CVE-2017-1000364 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Linux Kernel
Attack vector | LOCAL |
Attack complexity | HIGH |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
An issue was discovered in the size of the stack guard page on Linux: a 4k stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed). This affects Linux kernel versions 4.11.5 and earlier (the stack guard page was introduced in 2010).
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers: Buffer overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attacker's choice.
- Client-side Injection-induced Buffer Overflow: This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow: In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow), hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion: An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-DB
description | Solaris - RSH Stack Clash Privilege Escalation (Metasploit). CVE-2017-1000364,CVE-2017-3629,CVE-2017-3630,CVE-2017-3631. Local exploit for Solaris platform. ... |
file | exploits/solaris/local/45625.rb |
id | EDB-ID:45625 |
last seen | 2018-11-27 |
modified | 2018-10-16 |
platform | solaris |
port | |
published | 2018-10-16 |
reporter | Exploit-DB |
source | https://old.exploit-db.com/download/45625/ |
title | Solaris - RSH Stack Clash Privilege Escalation (Metasploit) |
type | local |
Metasploit
description | This module exploits a vulnerability in RSH on unpatched Solaris systems which allows users to gain root privileges. The stack guard page on unpatched Solaris systems is of insufficient size to prevent collisions between the stack and heap memory, aka Stack Clash. This module uploads and executes Qualys' Solaris_rsh.c exploit, which exploits a vulnerability in RSH to bypass the stack guard page to write to the stack and create a SUID root shell. This module has offsets for Solaris versions 11.1 (x86) and Solaris 11.3 (x86). Exploitation will usually complete within a few minutes using the default number of worker threads (10). Occasionally, exploitation will fail. If the target system is vulnerable, usually re-running the exploit will be successful. This module has been tested successfully on Solaris 11.1 (x86) and Solaris 11.3 (x86). |
id | MSF:EXPLOIT/SOLARIS/LOCAL/RSH_STACK_CLASH_PRIV_ESC |
last seen | 2020-06-13 |
modified | 2019-01-10 |
published | 2018-09-18 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/solaris/local/rsh_stack_clash_priv_esc.rb |
title | Solaris RSH Stack Clash Privilege Escalation |
Nessus
NASL family | SuSE Local Security Checks |
NASL id | SUSE_SU-2017-1628-1.NASL |
description | The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000364: The default stack guard page was too small and could be 'jumped over' by userland programs using more than one page of stack in functions and so lead to memory corruption. This update extends the stack guard page to 1 MB (for 4k pages) and 16 MB (for 64k pages) to reduce this attack vector. This is not a kernel bugfix, but a hardening measure against this kind of userland attack. (bsc#1039348) The update package also includes non-security fixes. See advisory for details. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 100954 |
published | 2017-06-21 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100954 |
title | SUSE SLES11 Security Update : kernel (SUSE-SU-2017:1628-1) (Stack Clash) |
code |

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2017:1628-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(100954);
  script_version("3.15");
  script_cvs_date("Date: 2019/09/11 11:22:15");

  script_cve_id("CVE-2017-1000364");

  script_name(english:"SUSE SLES11 Security Update : kernel (SUSE-SU-2017:1628-1) (Stack Clash)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various
security and bugfixes.

The following security bugs were fixed :

  - CVE-2017-1000364: The default stack guard page was too
    small and could be 'jumped over' by userland programs
    using more than one page of stack in functions and so
    lead to memory corruption. This update extends the stack
    guard page to 1 MB (for 4k pages) and 16 MB (for 64k
    pages) to reduce this attack vector. This is not a
    kernel bugfix, but a hardening measure against this kind
    of userland attack.(bsc#1039348)

The update package also includes non-security fixes. See advisory for
details.

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1018074"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1035920"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1039348"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1042921"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1043234"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-1000364/"
  );
  # https://www.suse.com/support/update/announcement/2017/suse-su-20171628-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?86a5c7f1"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t
patch sdksp4-kernel-13160=1

SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
slessp4-kernel-13160=1

SUSE Linux Enterprise Server 11-EXTRA:zypper in -t patch
slexsp3-kernel-13160=1

SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
dbgsp4-kernel-13160=1

To bring your system up-to-date, use 'zypper patch'."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'rsh_stack_clash_priv_esc.rb');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-man");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/06/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/21");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);


flag = 0;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-ec2-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-ec2-base-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-ec2-devel-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-xen-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-xen-base-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-xen-devel-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-pae-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-pae-base-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-pae-devel-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"kernel-default-man-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-default-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-default-base-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-default-devel-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-source-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-syms-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-trace-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-trace-base-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-trace-devel-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-ec2-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-ec2-base-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-ec2-devel-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-xen-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-xen-base-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-xen-devel-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-pae-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-pae-base-3.0.101-104.2")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-pae-devel-3.0.101-104.2")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
```
NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2017-1491.NASL |
description | An update for kernel is now available for Red Hat Enterprise Linux 6.2 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) Red Hat would like to thank Qualys Research Labs for reporting this issue. Bug Fix(es) : * Previously, a kernel panic occurred when the mcelog daemon executed a huge page memory offline. This update fixes the HugeTLB feature of the Linux kernel to check for the Page Table Entry (PTE) NULL pointer in the page_check_address() function. As a result, the kernel panic no longer occurs under the described circumstances. (BZ#1444342) * Previously, the kdump mechanism was trying to get the lock by the vmalloc_sync_all() function during a kernel panic. Consequently, a deadlock occurred, and the crashkernel did not boot. This update fixes the vmalloc_sync_all() function to avoid synchronizing the vmalloc area on the crashing CPU. As a result, the crashkernel parameter now boots as expected, and the kernel dump is collected successfully under the described circumstances. (BZ#1443494) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 100901 |
published | 2017-06-20 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100901 |
title | RHEL 6 : kernel (RHSA-2017:1491) (Stack Clash) |
code |

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2017:1491. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(100901);
  script_version("3.26");
  script_cvs_date("Date: 2019/10/24 15:35:43");

  script_cve_id("CVE-2017-1000364", "CVE-2017-1000379");
  script_xref(name:"RHSA", value:"2017:1491");

  script_name(english:"RHEL 6 : kernel (RHSA-2017:1491) (Stack Clash)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An update for kernel is now available for Red Hat Enterprise Linux 6.2
Advanced Update Support.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security Fix(es) :

* A flaw was found in the way memory was being allocated on the stack
for user space binaries. If heap (or different memory region) and
stack memory regions were adjacent to each other, an attacker could
use this flaw to jump over the stack guard gap, cause controlled
memory corruption on process stack or the adjacent memory region, and
thus increase their privileges on the system. This is a kernel-side
mitigation which increases the stack guard gap size from one page to
1 MiB to make successful exploitation of this issue more difficult.
(CVE-2017-1000364, Important)

Red Hat would like to thank Qualys Research Labs for reporting this
issue.

Bug Fix(es) :

* Previously, a kernel panic occurred when the mcelog daemon executed
a huge page memory offline. This update fixes the HugeTLB feature of
the Linux kernel to check for the Page Table Entry (PTE) NULL pointer
in the page_check_address() function. As a result, the kernel panic no
longer occurs under the described circumstances. (BZ#1444342)

* Previously, the kdump mechanism was trying to get the lock by the
vmalloc_sync_all() function during a kernel panic. Consequently, a
deadlock occurred, and the crashkernel did not boot. This update fixes
the vmalloc_sync_all() function to avoid synchronizing the vmalloc
area on the crashing CPU. As a result, the crashkernel parameter now
boots as expected, and the kernel dump is collected successfully under
the described circumstances. (BZ#1443494)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/vulnerabilities/stackguard"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2017:1491"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2017-1000364"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2017-1000379"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'rsh_stack_clash_priv_esc.rb');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-firmware");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.2");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/06/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/20");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");
include("ksplice.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^6\.2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.2", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2017-1000364", "CVE-2017-1000379");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2017:1491");
  }
  else
  {
    __rpm_report = ksplice_reporting_text();
  }
}

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2017:1491";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"kernel-2.6.32-220.72.2.el6")) flag++;
  if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"kernel-debug-2.6.32-220.72.2.el6")) flag++;
  if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"kernel-debug-debuginfo-2.6.32-220.72.2.el6")) flag++;
  if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"kernel-debug-devel-2.6.32-220.72.2.el6")) flag++;
  if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"kernel-debuginfo-2.6.32-220.72.2.el6")) flag++;
  if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-2.6.32-220.72.2.el6")) flag++;
  if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"kernel-devel-2.6.32-220.72.2.el6")) flag++;
  if (rpm_check(release:"RHEL6", sp:"2", reference:"kernel-doc-2.6.32-220.72.2.el6")) flag++;
  if (rpm_check(release:"RHEL6", sp:"2", reference:"kernel-firmware-2.6.32-220.72.2.el6")) flag++;
  if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"kernel-headers-2.6.32-220.72.2.el6")) flag++;
  if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"perf-2.6.32-220.72.2.el6")) flag++;
  if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"perf-debuginfo-2.6.32-220.72.2.el6")) flag++;
  if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"python-perf-2.6.32-220.72.2.el6")) flag++;
  if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"python-perf-debuginfo-2.6.32-220.72.2.el6")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-debug / kernel-debug-debuginfo / kernel-debug-devel / etc");
  }
}
```
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DLA-993.NASL |
description | Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
- CVE-2017-7487: Li Qiang reported a reference counter leak in the ipxitf_ioctl function which may result in a use-after-free vulnerability, triggerable when an IPX interface is configured.
- CVE-2017-7645: Tuomas Haanpaa and Matti Kamunen from Synopsys Ltd discovered that the NFSv2 and NFSv3 server implementations are vulnerable to an out-of-bounds memory access issue while processing arbitrarily long arguments sent by NFSv2/NFSv3 RPC clients, leading to a denial of service.
- CVE-2017-7895: Ari Kauppi from Synopsys Ltd discovered that the NFSv2 and NFSv3 server implementations do not properly handle payload bounds checking of WRITE requests. A remote attacker with write access to an NFS mount can take advantage of this flaw to read chunks of arbitrary memory from both kernel-space and user-space.
- CVE-2017-8890: It was discovered that the net_csk_clone_lock() function allows a remote attacker to cause a double free leading to a denial of service or potentially have other impact.
- CVE-2017-8924: Johan Hovold found that the io_ti USB serial driver could leak sensitive information if a malicious USB device was connected.
- CVE-2017-8925: Johan Hovold found a reference counter leak in the omninet USB serial driver, resulting in a use-after-free vulnerability. This can be triggered by a local user permitted to open tty devices.
- CVE-2017-9074: Andrey Konovalov reported that the IPv6 fragmentation implementation could read beyond the end of a packet buffer. A local user or guest VM might be able to use this to leak sensitive information or to cause a denial of service (crash).
- CVE-2017-9075: Andrey Konovalov reported that the SCTP/IPv6 implementation wrongly initialised address lists on connected sockets, resulting in a use-after-free vulnerability, a similar issue to CVE-2017-8890. This can be triggered by any local user.
- CVE-2017-9076 / CVE-2017-9077: Cong Wang found that the TCP/IPv6 and DCCP/IPv6 implementations wrongly initialised address lists on connected sockets, a similar issue to CVE-2017-9075.
- CVE-2017-9242: Andrey Konovalov reported a packet buffer overrun in the IPv6 implementation. A local user could use this for denial of service (memory corruption; crash) and possibly for privilege escalation.
- CVE-2017-1000364: The Qualys Research Labs discovered that the size of the stack guard page is not sufficiently large. The stack pointer can jump over the guard page and move from the stack into another memory region without accessing the guard page. In this case no page-fault exception is raised and the stack extends into the other memory region. An attacker can exploit this flaw for privilege escalation. The default stack gap protection is set to 256 pages and can be configured via the stack_guard_gap kernel parameter on the kernel command line. Further details can be found at https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
For Debian 7 |
last seen | 2020-03-17 |
modified | 2017-06-20 |
plugin id | 100876 |
published | 2017-06-20 |
reporter | This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100876 |
title | Debian DLA-993-2 : linux regression update (Stack Clash) |
NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2017-3658.NASL |
description | Description of changes: [2.6.39-400.298.1.el6uek]
- ocfs2/dlm: ignore cleaning the migration mle that is inuse (xuejiufei) [Orabug: 23320090]
- tty: Fix race in pty_write() leading to NULL deref (Todd Vierling) [Orabug: 24337879]
- xen-netfront: cast grant table reference first to type int (Dongli Zhang) [Orabug: 25102637]
- xen-netfront: do not cast grant table reference to signed short (Dongli Zhang) [Orabug: 25102637]
- RDS: Print failed rdma op details if failure is remote access error (Rama Nichanamatlu) [Orabug: 25440316]
- ping: implement proper locking (Eric Dumazet) [Orabug: 26540288] {CVE-2017-2671}
- KEYS: fix dereferencing NULL payload with nonzero length (Eric Biggers) [Orabug: 26592013]
- oracleasm: Copy the integrity descriptor (Martin K. Petersen) [Orabug: 26650039]
- mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook) [Orabug: 26675934] {CVE-2017-7889}
- fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE (Abhi Das) [Orabug: 26797307]
- xscore: add dma address check (Zhu Yanjun) [Orabug: 27058559]
- more bio_map_user_iov() leak fixes (Al Viro) [Orabug: 27069045] {CVE-2017-12190}
- fix unbalanced page refcounting in bio_map_user_iov (Vitaly Mayatskikh) [Orabug: 27069045] {CVE-2017-12190}
- xsigo: [backport] Fix race in freeing aged Forwarding tables (Pradeep Gopanapalli) [Orabug: 24823234]
- ocfs2: fix deadlock issue when taking inode lock at vfs entry points (Eric Ren) [Orabug: 25671723]
- ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock (Eric Ren) [Orabug: 25671723]
- net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) [Orabug: 26143563] {CVE-2017-7308}
- net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) [Orabug: 26143563] {CVE-2017-7308}
- char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau) [Orabug: 26403941] {CVE-2017-1000363}
- ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380}
- ALSA: timer: Fix race between read and ioctl (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380}
- ALSA: timer: fix NULL pointer dereference in read()/ioctl() race (Vegard Nossum) [Orabug: 26403958] {CVE-2017-1000380}
- ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380}
- ALSA: timer: Fix race at concurrent reads (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380}
- ALSA: timer: Fix race among timer ioctls (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380}
- ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben Hutchings) [Orabug: 26403974] {CVE-2017-9074}
- ipv6: Check ip6_find_1stfragopt() return value properly. (David S. Miller) [Orabug: 26403974] {CVE-2017-9074}
- ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) [Orabug: 26403974] {CVE-2017-9074}
- ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) [Orabug: 26404007] {CVE-2017-9077}
- aio: mark AIO pseudo-fs noexec (Jann Horn) [Orabug: 26643601] {CVE-2016-10044}
- vfs: Commit to never having exectuables on proc and sysfs. (Eric W. Biederman) [Orabug: 26643601] {CVE-2016-10044}
- vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun Heo) [Orabug: 26643601] {CVE-2016-10044}
- x86/acpi: Prevent out of bound access caused by broken ACPI tables (Seunghun Han) [Orabug: 26643652] {CVE-2017-11473}
- sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) [Orabug: 26650889] {CVE-2017-9075}
- saa7164: fix double fetch PCIe access condition (Steven Toth) [Orabug: 26675148] {CVE-2017-8831}
- saa7164: fix sparse warnings (Hans Verkuil) [Orabug: 26675148] {CVE-2017-8831}
- saa7164: get rid of warning: no previous prototype (Mauro Carvalho Chehab) [Orabug: 26675148] {CVE-2017-8831}
- [scsi] lpfc 8.3.44: Fix kernel panics from corrupted ndlp (James Smart) [Orabug: 26765341]
- timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899791] {CVE-2017-10661}
- scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn |
last seen | 2020-06-05 |
modified | 2017-12-11 |
plugin id | 105145 |
published | 2017-12-11 |
reporter | This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/105145 |
title | Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3658) (BlueBorne) (Stack Clash) |
NASL family | SuSE Local Security Checks |
NASL id | SUSE_SU-2017-1942-1.NASL |
description | This update for the Linux Kernel 3.12.67-60_64_24 fixes several issues. The following security bugs were fixed : - CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 101944 |
published | 2017-07-25 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/101944 |
title | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1942-1) (Stack Clash) |
NASL family | SuSE Local Security Checks |
NASL id | SUSE_SU-2017-1945-1.NASL |
description | This update for the Linux Kernel 3.12.61-52_69 fixes several issues. The following security bugs were fixed : - CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 101947 |
published | 2017-07-25 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/101947 |
title | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1945-1) (Stack Clash) |
NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2017-1647.NASL |
description | An update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult.
(CVE-2017-1000364, Important) * The NFS2/3 RPC client could send long arguments to the NFS server. These encoded arguments are stored in an array of memory pages, and accessed using pointer variables. Arbitrarily long arguments could make these pointers point outside the array and cause an out-of-bounds memory access. A remote user or program could use this flaw to crash the kernel, resulting in denial of service. (CVE-2017-7645, Important) * The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lacked certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly cause other unspecified impacts using crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. (CVE-2017-7895, Important) * A flaw was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 101103 published 2017-06-29 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101103 title RHEL 6 : MRG (RHSA-2017:1647) (Stack Clash) NASL family Virtuozzo Local Security Checks NASL id VIRTUOZZO_VZLSA-2017-1486.NASL description An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. 
If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) Red Hat would like to thank Qualys Research Labs for reporting this issue. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101484 published 2017-07-13 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101484 title Virtuozzo 6 : kernel / kernel-abi-whitelists / kernel-debug / etc (VZLSA-2017-1486) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-1485.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. 
If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) Red Hat would like to thank Qualys Research Labs for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 100895 published 2017-06-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100895 title RHEL 7 : kernel (RHSA-2017:1485) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1707-1.NASL description This Linux kernel update for SUSE Linux Enterprise 12 SP2 fixes the following issues : - A previous security update to address CVE-2017-1000364 caused unintended side-effects in several other tools, most notably Java. These issues have been remedied. [bsc#1045340] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101106 published 2017-06-29 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/101106 title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1707-1) (Stack Clash) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0174.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0174 for details. last seen 2020-06-05 modified 2017-12-14 plugin id 105248 published 2017-12-14 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105248 title OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0174) (BlueBorne) (Dirty COW) (Stack Clash) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2017-1486.NASL description An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) Red Hat would like to thank Qualys Research Labs for reporting this issue. 
last seen 2020-06-01 modified 2020-06-02 plugin id 100938 published 2017-06-21 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100938 title CentOS 6 : kernel (CESA-2017:1486) (Stack Clash) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-1486.NASL description From Red Hat Security Advisory 2017:1486 : An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) Red Hat would like to thank Qualys Research Labs for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 100889 published 2017-06-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100889 title Oracle Linux 6 : kernel (ELSA-2017-1486) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1906-1.NASL description This update for the Linux Kernel 3.12.60-52_60 fixes several issues. 
The following security bugs were fixed : - CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be last seen 2020-06-01 modified 2020-06-02 plugin id 101886 published 2017-07-21 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101886 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1906-1) (Stack Clash) NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL51931024.NASL description An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be last seen 2020-03-19 modified 2017-12-28 plugin id 105469 published 2017-12-28 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105469 title F5 Networks BIG-IP : Linux kernel vulnerability (K51931024) (Stack Clash) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-1616.NASL description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. 
If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) * A flaw was found in the way Linux kernel allocates heap memory to build the scattergather list from a fragment list(skb_shinfo(skb)->frag_list) in the socket buffer(skb_buff). The heap overflow occurred if last seen 2020-06-01 modified 2020-06-02 plugin id 101102 published 2017-06-29 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101102 title RHEL 7 : kernel-rt (RHSA-2017:1616) (Stack Clash) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3326-1.NASL description It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374) It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) Ingo Molnar discovered that the VideoCore DRM driver in the Linux kernel did not return an error after detecting certain overflows. 
A local attacker could exploit this issue to cause a denial of service (OOPS). (CVE-2017-5577) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 100924 published 2017-06-20 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100924 title Ubuntu 16.10 : linux, linux-meta vulnerabilities (USN-3326-1) (Stack Clash) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1154.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be last seen 2020-05-06 modified 2017-08-08 plugin id 102241 published 2017-08-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102241 title EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1154) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-1484.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. 
If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) Red Hat would like to thank Qualys Research Labs for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 100894 published 2017-06-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100894 title RHEL 7 : kernel (RHSA-2017:1484) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1915-1.NASL description This update for the Linux Kernel 3.12.74-60_64_45 fixes several issues. The following bugs were fixed : - CVE-2017-1000364: The previous fix for the stack gap increase tracked by CVE-2017-1000364 had a regression, which is fixed by this follow up patch. (bsc#1039496) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101890 published 2017-07-21 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101890 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1915-1) (Stack Clash) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3329-1.NASL description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. 
An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) A reference count bug was discovered in the Linux kernel ipx protocol stack. A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 100927 published 2017-06-20 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100927 title Ubuntu 16.04 LTS : linux-gke, linux-meta-gke vulnerabilities (USN-3329-1) (Stack Clash) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-734.NASL description The openSUSE Leap 42.2 kernel was updated to 4.4.73 to receive security and bugfixes. The following security bugs were fixed : - CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be last seen 2020-06-05 modified 2017-06-30 plugin id 101134 published 2017-06-30 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/101134 title openSUSE Security Update : the Linux Kernel (openSUSE-2017-734) (Stack Clash) NASL family Virtuozzo Local Security Checks NASL id VIRTUOZZO_VZA-2017-056.NASL description According to the version of the crit / criu / criu-devel / python-criu / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerability : - A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101053 published 2017-06-27 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101053 title Virtuozzo 7 : crit / criu / criu-devel / python-criu / vzkernel / etc (VZA-2017-056) NASL family Virtuozzo Local Security Checks NASL id VIRTUOZZO_VZLSA-2017-1484.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) Red Hat would like to thank Qualys Research Labs for reporting this issue. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101483 published 2017-07-13 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101483 title Virtuozzo 7 : kernel / kernel-abi-whitelists / kernel-debug / etc (VZLSA-2017-1484) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3334-1.NASL description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. 
A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) A reference count bug was discovered in the Linux kernel ipx protocol stack. A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 100932 published 2017-06-20 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100932 title Ubuntu 14.04 LTS : linux-lts-xenial, linux-meta-lts-xenial vulnerabilities (USN-3334-1) (Stack Clash) NASL family Firewalls NASL id FIREEYE_OS_EX_801.NASL description The remote host is running a version of FireEye Operating System (FEOS) that is affected by multiple vulnerabilities. See vendor release notes for details. last seen 2020-06-01 modified 2020-06-02 plugin id 103673 published 2017-10-05 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103673 title FireEye Operating System Multiple Vulnerabilities (AX < 7.7.7 / EX < 8.0.1) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0126.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0126 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 102064 published 2017-07-31 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/102064 title OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0126) (Stack Clash) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-1842-1.NASL description The remote Oracle Linux host is missing a security update for the kernel package(s). last seen 2020-06-01 modified 2020-06-02 plugin id 102511 published 2017-08-16 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/102511 title Oracle Linux 7 : kernel (ELSA-2017-1842-1) (Stack Clash) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2017-1484.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) Red Hat would like to thank Qualys Research Labs for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 100937 published 2017-06-21 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/100937 title CentOS 7 : kernel (CESA-2017:1484) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1946-1.NASL description This update for the Linux Kernel 3.12.67-60_64_21 fixes several issues. The following security bugs were fixed : - CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be last seen 2020-06-01 modified 2020-06-02 plugin id 101948 published 2017-07-25 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101948 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1946-1) (Stack Clash) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-3595.NASL description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s). last seen 2020-06-01 modified 2020-06-02 plugin id 102059 published 2017-07-31 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102059 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3595) (Stack Clash) NASL family Misc. NASL id MCAFEE_WEB_GATEWAY_SB10205.NASL description The remote host is running a version of McAfee Web Gateway (MWG) that is affected by multiple security vulnerabilities : - A memory corruption flaw exists in unrar before 5.5.5, as used in Sophos Anti-Virus Threat Detection Engine before 3.37.2 and other products that allows remote attackers to execute arbitrary code. 
(CVE-2012-6706) - A memory corruption flaw exists in Linux Kernel versions 4.11.5 and earlier that allows remote attacks to execute arbitrary code with elevated privileges.(CVE-2017-1000364) - A memory corruption flaw exists in the handling of LD_LIBRARY_PATH that allows a remote attacker to manipulate the heap/stack that may lead to arbitrary code execution. This issue only affects GNU glibc 2.25 and prior. (CVE-2017-1000366) - An input validation flaw exists in Todd Miller last seen 2020-06-13 modified 2017-08-15 plugin id 102496 published 2017-08-15 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102496 title McAfee Web Gateway 7.6.x < 7.6.2.15 / 7.7.x < 7.7.2.3 Multiple Vulnerabilities (SB10205) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1910-1.NASL description This update for the Linux Kernel 3.12.62-60_64_8 fixes several issues. The following security bugs were fixed : - CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be last seen 2020-06-01 modified 2020-06-02 plugin id 101888 published 2017-07-21 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101888 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1910-1) (Stack Clash) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-1487.NASL description An update for kernel is now available for Red Hat Enterprise Linux 6.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) Red Hat would like to thank Qualys Research Labs for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 100897 published 2017-06-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100897 title RHEL 6 : kernel (RHSA-2017:1487) (Stack Clash) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0145.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0145 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 102774 published 2017-08-25 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102774 title OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0145) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1618-1.NASL description The SUSE Linux Enterprise 12 kernel was updated to receive various security and bugfixes. 
The following security bugs were fixed : - CVE-2017-1000364: The default stack guard page was too small and could be last seen 2020-06-01 modified 2020-06-02 plugin id 100916 published 2017-06-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100916 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1618-1) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1905-1.NASL description This update for the Linux Kernel 3.12.60-52_57 fixes several issues. The following security bugs were fixed : - CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be last seen 2020-06-01 modified 2020-06-02 plugin id 101885 published 2017-07-21 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101885 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1905-1) (Stack Clash) NASL family Fedora Local Security Checks NASL id FEDORA_2017-D3ED702FE4.NASL description The 4.11.6 update contains a number of important fixes across the tree, including the recently announced last seen 2020-06-05 modified 2017-07-17 plugin id 101723 published 2017-07-17 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101723 title Fedora 26 : kernel (2017-d3ed702fe4) (Stack Clash) NASL family Scientific Linux Local Security Checks NASL id SL_20170619_KERNEL_ON_SL7_X.NASL description Security Fix(es) : - A flaw was found in the way memory was being allocated on the stack for user space binaries. 
If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) last seen 2020-03-18 modified 2017-06-20 plugin id 100906 published 2017-06-20 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100906 title Scientific Linux Security Update : kernel on SL7.x x86_64 (20170619) (Stack Clash) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3338-1.NASL description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local unprivileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges. (CVE-2016-4997). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 100990 published 2017-06-22 reporter Ubuntu Security Notice (C) 2017-2018 Canonical, Inc. / NASL script (C) 2017-2018 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/100990 title Ubuntu 12.04 LTS : linux vulnerabilities (USN-3338-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1696-1.NASL description This Linux kernel update for SUSE Linux Enterprise 11 SP4 fixes the following issues : - A previous security update to address CVE-2017-1000364 caused unintended side-effects in several other tools, most notably Java. These issues have been remedied. [bsc#1045340, bsc#1045406] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101061 published 2017-06-27 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101061 title SUSE SLES11 Security Update : kernel-source (SUSE-SU-2017:1696-1) (Stack Clash) NASL family Junos Local Security Checks NASL id JUNIPER_SPACE_JSA10917_184R1.NASL description According to its self-reported version number, the remote Junos Space version is 18.4.x prior to 18.4R1. It is, therefore, affected by multiple vulnerabilities : - An integer overflow issue exists in procps-ng. This is related to CVE-2018-1124. (CVE-2018-1126) - A directory traversal issue exits in reposync, a part of yum-utils.tory configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. (CVE-2018-10897) - An integer overflow flaw was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 121068 published 2019-01-10 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/121068 title Juniper Junos Space 18.4.x < 18.4R1 Multiple Vulnerabilities (JSA10917) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1943-1.NASL description This update for the Linux Kernel 3.12.74-60_64_40 fixes one issue. The following security bugs were fixed : - CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be last seen 2020-06-01 modified 2020-06-02 plugin id 101945 published 2017-07-25 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101945 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1943-1) (Stack Clash) NASL family Virtuozzo Local Security Checks NASL id VIRTUOZZO_VZA-2017-061.NASL description According to the version of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerability : - An updated fix for CVE-2017-1000364 (kernel: heap/stack gap jumping via unbounded stack allocations). The fix released in the 042stab123.8 kernel was not fully correct. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101207 published 2017-07-05 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/101207 title Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2017-061) NASL family Fedora Local Security Checks NASL id FEDORA_2017-05F10E29F4.NASL description The 4.11.6 update contains a number of important fixes across the tree, including the recently announced last seen 2020-06-05 modified 2017-06-28 plugin id 101068 published 2017-06-28 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101068 title Fedora 24 : kernel (2017-05f10e29f4) (Stack Clash) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3330-1.NASL description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) A reference count bug was discovered in the Linux kernel ipx protocol stack. A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 100928 published 2017-06-20 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/100928 title Ubuntu 16.04 LTS : linux-meta-snapdragon, linux-snapdragon vulnerabilities (USN-3330-1) (Stack Clash) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0015.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0015 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 106469 published 2018-01-30 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106469 title OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0015) (BlueBorne) (Meltdown) (Spectre) (Stack Clash) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1155.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be last seen 2020-05-06 modified 2017-08-08 plugin id 102242 published 2017-08-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102242 title EulerOS 2.0 SP2 : kernel (EulerOS-SA-2017-1155) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1617-1.NASL description The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000364: The default stack guard page was too small and could be last seen 2020-06-01 modified 2020-06-02 plugin id 100915 published 2017-06-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/100915 title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1617-1) (Stack Clash) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-1489.NASL description An update for kernel is now available for Red Hat Enterprise Linux 6.5 Advanced Update Support and Red Hat Enterprise Linux 6.5 Telco Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) Red Hat would like to thank Qualys Research Labs for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 100899 published 2017-06-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100899 title RHEL 6 : kernel (RHSA-2017:1489) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1937-1.NASL description This update for the Linux Kernel 3.12.69-60_64_29 fixes several issues. 
The following security bugs were fixed : - CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be last seen 2020-06-01 modified 2020-06-02 plugin id 101940 published 2017-07-25 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101940 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1937-1) (Stack Clash) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-1490.NASL description An update for kernel is now available for Red Hat Enterprise Linux 6.4 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) Red Hat would like to thank Qualys Research Labs for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 100900 published 2017-06-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/100900 title RHEL 6 : kernel (RHSA-2017:1490) (Stack Clash) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3325-1.NASL description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 100923 published 2017-06-20 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100923 title Ubuntu 17.04 : linux-meta-raspi2, linux-raspi2 vulnerabilities (USN-3325-1) (Stack Clash) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3332-1.NASL description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. 
(CVE-2017-1000363) A reference count bug was discovered in the Linux kernel ipx protocol stack. A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 100930 published 2017-06-20 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100930 title Ubuntu 16.04 LTS : linux-meta-raspi2, linux-raspi2 vulnerabilities (USN-3332-1) (Stack Clash) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-3592.NASL description Description of changes: [2.6.39-400.297.4.el6uek] - mm: larger stack guard gap, between vmas (Hugh Dickins) [Orabug: 26326145] {CVE-2017-1000364} This plugin has been deprecated because the recently released Oracle Linux 5 and 6, ELSA-2017-3592, does not fix any security problems relevant to already running systems. You do not need to take any action to update your systems. last seen 2017-10-29 modified 2017-10-06 plugin id 101544 published 2017-07-14 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=101544 title Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3592) (Stack Clash) (deprecated) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2017-177-01.NASL description New kernel packages are available for Slackware 14.2 and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101051 published 2017-06-27 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/101051 title Slackware 14.2 / current : kernel (SSA:2017-177-01) (Stack Clash) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3327-1.NASL description It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374) It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) Ingo Molnar discovered that the VideoCore DRM driver in the Linux kernel did not return an error after detecting certain overflows. A local attacker could exploit this issue to cause a denial of service (OOPS). (CVE-2017-5577) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 100925 published 2017-06-20 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/100925 title Ubuntu 16.10 : linux-meta-raspi2, linux-raspi2 vulnerabilities (USN-3327-1) (Stack Clash) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3335-1.NASL description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) It was discovered that a use-after-free vulnerability in the core voltage regulator driver of the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2014-9940) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) Li Qiang discovered that an integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7294) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 100933 published 2017-06-20 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/100933 title Ubuntu 14.04 LTS : linux, linux-meta vulnerabilities (USN-3335-1) (Stack Clash) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1498.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An integer overflow vulnerability was found in the ring_buffer_resize() calculations in which a privileged user can adjust the size of the ringbuffer message size. These calculations can create an issue where the kernel memory allocator will not allocate the correct count of pages yet expect them to be usable. This can lead to the ftrace() output to appear to corrupt kernel memory and possibly be used for privileged escalation or more likely kernel panic.(CVE-2016-9754) - A flaw was found in the Linux kernel last seen 2020-06-12 modified 2019-05-13 plugin id 124821 published 2019-05-13 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124821 title EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1498) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0099_KERNEL.NASL description The remote NewStart CGSL host, running version MAIN 4.05, has kernel packages installed that are affected by multiple vulnerabilities: - A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. 
This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364) - A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is glibc-side mitigation which blocks processing of LD_LIBRARY_PATH for programs running in secure-execution mode and reduces the number of allocations performed by the processing of LD_AUDIT, LD_PRELOAD, and LD_HWCAP_MASK, making successful exploitation of this issue more difficult. (CVE-2017-1000366) - A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636) - The NFS2/3 RPC client could send long arguments to the NFS server. These encoded arguments are stored in an array of memory pages, and accessed using pointer variables. Arbitrarily long arguments could make these pointers point outside the array and cause an out-of- bounds memory access. A remote user or program could use this flaw to crash the kernel, resulting in denial of service. (CVE-2017-7645) - The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lacked certain checks for the end of a buffer. A remote attacker could trigger a pointer- arithmetic error or possibly cause other unspecified impacts using crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. 
(CVE-2017-7895) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127325 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127325 title NewStart CGSL MAIN 4.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0099) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1939-1.NASL description This update for the Linux Kernel 3.12.61-52_72 fixes one issue. The following security bugs were fixed : - CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be last seen 2020-06-01 modified 2020-06-02 plugin id 101942 published 2017-07-25 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101942 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1939-1) (Stack Clash) NASL family Misc. NASL id RANCHEROS_1_0_3.NASL description The remote host is running a version of RancherOS that is prior to v.1.0.3, hence is vulnerable to a local memory-corruption vulnerability. Attackers may be able to exploit this issue to execute arbitrary code with elevated privileges (CVE-2017-1000364) Glibc module in Rancheros contains a vulnerability that allows manipulation of the heap/stack. Attackers may be able to exploit this issue to execute arbitrary code with elevated privileges (CVE-2017-1000366) last seen 2020-06-01 modified 2020-06-02 plugin id 132248 published 2019-12-19 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/132248 title Security Updates for RancherOS Local Memory Corruption Vulnerability NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3331-1.NASL description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) A reference count bug was discovered in the Linux kernel ipx protocol stack. A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 100929 published 2017-06-20 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100929 title Ubuntu 16.04 LTS : linux-aws, linux-meta-aws vulnerabilities (USN-3331-1) (Stack Clash) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3328-1.NASL description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. 
An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) A reference count bug was discovered in the Linux kernel ipx protocol stack. A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 100926 published 2017-06-20 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100926 title Ubuntu 16.04 LTS : linux, linux-meta vulnerabilities (USN-3328-1) (Stack Clash) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-716.NASL description The openSUSE Leap 42.2 kernel was updated to 4.4.72 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be last seen 2020-06-05 modified 2017-06-30 plugin id 101127 published 2017-06-30 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/101127 title openSUSE Security Update : the Linux Kernel (openSUSE-2017-716) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1912-1.NASL description This update for the Linux Kernel 3.12.61-52_77 fixes several issues. The following bugs were fixed : - CVE-2017-1000364: The previous fix for the stack gap increase tracked by CVE-2017-1000364 had a regression, which is fixed by this follow-up patch. (bsc#1039496) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101889 published 2017-07-21 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101889 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1912-1) (Stack Clash) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-3587.NASL description Description of changes: kernel-uek [4.1.12-94.3.7.el7uek] - mm: fix new crash in unmapped_area_topdown() (Hugh Dickins) [Orabug: 26326143] {CVE-2017-1000364} - mm: larger stack guard gap, between vmas (Hugh Dickins) [Orabug: 26326143] {CVE-2017-1000364} last seen 2020-06-01 modified 2020-06-02 plugin id 101098 published 2017-06-29 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101098 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3587) (Stack Clash) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3335-2.NASL description USN-3335-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. 
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM. It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 100987 published 2017-06-22 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/100987 title Ubuntu 12.04 LTS : linux-lts-trusty vulnerability (USN-3335-2) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3333-1.NASL description It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374) It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges. (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) Ingo Molnar discovered that the VideoCore DRM driver in the Linux kernel did not return an error after detecting certain overflows. 
A local attacker could exploit this issue to cause a denial of service (OOPS). (CVE-2017-5577) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 100931 published 2017-06-20 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100931 title Ubuntu 16.04 LTS : linux-hwe, linux-meta-hwe vulnerabilities (USN-3333-1) (Stack Clash) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0022.NASL description An update of [linux,glibc] packages for PhotonOS has been released. last seen 2019-02-08 modified 2019-02-07 plugin id 111871 published 2018-08-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111871 title Photon OS 1.0: Glibc / Linux PHSA-2017-0022 (deprecated) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2017-845.NASL description An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be jmp last seen 2020-06-01 modified 2020-06-02 plugin id 100874 published 2017-06-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100874 title Amazon Linux AMI : kernel (ALAS-2017-845) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1706-1.NASL description The SUSE Linux Enterprise 11 SP3 kernel was updated to fix the following issues : - A previous security update to address CVE-2017-1000364 caused unintended side-effects in several other tools, most notably Java. These issues have been remedied. 
[bsc#1045340, bsc#1045406] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101082 published 2017-06-28 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101082 title SUSE SLES11 Security Update : kernel (SUSE-SU-2017:1706-1) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1615-1.NASL description The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000364: The default stack guard page was too small and could be last seen 2020-06-01 modified 2020-06-02 plugin id 100914 published 2017-06-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100914 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1615-1) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1941-1.NASL description This update for the Linux Kernel 3.12.69-60_64_32 fixes several issues. The following security bugs were fixed : - CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be last seen 2020-06-01 modified 2020-06-02 plugin id 101943 published 2017-07-25 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/101943 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1941-1) (Stack Clash) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3324-1.NASL description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges. (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 100922 published 2017-06-20 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100922 title Ubuntu 17.04 : linux, linux-meta vulnerabilities (USN-3324-1) (Stack Clash) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-1615-1.NASL description Description of changes: - [3.10.0-514.26.1.0.1.el7.OL7] - [ipc] ipc/sem.c: bugfix for semctl(,,GETZCNT) (Manfred Spraul) [orabug 22552377] - Oracle Linux certificates (Alexey Petrenko) - Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509) last seen 2020-06-01 modified 2020-06-02 plugin id 101138 published 2017-06-30 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/101138 title Oracle Linux 7 : kernel (ELSA-2017-1615-1) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1704-1.NASL description This Linux kernel update for SUSE Linux Enterprise 12 SP1 fixes the following issues : - A previous security update to address CVE-2017-1000364 caused unintended side-effects in several other tools, most notably Java. These issues have been remedied. [bsc#1045340] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101080 published 2017-06-28 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101080 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1704-1) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1613-1.NASL description The SUSE Linux Enterprise 11 SP3 kernel was updated to receive various security fixes. The following security bugs were fixed : - CVE-2017-1000364: The default stack guard page was too small and could be last seen 2020-06-01 modified 2020-06-02 plugin id 100912 published 2017-06-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100912 title SUSE SLES11 Security Update : kernel (SUSE-SU-2017:1613-1) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1922-1.NASL description This update for the Linux Kernel 3.12.60-52_63 fixes several issues. 
The following security bugs were fixed : - CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be last seen 2020-06-01 modified 2020-06-02 plugin id 101926 published 2017-07-24 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101926 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1922-1) (Stack Clash) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-3659.NASL description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s). last seen 2020-06-05 modified 2017-12-14 plugin id 105247 published 2017-12-14 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105247 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3659) (BlueBorne) (Dirty COW) (Stack Clash) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-1483.NASL description An update for kernel is now available for Red Hat Enterprise Linux 5.9 Long Life. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. 
If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) Red Hat would like to thank Qualys Research Labs for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 100893 published 2017-06-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100893 title RHEL 5 : kernel (RHSA-2017:1483) (Stack Clash) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-1484.NASL description From Red Hat Security Advisory 2017:1484 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. 
(CVE-2017-1000364, Important) Red Hat would like to thank Qualys Research Labs for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 100888 published 2017-06-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100888 title Oracle Linux 7 : kernel (ELSA-2017-1484) (Stack Clash) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0115.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - mm: fix new crash in unmapped_area_topdown (Hugh Dickins) [Orabug: 26326143] (CVE-2017-1000364) - mm: larger stack guard gap, between vmas (Hugh Dickins) [Orabug: 26326143] (CVE-2017-1000364) last seen 2020-06-01 modified 2020-06-02 plugin id 101140 published 2017-06-30 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101140 title OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0115) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1944-1.NASL description This update for the Linux Kernel 3.12.69-60_64_35 fixes several issues. The following security bugs were fixed : - CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be last seen 2020-06-01 modified 2020-06-02 plugin id 101946 published 2017-07-25 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101946 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1944-1) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1909-1.NASL description This update for the Linux Kernel 3.12.67-60_64_18 fixes several issues. 
The following security bugs were fixed : - CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be last seen 2020-06-01 modified 2020-06-02 plugin id 101887 published 2017-07-21 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101887 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1909-1) (Stack Clash) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3886.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2017-7487 Li Qiang reported a reference counter leak in the ipxitf_ioctl function which may result in a use-after-free vulnerability, triggerable when an IPX interface is configured. - CVE-2017-7645 Tuomas Haanpää and Matti Kamunen from Synopsys Ltd discovered that the NFSv2 and NFSv3 server implementations are vulnerable to an out-of-bounds memory access issue while processing arbitrarily long arguments sent by NFSv2/NFSv3 RPC clients, leading to a denial of service. - CVE-2017-7895 Ari Kauppi from Synopsys Ltd discovered that the NFSv2 and NFSv3 server implementations do not properly handle payload bounds checking of WRITE requests. A remote attacker with write access to a NFS mount can take advantage of this flaw to read chunks of arbitrary memory from both kernel-space and user-space. - CVE-2017-8064 Arnd Bergmann found that the DVB-USB core misused the device logging system, resulting in a use-after-free vulnerability, with unknown security impact. - CVE-2017-8890 It was discovered that the inet_csk_clone_lock() function allows a remote attacker to cause a double free leading to a denial of service or potentially have other impact. 
- CVE-2017-8924 Johan Hovold found that the io_ti USB serial driver could leak sensitive information if a malicious USB device was connected. - CVE-2017-8925 Johan Hovold found a reference counter leak in the omninet USB serial driver, resulting in a use-after-free vulnerability. This can be triggered by a local user permitted to open tty devices. - CVE-2017-9074 Andrey Konovalov reported that the IPv6 fragmentation implementation could read beyond the end of a packet buffer. A local user or guest VM might be able to use this to leak sensitive information or to cause a denial of service (crash). - CVE-2017-9075 Andrey Konovalov reported that the SCTP/IPv6 implementation wrongly initialised address lists on connected sockets, resulting in a use-after-free vulnerability, a similar issue to CVE-2017-8890. This can be triggered by any local user. - CVE-2017-9076 / CVE-2017-9077 Cong Wang found that the TCP/IPv6 and DCCP/IPv6 implementations wrongly initialised address lists on connected sockets, a similar issue to CVE-2017-9075. - CVE-2017-9242 Andrey Konovalov reported a packet buffer overrun in the IPv6 implementation. A local user could use this for denial of service (memory corruption; crash) and possibly for privilege escalation. - CVE-2017-1000364 The Qualys Research Labs discovered that the size of the stack guard page is not sufficiently large. The stack pointer can jump over the guard page and move from the stack into another memory region without ever touching the guard page. In this case no page-fault exception is raised and the stack extends into the other memory region. An attacker can exploit this flaw for privilege escalation. The default stack gap protection is set to 256 pages (1 MiB with 4 KiB pages) and can be configured via the stack_guard_gap kernel parameter on the kernel command line. 
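The mitigation described above is observable from user space: a fixed kernel refuses to place a new mapping (or to grow the stack) so that less than stack_guard_gap remains between the stack and its lower neighbour, so the distance between the [stack] VMA and the mapping immediately below it in /proc/self/maps should be at least 256 pages unless the gap was lowered on the command line. The following C program is an added example and is not code from this page, from the Qualys advisory or from any distribution; it parses two hand-constructed /proc/<pid>/maps excerpts (one with a single 4 KiB page between stack and neighbour, one with a full 1 MiB) and, when run stand-alone, measures the live gap of its own process. It assumes 4 KiB pages, an x86-64 address layout and the post-fix default of 256 pages; all of these are assumptions, not facts taken from the advisories.

```c
/* Added example (not from the page or any vendor): measure the distance from
 * the nearest mapping below [stack] to the stack itself, the gap the
 * stack_guard_gap mitigation enforces. Assumes 4 KiB pages and the default 256. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_GUARD_GAP_PAGES 256ULL   /* kernel default after the fix (assumed) */

unsigned long long default_guard_gap_bytes(unsigned long long page_size)
{
    return DEFAULT_GUARD_GAP_PAGES * page_size;
}

/* Parse /proc/<pid>/maps text. VMAs are listed in ascending address order,
 * so the line before "[stack]" is the nearest mapping below the stack.
 * Stores stack_start - neighbour_end in *gap; returns 0, or -1 if there is
 * no [stack] line or nothing mapped below it. */
int stack_gap_from_maps(const char *maps, unsigned long long *gap)
{
    unsigned long long prev_end = 0;
    int have_prev = 0;
    const char *line = maps;
    while (line && *line) {
        unsigned long long s, e;
        int consumed = 0;
        /* Fields: start-end perms offset dev inode [pathname] */
        if (sscanf(line, "%llx-%llx %*4s %*llx %*x:%*x %*llu%n",
                   &s, &e, &consumed) == 2) {
            const char *path = line + consumed;
            while (*path == ' ' || *path == '\t')
                path++;
            if (strncmp(path, "[stack]", 7) == 0 &&
                (path[7] == '\n' || path[7] == '\0')) {
                if (!have_prev)
                    return -1;
                *gap = s - prev_end;
                return 0;
            }
            prev_end = e;
            have_prev = 1;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Measured gap, or 0 when it cannot be determined. */
unsigned long long stack_gap_or_zero(const char *maps)
{
    unsigned long long gap = 0;
    return stack_gap_from_maps(maps, &gap) == 0 ? gap : 0;
}

/* 1 when the neighbour is at least guard_gap_bytes away from the stack. */
int gap_meets_guard(unsigned long long gap_bytes, unsigned long long guard_gap_bytes)
{
    return gap_bytes >= guard_gap_bytes;
}

/* Constructed sample, not a real capture: a mapping ends one 4 KiB page below
 * the stack, the pre-fix layout where a single guard page separated the two. */
const char *SAMPLE_ADJACENT =
    "00400000-00401000 r-xp 00000000 08:01 1234 /tmp/demo\n"
    "7ffd2c7ff000-7ffd2c800000 rw-p 00000000 00:00 0 \n"
    "7ffd2c801000-7ffd2c822000 rw-p 00000000 00:00 0 [stack]\n";

/* Constructed sample: nearest mapping a full 1 MiB (256 pages) below [stack]. */
const char *SAMPLE_GAPPED =
    "00400000-00401000 r-xp 00000000 08:01 1234 /tmp/demo\n"
    "7ffd2c700000-7ffd2c701000 rw-p 00000000 00:00 0 \n"
    "7ffd2c801000-7ffd2c822000 rw-p 00000000 00:00 0 [stack]\n";

/* Stand-alone run: report the live gap of this process. */
int main(void)
{
    static char buf[1 << 16];
    unsigned long long gap, guard;
    long page = sysconf(_SC_PAGESIZE);
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f || page <= 0) {
        perror("/proc/self/maps");
        return 1;
    }
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    if (stack_gap_from_maps(buf, &gap) != 0) {
        fputs("no [stack] mapping found\n", stderr);
        return 1;
    }
    guard = default_guard_gap_bytes((unsigned long long)page);
    printf("nearest mapping is %llu bytes (%llu pages) below [stack]; "
           "default guard gap %llu bytes: %s\n", gap, gap / (unsigned long long)page,
           guard, gap_meets_guard(gap, guard) ? "gap enforced" : "smaller than default");
    return 0;
}
```

Two caveats when reading the live number. A distance below 1 MiB does not by itself mean the kernel is unpatched: a process can place a MAP_FIXED mapping inside the gap (the fix stops the stack from growing into it but does not forbid the mapping), and a kernel booted with a smaller stack_guard_gap= legitimately reports less. Conversely a large distance only shows that the kernel-side mitigation is in effect; it says nothing about whether the application still performs the large stack allocations that Stack Clash chains with, which the distributions' advisories above describe as the "other vulnerability" needed for code execution.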
Further details can be found at https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt last seen 2020-06-01 modified 2020-06-02 plugin id 100877 published 2017-06-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100877 title Debian DSA-3886-1 : linux - security update (Stack Clash) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1200.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2016-10208 Sergej Schumilo and Ralf Spenneberg discovered that a crafted ext4 filesystem could trigger memory corruption when it is mounted. A user that can provide a device or filesystem image to be mounted could use this for denial of service (crash or data corruption) or possibly for privilege escalation. CVE-2017-8824 Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-dccp.conf install dccp false CVE-2017-8831 Pengfei Wang discovered that the saa7164 video capture driver re-reads data from a PCI device after validating it. A physically present user able to attach a specially designed PCI device could use this for privilege escalation. CVE-2017-12190 Vitaly Mayatskikh discovered that the block layer did not correctly count page references for raw I/O from user-space. This can be exploited by a guest VM with access to a host SCSI device for denial of service (memory exhaustion) or potentially for privilege escalation. 
CVE-2017-13080 A vulnerability was found in the WPA2 protocol that could lead to reinstallation of the same Group Temporal Key (GTK), which substantially reduces the security of wifi encryption. This is one of the issues collectively known as last seen 2020-03-17 modified 2017-12-11 plugin id 105116 published 2017-12-11 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105116 title Debian DLA-1200-1 : linux security update (KRACK) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-1488.NASL description An update for kernel is now available for Red Hat Enterprise Linux 6.6 Advanced Update Support and Red Hat Enterprise Linux 6.6 Telco Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) * A race condition flaw was found in the N_HDLC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. 
A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) Red Hat would like to thank Qualys Research Labs for reporting CVE-2017-1000364 and Alexander Popov for reporting CVE-2017-2636. Bug Fix(es) : * Previously, the kdump mechanism was trying to get the lock by the vmalloc_sync_all() function during a kernel panic. Consequently, a deadlock occurred, and the crashkernel did not boot. This update fixes the vmalloc_sync_all() function to avoid synchronizing the vmalloc area on the crashing CPU. As a result, the crashkernel parameter now boots as expected, and the kernel dump is collected successfully under the described circumstances. (BZ#1443497) * Previously, a kernel panic occurred when the mcelog daemon executed a huge page memory offline. This update fixes the HugeTLB feature of the Linux kernel to check for the Page Table Entry (PTE) NULL pointer in the page_check_address() function. As a result, the kernel panic no longer occurs under the described circumstances. (BZ#1444349) * Previously, the vmw_pvscsi driver reported most successful aborts as FAILED due to a bug in vmw_pvscsi abort handler. This update fixes the handler, and successful aborts are no longer reported as FAILED. (BZ#1442966) last seen 2020-06-01 modified 2020-06-02 plugin id 100898 published 2017-06-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100898 title RHEL 6 : kernel (RHSA-2017:1488) (Stack Clash) NASL family Junos Local Security Checks NASL id JUNIPER_SPACE_JSA_10826.NASL description According to its self-reported version number, the version of Junos Space running on the remote device is < 17.1R1, and is therefore affected by multiple vulnerabilities. 
last seen 2020-06-01 modified 2020-06-02 plugin id 104100 published 2017-10-23 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104100 title Juniper Junos Space < 17.1R1 Multiple Vulnerabilities (JSA10826) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0022_LINUX.NASL description An update of the linux package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121706 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121706 title Photon OS 1.0: Linux PHSA-2017-0022 NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1508.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - drivers/soc/qcom/qdsp6v2/voice_svc.c in the QDSP6v2 Voice Service driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a write request, as demonstrated by a voice_svc_send_req buffer overflow. (CVE-2016-5343) - A use-after-free flaw was found in the way the Linux kernel last seen 2020-03-19 modified 2019-05-21 plugin id 125301 published 2019-05-21 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125301 title EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1508) NASL family Scientific Linux Local Security Checks NASL id SL_20170619_KERNEL_ON_SL6_X.NASL description Security Fix(es) : - A flaw was found in the way memory was being allocated on the stack for user space binaries. 
If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) last seen 2020-03-18 modified 2017-06-20 plugin id 100905 published 2017-06-20 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100905 title Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20170619) (Stack Clash) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-3609.NASL description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s). last seen 2020-06-01 modified 2020-06-02 plugin id 102773 published 2017-08-25 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102773 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3609) (Stack Clash) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2017-180-01.NASL description New kernel packages are available for Slackware 14.1 to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101115 published 2017-06-30 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/101115 title Slackware 14.1 : Slackware 14.1 kernel (SSA:2017-180-01) (Stack Clash) NASL family Fedora Local Security Checks NASL id FEDORA_2017-D7BC1B3056.NASL description The 4.11.6 update contains a number of important fixes across the tree, including the recently announced last seen 2020-06-05 modified 2017-06-26 plugin id 101037 published 2017-06-26 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101037 title Fedora 25 : kernel (2017-d7bc1b3056) (Stack Clash) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3338-2.NASL description USN-3338-1 fixed vulnerabilities in the Linux kernel. However, the fix for CVE-2017-1000364 introduced regressions for some Java applications. This update addresses the issue. We apologize for the inconvenience. It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges. (CVE-2017-1000364) Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local unprivileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges. (CVE-2016-4997). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101149 published 2017-06-30 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/101149 title Ubuntu 12.04 LTS : linux regression (USN-3338-2) (Stack Clash) NASL family Virtuozzo Local Security Checks NASL id VIRTUOZZO_VZA-2017-055.NASL description According to the version of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerability : - A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101052 published 2017-06-27 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101052 title Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2017-055) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-1486.NASL description An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) Red Hat would like to thank Qualys Research Labs for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 100896 published 2017-06-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100896 title RHEL 6 : kernel (RHSA-2017:1486) (Stack Clash) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2017-184-01.NASL description New kernel packages are available for Slackware 14.0 to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101206 published 2017-07-05 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101206 title Slackware 14.0 : Slackware 14.0 kernel (SSA:2017-184-01) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1924-1.NASL description This update for the Linux Kernel 3.12.61-52_66 fixes several issues. 
The following security bugs were fixed : - CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be last seen 2020-06-01 modified 2020-06-02 plugin id 101927 published 2017-07-24 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101927 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1924-1) (Stack Clash) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1735-1.NASL description This Linux kernel update for SUSE Linux Enterprise 12 fixes the following issues : - A previous security update to address CVE-2017-1000364 caused unintended side-effects in several other tools, most notably Java. These issues have been remedied. [bsc#1045340] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101144 published 2017-06-30 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101144 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1735-1) (Stack Clash) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-1482.NASL description An update for kernel is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. 
Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) Red Hat would like to thank Qualys Research Labs for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 100979 published 2017-06-22 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100979 title RHEL 5 : kernel (RHSA-2017:1482) (Stack Clash)
Packetstorm
data source | https://packetstormsecurity.com/files/download/149804/rsh_stack_clash_priv_esc.rb.txt |
id | PACKETSTORM:149804 |
last seen | 2018-10-16 |
published | 2018-10-15 |
reporter | Brendan Coles |
source | https://packetstormsecurity.com/files/149804/Solaris-RSH-Stack-Clash-Privilege-Escalation.html |
title | Solaris RSH Stack Clash Privilege Escalation |
Redhat
advisories |
rpms |
The Hacker News
id | THN:72D5C1EE790D99032F95F4A094E36BD6 |
last seen | 2018-01-27 |
modified | 2017-06-29 |
published | 2017-06-19 |
reporter | Swati Khandelwal |
source | https://thehackernews.com/2017/06/linux-root-privilege-escalation.html |
title | A Decade Old Unix/Linux/BSD Root Privilege-Escalation Bug Discovered |
References
- http://www.debian.org/security/2017/dsa-3886
- http://www.securityfocus.com/bid/99130
- http://www.securitytracker.com/id/1038724
- https://access.redhat.com/errata/RHSA-2017:1482
- https://access.redhat.com/errata/RHSA-2017:1483
- https://access.redhat.com/errata/RHSA-2017:1484
- https://access.redhat.com/errata/RHSA-2017:1485
- https://access.redhat.com/errata/RHSA-2017:1486
- https://access.redhat.com/errata/RHSA-2017:1487
- https://access.redhat.com/errata/RHSA-2017:1488
- https://access.redhat.com/errata/RHSA-2017:1489
- https://access.redhat.com/errata/RHSA-2017:1490
- https://access.redhat.com/errata/RHSA-2017:1491
- https://access.redhat.com/errata/RHSA-2017:1567
- https://access.redhat.com/errata/RHSA-2017:1616
- https://access.redhat.com/errata/RHSA-2017:1647
- https://access.redhat.com/errata/RHSA-2017:1712
- https://access.redhat.com/security/cve/CVE-2017-1000364
- https://kc.mcafee.com/corporate/index?page=content&id=SB10205
- https://kc.mcafee.com/corporate/index?page=content&id=SB10207
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03800en_us
- https://www.exploit-db.com/exploits/45625/
- https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
- https://www.suse.com/security/cve/CVE-2017-1000364/
- https://www.suse.com/support/kb/doc/?id=7020973