Vulnerabilities > CVE-2018-13094 - NULL Pointer Dereference vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-0831.NASL description An update for kernel-alt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-alt packages provide the Linux kernel version 4.x. Security Fix(es) : * kernel: lack of check for mmap minimum address in expand_downwards in mm/ mmap.c leads to NULL pointer dereferences exploit on non-SMAP platforms (CVE-2019-9213) * kernel: use-after-free in ucma_leave_multicast in drivers/infiniband/core/ ucma.c (CVE-2018-14734) * kernel: Unprivileged users able to inspect kernel stacks of arbitrary tasks (CVE-2018-17972) * kernel: TLB flush happens too late on mremap (CVE-2018-18281) * kernel: Type confusion in drivers/tty/n_tty.c allows for a denial of service (CVE-2018-18386) * kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397) * kernel: Integer overflow in the alarm_timer_nsleep function (CVE-2018-13053) * kernel: NULL pointer dereference in xfs_da_shrink_inode function (CVE-2018-13094) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * Failed to boot with ftrace=function in kvm with 2vcpu (BZ#1501024) * [ALT-7.5][x86_64] perf test 63 - inet_pton fails on x86_64 (BZ#1518836) * BUG: potential out-of-bounds string access when forcing a SELinux label on a file (BZ#1595706) * stack out-of-bounds in smb{2,3}_create_lease_buf() on SMB2/SMB3 mounts (BZ# 1598757) * [ALT-7.6][KVM][PANIC] ltp/lite proc01 - Unable to handle kernel paging request at virtual address ffff7fe000200018 (BZ#1623193) * Kernel lock up due to read/write lock (BZ#1636261) * [RHEL-ALT] Fix potential Spectre v1 in tty code (BZ#1639679) * [Huawei AArch64 7.6 Bug] HNS3: Vlan on HNS3 NIC cannot communicate (BZ# 1639713) * [RHEL7.6-ALT][AWS] backport last seen 2020-06-01 modified 2020-06-02 plugin id 124257 published 2019-04-24 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124257 title RHEL 7 : kernel-alt (RHSA-2019:0831) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2019:0831. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(124257); script_version("1.7"); script_cvs_date("Date: 2020/01/24"); script_cve_id("CVE-2018-13053", "CVE-2018-13094", "CVE-2018-14734", "CVE-2018-17972", "CVE-2018-18281", "CVE-2018-18386", "CVE-2018-18397", "CVE-2019-9213"); script_xref(name:"RHSA", value:"2019:0831"); script_name(english:"RHEL 7 : kernel-alt (RHSA-2019:0831)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update for kernel-alt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-alt packages provide the Linux kernel version 4.x. Security Fix(es) : * kernel: lack of check for mmap minimum address in expand_downwards in mm/ mmap.c leads to NULL pointer dereferences exploit on non-SMAP platforms (CVE-2019-9213) * kernel: use-after-free in ucma_leave_multicast in drivers/infiniband/core/ ucma.c (CVE-2018-14734) * kernel: Unprivileged users able to inspect kernel stacks of arbitrary tasks (CVE-2018-17972) * kernel: TLB flush happens too late on mremap (CVE-2018-18281) * kernel: Type confusion in drivers/tty/n_tty.c allows for a denial of service (CVE-2018-18386) * kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397) * kernel: Integer overflow in the alarm_timer_nsleep function (CVE-2018-13053) * kernel: NULL pointer dereference in xfs_da_shrink_inode function (CVE-2018-13094) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * Failed to boot with ftrace=function in kvm with 2vcpu (BZ#1501024) * [ALT-7.5][x86_64] perf test 63 - inet_pton fails on x86_64 (BZ#1518836) * BUG: potential out-of-bounds string access when forcing a SELinux label on a file (BZ#1595706) * stack out-of-bounds in smb{2,3}_create_lease_buf() on SMB2/SMB3 mounts (BZ# 1598757) * [ALT-7.6][KVM][PANIC] ltp/lite proc01 - Unable to handle kernel paging request at virtual address ffff7fe000200018 (BZ#1623193) * Kernel lock up due to read/write lock (BZ#1636261) * [RHEL-ALT] Fix potential Spectre v1 in tty code (BZ#1639679) * [Huawei AArch64 7.6 Bug] HNS3: Vlan on HNS3 NIC cannot communicate (BZ# 1639713) * [RHEL7.6-ALT][AWS] backport 'nvme: update timeout module parameter type' (BZ#1654958) * ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm (BZ#1663565) * RHEL-Alt-7.6 - kernel: zcrypt: fix specification exception on z196 at ap probe (BZ#1670018) * [Huawei AArch64 7.6 Bug] Flock over NFSv3 failed (BZ#1670650) * [Huawei AArch64 7.6/7.6-z Bug] HNS3: if a single transmit packet(skb) has more than 8 frags, will cause the NIC to be unavailable (BZ#1677643) * krb5{,i,p} doesn't work with older enctypes on aarch64 (BZ#1678922) Users of kernel are advised to upgrade to these updated packages, which fix these bugs." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:0831" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-13053" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-13094" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-14734" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-17972" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-18281" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-18386" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-18397" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-9213" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/02"); script_set_attribute(attribute:"patch_publication_date", value:"2019/04/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/24"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2018-13053", "CVE-2018-13094", "CVE-2018-14734", "CVE-2018-17972", "CVE-2018-18281", "CVE-2018-18386", "CVE-2018-18397", "CVE-2019-9213"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2019:0831"); } else { __rpm_report = ksplice_reporting_text(); } } yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2019:0831"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-4.14.0-115.7.1.el7a")) flag++; if (rpm_check(release:"RHEL7", reference:"kernel-abi-whitelists-4.14.0-115.7.1.el7a")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-4.14.0-115.7.1.el7a")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-debuginfo-4.14.0-115.7.1.el7a")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-devel-4.14.0-115.7.1.el7a")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debuginfo-4.14.0-115.7.1.el7a")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debuginfo-common-s390x-4.14.0-115.7.1.el7a")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-devel-4.14.0-115.7.1.el7a")) flag++; if (rpm_check(release:"RHEL7", reference:"kernel-doc-4.14.0-115.7.1.el7a")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-headers-4.14.0-115.7.1.el7a")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-4.14.0-115.7.1.el7a")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-debuginfo-4.14.0-115.7.1.el7a")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-devel-4.14.0-115.7.1.el7a")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"perf-4.14.0-115.7.1.el7a")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"perf-debuginfo-4.14.0-115.7.1.el7a")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-perf-4.14.0-115.7.1.el7a")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-perf-debuginfo-4.14.0-115.7.1.el7a")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-abi-whitelists / kernel-debug / etc"); } }
NASL family Scientific Linux Local Security Checks NASL id SL_20190806_KERNEL_ON_SL7_X.NASL description Security Fix(es) : - Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900) - Kernel: page cache side channel attacks (CVE-2019-5489) - kernel: Buffer overflow in hidp_process_report (CVE-2018-9363) - kernel: l2tp: Race condition between pppol2tp_session_create() and l2tp_eth_create() (CVE-2018-9517) - kernel: kvm: guest userspace to guest kernel write (CVE-2018-10853) - kernel: use-after-free Read in vhost_transport_send_pkt (CVE-2018-14625) - kernel: use-after-free in ucma_leave_multicast in drivers/infiniband/core/ucma.c (CVE-2018-14734) - kernel: Mishandling of indirect calls weakens Spectre mitigation for paravirtual guests (CVE-2018-15594) - kernel: TLB flush happens too late on mremap (CVE-2018-18281) - kernel: Heap address information leak while using L2CAP_GET_CONF_OPT (CVE-2019-3459) - kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP (CVE-2019-3460) - kernel: denial of service vector through vfio DMA mappings (CVE-2019-3882) - kernel: fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599) - kernel: a NULL pointer dereference in drivers/scsi/megaraid/megaraid_sas_base.c leading to DoS (CVE-2019-11810) - kernel: fs/ext4/extents.c leads to information disclosure (CVE-2019-11833) - kernel: Information exposure in fd_locked_ioctl function in drivers/block/floppy.c (CVE-2018-7755) - kernel: Memory leak in drivers/net/wireless/mac80211_hwsim.c:hwsim_new_radio_nl () can lead to potential denial of service (CVE-2018-8087) - kernel: HID: debug: Buffer overflow in hid_debug_events_read() in drivers/hid/hid-debug.c (CVE-2018-9516) - kernel: Integer overflow in the alarm_timer_nsleep function (CVE-2018-13053) - kernel: NULL pointer dereference in lookup_slow function (CVE-2018-13093) - kernel: NULL pointer dereference in xfs_da_shrink_inode function (CVE-2018-13094) - kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c (CVE-2018-13095) - kernel: Information leak in cdrom_ioctl_drive_status (CVE-2018-16658) - kernel: out-of-bound read in memcpy_fromiovecend() (CVE-2018-16885) - Kernel: KVM: leak of uninitialized stack contents to guest (CVE-2019-7222) last seen 2020-03-18 modified 2019-08-27 plugin id 128226 published 2019-08-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128226 title Scientific Linux Security Update : kernel on SL7.x x86_64 (20190806) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3753-2.NASL description USN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168) Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879) Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877) Wen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881) Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-12233) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13094) It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405) Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 112112 published 2018-08-24 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112112 title Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3753-2) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2858-1.NASL description The SUSE Linux Enterprise 12 SP3 azure kernel was updated to 4.4.155 to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occured because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001) CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that could have occurred for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999) CVE-2018-13094: Prevent OOPS that may have occured for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000) CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922) CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689) CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903) CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511) CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509) CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol (bnc#1096748) CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service (bnc#1096748) CVE-2018-10938: A crafted network packet sent remotely by an attacker forced the kernel to enter an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service (bnc#1106016) CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517) CVE-2018-10902: Protect against concurrent access to prevent double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A malicious local attacker could have used this for privilege escalation (bnc#1105322). CVE-2018-9363: Prevent buffer overflow in hidp_process_report (bsc#1105292) CVE-2018-10883: A local user could have caused an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099863) CVE-2018-10879: A local user could have caused a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact by renaming a file in a crafted ext4 filesystem image (bsc#1099844) CVE-2018-10878: A local user could have caused an out-of-bounds write and a denial of service or unspecified other impact by mounting and operating a crafted ext4 filesystem image (bsc#1099813) CVE-2018-10876: A use-after-free was possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image (bsc#1099811) CVE-2018-10877: Prevent out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image (bsc#1099846) CVE-2018-10881: A local user could have caused an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099864) CVE-2018-10882: A local user could have caused an out-of-bound write, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image (bsc#1099849) CVE-2018-10880: Prevent stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could have used this to cause a system crash and a denial of service (bsc#1099845) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 117800 published 2018-09-27 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117800 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2858-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1223.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A new software page cache side channel attack scenario was discovered in operating systems that implement the very common last seen 2020-03-19 modified 2019-04-09 plugin id 123909 published 2019-04-09 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123909 title EulerOS Virtualization 2.5.4 : kernel (EulerOS-SA-2019-1223) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3754-1.NASL description Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208) It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses). (CVE-2017-11472) It was discovered that a buffer overflow existed in the ACPI table parsing implementation in the Linux kernel. A local attacker could use this to construct a malicious ACPI table that, when loaded, caused a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11473) It was discovered that the generic SCSI driver in the Linux kernel did not properly initialize data returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14991) It was discovered that a race condition existed in the packet fanout implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15649) Andrey Konovalov discovered that the Ultra Wide Band driver in the Linux kernel did not properly check for an error condition. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16526) Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16527) Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel did not properly validate USB audio buffer descriptors. A physically proximate attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16529) Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB interface association descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16531) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB HID descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16533) Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB BOS metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16535) Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) It was discovered that the DM04/QQBOX USB driver in the Linux kernel did not properly handle device attachment and warm-start. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16538) Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643) Andrey Konovalov discovered that the video4linux driver for Hauppauge HD PVR USB devices in the Linux kernel did not properly handle some error conditions. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16644) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911) It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912) It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913) It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16914) It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558) It was discovered that an integer overflow existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18255) It was discovered that the keyring subsystem in the Linux kernel did not properly prevent a user from creating keyrings for other users. A local attacker could use this cause a denial of service or expose sensitive information. (CVE-2017-18270) Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS. (CVE-2017-2583) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory). (CVE-2017-2584) It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549) Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897) Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-6345) Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348) Andy Lutomirski discovered that the KVM implementation in the Linux kernel was vulnerable to a debug exception error when single-stepping through a syscall. A local attacker in a non-Linux guest vm could possibly use this to gain administrative privileges in the guest vm. (CVE-2017-7518) Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645) Pengfei Wang discovered that a race condition existed in the NXP SAA7164 TV Decoder driver for the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-8831) Pengfei Wang discovered that the Turtle Beach MultiSound audio device driver in the Linux kernel contained race conditions when fetching from the ring-buffer. A local attacker could use this to cause a denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985) It was discovered that the wait4() system call in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2018-10087) It was discovered that the kill() system call implementation in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2018-10124) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323) Zhong Jiang discovered that a use-after-free vulnerability existed in the NUMA memory policy implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10675) Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations. An attacker could use this to specially craft an ext4 file system that caused a denial of service (system crash) when mounted. (CVE-2018-1092) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations. An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted. (CVE-2018-1093) It was discovered that the cdrom driver in the Linux kernel contained an incorrect bounds check. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-10940) Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-12233) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13094) It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405) Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406) Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2017-2671) It was discovered that an information leak existed in the generic SCSI driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-1000204) It was discovered that a memory leak existed in the Serial Attached SCSI (SAS) implementation in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-10021). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 112113 published 2018-08-24 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112113 title Ubuntu 14.04 LTS : linux vulnerabilities (USN-3754-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3752-2.NASL description USN-3752-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. It was discovered that, when attempting to handle an out-of-memory situation, a NULL pointer dereference could be triggered in the Linux kernel in some circumstances. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1000200) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate xattr information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10840) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations. An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted. (CVE-2018-1093) Jann Horn discovered that the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 112110 published 2018-08-24 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112110 title Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3752-2) NASL family Fedora Local Security Checks NASL id FEDORA_2018-50075276E8.NASL description The v4.17.5 update contains important fixes across the tree Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120418 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120418 title Fedora 28 : kernel (2018-50075276e8) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-2043.NASL description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900) * Kernel: page cache side channel attacks (CVE-2019-5489) * kernel: Buffer overflow in hidp_process_report (CVE-2018-9363) * kernel: l2tp: Race condition between pppol2tp_session_create() and l2tp_eth_create() (CVE-2018-9517) * kernel: kvm: guest userspace to guest kernel write (CVE-2018-10853) * kernel: use-after-free Read in vhost_transport_send_pkt (CVE-2018-14625) * kernel: use-after-free in ucma_leave_multicast in drivers/infiniband/core/ ucma.c (CVE-2018-14734) * kernel: Mishandling of indirect calls weakens Spectre mitigation for paravirtual guests (CVE-2018-15594) * kernel: TLB flush happens too late on mremap (CVE-2018-18281) * kernel: Heap address information leak while using L2CAP_GET_CONF_OPT (CVE-2019-3459) * kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP (CVE-2019-3460) * kernel: denial of service vector through vfio DMA mappings (CVE-2019-3882) * kernel: fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599) * kernel: a NULL pointer dereference in drivers/scsi/megaraid/ megaraid_sas_base.c leading to DoS (CVE-2019-11810) * kernel: fs/ext4/extents.c leads to information disclosure (CVE-2019-11833) * kernel: Information exposure in fd_locked_ioctl function in drivers/block/ floppy.c (CVE-2018-7755) * kernel: Memory leak in drivers/net/wireless/ mac80211_hwsim.c:hwsim_new_radio_nl() can lead to potential denial of service (CVE-2018-8087) * kernel: HID: debug: Buffer overflow in hid_debug_events_read() in drivers/ hid/hid-debug.c (CVE-2018-9516) * kernel: Integer overflow in the alarm_timer_nsleep function (CVE-2018-13053) * kernel: NULL pointer dereference in lookup_slow function (CVE-2018-13093) * kernel: NULL pointer dereference in xfs_da_shrink_inode function (CVE-2018-13094) * kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c (CVE-2018-13095) * kernel: Information leak in cdrom_ioctl_drive_status (CVE-2018-16658) * kernel: out-of-bound read in memcpy_fromiovecend() (CVE-2018-16885) * Kernel: KVM: leak of uninitialized stack contents to guest (CVE-2019-7222) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section. last seen 2020-04-23 modified 2019-08-12 plugin id 127655 published 2019-08-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127655 title RHEL 7 : kernel-rt (RHSA-2019:2043) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4299.NASL description Description of changes: [4.1.12-124.23.1.el7uek] - xfs: don last seen 2020-05-15 modified 2018-12-10 plugin id 119534 published 2018-12-10 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119534 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4299) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-2_0-0225_LINUX.NASL description An update of the linux package has been released. last seen 2020-04-14 modified 2020-04-10 plugin id 135305 published 2020-04-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135305 title Photon OS 2.0: Linux PHSA-2020-2.0-0225 NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-3084-1.NASL description The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bugfixes. CVE-2018-10853: A flaw was found in the way the KVM hypervisor emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest (bnc#1097104). CVE-2018-10876: A flaw was found in Linux kernel in the ext4 filesystem code. A use-after-free is possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image. (bnc#1099811) CVE-2018-10877: Linux kernel ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image. (bnc#1099846) CVE-2018-10878: A flaw was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 118034 published 2018-10-10 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118034 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:3084-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1062.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Missing check in fs/inode.c:inode_init_owner() does not clear SGID bit on non-directories for non-members.(CVE-2018-13405) - A null pointer dereference in dccp_write_xmit() function in net/dccp/output.c in the Linux kernel allows a local user to cause a denial of service by a number of certain crafted system calls.(CVE-2018-1130) - A flaw was found in the Linux kernel, before 4.16.6 where the cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c allows local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory.(CVE-2018-10940) - The madvise_willneed function in the Linux kernel allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping.(CVE-2017-18208) - fuse-backed file mmap-ed onto process cmdline arguments causes denial of service.(CVE-2018-1120) - Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel allows local users to cause a denial of service (kernel memory exhaustion) via multiple read accesses to files in the /sys/class/sas_phy directory.(CVE-2018-7757) - A vulnerability was found in the Linux kernel last seen 2020-05-06 modified 2019-02-25 plugin id 122414 published 2019-02-25 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122414 title EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-1062) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4304.NASL description Description of changes: [4.14.35-1818.5.4.el7uek] - RDS: NULL pointer dereference in rds_atomic_free_op (Mohamed Ghannam) [Orabug: 28020694] {CVE-2018-5333} - x86/speculation: Make enhanced IBRS the default spectre v2 mitigation (Alejandro Jimenez) [Orabug: 28474853] - x86/speculation: Enable enhanced IBRS usage (Alejandro Jimenez) [Orabug: 28474853] - x86/speculation: functions for supporting enhanced IBRS (Alejandro Jimenez) [Orabug: 28474853] - KVM: x86: Expose CLDEMOTE CPU feature to guest VM (Jingqi Liu) [Orabug: 28938290] - x86/cpufeatures: Enumerate cldemote instruction (Fenghua Yu) [Orabug: 28938290] - libiscsi: Fix NULL pointer dereference in iscsi_eh_session_reset (Fred Herard) [Orabug: 28946206] - wil6210: missing length check in wmi_set_ie (Lior David) [Orabug: 28951267] {CVE-2018-5848} - floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl (Andy Whitcroft) [Orabug: 28956546] {CVE-2018-7755} {CVE-2018-7755} [4.14.35-1818.5.3.el7uek] - hugetlbfs: use truncate mutex to prevent pmd sharing race (Mike Kravetz) [Orabug: 28896279] - xfs: enhance dinode verifier (Eric Sandeen) [Orabug: 28943579] {CVE-2018-10322} - xfs: move inode fork verifiers to xfs_dinode_verify (Darrick J. Wong) [Orabug: 28943579] {CVE-2018-10322} [4.14.35-1818.5.2.el7uek] - rds: crash at rds_ib_inc_copy_to_user+104 due to NULL ptr reference (Venkat Venkatsubra) [Orabug: 28748049] - kdump/vmcore: support encrypted old memory with SME enabled (Lianbo Jiang) [Orabug: 28796835] - amd_iommu: remap the device table of IOMMU with the memory encryption mask for kdump (Lianbo Jiang) [Orabug: 28796835] - kexec: allocate unencrypted control pages for kdump in case SME is enabled (Lianbo Jiang) [Orabug: 28796835] - x86/ioremap: add a function ioremap_encrypted() to remap kdump old memory (Lianbo Jiang) [Orabug: 28796835] - net/rds: Fix endless RNR situation (Venkat Venkatsubra) [Orabug: 28857013] - Btrfs: fix xattr loss after power failure (Filipe Manana) [Orabug: 28893942] - xen/balloon: Support xend-based toolstack (Boris Ostrovsky) [Orabug: 28901032] - Btrfs: fix file data corruption after cloning a range and fsync (Filipe Manana) [Orabug: 28905635] - xen-blkfront: fix kernel panic with negotiate_mq error path (Manjunath Patil) - cdrom: fix improper type cast, which can leat to information leak. (Young_X) [Orabug: 28929755] {CVE-2018-16658} {CVE-2018-10940} {CVE-2018-18710} - sched/fair: Use a recently used CPU as an idle candidate and the basis for SIS (Mel Gorman) [Orabug: 28940633] - sched/fair: Move select_task_rq_fair() slow-path into its own function (Brendan Jackman) [Orabug: 28940633] - certs: Add Oracle last seen 2020-04-30 modified 2018-12-13 plugin id 119638 published 2018-12-13 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119638 title Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4304) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3752-3.NASL description It was discovered that, when attempting to handle an out-of-memory situation, a NULL pointer dereference could be triggered in the Linux kernel in some circumstances. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1000200) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate xattr information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10840) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations. An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted. (CVE-2018-1093) Jann Horn discovered that the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 112189 published 2018-08-30 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112189 title Ubuntu 16.04 LTS / 18.04 LTS : linux-azure, linux-oem, linux-gcp vulnerabilities (USN-3752-3) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1503.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The uas driver in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash), or possibly have unspecified other impacts via a crafted USB device, related to drivers/usb/storage/uas-detect.h and drivers/usb/storage/uas.c.(CVE-2017-16530i1/4%0 - The implementation of big key management in security/keys/big_key.c in the Linux kernel before 4.8.7 mishandles unsuccessful crypto registration in conjunction with successful key-type registration, which allows local users to cause a denial of service (NULL pointer dereference and panic) or possibly have unspecified other impact via a crafted application that uses the big_key data type.(CVE-2016-9313i1/4%0 - The Linux kernel allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag. This may create a kernel panic or memory corruption leading to privilege escalation.(CVE-2016-10229i1/4%0 - Buffer overflow in the exitcode_proc_write function in arch/um/kernel/exitcode.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging root privileges for a write operation.(CVE-2013-4512i1/4%0 - It was found that unsharing a mount namespace could allow a user to see data beneath their restricted namespace.(CVE-2014-9717i1/4%0 - A divide-by-zero flaw was discovered in the Linux kernel built with KVM virtualization support(CONFIG_KVM). The flaw occurs in the KVM module last seen 2020-03-19 modified 2019-05-13 plugin id 124826 published 2019-05-13 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124826 title EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1503) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-769.NASL description The openSUSE Leap 15.0 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack-based buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target last seen 2020-06-01 modified 2020-06-02 plugin id 123329 published 2019-03-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123329 title openSUSE Security Update : the Linux Kernel (openSUSE-2019-769) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0286.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - xfs: don last seen 2020-04-30 modified 2018-12-11 plugin id 119566 published 2018-12-11 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119566 title OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0286) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1076.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A security flaw was found in the ip_frag_reasm() function in net/ipv4/ip_fragment.c in the Linux kernel which can cause a later system crash in ip_do_fragment(). With certain non-default, but non-rare, configuration of a victim host, an attacker can trigger this crash remotely, thus leading to a remote denial of service.(CVE-2018-14641) - A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system.(CVE-2018-5391) - The resv_map_release function in mm/hugetlb.c in the Linux kernel, through 4.15.7, allows local users to cause a denial of service (BUG) via a crafted application that makes mmap system calls and has a large pgoff argument to the remap_file_pages system call. (CVE-2018-7740) - A use-after-free vulnerability was found in the way the Linux kernel last seen 2020-05-06 modified 2019-03-08 plugin id 122699 published 2019-03-08 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122699 title EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-1076) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2019-2029.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900) * Kernel: page cache side channel attacks (CVE-2019-5489) * kernel: Buffer overflow in hidp_process_report (CVE-2018-9363) * kernel: l2tp: Race condition between pppol2tp_session_create() and l2tp_eth_create() (CVE-2018-9517) * kernel: kvm: guest userspace to guest kernel write (CVE-2018-10853) * kernel: use-after-free Read in vhost_transport_send_pkt (CVE-2018-14625) * kernel: use-after-free in ucma_leave_multicast in drivers/infiniband/core/ ucma.c (CVE-2018-14734) * kernel: Mishandling of indirect calls weakens Spectre mitigation for paravirtual guests (CVE-2018-15594) * kernel: TLB flush happens too late on mremap (CVE-2018-18281) * kernel: Heap address information leak while using L2CAP_GET_CONF_OPT (CVE-2019-3459) * kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP (CVE-2019-3460) * kernel: denial of service vector through vfio DMA mappings (CVE-2019-3882) * kernel: fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599) * kernel: a NULL pointer dereference in drivers/scsi/megaraid/ megaraid_sas_base.c leading to DoS (CVE-2019-11810) * kernel: fs/ext4/extents.c leads to information disclosure (CVE-2019-11833) * kernel: Information exposure in fd_locked_ioctl function in drivers/block/ floppy.c (CVE-2018-7755) * kernel: Memory leak in drivers/net/wireless/ mac80211_hwsim.c:hwsim_new_radio_nl() can lead to potential denial of service (CVE-2018-8087) * kernel: HID: debug: Buffer overflow in hid_debug_events_read() in drivers/ hid/hid-debug.c (CVE-2018-9516) * kernel: Integer overflow in the alarm_timer_nsleep function (CVE-2018-13053) * kernel: NULL pointer dereference in lookup_slow function (CVE-2018-13093) * kernel: NULL pointer dereference in xfs_da_shrink_inode function (CVE-2018-13094) * kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c (CVE-2018-13095) * kernel: Information leak in cdrom_ioctl_drive_status (CVE-2018-16658) * kernel: out-of-bound read in memcpy_fromiovecend() (CVE-2018-16885) * Kernel: KVM: leak of uninitialized stack contents to guest (CVE-2019-7222) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section. last seen 2020-04-16 modified 2019-09-11 plugin id 128651 published 2019-09-11 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128651 title CentOS 7 : kernel (CESA-2019:2029) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1511.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A null pointer dereference in dccp_write_xmit() function in net/dccp/output.c in the Linux kernel allows a local user to cause a denial of service by a number of certain crafted system calls.(CVE-2018-1130) - An issue was discovered in the XFS filesystem in fs/xfs/xfs_icache.c in the Linux kernel. There is a NULL pointer dereference leading to a system panic in lookup_slow() on a NULL inode-i1/4zi_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during an allocation.(CVE-2018-13093) - An issue was discovered in the XFS filesystem in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A NULL pointer dereference may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. This can lead to a system crash and a denial of service.(CVE-2018-13094) - A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions granted in case when they should not.(CVE-2018-13405) - A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target last seen 2020-03-19 modified 2019-05-13 plugin id 124833 published 2019-05-13 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124833 title EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1511) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2776-1.NASL description The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.155 to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occured because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001). CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that could have occurred for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999). CVE-2018-13094: Prevent OOPS that may have occured for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000). CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922). CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689). CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511). CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509). CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol (bnc#1096748). CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service (bnc#1096748). CVE-2018-10938: A crafted network packet sent remotely by an attacker forced the kernel to enter an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service (bnc#1106016). CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517). CVE-2018-10902: Protect against concurrent access to prevent double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A malicious local attacker could have used this for privilege escalation (bnc#1105322 1105323). CVE-2018-9363: Prevent buffer overflow in hidp_process_report (bsc#1105292) CVE-2018-10883: A local user could have caused an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099863). CVE-2018-10879: A local user could have caused a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact by renaming a file in a crafted ext4 filesystem image (bsc#1099844). CVE-2018-10878: A local user could have caused an out-of-bounds write and a denial of service or unspecified other impact by mounting and operating a crafted ext4 filesystem image (bsc#1099813). CVE-2018-10876: A use-after-free was possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image (bsc#1099811). CVE-2018-10877: Prevent out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image (bsc#1099846). CVE-2018-10881: A local user could have caused an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099864). CVE-2018-10882: A local user could have caused an out-of-bound write, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image (bsc#1099849). CVE-2018-10880: Prevent stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could have used this to cause a system crash and a denial of service (bsc#1099845). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 117629 published 2018-09-21 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117629 title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:2776-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-2029.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900) * Kernel: page cache side channel attacks (CVE-2019-5489) * kernel: Buffer overflow in hidp_process_report (CVE-2018-9363) * kernel: l2tp: Race condition between pppol2tp_session_create() and l2tp_eth_create() (CVE-2018-9517) * kernel: kvm: guest userspace to guest kernel write (CVE-2018-10853) * kernel: use-after-free Read in vhost_transport_send_pkt (CVE-2018-14625) * kernel: use-after-free in ucma_leave_multicast in drivers/infiniband/core/ ucma.c (CVE-2018-14734) * kernel: Mishandling of indirect calls weakens Spectre mitigation for paravirtual guests (CVE-2018-15594) * kernel: TLB flush happens too late on mremap (CVE-2018-18281) * kernel: Heap address information leak while using L2CAP_GET_CONF_OPT (CVE-2019-3459) * kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP (CVE-2019-3460) * kernel: denial of service vector through vfio DMA mappings (CVE-2019-3882) * kernel: fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599) * kernel: a NULL pointer dereference in drivers/scsi/megaraid/ megaraid_sas_base.c leading to DoS (CVE-2019-11810) * kernel: fs/ext4/extents.c leads to information disclosure (CVE-2019-11833) * kernel: Information exposure in fd_locked_ioctl function in drivers/block/ floppy.c (CVE-2018-7755) * kernel: Memory leak in drivers/net/wireless/ mac80211_hwsim.c:hwsim_new_radio_nl() can lead to potential denial of service (CVE-2018-8087) * kernel: HID: debug: Buffer overflow in hid_debug_events_read() in drivers/ hid/hid-debug.c (CVE-2018-9516) * kernel: Integer overflow in the alarm_timer_nsleep function (CVE-2018-13053) * kernel: NULL pointer dereference in lookup_slow function (CVE-2018-13093) * kernel: NULL pointer dereference in xfs_da_shrink_inode function (CVE-2018-13094) * kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c (CVE-2018-13095) * kernel: Information leak in cdrom_ioctl_drive_status (CVE-2018-16658) * kernel: out-of-bound read in memcpy_fromiovecend() (CVE-2018-16885) * Kernel: KVM: leak of uninitialized stack contents to guest (CVE-2019-7222) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section. last seen 2020-04-16 modified 2019-08-12 plugin id 127650 published 2019-08-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127650 title RHEL 7 : kernel (RHSA-2019:2029) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-1016.NASL description The openSUSE Leap 42.3 kernel was updated to 4.4.155 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occured because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001). - CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that could have occured for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999). - CVE-2018-13094: Prevent OOPS that might have occured for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000). - CVE-2018-12896: Prevent integer overflow in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun could have been larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user could have caused a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922). - CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking (bnc#1107689). - CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903). - CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511). - CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509). - CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol (bnc#1096748). - CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service (bnc#1096748). - CVE-2018-10938: A crafted network packet sent remotely by an attacker could have forced the kernel to enter an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service (bnc#1106016). - CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517). - CVE-2018-10902: The raw midi kernel driver did not protect against concurrent access which lead to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(), allowing a malicious local attacker to use this for privilege escalation (bnc#1105322). - CVE-2018-9363: Prevent buffer overflow in hidp_process_report (bsc#1105292). The following non-security bugs were fixed : - 9p/net: Fix zero-copy path in the 9p virtio transport (bnc#1012382). - 9p/virtio: fix off-by-one error in sg list bounds check (bnc#1012382). - 9p: fix multiple NULL-pointer-dereferences (bnc#1012382). - ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices (bnc#1012382). - ACPI / PCI: Bail early in acpi_pci_add_bus() if there is no ACPI handle (bnc#1012382). - ACPI / PM: save NVS memory for ASUS 1025C laptop (bnc#1012382). - ACPI: save NVS memory for Lenovo G50-45 (bnc#1012382). - ALSA: cs5535audio: Fix invalid endian conversion (bnc#1012382). - ALSA: emu10k1: Rate-limit error messages about page errors (bnc#1012382). - ALSA: emu10k1: add error handling for snd_ctl_add (bnc#1012382). - ALSA: fm801: add error handling for snd_ctl_add (bnc#1012382). - ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs (bnc#1012382). - ALSA: hda - Turn CX8200 into D3 as well upon reboot (bnc#1012382). - ALSA: hda/ca0132: fix build failure when a local macro is defined (bnc#1012382). - ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry (bnc#1012382). - ALSA: memalloc: Do not exceed over the requested size (bnc#1012382). - ALSA: rawmidi: Change resized buffers atomically (bnc#1012382). - ALSA: snd-aoa: add of_node_put() in error path (bsc#1099810). - ALSA: usb-audio: Apply rate limit to warning messages in URB complete callback (bnc#1012382). - ALSA: virmidi: Fix too long output trigger loop (bnc#1012382). - ALSA: vx222: Fix invalid endian conversions (bnc#1012382). - ALSA: vxpocket: Fix invalid endian conversions (bnc#1012382). - ARC: Enable machine_desc->init_per_cpu for !CONFIG_SMP (bnc#1012382). - ARC: Explicitly add -mmedium-calls to CFLAGS (bnc#1012382). - ARC: Fix CONFIG_SWAP (bnc#1012382). - ARC: mm: allow mprotect to make stack mappings executable (bnc#1012382). - ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot (bnc#1012382). - ARM: dts: Cygnus: Fix I2C controller interrupt type (bnc#1012382). - ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller (bnc#1012382). - ARM: dts: am437x: make edt-ft5x06 a wakeup source (bnc#1012382). - ARM: dts: da850: Fix interrups property for gpio (bnc#1012382). - ARM: dts: imx6sx: fix irq for pcie bridge (bnc#1012382). - ARM: fix put_user() for gcc-8 (bnc#1012382). - ARM: imx_v4_v5_defconfig: Select ULPI support (bnc#1012382). - ARM: imx_v6_v7_defconfig: Select ULPI support (bnc#1012382). - ARM: pxa: irq: fix handling of ICMR registers in suspend/resume (bnc#1012382). - ARM: tegra: Fix Tegra30 Cardhu PCA954x reset (bnc#1012382). - ASoC: Intel: cht_bsw_max98090: remove useless code, align with ChromeOS driver (git-fixes). - ASoC: Intel: cht_bsw_max98090_ti: Fix jack initialization (bnc#1012382). - ASoC: dpcm: do not merge format from invalid codec dai (bnc#1012382). - ASoC: dpcm: fix BE dai not hw_free and shutdown (bnc#1012382). - ASoC: pxa: Fix module autoload for platform drivers (bnc#1012382). - ASoC: sirf: Fix potential NULL pointer dereference (bnc#1012382). - Add reference to bsc#1091171 (bnc#1012382; bsc#1091171). - Bluetooth: avoid killing an already killed socket (bnc#1012382). - Bluetooth: btusb: Add a new Realtek 8723DE ID 2ff8:b011 (bnc#1012382). - Bluetooth: btusb: Remove Yoga 920 from the btusb_needs_reset_resume_table (bsc#1087092). - Bluetooth: btusb: Use DMI matching for QCA reset_resume quirking (bsc#1087092). - Bluetooth: hci_qca: Fix last seen 2020-06-05 modified 2018-09-17 plugin id 117523 published 2018-09-17 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117523 title openSUSE Security Update : the Linux Kernel (openSUSE-2018-1016) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-1140.NASL description The openSUSE Leap 15.0 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack-based buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target last seen 2020-06-05 modified 2018-10-09 plugin id 117988 published 2018-10-09 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117988 title openSUSE Security Update : the Linux Kernel (openSUSE-2018-1140) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-1_0-0287_LINUX.NASL description An update of the linux package has been released. last seen 2020-04-22 modified 2020-04-15 plugin id 135485 published 2020-04-15 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135485 title Photon OS 1.0: Linux PHSA-2020-1.0-0287 NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3753-1.NASL description It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168) Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879) Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877) Wen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881) Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-12233) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13094) It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405) Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 112111 published 2018-08-24 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112111 title Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3753-1) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-1048.NASL description An issue was discovered in the XFS filesystem in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A NULL pointer dereference may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. This can lead to a system crash and a denial of service.(CVE-2018-13094) An issue was discovered in the XFS filesystem in fs/xfs/xfs_icache.c in the Linux kernel. There is a NULL pointer dereference leading to a system panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during an allocation.(CVE-2018-13093) last seen 2020-06-01 modified 2020-06-02 plugin id 111552 published 2018-08-07 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111552 title Amazon Linux AMI : kernel (ALAS-2018-1048) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2980-1.NASL description The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-14617: Prevent NULL pointer dereference and panic in hfsplus_lookup() when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bsc#1102870) CVE-2018-14613: Prevent invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, caused by a lack of block group item validation in check_leaf_item (bsc#1102896). CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903) CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occured because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001) CVE-2018-13094: Prevent OOPS that may have occured for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000) CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that could have occurred for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999) CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922) CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689) CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511) CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509) CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol (bnc#1096748) CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service (bnc#1096748) CVE-2018-10938: A crafted network packet sent remotely by an attacker forced the kernel to enter an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service (bnc#1106016) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2019-01-02 plugin id 120118 published 2019-01-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120118 title SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2018:2980-1) NASL family Fedora Local Security Checks NASL id FEDORA_2018-8484550FFF.NASL description The v4.17.5 update contains important fixes across the tree Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-07-24 plugin id 111243 published 2018-07-24 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111243 title Fedora 27 : kernel (2018-8484550fff) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3752-1.NASL description It was discovered that, when attempting to handle an out-of-memory situation, a NULL pointer dereference could be triggered in the Linux kernel in some circumstances. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1000200) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate xattr information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10840) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations. An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted. (CVE-2018-1093) Jann Horn discovered that the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 112109 published 2018-08-24 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112109 title Ubuntu 18.04 LTS : linux, linux-aws, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities (USN-3752-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2274.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.(CVE-2017-5754)The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access.(CVE-2017-5897)The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device.(CVE-2017-7261)The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.(CVE-2017-7472)A flaw was found in the Linux kernel before version 4.12 in the way the KVM module processed the trap flag(TF) bit in EFLAGS during emulation of the syscall instruction, which leads to a debug exception(#DB) being raised in the guest stack. A user/process inside a guest could use this flaw to potentially escalate their privileges inside the guest. Linux guests are not affected by this.(CVE-2017-7518)The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument.(CVE-2018-10124)The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image.(CVE-2018-10323)The Linux kernel before version 4.11 is vulnerable to a NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response is mishandled during session recovery.(CVE-2018-1066)The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls.(CVE-2018-10675)An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp.(CVE-2018-13094)An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.(CVE-2018-20976)Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.(CVE-2018-3693)In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c in the Linux kernel through 4.15, an integer signedness error allows arbitrary information leakage for the FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands.(CVE-2018-6412)Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck directory. NOTE: a third party has indicated that this report is not security relevant.(CVE-2018-7995)In the hidp_process_report in bluetooth, there is an integer overflow. This could lead to an out of bounds write with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-65853588 References: Upstream kernel.(CVE-2018-9363)In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-73083945.(CVE-2018-9518)A vulnerability was found in Linux kernel last seen 2020-05-08 modified 2019-11-08 plugin id 130736 published 2019-11-08 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130736 title EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-2274) NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2018-1051.NASL description An issue was discovered in the XFS filesystem in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A NULL pointer dereference may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. This can lead to a system crash and a denial of service.(CVE-2018-13094) An issue was discovered in the XFS filesystem in fs/xfs/xfs_icache.c in the Linux kernel. There is a NULL pointer dereference leading to a system panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during an allocation.(CVE-2018-13093) last seen 2020-06-01 modified 2020-06-02 plugin id 111551 published 2018-08-07 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111551 title Amazon Linux 2 : kernel (ALAS-2018-1051) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2114.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2018-13093, CVE-2018-13094 Wen Xu from SSLab at Gatech reported several NULL pointer dereference flaws that may be triggered when mounting and operating a crafted XFS volume. An attacker able to mount arbitrary XFS volumes could use this to cause a denial of service (crash). CVE-2018-20976 It was discovered that the XFS file-system implementation did not correctly handle some mount failure conditions, which could lead to a use-after-free. The security impact of this is unclear. CVE-2018-21008 It was discovered that the rsi wifi driver did not correctly handle some failure conditions, which could lead to a use-after- free. The security impact of this is unclear. CVE-2019-0136 It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages. A nearby attacker could use this for denial of service (loss of wifi connectivity). CVE-2019-2215 The syzkaller tool discovered a use-after-free vulnerability in the Android binder driver. A local user on a system with this driver enabled could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. However, this driver is not enabled on Debian packaged kernels. CVE-2019-10220 Various developers and researchers found that if a crafted file- system or malicious file server presented a directory with filenames including a last seen 2020-03-17 modified 2020-03-06 plugin id 134240 published 2020-03-06 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134240 title Debian DLA-2114-1 : linux-4.9 security update NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1220.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel. An attacker with a local account can trick the stack unwinder code to leak stack contents to userspace. The fix allows only root to inspect the kernel stack of an arbitrary task.i1/4^CVE-2018-17972i1/4%0 - A flaw was found in the Linux kernel last seen 2020-03-19 modified 2019-04-09 plugin id 123906 published 2019-04-09 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123906 title EulerOS Virtualization 2.5.3 : kernel (EulerOS-SA-2019-1220)
Redhat
advisories |
| ||||||||||||
rpms |
|
References
- https://github.com/torvalds/linux/commit/bb3d48dcf86a97dc25fe9fc2c11938e19cb4399a
- https://bugzilla.kernel.org/show_bug.cgi?id=199969
- https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/commit/?h=for-next&id=bb3d48dcf86a97dc25fe9fc2c11938e19cb4399a
- https://usn.ubuntu.com/3754-1/
- https://usn.ubuntu.com/3753-2/
- https://usn.ubuntu.com/3753-1/
- https://usn.ubuntu.com/3752-2/
- https://usn.ubuntu.com/3752-1/
- https://usn.ubuntu.com/3752-3/
- https://access.redhat.com/errata/RHSA-2019:0831
- https://access.redhat.com/errata/RHSA-2019:2043
- https://access.redhat.com/errata/RHSA-2019:2029
- https://lists.debian.org/debian-lts-announce/2020/03/msg00001.html