http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8a5e5e02fc83aaf67053ab53b359af08c6c49aaf

http://source.android.com/security/bulletin/2016-03-01.html

DSA-3607

[oss-security] 20150502 Re: CVE request for a fixed bug existed in all versions of linux kernel from KeenTeam

84260

USN-2967-1

USN-2967-2

USN-2968-1

USN-2968-2

USN-2969-1

USN-2970-1

USN-2971-1

USN-2971-2

USN-2971-3

https://github.com/torvalds/linux/commit/8a5e5e02fc83aaf67053ab53b359af08c6c49aaf

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - An integer overflow flaw was found in the way the Linux     kernel's netfilter connection tracking implementation     loaded extensions. An attacker on a local network could     potentially send a sequence of specially crafted     packets that would initiate the loading of a large     number of extensions, causing the targeted system in     that network to crash.(CVE-2014-9715)

  - A flaw was found in the Linux kernel which could cause     a kernel panic when restoring machine specific     registers on the PowerPC platform. Incorrect     transactional memory state registers could     inadvertently change the call path on return from     userspace and cause the kernel to enter an unknown     state and crash.(CVE-2015-8844)

  - A timing flaw was found in the Chrome EC driver in the     Linux kernel. An attacker could abuse timing to skip     validation checks to copy additional data from     userspace possibly increasing privilege or crashing the     system.(CVE-2016-6156)

  - A race condition flaw was found in the way the Linux     kernel's IPC subsystem initialized certain fields in an     IPC object structure that were later used for     permission checking before inserting the object into a     globally visible list. A local, unprivileged user could     potentially use this flaw to elevate their privileges     on the system.(CVE-2015-7613)

  - A path length checking flaw was found in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support. An     attacker able to mount a corrupted/malicious UDF file     system image could use this flaw to leak kernel memory     to user-space.(CVE-2014-9731)

  - A race condition leading to a NULL pointer dereference     was found in the Linux kernel's Link Layer Control     implementation. A local attacker with access to ping     sockets could use this flaw to crash the     system.(CVE-2017-2671)

  - The f2fs implementation in the Linux kernel, before     4.14, mishandles reference counts associated with     f2fs_wait_discard_bios calls. This allows local users     to cause a denial of service (BUG), as demonstrated by     fstrim.(CVE-2017-18200)

  - The LIST_POISON feature in include/linux/poison.h in     the Linux kernel before 4.3, as used in Android 6.0.1     before 2016-03-01, does not properly consider the     relationship to the mmap_min_addr value, which makes it     easier for attackers to bypass a poison-pointer     protection mechanism by triggering the use of an     uninitialized list entry, aka Android internal bug     26186802, a different vulnerability than     CVE-2015-3636.(CVE-2016-0821)

  - The xsave/xrstor implementation in     arch/x86/include/asm/xsave.h in the Linux kernel before     3.19.2 creates certain .altinstr_replacement pointers     and consequently does not provide any protection     against instruction faulting, which allows local users     to cause a denial of service (panic) by triggering a     fault, as demonstrated by an unaligned memory operand     or a non-canonical address memory     operand.(CVE-2015-2672)

  - The n_tty_write function in drivers/tty/n_tty.c in the     Linux kernel through 3.14.3 does not properly manage     tty driver access in the 'LECHO & !OPOST' case, which     allows local users to cause a denial of service (memory     corruption and system crash) or gain privileges by     triggering a race condition involving read and write     operations with long strings.(CVE-2014-0196)

  - In the Linux kernel through 4.14.13,     drivers/block/loop.c mishandles lo_release     serialization, which allows attackers to cause a denial     of service (__lock_acquire use-after-free) or possibly     have unspecified other impact.(CVE-2018-5344)

  - The lbs_debugfs_write function in     drivers/net/wireless/libertas/debugfs.c in the Linux     kernel through 3.12.1 allows local users to cause a     denial of service (OOPS) by leveraging root privileges     for a zero-length write operation.(CVE-2013-6378)

  - A NULL-pointer dereference vulnerability was discovered     in the Linux kernel. The kernel's Reliable Datagram     Sockets (RDS) protocol implementation did not verify     that an underlying transport existed before creating a     connection to a remote server. A local system user     could exploit this flaw to crash the system by creating     sockets at specific times to trigger a NULL pointer     dereference.(CVE-2015-6937)

  - A stack buffer overflow flaw was found in the way the     Bluetooth subsystem of the Linux kernel processed     pending L2CAP configuration responses from a client. On     systems with the stack protection feature enabled in     the kernel (CONFIG_CC_STACKPROTECTOR=y, which is     enabled on all architectures other than s390x and     ppc64le), an unauthenticated attacker able to initiate     a connection to a system via Bluetooth could use this     flaw to crash the system. Due to the nature of the     stack protection feature, code execution cannot be     fully ruled out, although we believe it is unlikely. On     systems without the stack protection feature (ppc64le     the Bluetooth modules are not built on s390x), an     unauthenticated attacker able to initiate a connection     to a system via Bluetooth could use this flaw to     remotely execute arbitrary code on the system with ring     0 (kernel) privileges.(CVE-2017-1000251)

  - Integer signedness error in the MSM QDSP6 audio driver     for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, allows attackers to gain     privileges or cause a denial of service (memory     corruption) via a crafted application that makes an     ioctl call.(CVE-2016-2066)

  - The bcm_char_ioctl function in     drivers/staging/bcm/Bcmchar.c in the Linux kernel     before 3.12 does not initialize a certain data     structure, which allows local users to obtain sensitive     information from kernel memory via an     IOCTL_BCM_GET_DEVICE_DRIVER_INFO ioctl     call.(CVE-2013-4515)

  - A flaw was found in the way the Linux kernel's Stream     Control Transmission Protocol (SCTP) implementation     handled malformed Address Configuration Change Chunks     (ASCONF). A remote attacker could use either of these     flaws to crash the system.(CVE-2014-3673)

  - It was found that paravirt_patch_call/jump() functions     in the arch/x86/kernel/paravirt.c in the Linux kernel     mishandles certain indirect calls, which makes it     easier for attackers to conduct Spectre-v2 attacks     against paravirtualized guests.(CVE-2018-15594)

  - It was found that the Linux kernel's KVM implementation     did not ensure that the host CR4 control register value     remained unchanged across VM entries on the same     virtual CPU. A local, unprivileged user could use this     flaw to cause a denial of service on the     system.(CVE-2014-3690)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bound write in     jbd2_journal_dirty_metadata(), a denial of service, and     a system crash by mounting and operating on a crafted     ext4 filesystem image.(CVE-2018-10883)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A use-after-free flaw was found in the way the Linux     kernel's key management subsystem handled keyring     object reference counting in certain error path of the     join_session_keyring() function. A local, unprivileged     user could use this flaw to escalate their privileges     on the system.(CVE-2016-0728)

  - A flaw was found in the way the Linux kernel's ASN.1     DER decoder processed certain certificate files with     tags of indefinite length. A local, unprivileged user     could use a specially crafted X.509 certificate DER     file to crash the system or, potentially, escalate     their privileges on the system.(CVE-2016-0758)

  - The LIST_POISON feature in include/linux/poison.h in     the Linux kernel before 4.3, as used in Android 6.0.1     before 2016-03-01, does not properly consider the     relationship to the mmap_min_addr value, which makes it     easier for attackers to bypass a poison-pointer     protection mechanism by triggering the use of an     uninitialized list entry, aka Android internal bug     26186802, a different vulnerability than     CVE-2015-3636.(CVE-2016-0821)

  - The pagemap_open function in fs/proc/task_mmu.c in the     Linux kernel before 3.19.3, as used in Android 6.0.1     before 2016-03-01, allows local users to obtain     sensitive physical-address information by reading a     pagemap file, aka Android internal bug     25739721.(CVE-2016-0823)

  - The aio_mount function in fs/aio.c in the Linux kernel     does not properly restrict execute access, which makes     it easier for local users to bypass intended SELinux     W^X policy restrictions.(CVE-2016-10044)

  - It was found that the fix for CVE-2016-9576 was     incomplete: the Linux kernel's sg implementation did     not properly restrict write operations in situations     where the KERNEL_DS option is set. A local attacker to     read or write to arbitrary kernel memory locations or     cause a denial of service (use-after-free) by     leveraging write access to a /dev/sg     device.(CVE-2016-10088)

  - A use-after-free flaw was found in the Linux kernel     which enables a race condition in the L2TPv3 IP     Encapsulation feature. A local user could use this flaw     to escalate their privileges or crash the     system.(CVE-2016-10200)

  - Mounting a crafted EXT4 image read-only leads to an     attacker controlled memory corruption and     SLAB-Out-of-Bounds reads.(CVE-2016-10208)

  - The Linux kernel allows remote attackers to execute     arbitrary code via UDP traffic that triggers an unsafe     second checksum calculation during execution of a recv     system call with the MSG_PEEK flag. This may create a     kernel panic or memory corruption leading to privilege     escalation.(CVE-2016-10229)

  - The overlayfs implementation in the Linux kernel     through 4.5.2 does not properly maintain POSIX ACL     xattr data, which allows local users to gain privileges     by leveraging a group-writable setgid     directory.(CVE-2016-1575)

  - The overlayfs implementation in the Linux kernel     through 4.5.2 does not properly restrict the mount     namespace, which allows local users to gain privileges     by mounting an overlayfs filesystem on top of a FUSE     filesystem, and then executing a crafted setuid     program.(CVE-2016-1576)

  - A syntax vulnerability was discovered in the kernel's     ASN1.1 DER decoder, which could lead to memory     corruption or a complete local denial of service     through x509 certificate DER files. A local system user     could use a specially created key file to trigger     BUG_ON() in the public_key_verify_signature() function     (crypto/asymmetric_keys/public_key.c), to cause a     kernel panic and crash the system.(CVE-2016-2053)

  - A flaw was discovered in the way the Linux kernel dealt     with paging structures. When the kernel invalidated a     paging structure that was not in use locally, it could,     in principle, race against another CPU that is     switching to a process that uses the paging structure     in question. A local user could use a thread running     with a stale cached virtual->physical translation to     potentially escalate their privileges if the     translation in question were writable and the physical     page got reused for something critical (for example, a     page table).(CVE-2016-2069)

  - A divide-by-zero vulnerability was found in a way the     kernel processes TCP connections. The error can occur     if a connection starts another cwnd reduction phase by     setting tp->prior_cwnd to the current cwnd (0) in     tcp_init_cwnd_reduction(). A remote, unauthenticated     attacker could use this flaw to crash the kernel     (denial of service).(CVE-2016-2070)

  - It was discovered that the atl2_probe() function in the     Atheros L2 Ethernet driver in the Linux kernel     incorrectly enabled scatter/gather I/O. A remote     attacker could use this flaw to obtain potentially     sensitive information from the kernel     memory.(CVE-2016-2117)

  - The create_fixed_stream_quirk function in     sound/usb/quirks.c in the snd-usb-audio driver in the     Linux kernel before 4.5.1 allows physically proximate     attackers to cause a denial of service (NULL pointer     dereference or double free, and system crash) via a     crafted endpoints value in a USB device     descriptor.(CVE-2016-2184)

  - The ati_remote2_probe function in     drivers/input/misc/ati_remote2.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2185)

  - The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2186)

  - The gtco_probe function in drivers/input/tablet/gtco.c     in the Linux kernel through 4.5.2 allows physically     proximate attackers to cause a denial of service (NULL     pointer dereference and system crash) via a crafted     endpoints value in a USB device     descriptor.(CVE-2016-2187)

  - The iowarrior_probe function in     drivers/usb/misc/iowarrior.c in the Linux kernel before     4.5.1 allows physically proximate attackers to cause a     denial of service (NULL pointer dereference and system     crash) via a crafted endpoints value in a USB device     descriptor.(CVE-2016-2188)

  - A flaw was found in the USB-MIDI Linux kernel driver: a     double-free error could be triggered for the 'umidi'     object. An attacker with physical access to the system     could use this flaw to escalate their     privileges.(CVE-2016-2384)

  - The snd_seq_ioctl_remove_events function in     sound/core/seq/seq_clientmgr.c in the Linux kernel     before 4.4.1 does not verify FIFO assignment before     proceeding with FIFO clearing, which allows local users     to cause a denial of service (NULL pointer dereference     and OOPS) via a crafted ioctl call.(CVE-2016-2543)

  - Race condition in the queue_delete function in     sound/core/seq/seq_queue.c in the Linux kernel before     4.4.1 allows local users to cause a denial of service     (use-after-free and system crash) by making an ioctl     call at a certain time.(CVE-2016-2544)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2015-7515, CVE-2016-2184, CVE-2016-2185,     CVE-2016-2186, CVE-2016-2187, CVE-2016-3136,     CVE-2016-3137, CVE-2016-3138, CVE-2016-3140     Ralf Spenneberg of OpenSource Security reported that     various USB drivers do not sufficiently validate USB     descriptors. This allowed a physically present user with     a specially designed USB device to cause a denial of     service (crash).

  - CVE-2016-0821     Solar Designer noted that the list 'poisoning' feature,     intended to mitigate the effects of bugs in list     manipulation in the kernel, used poison values within     the range of virtual addresses that can be allocated by     user processes.

  - CVE-2016-1237     David Sinquin discovered that nfsd does not check     permissions when setting ACLs, allowing users to grant     themselves permissions to a file by setting the ACL.

  - CVE-2016-1583     Jann Horn of Google Project Zero reported that the     eCryptfs filesystem could be used together with the proc     filesystem to cause a kernel stack overflow. If the     ecryptfs-utils package is installed, local users could     exploit this, via the mount.ecryptfs_private program,     for denial of service (crash) or possibly for privilege     escalation.

  - CVE-2016-2117     Justin Yackoski of Cryptonite discovered that the     Atheros L2 ethernet driver incorrectly enables     scatter/gather I/O. A remote attacker could take     advantage of this flaw to obtain potentially sensitive     information from kernel memory.

  - CVE-2016-2143     Marcin Koscielnicki discovered that the fork     implementation in the Linux kernel on s390 platforms     mishandles the case of four page-table levels, which     allows local users to cause a denial of service (system     crash).

  - CVE-2016-3070     Jan Stancek of Red Hat discovered a local denial of     service vulnerability in AIO handling.

  - CVE-2016-3134     The Google Project Zero team found that the netfilter     subsystem does not sufficiently validate filter table     entries. A user with the CAP_NET_ADMIN capability could     use this for denial of service (crash) or possibly for     privilege escalation. Debian disables unprivileged user     namespaces by default, if locally enabled with the     kernel.unprivileged_userns_clone sysctl, this allows     privilege escalation.

  - CVE-2016-3156     Solar Designer discovered that the IPv4 implementation     in the Linux kernel did not perform the destruction of     inet device objects properly. An attacker in a guest OS     could use this to cause a denial of service (networking     outage) in the host OS.

  - CVE-2016-3157 / XSA-171     Andy Lutomirski discovered that the x86_64 (amd64) task     switching implementation did not correctly update the     I/O permission level when running as a Xen paravirtual     (PV) guest. In some configurations this would allow     local users to cause a denial of service (crash) or to     escalate their privileges within the guest.

  - CVE-2016-3672     Hector Marco and Ismael Ripoll noted that it was     possible to disable Address Space Layout Randomisation     (ASLR) for x86_32 (i386) programs by removing the stack     resource limit. This made it easier for local users to     exploit security flaws in programs that have the setuid     or setgid flag set.

  - CVE-2016-3951     It was discovered that the cdc_ncm driver would free     memory prematurely if certain errors occurred during its     initialisation. This allowed a physically present user     with a specially designed USB device to cause a denial     of service (crash) or possibly to escalate their     privileges.

  - CVE-2016-3955     Ignat Korchagin reported that the usbip subsystem did     not check the length of data received for a USB buffer.
    This allowed denial of service (crash) or privilege     escalation on a system configured as a usbip client, by     the usbip server or by an attacker able to impersonate     it over the network. A system configured as a usbip     server might be similarly vulnerable to physically     present users.

  - CVE-2016-3961 / XSA-174     Vitaly Kuznetsov of Red Hat discovered that Linux     allowed the use of hugetlbfs on x86 (i386 and amd64)     systems even when running as a Xen paravirtualised (PV)     guest, although Xen does not support huge pages. This     allowed users with access to /dev/hugepages to cause a     denial of service (crash) in the guest.

  - CVE-2016-4470     David Howells of Red Hat discovered that a local user     can trigger a flaw in the Linux kernel's handling of key     lookups in the keychain subsystem, leading to a denial     of service (crash) or possibly to privilege escalation.

  - CVE-2016-4482, CVE-2016-4485, CVE-2016-4486,     CVE-2016-4569, CVE-2016-4578, CVE-2016-4580,     CVE-2016-5243, CVE-2016-5244

    Kangjie Lu reported that the USB devio, llc, rtnetlink,     ALSA timer, x25, tipc, and rds facilities leaked     information from the kernel stack.

  - CVE-2016-4565     Jann Horn of Google Project Zero reported that various     components in the InfiniBand stack implemented unusual     semantics for the write() operation. On a system with     InfiniBand drivers loaded, local users could use this     for denial of service or privilege escalation.

  - CVE-2016-4581     Tycho Andersen discovered that in some situations the     Linux kernel did not handle propagated mounts correctly.
    A local user can take advantage of this flaw to cause a     denial of service (system crash).

  - CVE-2016-4805     Baozeng Ding discovered a use-after-free in the generic     PPP layer in the Linux kernel. A local user can take     advantage of this flaw to cause a denial of service     (system crash), or potentially escalate their     privileges.

  - CVE-2016-4913     Al Viro found that the ISO9660 filesystem implementation     did not correctly count the length of certain invalid     name entries. Reading a directory containing such name     entries would leak information from kernel memory. Users     permitted to mount disks or disk images could use this     to obtain sensitive information.

  - CVE-2016-4997 / CVE-2016-4998     Jesse Hertz and Tim Newsham discovered that missing     input sanitising in Netfilter socket handling may result     in denial of service. Debian disables unprivileged user     namespaces by default, if locally enabled with the     kernel.unprivileged_userns_clone sysctl, this also     allows privilege escalation.

This update fixes the CVEs described below.

CVE-2016-0821

Solar Designer noted that the list 'poisoning' feature, intended to mitigate the effects of bugs in list manipulation in the kernel, used poison values within the range of virtual addresses that can be allocated by user processes.

CVE-2016-1583

Jann Horn of Google Project Zero reported that the eCryptfs filesystem could be used together with the proc filesystem to cause a kernel stack overflow. If the ecryptfs-utils package was installed, local users could exploit this, via the mount.ecryptfs_private program, for denial of service (crash) or possibly for privilege escalation.

CVE-2016-2184, CVE-2016-2185, CVE-2016-2186, CVE-2016-2187, CVE-2016-3136, CVE-2016-3137, CVE-2016-3138, CVE-2016-3140

Ralf Spenneberg of OpenSource Security reported that various USB drivers do not sufficiently validate USB descriptors. This allowed a physically present user with a specially designed USB device to cause a denial of service (crash). Not all the drivers have yet been fixed.

CVE-2016-3134

The Google Project Zero team found that the netfilter subsystem does not sufficiently validate filter table entries. A user with the CAP_NET_ADMIN capability could use this for denial of service (crash) or possibly for privilege escalation.

CVE-2016-3157 / XSA-171

Andy Lutomirski discovered that the x86_64 (amd64) task switching implementation did not correctly update the I/O permission level when running as a Xen paravirtual (PV) guest. In some configurations this would allow local users to cause a denial of service (crash) or to escalate their privileges within the guest.

CVE-2016-3672

Hector Marco and Ismael Ripoll noted that it was still possible to disable Address Space Layout Randomisation (ASLR) for x86_32 (i386) programs by removing the stack resource limit. This made it easier for local users to exploit security flaws in programs that have the setuid or setgid flag set.

CVE-2016-3951

It was discovered that the cdc_ncm driver would free memory prematurely if certain errors occurred during its initialisation. This allowed a physically present user with a specially designed USB device to cause a denial of service (crash) or possibly to escalate their privileges.

CVE-2016-3955

Ignat Korchagin reported that the usbip subsystem did not check the length of data received for a USB buffer. This allowed denial of service (crash) or privilege escalation on a system configured as a usbip client, by the usbip server or by an attacker able to impersonate it over the network. A system configured as a usbip server might be similarly vulnerable to physically present users.

CVE-2016-3961 / XSA-174

Vitaly Kuznetsov of Red Hat discovered that Linux allowed use of hugetlbfs on x86 (i386 and amd64) systems even when running as a Xen paravirtualised (PV) guest, although Xen does not support huge pages.
This allowed users with access to /dev/hugepages to cause a denial of service (crash) in the guest.

CVE-2016-4482, CVE-2016-4485, CVE-2016-4486, CVE-2016-4569, CVE-2016-4578, CVE-2016-4580, CVE-2016-5243, CVE-2016-5244

Kangjie Lu reported that the USB devio, llc, rtnetlink, ALSA timer, x25, tipc, and rds facilities leaked information from the kernel stack.

CVE-2016-4565

Jann Horn of Google Project Zero reported that various components in the InfiniBand stack implemented unusual semantics for the write() operation. On a system with InfiniBand drivers loaded, local users could use this for denial of service or privilege escalation.

CVE-2016-4913

Al Viro found that the ISO9660 filesystem implementation did not correctly count the length of certain invalid name entries. Reading a directory containing such name entries would leak information from kernel memory. Users permitted to mount disks or disk images could use this to obtain sensitive information.

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.81-1.

This update also fixes bug #627782, which caused data corruption in some applications running on an aufs filesystem, and includes many other bug fixes from upstream stable updates 3.2.79, 3.2.80 and 3.2.81.

For Debian 8 'Jessie', these problems will be fixed soon.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7515)

Zach Riggle discovered that the Linux kernel's list poison feature did not take into account the mmap_min_addr value. A local attacker could use this to bypass the kernel's poison-pointer protection mechanism while attempting to exploit an existing kernel vulnerability.
(CVE-2016-0821)

Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2184)

Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2185)

Ralf Spenneberg discovered that the PowerMate USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2186)

Ralf Spenneberg discovered that the I/O-Warrior USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2188)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the MCT USB RS232 Converter device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3136)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Cypress M8 USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash).
(CVE-2016-3137)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the USB abstract device control driver for modems and ISDN adapters did not validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3138)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Linux kernel's USB driver for Digi AccelePort serial converters did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3140)

It was discovered that the IPv4 implementation in the Linux kernel did not perform the destruction of inet device objects properly. An attacker in a guest OS could use this to cause a denial of service (networking outage) in the host OS. (CVE-2016-3156)

Andy Lutomirski discovered that the Linux kernel did not properly context- switch IOPL on 64-bit PV Xen guests. An attacker in a guest OS could use this to cause a denial of service (guest OS crash), gain privileges, or obtain sensitive information. (CVE-2016-3157)

It was discovered that the Linux kernel's USB driver for IMS Passenger Control Unit devices did not properly validate the device's interfaces. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3689).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-2971-1 fixed vulnerabilities in the Linux kernel for Ubuntu 15.10.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 15.10 for Ubuntu 14.04 LTS.

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7515)

Zach Riggle discovered that the Linux kernel's list poison feature did not take into account the mmap_min_addr value. A local attacker could use this to bypass the kernel's poison-pointer protection mechanism while attempting to exploit an existing kernel vulnerability.
(CVE-2016-0821)

Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2184)

Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2185)

Ralf Spenneberg discovered that the PowerMate USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2186)

Ralf Spenneberg discovered that the I/O-Warrior USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2188)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the MCT USB RS232 Converter device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3136)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Cypress M8 USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash).
(CVE-2016-3137)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the USB abstract device control driver for modems and ISDN adapters did not validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3138)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Linux kernel's USB driver for Digi AccelePort serial converters did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3140)

It was discovered that the IPv4 implementation in the Linux kernel did not perform the destruction of inet device objects properly. An attacker in a guest OS could use this to cause a denial of service (networking outage) in the host OS. (CVE-2016-3156)

Andy Lutomirski discovered that the Linux kernel did not properly context- switch IOPL on 64-bit PV Xen guests. An attacker in a guest OS could use this to cause a denial of service (guest OS crash), gain privileges, or obtain sensitive information. (CVE-2016-3157)

It was discovered that the Linux kernel's USB driver for IMS Passenger Control Unit devices did not properly validate the device's interfaces. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3689).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7515)

Ben Hawkes discovered that the Linux kernel's AIO interface allowed single writes greater than 2GB, which could cause an integer overflow when writing to certain filesystems, socket or device types. A local attacker could this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8830)

Zach Riggle discovered that the Linux kernel's list poison feature did not take into account the mmap_min_addr value. A local attacker could use this to bypass the kernel's poison-pointer protection mechanism while attempting to exploit an existing kernel vulnerability.
(CVE-2016-0821)

Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2184)

Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2185)

Ralf Spenneberg discovered that the PowerMate USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2186)

Ralf Spenneberg discovered that the I/O-Warrior USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2188)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the MCT USB RS232 Converter device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3136)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Cypress M8 USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash).
(CVE-2016-3137)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the USB abstract device control driver for modems and ISDN adapters did not validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3138)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Linux kernel's USB driver for Digi AccelePort serial converters did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3140)

It was discovered that the IPv4 implementation in the Linux kernel did not perform the destruction of inet device objects properly. An attacker in a guest OS could use this to cause a denial of service (networking outage) in the host OS. (CVE-2016-3156)

Andy Lutomirski discovered that the Linux kernel did not properly context- switch IOPL on 64-bit PV Xen guests. An attacker in a guest OS could use this to cause a denial of service (guest OS crash), gain privileges, or obtain sensitive information. (CVE-2016-3157)

It was discovered that the Linux kernel's USB driver for IMS Passenger Control Unit devices did not properly validate the device's interfaces. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3689).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7515)

Ben Hawkes discovered that the Linux kernel's AIO interface allowed single writes greater than 2GB, which could cause an integer overflow when writing to certain filesystems, socket or device types. A local attacker could this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8830)

Zach Riggle discovered that the Linux kernel's list poison feature did not take into account the mmap_min_addr value. A local attacker could use this to bypass the kernel's poison-pointer protection mechanism while attempting to exploit an existing kernel vulnerability.
(CVE-2016-0821)

Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2184)

Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2185)

Ralf Spenneberg discovered that the PowerMate USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2186)

Ralf Spenneberg discovered that the I/O-Warrior USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2188)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the USB abstract device control driver for modems and ISDN adapters did not validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3138)

It was discovered that the IPv4 implementation in the Linux kernel did not perform the destruction of inet device objects properly. An attacker in a guest OS could use this to cause a denial of service (networking outage) in the host OS. (CVE-2016-3156)

Andy Lutomirski discovered that the Linux kernel did not properly context- switch IOPL on 64-bit PV Xen guests. An attacker in a guest OS could use this to cause a denial of service (guest OS crash), gain privileges, or obtain sensitive information. (CVE-2016-3157).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-2968-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS.

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7515)

Ben Hawkes discovered that the Linux kernel's AIO interface allowed single writes greater than 2GB, which could cause an integer overflow when writing to certain filesystems, socket or device types. A local attacker could this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8830)

It was discovered that the Linux kernel did not keep accurate track of pipe buffer details when error conditions occurred, due to an incomplete fix for CVE-2015-1805. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-0774)

Zach Riggle discovered that the Linux kernel's list poison feature did not take into account the mmap_min_addr value. A local attacker could use this to bypass the kernel's poison-pointer protection mechanism while attempting to exploit an existing kernel vulnerability.
(CVE-2016-0821)

Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2184)

Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2185)

Ralf Spenneberg discovered that the PowerMate USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2186)

Ralf Spenneberg discovered that the I/O-Warrior USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2188)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the MCT USB RS232 Converter device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3136)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Cypress M8 USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash).
(CVE-2016-3137)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the USB abstract device control driver for modems and ISDN adapters did not validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3138)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Linux kernel's USB driver for Digi AccelePort serial converters did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3140)

It was discovered that the IPv4 implementation in the Linux kernel did not perform the destruction of inet device objects properly. An attacker in a guest OS could use this to cause a denial of service (networking outage) in the host OS. (CVE-2016-3156)

Andy Lutomirski discovered that the Linux kernel did not properly context- switch IOPL on 64-bit PV Xen guests. An attacker in a guest OS could use this to cause a denial of service (guest OS crash), gain privileges, or obtain sensitive information. (CVE-2016-3157)

It was discovered that the Linux kernel's USB driver for IMS Passenger Control Unit devices did not properly validate the device's interfaces. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3689).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7515)

Ben Hawkes discovered that the Linux kernel's AIO interface allowed single writes greater than 2GB, which could cause an integer overflow when writing to certain filesystems, socket or device types. A local attacker could this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8830)

It was discovered that the Linux kernel did not keep accurate track of pipe buffer details when error conditions occurred, due to an incomplete fix for CVE-2015-1805. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-0774)

Zach Riggle discovered that the Linux kernel's list poison feature did not take into account the mmap_min_addr value. A local attacker could use this to bypass the kernel's poison-pointer protection mechanism while attempting to exploit an existing kernel vulnerability.
(CVE-2016-0821)

Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2184)

Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2185)

Ralf Spenneberg discovered that the PowerMate USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2186)

Ralf Spenneberg discovered that the I/O-Warrior USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2188)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the MCT USB RS232 Converter device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3136)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Cypress M8 USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash).
(CVE-2016-3137)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the USB abstract device control driver for modems and ISDN adapters did not validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3138)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Linux kernel's USB driver for Digi AccelePort serial converters did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3140)

It was discovered that the IPv4 implementation in the Linux kernel did not perform the destruction of inet device objects properly. An attacker in a guest OS could use this to cause a denial of service (networking outage) in the host OS. (CVE-2016-3156)

Andy Lutomirski discovered that the Linux kernel did not properly context- switch IOPL on 64-bit PV Xen guests. An attacker in a guest OS could use this to cause a denial of service (guest OS crash), gain privileges, or obtain sensitive information. (CVE-2016-3157)

It was discovered that the Linux kernel's USB driver for IMS Passenger Control Unit devices did not properly validate the device's interfaces. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3689).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Linux kernel did not properly enforce rlimits for file descriptors sent over UNIX domain sockets. A local attacker could use this to cause a denial of service. (CVE-2013-4312)

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7515)

Ralf Spenneberg discovered that the USB driver for Clie devices in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7566)

Ralf Spenneberg discovered that the usbvision driver in the Linux kernel did not properly sanity check the interfaces and endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7833)

It was discovered that a race condition existed when handling heartbeat- timeout events in the SCTP implementation of the Linux kernel. A remote attacker could use this to cause a denial of service.
(CVE-2015-8767)

Venkatesh Pottem discovered a use-after-free vulnerability in the Linux kernel's CXGB3 driver. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2015-8812)

It was discovered that a race condition existed in the ioctl handler for the TTY driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2016-0723)

It was discovered that the Linux kernel did not keep accurate track of pipe buffer details when error conditions occurred, due to an incomplete fix for CVE-2015-1805. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-0774)

Zach Riggle discovered that the Linux kernel's list poison feature did not take into account the mmap_min_addr value. A local attacker could use this to bypass the kernel's poison-pointer protection mechanism while attempting to exploit an existing kernel vulnerability.
(CVE-2016-0821)

Andy Lutomirski discovered a race condition in the Linux kernel's translation lookaside buffer (TLB) handling of flush events. A local attacker could use this to cause a denial of service or possibly leak sensitive information. (CVE-2016-2069)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework did not verify that a FIFO was attached to a client before attempting to clear it. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-2543)

Dmitry Vyukov discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) framework between timer setup and closing of the client, resulting in a use-after-free. A local attacker could use this to cause a denial of service. (CVE-2016-2544)

Dmitry Vyukov discovered a race condition in the timer handling implementation of the Advanced Linux Sound Architecture (ALSA) framework, resulting in a use-after-free. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-2545)

Dmitry Vyukov discovered race conditions in the Advanced Linux Sound Architecture (ALSA) framework's timer ioctls leading to a use-after-free. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-2546)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework's handling of high resolution timers did not properly manage its data structures. A local attacker could use this to cause a denial of service (system hang or crash) or possibly execute arbitrary code. (CVE-2016-2547, CVE-2016-2548)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework's handling of high resolution timers could lead to a deadlock condition. A local attacker could use this to cause a denial of service (system hang). (CVE-2016-2549)

Ralf Spenneberg discovered that the USB driver for Treo devices in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2016-2782)

It was discovered that the Linux kernel did not enforce limits on the amount of data allocated to buffer pipes. A local attacker could use this to cause a denial of service (resource exhaustion).
(CVE-2016-2847).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124986	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1533)	Nessus	Huawei Local Security Checks	high
124815	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1491)	Nessus	Huawei Local Security Checks	critical
91886	Debian DSA-3607-1 : linux - security update	Nessus	Debian Local Security Checks	critical
91687	Debian DLA-516-1 : linux security update	Nessus	Debian Local Security Checks	critical
91094	Ubuntu 15.10 : linux-raspi2 vulnerabilities (USN-2971-3)	Nessus	Ubuntu Local Security Checks	high
91093	Ubuntu 14.04 LTS : linux-lts-wily vulnerabilities (USN-2971-2)	Nessus	Ubuntu Local Security Checks	high
91092	Ubuntu 15.10 : linux vulnerabilities (USN-2971-1)	Nessus	Ubuntu Local Security Checks	high
91091	Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-2970-1)	Nessus	Ubuntu Local Security Checks	high
91090	Ubuntu 14.04 LTS : linux-lts-utopic vulnerabilities (USN-2969-1)	Nessus	Ubuntu Local Security Checks	high
91089	Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2968-2)	Nessus	Ubuntu Local Security Checks	high
91088	Ubuntu 14.04 LTS : linux vulnerabilities (USN-2968-1)	Nessus	Ubuntu Local Security Checks	high
91087	Ubuntu 12.04 LTS : linux vulnerabilities (USN-2967-1)	Nessus	Ubuntu Local Security Checks	critical

CVE-2016-0821

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins