http://source.android.com/security/bulletin/2016-08-01.html

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2186)

  - The snd_compr_tstamp function in     sound/core/compress_offload.c in the Linux kernel     through 4.7, as used in Android before 2016-08-05 on     Nexus 5 and 7 (2013) devices, does not properly     initialize a timestamp data structure, which allows     attackers to obtain sensitive information via a crafted     application, aka Android internal bug 28770164 and     Qualcomm internal bug CR568717.(CVE-2014-9892)

  - A memory leak in the cx23888_ir_probe() function in     drivers/media/pci/cx23885/cx23888-ir.c in the Linux     kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     kfifo_alloc() failures, aka     CID-a7b2df76b42b.(CVE-2019-19054)

  - A memory leak in the adis_update_scan_mode() function     in drivers/iio/imu/adis_buffer.c in the Linux kernel     before 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-ab612b1daf41.(CVE-2019-19060)

  - A memory leak in the adis_update_scan_mode_burst()     function in drivers/iio/imu/adis_buffer.c in the Linux     kernel before 5.3.9 allows attackers to cause a denial     of service (memory consumption), aka     CID-9c0530e898f3.(CVE-2019-19061)

  - A memory leak in the crypto_report() function in     crypto/crypto_user_base.c in the Linux kernel through     5.3.11 allows attackers to cause a denial of service     (memory consumption) by triggering crypto_report_alg()     failures, aka CID-ffdde5932042.(CVE-2019-19062)

  - A memory leak in the ccp_run_sha_cmd() function in     drivers/crypto/ccp/ccp-ops.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-128c66429247.(CVE-2019-18808)

  - In ashmem_ioctl of ashmem.c, there is an out-of-bounds     write due to insufficient locking when accessing asma.
    This could lead to a local elevation of privilege     enabling code execution as a privileged process with no     additional execution privileges needed. User     interaction is not needed for exploitation. Product:
    Android. Versions: Android kernel. Android ID:
    A-66954097.(CVE-2017-13216)

  - A certain backport in the TCP Fast Open implementation     for the Linux kernel before 3.18 does not properly     maintain a count value, which allow local users to     cause a denial of service (system crash) via the Fast     Open feature, as demonstrated by visiting the     chrome://flags/#enable-tcp-fast-open URL when using     certain 3.10.x through 3.16.x kernel builds, including     longterm-maintenance releases and ckt (aka Canonical     Kernel Team) builds.(CVE-2015-3332)

  - The rtnl_fill_link_ifmap function in     net/core/rtnetlink.c in the Linux kernel before 4.5.5     does not initialize a certain data structure, which     allows local users to obtain sensitive information from     kernel stack memory by reading a Netlink     message.(CVE-2016-4486)

  - The ip6gre_err function in net/ipv6/ip6_gre.c in the     Linux kernel allows remote attackers to have     unspecified impact via vectors involving GRE flags in     an IPv6 packet, which trigger an out-of-bounds     access.(CVE-2017-5897)

  - In the Linux kernel before version 4.12, Kerberos 5     tickets decoded when using the RXRPC keys incorrectly     assumes the size of a field. This could lead to the     size-remaining variable wrapping and the data pointer     going over the end of the buffer. This could possibly     lead to memory corruption and possible privilege     escalation.(CVE-2017-7482)

  - A flaw was found in the Linux Kernel where an attacker     may be able to have an uncontrolled read to     kernel-memory from within a vm guest. A race condition     between connect() and close() function may allow an     attacker using the AF_VSOCK protocol to gather a 4 byte     information leak or possibly intercept or corrupt     AF_VSOCK messages destined to other     clients.(CVE-2018-14625)

  - drivers/net/usb/asix_devices.c in the Linux kernel     through 4.13.11 allows local users to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact via a crafted     USB device.(CVE-2017-16647)

  - A memory leak in the ql_alloc_large_buffers() function     in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux     kernel before 5.3.5 allows local users to cause a     denial of service (memory consumption) by triggering     pci_dma_mapping_error() failures, aka     CID-1acb8f2a7a9f.(CVE-2019-18806)

  - An issue was discovered in the fd_locked_ioctl function     in drivers/block/floppy.c in the Linux kernel through     4.15.7. The floppy driver will copy a kernel pointer to     user memory in response to the FDGETPRM ioctl. An     attacker can send the FDGETPRM ioctl and use the     obtained kernel pointer to discover the location of     kernel code and data and bypass kernel security     protections such as KASLR.(CVE-2018-7755)

  - The usbvision driver in the Linux kernel package     3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red     Hat Enterprise Linux (RHEL) 7.1 allows physically     proximate attackers to cause a denial of service     (panic) via a nonzero bInterfaceNumber value in a USB     device descriptor.(CVE-2015-7833)

  - A flaw that allowed an attacker to corrupt memory and     possibly escalate privileges was found in the mwifiex     kernel module while connecting to a malicious wireless     network.(CVE-2019-3846)

  - drivers/net/wireless/marvell/libertas/if_sdio.c in the     Linux kernel 5.2.14 does not check the alloc_workqueue     return value, leading to a NULL pointer     dereference.(CVE-2019-16232)

  - drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the     Linux kernel 5.2.14 does not check the alloc_workqueue     return value, leading to a NULL pointer     dereference.(CVE-2019-16234)

  - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14     does not check the alloc_workqueue return value,     leading to a NULL pointer dereference.(CVE-2019-16231)

  - Insufficient access control in the Intel(R)     PROSet/Wireless WiFi Software driver before version     21.10 may allow an unauthenticated user to potentially     enable denial of service via adjacent     access.(CVE-2019-0136)

  - A flaw was found in the Linux kernel. A heap based     buffer overflow in mwifiex_uap_parse_tail_ies function     in drivers/net/wireless/marvell/mwifiex/ie.c might lead     to memory corruption and possibly other     consequences.(CVE-2019-10126)

  - The Bluetooth BR/EDR specification up to and including     version 5.1 permits sufficiently low encryption key     length and does not prevent an attacker from     influencing the key length negotiation. This allows     practical brute-force attacks (aka 'KNOB') that can     decrypt traffic and inject arbitrary ciphertext without     the victim noticing.(CVE-2019-9506)

  - An issue was discovered in net/wireless/nl80211.c in     the Linux kernel through 5.2.17. It does not check the     length of variable elements in a beacon head, leading     to a buffer overflow.(CVE-2019-16746)

  - In the hidp_process_report in bluetooth, there is an     integer overflow. This could lead to an out of bounds     write with no additional execution privileges needed.
    User interaction is not needed for exploitation.
    Product: Android Versions: Android kernel Android ID:
    A-65853588 References: Upstream kernel.(CVE-2018-9363)

  - An issue was discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance.(CVE-2019-17075)

  - rtl_p2p_noa_ie in     drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux     kernel through 5.3.6 lacks a certain upper-bound check,     leading to a buffer overflow.(CVE-2019-17666)

  - arch/arm/mm/dma-mapping.c in the Linux kernel before     3.13 on ARM platforms, as used in Android before     2016-08-05 on Nexus 5 and 7 (2013) devices, does not     prevent executable DMA mappings, which might allow     local users to gain privileges via a crafted     application, aka Android internal bug 28803642 and     Qualcomm internal bug CR642735.(CVE-2014-9888)

  - An issue was discovered in drivers/i2c/i2c-core-smbus.c     in the Linux kernel before 4.14.15. There is an out of     bounds write in the function     i2c_smbus_xfer_emulated.(CVE-2017-18551)

  - The rds_ib_xmit function in net/rds/ib_send.c in the     Reliable Datagram Sockets (RDS) protocol implementation     in the Linux kernel 3.7.4 and earlier allows local     users to cause a denial of service (BUG_ON and kernel     panic) by establishing an RDS connection with the     source IP address equal to the IPoIB interface's own IP     address, as demonstrated by rds-ping.(CVE-2012-2372)

  - In the Linux kernel through 5.3.2,     cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c     does not reject a long SSID IE, leading to a Buffer     Overflow.(CVE-2019-17133)

  - A memory leak in the bfad_im_get_stats() function in     drivers/scsi/bfa/bfad_attr.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption) by triggering     bfa_port_get_stats() failures, aka     CID-0e62395da2bd.(CVE-2019-19066)

  - The kernel in Android before 2016-08-05 on Nexus 7     (2013) devices allows attackers to gain privileges via     a crafted application, aka internal bug     28522518.(CVE-2016-3857)

  - arch/arm64/kernel/sys.c in the Linux kernel before 4.0     allows local users to bypass the 'strict page     permissions' protection mechanism and modify the     system-call table, and consequently gain privileges, by     leveraging write access.(CVE-2015-8967)

  - arch/arm64/kernel/perf_event.c in the Linux kernel     before 4.1 on arm64 platforms allows local users to     gain privileges or cause a denial of service (invalid     pointer dereference) via vectors involving events that     are mishandled during a span of multiple HW     PMUs.(CVE-2015-8955)

  - The __clear_user function in     arch/arm64/lib/clear_user.S in the Linux kernel before     3.17.4 on the ARM64 platform allows local users to     cause a denial of service (system crash) by reading one     byte beyond a /dev/zero page boundary.(CVE-2014-7843)

  - The x86/fpu (Floating Point Unit) subsystem in the     Linux kernel before 4.13.5, when a processor supports     the xsave feature but not the xsaves feature, does not     correctly handle attempts to set reserved bits in the     xstate header via the ptrace() or rt_sigreturn() system     call, allowing local users to read the FPU registers of     other processes on the system, related to     arch/x86/kernel/fpu/regset.c and     arch/x86/kernel/fpu/signal.c.(CVE-2017-15537)

  - The Linux kernel before 3.11 on ARM platforms, as used     in Android before 2016-08-05 on Nexus 5 and 7 (2013)     devices, does not properly consider user-space access     to the TPIDRURW register, which allows local users to     gain privileges via a crafted application, aka Android     internal bug 28749743 and Qualcomm internal bug     CR561044.(CVE-2014-9870)

  - ** DISPUTED ** Race condition in the     store_int_with_restart() function in     arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel     through 4.15.7 allows local users to cause a denial of     service (panic) by leveraging root access to write to     the check_interval file in a     /sys/devices/system/machinecheck/machinecheck     directory. NOTE: a third party has indicated that this     report is not security relevant.(CVE-2018-7995)

  - arch/x86/kernel/entry_32.S in the Linux kernel through     3.15.1 on 32-bit x86 platforms, when syscall auditing     is enabled and the sep CPU feature flag is set, allows     local users to cause a denial of service (OOPS and     system crash) via an invalid syscall number, as     demonstrated by number 1000.(CVE-2014-4508)

  - arch/x86/kernel/tls.c in the Thread Local Storage (TLS)     implementation in the Linux kernel through 3.18.1     allows local users to bypass the espfix protection     mechanism, and consequently makes it easier for local     users to bypass the ASLR protection mechanism, via a     crafted application that makes a set_thread_area system     call and later reads a 16-bit value.(CVE-2014-8133)

  - arch/mips/include/asm/thread_info.h in the Linux kernel     before 3.14.8 on the MIPS platform does not configure
    _TIF_SECCOMP checks on the fast system-call path, which     allows local users to bypass intended PR_SET_SECCOMP     restrictions by executing a crafted application without     invoking a trace or audit subsystem.(CVE-2014-4157)

  - Integer signedness error in the oz_hcd_get_desc_cnf     function in drivers/staging/ozwpan/ozhcd.c in the     OZWPAN driver in the Linux kernel through 4.0.5 allows     remote attackers to cause a denial of service (system     crash) or possibly execute arbitrary code via a crafted     packet.(CVE-2015-4001)

  - drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver     in the Linux kernel through 4.0.5 does not ensure that     certain length values are sufficiently large, which     allows remote attackers to cause a denial of service     (system crash or large loop) or possibly execute     arbitrary code via a crafted packet, related to the (1)     oz_usb_rx and (2) oz_usb_handle_ep_data     functions.(CVE-2015-4002)

  - The oz_usb_handle_ep_data function in     drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver     in the Linux kernel through 4.0.5 allows remote     attackers to cause a denial of service (divide-by-zero     error and system crash) via a crafted     packet.(CVE-2015-4003)

  - The OZWPAN driver in the Linux kernel through 4.0.5     relies on an untrusted length field during packet     parsing, which allows remote attackers to obtain     sensitive information from kernel memory or cause a     denial of service (out-of-bounds read and system crash)     via a crafted packet.(CVE-2015-4004)

  - Race condition in the sclp_ctl_ioctl_sccb function in     drivers/s390/char/sclp_ctl.c in the Linux kernel before     4.6 allows local users to obtain sensitive information     from kernel memory by changing a certain length value,     aka a 'double fetch' vulnerability.(CVE-2016-6130)

  - The print_binder_transaction_ilocked function in     drivers/android/binder.c in the Linux kernel 4.14.90     allows local users to obtain sensitive address     information by reading '*from *code *flags' lines in a     debugfs file.(CVE-2018-20510)

  - In the Linux kernel before 4.1.4, a buffer overflow     occurs when checking userspace params in     drivers/media/dvb-frontends/cx24116.c. The maximum size     for a DiSEqC command is 6, according to the userspace     API. However, the code allows larger values such as     23.(CVE-2015-9289)

  - The saa7164_bus_get function in     drivers/media/pci/saa7164/saa7164-bus.c in the Linux     kernel through 4.11.5 allows local users to cause a     denial of service (out-of-bounds array access) or     possibly have unspecified other impact by changing a     certain sequence-number value, aka a 'double fetch'     vulnerability.(CVE-2017-8831)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Chiachih Wu, Yuan-Tsung Lo, and Xuxian Jiang discovered that the legacy ABI for ARM (OABI) had incomplete access checks for epoll_wait(2) and semtimedop(2). A local attacker could use this to possibly execute arbitrary code.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes the CVEs described below.

CVE-2016-3857

Chiachih Wu reported two bugs in the ARM OABI compatibility layer that can be used by local users for privilege escalation. The OABI compatibility layer is enabled in all kernel flavours for armel and armhf.

CVE-2016-4470

Wade Mealing of the Red Hat Product Security Team reported that in some error cases the KEYS subsystem will dereference an uninitialised pointer. A local user can use the keyctl() system call for denial of service (crash) or possibly for privilege escalation.

CVE-2016-5696

Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V.
Krishnamurthy of the University of California, Riverside; and Lisa M.
Marvel of the United States Army Research Laboratory discovered that Linux's implementation of the TCP Challenge ACK feature results in a side channel that can be used to find TCP connections between specific IP addresses, and to inject messages into those connections.

Where a service is made available through TCP, this may allow remote attackers to impersonate another connected user to the server or to impersonate the server to another connected user. In case the service uses a protocol with message authentication (e.g. TLS or SSH), this vulnerability only allows denial of service (connection failure). An attack takes tens of seconds, so short-lived TCP connections are also unlikely to be vulnerable.

This may be mitigated by increasing the rate limit for TCP Challenge ACKs so that it is never exceeded: sysctl net.ipv4.tcp_challenge_ack_limit=1000000000

CVE-2016-5829

Several heap-based buffer overflow vulnerabilities were found in the hiddev driver, allowing a local user with access to a HID device to cause a denial of service or potentially escalate their privileges.

CVE-2016-6136

Pengfei Wang discovered that the audit subsystem has a 'double-fetch' or 'TOCTTOU' bug in its handling of special characters in the name of an executable. Where audit logging of execve() is enabled, this allows a local user to generate misleading log messages.

CVE-2016-6480

Pengfei Wang discovered that the aacraid driver for Adaptec RAID controllers has a 'double-fetch' or 'TOCTTOU' bug in its validation of 'FIB' messages passed through the ioctl() system call. This has no practical security impact in current Debian releases.

CVE-2016-6828

Marco Grassi reported a 'use-after-free' bug in the TCP implementation, which can be triggered by local users. The security impact is unclear, but might include denial of service or privilege escalation.

CVE-2016-7118

Marcin Szewczyk reported that calling fcntl() on a file descriptor for a directory on an aufs filesystem would result in am 'oops'. This allows local users to cause a denial of service. This is a Debian-specific regression introduced in version 3.2.81-1.

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.81-2. This version also fixes a build failure (bug #827561) for custom kernels with CONFIG_MODULES disabled, a regression in version 3.2.81-1. It also updates the PREEMPT_RT featureset to version 3.2.81-rt117.

For Debian 8 'Jessie', CVE-2016-3857 has no impact; CVE-2016-4470 and CVE-2016-5829 were fixed in linux version 3.16.7-ckt25-2+deb8u3 or earlier; and the remaining issues are fixed in version 3.16.36-1+deb8u1.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
131805	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2531)	Nessus	Huawei Local Security Checks	high
93601	Ubuntu 12.04 LTS : linux vulnerability (USN-3082-1)	Nessus	Ubuntu Local Security Checks	high
93321	Debian DLA-609-1 : linux security update	Nessus	Debian Local Security Checks	high

CVE-2016-3857

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins