RHSA-2014:0328

RHSA-2014:0339

59386

66441

https://bugzilla.redhat.com/show_bug.cgi?id=1062577

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details.

The SUSE Linux Enterprise Server 11 SP2 LTSS received a roll up update to fix several security and non-security issues.

The following security issues have been fixed :

  - CVE-2014-0055: The get_rx_bufs function in     drivers/vhost/net.c in the vhost-net subsystem in the     Linux kernel package before 2.6.32-431.11.2 on Red Hat     Enterprise Linux (RHEL) 6 does not properly handle     vhost_get_vq_desc errors, which allows guest OS users to     cause a denial of service (host OS crash) via     unspecified vectors. (bnc#870173)

  - CVE-2014-0077: drivers/vhost/net.c in the Linux kernel     before 3.13.10, when mergeable buffers are disabled,     does not properly validate packet lengths, which allows     guest OS users to cause a denial of service (memory     corruption and host OS crash) or possibly gain     privileges on the host OS via crafted packets, related     to the handle_rx and get_rx_bufs functions. (bnc#870576)

  - CVE-2014-1739: The media_device_enum_entities function     in drivers/media/media-device.c in the Linux kernel     before 3.14.6 does not initialize a certain data     structure, which allows local users to obtain sensitive     information from kernel memory by leveraging /dev/media0     read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call.
    (bnc#882804)

  - CVE-2014-2706: Race condition in the mac80211 subsystem     in the Linux kernel before 3.13.7 allows remote     attackers to cause a denial of service (system crash)     via network traffic that improperly interacts with the     WLAN_STA_PS_STA state (aka power-save mode), related to     sta_info.c and tx.c. (bnc#871797)

  - CVE-2014-2851: Integer overflow in the ping_init_sock     function in net/ipv4/ping.c in the Linux kernel through     3.14.1 allows local users to cause a denial of service     (use-after-free and system crash) or possibly gain     privileges via a crafted application that leverages an     improperly managed reference counter. (bnc#873374)

  - CVE-2014-3144: The (1) BPF_S_ANC_NLATTR and (2)     BPF_S_ANC_NLATTR_NEST extension implementations in the     sk_run_filter function in net/core/filter.c in the Linux     kernel through 3.14.3 do not check whether a certain     length value is sufficiently large, which allows local     users to cause a denial of service (integer underflow     and system crash) via crafted BPF instructions. NOTE:
    the affected code was moved to the __skb_get_nlattr and
    __skb_get_nlattr_nest functions before the vulnerability     was announced. (bnc#877257)

  - CVE-2014-3145: The BPF_S_ANC_NLATTR_NEST extension     implementation in the sk_run_filter function in     net/core/filter.c in the Linux kernel through 3.14.3     uses the reverse order in a certain subtraction, which     allows local users to cause a denial of service     (over-read and system crash) via crafted BPF     instructions. NOTE: the affected code was moved to the
    __skb_get_nlattr_nest function before the vulnerability     was announced. (bnc#877257)

  - CVE-2014-3917: kernel/auditsc.c in the Linux kernel     through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with     certain syscall rules, allows local users to obtain     potentially sensitive single-bit values from kernel     memory or cause a denial of service (OOPS) via a large     value of a syscall number. (bnc#880484)

  - CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux     kernel through 3.15.1 on 32-bit x86 platforms, when     syscall auditing is enabled and the sep CPU feature flag     is set, allows local users to cause a denial of service     (OOPS and system crash) via an invalid syscall number,     as demonstrated by number 1000. (bnc#883724)

  - CVE-2014-4652: Race condition in the tlv handler     functionality in the snd_ctl_elem_user_tlv function in     sound/core/control.c in the ALSA control implementation     in the Linux kernel before 3.15.2 allows local users to     obtain sensitive information from kernel memory by     leveraging /dev/snd/controlCX access. (bnc#883795)

  - CVE-2014-4653: sound/core/control.c in the ALSA control     implementation in the Linux kernel before 3.15.2 does     not ensure possession of a read/write lock, which allows     local users to cause a denial of service     (use-after-free) and obtain sensitive information from     kernel memory by leveraging /dev/snd/controlCX access.
    (bnc#883795)

  - CVE-2014-4654: The snd_ctl_elem_add function in     sound/core/control.c in the ALSA control implementation     in the Linux kernel before 3.15.2 does not check     authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands,     which allows local users to remove kernel controls and     cause a denial of service (use-after-free and system     crash) by leveraging /dev/snd/controlCX access for an     ioctl call. (bnc#883795)

  - CVE-2014-4655: The snd_ctl_elem_add function in     sound/core/control.c in the ALSA control implementation     in the Linux kernel before 3.15.2 does not properly     maintain the user_ctl_count value, which allows local     users to cause a denial of service (integer overflow and     limit bypass) by leveraging /dev/snd/controlCX access     for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl     calls. (bnc#883795)

  - CVE-2014-4656: Multiple integer overflows in     sound/core/control.c in the ALSA control implementation     in the Linux kernel before 3.15.2 allow local users to     cause a denial of service by leveraging     /dev/snd/controlCX access, related to (1) index values     in the snd_ctl_add function and (2) numid values in the     snd_ctl_remove_numid_conflict function. (bnc#883795)

  - CVE-2014-4667: The sctp_association_free function in     net/sctp/associola.c in the Linux kernel before 3.15.2     does not properly manage a certain backlog value, which     allows remote attackers to cause a denial of service     (socket outage) via a crafted SCTP packet. (bnc#885422)

  - CVE-2014-4699: The Linux kernel before 3.15.4 on Intel     processors does not properly restrict use of a     non-canonical value for the saved RIP address in the     case of a system call that does not use IRET, which     allows local users to leverage a race condition and gain     privileges, or cause a denial of service (double fault),     via a crafted application that makes ptrace and fork     system calls. (bnc#885725)

  - CVE-2014-5077: The sctp_assoc_update function in     net/sctp/associola.c in the Linux kernel through 3.15.8,     when SCTP authentication is enabled, allows remote     attackers to cause a denial of service (NULL pointer     dereference and OOPS) by starting to establish an     association between two endpoints immediately after an     exchange of INIT and INIT ACK chunks to establish an     earlier association between these endpoints in the     opposite direction. (bnc#889173)

  - CVE-2013-4299: Interpretation conflict in     drivers/md/dm-snap-persistent.c in the Linux kernel     through 3.11.6 allows remote authenticated users to     obtain sensitive information or modify data via a     crafted mapping to a snapshot block device. (bnc#846404)

The following bugs have been fixed :

  - pagecachelimit: reduce lru_lock contention for heavy     parallel reclaim (bnc#878509, bnc#864464).

  - pagecachelimit: reduce lru_lock contention for heavy     parallel reclaim kabi fixup (bnc#878509, bnc#864464).

  - ACPI / PAD: call schedule() when need_resched() is true     (bnc#866911).

  - kabi: Fix breakage due to addition of user_ctl_lock     (bnc#883795).

  - cpuset: Fix memory allocator deadlock (bnc#876590).

  - tcp: allow to disable cwnd moderation in TCP_CA_Loss     state (bnc#879921).

  - tcp: adapt selected parts of RFC 5682 and PRR logic     (bnc#879921).

  - vlan: more careful checksum features handling     (bnc#872634).

  - bonding: fix vlan_features computing (bnc#872634).

  - NFSv4: Minor cleanups for nfs4_handle_exception and     nfs4_async_handle_error (bnc#889324).

  - NFS: Do not lose sockets when nfsd shutdown races with     connection timeout (bnc#871854).

  - reiserfs: call truncate_setsize under tailpack mutex     (bnc#878115).

  - reiserfs: drop vmtruncate (bnc#878115).

  - megaraid_sas: mask off flags in ioctl path (bnc#886474).

  - block: fix race between request completion and timeout     handling (bnc#881051).

  - drivers/rtc/interface.c: fix infinite loop in     initializing the alarm (bnc#871676).

  - xfrm: check peer pointer for null before calling     inet_putpeer() (bnc#877775).

  - supported.conf: Add firewire/nosy as supported. This     driver is the replacement for the ieee1394/pcilynx     driver, which was supported.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An updated rhev-hypervisor6 package that fixes multiple security issues is now available.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent.

Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions.

It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092)

A flaw was found in the way the get_rx_bufs() function in the vhost_net implementation in the Linux kernel handled error conditions reported by the vhost_get_vq_desc() function. A privileged guest user could use this flaw to crash the host. (CVE-2014-0055)

A heap-based buffer overflow flaw was found in the Linux kernel's cdc-wdm driver, used for USB CDC WCM device management. An attacker with physical access to a system could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1860)

The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team.

This updated package provides updated components that include fixes for various security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers :

CVE-2014-0101, and CVE-2014-0069 (kernel issues)

CVE-2010-2596, CVE-2013-1960, CVE-2013-1961, CVE-2013-4231, CVE-2013-4232, CVE-2013-4243, and CVE-2013-4244 (libtiff issues)

Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which corrects these issues.

The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets.

drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions.

net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function.

The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors.

The Linux kernel was updated to fix security issues and bugs :

Security issues fixed: CVE-2014-3153: The futex_requeue function in kernel/futex.c in the Linux kernel did not ensure that calls have two different futex addresses, which allowed local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.

CVE-2014-0077: drivers/vhost/net.c in the Linux kernel, when mergeable buffers are disabled, did not properly validate packet lengths, which allowed guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions.

CVE-2014-0055: The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package did not properly handle vhost_get_vq_desc errors, which allowed guest OS users to cause a denial of service (host OS crash) via unspecified vectors.

CVE-2014-2678: The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports.

CVE-2013-7339: The rds_ib_laddr_check function in net/rds/ib.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports.

CVE-2014-2851: Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel allowed local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter.

CVE-2014-3122: The try_to_unmap_cluster function in mm/rmap.c in the Linux kernel did not properly consider which pages must be locked, which allowed local users to cause a denial of service (system crash) by triggering a memory-usage pattern that requires removal of page-table mappings.

Bugs fixed :

  - memcg: deprecate memory.force_empty knob (bnc#878274).

The Linux kernel was updated to fix security issues and bugs.

Security issues fixed: CVE-2014-3153: The futex_requeue function in kernel/futex.c in the Linux kernel did not ensure that calls have two different futex addresses, which allowed local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.

CVE-2014-3144: The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel did not check whether a certain length value is sufficiently large, which allowed local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the
__skb_get_nlattr and __skb_get_nlattr_nest functions before the vulnerability was announced.

CVE-2014-3145: The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel used the reverse order in a certain subtraction, which allowed local users to cause a denial of service (over-read and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the
__skb_get_nlattr_nest function before the vulnerability was announced.

CVE-2014-0077: drivers/vhost/net.c in the Linux kernel, when mergeable buffers are disabled, did not properly validate packet lengths, which allowed guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions.

CVE-2014-0055: The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package did not properly handle vhost_get_vq_desc errors, which allowed guest OS users to cause a denial of service (host OS crash) via unspecified vectors.

CVE-2014-2678: The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports.

CVE-2013-7339: The rds_ib_laddr_check function in net/rds/ib.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports.

CVE-2014-2851: Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel allowed local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter.

  - ext4: Fix buffer double free in ext4_alloc_branch()     (bnc#880599 bnc#876981).

  - patches.fixes/firewire-01-net-fix-use-after-free.patch,     patches.fixes/firewire-02-ohci-fix-probe-failure-with-ag     ere-lsi-controllers.patch,     patches.fixes/firewire-03-dont-use-prepare_delayed_work.
    patch: Add missing bug reference (bnc#881697).

  - firewire: don't use PREPARE_DELAYED_WORK.

  - firewire: ohci: fix probe failure with Agere/LSI     controllers.

  - firewire: net: fix use after free.

  - USB: OHCI: fix problem with global suspend on ATI     controllers (bnc#868315).

  - mm: revert 'page-writeback.c: subtract min_free_kbytes     from dirtyable memory' (bnc#879792).

  - usb: musb: tusb6010: Use musb->tusb_revision instead of     tusb_get_revision call (bnc#872715).

  - usb: musb: tusb6010: Add tusb_revision to struct musb to     store the revision (bnc#872715).

  - ALSA: hda - Fix onboard audio on Intel H97/Z97 chipsets     (bnc#880613).

  - floppy: do not corrupt bio.bi_flags when reading block 0     (bnc#879258).

  - reiserfs: call truncate_setsize under tailpack mutex     (bnc#878115).

  - Update Xen config files: Set compatibility level back to     4.1 (bnc#851338).

  - Update config files. Guillaume GARDET reported a broken     build due to CONFIG_USB_SERIAL_GENERIC being modular

  - memcg: deprecate memory.force_empty knob (bnc#878274).

  - nfsd: when reusing an existing repcache entry, unhash it     first (bnc#877721).

  - Enable Socketcan again for i386 and x86_64 (bnc#858067)

  - xhci: extend quirk for Renesas cards (bnc#877713).

  - xhci: Fix resume issues on Renesas chips in Samsung     laptops (bnc#877713).

  - mm: try_to_unmap_cluster() should lock_page() before     mlocking (bnc#876102, CVE-2014-3122).

  - drm/i915, HD-audio: Don't continue probing when     nomodeset is given (bnc#882648).

  - x86/mm/numa: Fix 32-bit kernel NUMA boot (bnc#881727).

Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges.
(CVE-2014-3153)

A flaw was discovered in the vhost-net subsystem of the Linux kernel.
Guest OS users could exploit this flaw to cause a denial of service (host OS crash). (CVE-2014-0055)

Sasha Levin reported a bug in the Linux kernel's virtual memory management subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2014-3122).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory.
(CVE-2014-1738)

Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges if the floppy disk module is loaded. (CVE-2014-1737)

A flaw was discovered in the vhost-net subsystem of the Linux kernel.
Guest OS users could exploit this flaw to cause a denial of service (host OS crash). (CVE-2014-0055)

A flaw was discovered in the handling of network packets when mergeable buffers are disabled for virtual machines in the Linux kernel. Guest OS users may exploit this flaw to cause a denial of service (host OS crash) or possibly gain privilege on the host OS.
(CVE-2014-0077)

Nikolay Aleksandrov discovered a race condition in Linux kernel's IPv4 fragment handling code. Remote attackers could exploit this flaw to cause a denial of service (system crash) or possibly have other unspecified impact. (CVE-2014-0100)

A flaw was discovered in the Linux kernel's handling of the SCTP handshake. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2014-0101)

A flaw was discovered in the handling of routing information in Linux kernel's IPv6 stack. A remote attacker could exploit this flaw to cause a denial of service (memory consumption) via a flood of ICMPv6 router advertisement packets. (CVE-2014-2309)

An error was discovered in the Linux kernel's DCCP protocol support. A remote attacked could exploit this flaw to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2014-2523)

Max Sydorenko discovered a race condition in the Atheros 9k wireless driver in the Linux kernel. This race could be exploited by remote attackers to cause a denial of service (system crash). (CVE-2014-2672)

Adhemerval Zanella Neto discovered a flaw the in the Transactional Memory (TM) implementation for powerpc based machine. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2014-2673)

An error was discovered in the Reliable Datagram Sockets (RDS) protocol stack in the Linux kernel. A local user could exploit this flaw to cause a denial of service (system crash) or possibly have unspecified other impact. (CVE-2014-2678)

Yaara Rozenblum discovered a race condition in the Linux kernel's Generic IEEE 802.11 Networking Stack (mac80211). Remote attackers could exploit this flaw to cause a denial of service (system crash).
(CVE-2014-2706)

A flaw was discovered in the Linux kernel's ping sockets. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or possibly gain privileges via a crafted application. (CVE-2014-2851).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory.
(CVE-2014-1738)

Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges if the floppy disk module is loaded. (CVE-2014-1737)

A flaw was discovered in the vhost-net subsystem of the Linux kernel.
Guest OS users could exploit this flaw to cause a denial of service (host OS crash). (CVE-2014-0055)

A flaw was discovered in the handling of network packets when mergeable buffers are disabled for virtual machines in the Linux kernel. Guest OS users may exploit this flaw to cause a denial of service (host OS crash) or possibly gain privilege on the host OS.
(CVE-2014-0077)

A flaw was discovered in the Linux kernel's handling of the SCTP handshake. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2014-0101)

A flaw was discovered in the handling of routing information in Linux kernel's IPv6 stack. A remote attacker could exploit this flaw to cause a denial of service (memory consumption) via a flood of ICMPv6 router advertisement packets. (CVE-2014-2309)

An error was discovered in the Linux kernel's DCCP protocol support. A remote attacked could exploit this flaw to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2014-2523)

Max Sydorenko discovered a race condition in the Atheros 9k wireless driver in the Linux kernel. This race could be exploited by remote attackers to cause a denial of service (system crash). (CVE-2014-2672)

An error was discovered in the Reliable Datagram Sockets (RDS) protocol stack in the Linux kernel. A local user could exploit this flaw to cause a denial of service (system crash) or possibly have unspecified other impact. (CVE-2014-2678)

Yaara Rozenblum discovered a race condition in the Linux kernel's Generic IEEE 802.11 Networking Stack (mac80211). Remote attackers could exploit this flaw to cause a denial of service (system crash).
(CVE-2014-2706)

A flaw was discovered in the Linux kernel's ping sockets. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or possibly gain privileges via a crafted application. (CVE-2014-2851)

Sasha Levin reported a bug in the Linux kernel's virtual memory management subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2014-3122).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory.
(CVE-2014-1738)

Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges if the floppy disk module is loaded. (CVE-2014-1737)

A flaw was discovered in the Linux kernel's IPC reference counting. An unprivileged local user could exploit this flaw to cause a denial of service (OOM system crash). (CVE-2013-4483)

A flaw was discovered in the vhost-net subsystem of the Linux kernel.
Guest OS users could exploit this flaw to cause a denial of service (host OS crash). (CVE-2014-0055)

A flaw was discovered in the handling of network packets when mergeable buffers are disabled for virtual machines in the Linux kernel. Guest OS users may exploit this flaw to cause a denial of service (host OS crash) or possibly gain privilege on the host OS.
(CVE-2014-0077)

A flaw was discovered in the Linux kernel's handling of the SCTP handshake. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2014-0101)

A flaw was discovered in the handling of routing information in Linux kernel's IPv6 stack. A remote attacker could exploit this flaw to cause a denial of service (memory consumption) via a flood of ICMPv6 router advertisement packets. (CVE-2014-2309)

An error was discovered in the Linux kernel's DCCP protocol support. A remote attacked could exploit this flaw to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2014-2523)

Max Sydorenko discovered a race condition in the Atheros 9k wireless driver in the Linux kernel. This race could be exploited by remote attackers to cause a denial of service (system crash). (CVE-2014-2672)

An error was discovered in the Reliable Datagram Sockets (RDS) protocol stack in the Linux kernel. A local user could exploit this flaw to cause a denial of service (system crash) or possibly have unspecified other impact. (CVE-2014-2678)

Yaara Rozenblum discovered a race condition in the Linux kernel's Generic IEEE 802.11 Networking Stack (mac80211). Remote attackers could exploit this flaw to cause a denial of service (system crash).
(CVE-2014-2706)

A flaw was discovered in the Linux kernel's ping sockets. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or possibly gain privileges via a crafted application. (CVE-2014-2851)

Sasha Levin reported a bug in the Linux kernel's virtual memory management subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2014-3122).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2014-3034 advisory.

  - The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between     locked instructions and write-combined memory types, which allows local users to cause a denial of service     (system hang) via a crafted application, aka the errata 793 issue. (CVE-2013-6885)

  - The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly     manage tty driver access in the LECHO & !OPOST case, which allows local users to cause a denial of     service (memory corruption and system crash) or gain privileges by triggering a race condition involving     read and write operations with long strings. (CVE-2014-0196)

  - The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count     the addition of routes, which allows remote attackers to cause a denial of service (memory consumption)     via a flood of ICMPv6 Router Advertisement packets. (CVE-2014-2309)

  - Buffer overflow in the complete_emulated_mmio function in arch/x86/kvm/x86.c in the Linux kernel before     3.13.6 allows guest OS users to execute arbitrary code on the host OS by leveraging a loop that triggers     an invalid memory copy affecting certain cancel_work_item data. (CVE-2014-0049)

  - The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is     enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer     parameter. (CVE-2014-0038)

  - Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in     the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value.
    (CVE-2013-4587)

  - The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the Linux kernel before 3.12.4 does not     ensure that a certain length value is consistent with the size of an associated data structure, which     allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or     (3) recvmsg system call. (CVE-2013-7266)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The 3.13.9 stable update contains a number of important fixes across the tree. The 3.13.8 stable update contains a number of important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 3.13.8 stable update contains a number of important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2014-3015 advisory.

  - The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package     before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc     errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors.
    (CVE-2014-0055)

  - The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not     validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which     allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an     SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk.
    (CVE-2014-0101)

  - net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer     incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute     arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3)     dccp_error function. (CVE-2014-2523)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2014-3014 advisory.

  - The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package     before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc     errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors.
    (CVE-2014-0055)

  - The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly     handle uncached write operations that copy fewer than the requested number of bytes, which allows local     users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and     system crash), or possibly gain privileges via a writev system call with a crafted pointer.
    (CVE-2014-0069)

  - The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not     validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which     allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an     SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk.
    (CVE-2014-0101)

  - net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer     incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute     arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3)     dccp_error function. (CVE-2014-2523)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

* A flaw was found in the way the get_rx_bufs() function in the vhost_net implementation in the Linux kernel handled error conditions reported by the vhost_get_vq_desc() function. A privileged guest user could use this flaw to crash the host. (CVE-2014-0055, Important)

* A flaw was found in the way the Linux kernel processed an authenticated COOKIE_ECHO chunk during the initialization of an SCTP connection. A remote attacker could use this flaw to crash the system by initiating a specially crafted SCTP handshake in order to trigger a NULL pointer dereference on the system. (CVE-2014-0101, Important)

* A flaw was found in the way the Linux kernel's CIFS implementation handled uncached write operations with specially crafted iovec structures. An unprivileged local user with access to a CIFS share could use this flaw to crash the system, leak kernel memory, or, potentially, escalate their privileges on the system. Note: the default cache settings for CIFS mounts on Scientific Linux 6 prohibit a successful exploitation of this issue. (CVE-2014-0069, Moderate)

* A heap-based buffer overflow flaw was found in the Linux kernel's cdc- wdm driver, used for USB CDC WCM device management. An attacker with physical access to a system could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1860, Low)

The system must be rebooted for this update to take effect.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way the get_rx_bufs() function in the vhost_net implementation in the Linux kernel handled error conditions reported by the vhost_get_vq_desc() function. A privileged guest user could use this flaw to crash the host. (CVE-2014-0055, Important)

* A flaw was found in the way the Linux kernel processed an authenticated COOKIE_ECHO chunk during the initialization of an SCTP connection. A remote attacker could use this flaw to crash the system by initiating a specially crafted SCTP handshake in order to trigger a NULL pointer dereference on the system. (CVE-2014-0101, Important)

* A flaw was found in the way the Linux kernel's CIFS implementation handled uncached write operations with specially crafted iovec structures. An unprivileged local user with access to a CIFS share could use this flaw to crash the system, leak kernel memory, or, potentially, escalate their privileges on the system. Note: the default cache settings for CIFS mounts on Red Hat Enterprise Linux 6 prohibit a successful exploitation of this issue. (CVE-2014-0069, Moderate)

* A heap-based buffer overflow flaw was found in the Linux kernel's cdc-wdm driver, used for USB CDC WCM device management. An attacker with physical access to a system could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-1860, Low)

Red Hat would like to thank Nokia Siemens Networks for reporting CVE-2014-0101, and Al Viro for reporting CVE-2014-0069.

This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2014-0328 advisory.

  - Heap-based buffer overflow in the wdm_in_callback function in drivers/usb/class/cdc-wdm.c in the Linux     kernel before 3.8.4 allows physically proximate attackers to cause a denial of service (system crash) or     possibly execute arbitrary code via a crafted cdc-wdm USB device. (CVE-2013-1860)

  - The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package     before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc     errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors.
    (CVE-2014-0055)

  - The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly     handle uncached write operations that copy fewer than the requested number of bytes, which allows local     users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and     system crash), or possibly gain privileges via a writev system call with a crafted pointer.
    (CVE-2014-0069)

  - The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not     validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which     allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an     SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk.
    (CVE-2014-0101)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
127146	NewStart CGSL MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0004)	Nessus	NewStart CGSL Local Security Checks	critical
99163	OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)	Nessus	OracleVM Local Security Checks	critical
83633	SUSE SLES11 Security Update : kernel (SUSE-SU-2014:1105-1)	Nessus	SuSE Local Security Checks	high
79003	RHEL 6 : rhev-hypervisor6 (RHSA-2014:0339)	Nessus	Red Hat Local Security Checks	medium
78271	Amazon Linux AMI : kernel (ALAS-2014-328)	Nessus	Amazon Linux Local Security Checks	critical
76557	SuSE 11.3 Security Update : Linux kernel (SAT Patch Numbers 9488 / 9491 / 9493)	Nessus	SuSE Local Security Checks	critical
76342	openSUSE Security Update : kernel (openSUSE-SU-2014:0856-1)	Nessus	SuSE Local Security Checks	high
76228	openSUSE Security Update : kernel (openSUSE-SU-2014:0840-1)	Nessus	SuSE Local Security Checks	high
74356	Ubuntu 12.04 LTS : linux vulnerabilities (USN-2235-1)	Nessus	Ubuntu Local Security Checks	high
74215	Ubuntu 13.10 : linux vulnerabilities (USN-2228-1)	Nessus	Ubuntu Local Security Checks	critical
74213	Ubuntu 12.04 LTS : linux-lts-saucy vulnerabilities (USN-2225-1)	Nessus	Ubuntu Local Security Checks	critical
74212	Ubuntu 12.04 LTS : linux-lts-raring vulnerabilities (USN-2224-1)	Nessus	Ubuntu Local Security Checks	critical
74211	Ubuntu 12.04 LTS : linux-lts-quantal vulnerabilities (USN-2223-1)	Nessus	Ubuntu Local Security Checks	critical
74101	Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2014-3034)	Nessus	Oracle Linux Local Security Checks	critical
73428	Fedora 19 : kernel-3.13.9-100.fc19 (2014-4849)	Nessus	Fedora Local Security Checks	medium
73367	Fedora 20 : kernel-3.13.8-200.fc20 (2014-4675)	Nessus	Fedora Local Security Checks	medium
73222	Oracle Linux 5 / 6 : unbreakable enterprise kernel (ELSA-2014-3015)	Nessus	Oracle Linux Local Security Checks	critical
73221	Oracle Linux 6 : unbreakable enterprise kernel (ELSA-2014-3014)	Nessus	Oracle Linux Local Security Checks	critical
73200	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20140325)	Nessus	Scientific Linux Local Security Checks	high
73198	RHEL 6 : kernel (RHSA-2014:0328)	Nessus	Red Hat Local Security Checks	high
73196	Oracle Linux 6 : kernel (ELSA-2014-0328)	Nessus	Oracle Linux Local Security Checks	high
73191	CentOS 6 : kernel (CESA-2014:0328)	Nessus	CentOS Local Security Checks	high

CVE-2014-0055

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

high

medium

critical

critical

high

high

high

critical

critical

critical

critical

critical

medium

medium

critical

critical

high

high

high

high