DSA-3981

99131

https://access.redhat.com/security/cve/CVE-2017-1000371

42273

42276

https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Input: ff-memless - kill timer in destroy (Oliver     Neukum) [Orabug: 31213691] (CVE-2019-19524)

  - libertas: Fix two buffer overflows at parsing bss     descriptor (Wen Huang) [Orabug: 31351307]     (CVE-2019-14896) (CVE-2019-14897) (CVE-2019-14897)

  - binfmt_elf: use ELF_ET_DYN_BASE only for PIE (Kees Cook)     [Orabug: 31352068] (CVE-2017-1000370) (CVE-2017-1000371)     (CVE-2017-1000370)

  - NFSv4.0: Remove transport protocol name from non-UCS     client ID (Chuck Lever) [Orabug: 31357212]

  - NFSv4.0: Remove cl_ipaddr from non-UCS client ID (Chuck     Lever) 

  - xen/manage: enable C_A_D to force reboot (Dongli Zhang)     [Orabug: 31387466]

  - acpi: disable erst (Wengang Wang) [Orabug: 31194253]

  - mdio_bus: Fix use-after-free on device_register fails     (YueHaibing) [Orabug: 31222292] (CVE-2019-12819)

  - rds: ib: Fix dysfunctional long address resolve timeout     (Hakon Bugge) 

  - vxlan: don't migrate permanent fdb entries during learn     (Roopa Prabhu) 

  - USB: iowarrior: fix use-after-free on disconnect (Johan     Hovold) [Orabug: 31351061] (CVE-2019-19528)

  - usb: iowarrior: fix deadlock on disconnect (Oliver     Neukum) [Orabug: 31351061] (CVE-2019-19528)

  - mremap: properly flush TLB before releasing the page     (Linus Torvalds) [Orabug: 31352011] (CVE-2018-18281)

  - Input: add safety guards to input_set_keycode (Dmitry     Torokhov) [Orabug: 31200558] (CVE-2019-20636)

  - media: stv06xx: add missing descriptor sanity checks     (Johan Hovold) [Orabug: 31200579] (CVE-2020-11609)

  - media: ov519: add missing endpoint sanity checks (Johan     Hovold) [Orabug: 31213758] (CVE-2020-11608)

  - media: xirlink_cit: add missing descriptor sanity checks     (Johan Hovold) [Orabug: 31213767] (CVE-2020-11668)

  - mwifiex: pcie: Fix memory leak in     mwifiex_pcie_init_evt_ring (Navid Emamdoost) [Orabug:
    31263147] (CVE-2019-19057)

  - USB: core: Fix races in character device registration     and deregistraion (Alan Stern) [Orabug: 31317667]     (CVE-2019-19537)

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5708 advisory.

  - Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks.
    If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of     mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it     has been released back to the page allocator and reused. This is fixed in the following kernel versions:
    4.9.135, 4.14.78, 4.18.16, 4.19. (CVE-2018-18281)

  - An issue was discovered in the Linux kernel before 5.6.1. drivers/media/usb/gspca/ov519.c allows NULL     pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints, aka     CID-998912346c0d. (CVE-2020-11608)

  - An issue was discovered in the stv06xx subsystem in the Linux kernel before 5.6.1.
    drivers/media/usb/gspca/stv06xx/stv06xx.c and drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c mishandle     invalid descriptors, as demonstrated by a NULL pointer dereference, aka CID-485b06aadb93. (CVE-2020-11609)

  - In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB     driver) mishandles invalid descriptors, aka CID-a246b4d54770. (CVE-2020-11668)

  - The offset2lib patch as used in the Linux Kernel contains a vulnerability that allows a PIE binary to be     execve()'ed with 1GB of arguments or environmental strings then the stack occupies the address 0x80000000     and the PIE binary is mapped above 0x40000000 nullifying the protection of the offset2lib patch. This     affects Linux Kernel version 4.11.5 and earlier. This is a different issue than CVE-2017-1000371. This     issue appears to be limited to i386 based systems. (CVE-2017-1000370)

  - A stack-based buffer overflow was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip     driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary     code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and     connects to another STA. (CVE-2019-14897)

  - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB     device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. (CVE-2019-19524)

  - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB     device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d. (CVE-2019-19528)

  - In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB     device in the USB character device driver layer, aka CID-303911cfc5b9. This affects     drivers/usb/core/file.c. (CVE-2019-19537)

  - In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode     table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7. (CVE-2019-20636)

  - An issue was discovered in the Linux kernel before 5.0. The function __mdiobus_register() in     drivers/net/phy/mdio_bus.c calls put_device(), which will trigger a fixed_mdio_bus_init use-after-free.
    This will cause a denial of service. (CVE-2019-12819)

  - Two memory leaks in the mwifiex_pcie_init_evt_ring() function in     drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allow attackers to cause a     denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka     CID-d10dcb615c8e. (CVE-2019-19057)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities :

  - Kernel: NetLabel: null pointer dereference while     receiving CIPSO packet with null category may cause     kernel panic.

  - kernel: rtl_p2p_noa_ie in     drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux     kernel lacks a certain upper-bound check, leading to a     buffer overflow.

  - kernel: buffer overflow in cfg80211_mgd_wext_giwessid     in net/wireless/wext-sme.c.

  - kernel: out-of-bounds write in mpol_parse_str function     in mm/mempolicy.c.

  - kernel: use-after-free in n_tty_receive_buf_common     function in drivers/tty/n_tty.c.

  - kernel: unprivileged users able to create RAW sockets     in AF_ISDN network protocol.

  - kernel: memory leak in register_queue_kobjects() in     net/core/net-sysfs.c leads to denial of service.

  - kernel: offset2lib allows for the stack guard page to     be jumped over.

Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1524 advisory.

  - kernel: offset2lib allows for the stack guard page to be     jumped over (CVE-2017-1000371)

  - kernel: rtl_p2p_noa_ie in     drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux     kernel lacks a certain upper-bound check, leading to a     buffer overflow (CVE-2019-17666)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Security Fix(es) :

  - kernel: rtl_p2p_noa_ie in     drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux     kernel lacks a certain upper-bound check, leading to a     buffer overflow (CVE-2019-17666)

  - kernel: offset2lib allows for the stack guard page to be     jumped over (CVE-2017-1000371)

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-1524 advisory.

  - rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a     certain upper-bound check, leading to a buffer overflow. (CVE-2019-17666)

  - The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to     RLIM_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction) then the stack     will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000 the minimum distance     between the end of the PIE binary's read-write segment and the start of the stack becomes small enough     that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5.
    This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. This issue appears to be limited to     i386 based systems. (CVE-2017-1000371)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1524 advisory.

  - kernel: offset2lib allows for the stack guard page to be jumped over (CVE-2017-1000371)

  - kernel: rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel lacks a certain     upper-bound check, leading to a buffer overflow (CVE-2019-17666)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the version of Junos Space running on the remote device is < 17.1R1, and is therefore affected by multiple vulnerabilities.

Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks.

  - CVE-2017-7518     Andy Lutomirski discovered that KVM is prone to an     incorrect debug exception (#DB) error occurring while     emulating a syscall instruction. A process inside a     guest can take advantage of this flaw for privilege     escalation inside a guest.

  - CVE-2017-7558 (stretch only)     Stefano Brivio of Red Hat discovered that the SCTP     subsystem is prone to a data leak vulnerability due to     an out-of-bounds read flaw, allowing to leak up to 100     uninitialized bytes to userspace.

  - CVE-2017-10661 (jessie only)     Dmitry Vyukov of Google reported that the timerfd     facility does not properly handle certain concurrent     operations on a single file descriptor. This allows a     local attacker to cause a denial of service or     potentially execute arbitrary code.

  - CVE-2017-11600     Bo Zhang reported that the xfrm subsystem does not     properly validate one of the parameters to a netlink     message. Local users with the CAP_NET_ADMIN capability     can use this to cause a denial of service or potentially     to execute arbitrary code.

  - CVE-2017-12134 / #866511 / XSA-229     Jan H. Schoenherr of Amazon discovered that when Linux     is running in a Xen PV domain on an x86 system, it may     incorrectly merge block I/O requests. A buggy or     malicious guest may trigger this bug in dom0 or a PV     driver domain, causing a denial of service or     potentially execution of arbitrary code.

  This issue can be mitigated by disabling merges on the underlying   back-end block devices, e.g.:echo 2 >   /sys/block/nvme0n1/queue/nomerges

  - CVE-2017-12146 (stretch only)     Adrian Salido of Google reported a race condition in     access to the'driver_override' attribute for platform     devices in sysfs. If unprivileged users are permitted to     access this attribute, this might allow them to gain     privileges.

  - CVE-2017-12153     Bo Zhang reported that the cfg80211 (wifi) subsystem     does not properly validate the parameters to a netlink     message. Local users with the CAP_NET_ADMIN capability     (in any user namespace with a wifi device) can use this     to cause a denial of service.

  - CVE-2017-12154     Jim Mattson of Google reported that the KVM     implementation for Intel x86 processors did not     correctly handle certain nested hypervisor     configurations. A malicious guest (or nested guest in a     suitable L1 hypervisor) could use this for denial of     service.

  - CVE-2017-14106     Andrey Konovalov discovered that a user-triggerable     division by zero in the tcp_disconnect() function could     result in local denial of service.

  - CVE-2017-14140     Otto Ebeling reported that the move_pages() system call     performed insufficient validation of the UIDs of the     calling and target processes, resulting in a partial     ASLR bypass. This made it easier for local users to     exploit vulnerabilities in programs installed with the     set-UID permission bit set.

  - CVE-2017-14156     'sohu0106' reported an information leak in the atyfb     video driver. A local user with access to a framebuffer     device handled by this driver could use this to obtain     sensitive information.

  - CVE-2017-14340     Richard Wareing discovered that the XFS implementation     allows the creation of files with the 'realtime' flag on     a filesystem with no realtime device, which can result     in a crash (oops). A local user with access to an XFS     filesystem that does not have a realtime device can use     this for denial of service.

  - CVE-2017-14489     ChunYu Wang of Red Hat discovered that the iSCSI     subsystem does not properly validate the length of a     netlink message, leading to memory corruption. A local     user with permission to manage iSCSI devices can use     this for denial of service or possibly to execute     arbitrary code.

  - CVE-2017-14497 (stretch only)     Benjamin Poirier of SUSE reported that vnet headers are     not properly handled within the tpacket_rcv() function     in the raw packet (af_packet) feature. A local user with     the CAP_NET_RAW capability can take advantage of this     flaw to cause a denial of service (buffer overflow, and     disk and memory corruption) or have other impact.

  - CVE-2017-1000111     Andrey Konovalov of Google reported a race condition in     the raw packet (af_packet) feature. Local users with the     CAP_NET_RAW capability can use this for denial of     service or possibly to execute arbitrary code.

  - CVE-2017-1000112     Andrey Konovalov of Google reported a race condition     flaw in the UDP Fragmentation Offload (UFO) code. A     local user can use this flaw for denial of service or     possibly to execute arbitrary code.

  - CVE-2017-1000251 / #875881     Armis Labs discovered that the Bluetooth subsystem does     not properly validate L2CAP configuration responses,     leading to a stack-based buffer overflow. This is one of     several vulnerabilities dubbed 'Blueborne'. A nearby     attacker can use this to cause a denial of service or     possibly to execute arbitrary code on a system with     Bluetooth enabled.

  - CVE-2017-1000252 (stretch only)     Jan H. Schoenherr of Amazon reported that the KVM     implementation for Intel x86 processors did not     correctly validate interrupt injection requests. A local     user with permission to use KVM could use this for     denial of service.

  - CVE-2017-1000370     The Qualys Research Labs reported that a large argument     or environment list can result in ASLR bypass for 32-bit     PIE binaries.

  - CVE-2017-1000371     The Qualys Research Labs reported that a large argument     or environment list can result in a stack/heap clash for     32-bit PIE binaries.

  - CVE-2017-1000380     Alexander Potapenko of Google reported a race condition     in the ALSA (sound) timer driver, leading to an     information leak. A local user with permission to access     sound devices could use this to obtain sensitive     information.

Debian disables unprivileged user namespaces by default, but if they are enabled (via the kernel.unprivileged_userns_clone sysctl) then CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited by any local user.

The 4.11.6 update contains a number of important fixes across the tree, including the recently announced 'stack clash'

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be jmp'ed over, this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010). (CVE-2017-1000364)

The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to RLIMIT_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction) then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000 the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365 . (CVE-2017-1000371)

ID	Name	Product	Family	Severity
137217	OracleVM 3.4 : Unbreakable / etc (OVMSA-2020-0020) (Stack Clash)	Nessus	OracleVM Local Security Checks	critical
137173	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5708)	Nessus	Oracle Linux Local Security Checks	critical
136804	Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2020-037)	Nessus	Virtuozzo Local Security Checks	high
136020	CentOS 6 : kernel (CESA-2020:1524) (Stack Clash)	Nessus	CentOS Local Security Checks	high
135959	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20200422) (Stack Clash)	Nessus	Scientific Linux Local Security Checks	high
135957	Oracle Linux 6 : kernel (ELSA-2020-1524)	Nessus	Oracle Linux Local Security Checks	high
135910	RHEL 6 : kernel (RHSA-2020:1524)	Nessus	Red Hat Local Security Checks	high
104100	Juniper Junos Space < 17.1R1 Multiple Vulnerabilities (JSA10826)	Nessus	Junos Local Security Checks	high
103365	Debian DSA-3981-1 : linux - security update (BlueBorne) (Stack Clash)	Nessus	Debian Local Security Checks	high
101723	Fedora 26 : kernel (2017-d3ed702fe4) (Stack Clash)	Nessus	Fedora Local Security Checks	high
101068	Fedora 24 : kernel (2017-05f10e29f4) (Stack Clash)	Nessus	Fedora Local Security Checks	high
101037	Fedora 25 : kernel (2017-d7bc1b3056) (Stack Clash)	Nessus	Fedora Local Security Checks	high
100874	Amazon Linux AMI : kernel (ALAS-2017-845) (Stack Clash)	Nessus	Amazon Linux Local Security Checks	high

CVE-2017-1000371

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

high

high

high

high

high

high

high

high

high

high

high