Vulnerabilities > CVE-2017-17741 - Out-of-bounds Read vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
The KVM implementation in the Linux kernel through 4.14.7 allows attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overread Buffers An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-1287-1.NASL description The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes. Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331) CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS) CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS) CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS) CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM) This kernel update contains software mitigations for these issues, which also utilize CPU microcode updates shipped in parallel. For more information on this set of information leaks, check out https://www.suse.com/support/kb/doc/?id=7023736 The following security bugs were fixed: CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network could use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service. (bnc#1096748). CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol. (bnc#1096748). CVE-2016-8636: Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c allowed local users to cause a denial of service (memory corruption), obtain sensitive information or possibly have unspecified other impact via a write or read request involving the last seen 2020-06-01 modified 2020-06-02 plugin id 125282 published 2019-05-20 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125282 title SUSE SLES12 Security Update : kernel (SUSE-SU-2019:1287-1) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0525-1.NASL description The SUSE Linux Enterprise 12 SP1 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bnc#1068032). The previous fix using CPU Microcode has been complemented by building the Linux Kernel with return trampolines aka last seen 2020-06-01 modified 2020-06-02 plugin id 106967 published 2018-02-23 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106967 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0525-1) (Spectre) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-1_0-0102.NASL description An update of 'linux' packages of Photon OS has been released. last seen 2019-02-08 modified 2019-02-07 plugin id 111914 published 2018-08-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111914 title Photon OS 1.0: Linux PHSA-2018-1.0-0102 (deprecated) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3617-2.NASL description USN-3617-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS. It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the ASIX Ethernet USB driver in the Linux kernel did not properly handle suspend and resume events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16647) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a tasks last seen 2020-06-01 modified 2020-06-02 plugin id 108835 published 2018-04-04 reporter Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108835 title Ubuntu 16.04 LTS : linux-hwe, linux-gcp, linux-oem vulnerabilities (USN-3617-2) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4073.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2017-8824 Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it:echo >> /etc/modprobe.d/disable-dccp.conf install dccp false - CVE-2017-16538 Andrey Konovalov reported that the dvb-usb-lmedm04 media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). - CVE-2017-16644 Andrey Konovalov reported that the hdpvr media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). - CVE-2017-16995 Jann Horn discovered that the Extended BPF verifier did not correctly model the behaviour of 32-bit load instructions. A local user can use this for privilege escalation. - CVE-2017-17448 Kevin Cernekee discovered that the netfilter subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace, not just the root namespace, to enable and disable connection tracking helpers. This could lead to denial of service, violation of network security policy, or have other impact. - CVE-2017-17449 Kevin Cernekee discovered that the netlink subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace to monitor netlink traffic in all net namespaces, not just those owned by that user namespace. This could lead to exposure of sensitive information. - CVE-2017-17450 Kevin Cernekee discovered that the xt_osf module allowed users with the CAP_NET_ADMIN capability in any user namespace to modify the global OS fingerprint list. - CVE-2017-17558 Andrey Konovalov reported that that USB core did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation. - CVE-2017-17712 Mohamed Ghannam discovered a race condition in the IPv4 raw socket implementation. A local user could use this to obtain sensitive information from the kernel. - CVE-2017-17741 Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash). - CVE-2017-17805 It was discovered that some implementations of the Salsa20 block cipher did not correctly handle zero-length input. A local user could use this to cause a denial of service (crash) or possibly have other security impact. - CVE-2017-17806 It was discovered that the HMAC implementation could be used with an underlying hash algorithm that requires a key, which was not intended. A local user could use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation. - CVE-2017-17807 Eric Biggers discovered that the KEYS subsystem lacked a check for write permission when adding keys to a process last seen 2020-06-01 modified 2020-06-02 plugin id 105433 published 2017-12-26 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105433 title Debian DSA-4073-1 : linux - security update NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-956.NASL description Kernel address information leak in drivers/acpi/sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel, through 4.14.15, allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.(CVE-2018-5750) Improper sorting of GIDs in nfsd can lead to incorrect permissions being applied Linux kernel contains a Incorrect Access Control vulnerability in NFS server (nfsd) that can result in remote users reading or writing files they should not be able to via NFS. This attack appear to be exploitable via NFS server must export a filesystem with the last seen 2020-06-01 modified 2020-06-02 plugin id 106933 published 2018-02-22 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106933 title Amazon Linux AMI : kernel (ALAS-2018-956) (Dirty COW) (Spectre) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3632-1.NASL description It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task last seen 2020-06-01 modified 2020-06-02 plugin id 109316 published 2018-04-24 reporter Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109316 title Ubuntu 16.04 LTS : linux-azure vulnerabilities (USN-3632-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3617-3.NASL description It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the ASIX Ethernet USB driver in the Linux kernel did not properly handle suspend and resume events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16647) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a tasks last seen 2020-06-01 modified 2020-06-02 plugin id 108840 published 2018-04-05 reporter Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108840 title Ubuntu 17.10 : linux-raspi2 vulnerabilities (USN-3617-3) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0437-1.NASL description The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bnc#1068032). The previous fix using CPU Microcode has been complemented by building the Linux Kernel with return trampolines aka last seen 2020-06-01 modified 2020-06-02 plugin id 106815 published 2018-02-14 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106815 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0437-1) (Spectre) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1450.NASL description According to the versions of the kvm package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The msr_mtrr_valid function in arch/x86/kvm/mtrr.c in the Linux kernel before 4.6.1 supports MSR 0x2f8, which allows guest OS users to read or write to the kvm_arch_vcpu data structure, and consequently obtain sensitive information or cause a denial of service (system crash), via a crafted ioctl call.(CVE-2016-3713) - Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to a null pointer dereference flaw. It could occur on x86 platform, when emulating an undefined instruction. An attacker could use this flaw to crash the host kernel resulting in DoS.(CVE-2016-8630) - Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support was vulnerable to an incorrect segment selector(SS) value error. The error could occur while loading values into the SS register in long mode. A user or process inside a guest could use this flaw to crash the guest, resulting in DoS or potentially escalate their privileges inside the guest.(CVE-2017-2583) - arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free) via a crafted application that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt.(CVE-2017-2584) - A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation(CONFIG_KVM) support with Virtual Function I/O feature (CONFIG_VFIO) enabled. This failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (i1/4z1024) index value.(CVE-2017-1000252) - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor last seen 2020-03-19 modified 2019-05-14 plugin id 124953 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124953 title EulerOS Virtualization 3.0.1.0 : kvm (EulerOS-SA-2019-1450) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4164.NASL description Description of changes: kernel-uek kernel-uek [3.8.13-118.22.1.el7uek] - dm: fix race between dm_get_from_kobject() and __dm_destroy() (Hou Tao) {CVE-2017-18203} - drm: udl: Properly check framebuffer mmap offsets (Greg Kroah-Hartman) [Orabug: 27986407] {CVE-2018-8781} - kernel/exit.c: avoid undefined behaviour when calling wait4() wait4(-2147483648, 0x20, 0, 0xdd0000) triggers: UBSAN: Undefined behaviour in kernel/exit.c:1651:9 (mridula shastry) [Orabug: 27875488] {CVE-2018-10087} - kernel/signal.c: avoid undefined behaviour in kill_something_info When running kill(72057458746458112, 0) in userspace I hit the following issue. (mridula shastry) {CVE-2018-10124} - bluetooth: Validate socket address length in sco_sock_bind(). (mlevatic) [Orabug: 28130293] {CVE-2015-8575} - dccp: check sk for closed state in dccp_sendmsg() (Alexey Kodanev) [Orabug: 28220402] {CVE-2017-8824} {CVE-2018-1130} - sctp: verify size of a new chunk in _sctp_make_chunk() (Alexey Kodanev) [Orabug: 28240075] {CVE-2018-5803} - mm/mempolicy.c: fix error handling in set_mempolicy and mbind. (Chris Salls) [Orabug: 28242478] {CVE-2017-7616} - xfrm: policy: check policy direction value (Vladis Dronov) [Orabug: 28264121] {CVE-2017-11600} {CVE-2017-11600} - x86/fpu: Make eager FPU default (Mihai Carabas) [Orabug: 28156176] {CVE-2018-3665} - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li) [Orabug: 27951287] {CVE-2017-17741} {CVE-2017-17741} - xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug: 27989498] {CVE-2018-10323} - Bluetooth: Prevent stack info leak from the EFS element. (Ben Seri) [Orabug: 28030520] {CVE-2017-1000410} {CVE-2017-1000410} - ALSA: hrtimer: Fix stall by hrtimer_cancel() (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2549} - ALSA: timer: Harden slave timer list handling (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2547} {CVE-2016-2548} - ALSA: timer: Fix double unlink of active_list (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2545} - ALSA: seq: Fix missing NULL check at remove_events ioctl (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2543} - ALSA: seq: Fix race at timer setup and close (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2544} - ALSA: usb-audio: avoid freeing umidi object twice (Andrey Konovalov) [Orabug: 28058229] {CVE-2016-2384} - perf/hwbp: Simplify the perf-hwbp code, fix documentation (Linus Torvalds) [Orabug: 27947608] {CVE-2018-1000199} - Revert last seen 2020-06-01 modified 2020-06-02 plugin id 110998 published 2018-07-11 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110998 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4164) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0015.NASL description An update of {'linux'} packages of Photon OS has been released. last seen 2019-02-08 modified 2019-02-07 plugin id 111285 published 2018-07-24 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111285 title Photon OS 2.0 : linux (PhotonOS-PHSA-2018-2.0-0015) (deprecated) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3617-1.NASL description It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the ASIX Ethernet USB driver in the Linux kernel did not properly handle suspend and resume events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16647) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a tasks last seen 2020-06-01 modified 2020-06-02 plugin id 108834 published 2018-04-04 reporter Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108834 title Ubuntu 17.10 : linux vulnerabilities (USN-3617-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1772-1.NASL description The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.136 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the last seen 2020-06-01 modified 2020-06-02 plugin id 110660 published 2018-06-22 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110660 title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:1772-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0555-1.NASL description The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bnc#1068032). The previous fix using CPU Microcode has been complemented by building the Linux Kernel with return trampolines aka last seen 2020-06-01 modified 2020-06-02 plugin id 107055 published 2018-02-28 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107055 title SUSE SLES11 Security Update : kernel (SUSE-SU-2018:0555-1) (Meltdown) (Spectre) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0231.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - x86/fpu: Make eager FPU default (Mihai Carabas) [Orabug: 28156176] (CVE-2018-3665) - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li) [Orabug: 27951287] (CVE-2017-17741) (CVE-2017-17741) - xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug: 27989498] (CVE-2018-10323) - Bluetooth: Prevent stack info leak from the EFS element. (Ben Seri) [Orabug: 28030520] (CVE-2017-1000410) (CVE-2017-1000410) - ALSA: hrtimer: Fix stall by hrtimer_cancel (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2549) - ALSA: timer: Harden slave timer list handling (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2547) (CVE-2016-2548) - ALSA: timer: Fix double unlink of active_list (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2545) - ALSA: seq: Fix missing NULL check at remove_events ioctl (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2543) - ALSA: seq: Fix race at timer setup and close (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2544) - ALSA: usb-audio: avoid freeing umidi object twice (Andrey Konovalov) [Orabug: 28058229] (CVE-2016-2384) - perf/hwbp: Simplify the perf-hwbp code, fix documentation (Linus Torvalds) [Orabug: 27947608] (CVE-2018-1000199) - Revert last seen 2020-06-01 modified 2020-06-02 plugin id 110581 published 2018-06-18 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110581 title OracleVM 3.3 : Unbreakable / etc (OVMSA-2018-0231) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3620-1.NASL description It was discovered that the netlink 802.11 configuration interface in the Linux kernel did not properly validate some attributes passed from userspace. A local attacker with the CAP_NET_ADMIN privilege could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11089) It was discovered that a buffer overflow existed in the ioctl handling code in the ISDN subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-12762) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task last seen 2020-06-01 modified 2020-06-02 plugin id 108843 published 2018-04-05 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108843 title Ubuntu 14.04 LTS : linux vulnerabilities (USN-3620-1) NASL family Fedora Local Security Checks NASL id FEDORA_2017-7810B7C59F.NASL description The 4.14.8 stable kernel update contains a number of important fixes across the tree. ---- The 4.14.7 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-12-26 plugin id 105447 published 2017-12-26 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105447 title Fedora 26 : kernel (2017-7810b7c59f) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4108.NASL description Description of changes: [4.1.12-124.15.1.el7uek] - netfilter: nfnetlink_cthelper: Add missing permission checks (Kevin Cernekee) [Orabug: 27260771] {CVE-2017-17448} - netlink: Add netns check on taps (Kevin Cernekee) [Orabug: 27260799] {CVE-2017-17449} - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li) [Orabug: 27290606] {CVE-2017-17741} {CVE-2017-17741} - xprtrdma: Detect unreachable NFS/RDMA servers more reliably (Chuck Lever) [Orabug: 27587008] - sunrpc: Export xprt_force_disconnect() (Chuck Lever) [Orabug: 27587008] - sunrpc: Allow xprt->ops->timer method to sleep (Chuck Lever) [Orabug: 27587008] - KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit (Haozhong Zhang) [Orabug: 27720128] - x86/microcode: probe CPU features on microcode update (Ankur Arora) [Orabug: 27878230] - x86/microcode: microcode_write() should not reference boot_cpu_data (Ankur Arora) [Orabug: 27878230] - x86/cpufeatures: use cpu_data in init_scattered_cpuid_flags() (Ankur Arora) [Orabug: 27878230] - mm/pagewalk.c: report holes in hugetlb ranges (Jann Horn) [Orabug: 27913118] {CVE-2017-16994} - KEYS: don last seen 2020-06-01 modified 2020-06-02 plugin id 109828 published 2018-05-16 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109828 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4108) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0015_LINUX.NASL description An update of the linux package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121914 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121914 title Photon OS 2.0: Linux PHSA-2018-2.0-0015 NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0237.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - dm: fix race between dm_get_from_kobject and __dm_destroy (Hou Tao) (CVE-2017-18203) - drm: udl: Properly check framebuffer mmap offsets (Greg Kroah-Hartman) [Orabug: 27986407] (CVE-2018-8781) - kernel/exit.c: avoid undefined behaviour when calling wait4 wait4(-2147483648, 0x20, 0, 0xdd0000) triggers: UBSAN: Undefined behaviour in kernel/exit.c:1651:9 (mridula shastry) [Orabug: 27875488] (CVE-2018-10087) - kernel/signal.c: avoid undefined behaviour in kill_something_info When running kill(72057458746458112, 0) in userspace I hit the following issue. (mridula shastry) (CVE-2018-10124) - bluetooth: Validate socket address length in sco_sock_bind. (mlevatic) [Orabug: 28130293] (CVE-2015-8575) - dccp: check sk for closed state in dccp_sendmsg (Alexey Kodanev) [Orabug: 28220402] (CVE-2017-8824) (CVE-2018-1130) - sctp: verify size of a new chunk in _sctp_make_chunk (Alexey Kodanev) [Orabug: 28240075] (CVE-2018-5803) - mm/mempolicy.c: fix error handling in set_mempolicy and mbind. (Chris Salls) [Orabug: 28242478] (CVE-2017-7616) - xfrm: policy: check policy direction value (Vladis Dronov) [Orabug: 28264121] (CVE-2017-11600) (CVE-2017-11600) - x86/fpu: Make eager FPU default (Mihai Carabas) [Orabug: 28156176] (CVE-2018-3665) - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li) [Orabug: 27951287] (CVE-2017-17741) (CVE-2017-17741) - xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug: 27989498] (CVE-2018-10323) - Bluetooth: Prevent stack info leak from the EFS element. (Ben Seri) [Orabug: 28030520] (CVE-2017-1000410) (CVE-2017-1000410) - ALSA: hrtimer: Fix stall by hrtimer_cancel (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2549) - ALSA: timer: Harden slave timer list handling (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2547) (CVE-2016-2548) - ALSA: timer: Fix double unlink of active_list (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2545) - ALSA: seq: Fix missing NULL check at remove_events ioctl (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2543) - ALSA: seq: Fix race at timer setup and close (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2544) - ALSA: usb-audio: avoid freeing umidi object twice (Andrey Konovalov) [Orabug: 28058229] (CVE-2016-2384) - perf/hwbp: Simplify the perf-hwbp code, fix documentation (Linus Torvalds) [Orabug: 27947608] (CVE-2018-1000199) - Revert last seen 2020-06-01 modified 2020-06-02 plugin id 111022 published 2018-07-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111022 title OracleVM 3.3 : Unbreakable / etc (OVMSA-2018-0237) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3619-2.NASL description USN-3619-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16995) It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses). (CVE-2017-11472) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) It was discovered that the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel contained a use-after-free when handling device removal. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16528) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911) It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912) It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913) It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16914) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task last seen 2020-06-01 modified 2020-06-02 plugin id 108878 published 2018-04-06 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108878 title Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3619-2) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-656.NASL description The openSUSE Leap 42.3 was updated to 4.4.138 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3639: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4 (bsc#1085308 bsc#1087082) This update improves the previous Spectre Variant 4 fixes and also mitigates them on the ARM architecture. - CVE-2018-3665: The FPU state and registers of x86 CPUs were saved and restored in a lazy fashion, which opened its disclosure by speculative side channel attacks. This has been fixed by replacing the lazy save/restore by eager saving and restoring (bnc#1087086) - CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the last seen 2020-06-05 modified 2018-06-22 plugin id 110658 published 2018-06-22 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110658 title openSUSE Security Update : the Linux Kernel (openSUSE-2018-656) (Spectre) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3619-1.NASL description Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16995) It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses). (CVE-2017-11472) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) It was discovered that the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel contained a use-after-free when handling device removal. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16528) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911) It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912) It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913) It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16914) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task last seen 2020-06-01 modified 2020-06-02 plugin id 108842 published 2018-04-05 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108842 title Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3619-1) NASL family Fedora Local Security Checks NASL id FEDORA_2017-1EBB87E7C0.NASL description The 4.14.8 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-01-15 plugin id 105830 published 2018-01-15 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105830 title Fedora 27 : kernel (2017-1ebb87e7c0) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4134.NASL description Description of changes: kernel-uek [3.8.13-118.21.4.el7uek] - x86/fpu: Make eager FPU default (Mihai Carabas) [Orabug: 28156176] {CVE-2018-3665} [3.8.13-118.21.3.el7uek] - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li) [Orabug: 27951287] {CVE-2017-17741} {CVE-2017-17741} - xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug: 27989498] {CVE-2018-10323} - Bluetooth: Prevent stack info leak from the EFS element. (Ben Seri) [Orabug: 28030520] {CVE-2017-1000410} {CVE-2017-1000410} - ALSA: hrtimer: Fix stall by hrtimer_cancel() (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2549} - ALSA: timer: Harden slave timer list handling (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2547} {CVE-2016-2548} - ALSA: timer: Fix double unlink of active_list (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2545} - ALSA: seq: Fix missing NULL check at remove_events ioctl (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2543} - ALSA: seq: Fix race at timer setup and close (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2544} - ALSA: usb-audio: avoid freeing umidi object twice (Andrey Konovalov) [Orabug: 28058229] {CVE-2016-2384} [3.8.13-118.21.2.el7uek] - perf/hwbp: Simplify the perf-hwbp code, fix documentation (Linus Torvalds) [Orabug: 27947608] {CVE-2018-1000199} - Revert last seen 2020-06-01 modified 2020-06-02 plugin id 110583 published 2018-06-18 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110583 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4134) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-1_0-0102_LINUX.NASL description An update of the linux package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121803 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121803 title Photon OS 1.0: Linux PHSA-2018-1.0-0102 NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1232.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-5754 Multiple researchers have discovered a vulnerability in Intel processors, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Meltdown and is addressed in the Linux kernel for the Intel x86-64 architecture by a patch set named Kernel Page Table Isolation, enforcing a near complete separation of the kernel and userspace address maps and preventing the attack. This solution might have a performance impact, and can be disabled at boot time by passing `pti=off last seen 2020-03-17 modified 2018-01-08 plugin id 105622 published 2018-01-08 reporter This script is Copyright (C) 2018-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/105622 title Debian DLA-1232-1 : linux security update (Meltdown) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0660-1.NASL description The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bnc#1068032). The previous fix using CPU Microcode has been complemented by building the Linux Kernel with return trampolines aka last seen 2020-06-01 modified 2020-06-02 plugin id 108279 published 2018-03-13 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108279 title SUSE SLES11 Security Update : kernel (SUSE-SU-2018:0660-1) (Spectre) NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2018-956.NASL description Stack-based out-of-bounds read via vmcall instruction Linux kernel compiled with the KVM virtualization (CONFIG_KVM) support is vulnerable to an out-of-bounds read access issue. It could occur when emulating vmcall instructions invoked by a guest. A guest user/process could use this flaw to disclose kernel memory bytes.(CVE-2017-17741) drivers/block/loop.c mishandles lo_release serialization allowing denial-of-service A flaw was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 109127 published 2018-04-18 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109127 title Amazon Linux 2 : kernel (ALAS-2018-956) (Dirty COW) (Spectre) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4082.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2017-5754 Multiple researchers have discovered a vulnerability in Intel processors, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Meltdown and is addressed in the Linux kernel for the Intel x86-64 architecture by a patch set named Kernel Page Table Isolation, enforcing a near complete separation of the kernel and userspace address maps and preventing the attack. This solution might have a performance impact, and can be disabled at boot time by passing pti=off to the kernel command line. - CVE-2017-8824 Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it:echo >> /etc/modprobe.d/disable-dccp.conf install dccp false - CVE-2017-15868 Al Viro found that the Bluebooth Network Encapsulation Protocol (BNEP) implementation did not validate the type of the second socket passed to the BNEPCONNADD ioctl(), which could lead to memory corruption. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation. - CVE-2017-16538 Andrey Konovalov reported that the dvb-usb-lmedm04 media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). - CVE-2017-16939 Mohamed Ghannam reported (through Beyond Security last seen 2020-06-01 modified 2020-06-02 plugin id 105704 published 2018-01-10 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105704 title Debian DSA-4082-1 : linux - security update (Meltdown) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-944.NASL description Race condition in raw_sendmsg function allows denial-of-service or kernel addresses leak A flaw was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 106171 published 2018-01-19 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106171 title Amazon Linux AMI : kernel (ALAS-2018-944) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4172.NASL description Description of changes: [2.6.39-400.300.2.el6uek] - Revert last seen 2020-06-01 modified 2020-06-02 plugin id 111144 published 2018-07-18 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111144 title Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2018-4172)
References
- https://www.spinics.net/lists/kvm/msg160796.html
- https://www.debian.org/security/2017/dsa-4073
- https://www.debian.org/security/2018/dsa-4082
- https://lists.debian.org/debian-lts-announce/2018/01/msg00004.html
- http://www.securityfocus.com/bid/102227
- https://usn.ubuntu.com/3617-2/
- https://usn.ubuntu.com/3617-1/
- https://usn.ubuntu.com/3620-2/
- https://usn.ubuntu.com/3620-1/
- https://usn.ubuntu.com/3619-1/
- https://usn.ubuntu.com/3617-3/
- https://usn.ubuntu.com/3619-2/
- https://usn.ubuntu.com/3632-1/