DSA-3981

99131

https://access.redhat.com/security/cve/CVE-2017-1000371

42273

42276

https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Input: ff-memless - kill timer in destroy (Oliver     Neukum) [Orabug: 31213691] (CVE-2019-19524)

  - libertas: Fix two buffer overflows at parsing bss     descriptor (Wen Huang) [Orabug: 31351307]     (CVE-2019-14896) (CVE-2019-14897) (CVE-2019-14897)

  - binfmt_elf: use ELF_ET_DYN_BASE only for PIE (Kees Cook)     [Orabug: 31352068] (CVE-2017-1000370) (CVE-2017-1000371)     (CVE-2017-1000370)

  - NFSv4.0: Remove transport protocol name from non-UCS     client ID (Chuck Lever) [Orabug: 31357212]

  - NFSv4.0: Remove cl_ipaddr from non-UCS client ID (Chuck     Lever) 

  - xen/manage: enable C_A_D to force reboot (Dongli Zhang)     [Orabug: 31387466]

  - acpi: disable erst (Wengang Wang) [Orabug: 31194253]

  - mdio_bus: Fix use-after-free on device_register fails     (YueHaibing) [Orabug: 31222292] (CVE-2019-12819)

  - rds: ib: Fix dysfunctional long address resolve timeout     (Hakon Bugge) 

  - vxlan: don't migrate permanent fdb entries during learn     (Roopa Prabhu) 

  - USB: iowarrior: fix use-after-free on disconnect (Johan     Hovold) [Orabug: 31351061] (CVE-2019-19528)

  - usb: iowarrior: fix deadlock on disconnect (Oliver     Neukum) [Orabug: 31351061] (CVE-2019-19528)

  - mremap: properly flush TLB before releasing the page     (Linus Torvalds) [Orabug: 31352011] (CVE-2018-18281)

  - Input: add safety guards to input_set_keycode (Dmitry     Torokhov) [Orabug: 31200558] (CVE-2019-20636)

  - media: stv06xx: add missing descriptor sanity checks     (Johan Hovold) [Orabug: 31200579] (CVE-2020-11609)

  - media: ov519: add missing endpoint sanity checks (Johan     Hovold) [Orabug: 31213758] (CVE-2020-11608)

  - media: xirlink_cit: add missing descriptor sanity checks     (Johan Hovold) [Orabug: 31213767] (CVE-2020-11668)

  - mwifiex: pcie: Fix memory leak in     mwifiex_pcie_init_evt_ring (Navid Emamdoost) [Orabug:
    31263147] (CVE-2019-19057)

  - USB: core: Fix races in character device registration     and deregistraion (Alan Stern) [Orabug: 31317667]     (CVE-2019-19537)

Description of changes:

[4.1.12-124.39.5.el7uek]
- Input: ff-memless - kill timer in destroy() (Oliver Neukum)  [Orabug: 31213691]  {CVE-2019-19524}
- libertas: Fix two buffer overflows at parsing bss descriptor (Wen Huang)  [Orabug: 31351307]  {CVE-2019-14896} {CVE-2019-14897} {CVE-2019-14897}
- binfmt_elf: use ELF_ET_DYN_BASE only for PIE (Kees Cook)  [Orabug: 31352068]  {CVE-2017-1000370} {CVE-2017-1000371} {CVE-2017-1000370}
- NFSv4.0: Remove transport protocol name from non-UCS client ID (Chuck Lever)  [Orabug: 31357212]
- NFSv4.0: Remove cl_ipaddr from non-UCS client ID (Chuck Lever)  [Orabug: 31357212]
- xen/manage: enable C_A_D to force reboot (Dongli Zhang)  [Orabug: 31387466]

[4.1.12-124.39.4.el7uek]
- acpi: disable erst (Wengang Wang)  [Orabug: 31194253]
- mdio_bus: Fix use-after-free on device_register fails (YueHaibing)  [Orabug: 31222292]  {CVE-2019-12819}
- rds: ib: Fix dysfunctional long address resolve timeout (H&aring kon Bugge)  [Orabug: 31302708]
- vxlan: dont migrate permanent fdb entries during learn (Roopa Prabhu)  [Orabug: 31325318]
- USB: iowarrior: fix use-after-free on disconnect (Johan Hovold)  [Orabug: 31351061]  {CVE-2019-19528}
- usb: iowarrior: fix deadlock on disconnect (Oliver Neukum)  [Orabug: 31351061]  {CVE-2019-19528}
- mremap: properly flush TLB before releasing the page (Linus Torvalds)  [Orabug: 31352011]  {CVE-2018-18281}

[4.1.12-124.39.3.el7uek]
- Input: add safety guards to input_set_keycode() (Dmitry Torokhov)  [Orabug: 31200558]  {CVE-2019-20636}
- media: stv06xx: add missing descriptor sanity checks (Johan Hovold)  [Orabug: 31200579]  {CVE-2020-11609}
- media: ov519: add missing endpoint sanity checks (Johan Hovold)  [Orabug: 31213758]  {CVE-2020-11608}
- media: xirlink_cit: add missing descriptor sanity checks (Johan Hovold)  [Orabug: 31213767]  {CVE-2020-11668}
- mwifiex: pcie: Fix memory leak in mwifiex_pcie_init_evt_ring (Navid Emamdoost)  [Orabug: 31263147]  {CVE-2019-19057}
- USB: core: Fix races in character device registration and deregistraion (Alan Stern)  [Orabug: 31317667]  {CVE-2019-19537}

According to the versions of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities :

  - Kernel: NetLabel: null pointer dereference while     receiving CIPSO packet with null category may cause     kernel panic.

  - kernel: rtl_p2p_noa_ie in     drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux     kernel lacks a certain upper-bound check, leading to a     buffer overflow.

  - kernel: buffer overflow in cfg80211_mgd_wext_giwessid     in net/wireless/wext-sme.c.

  - kernel: out-of-bounds write in mpol_parse_str function     in mm/mempolicy.c.

  - kernel: use-after-free in n_tty_receive_buf_common     function in drivers/tty/n_tty.c.

  - kernel: unprivileged users able to create RAW sockets     in AF_ISDN network protocol.

  - kernel: memory leak in register_queue_kobjects() in     net/core/net-sysfs.c leads to denial of service.

  - kernel: offset2lib allows for the stack guard page to     be jumped over.

Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1524 advisory.

  - kernel: offset2lib allows for the stack guard page to be     jumped over (CVE-2017-1000371)

  - kernel: rtl_p2p_noa_ie in     drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux     kernel lacks a certain upper-bound check, leading to a     buffer overflow (CVE-2019-17666)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Security Fix(es) :

  - kernel: rtl_p2p_noa_ie in     drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux     kernel lacks a certain upper-bound check, leading to a     buffer overflow (CVE-2019-17666)

  - kernel: offset2lib allows for the stack guard page to be     jumped over (CVE-2017-1000371)

From Red Hat Security Advisory 2020:1524 :

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1524 advisory.

  - kernel: offset2lib allows for the stack guard page to be     jumped over (CVE-2017-1000371)

  - kernel: rtl_p2p_noa_ie in     drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux     kernel lacks a certain upper-bound check, leading to a     buffer overflow (CVE-2019-17666)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the version of Junos Space running on the remote device is < 17.1R1, and is therefore affected by multiple vulnerabilities.

Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks.

  - CVE-2017-7518     Andy Lutomirski discovered that KVM is prone to an     incorrect debug exception (#DB) error occurring while     emulating a syscall instruction. A process inside a     guest can take advantage of this flaw for privilege     escalation inside a guest.

  - CVE-2017-7558 (stretch only)     Stefano Brivio of Red Hat discovered that the SCTP     subsystem is prone to a data leak vulnerability due to     an out-of-bounds read flaw, allowing to leak up to 100     uninitialized bytes to userspace.

  - CVE-2017-10661 (jessie only)     Dmitry Vyukov of Google reported that the timerfd     facility does not properly handle certain concurrent     operations on a single file descriptor. This allows a     local attacker to cause a denial of service or     potentially execute arbitrary code.

  - CVE-2017-11600     Bo Zhang reported that the xfrm subsystem does not     properly validate one of the parameters to a netlink     message. Local users with the CAP_NET_ADMIN capability     can use this to cause a denial of service or potentially     to execute arbitrary code.

  - CVE-2017-12134 / #866511 / XSA-229     Jan H. Schoenherr of Amazon discovered that when Linux     is running in a Xen PV domain on an x86 system, it may     incorrectly merge block I/O requests. A buggy or     malicious guest may trigger this bug in dom0 or a PV     driver domain, causing a denial of service or     potentially execution of arbitrary code.

  This issue can be mitigated by disabling merges on the underlying   back-end block devices, e.g.:echo 2 >   /sys/block/nvme0n1/queue/nomerges

  - CVE-2017-12146 (stretch only)     Adrian Salido of Google reported a race condition in     access to the'driver_override' attribute for platform     devices in sysfs. If unprivileged users are permitted to     access this attribute, this might allow them to gain     privileges.

  - CVE-2017-12153     Bo Zhang reported that the cfg80211 (wifi) subsystem     does not properly validate the parameters to a netlink     message. Local users with the CAP_NET_ADMIN capability     (in any user namespace with a wifi device) can use this     to cause a denial of service.

  - CVE-2017-12154     Jim Mattson of Google reported that the KVM     implementation for Intel x86 processors did not     correctly handle certain nested hypervisor     configurations. A malicious guest (or nested guest in a     suitable L1 hypervisor) could use this for denial of     service.

  - CVE-2017-14106     Andrey Konovalov discovered that a user-triggerable     division by zero in the tcp_disconnect() function could     result in local denial of service.

  - CVE-2017-14140     Otto Ebeling reported that the move_pages() system call     performed insufficient validation of the UIDs of the     calling and target processes, resulting in a partial     ASLR bypass. This made it easier for local users to     exploit vulnerabilities in programs installed with the     set-UID permission bit set.

  - CVE-2017-14156     'sohu0106' reported an information leak in the atyfb     video driver. A local user with access to a framebuffer     device handled by this driver could use this to obtain     sensitive information.

  - CVE-2017-14340     Richard Wareing discovered that the XFS implementation     allows the creation of files with the 'realtime' flag on     a filesystem with no realtime device, which can result     in a crash (oops). A local user with access to an XFS     filesystem that does not have a realtime device can use     this for denial of service.

  - CVE-2017-14489     ChunYu Wang of Red Hat discovered that the iSCSI     subsystem does not properly validate the length of a     netlink message, leading to memory corruption. A local     user with permission to manage iSCSI devices can use     this for denial of service or possibly to execute     arbitrary code.

  - CVE-2017-14497 (stretch only)     Benjamin Poirier of SUSE reported that vnet headers are     not properly handled within the tpacket_rcv() function     in the raw packet (af_packet) feature. A local user with     the CAP_NET_RAW capability can take advantage of this     flaw to cause a denial of service (buffer overflow, and     disk and memory corruption) or have other impact.

  - CVE-2017-1000111     Andrey Konovalov of Google reported a race condition in     the raw packet (af_packet) feature. Local users with the     CAP_NET_RAW capability can use this for denial of     service or possibly to execute arbitrary code.

  - CVE-2017-1000112     Andrey Konovalov of Google reported a race condition     flaw in the UDP Fragmentation Offload (UFO) code. A     local user can use this flaw for denial of service or     possibly to execute arbitrary code.

  - CVE-2017-1000251 / #875881     Armis Labs discovered that the Bluetooth subsystem does     not properly validate L2CAP configuration responses,     leading to a stack-based buffer overflow. This is one of     several vulnerabilities dubbed 'Blueborne'. A nearby     attacker can use this to cause a denial of service or     possibly to execute arbitrary code on a system with     Bluetooth enabled.

  - CVE-2017-1000252 (stretch only)     Jan H. Schoenherr of Amazon reported that the KVM     implementation for Intel x86 processors did not     correctly validate interrupt injection requests. A local     user with permission to use KVM could use this for     denial of service.

  - CVE-2017-1000370     The Qualys Research Labs reported that a large argument     or environment list can result in ASLR bypass for 32-bit     PIE binaries.

  - CVE-2017-1000371     The Qualys Research Labs reported that a large argument     or environment list can result in a stack/heap clash for     32-bit PIE binaries.

  - CVE-2017-1000380     Alexander Potapenko of Google reported a race condition     in the ALSA (sound) timer driver, leading to an     information leak. A local user with permission to access     sound devices could use this to obtain sensitive     information.

Debian disables unprivileged user namespaces by default, but if they are enabled (via the kernel.unprivileged_userns_clone sysctl) then CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited by any local user.

The 4.11.6 update contains a number of important fixes across the tree, including the recently announced 'stack clash'

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be jmp'ed over, this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010). (CVE-2017-1000364)

The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to RLIMIT_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction) then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000 the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365 . (CVE-2017-1000371)

ID	Name	Product	Family	Severity
137217	OracleVM 3.4 : Unbreakable / etc (OVMSA-2020-0020) (Stack Clash)	Nessus	OracleVM Local Security Checks	critical
137173	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5708) (Stack Clash)	Nessus	Oracle Linux Local Security Checks	critical
136804	Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2020-037)	Nessus	Virtuozzo Local Security Checks	high
136020	CentOS 6 : kernel (CESA-2020:1524) (Stack Clash)	Nessus	CentOS Local Security Checks	high
135959	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20200422) (Stack Clash)	Nessus	Scientific Linux Local Security Checks	high
135957	Oracle Linux 6 : kernel (ELSA-2020-1524) (Stack Clash)	Nessus	Oracle Linux Local Security Checks	high
135910	RHEL 6 : kernel (RHSA-2020:1524)	Nessus	Red Hat Local Security Checks	high
104100	Juniper Junos Space < 17.1R1 Multiple Vulnerabilities (JSA10826)	Nessus	Junos Local Security Checks	high
103365	Debian DSA-3981-1 : linux - security update (BlueBorne) (Stack Clash)	Nessus	Debian Local Security Checks	high
101723	Fedora 26 : kernel (2017-d3ed702fe4) (Stack Clash)	Nessus	Fedora Local Security Checks	high
101068	Fedora 24 : kernel (2017-05f10e29f4) (Stack Clash)	Nessus	Fedora Local Security Checks	high
101037	Fedora 25 : kernel (2017-d7bc1b3056) (Stack Clash)	Nessus	Fedora Local Security Checks	high
100874	Amazon Linux AMI : kernel (ALAS-2017-845) (Stack Clash)	Nessus	Amazon Linux Local Security Checks	high

CVE-2017-1000371

HIGH

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

high

high

high

high

high

high

high

high

high

high

high