Vulnerabilities > CVE-2018-1091 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Linux Kernel
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c in the Linux kernel before 4.13.5, a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-1287-1.NASL description The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes. Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331) CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS) CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS) CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS) CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM) This kernel update contains software mitigations for these issues, which also utilize CPU microcode updates shipped in parallel. For more information on this set of information leaks, check out https://www.suse.com/support/kb/doc/?id=7023736 The following security bugs were fixed: CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network could use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service. (bnc#1096748). CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol. (bnc#1096748). CVE-2016-8636: Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c allowed local users to cause a denial of service (memory corruption), obtain sensitive information or possibly have unspecified other impact via a write or read request involving the last seen 2020-06-01 modified 2020-06-02 plugin id 125282 published 2019-05-20 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125282 title SUSE SLES12 Security Update : kernel (SUSE-SU-2019:1287-1) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-1318.NASL description From Red Hat Security Advisory 2018:1318 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Kernel: KVM: error in exception handling leads to wrong debug stack value (CVE-2018-1087) * Kernel: error in exception handling leads to DoS (CVE-2018-8897) * Kernel: ipsec: xfrm: use-after-free leading to potential privilege escalation (CVE-2017-16939) * kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c (CVE-2018-1068) * kernel: ptrace() incorrect error handling leads to corruption and DoS (CVE-2018-1000199) * kernel: guest kernel crash during core dump on POWER9 host (CVE-2018-1091) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Andy Lutomirski for reporting CVE-2018-1087 and CVE-2018-1000199 and Nick Peterson (Everdox Tech LLC) and Andy Lutomirski for reporting CVE-2018-8897. Bug Fix(es) : These updated kernel packages include also numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. See the bug fix descriptions in the related Knowledge Article: https://access.redhat.com/ articles/3431641 last seen 2020-06-01 modified 2020-06-02 plugin id 109665 published 2018-05-10 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109665 title Oracle Linux 7 : kernel (ELSA-2018-1318) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-1023.NASL description A weakness was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 110197 published 2018-05-30 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110197 title Amazon Linux AMI : kernel (ALAS-2018-1023) NASL family Scientific Linux Local Security Checks NASL id SL_20180508_KERNEL_ON_SL7_X.NASL description Security Fix(es) : - Kernel: KVM: error in exception handling leads to wrong debug stack value (CVE-2018-1087) - Kernel: error in exception handling leads to DoS (CVE-2018-8897) - Kernel: ipsec: xfrm: use-after-free leading to potential privilege escalation (CVE-2017-16939) - kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c (CVE-2018-1068) - kernel: ptrace() incorrect error handling leads to corruption and DoS (CVE-2018-1000199) - kernel: guest kernel crash during core dump on POWER9 host (CVE-2018-1091) last seen 2020-03-18 modified 2018-05-09 plugin id 109644 published 2018-05-09 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109644 title Scientific Linux Security Update : kernel on SL7.x x86_64 (20180508) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1048-1.NASL description The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.126 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-1091: In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c, a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service (bnc#1087231). - CVE-2018-7740: The resv_map_release function in mm/hugetlb.c allowed local users to cause a denial of service (BUG) via a crafted application that made mmap system calls and has a large pgoff argument to the remap_file_pages system call (bnc#1084353). - CVE-2018-8043: The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c did not validate certain resource availability, which allowed local users to cause a denial of service (NULL pointer dereference) (bnc#1084829). - CVE-2017-18257: The __get_data_block function in fs/f2fs/data.c allowed local users to cause a denial of service (integer overflow and loop) via crafted use of the open and fallocate system calls with an FS_IOC_FIEMAP ioctl. (bnc#1088241) - CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious NCPFS servers to crash the kernel or execute code (bnc#1086162). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 109310 published 2018-04-24 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109310 title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:1048-1) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2018-1318.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Kernel: KVM: error in exception handling leads to wrong debug stack value (CVE-2018-1087) * Kernel: error in exception handling leads to DoS (CVE-2018-8897) * Kernel: ipsec: xfrm: use-after-free leading to potential privilege escalation (CVE-2017-16939) * kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c (CVE-2018-1068) * kernel: ptrace() incorrect error handling leads to corruption and DoS (CVE-2018-1000199) * kernel: guest kernel crash during core dump on POWER9 host (CVE-2018-1091) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Andy Lutomirski for reporting CVE-2018-1087 and CVE-2018-1000199 and Nick Peterson (Everdox Tech LLC) and Andy Lutomirski for reporting CVE-2018-8897. Bug Fix(es) : These updated kernel packages include also numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. See the bug fix descriptions in the related Knowledge Article: https://access.redhat.com/ articles/3431641 last seen 2020-06-01 modified 2020-06-02 plugin id 110245 published 2018-05-31 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110245 title CentOS 7 : kernel (CESA-2018:1318) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-377.NASL description The openSUSE Leap 42.3 kernel was updated to 4.4.126 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-1091: In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c, a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service (bnc#1087231). - CVE-2018-8043: The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c did not validate certain resource availability, which allowed local users to cause a denial of service (NULL pointer dereference) (bnc#1084829). - CVE-2018-7740: The resv_map_release function in mm/hugetlb.c allowed local users to cause a denial of service (BUG) via a crafted application that made mmap system calls and has a large pgoff argument to the remap_file_pages system call (bnc#1084353). The following non-security bugs were fixed : - acpica: Add header support for TPM2 table changes (bsc#1084452). - acpica: Add support for new SRAT subtable (bsc#1085981). - acpica: iasl: Update to IORT SMMUv3 disassembling (bsc#1085981). - acpi/IORT: numa: Add numa node mapping for smmuv3 devices (bsc#1085981). - acpi, numa: fix pxm to online numa node associations (bnc#1012382). - acpi / PMIC: xpower: Fix power_table addresses (bnc#1012382). - acpi/processor: Fix error handling in __acpi_processor_start() (bnc#1012382). - acpi/processor: Replace racy task affinity logic (bnc#1012382). - agp/intel: Flush all chipset writes after updating the GGTT (bnc#1012382). - ahci: Add pci-id for the Highpoint Rocketraid 644L card (bnc#1012382). - alsa: aloop: Fix access to not-yet-ready substream via cable (bnc#1012382). - alsa: aloop: Sync stale timer before release (bnc#1012382). - alsa: firewire-digi00x: handle all MIDI messages on streaming packets (bnc#1012382). - alsa: hda: Add a power_save blacklist (bnc#1012382). - alsa: hda: add dock and led support for HP EliteBook 820 G3 (bnc#1012382). - alsa: hda: add dock and led support for HP ProBook 640 G2 (bnc#1012382). - alsa: hda/realtek - Always immediately update mute LED with pin VREF (bnc#1012382). - alsa: hda/realtek - Fix dock line-out volume on Dell Precision 7520 (bnc#1012382). - alsa: hda/realtek - Fix speaker no sound after system resume (bsc#1031717). - alsa: hda - Revert power_save option default value (git-fixes). - alsa: pcm: Fix UAF in snd_pcm_oss_get_formats() (bnc#1012382). - alsa: usb-audio: Add a quirck for B&W PX headphones (bnc#1012382). - alsa: usb-audio: Fix parsing descriptor of UAC2 processing unit (bnc#1012382). - apparmor: Make path_max parameter readonly (bnc#1012382). - arm64: Add missing Falkor part number for branch predictor hardening (bsc#1068032). - arm64 / cpuidle: Use new cpuidle macro for entering retention state (bsc#1084328). - arm64: mm: do not write garbage into TTBR1_EL1 register (bsc#1085487). - arm: 8668/1: ftrace: Fix dynamic ftrace with DEBUG_RODATA and !FRAME_POINTER (bnc#1012382). - arm: DRA7: clockdomain: Change the CLKTRCTRL of CM_PCIE_CLKSTCTRL to SW_WKUP (bnc#1012382). - arm: dts: Adjust moxart IRQ controller and flags (bnc#1012382). - arm: dts: am335x-pepper: Fix the audio CODEC last seen 2020-06-05 modified 2018-04-18 plugin id 109103 published 2018-04-18 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109103 title openSUSE Security Update : the Linux Kernel (openSUSE-2018-377) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1519.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel through 3.11.1 uses data structures and function calls that do not trigger an intended configuration of IPsec encryption, which allows remote attackers to obtain sensitive information by sniffing the network.(CVE-2013-4350i1/4%0 - The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impacts via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function.(CVE-2017-7187i1/4%0 - An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller last seen 2020-03-19 modified 2019-05-14 plugin id 124972 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124972 title EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1519) NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2018-1023.NASL description A weakness was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 110196 published 2018-05-30 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110196 title Amazon Linux 2 : kernel (ALAS-2018-1023) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-1318.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Kernel: KVM: error in exception handling leads to wrong debug stack value (CVE-2018-1087) * Kernel: error in exception handling leads to DoS (CVE-2018-8897) * Kernel: ipsec: xfrm: use-after-free leading to potential privilege escalation (CVE-2017-16939) * kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c (CVE-2018-1068) * kernel: ptrace() incorrect error handling leads to corruption and DoS (CVE-2018-1000199) * kernel: guest kernel crash during core dump on POWER9 host (CVE-2018-1091) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Andy Lutomirski for reporting CVE-2018-1087 and CVE-2018-1000199 and Nick Peterson (Everdox Tech LLC) and Andy Lutomirski for reporting CVE-2018-8897. Bug Fix(es) : These updated kernel packages include also numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. See the bug fix descriptions in the related Knowledge Article: https://access.redhat.com/ articles/3431641 last seen 2020-06-01 modified 2020-06-02 plugin id 109633 published 2018-05-09 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109633 title RHEL 7 : kernel (RHSA-2018:1318)
Redhat
advisories |
| ||||
rpms |
|
References
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c1fa0768a8713b135848f78fd43ffc208d8ded70
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c1fa0768a8713b135848f78fd43ffc208d8ded70
- http://openwall.com/lists/oss-security/2018/03/27/4
- http://openwall.com/lists/oss-security/2018/03/27/4
- https://access.redhat.com/errata/RHSA-2018:1318
- https://access.redhat.com/errata/RHSA-2018:1318
- https://access.redhat.com/security/cve/cve-2018-1091
- https://access.redhat.com/security/cve/cve-2018-1091
- https://bugzilla.redhat.com/show_bug.cgi?id=1558149
- https://bugzilla.redhat.com/show_bug.cgi?id=1558149
- https://github.com/torvalds/linux/commit/c1fa0768a8713b135848f78fd43ffc208d8ded70
- https://github.com/torvalds/linux/commit/c1fa0768a8713b135848f78fd43ffc208d8ded70
- https://marc.info/?l=linuxppc-embedded&m=150535531910494&w=2
- https://marc.info/?l=linuxppc-embedded&m=150535531910494&w=2
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.5
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.5