DSA-3791

94686

https://source.android.com/security/bulletin/2016-12-01.html

The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2016-8405: An information disclosure vulnerability     in kernel components including the ION subsystem,     Binder, USB driver and networking subsystem could enable     a local malicious application to access data outside of     its permission levels. (bnc#1099942).

  - CVE-2017-13305: A information disclosure vulnerability     existed in the encrypted-keys handling. (bnc#1094353).

  - CVE-2018-1000204: A malformed SG_IO ioctl issued for a     SCSI device could lead to a local kernel information     leak manifesting in up to approximately 1000 memory     pages copied to the userspace. The problem has limited     scope as non-privileged users usually have no     permissions to access SCSI device files. (bnc#1096728).

  - CVE-2018-1068: A flaw was found in the implementation of     32-bit syscall interface for bridging. This allowed a     privileged user to arbitrarily write to a limited range     of kernel memory (bnc#1085107).

  - CVE-2018-1130: A NULL pointer dereference in     dccp_write_xmit() function in net/dccp/output.c allowed     a local user to cause a denial of service by a number of     certain crafted system calls (bnc#1092904).

  - CVE-2018-12233: In the ea_get function in fs/jfs/xattr.c     a memory corruption bug in JFS can be triggered by     calling setxattr twice with two different extended     attribute names on the same file. This vulnerability can     be triggered by an unprivileged user with the ability to     create files and execute programs. A kmalloc call is     incorrect, leading to slab-out-of-bounds in jfs_xattr     (bnc#1097234).

  - CVE-2018-13053: The alarm_timer_nsleep function in     kernel/time/alarmtimer.c had an integer overflow via a     large relative timeout because ktime_add_safe is not     used (bnc#1099924).

  - CVE-2018-13406: An integer overflow in the     uvesafb_setcmap function in     drivers/video/fbdev/uvesafb.c kernel could result in     local attackers being able to crash the kernel or     potentially elevate privileges because kmalloc_array is     not used (bnc#1098016 1100418).

  - CVE-2018-3620: Local attackers on baremetal systems     could use speculative code patterns on hyperthreaded     processors to read data present in the L1 Datacache used     by other hyperthreads on the same CPU core, potentially     leaking sensitive data. (bnc#1087081).

  - CVE-2018-3646: Local attackers in virtualized guest     systems could use speculative code patterns on     hyperthreaded processors to read data present in the L1     Datacache used by other hyperthreads on the same CPU     core, potentially leaking sensitive data, even from     other virtual machines or the host system.
    (bnc#1089343).

  - CVE-2018-5803: An error in the '_sctp_make_chunk()'     function (net/sctp/sm_make_chunk.c) when handling SCTP     packets length could be exploited to cause a kernel     crash (bnc#1083900).

  - CVE-2018-5814: Multiple race condition errors when     handling probe, disconnect, and rebind operations could     be exploited to trigger a use-after-free condition or a     NULL pointer dereference by sending multiple USB over IP     packets (bnc#1096480).

  - CVE-2018-7492: A NULL pointer dereference was found in     the net/rds/rdma.c __rds_rdma_map() function allowing     local attackers to cause a system panic and a     denial-of-service, related to RDS_GET_MR and     RDS_GET_MR_FOR_DEST (bnc#1082962).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2018-3620: Local attackers on baremetal systems     could use speculative code patterns on hyperthreaded     processors to read data present in the L1 Datacache used     by other hyperthreads on the same CPU core, potentially     leaking sensitive data. (bnc#1087081).

  - CVE-2018-3646: Local attackers in virtualized guest     systems could use speculative code patterns on     hyperthreaded processors to read data present in the L1     Datacache used by other hyperthreads on the same CPU     core, potentially leaking sensitive data, even from     other virtual machines or the host system.
    (bnc#1089343).

  - CVE-2018-1000204: A malformed SG_IO ioctl issued for a     SCSI device could lead to a local kernel information     leak manifesting in up to approximately 1000 memory     pages copied to the userspace. The problem has limited     scope as non-privileged users usually have no     permissions to access SCSI device files. (bnc#1096728).

  - CVE-2018-13053: The alarm_timer_nsleep function in     kernel/time/alarmtimer.c had an integer overflow via a     large relative timeout because ktime_add_safe is not     used (bnc#1099924).

  - CVE-2018-13406: An integer overflow in the     uvesafb_setcmap function in     drivers/video/fbdev/uvesafb.c could result in local     attackers being able to crash the kernel or potentially     elevate privileges because kmalloc_array is not used     (bnc#1098016 bnc#1100418).

  - CVE-2016-8405: An information disclosure vulnerability     in kernel components including the ION subsystem,     Binder, USB driver and networking subsystem could enable     a local malicious application to access data outside of     its permission levels. (bnc#1099942).

  - CVE-2018-5814: Multiple race condition errors when     handling probe, disconnect, and rebind operations could     be exploited to trigger a use-after-free condition or a     NULL pointer dereference by sending multiple USB over IP     packets (bnc#1096480).

  - CVE-2018-12233: In the ea_get function in fs/jfs/xattr.c     a memory corruption bug in JFS can be triggered by     calling setxattr twice with two different extended     attribute names on the same file. This vulnerability can     be triggered by an unprivileged user with the ability to     create files and execute programs. (bnc#1097234).

  - CVE-2017-13305: A information disclosure vulnerability     in the Upstream kernel encrypted-keys. (bnc#1094353).

  - CVE-2018-1130: A NULL pointer dereference in     dccp_write_xmit() function in net/dccp/output.c allowed     a local user to cause a denial of service by a number of     certain crafted system calls (bnc#1092904).

  - CVE-2018-1068: A flaw was found in the implementation of     32-bit syscall interface for bridging. This allowed a     privileged user to arbitrarily write to a limited range     of kernel memory (bnc#1085107).

  - CVE-2018-5803: An error in the '_sctp_make_chunk()'     function (net/sctp/sm_make_chunk.c) when handling SCTP     packets length could be exploited to cause a kernel     crash (bnc#1083900).

  - CVE-2018-7492: A NULL pointer dereference was found in     the net/rds/rdma.c __rds_rdma_map() function allowed     local attackers to cause a system panic and a     denial-of-service, related to RDS_GET_MR and     RDS_GET_MR_FOR_DEST (bnc#1082962).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Peter Pi discovered that the colormap handling for frame buffer devices in the Linux kernel contained an integer overflow. A local attacker could use this to disclose sensitive information (kernel memory). (CVE-2016-8405)

It was discovered that the Linux kernel did not properly restrict RLIMIT_STACK size. A local attacker could use this in conjunction with another vulnerability to possibly execute arbitrary code.
(CVE-2017-1000365)

It was discovered that SELinux in the Linux kernel did not properly handle empty writes to /proc/pid/attr. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2618)

Shi Lei  discovered that the RxRPC Kerberos 5 ticket handling code in the Linux kernel did not properly verify metadata. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7482).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3358-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Please note that this update changes the Linux HWE kernel to the 4.10 based kernel from Ubuntu 17.04, superseding the 4.8 based HWE kernel from Ubuntu 16.10.

Ben Harris discovered that the Linux kernel would strip extended privilege attributes of files when performing a failed unprivileged system call. A local attacker could use this to cause a denial of service. (CVE-2015-1350)

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208)

Peter Pi discovered that the colormap handling for frame buffer devices in the Linux kernel contained an integer overflow. A local attacker could use this to disclose sensitive information (kernel memory). (CVE-2016-8405)

It was discovered that an integer overflow existed in the InfiniBand RDMA over ethernet (RXE) transport implementation in the Linux kernel.
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-8636)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084)

CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

Dmitry Vyukov, Andrey Konovalov, Florian Westphal, and Eric Dumazet discovered that the netfiler subsystem in the Linux kernel mishandled IPv6 packet reassembly. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-9755)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596)

It was discovered that SELinux in the Linux kernel did not properly handle empty writes to /proc/pid/attr. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2618)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

It was discovered that the freelist-randomization in the SLAB memory allocator allowed duplicate freelist entries. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-5546)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549)

It was discovered that a fencepost error existed in the pipe_advance() function in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5550)

It was discovered that the Linux kernel did not clear the setgid bit during a setxattr call on a tmpfs filesystem. A local attacker could use this to gain elevated group privileges. (CVE-2017-5551)

Murray McAllister discovered that an integer overflow existed in the VideoCore DRM driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-5576)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970)

Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made improper assumptions about internal data layout when performing checksums. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348)

Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7187)

It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261)

It was discovered that the USB Cypress HID drivers for the Linux kernel did not properly validate reported information from the device.
An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-7273)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion).
(CVE-2017-8925)

Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts.

  - CVE-2016-6786 / CVE-2016-6787     It was discovered that the performance events subsystem     does not properly manage locks during certain     migrations, allowing a local attacker to escalate     privileges. This can be mitigated by disabling     unprivileged use of performance events:sysctl     kernel.perf_event_paranoid=3

  - CVE-2016-8405     Peter Pi of Trend Micro discovered that the frame buffer     video subsystem does not properly check bounds while     copying color maps to userspace, causing a heap buffer     out-of-bounds read, leading to information disclosure.

  - CVE-2016-9191     CAI Qian discovered that reference counting is not     properly handled within proc_sys_readdir in the sysctl     implementation, allowing a local denial of service     (system hang) or possibly privilege escalation.

  - CVE-2017-2583     Xiaohan Zhang reported that KVM for amd64 does not     correctly emulate loading of a null stack selector. This     can be used by a user in a guest VM for denial of     service (on an Intel CPU) or to escalate privileges     within the VM (on an AMD CPU).

  - CVE-2017-2584     Dmitry Vyukov reported that KVM for x86 does not     correctly emulate memory access by the SGDT and SIDT     instructions, which can result in a use-after-free and     information leak.

  - CVE-2017-2596     Dmitry Vyukov reported that KVM leaks page references     when emulating a VMON for a nested hypervisor. This can     be used by a privileged user in a guest VM for denial of     service or possibly to gain privileges in the host.

  - CVE-2017-2618     It was discovered that an off-by-one in the handling of     SELinux attributes in /proc/pid/attr could result in     local denial of service.

  - CVE-2017-5549     It was discovered that the KLSI KL5KUSB105 serial USB     device driver could log the contents of uninitialised     kernel memory, resulting in an information leak.

  - CVE-2017-5551     Jan Kara found that changing the POSIX ACL of a file on     tmpfs never cleared its set-group-ID flag, which should     be done if the user changing it is not a member of the     group-owner. In some cases, this would allow the     user-owner of an executable to gain the privileges of     the group-owner.

  - CVE-2017-5897     Andrey Konovalov discovered an out-of-bounds read flaw     in the ip6gre_err function in the IPv6 networking code.

  - CVE-2017-5970     Andrey Konovalov discovered a denial-of-service flaw in     the IPv4 networking code. This can be triggered by a     local or remote attacker if a local UDP or raw socket     has the IP_RETOPTS option enabled.

  - CVE-2017-6001     Di Shen discovered a race condition between concurrent     calls to the performance events subsystem, allowing a     local attacker to escalate privileges. This flaw exists     because of an incomplete fix of CVE-2016-6786. This can     be mitigated by disabling unprivileged use of     performance events: sysctl kernel.perf_event_paranoid=3

  - CVE-2017-6074     Andrey Konovalov discovered a use-after-free     vulnerability in the DCCP networking code, which could     result in denial of service or local privilege     escalation. On systems that do not already have the dccp     module loaded, this can be mitigated by disabling     it:echo >> /etc/modprobe.d/disable-dccp.conf install     dccp false

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts.

CVE-2014-9888

Russell King found that on ARM systems, memory allocated for DMA buffers was mapped with executable permission. This made it easier to exploit other vulnerabilities in the kernel.

CVE-2014-9895

Dan Carpenter found that the MEDIA_IOC_ENUM_LINKS ioctl on media devices resulted in an information leak.

CVE-2016-6786 / CVE-2016-6787

It was discovered that the performance events subsystem does not properly manage locks during certain migrations, allowing a local attacker to escalate privileges. This can be mitigated by disabling unprivileged use of performance events: sysctl kernel.perf_event_paranoid=3

CVE-2016-8405

Peter Pi of Trend Micro discovered that the frame buffer video subsystem does not properly check bounds while copying color maps to userspace, causing a heap buffer out-of-bounds read, leading to information disclosure.

CVE-2017-5549

It was discovered that the KLSI KL5KUSB105 serial USB device driver could log the contents of uninitialised kernel memory, resulting in an information leak.

CVE-2017-6001

Di Shen discovered a race condition between concurrent calls to the performance events subsystem, allowing a local attacker to escalate privileges. This flaw exists because of an incomplete fix of CVE-2016-6786. This can be mitigated by disabling unprivileged use of performance events: sysctl kernel.perf_event_paranoid=3

CVE-2017-6074

Andrey Konovalov discovered a use-after-free vulnerability in the DCCP networking code, which could result in denial of service or local privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.84-2.

For Debian 8 'Jessie', these problems have been fixed in version 3.16.39-1+deb8u1 or earlier.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
111833	SUSE SLES11 Security Update : kernel (SUSE-SU-2018:2366-1) (Foreshadow)	Nessus	SuSE Local Security Checks	high
111782	SUSE SLES11 Security Update : kernel (SUSE-SU-2018:2332-1) (Foreshadow)	Nessus	SuSE Local Security Checks	high
102261	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3381-1) (Stack Clash)	Nessus	Ubuntu Local Security Checks	high
101929	Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3361-1)	Nessus	Ubuntu Local Security Checks	critical
97357	Debian DSA-3791-1 : linux - security update	Nessus	Debian Local Security Checks	high
97332	Debian DLA-833-1 : linux security update	Nessus	Debian Local Security Checks	high

CVE-2016-8405

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins