http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d157bd761585605b7882935ffb86286919f62ea1

84305

USN-2930-1

USN-2930-2

USN-2930-3

USN-3054-1

USN-3055-1

USN-3056-1

USN-3057-1

https://bugzilla.redhat.com/show_bug.cgi?id=1317386

https://code.google.com/p/google-security-research/issues/detail?id=758

https://github.com/torvalds/linux/commit/d157bd761585605b7882935ffb86286919f62ea1

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - Mounting a crafted EXT4 image read-only leads to an     attacker controlled memory corruption and     SLAB-Out-of-Bounds reads.(CVE-2016-10208)

  - An issue was discovered in the hwpoison implementation     in mm/memory-failure.c in the Linux kernel before     5.0.4. When soft_offline_in_use_page() runs on a thp     tail page after pmd is split, an attacker can cause a     denial of service (BUG).(CVE-2019-10124)

  - A stack-based buffer overflow flaw was found in the     Linux kernel's early load microcode functionality. On a     system with UEFI Secure Boot enabled, a local,     privileged user could use this flaw to increase their     privileges to the kernel (ring0) level, bypassing     intended restrictions in place.(CVE-2015-2666)

  - A flaw was found in the way the Linux kernel's     networking subsystem handled offloaded packets with     multiple layers of encapsulation in the GRO (Generic     Receive Offload) code path. A remote attacker could use     this flaw to trigger unbounded recursion in the kernel     that could lead to stack corruption, resulting in a     system crash.(CVE-2016-8666)

  - The ethtool_get_wol function in net/core/ethtool.c in     the Linux kernel through 4.7, as used in Android before     2016-08-05 on Nexus 5 and 7 (2013) devices, does not     initialize a certain data structure, which allows local     users to obtain sensitive information via a crafted     application, aka Android internal bug 28803952 and     Qualcomm internal bug CR570754.(CVE-2014-9900)

  - A vulnerability was found in crypto/ahash.c in the     Linux kernel which allows attackers to cause a denial     of service (API operation calling its own callback, and     infinite recursion) by triggering EBUSY on a full     queue.(CVE-2017-7618)

  - drivers/misc/qseecom.c in the QSEECOM driver for the     Linux kernel 3.x, as used in Qualcomm Innovation Center     (QuIC) Android contributions for MSM devices and other     products, does not validate certain offset, length, and     base values within an ioctl call, which allows     attackers to gain privileges or cause a denial of     service (memory corruption) via a crafted     application.(CVE-2014-4322)

  - An integer overflow vulnerability was found in the     Linux kernel in xt_alloc_table_info, which on 32-bit     systems can lead to small structure allocation and a     copy_from_user based heap corruption.(CVE-2016-3135)

  - Stack-based buffer overflow in the     supply_lm_input_write function in     drivers/thermal/supply_lm_core.c in the MSM Thermal     driver for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, allows attackers to cause a     denial of service or possibly have unspecified other     impact via a crafted application that sends a large     amount of data through the debugfs     interface.(CVE-2016-2063)

  - The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in     the Linux kernel before 3.12.4 updates a certain length     value before ensuring that an associated data structure     has been initialized, which allows local users to     obtain sensitive information from kernel stack memory     via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system     call.(CVE-2013-7264)

  - A bypass was found for the Spectre v1 hardening in the     eBPF engine of the Linux kernel. The code in the     kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic in     various cases, including cases of different branches     with different state or limits to sanitize, leading to     side-channel attacks.(CVE-2019-7308)

  - The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel mishandles     inheritance, which allows local users to cause a denial     of service or possibly have unspecified other impact     via crafted system calls, a related issue to     CVE-2017-8890. An unprivileged local user could use     this flaw to induce kernel memory corruption on the     system, leading to a crash. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-9077)

  - The cgroup offline implementation in the Linux kernel     through 4.8.11 mishandles certain drain operations,     which allows local users to cause a denial of service     (system hang) by leveraging access to a container     environment for executing a crafted application, as     demonstrated by trinity.(CVE-2016-9191)

  - The KVM implementation in the Linux kernel through     4.20.5 has a Use-after-Free.(CVE-2019-7221)

  - A NULL pointer dereference flaw was found in the way     the Linux kernel's network subsystem handled socket     creation with an invalid protocol identifier. A local     user could use this flaw to crash the     system.(CVE-2015-8543)

  - The drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux     kernel, through 4.13.11, allows local users to cause a     denial of service (general protection fault and system     crash) or possibly have unspecified other impact via a     crafted USB device, related to a missing warm-start     check and incorrect attach timing     (dm04_lme2510_frontend_attach versus     dm04_lme2510_tuner).(CVE-2017-16538)

  - A use-after-free flaw was found in the way the Linux     kernel's Advanced Linux Sound Architecture (ALSA)     implementation handled user controls. A local,     privileged user could use this flaw to crash the     system.(CVE-2014-4653)

  - A vulnerability leading to a local privilege escalation     was found in apparmor in the Linux kernel. When     proc_pid_attr_write() was changed to use memdup_user     apparmor's (interface violating) assumption that the     setprocattr buffer was always a single page was     violated.(CVE-2016-6187)

  - A vulnerability was found in the Linux kernel in     'tmpfs' file system. When file permissions are modified     via 'chmod' and the user is not in the owning group or     capable of CAP_FSETID, the setgid bit is cleared in     inode_change_ok(). Setting a POSIX ACL via 'setxattr'     sets the file permissions as well as the new ACL, but     doesn't clear the setgid bit in a similar way; this     allows to bypass the check in 'chmod'.(CVE-2017-5551)

  - A flaw was found in the Linux Kernel in the     ucma_leave_multicast() function in     drivers/infiniband/core/ucma.c which allows access to a     certain data structure after freeing it in     ucma_process_join(). This allows an attacker to cause a     use-after-free bug and to induce kernel memory     corruption, leading to a system crash or other     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2018-14734)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The snd_timer_interrupt function in sound/core/timer.c     in the Linux kernel before 4.4.1 does not properly     maintain a certain linked list, which allows local     users to cause a denial of service (race condition and     system crash) via a crafted ioctl call.(CVE-2016-2545)

  - sound/core/timer.c in the Linux kernel before 4.4.1     uses an incorrect type of mutex, which allows local     users to cause a denial of service (race condition,     use-after-free, and system crash) via a crafted ioctl     call.(CVE-2016-2546)

  - sound/core/timer.c in the Linux kernel before 4.4.1     employs a locking approach that does not consider slave     timer instances, which allows local users to cause a     denial of service (race condition, use-after-free, and     system crash) via a crafted ioctl call.(CVE-2016-2547)

  - sound/core/timer.c in the Linux kernel before 4.4.1     retains certain linked lists after a close or stop     action, which allows local users to cause a denial of     service (system crash) via a crafted ioctl call,     related to the (1) snd_timer_close and (2)
    _snd_timer_stop functions.(CVE-2016-2548)

  - sound/core/hrtimer.c in the Linux kernel before 4.4.1     does not prevent recursive callback access, which     allows local users to cause a denial of service     (deadlock) via a crafted ioctl call.(CVE-2016-2549)

  - A resource-exhaustion vulnerability was found in the     kernel, where an unprivileged process could allocate     and accumulate far more file descriptors than the     process' limit. A local, unauthenticated user could     exploit this flaw by sending file descriptors over a     Unix socket and then closing them to keep the process'     fd count low, thereby creating kernel-memory or     file-descriptors exhaustion (denial of     service).(CVE-2016-2550)

  - It is possible for a single process to cause an OOM     condition by filling large pipes with data that are     never read. A typical process filling 4096 pipes with 1     MB of data will use 4 GB of memory and there can be     multiple such processes, up to a     per-user-limit.(CVE-2016-2847)

  - A security flaw was found in the Linux kernel that an     attempt to move page mapped by AIO ring buffer to the     other node triggers NULL pointer dereference at     trace_writeback_dirty_page(), because     aio_fs_backing_dev_info.dev is 0.(CVE-2016-3070)

  - A security flaw was found in the Linux kernel in the     mark_source_chains() function in     'net/ipv4/netfilter/ip_tables.c'. It is possible for a     user-supplied 'ipt_entry' structure to have a large     'next_offset' field. This field is not bounds checked     prior to writing to a counter value at the supplied     offset.(CVE-2016-3134)

  - An integer overflow vulnerability was found in the     Linux kernel in xt_alloc_table_info, which on 32-bit     systems can lead to small structure allocation and a     copy_from_user based heap corruption.(CVE-2016-3135)

  - The mct_u232_msr_to_state function in     drivers/usb/serial/mct_u232.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted USB device without two     interrupt-in endpoint descriptors.(CVE-2016-3136)

  - drivers/usb/serial/cypress_m8.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a USB device without both an     interrupt-in and an interrupt-out endpoint descriptor,     related to the cypress_generic_port_probe and     cypress_open functions.(CVE-2016-3137)

  - The acm_probe function in drivers/usb/class/cdc-acm.c     in the Linux kernel before 4.5.1 allows physically     proximate attackers to cause a denial of service (NULL     pointer dereference and system crash) via a USB device     without both a control and a data endpoint     descriptor.(CVE-2016-3138)

  - The wacom_probe function in     drivers/input/tablet/wacom_sys.c in the Linux kernel     before 3.17 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-3139)

  - The digi_port_init function in     drivers/usb/serial/digi_acceleport.c in the Linux     kernel before 4.5.1 allows physically proximate     attackers to cause a denial of service (NULL pointer     dereference and system crash) via a crafted endpoints     value in a USB device descriptor.(CVE-2016-3140)

  - 'A security flaw was found in the Linux kernel's     networking subsystem that destroying the network     interface with huge number of ipv4 addresses assigned     keeps ''rtnl_lock'' spinlock for a very long time (up     to hour). This blocks many network-related operations,     including creation of new incoming ssh connections.

  - The problem is especially important for containers, as     the container owner has enough permissions to trigger     this and block a network access on a whole host,     outside the container.(CVE-2016-3156)'

  - A weakness was found in the Linux ASLR implementation.
    Any user able to running 32-bit applications in a x86     machine can disable ASLR by setting the RLIMIT_STACK     resource to unlimited.(CVE-2016-3672)

  - The ims_pcu_parse_cdc_data function in     drivers/input/misc/ims-pcu.c in the Linux kernel before     4.5.1 allows physically proximate attackers to cause a     denial of service (system crash) via a USB device     without both a master and a slave     interface.(CVE-2016-3689)

  - It was found that the Linux kernel's IPv6     implementation mishandled socket options. A local     attacker could abuse concurrent access to the socket     options to escalate their privileges, or cause a denial     of service (use-after-free and system crash) via a     crafted sendmsg system call.(CVE-2016-3841)

  - The usbip_recv_xbuff function in     drivers/usb/usbip/usbip_common.c in the Linux kernel     before 4.5.3 allows remote attackers to cause a denial     of service (out-of-bounds write) or possibly have     unspecified other impact via a crafted length value in     a USB/IP packet.(CVE-2016-3955)

  - A flaw was found in the Linux kernel's keyring handling     code: the key_reject_and_link() function could be     forced to free an arbitrary memory block. An attacker     could use this flaw to trigger a use-after-free     condition on the system, potentially allowing for     privilege escalation.(CVE-2016-4470)

  - The proc_connectinfo() function in     'drivers/usb/core/devio.c' in the Linux kernel through     4.6 does not initialize a certain data structure, which     allows local users to obtain sensitive information from     kernel stack memory via a crafted USBDEVFS_CONNECTINFO     ioctl call. The stack object 'ci' has a total size of 8     bytes. Its last 3 bytes are padding bytes which are not     initialized and are leaked to userland.(CVE-2016-4482)

  - A flaw was found in the way certain interfaces of the     Linux kernel's Infiniband subsystem used write() as     bi-directional ioctl() replacement, which could lead to     insufficient memory security checks when being invoked     using the splice() system call. A local unprivileged     user on a system with either Infiniband hardware     present or RDMA Userspace Connection Manager Access     module explicitly loaded, could use this flaw to     escalate their privileges on the system.(CVE-2016-4565)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ben Hawkes discovered an integer overflow in the Linux netfilter implementation. On systems running 32 bit kernels, a local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-3135)

It was discovered that the keyring implementation in the Linux kernel did not ensure a data structure was initialized before referencing it after an error condition occurred. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-4470)

Sasha Levin discovered that a use-after-free existed in the percpu allocator in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-4794)

Kangjie Lu discovered an information leak in the netlink implementation of the Linux kernel. A local attacker could use this to obtain sensitive information from kernel memory. (CVE-2016-5243).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An integer overflow vulnerability was found in xt_alloc_table_info, which on 32-bit systems can lead to small structure allocation and a copy_from_user based heap corruption. (CVE-2016-3135)

In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset. (CVE-2016-3134)

A weakness was found in the Linux ASLR implementation. Any user able to run 32-bit applications in a x86 machine can disable the ASLR by setting the RLIMIT_STACK resource to unlimited. (CVE-2016-3672)

Destroying a network interface with a large number of IPv4 addresses keeps a rtnl_lock for a very long time, which can block many network-related operations. (CVE-2016-3156)

A use-after-free vulnerability was found in the kernel's socket recvmmsg subsystem. This may allow remote attackers to corrupt memory and may allow execution of arbitrary code. This corruption takes place during the error handling routines within __sys_recvmmsg() function.
(CVE-2016-7117)

(Updated on 2017-01-19: CVE-2016-7117 was fixed in this release but was previously not part of this errata.)

The 4.5.0-302 update contains a number of arm fixes, turns off DEBUG_WX, and actually seems to boot on i686.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 4.4.6 update contains a number of important fixes across the tree

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events.
A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-3134)

Ben Hawkes discovered an integer overflow in the Linux netfilter implementation. On systems running 32 bit kernels, a local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-3135)

Ralf Spenneberg discovered that the USB driver for Clie devices in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7566)

It was discovered that a race condition existed when handling heartbeat- timeout events in the SCTP implementation of the Linux kernel. A remote attacker could use this to cause a denial of service.
(CVE-2015-8767)

It was discovered that a race condition existed in the ioctl handler for the TTY driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2016-0723)

Andrey Konovalov discovered that the ALSA USB MIDI driver incorrectly performed a double-free. A local attacker with physical access could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-2384)

Ralf Spenneberg discovered that the USB driver for Treo devices in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2016-2782).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124978	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1525)	Nessus	Huawei Local Security Checks	critical
124816	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1492)	Nessus	Huawei Local Security Checks	critical
92867	Ubuntu 16.04 LTS : linux-snapdragon vulnerabilities (USN-3057-1)	Nessus	Ubuntu Local Security Checks	high
92866	Ubuntu 16.04 LTS : linux-raspi2 vulnerabilities (USN-3056-1)	Nessus	Ubuntu Local Security Checks	high
92865	Ubuntu 16.04 LTS : linux vulnerabilities (USN-3055-1)	Nessus	Ubuntu Local Security Checks	high
92864	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3054-1)	Nessus	Ubuntu Local Security Checks	high
90778	Amazon Linux AMI : kernel (ALAS-2016-694)	Nessus	Amazon Linux Local Security Checks	critical
90330	Fedora 24 : kernel-4.5.0-302.fc24 (2016-81fd1b03aa)	Nessus	Fedora Local Security Checks	high
90131	Fedora 22 : kernel-4.4.6-200.fc22 (2016-3a57b19360)	Nessus	Fedora Local Security Checks	high
90128	Fedora 23 : kernel-4.4.6-300.fc23 (2016-02ed08bf15)	Nessus	Fedora Local Security Checks	high
89995	Ubuntu 15.10 : linux-raspi2 vulnerabilities (USN-2930-3)	Nessus	Ubuntu Local Security Checks	high
89935	Ubuntu 14.04 LTS : linux-lts-wily vulnerabilities (USN-2930-2)	Nessus	Ubuntu Local Security Checks	high
89934	Ubuntu 15.10 : linux vulnerabilities (USN-2930-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2016-3135

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins