http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cf872776fc84128bb779ce2b83a37c884c3203ae

[oss-security] 20150526 CVE request: vulnerability in the kernel tty subsystem.

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

74820

RHSA-2016:1395

https://bugzilla.redhat.com/show_bug.cgi?id=1218879

https://github.com/torvalds/linux/commit/cf872776fc84128bb779ce2b83a37c884c3203ae

https://www.kernel.org/pub/linux/kernel/next/patch-v3.13-rc4-next-20131218.xz

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The ipx_recvmsg function in net/ipx/af_ipx.c in the     Linux kernel before 3.12.4 updates a certain length     value without ensuring that an associated data     structure has been initialized, which allows local     users to obtain sensitive information from kernel     memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg     system call.(CVE-2013-7268i1/4%0

  - The move_pages system call in mm/migrate.c in the Linux     kernel doesn't check the effective uid of the target     process. This enables a local attacker to learn the     memory layout of a setuid executable allowing     mitigation of ASLR.(CVE-2017-14140i1/4%0

  - Multiple array index errors in drivers/hid/hid-core.c     in the Human Interface Device (HID) subsystem in the     Linux kernel through 3.11 allow physically proximate     attackers to execute arbitrary code or cause a denial     of service (heap memory corruption) via a crafted     device that provides an invalid Report     ID.(CVE-2013-2888i1/4%0

  - It was found that if a Non-Maskable Interrupt (NMI)     occurred immediately after a SYSCALL call or before a     SYSRET call with the user RSP pointing to the NMI IST     stack, the kernel could skip that NMI.(CVE-2015-3291i1/4%0

  - The sound/core/seq_device.c in the Linux kernel, before     4.13.4, allows local users to cause a denial of service     (snd_rawmidi_dev_seq_free use-after-free and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16528i1/4%0

  - net/ceph/auth_x.c in Ceph, as used in the Linux kernel     before 3.16.3, does not properly consider the     possibility of kmalloc failure, which allows remote     attackers to cause a denial of service (system crash)     or possibly have unspecified other impact via a long     unencrypted auth ticket.(CVE-2014-6417i1/4%0

  - A NULL pointer dereference flaw was found in the Linux     kernel: the NFSv4.2 migration code improperly     initialized the kernel structure. A local,     authenticated user could use this flaw to cause a panic     of the NFS client (denial of service).(CVE-2015-8746i1/4%0

  - A stack-based buffer overflow flaw was found in the     TechnoTrend/Hauppauge DEC USB device driver. A local     user with write access to the corresponding device     could use this flaw to crash the kernel or,     potentially, elevate their privileges on the     system.(CVE-2014-8884i1/4%0

  - A flaw was found in the linux kernel's implementation     of the airspy USB device driver in which a leak was     found when a subdev or SDR are plugged into the host.An     attacker can create an targeted USB device which can     emulate 64 of these devices. Then by emulating an     additional device which continuously connects and     disconnects, each connection attempt will leak memory     which can not be recovered.(CVE-2016-5400i1/4%0

  - The sound/usb/mixer.c in the Linux kernel, before     4.13.8, allows local users to cause a denial of service     (snd_usb_mixer_interrupt use-after-free and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16527i1/4%0

  - The Human Interface Device (HID) subsystem in the Linux     kernel through 3.11, when CONFIG_LOGITECH_FF,     CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled,     allows physically proximate attackers to cause a denial     of service (heap-based out-of-bounds write) via a     crafted device, related to (1) drivers/hid/hid-lgff.c,     (2) drivers/hid/hid-lg3ff.c, and (3)     drivers/hid/hid-lg4ff.c.(CVE-2013-2893i1/4%0

  - It was found that reporting emulation failures to user     space could lead to either a local (CVE-2014-7842) or a     L2-i1/4zL1 (CVE-2010-5313) denial of service. In the case     of a local denial of service, an attacker must have     access to the MMIO area or be able to access an I/O     port. Please note that on certain systems, HPET is     mapped to userspace as part of vdso (vvar) and thus an     unprivileged user may generate MMIO transactions (and     enter the emulator) this way.(CVE-2014-7842i1/4%0

  - A flaw was discovered in the way the Linux kernel's TTY     subsystem handled the tty shutdown phase. A local,     unprivileged user could use this flaw to cause denial     of service on the system by holding a reference to the     ldisc lock during tty shutdown, causing a     deadlock.(CVE-2015-4170i1/4%0

  - The __ip6_append_data function in net/ipv6/ip6_output.c     in the Linux kernel through 4.11.3 is too late in     checking whether an overwrite of an skb data structure     may occur, which allows local users to cause a denial     of service (system crash) via crafted system     calls.(CVE-2017-9242i1/4%0

  - The Linux kernel built with the KVM visualization     support (CONFIG_KVM), with nested visualization(nVMX)     feature enabled (nested=1), was vulnerable to a stack     buffer overflow issue. The vulnerability could occur     while traversing guest page table entries to resolve     guest virtual address(gva). An L1 guest could use this     flaw to crash the host kernel resulting in denial of     service (DoS) or potentially execute arbitrary code on     the host to gain privileges on the     system.(CVE-2017-12188i1/4%0

  - The recalculate_apic_map function in     arch/x86/kvm/lapic.c in the KVM subsystem in the Linux     kernel through 3.12.5 allows guest OS users to cause a     denial of service (host OS crash) via a crafted ICR     write operation in x2apic mode.(CVE-2013-6376i1/4%0

  - The wanxl_ioctl function in drivers/net/wan/wanxl.c in     the Linux kernel before 3.11.7 does not properly     initialize a certain data structure, which allows local     users to obtain sensitive information from kernel     memory via an ioctl call.(CVE-2014-1445i1/4%0

  - The restore_fpu_checking function in     arch/x86/include/asm/fpu-internal.h in the Linux kernel     before 3.12.8 on the AMD K7 and K8 platforms does not     clear pending exceptions before proceeding to an EMMS     instruction, which allows local users to cause a denial     of service (task kill) or possibly gain privileges via     a crafted application.(CVE-2014-1438i1/4%0

  - A race condition was found in the way the Linux     kernel's memory subsystem handled the copy-on-write     (COW) breakage of private read-only memory mappings. An     unprivileged, local user could use this flaw to gain     write access to otherwise read-only memory mappings and     thus increase their privileges on the     system.(CVE-2016-5195i1/4%0

  - Algorithms not compatible with mcryptd could be spawned     by mcryptd with a direct crypto_alloc_tfm invocation     using a 'mcryptd(alg)' name construct. This causes     mcryptd to crash the kernel if an arbitrary 'alg' is     incompatible and not intended to be used with     mcryptd.(CVE-2016-10147i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - It was found that the Linux kernel's implementation of     vectored pipe read and write functionality did not take     into account the I/O vectors that were already     processed when retrying after a failed atomic access     operation, potentially resulting in memory corruption     due to an I/O vector array overrun. A local,     unprivileged user could use this flaw to crash the     system or, potentially, escalate their privileges on     the system.(CVE-2015-1805)

  - net/llc/sysctl_net_llc.c in the Linux kernel before     3.19 uses an incorrect data type in a sysctl table,     which allows local users to obtain potentially     sensitive information from kernel memory or possibly     have unspecified other impact by accessing a sysctl     entry.(CVE-2015-2041)

  - net/rds/sysctl.c in the Linux kernel before 3.19 uses     an incorrect data type in a sysctl table, which allows     local users to obtain potentially sensitive information     from kernel memory or possibly have unspecified other     impact by accessing a sysctl entry.(CVE-2015-2042)

  - Xen 3.3.x through 4.5.x and the Linux kernel through     3.19.1 do not properly restrict access to PCI command     registers, which might allow local guest OS users to     cause a denial of service (non-maskable interrupt and     host crash) by disabling the (1) memory or (2) I/O     decoding for a PCI Express device and then accessing     the device, which triggers an Unsupported Request (UR)     response.(CVE-2015-2150)

  - A stack-based buffer overflow flaw was found in the     Linux kernel's early load microcode functionality. On a     system with UEFI Secure Boot enabled, a local,     privileged user could use this flaw to increase their     privileges to the kernel (ring0) level, bypassing     intended restrictions in place.(CVE-2015-2666)

  - The xsave/xrstor implementation in     arch/x86/include/asm/xsave.h in the Linux kernel before     3.19.2 creates certain .altinstr_replacement pointers     and consequently does not provide any protection     against instruction faulting, which allows local users     to cause a denial of service (panic) by triggering a     fault, as demonstrated by an unaligned memory operand     or a non-canonical address memory     operand.(CVE-2015-2672)

  - A flaw was found in the way the Linux kernel's 32-bit     emulation implementation handled forking or closing of     a task with an 'int80' entry. A local user could     potentially use this flaw to escalate their privileges     on the system.(CVE-2015-2830)

  - It was found that the Linux kernel's TCP/IP protocol     suite implementation for IPv6 allowed the Hop Limit     value to be set to a smaller value than the default     one. An attacker on a local network could use this flaw     to prevent systems on that network from sending or     receiving network packets.(CVE-2015-2922)

  - A flaw was found in the way the Linux kernel's file     system implementation handled rename operations in     which the source was inside and the destination was     outside of a bind mount. A privileged user inside a     container could use this flaw to escape the bind mount     and, potentially, escalate their privileges on the     system.(CVE-2015-2925)

  - A race condition flaw was found in the way the Linux     kernel's SCTP implementation handled Address     Configuration lists when performing Address     Configuration Change (ASCONF). A local attacker could     use this flaw to crash the system via a race condition     triggered by setting certain ASCONF options on a     socket.(CVE-2015-3212)

  - mm/memory.c in the Linux kernel before 4.1.4 mishandles     anonymous pages, which allows local users to gain     privileges or cause a denial of service (page tainting)     via a crafted application that triggers writing to page     zero.(CVE-2015-3288)

  - A flaw was found in the way the Linux kernel's nested     NMI handler and espfix64 functionalities interacted     during NMI processing. A local, unprivileged user could     use this flaw to crash the system or, potentially,     escalate their privileges on the system.(CVE-2015-3290)

  - It was found that if a Non-Maskable Interrupt (NMI)     occurred immediately after a SYSCALL call or before a     SYSRET call with the user RSP pointing to the NMI IST     stack, the kernel could skip that NMI.(CVE-2015-3291)

  - A buffer overflow flaw was found in the way the Linux     kernel's Intel AES-NI instructions optimized version of     the RFC4106 GCM mode decryption functionality handled     fragmented packets. A remote attacker could use this     flaw to crash, or potentially escalate their privileges     on, a system over a connection with an active AES-GCM     mode IPSec security association.(CVE-2015-3331)

  - A race condition flaw was found between the chown and     execve system calls. When changing the owner of a     setuid user binary to root, the race condition could     momentarily make the binary setuid root. A local,     unprivileged user could potentially use this flaw to     escalate their privileges on the system.(CVE-2015-3339)

  - It was found that the Linux kernel's ping socket     implementation did not properly handle socket unhashing     during spurious disconnects, which could lead to a     use-after-free flaw. On x86-64 architecture systems, a     local user able to create ping sockets could use this     flaw to crash the system. On non-x86-64 architecture     systems, a local user able to create ping sockets could     use this flaw to escalate their privileges on the     system.(CVE-2015-3636)

  - An inode data validation error was found in Linux     kernels built with UDF file system (CONFIG_UDF_FS)     support. An attacker able to mount a     corrupted/malicious UDF file system image could cause     the kernel to crash.(CVE-2015-4167)

  - A flaw was discovered in the way the Linux kernel's TTY     subsystem handled the tty shutdown phase. A local,     unprivileged user could use this flaw to cause denial     of service on the system by holding a reference to the     ldisc lock during tty shutdown, causing a     deadlock.(CVE-2015-4170)

  - A flaw was discovered in the kernel's collect_mounts     function. If the kernel's audit subsystem called     collect_mounts to audit an unmounted path, it could     panic the system. With this flaw, an unprivileged user     could call umount(MNT_DETACH) to launch a     denial-of-service attack.(CVE-2015-4177)

  - A DoS flaw was found for a Linux kernel built for the     x86 architecture which had the KVM virtualization     support(CONFIG_KVM) enabled. The kernel would be     vulnerable to a NULL pointer dereference flaw in Linux     kernel's kvm_apic_has_events() function while doing an     ioctl. An unprivileged user able to access the     '/dev/kvm' device could use this flaw to crash the     system kernel.(CVE-2015-4692)

  - A flaw was found in the kernel's implementation of the     Berkeley Packet Filter (BPF). A local attacker could     craft BPF code to crash the system by creating a     situation in which the JIT compiler would fail to     correctly optimize the JIT image on the last pass. This     would lead to the CPU executing instructions that were     not part of the JIT code.(CVE-2015-4700)

  - A buffer overflow flaw was found in the way the Linux     kernel's virtio-net subsystem handled certain fraglists     when the GRO (Generic Receive Offload) functionality     was enabled in a bridged network configuration. An     attacker on the local network could potentially use     this flaw to crash the system, or, although unlikely,     elevate their privileges on the system.(CVE-2015-5156)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - A flaw was discovered in the way the Linux kernel's TTY     subsystem handled the tty shutdown phase. A local,     unprivileged user could use this flaw to cause denial     of service on the system by holding a reference to the     ldisc lock during tty shutdown, causing a     deadlock.(CVE-2015-4170)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7 Extended Update Support.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fix :

* A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause denial of service on the system by holding a reference to the ldisc lock during tty shutdown, causing a deadlock.
(CVE-2015-4170, Moderate)

This update also fixes the following bugs :

* When Small Computer System Interface (SCSI) devices were removed or deleted, a system crash could occur due to a race condition between listing all SCSI devices and SCSI device removal. The provided patch ensures that the starting node for the klist_iter_init_node() function is actually a member of the list before using it. As a result, a system crash no longer occurs in the described scenario. (BZ#1333402)

* When creating Virtual Functions (VF) on the ixgbe driver, the Media Access Control (MAC) address for each VF could be random if not explicitly set. When generating a random MAC address, it was possible to set the address to zero. As a consequence, transmitted packets were discarded without being sent, and the user was not able to access the network. The provided patchset ensures that the VFs always end up with valid MAC addresses. As a result, packets are now transmitted as expected, and the user is able to access the network. (BZ#1335405)

* Under significant load, some applications such as logshifter could generate bursts of log messages too large for the system logger to spool. Due to a race condition, log messages from that application could then be lost even after the log volume dropped to manageable levels. This update fixes the kernel mechanism used to notify the transmitter end of the socket used by the system logger that more space is available on the receiver side, removing a race condition which previously caused the sender to stop transmitting new messages and allowing all log messages to be processed correctly. (BZ#1337602)

* When a USB serial driver was trying to acquire a line-discipline reference, a lockdep warning could occur due to the tty ldisc semaphore that was not fully initialized. With this update, a set of patches has been backported from upstream that fix this bug and no warnings occur in the aforementioned scenario. (BZ#1343554)

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Updated kernel-rt packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system.
(CVE-2015-2925, Important)

* A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system.
(CVE-2015-7613, Important)

* It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker able to continuously spawn new processes within a single memory-constrained cgroup during an OOM event could use this flaw to lock up the system. (CVE-2014-8171, Moderate)

* A race condition flaw was found between the chown and execve system calls. When changing the owner of a setuid user binary to root, the race condition could momentarily make the binary setuid root. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate)

* A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause a denial of service on the system by holding a reference to the ldisc lock during tty shutdown, causing a deadlock.
(CVE-2015-4170, Moderate)

* A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded. (CVE-2015-5283, Moderate)

* A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2013-7421, CVE-2014-9644, Low)

* An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process.
(CVE-2014-9419, Low)

* A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination. (CVE-2015-7837, Low)

Red Hat would like to thank Linn Crosetto of HP for reporting the CVE-2015-7837 issue. The CVE-2015-5283 issue was discovered by Ji Jianwen from Red Hat engineering.

The kernel-rt packages have been upgraded to version 3.10.0-326.rt56.204, which provides a number of bug fixes and enhancements. (BZ#1201915, BZ#1211724)

This update also fixes several bugs and adds multiple enhancements.
Refer to the following Red Hat Knowledgebase article for information on the most significant of these changes :

https://access.redhat.com/articles/2055783

All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect.

* A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system.
(CVE-2015-2925, Important)

* A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system.
(CVE-2015-7613, Important)

* It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. (CVE-2010-5313, CVE-2014-7842, Moderate)

* A flaw was found in the way the Linux kernel's KVM subsystem handled non-canonical addresses when emulating instructions that change the RIP (for example, branches or calls). A guest user with access to an I/O or MMIO region could use this flaw to crash the guest.
(CVE-2014-3647, Moderate)

* It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker could use this flaw to lock up the system.
(CVE-2014-8171, Moderate)

* A race condition flaw was found between the chown and execve system calls. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate)

* A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-4170, Moderate)

* A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded. (CVE-2015-5283, Moderate)

* A flaw was found in the way the Linux kernel's perf subsystem retrieved userlevel stack traces on PowerPC systems. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-6526, Moderate)

* A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2013-7421, CVE-2014-9644, Low)

* An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process.
(CVE-2014-9419, Low)

* It was found that the Linux kernel KVM subsystem's sysenter instruction emulation was not sufficient. An unprivileged guest user could use this flaw to escalate their privileges by tricking the hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the guest OS did not initialize the SYSENTER model-specific registers (MSRs). Note: Certified guest operating systems for Scientific Linux with KVM do initialize the SYSENTER MSRs and are thus not vulnerable to this issue when running on a KVM hypervisor. (CVE-2015-0239, Low)

* A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination. (CVE-2015-7837, Low)

Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 7. This is the second regular update.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system.
(CVE-2015-2925, Important)

* A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system.
(CVE-2015-7613, Important)

* It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. (CVE-2010-5313, CVE-2014-7842, Moderate)

* A flaw was found in the way the Linux kernel's KVM subsystem handled non-canonical addresses when emulating instructions that change the RIP (for example, branches or calls). A guest user with access to an I/O or MMIO region could use this flaw to crash the guest.
(CVE-2014-3647, Moderate)

* It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker could use this flaw to lock up the system.
(CVE-2014-8171, Moderate)

* A race condition flaw was found between the chown and execve system calls. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate)

* A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-4170, Moderate)

* A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded. (CVE-2015-5283, Moderate)

* A flaw was found in the way the Linux kernel's perf subsystem retrieved userlevel stack traces on PowerPC systems. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-6526, Moderate)

* A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2013-7421, CVE-2014-9644, Low)

* An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process.
(CVE-2014-9419, Low)

* It was found that the Linux kernel KVM subsystem's sysenter instruction emulation was not sufficient. An unprivileged guest user could use this flaw to escalate their privileges by tricking the hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the guest OS did not initialize the SYSENTER model-specific registers (MSRs). Note: Certified guest operating systems for Red Hat Enterprise Linux with KVM do initialize the SYSENTER MSRs and are thus not vulnerable to this issue when running on a KVM hypervisor.
(CVE-2015-0239, Low)

* A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination. (CVE-2015-7837, Low)

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2015-2152 advisory.

  - The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a     bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability     than CVE-2014-9644. (CVE-2013-7421)

  - The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a     bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name     field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421.
    (CVE-2014-9644)

  - The memory resource controller (aka memcg) in the Linux kernel allows local users to cause a denial of     service (deadlock) by spawning new processes within a memory-constrained cgroup. (CVE-2014-8171)

  - The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not     ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which     makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that     reads a TLS base address. (CVE-2014-9419)

  - The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS     lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of     service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYSENTER     instruction. (CVE-2015-0239)

  - Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel before 3.19.6 allows local     users to gain privileges by executing a setuid program at a time instant when a chown to root is in     progress, and the ownership is changed but the setuid bit is not yet stripped. (CVE-2015-3339)

  - Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 allows L2 guest OS users to cause a     denial of service (L1 guest OS crash) via a crafted instruction that triggers an L2 emulation failure     report, a similar issue to CVE-2014-7842. (CVE-2010-5313)

  - arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 does not properly perform     RIP changes, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted     application. (CVE-2014-3647)

  - Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 allows guest OS users to cause a     denial of service (guest OS crash) via a crafted application that performs an MMIO transaction or a PIO     transaction to trigger a guest userspace emulation error report, a similar issue to CVE-2010-5313.
    (CVE-2014-7842)

  - The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename     actions inside a bind mount, which allows local users to bypass an intended container protection mechanism     by renaming a directory, related to a double-chroot attack. (CVE-2015-2925)

  - Race condition in the ldsem_cmpxchg function in drivers/tty/tty_ldsem.c in the Linux kernel before     3.13-rc4-next-20131218 allows local users to cause a denial of service (ldsem_down_read and     ldsem_down_write deadlock) by establishing a new tty thread during shutdown of a previous tty thread.
    (CVE-2015-4170)

  - The sctp_init function in net/sctp/protocol.c in the Linux kernel before 4.2.3 has an incorrect sequence     of protocol-initialization steps, which allows local users to cause a denial of service (panic or memory     corruption) by creating SCTP sockets before all of the steps have finished. (CVE-2015-5283)

  - The perf_callchain_user_64 function in arch/powerpc/perf/callchain.c in the Linux kernel before 4.0.2 on     ppc64 platforms allows local users to cause a denial of service (infinite loop) via a deep 64-bit     userspace backtrace. (CVE-2015-6526)

  - Race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to     gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against     uninitialized data, related to msg.c, shm.c, and util.c. (CVE-2015-7613)

  - The Linux kernel, as used in Red Hat Enterprise Linux 7, kernel-rt, and Enterprise MRG 2 and when booted     with UEFI Secure Boot enabled, allows local users to bypass intended securelevel/secureboot restrictions     by leveraging improper handling of secure_boot flag across kexec reboot. (CVE-2015-7837)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
124982	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1529)	Nessus	Huawei Local Security Checks	medium
124811	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1487)	Nessus	Huawei Local Security Checks	high
99791	EulerOS 2.0 SP1 : kernel (EulerOS-SA-2016-1028)	Nessus	Huawei Local Security Checks	medium
92029	RHEL 7 : kernel (RHSA-2016:1395)	Nessus	Red Hat Local Security Checks	medium
88571	RHEL 7 : kernel-rt (RHSA-2015:2411)	Nessus	Red Hat Local Security Checks	medium
87559	Scientific Linux Security Update : kernel on SL7.x x86_64 (20151119)	Nessus	Scientific Linux Local Security Checks	medium
87135	CentOS 7 : kernel (CESA-2015:2152)	Nessus	CentOS Local Security Checks	high
87090	Oracle Linux 7 : kernel (ELSA-2015-2152)	Nessus	Oracle Linux Local Security Checks	high
86972	RHEL 7 : kernel (RHSA-2015:2152)	Nessus	Red Hat Local Security Checks	high

CVE-2015-4170

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

medium

high

medium

medium

medium

medium

high

high

high