[oss-security] 20150605 Re: CVE Request: Linux Kernel Ozwpan Driver - Remote packet-of-death vulnerabilities

74669

USN-2989-1

USN-2998-1

USN-3000-1

USN-3001-1

USN-3002-1

USN-3003-1

USN-3004-1

[linux-kernel] 20150513 [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2186)

  - The snd_compr_tstamp function in     sound/core/compress_offload.c in the Linux kernel     through 4.7, as used in Android before 2016-08-05 on     Nexus 5 and 7 (2013) devices, does not properly     initialize a timestamp data structure, which allows     attackers to obtain sensitive information via a crafted     application, aka Android internal bug 28770164 and     Qualcomm internal bug CR568717.(CVE-2014-9892)

  - A memory leak in the cx23888_ir_probe() function in     drivers/media/pci/cx23885/cx23888-ir.c in the Linux     kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     kfifo_alloc() failures, aka     CID-a7b2df76b42b.(CVE-2019-19054)

  - A memory leak in the adis_update_scan_mode() function     in drivers/iio/imu/adis_buffer.c in the Linux kernel     before 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-ab612b1daf41.(CVE-2019-19060)

  - A memory leak in the adis_update_scan_mode_burst()     function in drivers/iio/imu/adis_buffer.c in the Linux     kernel before 5.3.9 allows attackers to cause a denial     of service (memory consumption), aka     CID-9c0530e898f3.(CVE-2019-19061)

  - A memory leak in the crypto_report() function in     crypto/crypto_user_base.c in the Linux kernel through     5.3.11 allows attackers to cause a denial of service     (memory consumption) by triggering crypto_report_alg()     failures, aka CID-ffdde5932042.(CVE-2019-19062)

  - A memory leak in the ccp_run_sha_cmd() function in     drivers/crypto/ccp/ccp-ops.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-128c66429247.(CVE-2019-18808)

  - In ashmem_ioctl of ashmem.c, there is an out-of-bounds     write due to insufficient locking when accessing asma.
    This could lead to a local elevation of privilege     enabling code execution as a privileged process with no     additional execution privileges needed. User     interaction is not needed for exploitation. Product:
    Android. Versions: Android kernel. Android ID:
    A-66954097.(CVE-2017-13216)

  - A certain backport in the TCP Fast Open implementation     for the Linux kernel before 3.18 does not properly     maintain a count value, which allow local users to     cause a denial of service (system crash) via the Fast     Open feature, as demonstrated by visiting the     chrome://flags/#enable-tcp-fast-open URL when using     certain 3.10.x through 3.16.x kernel builds, including     longterm-maintenance releases and ckt (aka Canonical     Kernel Team) builds.(CVE-2015-3332)

  - The rtnl_fill_link_ifmap function in     net/core/rtnetlink.c in the Linux kernel before 4.5.5     does not initialize a certain data structure, which     allows local users to obtain sensitive information from     kernel stack memory by reading a Netlink     message.(CVE-2016-4486)

  - The ip6gre_err function in net/ipv6/ip6_gre.c in the     Linux kernel allows remote attackers to have     unspecified impact via vectors involving GRE flags in     an IPv6 packet, which trigger an out-of-bounds     access.(CVE-2017-5897)

  - In the Linux kernel before version 4.12, Kerberos 5     tickets decoded when using the RXRPC keys incorrectly     assumes the size of a field. This could lead to the     size-remaining variable wrapping and the data pointer     going over the end of the buffer. This could possibly     lead to memory corruption and possible privilege     escalation.(CVE-2017-7482)

  - A flaw was found in the Linux Kernel where an attacker     may be able to have an uncontrolled read to     kernel-memory from within a vm guest. A race condition     between connect() and close() function may allow an     attacker using the AF_VSOCK protocol to gather a 4 byte     information leak or possibly intercept or corrupt     AF_VSOCK messages destined to other     clients.(CVE-2018-14625)

  - drivers/net/usb/asix_devices.c in the Linux kernel     through 4.13.11 allows local users to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact via a crafted     USB device.(CVE-2017-16647)

  - A memory leak in the ql_alloc_large_buffers() function     in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux     kernel before 5.3.5 allows local users to cause a     denial of service (memory consumption) by triggering     pci_dma_mapping_error() failures, aka     CID-1acb8f2a7a9f.(CVE-2019-18806)

  - An issue was discovered in the fd_locked_ioctl function     in drivers/block/floppy.c in the Linux kernel through     4.15.7. The floppy driver will copy a kernel pointer to     user memory in response to the FDGETPRM ioctl. An     attacker can send the FDGETPRM ioctl and use the     obtained kernel pointer to discover the location of     kernel code and data and bypass kernel security     protections such as KASLR.(CVE-2018-7755)

  - The usbvision driver in the Linux kernel package     3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red     Hat Enterprise Linux (RHEL) 7.1 allows physically     proximate attackers to cause a denial of service     (panic) via a nonzero bInterfaceNumber value in a USB     device descriptor.(CVE-2015-7833)

  - A flaw that allowed an attacker to corrupt memory and     possibly escalate privileges was found in the mwifiex     kernel module while connecting to a malicious wireless     network.(CVE-2019-3846)

  - drivers/net/wireless/marvell/libertas/if_sdio.c in the     Linux kernel 5.2.14 does not check the alloc_workqueue     return value, leading to a NULL pointer     dereference.(CVE-2019-16232)

  - drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the     Linux kernel 5.2.14 does not check the alloc_workqueue     return value, leading to a NULL pointer     dereference.(CVE-2019-16234)

  - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14     does not check the alloc_workqueue return value,     leading to a NULL pointer dereference.(CVE-2019-16231)

  - Insufficient access control in the Intel(R)     PROSet/Wireless WiFi Software driver before version     21.10 may allow an unauthenticated user to potentially     enable denial of service via adjacent     access.(CVE-2019-0136)

  - A flaw was found in the Linux kernel. A heap based     buffer overflow in mwifiex_uap_parse_tail_ies function     in drivers/net/wireless/marvell/mwifiex/ie.c might lead     to memory corruption and possibly other     consequences.(CVE-2019-10126)

  - The Bluetooth BR/EDR specification up to and including     version 5.1 permits sufficiently low encryption key     length and does not prevent an attacker from     influencing the key length negotiation. This allows     practical brute-force attacks (aka 'KNOB') that can     decrypt traffic and inject arbitrary ciphertext without     the victim noticing.(CVE-2019-9506)

  - An issue was discovered in net/wireless/nl80211.c in     the Linux kernel through 5.2.17. It does not check the     length of variable elements in a beacon head, leading     to a buffer overflow.(CVE-2019-16746)

  - In the hidp_process_report in bluetooth, there is an     integer overflow. This could lead to an out of bounds     write with no additional execution privileges needed.
    User interaction is not needed for exploitation.
    Product: Android Versions: Android kernel Android ID:
    A-65853588 References: Upstream kernel.(CVE-2018-9363)

  - An issue was discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance.(CVE-2019-17075)

  - rtl_p2p_noa_ie in     drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux     kernel through 5.3.6 lacks a certain upper-bound check,     leading to a buffer overflow.(CVE-2019-17666)

  - arch/arm/mm/dma-mapping.c in the Linux kernel before     3.13 on ARM platforms, as used in Android before     2016-08-05 on Nexus 5 and 7 (2013) devices, does not     prevent executable DMA mappings, which might allow     local users to gain privileges via a crafted     application, aka Android internal bug 28803642 and     Qualcomm internal bug CR642735.(CVE-2014-9888)

  - An issue was discovered in drivers/i2c/i2c-core-smbus.c     in the Linux kernel before 4.14.15. There is an out of     bounds write in the function     i2c_smbus_xfer_emulated.(CVE-2017-18551)

  - The rds_ib_xmit function in net/rds/ib_send.c in the     Reliable Datagram Sockets (RDS) protocol implementation     in the Linux kernel 3.7.4 and earlier allows local     users to cause a denial of service (BUG_ON and kernel     panic) by establishing an RDS connection with the     source IP address equal to the IPoIB interface's own IP     address, as demonstrated by rds-ping.(CVE-2012-2372)

  - In the Linux kernel through 5.3.2,     cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c     does not reject a long SSID IE, leading to a Buffer     Overflow.(CVE-2019-17133)

  - A memory leak in the bfad_im_get_stats() function in     drivers/scsi/bfa/bfad_attr.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption) by triggering     bfa_port_get_stats() failures, aka     CID-0e62395da2bd.(CVE-2019-19066)

  - The kernel in Android before 2016-08-05 on Nexus 7     (2013) devices allows attackers to gain privileges via     a crafted application, aka internal bug     28522518.(CVE-2016-3857)

  - arch/arm64/kernel/sys.c in the Linux kernel before 4.0     allows local users to bypass the 'strict page     permissions' protection mechanism and modify the     system-call table, and consequently gain privileges, by     leveraging write access.(CVE-2015-8967)

  - arch/arm64/kernel/perf_event.c in the Linux kernel     before 4.1 on arm64 platforms allows local users to     gain privileges or cause a denial of service (invalid     pointer dereference) via vectors involving events that     are mishandled during a span of multiple HW     PMUs.(CVE-2015-8955)

  - The __clear_user function in     arch/arm64/lib/clear_user.S in the Linux kernel before     3.17.4 on the ARM64 platform allows local users to     cause a denial of service (system crash) by reading one     byte beyond a /dev/zero page boundary.(CVE-2014-7843)

  - The x86/fpu (Floating Point Unit) subsystem in the     Linux kernel before 4.13.5, when a processor supports     the xsave feature but not the xsaves feature, does not     correctly handle attempts to set reserved bits in the     xstate header via the ptrace() or rt_sigreturn() system     call, allowing local users to read the FPU registers of     other processes on the system, related to     arch/x86/kernel/fpu/regset.c and     arch/x86/kernel/fpu/signal.c.(CVE-2017-15537)

  - The Linux kernel before 3.11 on ARM platforms, as used     in Android before 2016-08-05 on Nexus 5 and 7 (2013)     devices, does not properly consider user-space access     to the TPIDRURW register, which allows local users to     gain privileges via a crafted application, aka Android     internal bug 28749743 and Qualcomm internal bug     CR561044.(CVE-2014-9870)

  - ** DISPUTED ** Race condition in the     store_int_with_restart() function in     arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel     through 4.15.7 allows local users to cause a denial of     service (panic) by leveraging root access to write to     the check_interval file in a     /sys/devices/system/machinecheck/machinecheck     directory. NOTE: a third party has indicated that this     report is not security relevant.(CVE-2018-7995)

  - arch/x86/kernel/entry_32.S in the Linux kernel through     3.15.1 on 32-bit x86 platforms, when syscall auditing     is enabled and the sep CPU feature flag is set, allows     local users to cause a denial of service (OOPS and     system crash) via an invalid syscall number, as     demonstrated by number 1000.(CVE-2014-4508)

  - arch/x86/kernel/tls.c in the Thread Local Storage (TLS)     implementation in the Linux kernel through 3.18.1     allows local users to bypass the espfix protection     mechanism, and consequently makes it easier for local     users to bypass the ASLR protection mechanism, via a     crafted application that makes a set_thread_area system     call and later reads a 16-bit value.(CVE-2014-8133)

  - arch/mips/include/asm/thread_info.h in the Linux kernel     before 3.14.8 on the MIPS platform does not configure
    _TIF_SECCOMP checks on the fast system-call path, which     allows local users to bypass intended PR_SET_SECCOMP     restrictions by executing a crafted application without     invoking a trace or audit subsystem.(CVE-2014-4157)

  - Integer signedness error in the oz_hcd_get_desc_cnf     function in drivers/staging/ozwpan/ozhcd.c in the     OZWPAN driver in the Linux kernel through 4.0.5 allows     remote attackers to cause a denial of service (system     crash) or possibly execute arbitrary code via a crafted     packet.(CVE-2015-4001)

  - drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver     in the Linux kernel through 4.0.5 does not ensure that     certain length values are sufficiently large, which     allows remote attackers to cause a denial of service     (system crash or large loop) or possibly execute     arbitrary code via a crafted packet, related to the (1)     oz_usb_rx and (2) oz_usb_handle_ep_data     functions.(CVE-2015-4002)

  - The oz_usb_handle_ep_data function in     drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver     in the Linux kernel through 4.0.5 allows remote     attackers to cause a denial of service (divide-by-zero     error and system crash) via a crafted     packet.(CVE-2015-4003)

  - The OZWPAN driver in the Linux kernel through 4.0.5     relies on an untrusted length field during packet     parsing, which allows remote attackers to obtain     sensitive information from kernel memory or cause a     denial of service (out-of-bounds read and system crash)     via a crafted packet.(CVE-2015-4004)

  - Race condition in the sclp_ctl_ioctl_sccb function in     drivers/s390/char/sclp_ctl.c in the Linux kernel before     4.6 allows local users to obtain sensitive information     from kernel memory by changing a certain length value,     aka a 'double fetch' vulnerability.(CVE-2016-6130)

  - The print_binder_transaction_ilocked function in     drivers/android/binder.c in the Linux kernel 4.14.90     allows local users to obtain sensitive address     information by reading '*from *code *flags' lines in a     debugfs file.(CVE-2018-20510)

  - In the Linux kernel before 4.1.4, a buffer overflow     occurs when checking userspace params in     drivers/media/dvb-frontends/cx24116.c. The maximum size     for a DiSEqC command is 6, according to the userspace     API. However, the code allows larger values such as     23.(CVE-2015-9289)

  - The saa7164_bus_get function in     drivers/media/pci/saa7164/saa7164-bus.c in the Linux     kernel through 4.11.5 allows local users to cause a     denial of service (out-of-bounds array access) or     possibly have unspecified other impact by changing a     certain sequence-number value, aka a 'double fetch'     vulnerability.(CVE-2017-8831)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A use-after-free vulnerability was found in DCCP socket     code affecting the Linux kernel since 2.6.16. This     vulnerability could allow an attacker to their escalate     privileges.(CVE-2017-8824)

  - The OZWPAN driver in the Linux kernel through 4.0.5     relies on an untrusted length field during packet     parsing, which allows remote attackers to obtain     sensitive information from kernel memory or cause a     denial of service (out-of-bounds read and system crash)     via a crafted packet.(CVE-2015-4004)

  - Integer signedness error in the MSM V4L2 video driver     for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, allows attackers to gain     privileges or cause a denial of service (array overflow     and memory corruption) via a crafted application that     triggers an msm_isp_axi_create_stream     call.(CVE-2016-2061)

  - A denial of service flaw was found in the way the Linux     kernel's XFS file system implementation ordered     directory hashes under certain conditions. A local     attacker could use this flaw to corrupt the file system     by creating directories with colliding hash values,     potentially resulting in a system crash.(CVE-2014-7283)

  - It was found that the Linux kernel's ping socket     implementation did not properly handle socket unhashing     during spurious disconnects, which could lead to a     use-after-free flaw. On x86-64 architecture systems, a     local user able to create ping sockets could use this     flaw to crash the system. On non-x86-64 architecture     systems, a local user able to create ping sockets could     use this flaw to escalate their privileges on the     system.(CVE-2015-3636)

  - Incorrect buffer length handling was found in the     ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c in     the Linux kernel, which could be exploited by malicious     NCPFS servers to crash the kernel or possibly execute     an arbitrary code.(CVE-2018-8822)

  - ** DISPUTED ** Kernel Samepage Merging (KSM) in the     Linux kernel 2.6.32 through 4.x does not prevent use of     a write-timing side channel, which allows guest OS     users to defeat the ASLR protection mechanism on other     guest OS instances via a Cross-VM ASL INtrospection     (CAIN) attack. NOTE: the vendor states 'Basically if     you care about this attack vector, disable     deduplication.' Share-until-written approaches for     memory conservation among mutually untrusting tenants     are inherently detectable for information disclosure,     and can be classified as potentially misunderstood     behaviors rather than vulnerabilities.(CVE-2015-2877)

  - The tty_set_termios_ldisc() function in     'drivers/tty/tty_ldisc.c' in the Linux kernel before     4.5 allows local users to obtain sensitive information     from kernel memory by reading a tty data     structure.(CVE-2015-8964)

  - An issue was discovered in the Linux kernel through     4.17.2. vbg_misc_device_ioctl() in     drivers/virt/vboxguest/vboxguest_linux.c reads the same     user data twice with copy_from_user. The header part of     the user data is double-fetched, and a malicious user     thread can tamper with the critical variables     (hdr.size_in and hdr.size_out) in the header between     the two fetches because of a race condition, leading to     severe kernel errors, such as buffer over-accesses.
    This bug can cause a local denial of service and     information leakage.(CVE-2018-12633)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2018-1092)

  - fs/f2fs/extent_cache.c in the Linux kernel, before     4.13, mishandles extent trees. This allows local users     to cause a denial of service via an application with     multiple threads.(CVE-2017-18193)

  - A design flaw was found in the file extended attribute     handling of the Linux kernel's handling of cached     attributes. Too many entries in the cache cause a soft     lockup while attempting to iterate the cache and access     relevant locks.(CVE-2015-8952)

  - Off-by-one error in the pipe_advance function in     lib/iov_iter.c in the Linux kernel before 4.9.5 allows     local users to obtain sensitive information from     uninitialized heap-memory locations in opportunistic     circumstances by reading from a pipe after an incorrect     buffer-release decision.(CVE-2017-5550)

  - The HMAC implementation (crypto/hmac.c) in the Linux     kernel, before 4.14.8, does not validate that the     underlying cryptographic hash algorithm is unkeyed.
    This allows a local attacker, able to use the     AF_ALG-based hash interface     (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash     algorithm (CONFIG_CRYPTO_SHA3), to cause a kernel stack     buffer overflow by executing a crafted sequence of     system calls that encounter a missing SHA-3     initialization.(CVE-2017-17806)

  - The mp_get_count function in     drivers/staging/sb105x/sb_pci_mp.c in the Linux kernel     before 3.12 does not initialize a certain data     structure, which allows local users to obtain sensitive     information from kernel stack memory via a TIOCGICOUNT     ioctl call.(CVE-2013-4516)

  - The perf_cpu_time_max_percent_handler function in     kernel/events/core.c in the Linux kernel before 4.11     allows local users to cause a denial of service     (integer overflow) or possibly have unspecified other     impact via a large value, as demonstrated by an     incorrect sample-rate calculation.(CVE-2017-18255)

  - An issue was discovered in the btrfs filesystem code in     the Linux kernel. An invalid pointer dereference in
    __del_reloc_root() in fs/btrfs/relocation.c when     mounting a crafted btrfs image could lead to a system     crash and a denial of service.(CVE-2018-14609)

  - The oz_usb_handle_ep_data function in     drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver     in the Linux kernel through 4.0.5 allows remote     attackers to cause a denial of service (divide-by-zero     error and system crash) via a crafted     packet.(CVE-2015-4003)

  - drivers/hid/hid-logitech-dj.c in the Human Interface     Device (HID) subsystem in the Linux kernel through     3.11, when CONFIG_HID_LOGITECH_DJ is enabled, allows     physically proximate attackers to cause a denial of     service (NULL pointer dereference and OOPS) or obtain     sensitive information from kernel memory via a crafted     device.(CVE-2013-2895)

  - drivers/usb/serial/cypress_m8.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a USB device without both an     interrupt-in and an interrupt-out endpoint descriptor,     related to the cypress_generic_port_probe and     cypress_open functions.(CVE-2016-3137)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux kernel incorrectly enables scatter/gather I/O. A remote attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-2117)

Jann Horn discovered that eCryptfs improperly attempted to use the mmap() handler of a lower filesystem that did not implement one, causing a recursive page fault to occur. A local unprivileged attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-1583)

Jason A. Donenfeld discovered multiple out-of-bounds reads in the OZMO USB over wifi device drivers in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2015-4004)

Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB device driver did not properly validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2187)

Hector Marco and Ismael Ripoll discovered that the Linux kernel would improperly disable Address Space Layout Randomization (ASLR) for x86 processes running in 32 bit mode if stack-consumption resource limits were disabled. A local attacker could use this to make it easier to exploit an existing vulnerability in a setuid/setgid program.
(CVE-2016-3672)

Andrey Konovalov discovered that the CDC Network Control Model USB driver in the Linux kernel did not cancel work events queued if a later error occurred, resulting in a use-after-free. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3951)

It was discovered that an out-of-bounds write could occur when handling incoming packets in the USB/IP implementation in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-3955)

Vitaly Kuznetsov discovered that the Linux kernel did not properly suppress hugetlbfs support in X86 paravirtualized guests. An attacker in the guest OS could cause a denial of service (guest system crash).
(CVE-2016-3961)

Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 Support implementations in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4485)

Kangjie Lu discovered an information leak in the routing netlink socket interface (rtnetlink) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4486)

Jann Horn discovered that the InfiniBand interfaces within the Linux kernel could be coerced into overwriting kernel memory. A local unprivileged attacker could use this to possibly gain administrative privileges on systems where InifiniBand related kernel modules are loaded. (CVE-2016-4565)

It was discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A local unprivileged attacker could use this to cause a denial of service (system crash).
(CVE-2016-4581).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux kernel incorrectly enables scatter/gather I/O. A remote attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-2117)

Jann Horn discovered that eCryptfs improperly attempted to use the mmap() handler of a lower filesystem that did not implement one, causing a recursive page fault to occur. A local unprivileged attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-1583)

Jason A. Donenfeld discovered multiple out-of-bounds reads in the OZMO USB over wifi device drivers in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2015-4004)

Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB device driver did not properly validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2187)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the MCT USB RS232 Converter device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3136)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Cypress M8 USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash).
(CVE-2016-3137)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Linux kernel's USB driver for Digi AccelePort serial converters did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3140)

Hector Marco and Ismael Ripoll discovered that the Linux kernel would improperly disable Address Space Layout Randomization (ASLR) for x86 processes running in 32 bit mode if stack-consumption resource limits were disabled. A local attacker could use this to make it easier to exploit an existing vulnerability in a setuid/setgid program.
(CVE-2016-3672)

It was discovered that the Linux kernel's USB driver for IMS Passenger Control Unit devices did not properly validate the device's interfaces. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3689)

Andrey Konovalov discovered that the CDC Network Control Model USB driver in the Linux kernel did not cancel work events queued if a later error occurred, resulting in a use-after-free. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3951)

It was discovered that an out-of-bounds write could occur when handling incoming packets in the USB/IP implementation in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-3955)

Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 Support implementations in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4485)

Kangjie Lu discovered an information leak in the routing netlink socket interface (rtnetlink) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4486)

It was discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A local unprivileged attacker could use this to cause a denial of service (system crash).
(CVE-2016-4581).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux kernel incorrectly enables scatter/gather I/O. A remote attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-2117)

Jann Horn discovered that eCryptfs improperly attempted to use the mmap() handler of a lower filesystem that did not implement one, causing a recursive page fault to occur. A local unprivileged attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-1583)

Jason A. Donenfeld discovered multiple out-of-bounds reads in the OZMO USB over wifi device drivers in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2015-4004)

Andy Lutomirski discovered a race condition in the Linux kernel's translation lookaside buffer (TLB) handling of flush events. A local attacker could use this to cause a denial of service or possibly leak sensitive information. (CVE-2016-2069)

Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB device driver did not properly validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2187)

Hector Marco and Ismael Ripoll discovered that the Linux kernel would improperly disable Address Space Layout Randomization (ASLR) for x86 processes running in 32 bit mode if stack-consumption resource limits were disabled. A local attacker could use this to make it easier to exploit an existing vulnerability in a setuid/setgid program.
(CVE-2016-3672)

Andrey Konovalov discovered that the CDC Network Control Model USB driver in the Linux kernel did not cancel work events queued if a later error occurred, resulting in a use-after-free. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3951)

It was discovered that an out-of-bounds write could occur when handling incoming packets in the USB/IP implementation in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-3955)

Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 Support implementations in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4485)

Kangjie Lu discovered an information leak in the routing netlink socket interface (rtnetlink) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4486)

It was discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A local unprivileged attacker could use this to cause a denial of service (system crash).
(CVE-2016-4581).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux kernel incorrectly enables scatter/gather I/O. A remote attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-2117)

Jason A. Donenfeld discovered multiple out-of-bounds reads in the OZMO USB over wifi device drivers in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2015-4004)

Andy Lutomirski discovered a race condition in the Linux kernel's translation lookaside buffer (TLB) handling of flush events. A local attacker could use this to cause a denial of service or possibly leak sensitive information. (CVE-2016-2069)

Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB device driver did not properly validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2187)

Hector Marco and Ismael Ripoll discovered that the Linux kernel would improperly disable Address Space Layout Randomization (ASLR) for x86 processes running in 32 bit mode if stack-consumption resource limits were disabled. A local attacker could use this to make it easier to exploit an existing vulnerability in a setuid/setgid program.
(CVE-2016-3672)

Andrey Konovalov discovered that the CDC Network Control Model USB driver in the Linux kernel did not cancel work events queued if a later error occurred, resulting in a use-after-free. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3951)

It was discovered that an out-of-bounds write could occur when handling incoming packets in the USB/IP implementation in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-3955)

Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 Support implementations in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4485)

Kangjie Lu discovered an information leak in the routing netlink socket interface (rtnetlink) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4486)

It was discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A local unprivileged attacker could use this to cause a denial of service (system crash).
(CVE-2016-4581).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE 13.1 kernel was updated to receive various security and bugfixes.

Following security bugs were fixed :

  - CVE-2016-0728: A reference leak in keyring handling with     join_session_keyring() could lead to local attackers     gain root privileges. (bsc#962075).

  - CVE-2015-7550: A local user could have triggered a race     between read and revoke in keyctl (bnc#958951).

  - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect     functions in drivers/net/ppp/pptp.c in the Linux kernel     did not verify an address length, which allowed local     users to obtain sensitive information from kernel memory     and bypass the KASLR protection mechanism via a crafted     application (bnc#959190).

  - CVE-2015-8543: The networking implementation in the     Linux kernel did not validate protocol identifiers for     certain protocol families, which allowed local users to     cause a denial of service (NULL function pointer     dereference and system crash) or possibly gain     privileges by leveraging CLONE_NEWUSER support to     execute a crafted SOCK_RAW application (bnc#958886).

  - CVE-2014-8989: The Linux kernel did not properly     restrict dropping of supplemental group memberships in     certain namespace scenarios, which allowed local users     to bypass intended file permissions by leveraging a     POSIX ACL containing an entry for the group category     that is more restrictive than the entry for the other     category, aka a 'negative groups' issue, related to     kernel/groups.c, kernel/uid16.c, and     kernel/user_namespace.c (bnc#906545).

  - CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux     kernel on the x86_64 platform mishandles IRET faults in     processing NMIs that occurred during userspace     execution, which might allow local users to gain     privileges by triggering an NMI (bnc#937969).

  - CVE-2015-7799: The slhc_init function in     drivers/net/slip/slhc.c in the Linux kernel through     4.2.3 did not ensure that certain slot numbers are     valid, which allowed local users to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted PPPIOCSMAXCID ioctl call (bnc#949936).

  - CVE-2015-8104: The KVM subsystem in the Linux kernel     through 4.2.6, and Xen 4.3.x through 4.6.x, allowed     guest OS users to cause a denial of service (host OS     panic or hang) by triggering many #DB (aka Debug)     exceptions, related to svm.c (bnc#954404).

  - CVE-2015-5307: The KVM subsystem in the Linux kernel     through 4.2.6, and Xen 4.3.x through 4.6.x, allowed     guest OS users to cause a denial of service (host OS     panic or hang) by triggering many #AC (aka Alignment     Check) exceptions, related to svm.c and vmx.c     (bnc#953527).

  - CVE-2014-9529: Race condition in the key_gc_unused_keys     function in security/keys/gc.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption or panic) or possibly have unspecified other     impact via keyctl commands that trigger access to a key     structure member during garbage collection of a key     (bnc#912202).

  - CVE-2015-7990: Race condition in the rds_sendmsg     function in net/rds/sendmsg.c in the Linux kernel     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound. NOTE: this vulnerability exists because     of an incomplete fix for CVE-2015-6937 (bnc#952384     953052).

  - CVE-2015-6937: The __rds_conn_create function in     net/rds/connection.c in the Linux kernel allowed local     users to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound (bnc#945825).

  - CVE-2015-7885: The dgnc_mgmt_ioctl function in     drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel     through 4.3.3 did not initialize a certain structure     member, which allowed local users to obtain sensitive     information from kernel memory via a crafted application     (bnc#951627).

  - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in     the Linux kernel did not validate attempted changes to     the MTU value, which allowed context-dependent attackers     to cause a denial of service (packet loss) via a value     that is (1) smaller than the minimum compliant value or     (2) larger than the MTU of an interface, as demonstrated     by a Router Advertisement (RA) message that is not     validated by a daemon, a different vulnerability than     CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is     limited to the NetworkManager product (bnc#955354).

  - CVE-2015-8767: A case can occur when sctp_accept() is     called by the user during a heartbeat timeout event     after the 4-way handshake. Since sctp_assoc_migrate()     changes both assoc->base.sk and assoc->ep, the     bh_sock_lock in sctp_generate_heartbeat_event() will be     taken with the listening socket but released with the     new association socket. The result is a deadlock on any     future attempts to take the listening socket lock.
    (bsc#961509)

  - CVE-2015-8575: Validate socket address length in     sco_sock_bind() to prevent information leak     (bsc#959399).

  - CVE-2015-8551, CVE-2015-8552: xen/pciback: For     XEN_PCI_OP_disable_msi[|x] only disable if device has     MSI(X) enabled (bsc#957990).

  - CVE-2015-8550: Compiler optimizations in the XEN PV     backend drivers could have lead to double fetch     vulnerabilities, causing denial of service or arbitrary     code execution (depending on the configuration)     (bsc#957988).

The following non-security bugs were fixed :

  - ALSA: hda - Disable 64bit address for Creative HDA     controllers (bnc#814440).

  - ALSA: hda - Fix noise problems on Thinkpad T440s     (boo#958504).

  - Input: aiptek - fix crash on detecting device without     endpoints (bnc#956708).

  - KEYS: Make /proc/keys unconditional if CONFIG_KEYS=y     (boo#956934).

  - KVM: x86: update masterclock values on TSC writes     (bsc#961739).

  - NFS: Fix a NULL pointer dereference of migration     recovery ops for v4.2 client (bsc#960839).

  - apparmor: allow SYS_CAP_RESOURCE to be sufficient to     prlimit another task (bsc#921949).

  - blktap: also call blkif_disconnect() when frontend     switched to closed (bsc#952976).

  - blktap: refine mm tracking (bsc#952976).

  - cdrom: Random writing support for BD-RE media     (bnc#959568).

  - genksyms: Handle string literals with spaces in     reference files (bsc#958510).

  - ipv4: Do not increase PMTU with Datagram Too Big message     (bsc#955224).

  - ipv6: distinguish frag queues by device for multicast     and link-local packets (bsc#955422).

  - ipv6: fix tunnel error handling (bsc#952579).

  - route: Use ipv4_mtu instead of raw rt_pmtu (bsc#955224).

  - uas: Add response iu handling (bnc#954138).

  - usbvision fix overflow of interfaces array (bnc#950998).

  - x86/evtchn: make use of PHYSDEVOP_map_pirq.

  - xen/pciback: Do not allow MSI-X ops if     PCI_COMMAND_MEMORY is not set (bsc#957990 XSA-157).

ID	Name	Product	Family	Severity
131805	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2531)	Nessus	Huawei Local Security Checks	high
124800	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1476)	Nessus	Huawei Local Security Checks	high
91566	Ubuntu 15.10 : linux-raspi2 vulnerabilities (USN-3004-1)	Nessus	Ubuntu Local Security Checks	critical
91565	Ubuntu 15.10 : linux vulnerabilities (USN-3003-1)	Nessus	Ubuntu Local Security Checks	critical
91564	Ubuntu 14.04 LTS : linux-lts-wily vulnerabilities (USN-3002-1)	Nessus	Ubuntu Local Security Checks	critical
91563	Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-3001-1)	Nessus	Ubuntu Local Security Checks	critical
91562	Ubuntu 14.04 LTS : linux-lts-utopic vulnerabilities (USN-3000-1)	Nessus	Ubuntu Local Security Checks	critical
91560	Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2998-1)	Nessus	Ubuntu Local Security Checks	critical
91425	Ubuntu 14.04 LTS : linux vulnerabilities (USN-2989-1)	Nessus	Ubuntu Local Security Checks	critical
88545	openSUSE Security Update : the Linux Kernel (openSUSE-2016-124)	Nessus	SuSE Local Security Checks	critical

CVE-2015-4004

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins