Vulnerabilities > CVE-2017-12193 - NULL Pointer Dereference vulnerability in Linux Kernel
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3507-1.NASL description Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405) Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12193) Eric Biggers discovered that the key management subsystem in the Linux kernel did not properly restrict adding a key that already exists but is uninstantiated. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15299) It was discovered that a NULL pointer dereference error existed in the PowerPC KVM implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-15306) Eric Biggers discovered a race condition in the key management subsystem of the Linux kernel around keys in a negative state. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15951) Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB BOS metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16535) Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 105100 published 2017-12-08 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105100 title Ubuntu 17.10 : linux, linux-raspi2 vulnerabilities (USN-3507-1) (Dirty COW) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3509-3.NASL description USN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. Unfortunately, it also introduced a regression that prevented the Ceph network filesystem from being used. This update fixes the problem. We apologize for the inconvenience. Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405) Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12193) Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 105354 published 2017-12-18 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105354 title Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2 regression (USN-3509-3) (Dirty COW) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3698-1.NASL description It was discovered that the nested KVM implementation in the Linux kernel in some situations did not properly prevent second level guests from reading and writing the hardware CR8 register. A local attacker in a guest could use this to cause a denial of service (system crash). (CVE-2017-12154) Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12193) It was discovered that a race condition existed in the ALSA subsystem of the Linux kernel when creating and deleting a port via ioctl(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15265) It was discovered that a NULL pointer dereference vulnerability existed in the DCCP protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1130) Julian Stecklina and Thomas Prescher discovered that FPU register states (such as MMX, SSE, and AVX registers) which are lazily restored are potentially vulnerable to a side channel attack. A local attacker could use this to expose sensitive information. (CVE-2018-3665) Wang Qize discovered that an information disclosure vulnerability existed in the SMBus driver for ACPI Embedded Controllers in the Linux kernel. A local attacker could use this to expose sensitive information (kernel pointer addresses). (CVE-2018-5750) It was discovered that the SCTP Protocol implementation in the Linux kernel did not properly validate userspace provided payload lengths in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5803) It was discovered that an integer overflow error existed in the futex implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-6927) It was discovered that an information leak vulnerability existed in the floppy driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-7755) It was discovered that a memory leak existed in the SAS driver subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-7757). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 110900 published 2018-07-03 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110900 title Ubuntu 14.04 LTS : linux vulnerabilities (USN-3698-1) NASL family Virtuozzo Local Security Checks NASL id VIRTUOZZO_VZA-2017-101.NASL description According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerability : - A flaw was found in the implementation of associative arrays in the Linux kernel. A null pointer dereference could happen in assoc_array_apply_edit() due to incorrect node splitting. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 104499 published 2017-11-13 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104499 title Virtuozzo 7 : readykernel-patch (VZA-2017-101) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1026.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages.(CVE-2017-16939) - The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.(CVE-2017-12190) - The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations.(CVE-2017-12193) - The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket.(CVE-2017-7542) - The bnep_add_connection function in net/bluetooth/bnep/core.c in the Linux kernel before 3.19 does not ensure that an l2cap socket is available, which allows local users to gain privileges via a crafted application.(CVE-2017-15868) - The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state.(CVE-2017-8824) - net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations, which allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces.(CVE-2017-17448) - The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4, when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net namespace, which allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system.(CVE-2017-17449) - net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces.(CVE-2017-17450) - The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-17558) - The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.(CVE-2017-17805) - The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization.(CVE-2017-17806) - he KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task last seen 2020-06-10 modified 2018-01-19 plugin id 106167 published 2018-01-19 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106167 title EulerOS 2.0 SP2 : kernel (EulerOS-SA-2018-1026) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0017.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - drivers/char/mem.c: deny access in open operation when securelevel is set (Ethan Zhao) [Orabug: 27234850] [Orabug: 27234850] - hugetlb: fix nr_pmds accounting with shared page tables (Kirill A. Shutemov) [Orabug: 26988581] - x86/IBRS: Drop unnecessary WRITE_ONCE (Boris Ostrovsky) [Orabug: 27416198] - x86/IBRS: Don last seen 2020-06-01 modified 2020-06-02 plugin id 106706 published 2018-02-09 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106706 title OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0017) (Meltdown) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3507-2.NASL description Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405) Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12193) Eric Biggers discovered that the key management subsystem in the Linux kernel did not properly restrict adding a key that already exists but is uninstantiated. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15299) It was discovered that a NULL pointer dereference error existed in the PowerPC KVM implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-15306) Eric Biggers discovered a race condition in the key management subsystem of the Linux kernel around keys in a negative state. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15951). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 105101 published 2017-12-08 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105101 title Ubuntu 16.04 LTS : linux-gcp vulnerabilities (USN-3507-2) (Dirty COW) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-3398-1.NASL description The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.103 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000410: The Linux kernel was affected by an information lea that lies in the processing of incoming L2CAP commands - ConfigRequest, and ConfigResponse messages. (bnc#1070535). - CVE-2017-11600: net/xfrm/xfrm_policy.c in the Linux kernel did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bnc#1050231). - CVE-2017-12193: The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel mishandled node splitting, which allowed local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations (bnc#1066192). - CVE-2017-15115: The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel did not check whether the intended netns is used in a peel-off action, which allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls (bnc#1068671). - CVE-2017-16528: sound/core/seq_device.c in the Linux kernel allowed local users to cause a denial of service (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066629). - CVE-2017-16536: The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066606). - CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066573). - CVE-2017-16645: The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel allowed local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067132). - CVE-2017-16646: drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel allowed local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067105). - CVE-2017-16994: The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel mishandled holes in hugetlb ranges, which allowed local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call (bnc#1069996). - CVE-2017-17448: net/netfilter/nfnetlink_cthelper.c in the Linux kernel did not require the CAP_NET_ADMIN capability for new, get, and del operations, which allowed local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces (bnc#1071693). - CVE-2017-17449: The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel did not restrict observations of Netlink messages to a single net namespace, which allowed local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system (bnc#1071694). - CVE-2017-17450: net/netfilter/xt_osf.c in the Linux kernel did not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allowed local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces (bnc#1071695). - CVE-2017-7482: Fixed an overflow when decoding a krb5 principal. (bnc#1046107). - CVE-2017-8824: The dccp_disconnect function in net/dccp/proto.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state (bnc#1070771). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 105460 published 2017-12-26 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105460 title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:3398-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-1390.NASL description The openSUSE Leap 42.2 kernel was updated to 4.4.102 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000405: A bug in the THP CoW support could be used by local attackers to corrupt memory of other processes and cause them to crash (bnc#1069496). - CVE-2017-1000410: The Linux kernel was affected by an information leak in the processing of incoming L2CAP commands - ConfigRequest, and ConfigResponse messages. (bnc#1070535). - CVE-2017-11600: net/xfrm/xfrm_policy.c in the Linux kernel did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bnc#1050231). - CVE-2017-12193: The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel mishandled node splitting, which allowed local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations (bnc#1066192). - CVE-2017-15115: The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel did not check whether the intended netns is used in a peel-off action, which allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls (bnc#1068671). - CVE-2017-16528: sound/core/seq_device.c in the Linux kernel allowed local users to cause a denial of service (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066629). - CVE-2017-16536: The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066606). - CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066573). - CVE-2017-16645: The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel allowed local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067132). - CVE-2017-16646: drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel allowed local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067105). - CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bnc#1069702). - CVE-2017-16994: The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel mishandled holes in hugetlb ranges, which allowed local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call (bnc#1069996). - CVE-2017-17448: net/netfilter/nfnetlink_cthelper.c in the Linux kernel did not require the CAP_NET_ADMIN capability for new, get, and del operations, which allowed local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces (bnc#1071693). - CVE-2017-17449: The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel did not restrict observations of Netlink messages to a single net namespace, which allowed local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system (bnc#1071694). - CVE-2017-17450: net/netfilter/xt_osf.c in the Linux kernel did not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allowed local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces (bnc#1071695). - CVE-2017-7482: Fixed an overflow when decoding a krb5 principal. (bnc#1046107). - CVE-2017-8824: The dccp_disconnect function in net/dccp/proto.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state (bnc#1070771). The following non-security bugs were fixed : - adm80211: return an error if adm8211_alloc_rings() fails (bsc#1031717). - adv7604: Initialize drive strength to default when using DT (bnc#1012382). - af_netlink: ensure that NLMSG_DONE never fails in dumps (bnc#1012382). - alsa: caiaq: Fix stray URB at probe error path (bnc#1012382). - alsa: hda: Add Raven PCI ID (bnc#1012382). - alsa: hda - Apply ALC269_FIXUP_NO_SHUTUP on HDA_FIXUP_ACT_PROBE (bnc#1012382). - alsa: hda/ca0132 - Fix memory leak at error path (bsc#1031717). - alsa: hda - fix headset mic problem for Dell machines with alc236 (bnc#1012382). - alsa: hda - No loopback on ALC299 codec (git-fixes). - alsa: hda/realtek: Add headset mic support for Intel NUC Skull Canyon (bsc#1031717). - alsa: hda/realtek - Add new codec ID ALC299 (bnc#1012382). - alsa: hda/realtek - Add support for ALC236/ALC3204 (bnc#1012382). - alsa: hda/realtek - Fix ALC700 family no sound issue (bsc#1031717). - alsa: hda: Remove superfluous last seen 2020-06-05 modified 2017-12-18 plugin id 105344 published 2017-12-18 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105344 title openSUSE Security Update : the Linux Kernel (openSUSE-2017-1390) (Dirty COW) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-3249-1.NASL description The SUSE Linux Enterprise 12 kernel was updated to 3.12.61 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bnc#1069702 1069708). - CVE-2017-1000405: The Linux Kernel had a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() could be reached by get_user_pages(). In such case, the pmd would become dirty. This scenario breaks the new can_follow_write_pmd() last seen 2020-06-01 modified 2020-06-02 plugin id 105150 published 2017-12-11 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105150 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3249-1) (Dirty COW) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-3210-1.NASL description The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages. (bnc#1069702) - CVE-2017-1000405: mm, thp: do not dirty huge pages on read fault (bnc#1069496). - CVE-2017-16649: The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel allowed local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. (bnc#1067085) - CVE-2014-0038: The compat_sys_recvmmsg function in net/compat.c, when CONFIG_X86_X32 is enabled, allowed local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter (bnc#860993). - CVE-2017-16650: The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel allowed local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. (bnc#1067086) - CVE-2017-16535: The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. (bnc#1066700) - CVE-2017-15102: The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel allowed local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference. (bnc#1066705) - CVE-2017-16531: drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor. (bnc#1066671) - CVE-2017-12193: The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel mishandled node splitting, which allowed local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations. (bnc#1066192) - CVE-2017-16529: The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. (bnc#1066650) - CVE-2017-16525: The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup. (bnc#1066618) - CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. (bnc#1066573) - CVE-2017-16536: The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. (bnc#1066606) - CVE-2017-16527: sound/usb/mixer.c in the Linux kernel allowed local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. (bnc#1066625) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 105020 published 2017-12-05 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105020 title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3210-1) (Dirty COW) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4025.NASL description Description of changes: [4.1.12-112.14.14.el7uek] - drivers/char/mem.c: deny access in open operation when securelevel is set (Ethan Zhao) [Orabug: 27234850] [Orabug: 27234850] - hugetlb: fix nr_pmds accounting with shared page tables (Kirill A. Shutemov) [Orabug: 26988581] - x86/IBRS: Drop unnecessary WRITE_ONCE (Boris Ostrovsky) [Orabug: 27416198] - x86/IBRS: Don last seen 2020-06-01 modified 2020-06-02 plugin id 106670 published 2018-02-08 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106670 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4025) (Meltdown) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0014_KERNEL.NASL description The remote NewStart CGSL host, running version MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - A flaw was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 127165 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127165 title NewStart CGSL MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0014) NASL family Fedora Local Security Checks NASL id FEDORA_2017-38B37120A2.NASL description The 4.13.11 update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-11-08 plugin id 104444 published 2017-11-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104444 title Fedora 25 : kernel (2017-38b37120a2) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1523.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The snd_msndmidi_input_read function in sound/isa/msnd/msnd_midi.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a last seen 2020-03-19 modified 2019-05-14 plugin id 124976 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124976 title EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1523) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3509-4.NASL description USN-3509-2 fixed vulnerabilities in the Linux Hardware Enablement kernel for Ubuntu 14.04 LTS. Unfortunately, it also introduced a regression that prevented the Ceph network filesystem from being used. This update fixes the problem. We apologize for the inconvenience. Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405) Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12193) Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 105355 published 2017-12-18 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105355 title Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws regression (USN-3509-4) (Dirty COW) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-0181.NASL description An update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * A flaw was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 106525 published 2018-01-31 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106525 title RHEL 6 : kernel-rt (RHSA-2018:0181) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-1391.NASL description The openSUSE Leap 42.3 kernel was updated to 4.4.103 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000405: A bug in the THP CoW support could be used by local attackers to corrupt memory of other processes and cause them to crash (bnc#1069496). - CVE-2017-1000410: The Linux kernel was affected by a vulnerability lies in the processing of incoming L2CAP commands - ConfigRequest, and ConfigResponse messages. This info leak is a result of uninitialized stack variables that may be returned to an attacker in their uninitialized state. (bnc#1070535). - CVE-2017-11600: net/xfrm/xfrm_policy.c in the Linux kernel did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bnc#1050231). - CVE-2017-12193: The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel mishandled node splitting, which allowed local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations (bnc#1066192). - CVE-2017-15115: The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel did not check whether the intended netns is used in a peel-off action, which allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls (bnc#1068671). - CVE-2017-16528: sound/core/seq_device.c in the Linux kernel allowed local users to cause a denial of service (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066629). - CVE-2017-16536: The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066606). - CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066573). - CVE-2017-16645: The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel allowed local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067132). - CVE-2017-16646: drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel allowed local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067105). - CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bnc#1069702). - CVE-2017-16994: The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel mishandled holes in hugetlb ranges, which allowed local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call (bnc#1069996). - CVE-2017-17448: net/netfilter/nfnetlink_cthelper.c in the Linux kernel did not require the CAP_NET_ADMIN capability for new, get, and del operations, which allowed local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces (bnc#1071693). - CVE-2017-17449: The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel did not restrict observations of Netlink messages to a single net namespace, which allowed local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system (bnc#1071694). - CVE-2017-17450: net/netfilter/xt_osf.c in the Linux kernel did not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allowed local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces (bnc#1071695). - CVE-2017-7482: Fixed an overflow when decoding a krb5 principal. (bnc#1046107). - CVE-2017-8824: The dccp_disconnect function in net/dccp/proto.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state (bnc#1070771). The following non-security bugs were fixed : - acpi / apd: Add clock frequency for ThunderX2 I2C controller (bsc#1067225). - Add references (bsc#1062941, bsc#1037404, bsc#1012523, bsc#1038299) The scsi_devinfo patches are relevant for all bugs related to HITACHI OPEN-V. - adm80211: return an error if adm8211_alloc_rings() fails (bsc#1031717). - adv7604: Initialize drive strength to default when using DT (bnc#1012382). - af_netlink: ensure that NLMSG_DONE never fails in dumps (bnc#1012382). - alsa: caiaq: Fix stray URB at probe error path (bnc#1012382). - alsa: hda: Abort capability probe at invalid register read (bsc#1048356). - alsa: hda: Add Raven PCI ID (bnc#1012382). - alsa: hda - Apply ALC269_FIXUP_NO_SHUTUP on HDA_FIXUP_ACT_PROBE (bnc#1012382). - alsa: hda/ca0132 - Fix memory leak at error path (bsc#1031717). - alsa: hda - fix headset mic problem for Dell machines with alc236 (bnc#1012382). - alsa: hda - No loopback on ALC299 codec (git-fixes). - alsa: hda/realtek: Add headset mic support for Intel NUC Skull Canyon (bsc#1031717). - alsa: hda/realtek - Add new codec ID ALC299 (bnc#1012382). - alsa: hda/realtek - Add support for ALC236/ALC3204 (bnc#1012382). - alsa: hda/realtek - Fix ALC700 family no sound issue (bsc#1031717). - alsa: hda: Remove superfluous last seen 2020-06-05 modified 2017-12-19 plugin id 105364 published 2017-12-19 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105364 title openSUSE Security Update : the Linux Kernel (openSUSE-2017-1391) (Dirty COW) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0035.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0035 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 109158 published 2018-04-19 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109158 title OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0035) (Dirty COW) (Meltdown) (Spectre) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-0151.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Note: This issue is present in hardware and cannot be fully fixed via software update. The updated kernel packages provide software mitigation for this hardware issue at a cost of potential performance penalty. Please refer to References section for further information about this issue and the performance impact. In this update initial mitigations for IBM Power (PowerPC) and IBM zSeries (S390) architectures are provided. * Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor last seen 2020-06-01 modified 2020-06-02 plugin id 106330 published 2018-01-25 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106330 title RHEL 7 : kernel (RHSA-2018:0151) (Meltdown) (Spectre) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4071.NASL description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s). last seen 2020-06-01 modified 2020-06-02 plugin id 109156 published 2018-04-19 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109156 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4071) (Dirty COW) (Meltdown) (Spectre) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2018-0151.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Note: This issue is present in hardware and cannot be fully fixed via software update. The updated kernel packages provide software mitigation for this hardware issue at a cost of potential performance penalty. Please refer to References section for further information about this issue and the performance impact. In this update initial mitigations for IBM Power (PowerPC) and IBM zSeries (S390) architectures are provided. * Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor last seen 2020-06-01 modified 2020-06-02 plugin id 106353 published 2018-01-26 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106353 title CentOS 7 : kernel (CESA-2018:0151) (Meltdown) (Spectre) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3509-2.NASL description USN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405) Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12193) Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 105105 published 2017-12-08 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105105 title Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3509-2) (Dirty COW) NASL family Virtuozzo Local Security Checks NASL id VIRTUOZZO_VZA-2017-102.NASL description According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerability : - A flaw was found in the implementation of associative arrays in the Linux kernel. A null pointer dereference could happen in assoc_array_apply_edit() due to incorrect node splitting. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 104500 published 2017-11-13 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104500 title Virtuozzo 7 : readykernel-patch (VZA-2017-102) NASL family Scientific Linux Local Security Checks NASL id SL_20180125_KERNEL_ON_SL7_X.NASL description Security Fix(es) : An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Note: This issue is present in hardware and cannot be fully fixed via software update. The updated kernel packages provide software mitigation for this hardware issue at a cost of potential performance penalty. * Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor last seen 2020-03-18 modified 2018-01-25 plugin id 106340 published 2018-01-25 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106340 title Scientific Linux Security Update : kernel on SL7.x x86_64 (20180125) (Meltdown) (Spectre) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-3410-1.NASL description The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.103 to receive various security and bugfixes. This update enables SMB encryption in the CIFS support in the Linux Kernel (fate#324404) The following security bugs were fixed : - CVE-2017-1000410: The Linux kernel was affected by an information leak in the processing of incoming L2CAP commands - ConfigRequest, and ConfigResponse messages. (bnc#1070535). - CVE-2017-11600: net/xfrm/xfrm_policy.c in the Linux kernel did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bnc#1050231). - CVE-2017-12193: The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel mishandled node splitting, which allowed local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations (bnc#1066192). - CVE-2017-15115: The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel did not check whether the intended netns is used in a peel-off action, which allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls (bnc#1068671). - CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c (bnc#1062520). - CVE-2017-16528: sound/core/seq_device.c in the Linux kernel allowed local users to cause a denial of service (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066629). - CVE-2017-16536: The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066606). - CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066573). - CVE-2017-16645: The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel allowed local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067132). - CVE-2017-16646: drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel allowed local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067105). - CVE-2017-16994: The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel mishandled holes in hugetlb ranges, which allowed local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call (bnc#1069996). - CVE-2017-17448: net/netfilter/nfnetlink_cthelper.c in the Linux kernel did not require the CAP_NET_ADMIN capability for new, get, and del operations, which allowed local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces (bnc#1071693). - CVE-2017-17449: The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4, when CONFIG_NLMON is enabled, did not restrict observations of Netlink messages to a single net namespace, which allowed local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system (bnc#1071694). - CVE-2017-17450: net/netfilter/xt_osf.c in the Linux kernel did not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allowed local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces (bnc#1071695). - CVE-2017-7482: Fixed an overflow when decoding a krb5 principal. (bnc#1046107). - CVE-2017-8824: The dccp_disconnect function in net/dccp/proto.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state (bnc#1070771). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 105461 published 2017-12-26 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105461 title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:3410-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1318.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space.(CVE-2017-1000410) - The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations.(CVE-2017-12193) - The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.(CVE-2017-12190) - The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference.(CVE-2017-15102) - The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls.(CVE-2017-15115) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-12-07 plugin id 105046 published 2017-12-07 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105046 title EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1318) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1499.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in last seen 2020-04-03 modified 2019-05-13 plugin id 124822 published 2019-05-13 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124822 title EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1499) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3509-1.NASL description Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405) Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12193) Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 105104 published 2017-12-08 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105104 title Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3509-1) (Dirty COW) NASL family Fedora Local Security Checks NASL id FEDORA_2017-EF58CBDE27.NASL description The 4.13.11 update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-01-15 plugin id 105996 published 2018-01-15 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105996 title Fedora 27 : kernel (2017-ef58cbde27) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2017-925.NASL description Incorrect updates of uninstantiated keys crash the kernel A vulnerability was found in the key management subsystem of the Linux kernel. An update on an uninstantiated key could cause a kernel panic, leading to denial of service (DoS). (CVE-2017-15299) Memory leak when merging buffers in SCSI IO vectors It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in last seen 2020-06-01 modified 2020-06-02 plugin id 104707 published 2017-11-21 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/104707 title Amazon Linux AMI : kernel (ALAS-2017-925) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-0152.NASL description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * A flaw was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 106331 published 2018-01-25 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106331 title RHEL 7 : kernel-rt (RHSA-2018:0152) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-0151.NASL description From Red Hat Security Advisory 2018:0151 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Note: This issue is present in hardware and cannot be fully fixed via software update. The updated kernel packages provide software mitigation for this hardware issue at a cost of potential performance penalty. Please refer to References section for further information about this issue and the performance impact. In this update initial mitigations for IBM Power (PowerPC) and IBM zSeries (S390) architectures are provided. * Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor last seen 2020-06-01 modified 2020-06-02 plugin id 106364 published 2018-01-26 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106364 title Oracle Linux 7 : kernel (ELSA-2018-0151) (Meltdown) (Spectre) NASL family Fedora Local Security Checks NASL id FEDORA_2017-9FBB35AEDA.NASL description The 4.13.11 update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-11-08 plugin id 104448 published 2017-11-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104448 title Fedora 26 : kernel (2017-9fbb35aeda)
Redhat
| advisories |
| ||||
| rpms |
|
References
- https://github.com/torvalds/linux/commit/ea6789980fdaa610d7eb63602c746bf6ec70cd2b
- https://bugzilla.redhat.com/show_bug.cgi?id=1501215
- http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.11
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ea6789980fdaa610d7eb63602c746bf6ec70cd2b
- http://www.securityfocus.com/bid/101678
- https://access.redhat.com/errata/RHSA-2018:0151
- https://usn.ubuntu.com/3698-2/
- https://usn.ubuntu.com/3698-1/