[oss-security] 20161107 Re: Re: kernel: fix minor infoleak in get_user_ex()

94545

USN-3146-1

USN-3146-2

https://lwn.net/Articles/705220/

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0145 for details.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2017-3609 advisory.

  - The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users     to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial     of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.
    (CVE-2017-12134)

  - The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through     RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into     account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and     earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23.
    (CVE-2017-1000365)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - nfsd: stricter decoding of write-like NFSv2/v3 ops (J.
    Bruce Fields) [Orabug: 25986990] (CVE-2017-7895)

  - fnic: Update fnic driver version to 1.6.0.24 (John     Sobecki) [Orabug: 24448585]

  - xen-netfront: Rework the fix for Rx stall during OOM and     network stress (Dongli Zhang) [Orabug: 25450703]

  - xen-netfront: Fix Rx stall during network stress and OOM     (Dongli Zhang) [Orabug: 25450703]

  - ipv6: Skip XFRM lookup if dst_entry in socket cache is     valid (Jakub Sitnicki)

  - uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles) [Orabug:
    25549809]

  - ksplice: add sysctls for determining Ksplice features.
    (Jamie Iles) 

  - signal: protect SIGNAL_UNKILLABLE from unintentional     clearing. (Jamie Iles) [Orabug: 25549809]

  - VSOCK: Fix lockdep issue. (Dongli Zhang) [Orabug:
    25559937]

  - VSOCK: sock_put wasn't safe to call in interrupt context     (Dongli Zhang) [Orabug: 25559937]

  - IB/CORE: sync the resouce access in fmr_pool (Wengang     Wang) [Orabug: 25677469]

  - KVM: x86: fix emulation of 'MOV SS, null selector'     (Paolo Bonzini) [Orabug: 25719675] (CVE-2017-2583)     (CVE-2017-2583)

  - ext4: validate s_first_meta_bg at mount time (Eryu Guan)     [Orabug: 25719738] (CVE-2016-10208)

  - sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo     Ricardo Leitner) [Orabug: 25719810] (CVE-2017-5986)

  - tcp: avoid infinite loop in tcp_splice_read (Eric     Dumazet) [Orabug: 25720813] (CVE-2017-6214)

  - lpfc cannot establish connection with targets that send     PRLI under P2P mode (Joe Jin) [Orabug: 25759083]

  - USB: visor: fix null-deref at probe (Johan Hovold)     [Orabug: 25796594] (CVE-2016-2782)

  - ipc/shm: Fix shmat mmap nil-page protection (Davidlohr     Bueso) [Orabug: 25797012] (CVE-2017-5669)

  - vhost: actually track log eventfd file     (Marc-Andr&eacute  Lureau) [Orabug: 25797052]     (CVE-2015-6252)

  - xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size     harder (Andy Whitcroft) [Orabug: 25814663]     (CVE-2017-7184)

  - xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL     replay_window (Andy Whitcroft) [Orabug: 25814663]     (CVE-2017-7184)

  - KEYS: Remove key_type::match in favour of overriding     default by match_preparse (Aniket Alshi) [Orabug:
    25823962] (CVE-2017-2647) (CVE-2017-2647)

  - USB: whiteheat: fix potential null-deref at probe (Johan     Hovold) [Orabug: 25825105] (CVE-2015-5257)     (CVE-2015-5257)

  - udf: Check path length when reading symlink (Jan Kara)     [Orabug: 25871102] (CVE-2015-9731)

  - udp: properly support MSG_PEEK with truncated buffers     (Eric Dumazet) [Orabug: 25876655] (CVE-2016-10229)

  - block: fix use-after-free in seq file (Vegard Nossum)     [Orabug: 25877530] (CVE-2016-7910)

  - Revert 'fix minor infoleak in get_user_ex' (Brian Maly)     [Orabug: 25790392] (CVE-2016-9644)

  - net: ping: check minimum size on ICMP header length     (Kees Cook) [Orabug: 25766911] (CVE-2016-8399)

  - ipv6: stop sending PTB packets for MTU < 1280 (Hagen     Paul Pfeifer) [Orabug: 25765776] (CVE-2016-10142)

  - sg_write/bsg_write is not fit to be called under     KERNEL_DS (Al Viro) [Orabug: 25765445] (CVE-2016-10088)

  - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter     chang) [Orabug: 25751996] (CVE-2017-7187)

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2017-3566 advisory.

  - The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the Linux kernel before 4.9.5     improperly emulates a MOV SS, NULL selector instruction, which allows guest OS users to cause a denial     of service (guest OS crash) or gain guest OS privileges via a crafted application. (CVE-2017-2583)

  - The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers     to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the     URG flag. (CVE-2017-6214)

  - The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not     validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root     privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN     capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-     image-* package 4.8.0.41.52. (CVE-2017-7184)

  - The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly     validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-     of-bounds read and system crash) via a crafted ext4 image. (CVE-2016-10208)

  - Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11     allows local users to cause a denial of service (assertion failure and panic) via a multithreaded     application that peels off an association in a certain buffer-full state. (CVE-2017-5986)

  - The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the     end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have     unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.
    (CVE-2017-7895)

  - The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux kernel before 4.1.5 allows local users     to cause a denial of service (memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers     permanent file-descriptor allocation. (CVE-2015-6252)

  - The KEYS subsystem in the Linux kernel before 3.18 allows local users to gain privileges or cause a denial     of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain     match field, related to the keyring_search_iterator function in keyring.c. (CVE-2017-2647)

  - drivers/usb/serial/whiteheat.c in the Linux kernel before 4.2.4 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact     via a crafted USB device. NOTE: this ID was incorrectly used for an Apache Cordova issue that has the     correct ID of CVE-2015-8320. (CVE-2015-5257)

  - The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically     proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly     have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in     endpoint. (CVE-2016-2782)

  - The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address     calculated by a certain rounding operation, which allows local users to map page zero, and consequently     bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat     system calls in a privileged context. (CVE-2017-5669)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Revert 'x86/mm: Expand the exception table logic to     allow new handling options' (Brian Maly) [Orabug:
    25790387] (CVE-2016-9644)

  - Revert 'fix minor infoleak in get_user_ex' (Brian Maly)     [Orabug: 25790387] (CVE-2016-9644)

  - x86/mm: Expand the exception table logic to allow new     handling options (Tony Luck) [Orabug: 25790387]     (CVE-2016-9644)

  - rebuild bumping release

  - net: ping: check minimum size on ICMP header length     (Kees Cook) [Orabug: 25766898] (CVE-2016-8399)     (CVE-2016-8399)

  - sg_write/bsg_write is not fit to be called under     KERNEL_DS (Al Viro) [Orabug: 25765436] (CVE-2016-10088)

  - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter     chang) [Orabug: 25751984] (CVE-2017-7187)

  - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander     Popov) [Orabug: 25696677] (CVE-2017-2636)

  - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)     [Orabug: 25696677] (CVE-2017-2636)

  - If Slot Status indicates changes in both Data Link Layer     Status and Presence Detect, prioritize the Link status     change. (Jack Vogel) 

  - PCI: pciehp: Leave power indicator on when enabling     already-enabled slot (Ashok Raj) [Orabug: 25353783]

  - firewire: net: guard against rx buffer overflows (Stefan     Richter) [Orabug: 25451520] (CVE-2016-8633)

  - usbnet: cleanup after bind in probe (Oliver Neukum)     [Orabug: 25463898] (CVE-2016-3951)

  - cdc_ncm: do not call usbnet_link_change from     cdc_ncm_bind (Bj&oslash rn Mork) [Orabug: 25463898]     (CVE-2016-3951)

  - cdc_ncm: Add support for moving NDP to end of NCM frame     (Enrico Mioso) [Orabug: 25463898] (CVE-2016-3951)

  - x86/mm/32: Enable full randomization on i386 and X86_32     (Hector Marco-Gisbert) [Orabug: 25463918]     (CVE-2016-3672)

  - kvm: fix page struct leak in handle_vmon (Paolo Bonzini)     [Orabug: 25507133] (CVE-2017-2596)

  - crypto: mcryptd - Check mcryptd algorithm compatibility     (tim) [Orabug: 25507153] (CVE-2016-10147)

  - kvm: nVMX: Allow L1 to intercept software exceptions     (#BP and #OF) (Jim Mattson) [Orabug: 25507188]     (CVE-2016-9588)

  - KVM: x86: drop error recovery in em_jmp_far and     em_ret_far (Radim Kr&#x10D m&aacute &#x159 ) [Orabug:
    25507213] (CVE-2016-9756)

  - tcp: take care of truncations done by sk_filter (Eric     Dumazet) [Orabug: 25507226] (CVE-2016-8645)

  - rose: limit sk_filter trim to payload (Willem de Bruijn)     [Orabug: 25507226] (CVE-2016-8645)

  - tipc: check minimum bearer MTU (Michal Kube&#x10D ek)     [Orabug: 25507239] (CVE-2016-8632) (CVE-2016-8632)

  - fix minor infoleak in get_user_ex (Al Viro) [Orabug:
    25507269] (CVE-2016-9178)

  - scsi: arcmsr: Simplify user_len checking (Borislav     Petkov) [Orabug: 25507319] (CVE-2016-7425)

  - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer     (Dan Carpenter) [Orabug: 25507319] (CVE-2016-7425)

  - tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)     [Orabug: 25507341] (CVE-2016-7097) (CVE-2016-7097)

  - posix_acl: Clear SGID bit when setting file permissions     (Jan Kara) [Orabug: 25507341] (CVE-2016-7097)     (CVE-2016-7097)

  - ext2: convert to mbcache2 (Jan Kara) [Orabug: 25512366]     (CVE-2015-8952)

  - ext4: convert to mbcache2 (Jan Kara) [Orabug: 25512366]     (CVE-2015-8952)

  - mbcache2: reimplement mbcache (Jan Kara) [Orabug:
    25512366] (CVE-2015-8952)

  - USB: digi_acceleport: do sanity checking for the number     of ports (Oliver Neukum) [Orabug: 25512466]     (CVE-2016-3140)

  - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)     [Orabug: 25682419] (CVE-2017-6345)

  - net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli     Cohen) 

  - ipv4: keep skb->dst around in presence of IP options     (Eric Dumazet) [Orabug: 25698300] (CVE-2017-5970)

  - perf/core: Fix concurrent sys_perf_event_open vs.
    'move_group' race (Peter Zijlstra) [Orabug: 25698751]     (CVE-2017-6001)

  - ip6_gre: fix ip6gre_err invalid reads (Eric Dumazet)     [Orabug: 25699015] (CVE-2017-5897)

  - mpt3sas: Don't spam logs if logging level is 0 (Johannes     Thumshirn) 

  - xen-netfront: cast grant table reference first to type     int (Dongli Zhang)

  - xen-netfront: do not cast grant table reference to     signed short (Dongli Zhang)

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2017-3534 advisory.

  - The bpf_int_jit_compile function in arch/x86/net/bpf_jit_comp.c in the Linux kernel before 4.0.6 allows     local users to cause a denial of service (system crash) by creating a packet filter and then loading     crafted BPF instructions that trigger late convergence by the JIT compiler. (CVE-2015-4700)

  - The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in     situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary     kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2016-9576. (CVE-2016-10088)

  - An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious     application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate     because it first requires compromising a privileged process and current compiler optimizations restrict     access to the vulnerable code. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID:
    A-31349935. (CVE-2016-8399)

  - An issue was discovered in the IPv6 protocol specification, related to ICMP Packet Too Big (PTB) messages.
    (The scope of this CVE is all affected IPv6 implementations from all vendors.) The security implications     of IP fragmentation have been discussed at length in [RFC6274] and [RFC7739]. An attacker can leverage the     generation of IPv6 atomic fragments to trigger the use of fragmentation in an arbitrary IPv6 flow (in     scenarios in which actual fragmentation of packets is not needed) and can subsequently perform any type of     fragmentation-based attack against legacy IPv6 nodes that do not implement [RFC6946]. That is, employing     fragmentation where not actually needed allows for fragmentation-based attack vectors to be employed,     unnecessarily. We note that, unfortunately, even nodes that already implement [RFC6946] can be subject to     DoS attacks as a result of the generation of IPv6 atomic fragments. Let us assume that Host A is     communicating with Host B and that, as a result of the widespread dropping of IPv6 packets that contain     extension headers (including fragmentation) [RFC7872], some intermediate node filters fragments between     Host B and Host A. If an attacker sends a forged ICMPv6 PTB error message to Host B, reporting an MTU     smaller than 1280, this will trigger the generation of IPv6 atomic fragments from that moment on (as     required by [RFC2460]). When Host B starts sending IPv6 atomic fragments (in response to the received     ICMPv6 PTB error message), these packets will be dropped, since we previously noted that IPv6 packets with     extension headers were being dropped between Host B and Host A. Thus, this situation will result in a DoS     scenario. Another possible scenario is that in which two BGP peers are employing IPv6 transport and they     implement Access Control Lists (ACLs) to drop IPv6 fragments (to avoid control-plane attacks). If the     aforementioned BGP peers drop IPv6 fragments but still honor received ICMPv6 PTB error messages, an     attacker could easily attack the corresponding peering session by simply sending an ICMPv6 PTB message     with a reported MTU smaller than 1280 bytes. Once the attack packet has been sent, the aforementioned     routers will themselves be the ones dropping their own traffic. (CVE-2016-10142)

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through 4.10.4 allows local users to cause     a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large     command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write     function. (CVE-2017-7187)

  - Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain     privileges or cause a denial of service (double free) by setting the HDLC line discipline. (CVE-2017-2636)

  - arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows     guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by     an L2 guest. (CVE-2016-9588)

  - The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2     does not restrict a certain length field, which allows local users to gain privileges or cause a denial of     service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code. (CVE-2016-7425)

  - The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel through     4.3.3 do not verify an address length, which allows local users to obtain sensitive information from     kernel memory and bypass the KASLR protection mechanism via a crafted application. (CVE-2015-8569)

  - The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does     not properly initialize a certain data structure, which allows attackers to obtain sensitive information     from kernel stack memory via an X.25 Call Request. (CVE-2016-4580)

  - drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations,     allows remote attackers to execute arbitrary code via crafted fragmented packets. (CVE-2016-8633)

  - The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not     properly randomize the legacy base address, which makes it easier for local users to defeat the intended     restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or     setgid program, by disabling stack-consumption resource limits. (CVE-2016-3672)

  - The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, which allows local users to     cause a denial of service (system crash) via a crafted application that makes sendto system calls, related     to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c. (CVE-2016-8645)

  - The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel before 4.7.5 does not     initialize a certain integer variable, which allows local users to obtain sensitive information from     kernel stack memory by triggering failure of a get_user_ex call. (CVE-2016-9178)

  - The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1     allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system     crash) via a crafted endpoints value in a USB device descriptor. (CVE-2016-3140)

  - The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in     required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have     unspecified other impact via crafted system calls. (CVE-2017-6345)

  - The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows     attackers to cause a denial of service (system crash) via (1) an application that makes crafted system     calls or possibly (2) IPv4 traffic with invalid IP options. (CVE-2017-5970)

  - Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel 2.6.x through 4.x     before 4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a     large iov_count value in a write request. (CVE-2015-5707)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2017-3533 advisory.

  - The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in     situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary     kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2016-9576. (CVE-2016-10088)

  - The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr     call, which allows local users to gain group privileges by leveraging the existence of a setgid program     with restrictions on execute permissions. (CVE-2016-7097)

  - An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious     application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate     because it first requires compromising a privileged process and current compiler optimizations restrict     access to the vulnerable code. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID:
    A-31349935. (CVE-2016-8399)

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through 4.10.4 allows local users to cause     a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large     command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write     function. (CVE-2017-7187)

  - Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain     privileges or cause a denial of service (double free) by setting the HDLC line discipline. (CVE-2017-2636)

  - crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL     pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as     demonstrated by mcryptd(md5). (CVE-2016-10147)

  - arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows     guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by     an L2 guest. (CVE-2016-9588)

  - The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2     does not restrict a certain length field, which allows local users to gain privileges or cause a denial of     service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code. (CVE-2016-7425)

  - drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations,     allows remote attackers to execute arbitrary code via crafted fragmented packets. (CVE-2016-8633)

  - Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel before 4.5 allows physically     proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact     by inserting a USB device with an invalid USB descriptor. (CVE-2016-3951)

  - The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not     properly randomize the legacy base address, which makes it easier for local users to defeat the intended     restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or     setgid program, by disabling stack-consumption resource limits. (CVE-2016-3672)

  - The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly     emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of page references. (CVE-2017-2596)

  - arch/x86/kvm/emulate.c in the Linux kernel before 4.8.12 does not properly initialize Code Segment (CS) in     certain error cases, which allows local users to obtain sensitive information from kernel stack memory via     a crafted application. (CVE-2016-9756)

  - The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, which allows local users to     cause a denial of service (system crash) via a crafted application that makes sendto system calls, related     to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c. (CVE-2016-8645)

  - The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the     relationship between the minimum fragment length and the maximum packet size, which allows local users to     gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN     capability. (CVE-2016-8632)

  - The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel before 4.7.5 does not     initialize a certain integer variable, which allows local users to obtain sensitive information from     kernel stack memory by triggering failure of a get_user_ex call. (CVE-2016-9178)

  - The mbcache feature in the ext2 and ext4 filesystem implementations in the Linux kernel before 4.6     mishandles xattr block caching, which allows local users to cause a denial of service (soft lockup) via     filesystem operations in environments that use many attributes, as demonstrated by Ceph and Samba.
    (CVE-2015-8952)

  - The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1     allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system     crash) via a crafted endpoints value in a USB device descriptor. (CVE-2016-3140)

  - The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in     required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have     unspecified other impact via crafted system calls. (CVE-2017-6345)

  - The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows     attackers to cause a denial of service (system crash) via (1) an application that makes crafted system     calls or possibly (2) IPv4 traffic with invalid IP options. (CVE-2017-5970)

  - Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain     privileges via a crafted application that makes concurrent perf_event_open system calls for moving a     software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for     CVE-2016-6786. (CVE-2017-6001)

  - The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have     unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds     access. (CVE-2017-5897)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Tilman Schmidt and Sasha Levin discovered a use-after-free condition in the TTY implementation in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory).
(CVE-2015-8964)

It was discovered that the Video For Linux Two (v4l2) implementation in the Linux kernel did not properly handle multiple planes when processing a VIDIOC_DQBUF ioctl(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-4568)

CAI Qian discovered that shared bind mounts in a mount namespace exponentially added entries without restriction to the Linux kernel's mount table. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-6213)

Andreas Gruenbacher and Jan Kara discovered that the filesystem implementation in the Linux kernel did not clear the setgid bit during a setxattr call. A local attacker could use this to possibly elevate group privileges. (CVE-2016-7097)

Marco Grassi discovered that the driver for Areca RAID Controllers in the Linux kernel did not properly validate control messages. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-7425)

It was discovered that the KVM implementation for x86/x86_64 in the Linux kernel could dereference a NULL pointer. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the KVM host. (CVE-2016-8630)

Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation in the Linux kernel contained a buffer overflow when handling fragmented packets. A remote attacker could use this to possibly execute arbitrary code with administrative privileges.
(CVE-2016-8633)

Marco Grassi discovered that the TCP implementation in the Linux kernel mishandles socket buffer (skb) truncation. A local attacker could use this to cause a denial of service (system crash).
(CVE-2016-8645)

Daxing Guo discovered a stack-based buffer overflow in the Broadcom IEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-8658)

Andrey Konovalov discovered that the SCTP implementation in the Linux kernel improperly handled validation of incoming data. A remote attacker could use this to cause a denial of service (system crash).
(CVE-2016-9555)

It was discovered that the __get_user_asm_ex implementation in the Linux kernel for x86/x86_64 contained extended asm statements that were incompatible with the exception table. A local attacker could use this to gain administrative privileges. (CVE-2016-9644).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3146-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that the __get_user_asm_ex implementation in the Linux kernel for x86/x86_64 contained extended asm statements that were incompatible with the exception table. A local attacker could use this to gain administrative privileges. (CVE-2016-9644)

Andreas Gruenbacher and Jan Kara discovered that the filesystem implementation in the Linux kernel did not clear the setgid bit during a setxattr call. A local attacker could use this to possibly elevate group privileges. (CVE-2016-7097)

Marco Grassi discovered that the driver for Areca RAID Controllers in the Linux kernel did not properly validate control messages. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-7425)

Daxing Guo discovered a stack-based buffer overflow in the Broadcom IEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-8658).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the __get_user_asm_ex implementation in the Linux kernel for x86/x86_64 contained extended asm statements that were incompatible with the exception table. A local attacker could use this to gain administrative privileges. (CVE-2016-9644)

Andreas Gruenbacher and Jan Kara discovered that the filesystem implementation in the Linux kernel did not clear the setgid bit during a setxattr call. A local attacker could use this to possibly elevate group privileges. (CVE-2016-7097)

Marco Grassi discovered that the driver for Areca RAID Controllers in the Linux kernel did not properly validate control messages. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-7425)

Daxing Guo discovered a stack-based buffer overflow in the Broadcom IEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-8658).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
102774	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0145) (Stack Clash)	Nessus	OracleVM Local Security Checks	critical
102773	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3609)	Nessus	Oracle Linux Local Security Checks	critical
100237	OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0105)	Nessus	OracleVM Local Security Checks	critical
100234	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3566)	Nessus	Oracle Linux Local Security Checks	critical
99163	OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)	Nessus	OracleVM Local Security Checks	critical
99162	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0056)	Nessus	OracleVM Local Security Checks	critical
99160	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3534)	Nessus	Oracle Linux Local Security Checks	high
99159	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3533)	Nessus	Oracle Linux Local Security Checks	critical
95998	Ubuntu 16.04 LTS : linux-snapdragon vulnerabilities (USN-3161-4)	Nessus	Ubuntu Local Security Checks	critical
95433	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3146-2)	Nessus	Ubuntu Local Security Checks	high
95432	Ubuntu 16.04 LTS : linux vulnerabilities (USN-3146-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2016-9644

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

critical

critical

critical

critical

high

critical

critical

high

high