TE
    cpe:2.3:h:intel:core_i3:4330te
  • Intel Core I3 4340
    cpe:2.3:h:intel:core_i3:4340
  • Intel Core I3 4340TE
    cpe:2.3:h:intel:core_i3:4340te
  • Intel Core I3 4350
    cpe:2.3:h:intel:core_i3:4350
  • Intel Core I3 4350T
    cpe:2.3:h:intel:core_i3:4350t
  • Intel Core I3 4360
    cpe:2.3:h:intel:core_i3:4360
  • Intel Core I3 4360T
    cpe:2.3:h:intel:core_i3:4360t
  • Intel Core I3 4370
    cpe:2.3:h:intel:core_i3:4370
  • Intel Core I3 4370T
    cpe:2.3:h:intel:core_i3:4370t
  • Intel Core I3 5005U
    cpe:2.3:h:intel:core_i3:5005u
  • Intel Core I3 5010U
    cpe:2.3:h:intel:core_i3:5010u
  • Intel Core I3 5015U
    cpe:2.3:h:intel:core_i3:5015u
  • Intel Core I3 5020U
    cpe:2.3:h:intel:core_i3:5020u
  • Intel Core I3 5157U
    cpe:2.3:h:intel:core_i3:5157u
  • Intel Core I3 6006U
    cpe:2.3:h:intel:core_i3:6006u
  • Intel Core I3 6098P
    cpe:2.3:h:intel:core_i3:6098p
  • Intel Core I3 6100
    cpe:2.3:h:intel:core_i3:6100
  • Intel Core I3 6100E
    cpe:2.3:h:intel:core_i3:6100e
  • Intel Core I3 6100H
    cpe:2.3:h:intel:core_i3:6100h
  • Intel Core I3 6100T
    cpe:2.3:h:intel:core_i3:6100t
  • Intel Core I3 6100TE
    cpe:2.3:h:intel:core_i3:6100te
  • Intel Core I3 6100U
    cpe:2.3:h:intel:core_i3:6100u
  • Intel Core I3 6102E
    cpe:2.3:h:intel:core_i3:6102e
  • Intel Core I3 6157U
    cpe:2.3:h:intel:core_i3:6157u
  • Intel Core I3 6167U
    cpe:2.3:h:intel:core_i3:6167u
  • Intel Core I3 6300
    cpe:2.3:h:intel:core_i3:6300
  • Intel Core I3 6300T
    cpe:2.3:h:intel:core_i3:6300t
  • Intel Core I3 6320
    cpe:2.3:h:intel:core_i3:6320
  • Intel Core I3 8100
    cpe:2.3:h:intel:core_i3:8100
  • Intel Core I3 8350K
    cpe:2.3:h:intel:core_i3:8350k
  • Intel Core I5 430M
    cpe:2.3:h:intel:core_i5:430m
  • Intel Core I5 430UM
    cpe:2.3:h:intel:core_i5:430um
  • Intel Core I5 450M
    cpe:2.3:h:intel:core_i5:450m
  • Intel Core I5 460M
    cpe:2.3:h:intel:core_i5:460m
  • Intel Core I5 470UM
    cpe:2.3:h:intel:core_i5:470um
  • Intel Core I5 480M
    cpe:2.3:h:intel:core_i5:480m
  • Intel Core I5 520E
    cpe:2.3:h:intel:core_i5:520e
  • Intel Core I5 520M
    cpe:2.3:h:intel:core_i5:520m
  • Intel Core I5 520UM
    cpe:2.3:h:intel:core_i5:520um
  • Intel Core I5 540M
    cpe:2.3:h:intel:core_i5:540m
  • Intel Core I5 540UM
    cpe:2.3:h:intel:core_i5:540um
  • Intel Core I5 560M
    cpe:2.3:h:intel:core_i5:560m
  • Intel Core I5 560UM
    cpe:2.3:h:intel:core_i5:560um
  • Intel Core I5 580M
    cpe:2.3:h:intel:core_i5:580m
  • Intel Core I5 650
    cpe:2.3:h:intel:core_i5:650
  • Intel Core I5 655K
    cpe:2.3:h:intel:core_i5:655k
  • Intel Core I5 660
    cpe:2.3:h:intel:core_i5:660
  • Intel Core I5 661
    cpe:2.3:h:intel:core_i5:661
  • Intel Core I5 670
    cpe:2.3:h:intel:core_i5:670
  • Intel Core I5 680
    cpe:2.3:h:intel:core_i5:680
  • Intel Core I5 750
    cpe:2.3:h:intel:core_i5:750
  • Intel Core I5 750S
    cpe:2.3:h:intel:core_i5:750s
  • Intel Core I5 760
    cpe:2.3:h:intel:core_i5:760
  • Intel Core I5 2300
    cpe:2.3:h:intel:core_i5:2300
  • Intel Core I5 2310
    cpe:2.3:h:intel:core_i5:2310
  • Intel Core I5 2320
    cpe:2.3:h:intel:core_i5:2320
  • Intel Core I5 2380P
    cpe:2.3:h:intel:core_i5:2380p
  • Intel Core I5 2390T
    cpe:2.3:h:intel:core_i5:2390t
  • Intel Core I5 2400
    cpe:2.3:h:intel:core_i5:2400
  • Intel Core I5 2400S
    cpe:2.3:h:intel:core_i5:2400s
  • Intel Core I5 2405S
    cpe:2.3:h:intel:core_i5:2405s
  • Intel Core I5 2410M
    cpe:2.3:h:intel:core_i5:2410m
  • Intel Core I5 2430M
    cpe:2.3:h:intel:core_i5:2430m
  • Intel Core I5 2435M
    cpe:2.3:h:intel:core_i5:2435m
  • Intel Core I5 2450M
    cpe:2.3:h:intel:core_i5:2450m
  • Intel Core I5 2450P
    cpe:2.3:h:intel:core_i5:2450p
  • Intel Core I5 2467M
    cpe:2.3:h:intel:core_i5:2467m
  • Intel Core I5 2500
    cpe:2.3:h:intel:core_i5:2500
  • Intel Core I5 2500K
    cpe:2.3:h:intel:core_i5:2500k
  • Intel Core I5 2500S
    cpe:2.3:h:intel:core_i5:2500s
  • Intel Core I5 2500T
    cpe:2.3:h:intel:core_i5:2500t
  • Intel Core I5 2510E
    cpe:2.3:h:intel:core_i5:2510e
  • Intel Core I5 2515E
    cpe:2.3:h:intel:core_i5:2515e
  • Intel Core I5 2520M
    cpe:2.3:h:intel:core_i5:2520m
  • Intel Core I5 2537M
    cpe:2.3:h:intel:core_i5:2537m
  • Intel Core I5 2540M
    cpe:2.3:h:intel:core_i5:2540m
  • Intel Core I5 2550K
    cpe:2.3:h:intel:core_i5:2550k
  • Intel Core I5 2557M
    cpe:2.3:h:intel:core_i5:2557m
  • Intel Core I5 3210M
    cpe:2.3:h:intel:core_i5:3210m
  • Intel Core I5 3230M
    cpe:2.3:h:intel:core_i5:3230m
  • Intel Core I5 3317U
    cpe:2.3:h:intel:core_i5:3317u
  • Intel Core I5 3320M
    cpe:2.3:h:intel:core_i5:3320m
  • Intel Core I5 3330
    cpe:2.3:h:intel:core_i5:3330
  • Intel Core I5 3330S
    cpe:2.3:h:intel:core_i5:3330s
  • Intel Core I5 3337U
    cpe:2.3:h:intel:core_i5:3337u
  • Intel Core I5 3339Y
    cpe:2.3:h:intel:core_i5:3339y
  • Intel Core I5 3340
    cpe:2.3:h:intel:core_i5:3340
  • Intel Core I5 3340M
    cpe:2.3:h:intel:core_i5:3340m
  • Intel Core I5 3340S
    cpe:2.3:h:intel:core_i5:3340s
  • Intel Core I5 3350P
    cpe:2.3:h:intel:core_i5:3350p
  • Intel Core I5 3360M
    cpe:2.3:h:intel:core_i5:3360m
  • Intel Core I5 3380M
    cpe:2.3:h:intel:core_i5:3380m
  • Intel Core I5 3427U
    cpe:2.3:h:intel:core_i5:3427u
  • Intel Core I5 3437U
    cpe:2.3:h:intel:core_i5:3437u
  • Intel Core I5 3439Y
    cpe:2.3:h:intel:core_i5:3439y
  • Intel Core I5 3450
    cpe:2.3:h:intel:core_i5:3450
  • Intel Core I5 3450S
    cpe:2.3:h:intel:core_i5:3450s
  • Intel Core I5 3470
    cpe:2.3:h:intel:core_i5:3470
  • Intel Core I5 3470S
    cpe:2.3:h:intel:core_i5:3470s
  • Intel Core I5 3470T
    cpe:2.3:h:intel:core_i5:3470t
  • Intel Core I5 3475S
    cpe:2.3:h:intel:core_i5:3475s
  • Intel Core I5 3550
    cpe:2.3:h:intel:core_i5:3550
  • Intel Core I5 3550S
    cpe:2.3:h:intel:core_i5:3550s
  • Intel Core I5 3570
    cpe:2.3:h:intel:core_i5:3570
  • Intel Core I5 3570K
    cpe:2.3:h:intel:core_i5:3570k
  • Intel Core I5 3570S
    cpe:2.3:h:intel:core_i5:3570s
  • Intel Core I5 3570T
    cpe:2.3:h:intel:core_i5:3570t
  • Intel Core I5 3610ME
    cpe:2.3:h:intel:core_i5:3610me
  • Intel Core I5 4200H
    cpe:2.3:h:intel:core_i5:4200h
  • Intel Core I5 4200M
    cpe:2.3:h:intel:core_i5:4200m
  • Intel Core I5 4200U
    cpe:2.3:h:intel:core_i5:4200u
  • Intel Core I5 4200Y
    cpe:2.3:h:intel:core_i5:4200y
  • Intel Core I5 4202Y
    cpe:2.3:h:intel:core_i5:4202y
  • Intel Core I5 4210H
    cpe:2.3:h:intel:core_i5:4210h
  • Intel Core I5 4210M
    cpe:2.3:h:intel:core_i5:4210m
  • Intel Core I5 4210U
    cpe:2.3:h:intel:core_i5:4210u
  • Intel Core I5 4210Y
    cpe:2.3:h:intel:core_i5:4210y
  • Intel Core I5 4220Y
    cpe:2.3:h:intel:core_i5:4220y
  • Intel Core I5 4250U
    cpe:2.3:h:intel:core_i5:4250u
  • Intel Core I5 4258U
    cpe:2.3:h:intel:core_i5:4258u
  • Intel Core I5 4260U
    cpe:2.3:h:intel:core_i5:4260u
  • Intel Core I5 4278U
    cpe:2.3:h:intel:core_i5:4278u
  • Intel Core I5 4288U
    cpe:2.3:h:intel:core_i5:4288u
  • Intel Core I5 4300M
    cpe:2.3:h:intel:core_i5:4300m
  • Intel Core I5 4300U
    cpe:2.3:h:intel:core_i5:4300u
  • Intel Core I5 4300Y
    cpe:2.3:h:intel:core_i5:4300y
  • Intel Core I5 4302Y
    cpe:2.3:h:intel:core_i5:4302y
  • Intel Core I5 4308U
    cpe:2.3:h:intel:core_i5:4308u
  • Intel Core I5 4310M
    cpe:2.3:h:intel:core_i5:4310m
  • Intel Core I5 4310U
    cpe:2.3:h:intel:core_i5:4310u
  • Intel Core I5 4330M
    cpe:2.3:h:intel:core_i5:4330m
  • Intel Core I5 4340M
    cpe:2.3:h:intel:core_i5:4340m
  • Intel Core I5 4350U
    cpe:2.3:h:intel:core_i5:4350u
  • Intel Core I5 4360U
    cpe:2.3:h:intel:core_i5:4360u
  • Intel Core I5 4400E
    cpe:2.3:h:intel:core_i5:4400e
  • Intel Core I5 4402E
    cpe:2.3:h:intel:core_i5:4402e
  • Intel Core I5 4402EC
    cpe:2.3:h:intel:core_i5:4402ec
  • Intel Core I5 4410E
    cpe:2.3:h:intel:core_i5:4410e
  • Intel Core I5 4422E
    cpe:2.3:h:intel:core_i5:4422e
  • Intel Core I5 4430
    cpe:2.3:h:intel:core_i5:4430
  • Intel Core I5 4430S
    cpe:2.3:h:intel:core_i5:4430s
  • Intel Core I5 4440
    cpe:2.3:h:intel:core_i5:4440
  • Intel Core I5 4440S
    cpe:2.3:h:intel:core_i5:4440s
  • Intel Core I5 4460
    cpe:2.3:h:intel:core_i5:4460
  • Intel Core I5 4460S
    cpe:2.3:h:intel:core_i5:4460s
  • Intel Core I5 4460T
    cpe:2.3:h:intel:core_i5:4460t
  • Intel Core I5 4570
    cpe:2.3:h:intel:core_i5:4570
  • Intel Core I5 4570R
    cpe:2.3:h:intel:core_i5:4570r
  • Intel Core I5 4570S
    cpe:2.3:h:intel:core_i5:4570s
  • Intel Core I5 4570T
    cpe:2.3:h:intel:core_i5:4570t
  • Intel Core I5 4570TE
    cpe:2.3:h:intel:core_i5:4570te
  • Intel Core I5 4590
    cpe:2.3:h:intel:core_i5:4590
  • Intel Core I5 4590S
    cpe:2.3:h:intel:core_i5:4590s
  • Intel Core I5 4590T
    cpe:2.3:h:intel:core_i5:4590t
  • Intel Core I5 4670
    cpe:2.3:h:intel:core_i5:4670
  • Intel Core I5 4670K
    cpe:2.3:h:intel:core_i5:4670k
  • Intel Core I5 4670R
    cpe:2.3:h:intel:core_i5:4670r
  • Intel Core I5 4670S
    cpe:2.3:h:intel:core_i5:4670s
  • Intel Core I5 4670T
    cpe:2.3:h:intel:core_i5:4670t
  • Intel Core I5 4690
    cpe:2.3:h:intel:core_i5:4690
  • Intel Core I5 4690K
    cpe:2.3:h:intel:core_i5:4690k
  • Intel Core I5 4690S
    cpe:2.3:h:intel:core_i5:4690s
  • Intel Core I5 4690T
    cpe:2.3:h:intel:core_i5:4690t
  • Intel Core I5 5200U
    cpe:2.3:h:intel:core_i5:5200u
  • Intel Core I5 5250U
    cpe:2.3:h:intel:core_i5:5250u
  • Intel Core I5 5257U
    cpe:2.3:h:intel:core_i5:5257u
  • Intel Core I5 5287U
    cpe:2.3:h:intel:core_i5:5287u
  • Intel Core I5 5300U
    cpe:2.3:h:intel:core_i5:5300u
  • Intel Core I5 5350H
    cpe:2.3:h:intel:core_i5:5350h
  • Intel Core I5 5350U
    cpe:2.3:h:intel:core_i5:5350u
  • Intel Core I5 5575R
    cpe:2.3:h:intel:core_i5:5575r
  • Intel Core I5 5675C
    cpe:2.3:h:intel:core_i5:5675c
  • Intel Core I5 5675R
    cpe:2.3:h:intel:core_i5:5675r
  • Intel Core I5 6200U
    cpe:2.3:h:intel:core_i5:6200u
  • Intel Core I5 6260U
    cpe:2.3:h:intel:core_i5:6260u
  • Intel Core I5 6267U
    cpe:2.3:h:intel:core_i5:6267u
  • Intel Core I5 6287U
    cpe:2.3:h:intel:core_i5:6287u
  • Intel Core I5 6300HQ
    cpe:2.3:h:intel:core_i5:6300hq
  • Intel Core I5 6300U
    cpe:2.3:h:intel:core_i5:6300u
  • Intel Core I5 6350HQ
    cpe:2.3:h:intel:core_i5:6350hq
  • Intel Core I5 6360U
    cpe:2.3:h:intel:core_i5:6360u
  • Intel Core I5 6400
    cpe:2.3:h:intel:core_i5:6400
  • Intel Core I5 6400T
    cpe:2.3:h:intel:core_i5:6400t
  • Intel Core I5 6402P
    cpe:2.3:h:intel:core_i5:6402p
  • Intel Core I5 6440EQ
    cpe:2.3:h:intel:core_i5:6440eq
  • Intel Core I5 6440HQ
    cpe:2.3:h:intel:core_i5:6440hq
  • Intel Core I5 6442EQ
    cpe:2.3:h:intel:core_i5:6442eq
  • Intel Core I5 6500
    cpe:2.3:h:intel:core_i5:6500
  • Intel Core I5 6500T
    cpe:2.3:h:intel:core_i5:6500t
  • Intel Core I5 6500TE
    cpe:2.3:h:intel:core_i5:6500te
  • Intel Core I5 6585R
    cpe:2.3:h:intel:core_i5:6585r
  • Intel Core I5 6600
    cpe:2.3:h:intel:core_i5:6600
  • Intel Core I5 6600K
    cpe:2.3:h:intel:core_i5:6600k
  • Intel Core I5 6600T
    cpe:2.3:h:intel:core_i5:6600t
  • Intel Core I5 6685R
    cpe:2.3:h:intel:core_i5:6685r
  • Intel Core I5 8250U
    cpe:2.3:h:intel:core_i5:8250u
  • Intel Core I5 8350U
    cpe:2.3:h:intel:core_i5:8350u
  • Intel Core I5 8400
    cpe:2.3:h:intel:core_i5:8400
  • Intel Core I5 8600K
    cpe:2.3:h:intel:core_i5:8600k
  • Intel Core I7 7Y75
    cpe:2.3:h:intel:core_i7:7y75
  • Intel Core I7 610E
    cpe:2.3:h:intel:core_i7:610e
  • Intel Core I7 620LE
    cpe:2.3:h:intel:core_i7:620le
  • Intel Core I7 620LM
    cpe:2.3:h:intel:core_i7:620lm
  • Intel Core I7 620M
    cpe:2.3:h:intel:core_i7:620m
  • Intel Core I7 620UE
    cpe:2.3:h:intel:core_i7:620ue
  • Intel Core I7 620UM
    cpe:2.3:h:intel:core_i7:620um
  • Intel Core I7 640LM
    cpe:2.3:h:intel:core_i7:640lm
  • Intel Core I7 640M
    cpe:2.3:h:intel:core_i7:640m
  • Intel Core I7 640UM
    cpe:2.3:h:intel:core_i7:640um
  • Intel Core I7 660LM
    cpe:2.3:h:intel:core_i7:660lm
  • Intel Core I7 660UE
    cpe:2.3:h:intel:core_i7:660ue
  • Intel Core I7 660UM
    cpe:2.3:h:intel:core_i7:660um
  • Intel Core I7 680UM
    cpe:2.3:h:intel:core_i7:680um
  • Intel Core I7 720QM
    cpe:2.3:h:intel:core_i7:720qm
  • Intel Core I7 740QM
    cpe:2.3:h:intel:core_i7:740qm
  • Intel Core I7 820QM
    cpe:2.3:h:intel:core_i7:820qm
  • Intel Core I7 840QM
    cpe:2.3:h:intel:core_i7:840qm
  • Intel Core I7 860
    cpe:2.3:h:intel:core_i7:860
  • Intel Core I7 860S
    cpe:2.3:h:intel:core_i7:860s
  • Intel Core I7 870
    cpe:2.3:h:intel:core_i7:870
  • Intel Core I7 870S
    cpe:2.3:h:intel:core_i7:870s
  • Intel Core I7 875K
    cpe:2.3:h:intel:core_i7:875k
  • Intel Core I7 880
    cpe:2.3:h:intel:core_i7:880
  • Intel Core I7 920
    cpe:2.3:h:intel:core_i7:920
  • Intel Core I7 920XM
    cpe:2.3:h:intel:core_i7:920xm
  • Intel Core I7 930
    cpe:2.3:h:intel:core_i7:930
  • Intel Core I7 940
    cpe:2.3:h:intel:core_i7:940
  • Intel Core I7 940XM
    cpe:2.3:h:intel:core_i7:940xm
  • Intel Core I7 950
    cpe:2.3:h:intel:core_i7:950
  • Intel Core I7 960
    cpe:2.3:h:intel:core_i7:960
  • Intel Core I7 965
    cpe:2.3:h:intel:core_i7:965
  • Intel Core I7 970
    cpe:2.3:h:intel:core_i7:970
  • Intel Core I7 975
    cpe:2.3:h:intel:core_i7:975
  • Intel Core I7 980
    cpe:2.3:h:intel:core_i7:980
  • Intel Core I7 980X
    cpe:2.3:h:intel:core_i7:980x
  • Intel Core I7 990X
    cpe:2.3:h:intel:core_i7:990x
  • Intel Core I7 2600
    cpe:2.3:h:intel:core_i7:2600
  • Intel Core I7 2600K
    cpe:2.3:h:intel:core_i7:2600k
  • Intel Core I7 2600S
    cpe:2.3:h:intel:core_i7:2600s
  • Intel Core I7 2610UE
    cpe:2.3:h:intel:core_i7:2610ue
  • Intel Core I7 2617M
    cpe:2.3:h:intel:core_i7:2617m
  • Intel Core I7 2620M
    cpe:2.3:h:intel:core_i7:2620m
  • Intel Core I7 2629M
    cpe:2.3:h:intel:core_i7:2629m
  • Intel Core I7 2630QM
    cpe:2.3:h:intel:core_i7:2630qm
  • Intel Core I7 2635QM
    cpe:2.3:h:intel:core_i7:2635qm
  • Intel Core I7 2637M
    cpe:2.3:h:intel:core_i7:2637m
  • Intel Core I7 2640M
    cpe:2.3:h:intel:core_i7:2640m
  • Intel Core I7 2649M
    cpe:2.3:h:intel:core_i7:2649m
  • Intel Core I7 2655LE
    cpe:2.3:h:intel:core_i7:2655le
  • Intel Core I7 2657M
    cpe:2.3:h:intel:core_i7:2657m
  • Intel Core I7 2670QM
    cpe:2.3:h:intel:core_i7:2670qm
  • Intel Core I7 2675QM
    cpe:2.3:h:intel:core_i7:2675qm
  • Intel Core I7 2677M
    cpe:2.3:h:intel:core_i7:2677m
  • Intel Core I7 2700K
    cpe:2.3:h:intel:core_i7:2700k
  • Intel Core I7 2710QE
    cpe:2.3:h:intel:core_i7:2710qe
  • Intel Core I7 2715QE
    cpe:2.3:h:intel:core_i7:2715qe
  • Intel Core I7 2720QM
    cpe:2.3:h:intel:core_i7:2720qm
  • Intel Core I7 2760QM
    cpe:2.3:h:intel:core_i7:2760qm
  • Intel Core I7 2820QM
    cpe:2.3:h:intel:core_i7:2820qm
  • Intel Core I7 2860QM
    cpe:2.3:h:intel:core_i7:2860qm
  • Intel Core I7 2920XM
    cpe:2.3:h:intel:core_i7:2920xm
  • Intel Core I7 2960XM
    cpe:2.3:h:intel:core_i7:2960xm
  • Intel Core I7 3517U
    cpe:2.3:h:intel:core_i7:3517u
  • Intel Core I7 3517UE
    cpe:2.3:h:intel:core_i7:3517ue
  • Intel Core I7 3520M
    cpe:2.3:h:intel:core_i7:3520m
  • Intel Core I7 3537U
    cpe:2.3:h:intel:core_i7:3537u
  • Intel Core I7 3540M
    cpe:2.3:h:intel:core_i7:3540m
  • Intel Core I7 3555LE
    cpe:2.3:h:intel:core_i7:3555le
  • Intel Core I7 3610QE
    cpe:2.3:h:intel:core_i7:3610qe
  • Intel Core I7 3610QM
    cpe:2.3:h:intel:core_i7:3610qm
  • Intel Core I7 3612QE
    cpe:2.3:h:intel:core_i7:3612qe
  • Intel Core I7 3612QM
    cpe:2.3:h:intel:core_i7:3612qm
  • Intel Core I7 3615QE
    cpe:2.3:h:intel:core_i7:3615qe
  • Intel Core I7 3615QM
    cpe:2.3:h:intel:core_i7:3615qm
  • Intel Core I7 3630QM
    cpe:2.3:h:intel:core_i7:3630qm
  • Intel Core I7 3632QM
    cpe:2.3:h:intel:core_i7:3632qm
  • Intel Core I7 3635QM
    cpe:2.3:h:intel:core_i7:3635qm
  • Intel Core I7 3667U
    cpe:2.3:h:intel:core_i7:3667u
  • Intel Core I7 3687U
    cpe:2.3:h:intel:core_i7:3687u
  • Intel Core I7 3689Y
    cpe:2.3:h:intel:core_i7:3689y
  • Intel Core I7 3720QM
    cpe:2.3:h:intel:core_i7:3720qm
  • Intel Core I7 3740QM
    cpe:2.3:h:intel:core_i7:3740qm
  • Intel Core I7 3770
    cpe:2.3:h:intel:core_i7:3770
  • Intel Core I7 3770K
    cpe:2.3:h:intel:core_i7:3770k
  • Intel Core I7 3770S
    cpe:2.3:h:intel:core_i7:3770s
  • Intel Core I7 3770T
    cpe:2.3:h:intel:core_i7:3770t
  • Intel Core I7 3820QM
    cpe:2.3:h:intel:core_i7:3820qm
  • Intel Core I7 3840QM
    cpe:2.3:h:intel:core_i7:3840qm
  • Intel Core I7 4500U
    cpe:2.3:h:intel:core_i7:4500u
  • Intel Core I7 4510U
    cpe:2.3:h:intel:core_i7:4510u
  • Intel Core I7 4550U
    cpe:2.3:h:intel:core_i7:4550u
  • Intel Core I7 4558U
    cpe:2.3:h:intel:core_i7:4558u
  • Intel Core I7 4578U
    cpe:2.3:h:intel:core_i7:4578u
  • Intel Core I7 4600M
    cpe:2.3:h:intel:core_i7:4600m
  • Intel Core I7 4600U
    cpe:2.3:h:intel:core_i7:4600u
  • Intel Core I7 4610M
    cpe:2.3:h:intel:core_i7:4610m
  • Intel Core I7 4610Y
    cpe:2.3:h:intel:core_i7:4610y
  • Intel Core I7 4650U
    cpe:2.3:h:intel:core_i7:4650u
  • Intel Core I7 4700EC
    cpe:2.3:h:intel:core_i7:4700ec
  • Intel Core I7 4700EQ
    cpe:2.3:h:intel:core_i7:4700eq
  • Intel Core I7 4700HQ
    cpe:2.3:h:intel:core_i7:4700hq
  • Intel Core I7 4700MQ
    cpe:2.3:h:intel:core_i7:4700mq
  • Intel Core I7 4702EC
    cpe:2.3:h:intel:core_i7:4702ec
  • Intel Core I7 4702HQ
    cpe:2.3:h:intel:core_i7:4702hq
  • Intel Core I7 4702MQ
    cpe:2.3:h:intel:core_i7:4702mq
  • Intel Core I7 4710HQ
    cpe:2.3:h:intel:core_i7:4710hq
  • Intel Core I7 4710MQ
    cpe:2.3:h:intel:core_i7:4710mq
  • Intel Core I7 4712HQ
    cpe:2.3:h:intel:core_i7:4712hq
  • Intel Core I7 4712MQ
    cpe:2.3:h:intel:core_i7:4712mq
  • Intel Core I7 4720HQ
    cpe:2.3:h:intel:core_i7:4720hq
  • Intel Core I7 4722HQ
    cpe:2.3:h:intel:core_i7:4722hq
  • Intel Core I7 4750HQ
    cpe:2.3:h:intel:core_i7:4750hq
  • Intel Core I7 4760HQ
    cpe:2.3:h:intel:core_i7:4760hq
  • Intel Core I7 4765T
    cpe:2.3:h:intel:core_i7:4765t
  • Intel Core I7 4770
    cpe:2.3:h:intel:core_i7:4770
  • Intel Core I7 4770HQ
    cpe:2.3:h:intel:core_i7:4770hq
  • Intel Core I7 4770K
    cpe:2.3:h:intel:core_i7:4770k
  • Intel Core I7 4770R
    cpe:2.3:h:intel:core_i7:4770r
  • Intel Core I7 4770S
    cpe:2.3:h:intel:core_i7:4770s
  • Intel Core I7 4770T
    cpe:2.3:h:intel:core_i7:4770t
  • Intel Core I7 4770TE
    cpe:2.3:h:intel:core_i7:4770te
  • Intel Core I7 4771
    cpe:2.3:h:intel:core_i7:4771
  • Intel Core I7 4785T
    cpe:2.3:h:intel:core_i7:4785t
  • Intel Core I7 4790
    cpe:2.3:h:intel:core_i7:4790
  • Intel Core I7 4790K
    cpe:2.3:h:intel:core_i7:4790k
  • Intel Core I7 4790S
    cpe:2.3:h:intel:core_i7:4790s
  • Intel Core I7 4790T
    cpe:2.3:h:intel:core_i7:4790t
  • Intel Core I7 4800MQ
    cpe:2.3:h:intel:core_i7:4800mq
  • Intel Core I7 4810MQ
    cpe:2.3:h:intel:core_i7:4810mq
  • Intel Core I7 4850HQ
    cpe:2.3:h:intel:core_i7:4850hq
  • Intel Core I7 4860HQ
    cpe:2.3:h:intel:core_i7:4860hq
  • Intel Core I7 4870HQ
    cpe:2.3:h:intel:core_i7:4870hq
  • Intel Core I7 4900MQ
    cpe:2.3:h:intel:core_i7:4900mq
  • Intel Core I7 4910MQ
    cpe:2.3:h:intel:core_i7:4910mq
  • Intel Core I7 4950HQ
    cpe:2.3:h:intel:core_i7:4950hq
  • Intel Core I7 4960HQ
    cpe:2.3:h:intel:core_i7:4960hq
  • Intel Core I7 4980HQ
    cpe:2.3:h:intel:core_i7:4980hq
  • Intel Core I7 5500U
    cpe:2.3:h:intel:core_i7:5500u
  • Intel Core I7 5550U
    cpe:2.3:h:intel:core_i7:5550u
  • Intel Core I7 5557U
    cpe:2.3:h:intel:core_i7:5557u
  • Intel Core I7 5600U
    cpe:2.3:h:intel:core_i7:5600u
  • Intel Core I7 5650U
    cpe:2.3:h:intel:core_i7:5650u
  • Intel Core I7 5700EQ
    cpe:2.3:h:intel:core_i7:5700eq
  • Intel Core I7 5700HQ
    cpe:2.3:h:intel:core_i7:5700hq
  • Intel Core I7 5750HQ
    cpe:2.3:h:intel:core_i7:5750hq
  • Intel Core I7 5775C
    cpe:2.3:h:intel:core_i7:5775c
  • Intel Core I7 5775R
    cpe:2.3:h:intel:core_i7:5775r
  • Intel Core I7 5850EQ
    cpe:2.3:h:intel:core_i7:5850eq
  • Intel Core I7 5850HQ
    cpe:2.3:h:intel:core_i7:5850hq
  • Intel Core I7 5950HQ
    cpe:2.3:h:intel:core_i7:5950hq
  • Intel Core I7 7500U
    cpe:2.3:h:intel:core_i7:7500u
  • Intel Core I7 7560U
    cpe:2.3:h:intel:core_i7:7560u
  • Intel Core I7 7567U
    cpe:2.3:h:intel:core_i7:7567u
  • Intel Core I7 7600U
    cpe:2.3:h:intel:core_i7:7600u
  • Intel Core I7 7660U
    cpe:2.3:h:intel:core_i7:7660u
  • Intel Core I7 7700
    cpe:2.3:h:intel:core_i7:7700
  • Intel Core I7 7700HQ
    cpe:2.3:h:intel:core_i7:7700hq
  • Intel Core I7 7700K
    cpe:2.3:h:intel:core_i7:7700k
  • Intel Core I7 7700T
    cpe:2.3:h:intel:core_i7:7700t
  • Intel Core I7 7820EQ
    cpe:2.3:h:intel:core_i7:7820eq
  • Intel Core I7 7820HK
    cpe:2.3:h:intel:core_i7:7820hk
  • Intel Core I7 7820HQ
    cpe:2.3:h:intel:core_i7:7820hq
  • Intel Core I7 7920HQ
    cpe:2.3:h:intel:core_i7:7920hq
  • Intel Core I7 8550U
    cpe:2.3:h:intel:core_i7:8550u
  • Intel Core I7 8650U
    cpe:2.3:h:intel:core_i7:8650u
  • Intel Core I7 8700
    cpe:2.3:h:intel:core_i7:8700
  • Intel Core I7 8700K
    cpe:2.3:h:intel:core_i7:8700k
  • Intel Core M 5Y10
    cpe:2.3:h:intel:core_m:5y10
  • Intel Core M 5Y10A
    cpe:2.3:h:intel:core_m:5y10a
  • Intel Core M 5Y10C
    cpe:2.3:h:intel:core_m:5y10c
  • Intel Core M 5Y31
    cpe:2.3:h:intel:core_m:5y31
  • Intel Core M 5Y51
    cpe:2.3:h:intel:core_m:5y51
  • Intel Core M 5Y70
    cpe:2.3:h:intel:core_m:5y70
  • Intel Core M 5Y71
    cpe:2.3:h:intel:core_m:5y71
  • Intel Core M3 6Y30
    cpe:2.3:h:intel:core_m3:6y30
  • Intel Core M3 7Y30
    cpe:2.3:h:intel:core_m3:7y30
  • Intel Core M3 7Y32
    cpe:2.3:h:intel:core_m3:7y32
  • Intel Core M5 6Y54
    cpe:2.3:h:intel:core_m5:6y54
  • Intel Core M5 6Y57
    cpe:2.3:h:intel:core_m5:6y57
  • Intel Core M7 6Y75
    cpe:2.3:h:intel:core_m7:6y75
  • cpe:2.3:h:intel:xeon
    cpe:2.3:h:intel:xeon
CVSS
Base: 4.7
Impact:
Exploitability:
CWE CWE-200
CAPEC
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser, including the version of the browser, to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero-day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as a part of the same delivery system used to exploit the browser is considered more efficient, as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
  • Reusing Session IDs (aka Session Replay)
    This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the slash characters. An attacker would try to exploit common filtering problems related to the use of the slash characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2387-1.NASL
    description This update for the Linux Kernel 4.4.74-92_38 fixes several issues. The following security issues were fixed:
      - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306).
      - CVE-2017-18344: The timer_create syscall implementation in kernel/time/posix-timers.c didn't properly validate the sigevent->sigev_notify field, which led to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allowed userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE) (bsc#1103203). before 4.14.8
      - CVE-2017-11600: net/xfrm/xfrm_policy.c did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bsc#1096564).
      - CVE-2018-10853: A flaw was found in kvm. In which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108).
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111839
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111839
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2387-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-1624.NASL
    description This update for xen fixes the following issues : Update to Xen 4.10.2 bug fix release (bsc#1027519). Security vulnerabilities fixed : - CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient TLB flushing with AMD IOMMUs, which potentially allowed a guest to escalate its privileges, may cause a Denial of Service (DoS) affecting the entire host, or may be able to access data it is not supposed to access. (XSA-275) (bsc#1115040) - CVE-2018-19965: Fixed an issue related to the INVPCID instruction in case non-canonical addresses are accessed, which may allow a guest to cause Xen to crash, resulting in a Denial of Service (DoS) affecting the entire host. (XSA-279) (bsc#1115045) - CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240, which conflicted with shadow paging and allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS). (XSA-280) (bsc#1115047) - CVE-2018-18883: Fixed an issue related to improper restriction of nested VT-x, which allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS). (XSA-278) (bsc#1114405) - CVE-2018-15468: Fixed incorrect MSR_DEBUGCTL handling, which allowed guests to enable Branch Trace Store and may cause a Denial of Service (DoS) of the entire host. (XSA-269) (bsc#1103276) - CVE-2018-15469: Fixed use of v2 grant tables on ARM, which were not properly implemented and may cause a Denial of Service (DoS). (XSA-268) (bsc#1103275) - CVE-2018-15470: Fixed an issue in the logic in oxenstored for handling writes, which allowed a guest to write memory unbounded leading to system-wide Denial of Service (DoS). (XSA-272) (bsc#1103279) - CVE-2018-3646: Mitigations for VMM aspects of L1 Terminal Fault (XSA-273) (bsc#1091107) Other bugs fixed : - Fixed an issue related to a domU hang on SLE12-SP3 HV (bsc#1108940) - Fixed an issue with xpti=no-dom0 not working as expected (bsc#1105528) - Fixed a kernel oops related to fs/dcache.c called by d_materialise_unique() (bsc#1094508) This update was imported from the SUSE:SLE-15:Update update project.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 119951
    published 2018-12-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119951
    title openSUSE Security Update : xen (openSUSE-2018-1624) (Foreshadow)
  • NASL family Misc.
    NASL id CITRIX_XENSERVER_CTX236548.NASL
    description The version of Citrix XenServer running on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities including L1 Terminal Fault (L1TF) and a local code execution vulnerability.
    last seen 2019-02-21
    modified 2018-11-09
    plugin id 111789
    published 2018-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111789
    title Citrix XenServer Multiple Vulnerabilities (Foreshadow) (CTX236548)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-4300-1.NASL
    description This update for xen fixes the following issues : Update to Xen 4.10.2 bug fix release (bsc#1027519). Security vulnerabilities fixed : CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient TLB flushing with AMD IOMMUs, which potentially allowed a guest to escalate its privileges, may cause a Denial of Service (DoS) affecting the entire host, or may be able to access data it is not supposed to access. (XSA-275) (bsc#1115040) CVE-2018-19965: Fixed an issue related to the INVPCID instruction in case non-canonical addresses are accessed, which may allow a guest to cause Xen to crash, resulting in a Denial of Service (DoS) affecting the entire host. (XSA-279) (bsc#1115045) CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240, which conflicted with shadow paging and allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS). (XSA-280) (bsc#1115047) CVE-2018-18883: Fixed an issue related to improper restriction of nested VT-x, which allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS). (XSA-278) (bsc#1114405) CVE-2018-15468: Fixed incorrect MSR_DEBUGCTL handling, which allowed guests to enable Branch Trace Store and may cause a Denial of Service (DoS) of the entire host. (XSA-269) (bsc#1103276) CVE-2018-15469: Fixed use of v2 grant tables on ARM, which were not properly implemented and may cause a Denial of Service (DoS). (XSA-268) (bsc#1103275) CVE-2018-15470: Fixed an issue in the logic in oxenstored for handling writes, which allowed a guest to write memory unbounded leading to system-wide Denial of Service (DoS). (XSA-272) (bsc#1103279) CVE-2018-3646: Mitigations for VMM aspects of L1 Terminal Fault (XSA-273) (bsc#1091107) Other bugs fixed: Fixed an issue related to a domU hang on SLE12-SP3 HV (bsc#1108940) Fixed an issue with xpti=no-dom0 not working as expected (bsc#1105528) Fixed a kernel oops related to fs/dcache.c called by d_materialise_unique() (bsc#1094508) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 120196
    published 2019-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120196
    title SUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2018:4300-1) (Foreshadow)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-4196.NASL
    description Description of changes: [4.1.12-124.18.5.el7uek] - inet: frag: enforce memory limits earlier (Eric Dumazet) [Orabug: 28450977] - x86/mm/pageattr.c: fix page prot mask (Mihai Carabas) [Orabug: 28492122] - x86/pgtable.h: fix PMD/PUD mask (Mihai Carabas) [Orabug: 28492122] - x86/asm: Add pud/pmd mask interfaces to handle large PAT bit (Toshi Kani) [Orabug: 28492122] [4.1.12-124.18.4.el7uek] - kvm/vmx: Don't mark vmx_exit() __exit (Boris Ostrovsky) [Orabug: 28491688] - x86/speculation: Don't mark cpu_no_l1tf __initconst (Boris Ostrovsky) [Orabug: 28491688] - x86/speculation: parse l1tf boot parameter early (Boris Ostrovsky) [Orabug: 28491688] [4.1.12-124.18.3.el7uek] - posix-timer: Properly check sigevent->sigev_notify (Thomas Gleixner) [Orabug: 28481412] {CVE-2017-18344} [4.1.12-124.18.2.el7uek] - x86/mm/kmmio: Make the tracer robust against L1TF (Andi Kleen) [Orabug: 28220674] {CVE-2018-3620} - x86/mm/pat: Make set_memory_np() L1TF safe (Andi Kleen) [Orabug: 28220674] {CVE-2018-3620} - x86/mm/pat: Ensure cpa->pfn only contains page frame numbers (Matt Fleming) [Orabug: 28220674] {CVE-2018-3620} - x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert (Andi Kleen) [Orabug: 28220674] {CVE-2018-3620} - x86/speculation/l1tf: Invert all not present mappings (Andi Kleen) [Orabug: 28220674] {CVE-2018-3620} - cpu/hotplug: Fix SMT supported evaluation (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - KVM: VMX: Tell the nested hypervisor to skip L1D flush on vmentry (Paolo Bonzini) [Orabug: 28220674] {CVE-2018-3646} - x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry (Paolo Bonzini) [Orabug: 28220674] {CVE-2018-3620} - KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES (KarimAllah Ahmed) [Orabug: 28220674] {CVE-2018-3646} - x86/speculation: Simplify sysfs report of VMX L1TF vulnerability (Paolo Bonzini) [Orabug: 28220674] {CVE-2018-3620} - Documentation/l1tf: Remove Yonah processors from not vulnerable list (Thomas Gleixner) [Orabug: 28220674] 
{CVE-2018-3620} - x86/KVM/VMX: Don't set l1tf_flush_l1d from vmx_handle_external_intr() (Nicolai Stange) [Orabug: 28220674] {CVE-2018-3646} - x86/irq: Let interrupt handlers set kvm_cpu_l1tf_flush_l1d (Nicolai Stange) [Orabug: 28220674] {CVE-2018-3646} - x86: Don't include linux/irq.h from asm/hardirq.h (Nicolai Stange) [Orabug: 28220625] {CVE-2018-3620} - x86/KVM/VMX: Introduce per-host-cpu analogue of l1tf_flush_l1d (Nicolai Stange) [Orabug: 28220625] {CVE-2018-3646} - x86/KVM/VMX: Move the l1tf_flush_l1d test to vmx_l1d_flush() (Nicolai Stange) [Orabug: 28220625] {CVE-2018-3646} - x86/KVM/VMX: Replace 'vmx_l1d_flush_always' with 'vmx_l1d_flush_cond' (Nicolai Stange) [Orabug: 28220625] {CVE-2018-3646} - x86/KVM/VMX: Don't set l1tf_flush_l1d to true from vmx_l1d_flush() (Nicolai Stange) [Orabug: 28220625] {CVE-2018-3646} - KVM: VMX: support MSR_IA32_ARCH_CAPABILITIES as a feature MSR (Paolo Bonzini) [Orabug: 28220625] {CVE-2018-3646} - KVM: X86: Introduce kvm_get_msr_feature() (Wanpeng Li) [Orabug: 28220674] {CVE-2018-3646} - KVM: x86: Add a framework for supporting MSR-based features (Tom Lendacky) [Orabug: 28220674] {CVE-2018-3646} - cpu/hotplug: detect SMT disabled by BIOS (Josh Poimboeuf) [Orabug: 28220674] {CVE-2018-3620} - Documentation/l1tf: Fix typos (Tony Luck) [Orabug: 28220674] {CVE-2018-3620} - x86/KVM/VMX: Initialize the vmx_l1d_flush_pages' content (Nicolai Stange) [Orabug: 28220674] {CVE-2018-3646} - x86/speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures (Jiri Kosina) [Orabug: 28220674] {CVE-2018-3620} - Documentation: Add section about CPU vulnerabilities (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - x86/bugs, kvm: Introduce boot-time control of L1TF mitigations (Jiri Kosina) [Orabug: 28220674] {CVE-2018-3646} - cpu/hotplug: Set CPU_SMT_NOT_SUPPORTED early (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - cpu/hotplug: Expose SMT control init function (Jiri Kosina) [Orabug: 28220674] {CVE-2018-3620} - x86/kvm: 
Allow runtime control of L1D flush (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3646} - x86/kvm: Serialize L1D flush parameter setter (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3646} - x86/kvm: Add static key for flush always (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3646} - x86/kvm: Move l1tf setup function (Thomas Gleixner) [Orabug: 28220625] {CVE-2018-3646} - x86/l1tf: Handle EPT disabled state proper (Thomas Gleixner) [Orabug: 28220625] {CVE-2018-3620} - x86/kvm: Drop L1TF MSR list approach (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3646} - x86/litf: Introduce vmx status variable (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - cpu/hotplug: Online siblings when SMT control is turned on (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - x86/KVM/VMX: Use MSR save list for IA32_FLUSH_CMD if required (Konrad Rzeszutek Wilk) [Orabug: 28220674] {CVE-2018-3646} - x86/KVM/VMX: Extend add_atomic_switch_msr() to allow VMENTER only MSRs (Konrad Rzeszutek Wilk) [Orabug: 28220674] {CVE-2018-3646} - x86/KVM/VMX: Separate the VMX AUTOLOAD guest/host number accounting (Konrad Rzeszutek Wilk) [Orabug: 28220674] {CVE-2018-3646} - x86/KVM/VMX: Add find_msr() helper function (Konrad Rzeszutek Wilk) [Orabug: 28220674] {CVE-2018-3646} - x86/KVM/VMX: Split the VMX MSR LOAD structures to have an host/guest numbers (Konrad Rzeszutek Wilk) [Orabug: 28220674] {CVE-2018-3646} - x86/KVM/VMX: Add L1D flush logic (Paolo Bonzini) [Orabug: 28220674] {CVE-2018-3646} - x86/KVM/VMX: Add L1D MSR based flush (Paolo Bonzini) [Orabug: 28220674] {CVE-2018-3646} - x86/KVM/VMX: Add L1D flush algorithm (Paolo Bonzini) [Orabug: 28220674] {CVE-2018-3646} - x86/KVM/VMX: Add module argument for L1TF mitigation (Konrad Rzeszutek Wilk) [Orabug: 28220674] {CVE-2018-3646} {CVE-2018-3646} - locking/static_keys: Add static_key_{en,dis}able() helpers (Peter Zijlstra) [Orabug: 28220674] {CVE-2018-3620} - x86/KVM: Warn user if KVM is loaded SMT and L1TF CPU bug being present (Konrad Rzeszutek 
Wilk) [Orabug: 28220674] {CVE-2018-3646} - KVM: x86: Introducing kvm_x86_ops VM init/destroy hooks (Suravee Suthikulpanit) [Orabug: 28220674] {CVE-2018-3646} - cpu/hotplug: Boot HT siblings at least once (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - Revert 'x86/apic: Ignore secondary threads if nosmt=force' (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - x86/speculation/l1tf: Fix up pte->pfn conversion for PAE (Michal Hocko) [Orabug: 28220674] {CVE-2018-3620} - x86/speculation/l1tf: Protect PAE swap entries against L1TF (Vlastimil Babka) [Orabug: 28220674] {CVE-2018-3620} - x86/CPU/AMD: Move TOPOEXT reenablement before reading smp_num_siblings (Borislav Petkov) [Orabug: 28220674] {CVE-2018-3620} - x86/cpufeatures: Add detection of L1D cache flush support. (Konrad Rzeszutek Wilk) [Orabug: 28220674] {CVE-2018-3620} - x86/speculation/l1tf: Extend 64bit swap file size limit (Vlastimil Babka) [Orabug: 28220674] {CVE-2018-3620} - x86/apic: Ignore secondary threads if nosmt=force (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - x86/cpu/AMD: Evaluate smp_num_siblings early (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - x86/CPU/AMD: Do not check CPUID max ext level before parsing SMP info (Borislav Petkov) [Orabug: 28220674] {CVE-2018-3620} - x86/cpu/intel: Evaluate smp_num_siblings early (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - x86/cpu/topology: Provide detect_extended_topology_early() (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - x86/cpu/common: Provide detect_ht_early() (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - x86/cpu/AMD: Remove the pointless detect_ht() call (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - x86/cpu: Remove the pointless CPU printout (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - cpu/hotplug: Provide knobs to control SMT (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - x86/topology: Add topology_max_smt_threads() (Andi Kleen) [Orabug: 28220674] {CVE-2018-3620} - 
cpu/hotplug: Split do_cpu_down() (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - x86/topology: Provide topology_smt_supported() (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - x86/smp: Provide topology_is_primary_thread() (Thomas Gleixner) [Orabug: 28220674] {CVE-2018-3620} - x86/bugs: Move the l1tf function and define pr_fmt properly (Konrad Rzeszutek Wilk) [Orabug: 28220674] {CVE-2018-3620} - x86/speculation/l1tf: Limit swap file size to MAX_PA/2 (Andi Klein) [Orabug: 28220674] {CVE-2018-3620} - x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings (Andi Klein) [Orabug: 28220674] {CVE-2018-3620} - x86/speculation/l1tf: Add sysfs reporting for l1tf (Andi Klein) [Orabug: 28220674] {CVE-2018-3620} - x86/speculation/l1tf: Make sure the first page is always reserved (Andi Klein) [Orabug: 28220674] {CVE-2018-3620} - x86/speculation/l1tf: Protect PROT_NONE PTEs against speculation (Andi Klein) [Orabug: 28220674] {CVE-2018-3620} - x86/speculation/l1tf: Protect swap entries against L1TF (Linus Torvalds) [Orabug: 28220674] {CVE-2018-3620} - x86/speculation/l1tf: Change order of offset/type in swap entry (Linus Torvalds) [Orabug: 28220674] {CVE-2018-3620} - x86/speculation/l1tf: Increase 32bit PAE __PHYSICAL_PAGE_SHIFT (Andi Klein) [Orabug: 28220674] {CVE-2018-3620} - x86/mm: Limit mmap() of /dev/mem to valid physical addresses (Craig Bergstrom) [Orabug: 28220674] {CVE-2018-3620} - x86/mm: Prevent non-MAP_FIXED mapping across DEFAULT_MAP_WINDOW border (Kirill A. Shutemov) [Orabug: 28220674] {CVE-2018-3620}
    last seen 2019-02-21
    modified 2018-11-01
    plugin id 111726
    published 2018-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111726
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4196) (Foreshadow)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS_JAN2019_SRU11_4_3_5_0.NASL
    description This Solaris system is missing necessary patches to address critical security updates : - Vulnerability in the Oracle Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel). The supported version that is affected is 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris. (CVE-2019-2437) - Vulnerability in the Oracle Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel). The supported version that is affected is 11. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Solaris accessible data. (CVE-2018-3646) - Vulnerability in the Oracle Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Solaris accessible data. (CVE-2018-3639)
    last seen 2019-02-21
    modified 2019-01-23
    plugin id 121223
    published 2019-01-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121223
    title Oracle Solaris Critical Patch Update : jan2019_SRU11_4_3_5_0 (Foreshadow) (Spectre)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2416-1.NASL
    description This update for the Linux Kernel 4.4.114-94_14 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2017-18344: The timer_create syscall implementation in kernel/time/posix-timers.c didn't properly validate the sigevent->sigev_notify field, which led to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allowed userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE) (bsc#1103203). before 4.14.8 - CVE-2018-10853: A flaw was found in kvm. In which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 112016
    published 2018-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112016
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2416-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-1331.NASL
    description This update for xen fixes the following issues : XEN was updated to the Xen 4.9.3 bug fix only release (bsc#1027519) - CVE-2018-17963: qemu_deliver_packet_iov accepted packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact. (bsc#1111014) - CVE-2018-15470: oxenstored might not have enforced the configured quota-maxentity. This allowed a malicious or buggy guest to write as many xenstore entries as it wishes, causing unbounded memory usage in oxenstored. This can lead to a system-wide DoS. (XSA-272) (bsc#1103279) - CVE-2018-15469: ARM never properly implemented grant table v2, either in the hypervisor or in Linux. Unfortunately, an ARM guest can still request v2 grant tables; they will simply not be properly set up, resulting in subsequent grant-related hypercalls hitting BUG() checks. An unprivileged guest can cause a BUG() check in the hypervisor, resulting in a denial-of-service (crash). (XSA-268) (bsc#1103275) Note that SUSE does not ship ARM Xen, so we are not affected. - CVE-2018-15468: The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the core. As a result, it must only be available to fully trusted guests. Unfortunately, in the case that vPMU is disabled, all value checking was skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes. A malicious or buggy guest administrator (on Intel x86 HVM or PVH) can lock up the entire host, causing a Denial of Service. 
(XSA-269) (bsc#1103276) - CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may have allowed unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis. (XSA-273) (bsc#1091107) Non security issues fixed : - The affinity reporting via 'xl vcpu-list' was broken (bsc#1106263) - Kernel oops in fs/dcache.c called by d_materialise_unique() (bsc#1094508) This update was imported from the SUSE:SLE-12-SP3:Update update project.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 118563
    published 2018-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118563
    title openSUSE Security Update : xen (openSUSE-2018-1331) (Foreshadow)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2018-005.NASL
    description The remote host is running Mac OS X 10.12.6 and is missing a security update. It is, therefore, affected by multiple vulnerabilities affecting the following components : - afpserver - AppleGraphicsControl - APR - ATS - CFNetwork - CoreAnimation - CoreCrypto - CoreFoundation - CUPS - Dictionary - dyld - Foundation - Heimdal - Hypervisor - ICU - Intel Graphics Driver - IOGraphics - IOHIDFamily - IOKit - IOUserEthernet - IPSec - Kernel - Login Window - mDNSOffloadUserClient - MediaRemote - Microcode - Perl - Ruby - Security - Spotlight - Symptom Framework - WiFi
    last seen 2019-02-21
    modified 2019-01-09
    plugin id 118573
    published 2018-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118573
    title macOS and Mac OS X Multiple Vulnerabilities (Security Update 2018-005)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-3490-1.NASL
    description This update for xen fixes the following issues : XEN was updated to the Xen 4.9.3 bug fix only release (bsc#1027519) CVE-2018-17963: qemu_deliver_packet_iov accepted packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact. (bsc#1111014) CVE-2018-15470: oxenstored might not have enforced the configured quota-maxentity. This allowed a malicious or buggy guest to write as many xenstore entries as it wishes, causing unbounded memory usage in oxenstored. This can lead to a system-wide DoS. (XSA-272) (bsc#1103279) CVE-2018-15469: ARM never properly implemented grant table v2, either in the hypervisor or in Linux. Unfortunately, an ARM guest can still request v2 grant tables; they will simply not be properly set up, resulting in subsequent grant-related hypercalls hitting BUG() checks. An unprivileged guest can cause a BUG() check in the hypervisor, resulting in a denial-of-service (crash). (XSA-268) (bsc#1103275) Note that SUSE does not ship ARM Xen, so we are not affected. CVE-2018-15468: The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the core. As a result, it must only be available to fully trusted guests. Unfortunately, in the case that vPMU is disabled, all value checking was skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes. A malicious or buggy guest administrator (on Intel x86 HVM or PVH) can lock up the entire host, causing a Denial of Service. 
(XSA-269) (bsc#1103276) CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may have allowed unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis. (XSA-273) (bsc#1091107) Non security issues fixed: The affinity reporting via 'xl vcpu-list' was broken (bsc#1106263) Kernel oops in fs/dcache.c called by d_materialise_unique() (bsc#1094508) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 118491
    published 2018-10-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118491
    title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2018:3490-1) (Foreshadow)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_AUG_4343897.NASL
    description The remote Windows host is missing security update 4343897. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. (CVE-2018-8341, CVE-2018-8348) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8344) - An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. (CVE-2018-8343) - A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-8349) - An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-8400, CVE-2018-8401, CVE-2018-8405, CVE-2018-8406) - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8390) - A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. (CVE-2018-8414) - A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this vulnerability could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine. (CVE-2018-8200, CVE-2018-8204) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385) - An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
(CVE-2018-8347) - A remote code execution vulnerability exists when Microsoft Windows PDF Library improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8350) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2018-8345) - An information disclosure vulnerability exists when WebAudio Library improperly handles audio requests. An attacker who has successfully exploited this vulnerability might be able to read privileged data across trust boundaries. In browsing scenarios, an attacker could convince a user to visit a malicious site and leverage the vulnerability to obtain privileged information from the browser process, such as sensitive data from other opened tabs. An attacker could also inject malicious code into advertising networks used by trusted sites or embed malicious code on a compromised, but trusted, site. The update addresses the vulnerability by correcting how the WebAudio Library handles audio requests. (CVE-2018-8370) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-8339) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8266, CVE-2018-8381) - A remote code execution vulnerability exists when Internet Explorer improperly validates hyperlinks before loading executable libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8316) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8399, CVE-2018-8404) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
(CVE-2018-8394, CVE-2018-8398) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8403) - An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction. An attacker who successfully exploited this vulnerability could allow an attacker to obtain browser frame or window state from a different domain. For an attack to be successful, an attacker must persuade a user to open a malicious website from a secure website. This update addresses the vulnerability by denying permission to read the state of the object model, to which frames or windows on different domains should not have access. (CVE-2018-8351) - An elevation of privilege vulnerability exists in Microsoft browsers allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2018-8357) - An Elevation of Privilege vulnerability exists when Diagnostics Hub Standard Collector allows file creation in arbitrary locations. (CVE-2018-0952) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. 
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373, CVE-2018-8389) - A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8377) - An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments. The vulnerability is caused when .NET Framework is used in high-load/high-density network connections where content from one stream can blend into another stream. (CVE-2018-8360) - A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content. An attacker who successfully exploited this vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2018-8388)
    last seen 2019-02-21
    modified 2019-01-30
    plugin id 111687
    published 2018-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111687
    title KB4343897: Windows 10 Version 1709 And Windows Server Version 1709 August 2018 Security Update (Foreshadow)
  • NASL family MacOS X Local Security Checks
    NASL id MACOS_10_14.NASL
    description The remote host is running a version of Mac OS X that is prior to 10.13.6 or is not macOS 10.14. It is, therefore, affected by multiple vulnerabilities in the following components : - afpserver - AppleGraphicsControl - Application Firewall - App Store - APR - ATS - Auto Unlock - Bluetooth - CFNetwork - CoreFoundation - CoreText - Crash Reporter - CUPS - Dictionary - Grand Central Dispatch - Heimdal - Hypervisor - iBooks - Intel Graphics Driver - IOHIDFamily - IOKit - IOUserEthernet - Kernel - LibreSSL - Login Window - mDNSOffloadUserClient - MediaRemote - Microcode - Security - Spotlight - Symptom Framework - Text - Wi-Fi Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 118178
    published 2018-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118178
    title macOS < 10.14 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-915602DF63.NASL
    description L1 Terminal Fault speculative side channel patch bundle [XSA-273, CVE-2018-3620, CVE-2018-3646] drop patches also in the bundle, which also includes Use of v2 grant tables may cause crash on ARM [XSA-268] (#1616081) x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS [XSA-269] (#1616077) oxenstored does not apply quota-maxentity [XSA-272] (#1616080) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-02
    plugin id 112234
    published 2018-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112234
    title Fedora 27 : xen (2018-915602df63) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2391-1.NASL
    description This update for the Linux Kernel 4.4.114-92_67 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2017-18344: The timer_create syscall implementation in kernel/time/posix-timers.c didn't properly validate the sigevent->sigev_notify field, which led to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allowed userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE) (bsc#1103203). before 4.14.8 - CVE-2018-10853: A flaw was found in kvm, in which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111842
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111842
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2391-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2528-1.NASL
    description This update for xen fixes the following issues: These security issues were fixed : - CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may have allowed unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis (bsc#1091107, bsc#1027519). - CVE-2018-12617: An integer overflow that could cause a segmentation fault in qmp_guest_file_read() with g_malloc() in qemu-guest-agent was fixed (bsc#1098744) - CVE-2018-3665: System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel. (bsc#1095242) - CVE-2018-3639: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. (bsc#1092631) - CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. (bsc#1074562) - CVE-2017-5753: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. (bsc#1074562) - CVE-2017-5754: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache. 
(bsc#1074562) - CVE-2018-12891: Certain PV MMU operations may take a long time to process. For that reason Xen explicitly checks for the need to preempt the current vCPU at certain points. A few rarely taken code paths did bypass such checks. By suitably enforcing the conditions through its own page table contents, a malicious guest may cause such bypasses to be used for an unbounded number of iterations. A malicious or buggy PV guest may cause a Denial of Service (DoS) affecting the entire host. Specifically, it may prevent use of a physical CPU for an indeterminate period of time. (bsc#1097521) - CVE-2018-12893: One of the fixes in XSA-260 added some safety checks to help prevent Xen livelocking with debug exceptions. Unfortunately, due to an oversight, at least one of these safety checks can be triggered by a guest. A malicious PV guest can crash Xen, leading to a Denial of Service. Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH guests cannot exploit the vulnerability. An attacker needs to be able to control hardware debugging facilities to exploit the vulnerability, but such permissions are typically available to unprivileged users. (bsc#1097522) - CVE-2018-11806: m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams. (bsc#1096224) - CVE-2018-10982: An issue was discovered in Xen that allowed x86 HVM guest OS users to cause a denial of service (unexpectedly high interrupt number, array overrun, and hypervisor crash) or possibly gain hypervisor privileges by setting up an HPET timer to deliver interrupts in IO-APIC mode, aka vHPET interrupt injection. (bsc#1090822) - CVE-2018-10981: An issue was discovered in Xen that allowed x86 HVM guest OS users to cause a denial of service (host OS infinite loop) in situations where a QEMU device model attempts to make invalid transitions between states of a request. 
(bsc#1090823) Following bugs were fixed : - After updating to kernel 3.0.101-0.47.106.32-xen system crashes in check_bugs() (bsc#1097206) - bsc#1079730 - in xen-kmp, unplug emulated devices after migration This is required since xen-4.10 and/or qemu-2.10 because the state of unplug is not propagated from one dom0 to another. Without this unplug qemu's block-backend will be unable to open qcow2 disks on the receiving dom0 Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 112147
    published 2018-08-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112147
    title SUSE SLES11 Security Update : xen (SUSE-SU-2018:2528-1) (Foreshadow) (Meltdown) (Spectre)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3740-1.NASL
    description It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS). (CVE-2018-3646) It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker could use this to expose sensitive information (memory from the kernel or other processes). (CVE-2018-3620) Juha-Matti Tilli discovered that the IP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packet fragments. A remote attacker could use this to cause a denial of service. (CVE-2018-5391). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-08
    plugin id 111749
    published 2018-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111749
    title Ubuntu 18.04 LTS : linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oem, and (USN-3740-1) (Foreshadow)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2018-0248.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 111992
    published 2018-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111992
    title OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2367-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_66 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2017-11600: net/xfrm/xfrm_policy.c did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bsc#1096564) - CVE-2018-10853: A flaw was found in kvm, in which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111834
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111834
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2367-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2351-1.NASL
    description This update for the Linux Kernel 3.12.61-52_101 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2017-11600: net/xfrm/xfrm_policy.c did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bsc#1096564) - CVE-2018-10853: A flaw was found in kvm, in which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111822
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111822
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2351-1) (Foreshadow)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_AUG_4343885.NASL
    description The remote Windows host is missing security update 4343885. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. (CVE-2018-8341, CVE-2018-8348) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8344) - An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. (CVE-2018-8343) - A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-8349) - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8390) - A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. 
An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. (CVE-2018-8414) - A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this vulnerability could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine. (CVE-2018-8200, CVE-2018-8204) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385) - An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8347) - A remote code execution vulnerability exists when Microsoft Windows PDF Library improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8350) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2018-8345) - An information disclosure vulnerability exists when WebAudio Library improperly handles audio requests. An attacker who has successfully exploited this vulnerability might be able to read privileged data across trust boundaries. In browsing scenarios, an attacker could convince a user to visit a malicious site and leverage the vulnerability to obtain privileged information from the browser process, such as sensitive data from other opened tabs. An attacker could also inject malicious code into advertising networks used by trusted sites or embed malicious code on a compromised, but trusted, site. The update addresses the vulnerability by correcting how the WebAudio Library handles audio requests. (CVE-2018-8370) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. 
(CVE-2018-8339) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8266, CVE-2018-8381) - A remote code execution vulnerability exists when Internet Explorer improperly validates hyperlinks before loading executable libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8316) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8399, CVE-2018-8404) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8394, CVE-2018-8398) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. 
The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8403) - An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction. An attacker who successfully exploited this vulnerability could allow an attacker to obtain browser frame or window state from a different domain. For an attack to be successful, an attacker must persuade a user to open a malicious website from a secure website. This update addresses the vulnerability by denying permission to read the state of the object model, to which frames or windows on different domains should not have access. (CVE-2018-8351) - An elevation of privilege vulnerability exists in Microsoft browsers allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2018-8357) - An Elevation of Privilege vulnerability exists when Diagnostics Hub Standard Collector allows file creation in arbitrary locations. (CVE-2018-0952) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. 
(CVE-2018-8353, CVE-2018-8371, CVE-2018-8373, CVE-2018-8389) - An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-8401, CVE-2018-8405, CVE-2018-8406) - An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments. The vulnerability is caused when .NET Framework is used in high-load/high-density network connections where content from one stream can blend into another stream. (CVE-2018-8360) - A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content. An attacker who successfully exploited this vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2018-8388)
    last seen 2019-02-21
    modified 2019-01-30
    plugin id 111684
    published 2018-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111684
    title KB4343885: Windows 10 Version 1703 August 2018 Security Update (Foreshadow)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD_10_13_6_2018-002.NASL
    description The remote host is running macOS 10.13.6 and is missing a security update. It is, therefore, affected by multiple vulnerabilities affecting the following components : - fpserver - AppleGraphicsControl - APR - ATS - CFNetwork - CoreAnimation - CoreCrypto - CoreFoundation - CUPS - Dictionary - dyld - EFI - Foundation - Grand Central Dispatch - Heimdal - Hypervisor - ICU - Intel Graphics Driver - IOGraphics - IOHIDFamily - IOKit - IOUserEthernet - IPSec - Kernel - Login Window - mDNSOffloadUserClient - MediaRemote - Microcode - NetworkExtension - Security - Spotlight - Symptom Framework - WiFi
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 118575
    published 2018-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118575
    title macOS 10.13.6 Multiple Vulnerabilities (Security Update 2018-002)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2362-1.NASL
    description The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-13053: The alarm_timer_nsleep function in kernel/time/alarmtimer.c had an integer overflow via a large relative timeout because ktime_add_safe is not used (bnc#1099924). - CVE-2018-13405: The inode_init_owner function in fs/inode.c allowed local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID (bnc#1100416). - CVE-2018-13406: An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1098016 bnc#1100418). - CVE-2018-14734: drivers/infiniband/core/ucma.c allowed ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allowed attackers to cause a denial of service (use-after-free) (bnc#1103119). - CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data. (bnc#1087081). - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. 
(bnc#1089343). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111830
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111830
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2362-1) (Foreshadow)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-683DFDE81A.NASL
    description L1 Terminal Fault speculative side channel patch bundle [XSA-273, CVE-2018-3620, CVE-2018-3646]; drop patches also in the bundle, which also includes: Use of v2 grant tables may cause crash on ARM [XSA-268] (#1616081); x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS [XSA-269] (#1616077); oxenstored does not apply quota-maxentity [XSA-272] (#1616080). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-03
    plugin id 120490
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120490
    title Fedora 28 : xen (2018-683dfde81a) (Foreshadow)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2018-0247.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0247 for details.
    last seen 2019-02-21
    modified 2018-11-01
    plugin id 111773
    published 2018-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111773
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0247) (Foreshadow)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201810-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-201810-06 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the referenced CVE identifiers for details. Impact : A local attacker could cause a Denial of Service condition or disclose sensitive information. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-10-31
    plugin id 118506
    published 2018-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118506
    title GLSA-201810-06 : Xen: Multiple vulnerabilities (Foreshadow) (Meltdown) (Spectre)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2363-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_82 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2018-10853: A flaw was found in kvm. In which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111831
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111831
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2363-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2354-1.NASL
    description This update for the Linux Kernel 3.12.61-52_119 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2018-10853: A flaw was found in kvm. In which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111825
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111825
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2354-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-885.NASL
    description The openSUSE Leap 42.3 kernel was updated to 4.4.143 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-18344: The timer_create syscall implementation in kernel/time/posix-timers.c didn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allowed userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE) (bnc#1102851 bnc#1103580). - CVE-2018-10876: A flaw was found in Linux kernel in the ext4 filesystem code. A use-after-free is possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image. (bnc#1099811) - CVE-2018-10877: Linux kernel ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image. (bnc#1099846) - CVE-2018-10878: A flaw was found in the ext4 filesystem. A local user can cause an out-of-bounds write and a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4 filesystem image. (bnc#1099813) - CVE-2018-10879: A flaw was found in the ext4 filesystem. A local user can cause a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a file in a crafted ext4 filesystem image. (bnc#1099844) - CVE-2018-10880: Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system crash and a denial of service. (bnc#1099845) - CVE-2018-10881: A flaw was found in the ext4 filesystem. A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image. 
(bnc#1099864) - CVE-2018-10882: A flaw was found in the ext4 filesystem. A local user can cause an out-of-bound write in in fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image. (bnc#1099849) - CVE-2018-10883: A flaw was found in the ext4 filesystem. A local user can cause an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image. (bnc#1099863) - CVE-2018-14734: drivers/infiniband/core/ucma.c allowed ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allowed attackers to cause a denial of service (use-after-free) (bnc#1103119). - CVE-2018-3620: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis (bnc#1087081 1089343 ). - CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis (bnc#1089343 1104365). - CVE-2018-5390 aka 'SegmentSmack': The Linux kernel could be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (bnc#1102340). - CVE-2018-5391 aka 'FragmentSmack': A flaw in the IP packet reassembly could be used by remote attackers to consume lots of CPU time (bnc#1103097). The following non-security bugs were fixed : - Add support for 5,25,50, and 100G to 802.3ad bonding driver (bsc#1096978) - ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS (bnc#1012382). 
- arm64: do not open code page table entry creation (bsc#1102197). - arm64: kpti: Use early_param for kpti= command-line option (bsc#1102188). - arm64: Make sure permission updates happen for pmd/pud (bsc#1102197). - atm: zatm: Fix potential Spectre v1 (bnc#1012382). - bcm63xx_enet: correct clock usage (bnc#1012382). - bcm63xx_enet: do not write to random DMA channel on BCM6345 (bnc#1012382). - blkcg: simplify statistic accumulation code (bsc#1082979). - block: copy ioprio in __bio_clone_fast() (bsc#1082653). - block/swim: Fix array bounds check (bsc#1082979). - bpf: fix loading of BPF_MAXINSNS sized programs (bsc#1012382). - bpf, x64: fix memleak when not converging after image (bsc#1012382). - btrfs: Do not remove block group still has pinned down bytes (bsc#1086457). - cachefiles: Fix missing clear of the CACHEFILES_OBJECT_ACTIVE flag (bsc#1099858). - cachefiles: Fix refcounting bug in backing-file read monitoring (bsc#1099858). - cachefiles: Wait rather than BUG'ing on 'Unexpected object collision' (bsc#1099858). - cifs: fix bad/NULL ptr dereferencing in SMB2_sess_setup() (bsc#1090123). - compiler, clang: always inline when CONFIG_OPTIMIZE_INLINING is disabled (bnc#1012382). - compiler, clang: properly override 'inline' for clang (bnc#1012382). - compiler, clang: suppress warning for unused static inline functions (bnc#1012382). - compiler-gcc.h: Add __attribute__((gnu_inline)) to all inline declarations (bnc#1012382). - cpu/hotplug: Add sysfs state interface (bsc#1089343). - cpu/hotplug: Provide knobs to control SMT (bsc#1089343). - cpu/hotplug: Split do_cpu_down() (bsc#1089343). - crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak (bnc#1012382). - crypto: crypto4xx - remove bad list_del (bnc#1012382). - dm thin metadata: remove needless work from __commit_transaction (bsc#1082979). - drm/msm: Fix possible null dereference on failure of get_pages() (bsc#1102394). - drm: re-enable error handling (bsc#1103884). 
- esp6: fix memleak on error path in esp6_input (git-fixes). - ext4: check for allocation block validity with block group locked (bsc#1104495). - ext4: do not update s_last_mounted of a frozen fs (bsc#1101841). - ext4: factor out helper ext4_sample_last_mounted() (bsc#1101841). - ext4: fix check to prevent initializing reserved inodes (bsc#1104319). - ext4: fix false negatives *and* false positives in ext4_check_descriptors() (bsc#1103445). - ext4: fix inline data updates with checksums enabled (bsc#1104494). - fscache: Allow cancelled operations to be enqueued (bsc#1099858). - fscache: Fix reference overput in fscache_attach_object() error handling (bsc#1099858). - genirq: Make force irq threading setup more robust (bsc#1082979). - hid: usbhid: add quirk for innomedia INNEX GENESIS/ATARI adapter (bnc#1012382). - ib/isert: fix T10-pi check mask setting (bsc#1082979). - ibmasm: do not write out of bounds in read handler (bnc#1012382). - ibmvnic: Fix error recovery on login failure (bsc#1101789). - ibmvnic: Remove code to request error information (bsc#1104174). - ibmvnic: Revise RX/TX queue error messages (bsc#1101331). - ibmvnic: Update firmware error reporting with cause string (bsc#1104174). - iw_cxgb4: correctly enforce the max reg_mr depth (bnc#1012382). - kabi protect includes in include/linux/inet.h (bsc#1095643). - kabi protect net/core/utils.c includes (bsc#1095643). - kABI: protect struct loop_device (kabi). - kABI: reintroduce __static_cpu_has_safe (kabi). - Kbuild: fix # escaping in .cmd files for future Make (bnc#1012382). - keys: DNS: fix parsing multiple options (bnc#1012382). - kvm: arm/arm64: Drop resource size check for GICV window (bsc#1102215). - kvm: arm/arm64: Set dist->spis to NULL after kfree (bsc#1102214). - libata: do not try to pass through NCQ commands to non-NCQ devices (bsc#1082979). - loop: add recursion validation to LOOP_CHANGE_FD (bnc#1012382). - loop: remember whether sysfs_create_group() was done (bnc#1012382). 
- mmc: dw_mmc: fix card threshold control configuration (bsc#1102203). - mm: check VMA flags to avoid invalid PROT_NONE NUMA balancing (bsc#1097771). - net: cxgb3_main: fix potential Spectre v1 (bnc#1012382). - net: dccp: avoid crash in ccid3_hc_rx_send_feedback() (bnc#1012382). - net: dccp: switch rx_tstamp_last_feedback to monotonic clock (bnc#1012382). - netfilter: ebtables: reject non-bridge targets (bnc#1012382). - netfilter: nf_queue: augment nfqa_cfg_policy (bnc#1012382). - netfilter: x_tables: initialise match/target check parameter struct (bnc#1012382). - net/mlx5: Fix command interface race in polling mode (bnc#1012382). - net/mlx5: Fix incorrect raw command length parsing (bnc#1012382). - net: mvneta: fix the Rx desc DMA address in the Rx path (bsc#1102207). - net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bnc#1012382). - net: off by one in inet6_pton() (bsc#1095643). - net: phy: marvell: Use strlcpy() for ethtool::get_strings (bsc#1102205). - net_sched: blackhole: tell upper qdisc about dropped packets (bnc#1012382). - net: sungem: fix rx checksum support (bnc#1012382). - net/utils: generic inet_pton_with_scope helper (bsc#1095643). - null_blk: use sector_div instead of do_div (bsc#1082979). - nvme-rdma: Check remotely invalidated rkey matches our expected rkey (bsc#1092001). - nvme-rdma: default MR page size to 4k (bsc#1092001). - nvme-rdma: do not complete requests before a send work request has completed (bsc#1092001). - nvme-rdma: do not suppress send completions (bsc#1092001). - nvme-rdma: Fix command completion race at error recovery (bsc#1090435). - nvme-rdma: make nvme_rdma_[create|destroy]_queue_ib symmetrical (bsc#1092001). - nvme-rdma: use inet_pton_with_scope helper (bsc#1095643). - nvme-rdma: Use mr pool (bsc#1092001). - nvme-rdma: wait for local invalidation before completing a request (bsc#1092001). - ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent (bnc#1012382). 
- pci: ibmphp: Fix use-before-set in get_max_bus_speed() (bsc#1100132). - perf tools: Move syscall number fallbacks from perf-sys.h to tools/arch/x86/include/asm/ (bnc#1012382). - pm / hibernate: Fix oops at snapshot_write() (bnc#1012382). - powerpc/64: Initialise thread_info for emergency stacks (bsc#1094244, bsc#1100930, bsc#1102683). - powerpc/fadump: handle crash memory ranges array index overflow (bsc#1103269). - powerpc/fadump: merge adjacent memory ranges to reduce PT_LOAD segements (bsc#1103269). - qed: Limit msix vectors in kdump kernel to the minimum required count (bnc#1012382). - r8152: napi hangup fix after disconnect (bnc#1012382). - rdma/ocrdma: Fix an error code in ocrdma_alloc_pd() (bsc#1082979). - rdma/ocrdma: Fix error codes in ocrdma_create_srq() (bsc#1082979). - rdma/ucm: Mark UCM interface as BROKEN (bnc#1012382). - rds: avoid unenecessary cong_update in loop transport (bnc#1012382). - Revert 'block-cancel-workqueue-entries-on-blk_mq_freeze_queue' (bsc#1103717) - Revert 'sit: reload iphdr in ipip6_rcv' (bnc#1012382). - Revert 'x86/cpufeature: Move some of the scattered feature bits to x86_capability' (kabi). - Revert 'x86/cpu: Probe CPUID leaf 6 even when cpuid_level == 6' (kabi). - rtlwifi: rtl8821ae: fix firmware is not ready to run (bnc#1012382). - s390/qeth: fix error handling in adapter command callbacks (bnc#1103745, LTC#169699). - sched/smt: Update sched_smt_present at runtime (bsc#1089343). - scsi: qlogicpti: Fix an error handling path in 'qpti_sbus_probe()' (bsc#1082979). - scsi: sg: fix minor memory leak in error path (bsc#1082979). - scsi: target: fix crash with iscsi target and dvd (bsc#1082979). - smsc75xx: Add workaround for gigabit link up hardware errata (bsc#1100132). - smsc95xx: Configure pause time to 0xffff when tx flow control enabled (bsc#1085536). - supported.conf: Do not build KMP for openSUSE kernels The merge of kselftest-kmp was overseen, and bad for openSUSE-42.3 - tcp: fix Fast Open key endianness (bnc#1012382). 
- tcp: prevent bogus FRTO undos with non-SACK flows (bnc#1012382). - tools build: fix # escaping in .cmd files for future Make (bnc#1012382). - uprobes/x86: Remove incorrect WARN_ON() in uprobe_init_insn() (bnc#1012382). - usb: core: handle hub C_PORT_OVER_CURRENT condition (bsc#1100132). - usb: quirks: add delay quirks for Corsair Strafe (bnc#1012382). - usb: serial: ch341: fix type promotion bug in ch341_control_in() (bnc#1012382). - usb: serial: cp210x: add another USB ID for Qivicon ZigBee stick (bnc#1012382). - usb: serial: keyspan_pda: fix modem-status error handling (bnc#1012382). - usb: serial: mos7840: fix status-register error handling (bnc#1012382). - usb: yurex: fix out-of-bounds uaccess in read handler (bnc#1012382). - vfio: platform: Fix reset module leak in error path (bsc#1102211). - vfs: add the sb_start_intwrite_trylock() helper (bsc#1101841). - vhost_net: validate sock before trying to put its fd (bnc#1012382). - vmw_balloon: fix inflation with batching (bnc#1012382). - x86/alternatives: Add an auxilary section (bnc#1012382). - x86/alternatives: Discard dynamic check after init (bnc#1012382). - x86/apic: Ignore secondary threads if nosmt=force (bsc#1089343). - x86/asm: Add _ASM_ARG* constants for argument registers to (bnc#1012382). - x86/boot: Simplify kernel load address alignment check (bnc#1012382). - x86/CPU/AMD: Do not check CPUID max ext level before parsing SMP info (bsc#1089343). - x86/cpu/AMD: Evaluate smp_num_siblings early (bsc#1089343). - x86/CPU/AMD: Move TOPOEXT reenablement before reading smp_num_siblings (bsc#1089343). Update config files. - x86/cpu/AMD: Remove the pointless detect_ht() call (bsc#1089343). - x86/cpu/common: Provide detect_ht_early() (bsc#1089343). - x86/cpufeature: Add helper macro for mask check macros (bnc#1012382). - x86/cpufeature: Carve out X86_FEATURE_* (bnc#1012382). - x86/cpufeature: Get rid of the non-asm goto variant (bnc#1012382). 
- x86/cpufeature: Make sure DISABLED/REQUIRED macros are updated (bnc#1012382). - x86/cpufeature: Move some of the scattered feature bits to x86_capability (bnc#1012382). - x86/cpufeature: Replace the old static_cpu_has() with safe variant (bnc#1012382). - x86/cpufeature: Speed up cpu_feature_enabled() (bnc#1012382). - x86/cpufeature: Update cpufeaure macros (bnc#1012382). - x86/cpu/intel: Evaluate smp_num_siblings early (bsc#1089343). - x86/cpu: Probe CPUID leaf 6 even when cpuid_level == 6 (bnc#1012382). - x86/cpu: Provide a config option to disable static_cpu_has (bnc#1012382). - x86/cpu: Remove the pointless CPU printout (bsc#1089343). - x86/cpu/topology: Provide detect_extended_topology_early() (bsc#1089343). - x86/fpu: Add an XSTATE_OP() macro (bnc#1012382). - x86/fpu: Get rid of xstate_fault() (bnc#1012382). - x86/headers: Do not include asm/processor.h in asm/atomic.h (bnc#1012382). - x86/mm/pkeys: Fix mismerge of protection keys CPUID bits (bnc#1012382). - x86/mm: Simplify p[g4um]d_page() macros (1087081). - x86/smpboot: Do not use smp_num_siblings in __max_logical_packages calculation (bsc#1089343). - x86/smp: Provide topology_is_primary_thread() (bsc#1089343). - x86/topology: Add topology_max_smt_threads() (bsc#1089343). - x86/topology: Provide topology_smt_supported() (bsc#1089343). - x86/vdso: Use static_cpu_has() (bnc#1012382). - xen/grant-table: log the lack of grants (bnc#1085042). - xen-netfront: Fix mismatched rtnl_unlock (bnc#1101658). - xen-netfront: Update features after registering netdev (bnc#1101658). - xhci: xhci-mem: off by one in xhci_stream_id_to_ring() (bnc#1012382).
    last seen 2019-02-21
    modified 2018-11-01
    plugin id 111997
    published 2018-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111997
    title openSUSE Security Update : the Linux Kernel (openSUSE-2018-885) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2352-1.NASL
    description This update for the Linux Kernel 3.12.61-52_89 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2017-11600: net/xfrm/xfrm_policy.c did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bsc#1096564) - CVE-2018-10853: A flaw was found in kvm. In which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111823
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111823
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2352-1) (Foreshadow)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2018-0272.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0272 for details.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 118963
    published 2018-11-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118963
    title OracleVM 3.2 : xen (OVMSA-2018-0272) (Foreshadow) (Spectre)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4274.NASL
    description This update provides mitigations for the 'L1 Terminal Fault' vulnerability affecting a range of Intel CPUs. For additional information please refer to https://xenbits.xen.org/xsa/advisory-273.html. The microcode updates mentioned there are not yet available in a form distributable by Debian. In addition two denial of service vulnerabilities have been fixed (XSA-268 and XSA-269).
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 111797
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111797
    title Debian DSA-4274-1 : xen - security update (Foreshadow)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_2310B814A65211E8805BA4BADB2F4699.NASL
    description On certain Intel 64-bit x86 systems there is a period of time during terminal fault handling where the CPU may use speculative execution to try to load data. The CPU may speculatively access the level 1 data cache (L1D). Data which would otherwise be protected may then be determined by using side channel methods. This issue affects bhyve on FreeBSD/amd64 systems. Impact : An attacker executing user code, or kernel code inside of a virtual machine, may be able to read secret data from the kernel or from another virtual machine.
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 112069
    published 2018-08-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112069
    title FreeBSD : FreeBSD -- L1 Terminal Fault (L1TF) Kernel Information Disclosure (2310b814-a652-11e8-805b-a4badb2f4699) (Foreshadow)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3756-1.NASL
    description It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS). (CVE-2018-3646) Jann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2018-3639) Zdenek Sojka, Rudolf Marek, Alex Zuepke, and Innokentiy Sennovskiy discovered that microprocessors that perform speculative reads of system registers may allow unauthorized disclosure of system parameters via a sidechannel attack. This vulnerability is also known as Rogue System Register Read (RSRE). An attacker could use this to expose sensitive information. (CVE-2018-3640). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 112151
    published 2018-08-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112151
    title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : intel-microcode vulnerabilities (USN-3756-1) (Foreshadow) (Spectre)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1350.NASL
    description According to the version of the kvm package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3646) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 118438
    published 2018-10-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118438
    title EulerOS Virtualization 2.5.0 : kvm (EulerOS-SA-2018-1350)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_AUG_MICROCODE.NASL
    description The remote Windows host is missing a security update. It is, therefore, missing microcode updates to address Rogue System Register Read (RSRE), Speculative Store Bypass (SSB), L1 Terminal Fault (L1TF), and Branch Target Injection vulnerabilities.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 112116
    published 2018-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112116
    title Security Updates for Windows 10 / Windows Server 2016 (August 2018) (Spectre) (Meltdown) (Foreshadow)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_AUG_4343898.NASL
    description The remote Windows host is missing security update 4343888 or cumulative update 4343898. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8403) - An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments. The vulnerability is caused when .NET Framework is used in high-load/high-density network connections where content from one stream can blend into another stream. (CVE-2018-8360) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. (CVE-2018-8341, CVE-2018-8348) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8344) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8404) - A remote code execution vulnerability exists when Internet Explorer improperly validates hyperlinks before loading executable libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8316) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373, CVE-2018-8389) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2018-8345) - An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-8405) - An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. (CVE-2018-8343) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8394, CVE-2018-8398) - A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-8349) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-8339) - A security feature bypass vulnerability exists when Active Directory Federation Services (AD FS) improperly handles multi-factor authentication requests. (CVE-2018-8340) - An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction. An attacker who successfully exploited this vulnerability could obtain browser frame or window state from a different domain. For an attack to be successful, an attacker must persuade a user to open a malicious website from a secure website. This update addresses the vulnerability by denying permission to read the state of the object model, to which frames or windows on different domains should not have access. (CVE-2018-8351)
    last seen 2019-02-21
    modified 2019-01-30
    plugin id 111688
    published 2018-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111688
    title KB4343888: Windows 8.1 and Windows Server 2012 R2 August 2018 Security Update (Foreshadow)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2390.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 16th August 2018] The original errata text was missing reference to CVE-2018-5390 fix. We have updated the errata text to correct this issue. No changes have been made to the packages. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). 
As a result, an unprivileged attacker could use this flaw to influence speculative execution and/or read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3693) * A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. (CVE-2018-5390) * kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265) * kernel: race condition in snd_seq_write() may lead to UAF or OOB-access (CVE-2018-7566) * kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646; Vladimir Kiriansky (MIT) and Carl Waldspurger (Carl Waldspurger Consulting) for reporting CVE-2018-3693; Juha-Matti Tilli (Aalto University, Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5390; and Vegard Nossum (Oracle Corporation) for reporting CVE-2018-10901. Bug Fix(es) : * The Least recently used (LRU) operations are batched by caching pages in per-cpu page vectors to prevent contention of the heavily used lru_lock spinlock. 
The page vectors can hold even the compound pages. Previously, the page vectors were cleared only if they were full. Subsequently, the amount of memory held in page vectors, which is not reclaimable, was sometimes too high. Consequently the page reclamation started the Out of Memory (OOM) killing processes. With this update, the underlying source code has been fixed to clear LRU page vectors each time when a compound page is added to them. As a result, OOM killing processes due to high amounts of memory held in page vectors no longer occur. (BZ#1575819)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 111731
    published 2018-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111731
    title RHEL 6 : kernel (RHSA-2018:2390) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2384-1.NASL
    description The SUSE Linux Enterprise 12 SP1 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data. (bnc#1087081). - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. (bnc#1089343). - CVE-2018-14734: drivers/infiniband/core/ucma.c allowed ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allowed attackers to cause a denial of service (use-after-free) (bnc#1103119). - CVE-2018-13053: The alarm_timer_nsleep function in kernel/time/alarmtimer.c had via a large relative timeout because ktime_add_safe is not used (bnc#1099924). - CVE-2018-13405: The inode_init_owner function in fs/inode.c allowed local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID (bnc#1100416). - CVE-2018-13406: An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1098016 bnc#1100418). 
The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111838
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111838
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2384-1) (Foreshadow)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1506.NASL
    description Security researchers identified speculative execution side-channel methods which have the potential to improperly gather sensitive data from multiple types of computing devices with different vendors’ processors and operating systems. This update requires an update to the intel-microcode package, which is non-free. It is related to DLA-1446-1 and adds more mitigations for additional types of Intel processors. For more information please also read the official Intel security advisories at: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00088.html https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html For Debian 8 'Jessie', these problems have been fixed in version 3.20180807a.1~deb8u1. We recommend that you upgrade your intel-microcode packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 117502
    published 2018-09-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117502
    title Debian DLA-1506-1 : intel-microcode security update (Foreshadow) (Spectre)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2483-1.NASL
    description This update for xen fixes the following issues. This security issue was fixed: - CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may have allowed unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis (bsc#1091107, bsc#1027519). These non-security issues were fixed: - bsc#1102116: SSBD is not virtualized for guests - bsc#1101684: Not able to disable the visibility of the new CPU flags Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 112106
    published 2018-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112106
    title SUSE SLES12 Security Update : xen (SUSE-SU-2018:2483-1) (Foreshadow)
  • NASL family Misc.
    NASL id VMWARE_ESXI_VMSA-2018-0020.NASL
    description The remote VMware ESXi host is version 5.5, 6.0, 6.5, or 6.7 and is missing a security patch. It is, therefore, vulnerable to a speculative execution side channel attack known as L1 Terminal Fault (L1TF). An attacker who successfully exploited L1TF may be able to read privileged data across trust boundaries.
    last seen 2019-02-21
    modified 2018-12-13
    plugin id 111759
    published 2018-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111759
    title ESXi 5.5 / 6.0 / 6.5 / 6.7 Speculative Execution Side Channel Vulnerability (Foreshadow) (VMSA-2018-0020) (remote check)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2018-0282.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0282 for details.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 119277
    published 2018-11-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119277
    title OracleVM 3.4 : xen (OVMSA-2018-0282) (Foreshadow) (Spectre)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2393.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 6.5 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646 and Vegard Nossum (Oracle Corporation) for reporting CVE-2018-10901.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 111734
    published 2018-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111734
    title RHEL 6 : kernel (RHSA-2018:2393) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2331-2.NASL
    description ucode-intel was updated to the 20180807 release. For the listed CPU chipsets this fixes CVE-2018-3640 (Spectre v3a) and is part of the mitigations for CVE-2018-3639 (Spectre v4) and CVE-2018-3646 (L1 Terminal fault). (bsc#1104134 bsc#1087082 bsc#1087083 bsc#1089343)
      Processor             Identifier Version             Products
      Model       Stepping  F-MO-S/PI  Old->New
      ---- new platforms ----------------------------------------
      WSM-EP/WS   U1        6-2c-2/03  0000001f            Xeon E/L/X56xx, W36xx
      NHM-EX      D0        6-2e-6/04  0000000d            Xeon E/L/X65xx/75xx
      BXT         C0        6-5c-2/01  00000014            Atom T5500/5700
      APL         E0        6-5c-a/03  0000000c            Atom x5-E39xx
      DVN         B0        6-5f-1/01  00000024            Atom C3xxx
      ---- updated platforms ------------------------------------
      NHM-EP/WS   D0        6-1a-5/03  00000019->0000001d  Xeon E/L/X/W55xx
      NHM         B1        6-1e-5/13  00000007->0000000a  Core i7-8xx, i5-7xx; Xeon L3426, X24xx
      WSM         B1        6-25-2/12  0000000e->00000011  Core i7-6xx, i5-6xx/4xxM, i3-5xx/3xxM, Pentium G69xx, Celeron P45xx; Xeon L3406
      WSM         K0        6-25-5/92  00000004->00000007  Core i7-6xx, i5-6xx/5xx/4xx, i3-5xx/3xx, Pentium G69xx/P6xxx/U5xxx, Celeron P4xxx/U3xxx
      SNB         D2        6-2a-7/12  0000002d->0000002e  Core Gen2; Xeon E3
      WSM-EX      A2        6-2f-2/05  00000037->0000003b  Xeon E7
      IVB         E2        6-3a-9/12  0000001f->00000020  Core Gen3 Mobile
      HSW-H/S/E3  Cx/Dx     6-3c-3/32  00000024->00000025  Core Gen4 Desktop; Xeon E3 v3
      BDW-U/Y     E/F       6-3d-4/c0  0000002a->0000002b  Core Gen5 Mobile
      HSW-ULT     Cx/Dx     6-45-1/72  00000023->00000024  Core Gen4 Mobile and derived Pentium/Celeron
      HSW-H       Cx        6-46-1/32  00000019->0000001a  Core Extreme i7-5xxxX
      BDW-H/E3    E/G       6-47-1/22  0000001d->0000001e  Core i5-5xxxR/C, i7-5xxxHQ/EQ; Xeon E3 v4
      SKL-U/Y     D0        6-4e-3/c0  000000c2->000000c6  Core Gen6 Mobile
      BDX-DE      V1        6-56-2/10  00000015->00000017  Xeon D-1520/40
      BDX-DE      V2/3      6-56-3/10  07000012->07000013  Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
      BDX-DE      Y0        6-56-4/10  0f000011->0f000012  Xeon D-1557/59/67/71/77/81/87
      APL         D0        6-5c-9/03  0000002c->00000032  Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
      SKL-H/S/E3  R0        6-5e-3/36  000000c2->000000c6  Core Gen6; Xeon E3 v5
    Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 118281
    published 2018-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118281
    title SUSE SLES12 Security Update : Security update to ucode-intel (SUSE-SU-2018:2331-2) (Foreshadow) (Spectre)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-886.NASL
    description The openSUSE Leap 15.0 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-10853: A flaw was found in KVM in which certain instructions such as sgdt/sidt call segmented_write_std doesn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic (bnc#1097104). - CVE-2018-10876: A flaw was found in the ext4 filesystem code. A use-after-free is possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image. (bnc#1099811) - CVE-2018-10877: Linux kernel ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image. (bnc#1099846) - CVE-2018-10878: A flaw was found in the ext4 filesystem. A local user can cause an out-of-bounds write and a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4 filesystem image. (bnc#1099813) - CVE-2018-10879: A flaw was found in the ext4 filesystem. A local user can cause a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a file in a crafted ext4 filesystem image. (bnc#1099844) - CVE-2018-10880: Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system crash and a denial of service. (bnc#1099845) - CVE-2018-10881: A flaw was found in the ext4 filesystem. A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image. (bnc#1099864) - CVE-2018-10882: A flaw was found in the ext4 filesystem. 
A local user can cause an out-of-bound write in in fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image. (bnc#1099849) - CVE-2018-10883: A flaw was found in the ext4 filesystem. A local user can cause an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image. (bnc#1099863) - CVE-2018-3620: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis (bnc#1087081). - CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis (bnc#1089343 bnc#1104365). - CVE-2018-5391 aka 'FragmentSmack': A flaw in the IP packet reassembly could be used by remote attackers to consume lots of CPU time (bnc#1103097). The following non-security bugs were fixed : - afs: Fix directory permissions check (bsc#1101828). - bdi: Move cgroup bdi_writeback to a dedicated low concurrency workqueue (bsc#1101867). - be2net: gather debug info and reset adapter (only for Lancer) on a tx-timeout (bsc#1086288). - be2net: Update the driver version to 12.0.0.0 (bsc#1086288 ). - befs_lookup(): use d_splice_alias() (bsc#1101844). - block: Fix transfer when chunk sectors exceeds max (bsc#1101874). - bpf, ppc64: fix unexpected r0=0 exit path inside bpf_xadd (bsc#1083647). - branch-check: fix long->int truncation when profiling branches (bsc#1101116,). - cdrom: do not call check_disk_change() inside cdrom_open() (bsc#1101872). - compiler.h: enable builtin overflow checkers and add fallback code (bsc#1101116,). 
- cpu/hotplug: Make bringup/teardown of smp threads symmetric (bsc#1089343). - cpu/hotplug: Provide knobs to control SMT (bsc#1089343). - cpu/hotplug: Split do_cpu_down() (bsc#1089343). - delayacct: fix crash in delayacct_blkio_end() after delayacct init failure (bsc#1104066). - dm: add writecache target (bsc#1101116,). - dm writecache: support optional offset for start of device (bsc#1101116,). - dm writecache: use 2-factor allocator arguments (bsc#1101116,). - EDAC: Add missing MEM_LRDDR4 entry in edac_mem_types[] (bsc#1103886). - EDAC: Drop duplicated array of strings for memory type names (bsc#1103886). - ext2: fix a block leak (bsc#1101875). - ext4: add more mount time checks of the superblock (bsc#1101900). - ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() (bsc#1101896). - ext4: check for allocation block validity with block group locked (bsc#1104495). - ext4: check superblock mapped prior to committing (bsc#1101902). - ext4: do not update s_last_mounted of a frozen fs (bsc#1101841). - ext4: factor out helper ext4_sample_last_mounted() (bsc#1101841). - ext4: fix check to prevent initializing reserved inodes (bsc#1104319). - ext4: fix false negatives *and* false positives in ext4_check_descriptors() (bsc#1103445). - ext4: fix fencepost error in check for inode count overflow during resize (bsc#1101853). - ext4: fix inline data updates with checksums enabled (bsc#1104494). - ext4: include the illegal physical block in the bad map ext4_error msg (bsc#1101903). - ext4: report delalloc reserve as non-free in statfs for project quota (bsc#1101843). - ext4: update mtime in ext4_punch_hole even if no blocks are released (bsc#1101895). - f2fs: call unlock_new_inode() before d_instantiate() (bsc#1101837). - fix io_destroy()/aio_complete() race (bsc#1101852). - Force log to disk before reading the AGF during a fstrim (bsc#1101893). - fscache: Fix hanging wait on page discarded by writeback (bsc#1101885). 
- fs: clear writeback errors in inode_init_always (bsc#1101882). - fs: do not scan the inode cache before SB_BORN is set (bsc#1101883). - hns3: fix unused function warning (bsc#1104353). - hns3pf: do not check handle during mqprio offload (bsc#1104353 ). - hns3pf: fix hns3_del_tunnel_port() (bsc#1104353). - hns3pf: Fix some harmless copy and paste bugs (bsc#1104353 ). - hv_netvsc: Fix napi reschedule while receive completion is busy (). - hv/netvsc: Fix NULL dereference at single queue mode fallback (bsc#1104708). - hwmon: (asus_atk0110) Replace deprecated device register call (bsc#1103363). - IB/hns: Annotate iomem pointers correctly (bsc#1104427 ). - IB/hns: Avoid compile test under non 64bit environments (bsc#1104427). - IB/hns: Declare local functions 'static' (bsc#1104427 ). - IB/hns: fix boolreturn.cocci warnings (bsc#1104427). - IB/hns: Fix for checkpatch.pl comment style warnings (bsc#1104427). - IB/hns: fix memory leak on ah on error return path (bsc#1104427 ). - IB/hns: fix returnvar.cocci warnings (bsc#1104427). - IB/hns: fix semicolon.cocci warnings (bsc#1104427). - IB/hns: Fix the bug of polling cq failed for loopback Qps (bsc#1104427). Refresh patches.suse/0001-IB-hns-checking-for-IS_ERR-instead-of- NULL.patch. - IB/hns: Fix the bug with modifying the MAC address without removing the driver (bsc#1104427). - IB/hns: Fix the bug with rdma operation (bsc#1104427 ). - IB/hns: Fix the bug with wild pointer when destroy rc qp (bsc#1104427). - IB/hns: include linux/interrupt.h (bsc#1104427). - IB/hns: Support compile test for hns RoCE driver (bsc#1104427 ). - IB/hns: Use zeroing memory allocator instead of allocator/memset (bsc#1104427). - isofs: fix potential memory leak in mount option parsing (bsc#1101887). - jump_label: Fix concurrent static_key_enable/disable() (bsc#1089343). - jump_label: Provide hotplug context variants (bsc#1089343). - jump_label: Reorder hotplug lock and jump_label_lock (bsc#1089343). 
- kabi/severities: Allow kABI changes for kvm/x86 (except for kvm_x86_ops) - kabi/severities: ignore qla2xxx as all symbols are internal - kabi/severities: ignore x86_kvm_ops; lttng-modules would have to be adjusted in case they depend on this particular change - kabi/severities: Relax kvm_vcpu_* kABI breakage - media: rc: oops in ir_timer_keyup after device unplug (bsc#1090888). - mm: fix __gup_device_huge vs unmap (bsc#1101839). - net: hns3: Add a check for client instance init state (bsc#1104353). - net: hns3: add a mask initialization for mac_vlan table (bsc#1104353). - net: hns3: Add *Asserting Reset* mailbox message & handling in VF (bsc#1104353). - net: hns3: add Asym Pause support to phy default features (bsc#1104353). - net: hns3: Add dcb netlink interface for the support of DCB feature (bsc#1104353). - net: hns3: Add DCB support when interacting with network stack (bsc#1104353). - net: hns3: Add ethtool interface for vlan filter (bsc#1104353 ). - net: hns3: add ethtool_ops.get_channels support for VF (bsc#1104353). - net: hns3: add ethtool_ops.get_coalesce support to PF (bsc#1104353). - net: hns3: add ethtool_ops.set_coalesce support to PF (bsc#1104353). - net: hns3: add ethtool -p support for fiber port (bsc#1104353 ). - net: hns3: add ethtool related offload command (bsc#1104353 ). - net: hns3: Add Ethtool support to HNS3 driver (bsc#1104353 ). - net: hns3: add existence checking before adding unicast mac address (bsc#1104353). - net: hns3: add existence check when remove old uc mac address (bsc#1104353). - net: hns3: add feature check when feature changed (bsc#1104353 ). - net: hns3: add get_link support to VF (bsc#1104353). - net: hns3: add get/set_coalesce support to VF (bsc#1104353 ). - net: hns3: add handling vlan tag offload in bd (bsc#1104353 ). - net: hns3: Add hclge_dcb module for the support of DCB feature (bsc#1104353). - net: hns3: Add HNS3 Acceleration Engine & Compatibility Layer Support (bsc#1104353). 
- net: hns3: Add HNS3 driver to kernel build framework & MAINTAINERS (bsc#1104353). - net: hns3: Add hns3_get_handle macro in hns3 driver (bsc#1104353 ). - net: hns3: Add HNS3 IMP(Integrated Mgmt Proc) Cmd Interface Support (bsc#1104353). - net: hns3: Add HNS3 VF driver to kernel build framework (bsc#1104353). - net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support (bsc#1104353). - net: hns3: Add HNS3 VF IMP(Integrated Management Proc) cmd interface (bsc#1104353). - net: hns3: add int_gl_idx setup for TX and RX queues (bsc#1104353). - net: hns3: add int_gl_idx setup for VF (bsc#1104353 ). - net: hns3: Add mac loopback selftest support in hns3 driver (bsc#1104353). - net: hns3: Add mailbox interrupt handling to PF driver (bsc#1104353). - net: hns3: Add mailbox support to PF driver (bsc#1104353 ). - net: hns3: Add mailbox support to VF driver (bsc#1104353 ). - net: hns3: add manager table initialization for hardware (bsc#1104353). - net: hns3: Add MDIO support to HNS3 Ethernet driver for hip08 SoC (bsc#1104353). - net: hns3: Add missing break in misc_irq_handle (bsc#1104353 ). - net: hns3: Add more packet size statisctics (bsc#1104353 ). - net: hns3: add MTU initialization for hardware (bsc#1104353 ). - net: hns3: add net status led support for fiber port (bsc#1104353). - net: hns3: add nic_client check when initialize roce base information (bsc#1104353). - net: hns3: add querying speed and duplex support to VF (bsc#1104353). - net: hns3: Add repeat address checking for setting mac address (bsc#1104353). - net: hns3: Add reset interface implementation in client (bsc#1104353). - net: hns3: Add reset process in hclge_main (bsc#1104353 ). - net: hns3: Add reset service task for handling reset requests (bsc#1104353). - net: hns3: add result checking for VF when modify unicast mac address (bsc#1104353). - net: hns3: Add some interface for the support of DCB feature (bsc#1104353). - net: hns3: Adds support for led locate command for copper port (bsc#1104353). 
- net: hns3: Add STRP_TAGP field support for hardware revision 0x21 (bsc#1104353). - net: hns3: Add support for dynamically buffer reallocation (bsc#1104353). - net: hns3: add support for ETHTOOL_GRXFH (bsc#1104353 ). - net: hns3: add support for get_regs (bsc#1104353). - net: hns3: Add support for IFF_ALLMULTI flag (bsc#1104353 ). - net: hns3: Add support for misc interrupt (bsc#1104353 ). - net: hns3: add support for nway_reset (bsc#1104353). - net: hns3: Add support for PFC setting in TM module (bsc#1104353 ). - net: hns3: Add support for port shaper setting in TM module (bsc#1104353). - net: hns3: add support for querying advertised pause frame by ethtool ethx (bsc#1104353). - net: hns3: add support for querying pfc puase packets statistic (bsc#1104353). - net: hns3: add support for set_link_ksettings (bsc#1104353 ). - net: hns3: add support for set_pauseparam (bsc#1104353 ). - net: hns3: add support for set_ringparam (bsc#1104353 ). - net: hns3: add support for set_rxnfc (bsc#1104353). - net: hns3: Add support for tx_accept_tag2 and tx_accept_untag2 config (bsc#1104353). - net: hns3: add support for VF driver inner interface hclgevf_ops.get_tqps_and_rss_info (bsc#1104353). - net: hns3: Add support of hardware rx-vlan-offload to HNS3 VF driver (bsc#1104353). - net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC (bsc#1104353). - net: hns3: Add support of .sriov_configure in HNS3 driver (bsc#1104353). - net: hns3: Add support of the HNAE3 framework (bsc#1104353 ). - net: hns3: Add support of TX Scheduler & Shaper to HNS3 driver (bsc#1104353). - net: hns3: Add support to change MTU in HNS3 hardware (bsc#1104353). - net: hns3: Add support to enable TX/RX promisc mode for H/W rev(0x21) (bsc#1104353). - net: hns3: add support to modify tqps number (bsc#1104353 ). - net: hns3: add support to query tqps number (bsc#1104353 ). - net: hns3: Add support to re-initialize the hclge device (bsc#1104353). 
- net: hns3: Add support to request VF Reset to PF (bsc#1104353 ). - net: hns3: Add support to reset the enet/ring mgmt layer (bsc#1104353). - net: hns3: add support to update flow control settings after autoneg (bsc#1104353). - net: hns3: Add tc-based TM support for sriov enabled port (bsc#1104353). - net: hns3: Add timeout process in hns3_enet (bsc#1104353 ). - net: hns3: Add VF Reset device state and its handling (bsc#1104353). - net: hns3: Add VF Reset Service Task to support event handling (bsc#1104353). - net: hns3: add vlan offload config command (bsc#1104353 ). - net: hns3: change GL update rate (bsc#1104353). - net: hns3: Change PF to add ring-vect binding & resetQ to mailbox (bsc#1104353). - net: hns3: Change return type of hnae3_register_ae_algo (bsc#1104353). - net: hns3: Change return type of hnae3_register_ae_dev (bsc#1104353). - net: hns3: Change return value in hnae3_register_client (bsc#1104353). - net: hns3: Changes required in PF mailbox to support VF reset (bsc#1104353). - net: hns3: Changes to make enet watchdog timeout func common for PF/VF (bsc#1104353). - net: hns3: Changes to support ARQ(Asynchronous Receive Queue) (bsc#1104353). - net: hns3: change the returned tqp number by ethtool -x (bsc#1104353). - net: hns3: change the time interval of int_gl calculating (bsc#1104353). - net: hns3: change the unit of GL value macro (bsc#1104353 ). - net: hns3: change TM sched mode to TC-based mode when SRIOV enabled (bsc#1104353). - net: hns3: check for NULL function pointer in hns3_nic_set_features (bsc#1104353). - net: hns3: Cleanup for endian issue in hns3 driver (bsc#1104353 ). - net: hns3: Cleanup for non-static function in hns3 driver (bsc#1104353). - net: hns3: Cleanup for ROCE capability flag in ae_dev (bsc#1104353). - net: hns3: Cleanup for shifting true in hns3 driver (bsc#1104353 ). - net: hns3: Cleanup for struct that used to send cmd to firmware (bsc#1104353). 
- net: hns3: Cleanup indentation for Kconfig in the the hisilicon folder (bsc#1104353). - net: hns3: cleanup mac auto-negotiation state query (bsc#1104353 ). - net: hns3: cleanup mac auto-negotiation state query in hclge_update_speed_duplex (bsc#1104353). - net: hns3: cleanup of return values in hclge_init_client_instance() (bsc#1104353). - net: hns3: Clear TX/RX rings when stopping port & un-initializing client (bsc#1104353). - net: hns3: Consistently using GENMASK in hns3 driver (bsc#1104353). - net: hns3: converting spaces into tabs to avoid checkpatch.pl warning (bsc#1104353). - net: hns3: Disable VFs change rxvlan offload status (bsc#1104353 ). - net: hns3: Disable vf vlan filter when vf vlan table is full (bsc#1104353). - net: hns3: ensure media_type is uninitialized (bsc#1104353 ). - net: hns3: export pci table of hclge and hclgevf to userspace (bsc#1104353). - net: hns3: fix a bug about hns3_clean_tx_ring (bsc#1104353 ). - net: hns3: fix a bug for phy supported feature initialization (bsc#1104353). - net: hns3: fix a bug in hclge_uninit_client_instance (bsc#1104353). - net: hns3: fix a bug in hns3_driv_to_eth_caps (bsc#1104353 ). - net: hns3: fix a bug when alloc new buffer (bsc#1104353 ). - net: hns3: fix a bug when getting phy address from NCL_config file (bsc#1104353). - net: hns3: fix a dead loop in hclge_cmd_csq_clean (bsc#1104353 ). - net: hns3: fix a handful of spelling mistakes (bsc#1104353 ). - net: hns3: Fix a loop index error of tqp statistics query (bsc#1104353). - net: hns3: Fix a misuse to devm_free_irq (bsc#1104353 ). - net: hns3: Fix an error handling path in 'hclge_rss_init_hw()' (bsc#1104353). - net: hns3: Fix an error macro definition of HNS3_TQP_STAT (bsc#1104353). - net: hns3: Fix an error of total drop packet statistics (bsc#1104353). - net: hns3: Fix a response data read error of tqp statistics query (bsc#1104353). - net: hns3: fix endian issue when PF get mbx message flag (bsc#1104353). 
- net: hns3: fix error type definition of return value (bsc#1104353). - net: hns3: Fixes API to fetch ethernet header length with kernel default (bsc#1104353). - net: hns3: Fixes error reported by Kbuild and internal review (bsc#1104353). - net: hns3: Fixes initalization of RoCE handle and makes it conditional (bsc#1104353). - net: hns3: Fixes initialization of phy address from firmware (bsc#1104353). - net: hns3: Fixes kernel panic issue during rmmod hns3 driver (bsc#1104353). - net: hns3: Fixes ring-to-vector map-and-unmap command (bsc#1104353). - net: hns3: Fixes the back pressure setting when sriov is enabled (bsc#1104353). - net: hns3: Fixes the command used to unmap ring from vector (bsc#1104353). - net: hns3: Fixes the default VLAN-id of PF (bsc#1104353 ). - net: hns3: Fixes the error legs in hclge_init_ae_dev function (bsc#1104353). - net: hns3: Fixes the ether address copy with appropriate API (bsc#1104353). - net: hns3: Fixes the initialization of MAC address in hardware (bsc#1104353). - net: hns3: Fixes the init of the VALID BD info in the descriptor (bsc#1104353). - net: hns3: Fixes the missing PCI iounmap for various legs (bsc#1104353). - net: hns3: Fixes the missing u64_stats_fetch_begin_irq in 64-bit stats fetch (bsc#1104353). - net: hns3: Fixes the out of bounds access in hclge_map_tqp (bsc#1104353). - net: hns3: Fixes the premature exit of loop when matching clients (bsc#1104353). - net: hns3: fixes the ring index in hns3_fini_ring (bsc#1104353 ). - net: hns3: Fixes the state to indicate client-type initialization (bsc#1104353). - net: hns3: Fixes the static checker error warning in hns3_get_link_ksettings() (bsc#1104353). - net: hns3: Fixes the static check warning due to missing unsupp L3 proto check (bsc#1104353). - net: hns3: Fixes the wrong IS_ERR check on the returned phydev value (bsc#1104353). - net: hns3: fix for buffer overflow smatch warning (bsc#1104353 ). - net: hns3: fix for changing MTU (bsc#1104353). 
- net: hns3: fix for cleaning ring problem (bsc#1104353 ). - net: hns3: Fix for CMDQ and Misc. interrupt init order problem (bsc#1104353). - net: hns3: fix for coal configuation lost when setting the channel (bsc#1104353). - net: hns3: fix for coalesce configuration lost during reset (bsc#1104353). - net: hns3: Fix for deadlock problem occurring when unregistering ae_algo (bsc#1104353). - net: hns3: Fix for DEFAULT_DV when dev does not support DCB (bsc#1104353). - net: hns3: Fix for fiber link up problem (bsc#1104353 ). - net: hns3: fix for getting advertised_caps in hns3_get_link_ksettings (bsc#1104353). - net: hns3: fix for getting autoneg in hns3_get_link_ksettings (bsc#1104353). - net: hns3: fix for getting auto-negotiation state in hclge_get_autoneg (bsc#1104353). - net: hns3: fix for getting wrong link mode problem (bsc#1104353 ). - net: hns3: Fix for hclge_reset running repeatly problem (bsc#1104353). - net: hns3: Fix for hns3 module is loaded multiple times problem (bsc#1104353). - net: hns3: fix for ipv6 address loss problem after setting channels (bsc#1104353). - net: hns3: fix for loopback failure when vlan filter is enable (bsc#1104353). - net: hns3: fix for netdev not running problem after calling net_stop and net_open (bsc#1104353). - net: hns3: Fix for netdev not running problem after calling net_stop and net_open (bsc#1104353). - net: hns3: fix for not initializing VF rss_hash_key problem (bsc#1104353). - net: hns3: fix for not returning problem in get_link_ksettings when phy exists (bsc#1104353). - net: hns3: fix for not setting pause parameters (bsc#1104353 ). - net: hns3: Fix for not setting rx private buffer size to zero (bsc#1104353). - net: hns3: Fix for packet loss due wrong filter config in VLAN tbls (bsc#1104353). - net: hns3: fix for pause configuration lost during reset (bsc#1104353). - net: hns3: Fix for PF mailbox receving unknown message (bsc#1104353). - net: hns3: fix for phy_addr error in hclge_mac_mdio_config (bsc#1104353). 
- net: hns3: Fix for phy not link up problem after resetting (bsc#1104353). - net: hns3: Fix for pri to tc mapping in TM (bsc#1104353 ). - net: hns3: fix for returning wrong value problem in hns3_get_rss_indir_size (bsc#1104353). - net: hns3: fix for returning wrong value problem in hns3_get_rss_key_size (bsc#1104353). - net: hns3: fix for RSS configuration loss problem during reset (bsc#1104353). - net: hns3: Fix for rx priv buf allocation when DCB is not supported (bsc#1104353). - net: hns3: Fix for rx_priv_buf_alloc not setting rx shared buffer (bsc#1104353). - net: hns3: Fix for service_task not running problem after resetting (bsc#1104353). - net: hns3: Fix for setting mac address when resetting (bsc#1104353). - net: hns3: fix for setting MTU (bsc#1104353). - net: hns3: Fix for setting rss_size incorrectly (bsc#1104353 ). - net: hns3: Fix for the NULL pointer problem occurring when initializing ae_dev failed (bsc#1104353). - net: hns3: fix for the wrong shift problem in hns3_set_txbd_baseinfo (bsc#1104353). - net: hns3: fix for updating fc_mode_last_time (bsc#1104353 ). - net: hns3: fix for use-after-free when setting ring parameter (bsc#1104353). - net: hns3: Fix for VF mailbox cannot receiving PF response (bsc#1104353). - net: hns3: Fix for VF mailbox receiving unknown message (bsc#1104353). - net: hns3: fix for vlan table lost problem when resetting (bsc#1104353). - net: hns3: Fix for vxlan tx checksum bug (bsc#1104353 ). - net: hns3: Fix initialization when cmd is not supported (bsc#1104353). - net: hns3: fix length overflow when CONFIG_ARM64_64K_PAGES (bsc#1104353). - net: hns3: fix NULL pointer dereference before null check (bsc#1104353). - net: hns3: fix return value error of hclge_get_mac_vlan_cmd_status() (bsc#1104353). - net: hns3: fix rx path skb->truesize reporting bug (bsc#1104353 ). - net: hns3: Fix setting mac address error (bsc#1104353 ). - net: hns3: Fix spelling errors (bsc#1104353). 
- net: hns3: fix spelling mistake: 'capabilty' -> 'capability' (bsc#1104353). - net: hns3: fix the bug of hns3_set_txbd_baseinfo (bsc#1104353 ). - net: hns3: fix the bug when map buffer fail (bsc#1104353 ). - net: hns3: fix the bug when reuse command description in hclge_add_mac_vlan_tbl (bsc#1104353). - net: hns3: Fix the missing client list node initialization (bsc#1104353). - net: hns3: fix the ops check in hns3_get_rxnfc (bsc#1104353 ). - net: hns3: fix the queue id for tqp enable&&reset (bsc#1104353 ). - net: hns3: fix the ring count for ETHTOOL_GRXRINGS (bsc#1104353 ). - net: hns3: fix the TX/RX ring.queue_index in hns3_ring_get_cfg (bsc#1104353). - net: hns3: fix the VF queue reset flow error (bsc#1104353 ). - net: hns3: fix to correctly fetch l4 protocol outer header (bsc#1104353). - net: hns3: Fix to support autoneg only for port attached with phy (bsc#1104353). - net: hns3: Fix typo error for feild in hclge_tm (bsc#1104353 ). - net: hns3: free the ring_data structrue when change tqps (bsc#1104353). - net: hns3: get rss_size_max from configuration but not hardcode (bsc#1104353). - net: hns3: get vf count by pci_sriov_get_totalvfs (bsc#1104353 ). - net: hns3: hclge_inform_reset_assert_to_vf() can be static (bsc#1104353). - net: hns3: hns3:fix a bug about statistic counter in reset process (bsc#1104353). - net: hns3: hns3_get_channels() can be static (bsc#1104353 ). - net: hns3: Increase the default depth of bucket for TM shaper (bsc#1104353). - net: hns3: increase the max time for IMP handle command (bsc#1104353). - net: hns3: make local functions static (bsc#1104353 ). - net: hns3: Mask the packet statistics query when NIC is down (bsc#1104353). - net: hns3: Modify the update period of packet statistics (bsc#1104353). - net: hns3: never send command queue message to IMP when reset (bsc#1104353). - net: hns3: Optimize PF CMDQ interrupt switching process (bsc#1104353). - net: hns3: Optimize the PF's process of updating multicast MAC (bsc#1104353). 
- net: hns3: Optimize the VF's process of updating multicast MAC (bsc#1104353). - net: hns3: reallocate tx/rx buffer after changing mtu (bsc#1104353). - net: hns3: refactor GL update function (bsc#1104353 ). - net: hns3: refactor interrupt coalescing init function (bsc#1104353). - net: hns3: Refactor mac_init function (bsc#1104353). - net: hns3: Refactor of the reset interrupt handling logic (bsc#1104353). - net: hns3: Refactors the requested reset & pending reset handling code (bsc#1104353). - net: hns3: refactor the coalesce related struct (bsc#1104353 ). - net: hns3: refactor the get/put_vector function (bsc#1104353 ). - net: hns3: refactor the hclge_get/set_rss function (bsc#1104353 ). - net: hns3: refactor the hclge_get/set_rss_tuple function (bsc#1104353). - net: hns3: Refactor the initialization of command queue (bsc#1104353). - net: hns3: refactor the loopback related function (bsc#1104353 ). - net: hns3: Refactor the mapping of tqp to vport (bsc#1104353 ). - net: hns3: Refactor the skb receiving and transmitting function (bsc#1104353). - net: hns3: remove a couple of redundant assignments (bsc#1104353 ). - net: hns3: remove add/del_tunnel_udp in hns3_enet module (bsc#1104353). - net: hns3: Remove a useless member of struct hns3_stats (bsc#1104353). - net: hns3: Remove error log when getting pfc stats fails (bsc#1104353). - net: hns3: Remove packet statistics in the range of 8192~12287 (bsc#1104353). - net: hns3: remove redundant memset when alloc buffer (bsc#1104353). - net: hns3: remove redundant semicolon (bsc#1104353). - net: hns3: Remove repeat statistic of rx_errors (bsc#1104353 ). - net: hns3: Removes unnecessary check when clearing TX/RX rings (bsc#1104353). - net: hns3: remove TSO config command from VF driver (bsc#1104353 ). - net: hns3: remove unnecessary pci_set_drvdata() and devm_kfree() (bsc#1104353). - net: hns3: remove unused GL setup function (bsc#1104353 ). - net: hns3: remove unused hclgevf_cfg_func_mta_filter (bsc#1104353). 
- net: hns3: Remove unused led control code (bsc#1104353 ). - net: hns3: report the function type the same line with hns3_nic_get_stats64 (bsc#1104353). - net: hns3: set the cmdq out_vld bit to 0 after used (bsc#1104353 ). - net: hns3: set the max ring num when alloc netdev (bsc#1104353 ). - net: hns3: Setting for fc_mode and dcb enable flag in TM module (bsc#1104353). - net: hns3: Support for dynamically assigning tx buffer to TC (bsc#1104353). - net: hns3: Unified HNS3 {VF|PF} Ethernet Driver for hip08 SoC (bsc#1104353). - net: hns3: unify the pause params setup function (bsc#1104353 ). - net: hns3: Unify the strings display of packet statistics (bsc#1104353). - net: hns3: Updates MSI/MSI-X alloc/free APIs(depricated) to new APIs (bsc#1104353). - net: hns3: Updates RX packet info fetch in case of multi BD (bsc#1104353). - net: hns3: Use enums instead of magic number in hclge_is_special_opcode (bsc#1104353). - net: hns3: VF should get the real rss_size instead of rss_size_max (bsc#1104353). - net: lan78xx: Fix race in tx pending skb size calculation (bsc#1100132). - net: lan78xx: fix rx handling before first packet is send (bsc#1100132). - net: qmi_wwan: add BroadMobi BM806U 2020:2033 (bsc#1087092). - net: qmi_wwan: Add Netgear Aircard 779S (bsc#1090888). - net-usb: add qmi_wwan if on lte modem wistron neweb d18q1 (bsc#1087092). - net: usb: asix: replace mii_nway_restart in resume path (bsc#1100132). - orangefs: report attributes_mask and attributes for statx (bsc#1101832). - orangefs: set i_size on new symlink (bsc#1101845). - overflow.h: Add allocation size calculation helpers (bsc#1101116,). - powerpc/64: Add GENERIC_CPU support for little endian (). - powerpc/fadump: handle crash memory ranges array index overflow (bsc#1103269). - powerpc/fadump: merge adjacent memory ranges to reduce PT_LOAD segements (bsc#1103269). - powerpc/pkeys: Deny read/write/execute by default (bsc#1097577). - powerpc/pkeys: Fix calculation of total pkeys (bsc#1097577). 
- powerpc/pkeys: Give all threads control of their key permissions (bsc#1097577). - powerpc/pkeys: key allocation/deallocation must not change pkey registers (bsc#1097577). - powerpc/pkeys: make protection key 0 less special (bsc#1097577). - powerpc/pkeys: Preallocate execute-only key (bsc#1097577). - powerpc/pkeys: Save the pkey registers before fork (bsc#1097577). - qed*: Add link change count value to ethtool statistics display. - qed: Add qed APIs for PHY module query (bsc#1086314 ). - qed: Add srq core support for RoCE and iWARP (bsc#1086314 ). - qede: Add driver callbacks for eeprom module query (bsc#1086314 ). - qedf: Add get_generic_tlv_data handler (bsc#1086317). - qedf: Add support for populating ethernet TLVs (bsc#1086317). - qed: fix spelling mistake 'successffuly' -> 'successfully' (bsc#1086314). - qedi: Add get_generic_tlv_data handler (bsc#1086315). - qedi: Add support for populating ethernet TLVs (bsc#1086315). - qed: Make some functions static (bsc#1086314). - qed: remove redundant functions qed_get_cm_pq_idx_rl (bsc#1086314). - qed: remove redundant functions qed_set_gft_event_id_cm_hdr (bsc#1086314). - qed: remove redundant pointer 'name' (bsc#1086314). - qed: use dma_zalloc_coherent instead of allocator/memset (bsc#1086314). - qed*: Utilize FW 8.37.2.0 (bsc#1086314). - rdma/hns: Add 64KB page size support for hip08 (bsc#1104427 ). - rdma/hns: Add command queue support for hip08 RoCE driver (bsc#1104427). - rdma/hns: Add CQ operations support for hip08 RoCE driver (bsc#1104427). - rdma/hns: Add detailed comments for mb() call (bsc#1104427 ). - rdma/hns: Add eq support of hip08 (bsc#1104427). - rdma/hns: Add gsi qp support for modifying qp in hip08 (bsc#1104427). - rdma/hns: Add mailbox's implementation for hip08 RoCE driver (bsc#1104427). - rdma/hns: Add modify CQ support for hip08 (bsc#1104427 ). - rdma/hns: Add names to function arguments in function pointers (bsc#1104427). - rdma/hns: Add profile support for hip08 driver (bsc#1104427 ). 
- rdma/hns: Add QP operations support for hip08 SoC (bsc#1104427 ). - rdma/hns: Add releasing resource operation in error branch (bsc#1104427). - rdma/hns: Add rereg mr support for hip08 (bsc#1104427 ). - rdma/hns: Add reset process for RoCE in hip08 (bsc#1104427 ). - rdma/hns: Add return operation when configured global param fail (bsc#1104427). - rdma/hns: Add rq inline data support for hip08 RoCE (bsc#1104427 ). - rdma/hns: Add rq inline flags judgement (bsc#1104427 ). - rdma/hns: Add sq_invld_flg field in QP context (bsc#1104427 ). - rdma/hns: Add support for processing send wr and receive wr (bsc#1104427). - rdma/hns: Add the interfaces to support multi hop addressing for the contexts in hip08 (bsc#1104427). - rdma/hns: Adjust the order of cleanup hem table (bsc#1104427 ). - rdma/hns: Assign dest_qp when deregistering mr (bsc#1104427 ). - rdma/hns: Assign the correct value for tx_cqn (bsc#1104427 ). - rdma/hns: Assign zero for pkey_index of wc in hip08 (bsc#1104427 ). - rdma/hns: Avoid NULL pointer exception (bsc#1104427 ). - rdma/hns: Bugfix for cq record db for kernel (bsc#1104427 ). - rdma/hns: Bugfix for init hem table (bsc#1104427). - rdma/hns: Bugfix for rq record db for kernel (bsc#1104427 ). - rdma/hns: Check return value of kzalloc (bsc#1104427 ). - rdma/hns: Configure BT BA and BT attribute for the contexts in hip08 (bsc#1104427). - rdma/hns: Configure fence attribute in hip08 RoCE (bsc#1104427 ). - rdma/hns: Configure mac&gid and user access region for hip08 RoCE driver (bsc#1104427). - rdma/hns: Configure sgid type for hip08 RoCE (bsc#1104427 ). - rdma/hns: Configure the MTPT in hip08 (bsc#1104427). - rdma/hns: Configure TRRL field in hip08 RoCE device (bsc#1104427 ). - rdma/hns: Create gsi qp in hip08 (bsc#1104427). - rdma/hns: Delete the unnecessary initializing enum to zero (bsc#1104427). - rdma/hns: Do not unregister a callback we didn't register (bsc#1104427). - rdma/hns: Drop local zgid in favor of core defined variable (bsc#1104427). 
- rdma/hns: Enable inner_pa_vld filed of mpt (bsc#1104427 ). - rdma/hns: Enable the cqe field of sqwqe of RC (bsc#1104427 ). - rdma/hns: ensure for-loop actually iterates and free's buffers (bsc#1104427). - rdma/hns: Fill sq wqe context of ud type in hip08 (bsc#1104427 ). - rdma/hns: Filter for zero length of sge in hip08 kernel mode (bsc#1104427). - rdma/hns: Fix a bug with modifying mac address (bsc#1104427 ). - rdma/hns: Fix a couple misspellings (bsc#1104427). - rdma/hns: Fix calltrace for sleeping in atomic (bsc#1104427 ). - rdma/hns: Fix cqn type and init resp (bsc#1104427). - rdma/hns: Fix cq record doorbell enable in kernel (bsc#1104427 ). - rdma/hns: Fix endian problems around imm_data and rkey (bsc#1104427). - rdma/hns: Fix inconsistent warning (bsc#1104427). - rdma/hns: Fix init resp when alloc ucontext (bsc#1104427 ). - rdma/hns: Fix misplaced call to hns_roce_cleanup_hem_table (bsc#1104427). - rdma/hns: Fix QP state judgement before receiving work requests (bsc#1104427). - rdma/hns: Fix QP state judgement before sending work requests (bsc#1104427). - rdma/hns: fix spelling mistake: 'Reseved' -> 'Reserved' (bsc#1104427). - rdma/hns: Fix the bug with NULL pointer (bsc#1104427 ). - rdma/hns: Fix the bug with rq sge (bsc#1104427). - rdma/hns: Fix the endian problem for hns (bsc#1104427 ). - rdma/hns: Fix the illegal memory operation when cross page (bsc#1104427). - rdma/hns: Fix the issue of IOVA not page continuous in hip08 (bsc#1104427). - rdma/hns: Fix the qp context state diagram (bsc#1104427 ). - rdma/hns: Generate gid type of RoCEv2 (bsc#1104427). - rdma/hns: Get rid of page operation after dma_alloc_coherent (bsc#1104427). - rdma/hns: Get rid of virt_to_page and vmap calls after dma_alloc_coherent (bsc#1104427). - rdma/hns: Implement the disassociate_ucontext API (bsc#1104427 ). - rdma/hns: Increase checking CMQ status timeout value (bsc#1104427). - rdma/hns: Initialize the PCI device for hip08 RoCE (bsc#1104427 ). 
- rdma/hns: Intercept illegal RDMA operation when use inline data (bsc#1104427). - rdma/hns: Load the RoCE dirver automatically (bsc#1104427 ). - rdma/hns: make various function static, fixes warnings (bsc#1104427). - rdma/hns: Modify assignment device variable to support both PCI device and platform device (bsc#1104427). - rdma/hns: Modify the usage of cmd_sn in hip08 (bsc#1104427 ). - rdma/hns: Modify the value with rd&dest_rd of qp_attr (bsc#1104427). - rdma/hns: Modify uar allocation algorithm to avoid bitmap exhaust (bsc#1104427). - rdma/hns: Move priv in order to add multiple hns_roce support (bsc#1104427). - rdma/hns: Move the location for initializing tmp_len (bsc#1104427). - rdma/hns: Not support qp transition from reset to reset for hip06 (bsc#1104427). - rdma/hns: Only assign dest_qp if IB_QP_DEST_QPN bit is set (bsc#1104427). - rdma/hns: Only assign dqpn if IB_QP_PATH_DEST_QPN bit is set (bsc#1104427). - rdma/hns: Only assign mtu if IB_QP_PATH_MTU bit is set (bsc#1104427). - rdma/hns: Refactor code for readability (bsc#1104427 ). - rdma/hns: Refactor eq code for hip06 (bsc#1104427). - rdma/hns: remove redundant assignment to variable j (bsc#1104427 ). - rdma/hns: Remove some unnecessary attr_mask judgement (bsc#1104427). - rdma/hns: Remove unnecessary operator (bsc#1104427). - rdma/hns: Remove unnecessary platform_get_resource() error check (bsc#1104427). - rdma/hns: Rename the idx field of db (bsc#1104427). - rdma/hns: Replace condition statement using hardware version information (bsc#1104427). - rdma/hns: Replace __raw_write*(cpu_to_le*()) with LE write*() (bsc#1104427). - rdma/hns: return 0 rather than return a garbage status value (bsc#1104427). - rdma/hns_roce: Do not check return value of zap_vma_ptes() (bsc#1104427). - rdma/hns: Set access flags of hip08 RoCE (bsc#1104427 ). - rdma/hns: Set desc_dma_addr for zero when free cmq desc (bsc#1104427). - rdma/hns: Set NULL for __internal_mr (bsc#1104427). 
- rdma/hns: Set rdma_ah_attr type for querying qp (bsc#1104427 ). - rdma/hns: Set se attribute of sqwqe in hip08 (bsc#1104427 ). - rdma/hns: Set sq_cur_sge_blk_addr field in QPC in hip08 (bsc#1104427). - rdma/hns: Set the guid for hip08 RoCE device (bsc#1104427 ). - rdma/hns: Set the owner field of SQWQE in hip08 RoCE (bsc#1104427). - rdma/hns: Split CQE from MTT in hip08 (bsc#1104427). - rdma/hns: Split hw v1 driver from hns roce driver (bsc#1104427 ). - rdma/hns: Submit bad wr (bsc#1104427). - rdma/hns: Support cq record doorbell for kernel space (bsc#1104427). - rdma/hns: Support cq record doorbell for the user space (bsc#1104427). - rdma/hns: Support multi hop addressing for PBL in hip08 (bsc#1104427). - rdma/hns: Support rq record doorbell for kernel space (bsc#1104427). - rdma/hns: Support rq record doorbell for the user space (bsc#1104427). - rdma/hns: Support WQE/CQE/PBL page size configurable feature in hip08 (bsc#1104427). - rdma/hns: Unify the calculation for hem index in hip08 (bsc#1104427). - rdma/hns: Update assignment method for owner field of send wqe (bsc#1104427). - rdma/hns: Update calculation of irrl_ba field for hip08 (bsc#1104427). - rdma/hns: Update convert function of endian format (bsc#1104427 ). - rdma/hns: Update the interfaces for MTT/CQE multi hop addressing in hip08 (bsc#1104427). - rdma/hns: Update the IRRL table chunk size in hip08 (bsc#1104427 ). - rdma/hns: Update the PD&CQE&MTT specification in hip08 (bsc#1104427). - rdma/hns: Update the usage of ack timeout in hip08 (bsc#1104427 ). - rdma/hns: Update the usage of sr_max and rr_max field (bsc#1104427). - rdma/hns: Update the verbs of polling for completion (bsc#1104427). - rdma/hns: Use free_pages function instead of free_page (bsc#1104427). - rdma/hns: Use structs to describe the uABI instead of opencoding (bsc#1104427). - rdma/qedr: Fix NULL pointer dereference when running over iWARP without RDMA-CM (bsc#1086314). 
- rdma/qedr: fix spelling mistake: 'adrresses' -> 'addresses' (bsc#1086314). - rdma/qedr: fix spelling mistake: 'failes' -> 'fails' (bsc#1086314). - reiserfs: fix buffer overflow with long warning messages (bsc#1101847). - reiserfs-fix-buffer-overflow-with-long-warning-messa.patch: Silence bogus compiler warning about unused result of strscpy(). - s390/dasd: configurable IFCC handling (bsc#1097808). - sched/smt: Update sched_smt_present at runtime (bsc#1089343). - scsi: mpt3sas: Add an I/O barrier (bsc#1086906,). - scsi: mpt3sas: Added support for SAS Device Discovery Error Event (bsc#1086906,). - scsi: mpt3sas: Add PCI device ID for Andromeda (bsc#1086906,). - scsi: mpt3sas: Allow processing of events during driver unload (bsc#1086906,). - scsi: mpt3sas: As per MPI-spec, use combined reply queue for SAS3.5 controllers when HBA supports more than 16 MSI-x vectors (bsc#1086906,). - scsi: mpt3sas: Bug fix for big endian systems (bsc#1086906,). - scsi: mpt3sas: Cache enclosure pages during enclosure add (bsc#1086906,). - scsi: mpt3sas: clarify mmio pointer types (bsc#1086906,). - scsi: mpt3sas: Configure reply post queue depth, DMA and sgl tablesize (bsc#1086906,). - scsi: mpt3sas: Do not abort I/Os issued to NVMe drives while processing Async Broadcast primitive event (bsc#1086906,). - scsi: mpt3sas: Do not access the structure after decrementing it's instance reference count (bsc#1086906,). - scsi: mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM (bsc#1086906,). - scsi: mpt3sas: Enhanced handling of Sense Buffer (bsc#1086906,). - scsi: mpt3sas: Fix, False timeout prints for ioctl and other internal commands during controller reset (bsc#1086906,). - scsi: mpt3sas: fix possible memory leak (bsc#1086906,). - scsi: mpt3sas: fix spelling mistake: 'disbale' -> 'disable' (bsc#1086906,). - scsi: mpt3sas: For NVME device, issue a protocol level reset (bsc#1086906,). - scsi: mpt3sas: Incorrect command status was set/marked as not used (bsc#1086906,). 
- scsi: mpt3sas: Increase event log buffer to support 24 port HBA's (bsc#1086906,). - scsi: mpt3sas: Introduce API to get BAR0 mapped buffer address (bsc#1086906,). - scsi: mpt3sas: Introduce Base function for cloning (bsc#1086906,). - scsi: mpt3sas: Introduce function to clone mpi reply (bsc#1086906,). - scsi: mpt3sas: Introduce function to clone mpi request (bsc#1086906,). - scsi: mpt3sas: Lockless access for chain buffers (bsc#1086906,). - scsi: mpt3sas: Optimize I/O memory consumption in driver (bsc#1086906,). - scsi: mpt3sas: Pre-allocate RDPQ Array at driver boot time (bsc#1086906,). - scsi: mpt3sas: Replace PCI pool old API (bsc#1081917). - Refresh patches.drivers/scsi-mpt3sas-SGL-to-PRP-Translation-for-I-Os-to-NVMe.patch. - scsi: mpt3sas: Report Firmware Package Version from HBA Driver (bsc#1086906,). - scsi: mpt3sas: Update driver version '25.100.00.00' (bsc#1086906,). - scsi: mpt3sas: Update driver version '26.100.00.00' (bsc#1086906,). - scsi: mpt3sas: Update MPI Headers (bsc#1086906,). - scsi: qedf: Add additional checks when restarting an rport due to ABTS timeout (bsc#1086317). - scsi: qedf: Add check for offload before flushing I/Os for target (bsc#1086317). - scsi: qedf: Add dcbx_not_wait module parameter so we won't wait for DCBX convergence to start discovery (bsc#1086317). - scsi: qedf: Add missing skb frees in error path (bsc#1086317). - scsi: qedf: Add more defensive checks for concurrent error conditions (bsc#1086317). - scsi: qedf: Add task id to kref_get_unless_zero() debug messages when flushing requests (bsc#1086317). - scsi: qedf: Check if link is already up when receiving a link up event from qed (bsc#1086317). - scsi: qedf: fix LTO-enabled build (bsc#1086317). - scsi: qedf: Fix VLAN display when printing sent FIP frames (bsc#1086317). - scsi: qedf: Honor default_prio module parameter even if DCBX does not converge (bsc#1086317). - scsi: qedf: Honor priority from DCBX FCoE App tag (bsc#1086317). 
- scsi: qedf: If qed fails to enable MSI-X fail PCI probe (bsc#1086317). - scsi: qedf: Improve firmware debug dump handling (bsc#1086317). - scsi: qedf: Increase the number of default FIP VLAN request retries to 60 (bsc#1086317). - scsi: qedf: Release RRQ reference correctly when RRQ command times out (bsc#1086317). - scsi: qedf: remove redundant initialization of 'fcport' (bsc#1086317). - scsi: qedf: Remove setting DCBX pending during soft context reset (bsc#1086317). - scsi: qedf: Return request as DID_NO_CONNECT if MSI-X is not enabled (bsc#1086317). - scsi: qedf: Sanity check FCoE/FIP priority value to make sure it's between 0 and 7 (bsc#1086317). - scsi: qedf: Send the driver state to MFW (bsc#1086317). - scsi: qedf: Set the UNLOADING flag when removing a vport (bsc#1086317). - scsi: qedf: Synchronize rport restarts when multiple ELS commands time out (bsc#1086317). - scsi: qedf: Update copyright for 2018 (bsc#1086317). - scsi: qedf: Update version number to 8.33.16.20 (bsc#1086317). - scsi: qedf: use correct strncpy() size (bsc#1086317). - scsi: qedi: fix building with LTO (bsc#1086315). - scsi: qedi: fix build regression (bsc#1086315). - scsi: qedi: Fix kernel crash during port toggle (bsc#1086315). - scsi: qedi: Send driver state to MFW (bsc#1086315). - scsi: qla2xxx: correctly shift host byte (bsc#1086327,). - scsi: qla2xxx: Correct setting of SAM_STAT_CHECK_CONDITION (bsc#1086327,). - scsi: qla2xxx: Fix crash on qla2x00_mailbox_command (bsc#1086327,). - scsi: qla2xxx: Fix Inquiry command being dropped in Target mode (bsc#1086327,). - scsi: qla2xxx: Fix race condition between iocb timeout and initialisation (bsc#1086327,). - scsi: qla2xxx: Fix Rport and session state getting out of sync (bsc#1086327,). - scsi: qla2xxx: Fix sending ADISC command for login (bsc#1086327,). - scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails (bsc#1086327,). - scsi: qla2xxx: Fix TMF and Multi-Queue config (bsc#1086327,). 
- scsi: qla2xxx: Move GPSC and GFPNID out of session management (bsc#1086327,). - scsi: qla2xxx: Prevent relogin loop by removing stale code (bsc#1086327,). - scsi: qla2xxx: Reduce redundant ADISC command for RSCNs (bsc#1086327,). - scsi: qla2xxx: remove irq save in qla2x00_poll() (bsc#1086327,). - scsi: qla2xxx: Remove stale debug value for login_retry flag (bsc#1086327,). - scsi: qla2xxx: Update driver version to 10.00.00.07-k (bsc#1086327,). - scsi: qla2xxx: Use predefined get_datalen_for_atio() inline function (bsc#1086327,). - scsi: qla4xxx: Move an array from a .h into a .c file (bsc#1086331). - scsi: qla4xxx: Remove unused symbols (bsc#1086331). - scsi: qla4xxx: skip error recovery in case of register disconnect (bsc#1086331). - scsi: qla4xxx: Use dma_pool_zalloc() (bsc#1086331). - scsi: qla4xxx: Use zeroing allocator rather than allocator/memset (bsc#1086331). - selftests/powerpc: Fix core-pkey for default execute permission change (bsc#1097577). - selftests/powerpc: Fix ptrace-pkey for default execute permission change (bsc#1097577). - supported.conf: add drivers/md/dm-writecache - supported.conf: added hns3 modules - supported.conf: added hns-roce-hw-v1 and hns-roce-hw-v2 - supported.conf: Enable HiSi v3 SAS adapter () - tcp_rbd depends on BLK_DEV_RBD (). - typec: tcpm: fusb302: Resolve out of order messaging events (bsc#1087092). - udf: Detect incorrect directory size (bsc#1101891). - udf: Provide saner default for invalid uid / gid (bsc#1101890). - vfs: add the sb_start_intwrite_trylock() helper (bsc#1101841). - x86/apic: Ignore secondary threads if nosmt=force (bsc#1089343). - x86/CPU/AMD: Do not check CPUID max ext level before parsing SMP info (bsc#1089343). - x86/cpu/AMD: Evaluate smp_num_siblings early (bsc#1089343). - x86/CPU/AMD: Move TOPOEXT reenablement before reading smp_num_siblings (bsc#1089343). - x86/cpu/AMD: Remove the pointless detect_ht() call (bsc#1089343). - x86/cpu/common: Provide detect_ht_early() (bsc#1089343). 
- x86/cpu/intel: Evaluate smp_num_siblings early (bsc#1089343). - x86/cpu: Remove the pointless CPU printout (bsc#1089343). - x86/cpu/topology: Provide detect_extended_topology_early() (bsc#1089343). - x86/KVM/VMX: Add module argument for L1TF mitigation. - x86/smp: Provide topology_is_primary_thread() (bsc#1089343). - x86/topology: Provide topology_smt_supported() (bsc#1089343). - x86/xen: init %gs very early to avoid page faults with stack protector (bnc#1104777). - xen-netback: fix input validation in xenvif_set_hash_mapping() (bnc#1103277). - xen/netfront: do not cache skb_shinfo() (bnc#1065600). - xfs: catch inode allocation state mismatch corruption (bsc#1104211). - xfs: prevent creating negative-sized file via INSERT_RANGE (bsc#1101833).
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 111812
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111812
    title openSUSE Security Update : the Linux Kernel (openSUSE-2018-886) (Foreshadow)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1279.NASL
    description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) - A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. (CVE-2018-5390) - A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system.(CVE-2018-5391) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 112238
    published 2018-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112238
    title EulerOS 2.0 SP3 : kernel (EulerOS-SA-2018-1279)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2350-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_60 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2017-11600: net/xfrm/xfrm_policy.c did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bsc#1096564) - CVE-2018-10853: A flaw was found in kvm. In which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111821
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111821
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2350-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2353-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_63 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2017-11600: net/xfrm/xfrm_policy.c did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bsc#1096564) - CVE-2018-10853: A flaw was found in kvm. In which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111824
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111824
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2353-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2364-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_93 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2018-10853: A flaw was found in kvm. In which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111832
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111832
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2364-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2342-1.NASL
    description This update for the Linux Kernel 3.12.61-52_133 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2018-10853: A flaw was found in kvm. In which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111814
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111814
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2342-1) (Foreshadow)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_FUSION_VMSA_2018_0020.NASL
    description The version of VMware Fusion installed on the remote macOS or Mac OS X host is 10.x prior to 10.1.3. It is, therefore, vulnerable to a speculative execution side channel attack known as L1 Terminal Fault (L1TF). An attacker who successfully exploited L1TF may be able to read privileged data across trust boundaries.
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 111758
    published 2018-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111758
    title VMware Fusion 10.x < 10.1.3 Speculative Execution Side Channel Vulnerability (Foreshadow) (VMSA-2018-0020) (macOS)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_AUG_4343887.NASL
    description The remote Windows host is missing security update 4343887. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. (CVE-2018-8341, CVE-2018-8348) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8344) - An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. (CVE-2018-8343) - A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-8349) - A security feature bypass vulnerability exists when Microsoft Edge improperly handles redirect requests. The vulnerability allows Microsoft Edge to bypass Cross-Origin Resource Sharing (CORS) redirect restrictions, and to follow redirect requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted to a destination website of the attacker's choice.
(CVE-2018-8358) - A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this vulnerability could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine. (CVE-2018-8200, CVE-2018-8204) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385) - An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8347) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2018-8345) - An information disclosure vulnerability exists when WebAudio Library improperly handles audio requests. An attacker who has successfully exploited this vulnerability might be able to read privileged data across trust boundaries. In browsing scenarios, an attacker could convince a user to visit a malicious site and leverage the vulnerability to obtain privileged information from the browser process, such as sensitive data from other opened tabs.
An attacker could also inject malicious code into advertising networks used by trusted sites or embed malicious code on a compromised, but trusted, site. The update addresses the vulnerability by correcting how the WebAudio Library handles audio requests. (CVE-2018-8370) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8404) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-8339) - A security feature bypass vulnerability exists when Active Directory Federation Services (AD FS) improperly handles multi-factor authentication requests. (CVE-2018-8340) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8266, CVE-2018-8381) - An elevation of privilege vulnerability exists when Microsoft Cortana allows arbitrary website browsing on the lockscreen. 
An attacker who successfully exploited the vulnerability could steal browser stored passwords or log on to websites as another user. (CVE-2018-8253) - A remote code execution vulnerability exists when Internet Explorer improperly validates hyperlinks before loading executable libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8316) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8394, CVE-2018-8398) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8403) - An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction. An attacker who successfully exploited this vulnerability could allow an attacker to obtain browser frame or window state from a different domain. For an attack to be successful, an attacker must persuade a user to open a malicious website from a secure website.
This update addresses the vulnerability by denying permission to read the state of the object model, to which frames or windows on different domains should not have access. (CVE-2018-8351) - An elevation of privilege vulnerability exists in Microsoft browsers allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2018-8357) - An Elevation of Privilege vulnerability exists when Diagnostics Hub Standard Collector allows file creation in arbitrary locations. (CVE-2018-0952) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373, CVE-2018-8389) - An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-8401, CVE-2018-8405, CVE-2018-8406) - An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments. The vulnerability is caused when .NET Framework is used in high-load/high-density network connections where content from one stream can blend into another stream. 
(CVE-2018-8360) - A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content. An attacker who successfully exploited this vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2018-8388)
    last seen 2019-02-21
    modified 2019-01-30
    plugin id 111685
    published 2018-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111685
    title KB4343887: Windows 10 Version 1607 and Windows Server 2016 August 2018 Security Update (Foreshadow)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2403.NASL
    description An update for redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. 
A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. (CVE-2018-5390) Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646 and Juha-Matti Tilli (Aalto University, Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5390.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 112027
    published 2018-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112027
    title RHEL 7 : Virtualization (RHSA-2018:2403) (Foreshadow)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2402.NASL
    description An update for rhvm-appliance is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. 
(CVE-2018-5390) Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646 and Juha-Matti Tilli (Aalto University, Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5390.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 112026
    published 2018-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112026
    title RHEL 7 : Virtualization (RHSA-2018:2402) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2369-1.NASL
    description This update for the Linux Kernel 3.12.61-52_136 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2018-10853: A flaw was found in kvm. In which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111836
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111836
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2369-1) (Foreshadow)
  • NASL family Firewalls
    NASL id PFSENSE_SA-18_08.NASL
    description According to its self-reported version number, the remote pfSense install is a version 2.3.x prior to or equal to 2.3.5-p2 or 2.4.x prior to 2.4.3-p1. It is, therefore, affected by multiple vulnerabilities: - Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis. (CVE-2018-3620) - An authenticated command injection vulnerability exists in status_interfaces.php via dhcp_relinquish_lease() in pfSense before 2.4.4. This allows an authenticated WebGUI user with privileges for the affected page to execute commands in the context of the root user when submitting a request to relinquish a DHCP lease for an interface which is configured to obtain its address via DHCP. (CVE-2018-16055) - A denial of service vulnerability exists in the IP fragment reassembly code due to excessive system resource consumption. This issue can allow a remote attacker who is able to send arbitrary IP fragments to cause the machine to consume excessive resources. (CVE-2018-6923)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 119887
    published 2018-12-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119887
    title pfSense 2.3.x <= 2.3.5-p2 / 2.4.x < 2.4.4 Multiple Vulnerabilities (SA-18_06 / SA-18_07 / SA-18_08)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2356-1.NASL
    description This update for the Linux Kernel 3.12.61-52_111 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2018-10853: A flaw was found in kvm. In which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111827
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111827
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2356-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2355-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_57 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2017-11600: net/xfrm/xfrm_policy.c did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bsc#1096564) - CVE-2018-10853: A flaw was found in kvm. In which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111826
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111826
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2355-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2347-1.NASL
    description This update for the Linux Kernel 3.12.61-52_106 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2017-11600: net/xfrm/xfrm_policy.c did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bsc#1096564) - CVE-2018-10853: A flaw was found in kvm. In which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111818
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111818
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2347-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2346-1.NASL
    description This update for the Linux Kernel 3.12.61-52_92 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2017-11600: net/xfrm/xfrm_policy.c did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bsc#1096564) - CVE-2018-10853: A flaw was found in kvm. In which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111817
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111817
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2346-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2368-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_85 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2018-10853: A flaw was found in kvm. In which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111835
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111835
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2368-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2410-1.NASL
    description This update for xen fixes the following security issues : - CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may have allowed unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis (bsc#1091107, bsc#1027519). - Incorrect MSR_DEBUGCTL handling let guests enable BTS, allowing a malicious or buggy guest administrator to lock up the entire host (bsc#1103276) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 112013
    published 2018-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112013
    title SUSE SLES12 Security Update : xen (SUSE-SU-2018:2410-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2358-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_96 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2018-10853: A flaw was found in kvm. In which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111828
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111828
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2358-1) (Foreshadow)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2395.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to influence speculative execution and/or read privileged memory by conducting targeted cache side-channel attacks. 
(CVE-2018-3693) * A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. (CVE-2018-5390) * kernel: crypto: privilege escalation in skcipher_recvmsg function (CVE-2017-13215) * kernel: mm: use-after-free in do_get_mempolicy function allows local DoS or other unspecified impact (CVE-2018-10675) * kernel: race condition in snd_seq_write() may lead to UAF or OOB access (CVE-2018-7566) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646; Vladimir Kiriansky (MIT) and Carl Waldspurger (Carl Waldspurger Consulting) for reporting CVE-2018-3693; and Juha-Matti Tilli (Aalto University, Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5390. Bug Fix(es) : * The kernel-rt packages have been upgraded to the 3.10.0-862.10.2 source tree, which provides a number of bug fixes over the previous version. (BZ# 1594915)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 111736
    published 2018-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111736
    title RHEL 7 : kernel-rt (RHSA-2018:2395) (Foreshadow)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3740-2.NASL
    description USN-3740-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS). (CVE-2018-3646) It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker could use this to expose sensitive information (memory from the kernel or other processes). (CVE-2018-3620) Juha-Matti Tilli discovered that the IP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packet fragments. A remote attacker could use this to cause a denial of service. (CVE-2018-5391). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111750
    published 2018-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111750
    title Ubuntu 16.04 LTS : linux-hwe, linux-azure, linux-gcp vulnerabilities (USN-3740-2) (Foreshadow)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180814_KERNEL_ON_SL6_X.NASL
    description Security Fix(es) : - Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to influence speculative execution and/or read privileged memory by conducting targeted cache side-channel attacks. 
(CVE-2018-3693) - kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901) - kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) - kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265) - kernel: race condition in snd_seq_write() may lead to UAF or OOB-access (CVE-2018-7566) - kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004) Bug Fix(es) : - The Least recently used (LRU) operations are batched by caching pages in per-cpu page vectors to prevent contention of the heavily used lru_lock spinlock. The page vectors can hold even the compound pages. Previously, the page vectors were cleared only if they were full. Subsequently, the amount of memory held in page vectors, which is not reclaimable, was sometimes too high. Consequently the page reclamation started the Out of Memory (OOM) killing processes. With this update, the underlying source code has been fixed to clear LRU page vectors each time when a compound page is added to them. As a result, OOM killing processes due to high amounts of memory held in page vectors no longer occur.
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 111777
    published 2018-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111777
    title Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2359-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_69 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2018-10853: A flaw was found in kvm. In which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111829
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111829
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2359-1) (Foreshadow)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3742-1.NASL
    description It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS). (CVE-2018-3646) It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker could use this to expose sensitive information (memory from the kernel or other processes). (CVE-2018-3620) Andrey Konovalov discovered an out-of-bounds read in the POSIX timers subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2017-18344) Juha-Matti Tilli discovered that the TCP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packets. A remote attacker could use this to cause a denial of service. (CVE-2018-5390) Juha-Matti Tilli discovered that the IP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packet fragments. A remote attacker could use this to cause a denial of service. (CVE-2018-5391). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111753
    published 2018-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111753
    title Ubuntu 14.04 LTS : linux vulnerabilities (USN-3742-1) (Foreshadow)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4279.NASL
    description Multiple researchers have discovered a vulnerability in the way the Intel processor designs have implemented speculative execution of instructions in combination with handling of page-faults. This flaw could allow an attacker controlling an unprivileged process to read memory from arbitrary (non-user controlled) addresses, including from the kernel and all other processes running on the system or cross guest/host boundaries to read host memory. To fully resolve these vulnerabilities it is also necessary to install updated CPU microcode (only available in Debian non-free). Common server class CPUs are covered in the update released as DSA 4273-1.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 111988
    published 2018-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111988
    title Debian DSA-4279-1 : linux - security update (Foreshadow)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1481.NASL
    description Multiple researchers have discovered a vulnerability in the way the Intel processor designs have implemented speculative execution of instructions in combination with handling of page-faults. This flaw could allow an attacker controlling an unprivileged process to read memory from arbitrary (non-user controlled) addresses, including from the kernel and all other processes running on the system or cross guest/host boundaries to read host memory. To fully resolve these vulnerabilities it is also necessary to install updated CPU microcode (only available in Debian non-free). Common server class CPUs are covered in the update released as DLA 1446-1. For Debian 8 'Jessie', these problems have been fixed in version 4.9.110-3+deb9u4~deb8u1. We recommend that you upgrade your linux-4.9 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-31
    plugin id 112168
    published 2018-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112168
    title Debian DLA-1481-1 : linux-4.9 security update (Foreshadow)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-4242.NASL
    description Description of changes: [4.14.35-1818.3.3.el7uek] - net: net_failover: fix typo in net_failover_slave_register() (Liran Alon) [Orabug: 28122110] - virtio_net: Extend virtio to use VF datapath when available (Sridhar Samudrala) [Orabug: 28122110] - virtio_net: Introduce VIRTIO_NET_F_STANDBY feature bit (Sridhar Samudrala) [Orabug: 28122110] - net: Introduce net_failover driver (Sridhar Samudrala) [Orabug: 28122110] - net: Introduce generic failover module (Sridhar Samudrala) [Orabug: 28122110] - IB/ipoib: Improve filtering log message (Yuval Shaia) [Orabug: 28655435] - IB/ipoib: Fix wrong update of arp_blocked counter (Yuval Shaia) [Orabug: 28655435] - IB/ipoib: Update RX counters after ACL filtering (Yuval Shaia) [Orabug: 28655435] - IB/ipoib: Filter RX packets before adding pseudo header (Yuval Shaia) [Orabug: 28655435] - dm crypt: add middle-endian variant of plain64 IV (Konrad Rzeszutek Wilk) [Orabug: 28604629] - uek-rpm: Disable deprecated CONFIG_ACPI_PROCFS_POWER (Victor Erminpour) [Orabug: 28644322] - net/rds: Fix call to sleeping function in a non-sleeping context (Håkon Bugge) [Orabug: 28657397] - cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (Scott Bauer) [Orabug: 28664499] {CVE-2018-16658} - ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c (Seunghun Han) [Orabug: 28664576] {CVE-2017-13695} - usb: xhci: do not create and register shared_hcd when USB3.0 is disabled (Tung Nguyen) [Orabug: 28677854] [4.14.35-1818.3.2.el7uek] - hwmon: (k10temp) Display both Tctl and Tdie (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Use API function to access System Management Network (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Fix reading critical temperature register (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Add temperature offset for Ryzen 2700X (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Add support for temperature offsets (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Add support for 
family 17h (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Move chip specific code into probe function (Guenter Roeck) [Orabug: 28143470] - net/rds: make the source code clean (Zhu Yanjun) [Orabug: 28607913] - net/rds: Use rdma_read_gids to get connection SGID/DGID in IPv6 (Zhu Yanjun) [Orabug: 28607913] - net/rds: Use rdma_read_gids to read connection GIDs (Parav Pandit) [Orabug: 28607913] - posix-timers: Sanitize overrun handling (Thomas Gleixner) [Orabug: 28642970] {CVE-2018-12896} - crypto: ccp - Add support for new CCP/PSP device ID (Tom Lendacky) [Orabug: 28584386] - crypto: ccp - Support register differences between PSP devices (Tom Lendacky) [Orabug: 28584386] - crypto: ccp - Remove unused #defines (Tom Lendacky) [Orabug: 28584386] - crypto: ccp - Add psp enabled message when initialization succeeds (Tom Lendacky) [Orabug: 28584386] - crypto: ccp - Fix command completion detection race (Tom Lendacky) [Orabug: 28584386] - iommu/amd: Add support for IOMMU XT mode (Suravee Suthikulpanit) [Orabug: 28584386] - iommu/amd: Add support for higher 64-bit IOMMU Control Register (Suravee Suthikulpanit) [Orabug: 28584386] - x86: irq_remapping: Move irq remapping mode enum (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU/AMD: Fix LLC ID bit-shift calculation (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU/AMD: Derive CPU topology from CPUID function 0xB when available (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU/AMD: Calculate last level cache ID from number of sharing threads (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU: Rename intel_cacheinfo.c to cacheinfo.c (Borislav Petkov) [Orabug: 28584386] - perf/events/amd/uncore: Fix amd_uncore_llc ID to use pre-defined cpu_llc_id (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU/AMD: Have smp_num_siblings and cpu_llc_id always be present (Borislav Petkov) [Orabug: 28584386] [4.14.35-1818.3.1.el7uek] - arm64: vdso: fix clock_getres for 4GiB-aligned res (Mark Rutland) [Orabug: 28603375] - 
locking/qrwlock: Prevent slowpath writers getting held up by fastpath (Will Deacon) [Orabug: 28605196] - locking/qrwlock, arm64: Move rwlock implementation over to qrwlocks (Will Deacon) [Orabug: 28605196] - locking/qrwlock: Use atomic_cond_read_acquire() when spinning in qrwlock (Will Deacon) [Orabug: 28605196] - locking/atomic: Add atomic_cond_read_acquire() (Will Deacon) [Orabug: 28605196] - rds: CVE-2018-7492: Fix NULL pointer dereference in __rds_rdma_map (Håkon Bugge) [Orabug: 28565429] {CVE-2018-7492} - irqchip/irq-bcm2836: Add support for DT interrupt polarity (Stefan Wahren) [Orabug: 28596168] - dt-bindings/bcm2836-l1-intc: Add interrupt polarity support (Stefan Wahren) [Orabug: 28596168] - dt-bindings/bcm283x: Define polarity of per-cpu interrupts (Stefan Wahren) [Orabug: 28596168] - x86/spec_ctrl: Only set SPEC_CTRL_IBRS_FIRMWARE if IBRS is actually in use (Patrick Colp) [Orabug: 28610695] [4.14.35-1818.2.2.el7uek] - x86/xen: Calculate __max_logical_packages on PV domains (Prarit Bhargava) [Orabug: 28476586] - x86/entry/64: Remove %ebx handling from error_entry/exit (Andy Lutomirski) [Orabug: 28402921] {CVE-2018-14678} - x86/pti: Don't report XenPV as vulnerable (Jiri Kosina) [Orabug: 28476680] - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (Andi Kleen) [Orabug: 28488807] {CVE-2018-3620} - x86/speculation/l1tf: Suggest what to do on systems with too much RAM (Vlastimil Babka) [Orabug: 28488807] {CVE-2018-3620} - x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (Vlastimil Babka) [Orabug: 28488807] {CVE-2018-3620} - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (Vlastimil Babka) [Orabug: 28488807] {CVE-2018-3620} - x86/speculation/l1tf: Exempt zeroed PTEs from inversion (Sean Christopherson) [Orabug: 28488807] {CVE-2018-3620} - x86/l1tf: Fix build error seen if CONFIG_KVM_INTEL is disabled (Guenter Roeck) [Orabug: 28488807] {CVE-2018-3620} - x86/spectre: Add missing family 6 check to 
microcode check (Andi Kleen) [Orabug: 28488807] {CVE-2018-3620} - KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled (Thomas Gleixner) [Orabug: 28488807] {CVE-2018-3646} - x86/microcode: Allow late microcode loading with SMT disabled (Josh Poimboeuf) [Orabug: 28488807] {CVE-2018-3620} - PCI: Add ACS quirk for Ampere root ports (Feng Kan) [Orabug: 28525940] - xfs: don't fail when converting shortform attr to long form during ATTR_REPLACE (Darrick J. Wong) [Orabug: 28573020] - uek-rpm: Disable F2FS in the UEK5 config (Victor Erminpour) [Orabug: 28577123]
    last seen 2019-02-21
    modified 2018-10-11
    plugin id 118053
    published 2018-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118053
    title Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4242) (Foreshadow)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-2390.NASL
    description From Red Hat Security Advisory 2018:2390 : An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 16th August 2018] The original errata text was missing reference to CVE-2018-5390 fix. We have updated the errata text to correct this issue. No changes have been made to the packages. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). 
As a result, an unprivileged attacker could use this flaw to influence speculative execution and/or read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3693) * A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. (CVE-2018-5390) * kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265) * kernel: race condition in snd_seq_write() may lead to UAF or OOB-access (CVE-2018-7566) * kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646; Vladimir Kiriansky (MIT) and Carl Waldspurger (Carl Waldspurger Consulting) for reporting CVE-2018-3693; Juha-Matti Tilli (Aalto University, Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5390; and Vegard Nossum (Oracle Corporation) for reporting CVE-2018-10901. Bug Fix(es) : * The Least recently used (LRU) operations are batched by caching pages in per-cpu page vectors to prevent contention of the heavily used lru_lock spinlock. 
The page vectors can hold even the compound pages. Previously, the page vectors were cleared only if they were full. Subsequently, the amount of memory held in page vectors, which is not reclaimable, was sometimes too high. Consequently the page reclamation started the Out of Memory (OOM) killing processes. With this update, the underlying source code has been fixed to clear LRU page vectors each time when a compound page is added to them. As a result, OOM killing processes due to high amounts of memory held in page vectors no longer occur. (BZ#1575819)
    last seen 2019-02-21
    modified 2018-10-12
    plugin id 111724
    published 2018-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111724
    title Oracle Linux 6 : kernel (ELSA-2018-2390) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2380-1.NASL
    description The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data. (bnc#1087081). - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. (bnc#1089343). - CVE-2018-5391 aka 'FragmentSmack': A flaw in the IP packet reassembly could be used by remote attackers to consume lots of CPU time (bnc#1103097). - CVE-2018-10876: A flaw was found in the ext4 filesystem code. A use-after-free is possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image. (bnc#1099811) - CVE-2018-10877: The ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image. (bnc#1099846) - CVE-2018-10878: A flaw was found in the ext4 filesystem. A local user can cause an out-of-bounds write and a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4 filesystem image. (bnc#1099813) - CVE-2018-10879: A flaw was found in the ext4 filesystem. A local user can cause a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a file in a crafted ext4 filesystem image. (bnc#1099844) - CVE-2018-10880: Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). 
An attacker could use this to cause a system crash and a denial of service. (bnc#1099845) - CVE-2018-10881: A flaw was found in the ext4 filesystem. A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image. (bnc#1099864) - CVE-2018-10882: A flaw was found in the ext4 filesystem. A local user can cause an out-of-bound write in fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image. (bnc#1099849) - CVE-2018-10883: A flaw was found in the ext4 filesystem. A local user can cause an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image. (bnc#1099863) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 120082
    published 2019-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120082
    title SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2018:2380-1) (Foreshadow)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3741-3.NASL
    description USN-3741-1 introduced mitigations in the Linux kernel for Ubuntu 14.04 LTS to address L1 Terminal Fault (L1TF) vulnerabilities (CVE-2018-3620, CVE-2018-3646). Unfortunately, the update introduced regressions that caused kernel panics when booting in some environments as well as preventing Java applications from starting. This update fixes the problems. We apologize for the inconvenience. Original advisory details : It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS). (CVE-2018-3646) It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker could use this to expose sensitive information (memory from the kernel or other processes). (CVE-2018-3620) Juha-Matti Tilli discovered that the TCP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packets. A remote attacker could use this to cause a denial of service. (CVE-2018-5390) Juha-Matti Tilli discovered that the IP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packet fragments. A remote attacker could use this to cause a denial of service. (CVE-2018-5391). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 112017
    published 2018-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112017
    title Ubuntu 14.04 LTS : linux regressions (USN-3741-3) (Foreshadow)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2391.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 6.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646 and Vegard Nossum (Oracle Corporation) for reporting CVE-2018-10901.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 111732
    published 2018-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111732
    title RHEL 6 : kernel (RHSA-2018:2391) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2332-1.NASL
    description The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data. (bnc#1087081). - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. (bnc#1089343). - CVE-2018-1000204: A malformed SG_IO ioctl issued for a SCSI device could lead to a local kernel information leak manifesting in up to approximately 1000 memory pages copied to the userspace. The problem has limited scope as non-privileged users usually have no permissions to access SCSI device files. (bnc#1096728). - CVE-2018-13053: The alarm_timer_nsleep function in kernel/time/alarmtimer.c had an integer overflow via a large relative timeout because ktime_add_safe is not used (bnc#1099924). - CVE-2018-13406: An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1098016 bnc#1100418). - CVE-2016-8405: An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. (bnc#1099942). - CVE-2018-5814: Multiple race condition errors when handling probe, disconnect, and rebind operations could be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets (bnc#1096480). 
- CVE-2018-12233: In the ea_get function in fs/jfs/xattr.c a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. (bnc#1097234). - CVE-2017-13305: An information disclosure vulnerability in the Upstream kernel encrypted-keys. (bnc#1094353). - CVE-2018-1130: A NULL pointer dereference in dccp_write_xmit() function in net/dccp/output.c allowed a local user to cause a denial of service by a number of certain crafted system calls (bnc#1092904). - CVE-2018-1068: A flaw was found in the implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory (bnc#1085107). - CVE-2018-5803: An error in the '_sctp_make_chunk()' function (net/sctp/sm_make_chunk.c) when handling SCTP packets length could be exploited to cause a kernel crash (bnc#1083900). - CVE-2018-7492: A NULL pointer dereference was found in the net/rds/rdma.c __rds_rdma_map() function, which allowed local attackers to cause a system panic and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST (bnc#1082962). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111782
    published 2018-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111782
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2018:2332-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2335-1.NASL
    description ucode-intel was updated to the 20180807 release. For the listed CPU chipsets this fixes CVE-2018-3640 (Spectre v3a), and is part of the mitigations for CVE-2018-3639 (Spectre v4) and CVE-2018-3646 (L1 Terminal Fault). (bsc#1104134 bsc#1087082 bsc#1087083 bsc#1089343)

      Processor              Identifier   Version              Products
      Model       Stepping   F-MO-S/PI    Old->New
      ---- new platforms ----------------------------------------
      WSM-EP/WS   U1         6-2c-2/03    0000001f             Xeon E/L/X56xx, W36xx
      NHM-EX      D0         6-2e-6/04    0000000d             Xeon E/L/X65xx/75xx
      BXT         C0         6-5c-2/01    00000014             Atom T5500/5700
      APL         E0         6-5c-a/03    0000000c             Atom x5-E39xx
      DVN         B0         6-5f-1/01    00000024             Atom C3xxx
      ---- updated platforms ------------------------------------
      NHM-EP/WS   D0         6-1a-5/03    00000019->0000001d   Xeon E/L/X/W55xx
      NHM         B1         6-1e-5/13    00000007->0000000a   Core i7-8xx, i5-7xx; Xeon L3426, X24xx
      WSM         B1         6-25-2/12    0000000e->00000011   Core i7-6xx, i5-6xx/4xxM, i3-5xx/3xxM, Pentium G69xx, Celeron P45xx; Xeon L3406
      WSM         K0         6-25-5/92    00000004->00000007   Core i7-6xx, i5-6xx/5xx/4xx, i3-5xx/3xx, Pentium G69xx/P6xxx/U5xxx, Celeron P4xxx/U3xxx
      SNB         D2         6-2a-7/12    0000002d->0000002e   Core Gen2; Xeon E3
      WSM-EX      A2         6-2f-2/05    00000037->0000003b   Xeon E7
      IVB         E2         6-3a-9/12    0000001f->00000020   Core Gen3 Mobile
      HSW-H/S/E3  Cx/Dx      6-3c-3/32    00000024->00000025   Core Gen4 Desktop; Xeon E3 v3
      BDW-U/Y     E/F        6-3d-4/c0    0000002a->0000002b   Core Gen5 Mobile
      HSW-ULT     Cx/Dx      6-45-1/72    00000023->00000024   Core Gen4 Mobile and derived Pentium/Celeron
      HSW-H       Cx         6-46-1/32    00000019->0000001a   Core Extreme i7-5xxxX
      BDW-H/E3    E/G        6-47-1/22    0000001d->0000001e   Core i5-5xxxR/C, i7-5xxxHQ/EQ; Xeon E3 v4
      SKL-U/Y     D0         6-4e-3/c0    000000c2->000000c6   Core Gen6 Mobile
      BDX-DE      V1         6-56-2/10    00000015->00000017   Xeon D-1520/40
      BDX-DE      V2/3       6-56-3/10    07000012->07000013   Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
      BDX-DE      Y0         6-56-4/10    0f000011->0f000012   Xeon D-1557/59/67/71/77/81/87
      APL         D0         6-5c-9/03    0000002c->00000032   Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
      SKL-H/S/E3  R0         6-5e-3/36    000000c2->000000c6   Core Gen6; Xeon E3 v5

      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111783
    published 2018-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111783
    title SUSE SLES11 Security Update : Security update to ucode-intel (SUSE-SU-2018:2335-1) (Foreshadow) (Spectre)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_AUG_4343892.NASL
    description The remote Windows host is missing security update 4343892. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8403) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. (CVE-2018-8341, CVE-2018-8348) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8344) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8404) - A remote code execution vulnerability exists when Internet Explorer improperly validates hyperlinks before loading executable libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
(CVE-2018-8316) - A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this vulnerability could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine. (CVE-2018-8200, CVE-2018-8204) - An Elevation of Privilege vulnerability exists when Diagnostics Hub Standard Collector allows file creation in arbitrary locations. (CVE-2018-0952) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8266, CVE-2018-8381) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373, CVE-2018-8389) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. 
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2018-8345) - An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-8401, CVE-2018-8405, CVE-2018-8406) - An information disclosure vulnerability exists when WebAudio Library improperly handles audio requests. An attacker who has successfully exploited this vulnerability might be able to read privileged data across trust boundaries. In browsing scenarios, an attacker could convince a user to visit a malicious site and leverage the vulnerability to obtain privileged information from the browser process, such as sensitive data from other opened tabs. An attacker could also inject malicious code into advertising networks used by trusted sites or embed malicious code on a compromised, but trusted, site. The update addresses the vulnerability by correcting how the WebAudio Library handles audio requests. (CVE-2018-8370) - An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. (CVE-2018-8343) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
(CVE-2018-8394, CVE-2018-8398) - A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-8349) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-8339) - An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments. The vulnerability is caused when .NET Framework is used in high-load/high-density network connections where content from one stream can blend into another stream. (CVE-2018-8360) - An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction. An attacker who successfully exploited this vulnerability could allow an attacker to obtain browser frame or window state from a different domain. For an attack to be successful, an attacker must persuade a user to open a malicious website from a secure website. This update addresses the vulnerability by denying permission to read the state of the object model, to which frames or windows on different domains should not have access. 
(CVE-2018-8351) - An elevation of privilege vulnerability exists in Microsoft browsers allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2018-8357)
    last seen 2019-02-21
    modified 2019-01-30
    plugin id 111686
    published 2018-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111686
    title KB4343892: Windows 10 August 2018 Security Update (Foreshadow)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-1058.NASL
    description Fixes for L1 Terminal Fault security issues : L1 Terminal Fault-OS/SMM : Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis. (CVE-2018-3620) L1 Terminal Fault-VMM : Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis. (CVE-2018-3646) L1 Terminal Fault-SGX : Systems with microprocessors utilizing speculative execution and Intel SGX may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis. AWS is not affected by CVE-2018-3615. There are no AWS products related to enclave systems like SGX. (CVE-2018-3615) Denial of service caused by a large number of IP fragments : A denial of service attack by exhausting resources on a networked host by sending a large number of IP fragments that cannot be reassembled by the receiver. (CVE-2018-5391)
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 111702
    published 2018-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111702
    title Amazon Linux AMI : kernel (ALAS-2018-1058) (Foreshadow)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_AUG_4343909.NASL
    description The remote Windows host is missing security update 4343909. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. (CVE-2018-8341, CVE-2018-8348) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8344) - A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8377, CVE-2018-8387) - An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. (CVE-2018-8343) - A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-8349) - An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory.
An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-8400, CVE-2018-8401, CVE-2018-8405, CVE-2018-8406) - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8390) - A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. (CVE-2018-8414) - A spoofing vulnerability exists when Microsoft Edge does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could trick a user by redirecting the user to a specially crafted website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2018-8383) - A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this vulnerability could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine. 
(CVE-2018-8200, CVE-2018-8204) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385) - An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8347) - A remote code execution vulnerability exists when Microsoft Windows PDF Library improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8350) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2018-8345) - An information disclosure vulnerability exists when WebAudio Library improperly handles audio requests. An attacker who has successfully exploited this vulnerability might be able to read privileged data across trust boundaries.
In browsing scenarios, an attacker could convince a user to visit a malicious site and leverage the vulnerability to obtain privileged information from the browser process, such as sensitive data from other opened tabs. An attacker could also inject malicious code into advertising networks used by trusted sites or embed malicious code on a compromised, but trusted, site. The update addresses the vulnerability by correcting how the WebAudio Library handles audio requests. (CVE-2018-8370) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-8339) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8266, CVE-2018-8380, CVE-2018-8381) - A remote code execution vulnerability exists when Internet Explorer improperly validates hyperlinks before loading executable libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8316) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. 
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8399, CVE-2018-8404) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8394, CVE-2018-8398) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8403) - An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction. An attacker who successfully exploited this vulnerability could allow an attacker to obtain browser frame or window state from a different domain. For an attack to be successful, an attacker must persuade a user to open a malicious website from a secure website. This update addresses the vulnerability by denying permission to read the state of the object model, to which frames or windows on different domains should not have access. (CVE-2018-8351) - An elevation of privilege vulnerability exists in Microsoft browsers allowing sandbox escape.
An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2018-8357) - An Elevation of Privilege vulnerability exists when Diagnostics Hub Standard Collector allows file creation in arbitrary locations. (CVE-2018-0952) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373, CVE-2018-8389) - An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments. The vulnerability is caused when .NET Framework is used in high-load/high-density network connections where content from one stream can blend into another stream. (CVE-2018-8360) - A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content. An attacker who successfully exploited this vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2018-8388)
    last seen 2019-02-21
    modified 2019-01-30
    plugin id 111692
    published 2018-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111692
    title KB4343909: Windows 10 Version 1803 and Windows Server Version 1803 August 2018 Security Update (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2345-1.NASL
    description This update for the Linux Kernel 3.12.61-52_128 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2018-10853: A flaw was found in kvm, in which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111816
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111816
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2345-1) (Foreshadow)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2384.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to influence speculative execution and/or read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3693) * A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. 
A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. (CVE-2018-5390) * kernel: crypto: privilege escalation in skcipher_recvmsg function (CVE-2017-13215) * kernel: mm: use-after-free in do_get_mempolicy function allows local DoS or other unspecified impact (CVE-2018-10675) * kernel: race condition in snd_seq_write() may lead to UAF or OOB access (CVE-2018-7566) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646; Vladimir Kiriansky (MIT) and Carl Waldspurger (Carl Waldspurger Consulting) for reporting CVE-2018-3693; and Juha-Matti Tilli (Aalto University, Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5390. Bug Fix(es) : These updated kernel packages include also numerous bug fixes. Space precludes documenting all of the bug fixes in this advisory. See the descriptions in the related Knowledge Article : https://access.redhat.com/articles/3527791
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 111727
    published 2018-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111727
    title RHEL 7 : kernel (RHSA-2018:2384) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2331-1.NASL
    description ucode-intel was updated to the 20180807 release. For the listed CPU chipsets this fixes CVE-2018-3640 (Spectre v3a) and is part of the mitigations for CVE-2018-3639 (Spectre v4) and CVE-2018-3646 (L1 Terminal fault). (bsc#1104134 bsc#1087082 bsc#1087083 bsc#1089343)

      Processor             Identifier Version             Products
      Model        Stepping F-MO-S/PI  Old->New
      ---- new platforms ----
      WSM-EP/WS    U1       6-2c-2/03  0000001f            Xeon E/L/X56xx, W36xx
      NHM-EX       D0       6-2e-6/04  0000000d            Xeon E/L/X65xx/75xx
      BXT          C0       6-5c-2/01  00000014            Atom T5500/5700
      APL          E0       6-5c-a/03  0000000c            Atom x5-E39xx
      DVN          B0       6-5f-1/01  00000024            Atom C3xxx
      ---- updated platforms ----
      NHM-EP/WS    D0       6-1a-5/03  00000019->0000001d  Xeon E/L/X/W55xx
      NHM          B1       6-1e-5/13  00000007->0000000a  Core i7-8xx, i5-7xx; Xeon L3426, X24xx
      WSM          B1       6-25-2/12  0000000e->00000011  Core i7-6xx, i5-6xx/4xxM, i3-5xx/3xxM, Pentium G69xx, Celeron P45xx; Xeon L3406
      WSM          K0       6-25-5/92  00000004->00000007  Core i7-6xx, i5-6xx/5xx/4xx, i3-5xx/3xx, Pentium G69xx/P6xxx/U5xxx, Celeron P4xxx/U3xxx
      SNB          D2       6-2a-7/12  0000002d->0000002e  Core Gen2; Xeon E3
      WSM-EX       A2       6-2f-2/05  00000037->0000003b  Xeon E7
      IVB          E2       6-3a-9/12  0000001f->00000020  Core Gen3 Mobile
      HSW-H/S/E3   Cx/Dx    6-3c-3/32  00000024->00000025  Core Gen4 Desktop; Xeon E3 v3
      BDW-U/Y      E/F      6-3d-4/c0  0000002a->0000002b  Core Gen5 Mobile
      HSW-ULT      Cx/Dx    6-45-1/72  00000023->00000024  Core Gen4 Mobile and derived Pentium/Celeron
      HSW-H        Cx       6-46-1/32  00000019->0000001a  Core Extreme i7-5xxxX
      BDW-H/E3     E/G      6-47-1/22  0000001d->0000001e  Core i5-5xxxR/C, i7-5xxxHQ/EQ; Xeon E3 v4
      SKL-U/Y      D0       6-4e-3/c0  000000c2->000000c6  Core Gen6 Mobile
      BDX-DE       V1       6-56-2/10  00000015->00000017  Xeon D-1520/40
      BDX-DE       V2/3     6-56-3/10  07000012->07000013  Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
      BDX-DE       Y0       6-56-4/10  0f000011->0f000012  Xeon D-1557/59/67/71/77/81/87
      APL          D0       6-5c-9/03  0000002c->00000032  Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
      SKL-H/S/E3   R0       6-5e-3/36  000000c2->000000c6  Core Gen6; Xeon E3 v5

      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111781
    published 2018-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111781
    title SUSE SLED12 / SLES12 Security Update : Security update to ucode-intel (SUSE-SU-2018:2331-1) (Foreshadow) (Spectre)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2396.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. 
(CVE-2018-3639) Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646 and Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting CVE-2018-3639. Bug Fix(es) : * The kernel-rt packages have been upgraded to the 3.10.0-693.37.1 source tree, which provides a number of bug fixes over the previous version. (BZ#1599860)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 111775
    published 2018-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111775
    title RHEL 6 : MRG (RHSA-2018:2396) (Foreshadow) (Spectre)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2387.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. 
(CVE-2018-3639) Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646 and Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting CVE-2018-3639. Bug Fix(es) : * Previously, configurations with the little-endian variant of IBM Power Systems CPU architectures and Hard Disk Drives (HDD) designed according to Nonvolatile Memory Express (NVMe) open standards, experienced crashes during shutdown or reboot due to race conditions of CPUs. As a consequence, the sysfs pseudo file system threw a stack trace report about an attempt to create a duplicate entry in sysfs. This update modifies the source code so that the irq_dispose_mapping() function is called first and the msi_bitmap_free_hwirqs() function is called afterwards. As a result, the race condition no longer appears in the described scenario. (BZ#1570510) * When switching from the indirect branch speculation (IBRS) feature to the retpolines feature, the IBRS state of some CPUs was sometimes not handled correctly. Consequently, some CPUs were left with the IBRS Model-Specific Register (MSR) bit set to 1, which could lead to performance issues. With this update, the underlying source code has been fixed to clear the IBRS MSR bits correctly, thus fixing the bug. (BZ#1586147) * During a balloon reset, page pointers were not correctly initialized after unmapping the memory. Consequently, on the VMware ESXi hypervisor with 'Fault Tolerance' and 'ballooning' enabled, the following messages repeatedly occurred in the kernel log : [3014611.640148] WARNING: at mm/vmalloc.c:1491 __vunmap+0xd3/0x100() [3014611.640269] Trying to vfree() nonexistent vm area (ffffc90000697000) With this update, the underlying source code has been fixed to initialize page pointers properly. As a result, the mm/vmalloc.c warnings no longer occur under the described circumstances. (BZ#1595600)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 111728
    published 2018-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111728
    title RHEL 7 : kernel (RHSA-2018:2387) (Foreshadow) (Spectre)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2348-1.NASL
    description This update for the Linux Kernel 3.12.74-60_64_88 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2018-10853: A flaw was found in kvm, in which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111819
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111819
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2348-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2349-1.NASL
    description This update for the Linux Kernel 3.12.61-52_122 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2018-10853: A flaw was found in kvm, in which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111820
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111820
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2349-1) (Foreshadow)
  • NASL family Windows
    NASL id VMWARE_WORKSTATION_WIN_VMSA_2018_0020.NASL
    description The version of VMware Workstation installed on the remote Windows host is 14.x prior to 14.1.3. It is, therefore, affected by a speculative execution side channel attack known as L1 Terminal Fault (L1TF). An attacker who successfully exploited L1TF may be able to read privileged data across trust boundaries.
    last seen 2019-02-21
    modified 2018-12-13
    plugin id 111761
    published 2018-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111761
    title VMware Workstation 14.x < 14.1.3 Speculative Execution Side Channel Vulnerability (Foreshadow) (VMSA-2018-0020)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2018-0246.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates :
      - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
      - BUILDINFO: xen commit=02cec92b3eb1612e37616b10400d82f1e3d8de85
      - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
      - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba
      - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
      - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
      - l1tf: Utility to offline/online SMT siblings. (Ross Philipson) [Orabug: 28487050] (CVE-2018-3646)
      - x86/spec-ctrl: Introduce an option to control L1D_FLUSH for HVM guests (Andrew Cooper) [Orabug: 28487050] (CVE-2018-3620) (CVE-2018-3646)
      - x86/msr: Virtualise MSR_FLUSH_CMD for guests (Andrew Cooper) [Orabug: 28487050] (CVE-2018-3646) (CVE-2018-3646)
      - x86/spec-ctrl: CPUID/MSR definitions for L1D_FLUSH (Andrew Cooper) [Orabug: 28487050] (CVE-2018-3646) (CVE-2018-3646)
      - x86/spec-ctrl: Calculate safe PTE addresses for L1TF mitigations (Andrew Cooper) [Orabug: 28487050] (CVE-2018-3620) (CVE-2018-3646)
      - x86: command line option to avoid use of secondary hyper-threads (Jan Beulich) [Orabug: 28487050] (CVE-2018-3646)
      - cpupools: fix state when downing a CPU failed (Jan Beulich) [Orabug: 28487050] (CVE-2018-3646)
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 111772
    published 2018-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111772
    title OracleVM 3.4 : xen (OVMSA-2018-0246) (Foreshadow)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-F8CBA144AE.NASL
    description The 4.17.14-202 build contains patches for the 'foreshadow' security issue that were missing from the 201 builds. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-03
    plugin id 120927
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120927
    title Fedora 28 : kernel / kernel-headers (2018-f8cba144ae) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2341-1.NASL
    description This update for the Linux Kernel 3.12.61-52_125 fixes several issues. The following security issues were fixed : - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system (bsc#1099306). - CVE-2018-10853: A flaw was found in kvm, in which certain instructions such as sgdt/sidt call segmented_write_std didn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. (bsc#1097108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111813
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111813
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2341-1) (Foreshadow)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2389-1.NASL
    description