http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6265539776a0810b7ce6398c27866ddb9c6bd154

DSA-3981

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.1

100651

https://bugzilla.redhat.com/show_bug.cgi?id=1489078

https://bugzilla.suse.com/show_bug.cgi?id=1057474

https://github.com/torvalds/linux/commit/6265539776a0810b7ce6398c27866ddb9c6bd154

https://source.android.com/security/bulletin/2017-09-01

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The IPv6 DCCP implementation in the Linux kernel     mishandles inheritance, which allows local users to     cause a denial of service or possibly have unspecified     other impact via crafted system calls, a related issue     to CVE-2017-8890. An unprivileged local user could use     this flaw to induce kernel memory corruption on the     system, leading to a crash. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-9076i1/4%0

  - It was found that the driver_override implementation in     base/platform.c in the Linux kernel is susceptible to     race condition when different threads are reading vs     storing a different driver override.(CVE-2017-12146i1/4%0

  - The Linux Kernel imposes a size restriction on the     arguments and environmental strings passed through     RLIMIT_STACK/RLIMIT_INFINITY, but does not take the     argument and environment pointers into account, which     allows attackers to bypass this     limitation.(CVE-2017-1000365i1/4%0

  - A buffer overflow flaw was found in the way the Linux     kernel's eCryptfs implementation decoded encrypted file     names. A local, unprivileged user could use this flaw     to crash the system or, potentially, escalate their     privileges on the system.(CVE-2014-9683i1/4%0

  - The Linux kernel was found vulnerable to an integer     overflow in the     drivers/video/fbdev/uvesafb.c:uvesafb_setcmap()     function. The vulnerability could result in local     attackers being able to crash the kernel or potentially     elevate privileges.(CVE-2018-13406i1/4%0

  - net/ceph/auth_x.c in Ceph, as used in the Linux kernel     before 3.16.3, does not properly validate auth replies,     which allows remote attackers to cause a denial of     service (system crash) or possibly have unspecified     other impact via crafted data from the IP address of a     Ceph Monitor.(CVE-2014-6418i1/4%0

  - A NULL pointer dereference flaw was found in the way     the Linux kernel's Common Internet File System (CIFS)     implementation handled mounting of file system shares.
    A remote attacker could use this flaw to crash a client     system that would mount a file system share from a     malicious server.(CVE-2014-7145i1/4%0

  - The udp6_ufo_fragment function in     net/ipv6/udp_offload.c in the Linux kernel through     3.12, when UDP Fragmentation Offload (UFO) is enabled,     does not properly perform a certain size comparison     before inserting a fragment header, which allows remote     attackers to cause a denial of service (panic) via a     large IPv6 UDP packet, as demonstrated by use of the     Token Bucket Filter (TBF) queueing     discipline.(CVE-2013-4563i1/4%0

  - The do_umount function in fs/namespace.c in the Linux     kernel through 3.17 does not require the CAP_SYS_ADMIN     capability for do_remount_sb calls that change the root     filesystem to read-only, which allows local users to     cause a denial of service (loss of writability) by     making certain unshare system calls, clearing the /     MNT_LOCKED flag, and making an MNT_FORCE umount system     call.(CVE-2014-7975i1/4%0

  - drivers/tty/n_tty.c in the Linux kernel before 4.14.11     allows local attackers (who are able to access pseudo     terminals) to hang/block further usage of any pseudo     terminal devices due to an EXTPROC versus ICANON     confusion in TIOCINQ.(CVE-2018-18386i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - scsi: iscsi_tcp: set BDI_CAP_STABLE_WRITES when data     digest enabled (Jianchao Wang) [Orabug: 27726302]

  - block: fix bio_will_gap for first bvec with offset (Ming     Lei) 

  - block: relax check on sg gap (Ming Lei) [Orabug:
    27775588]

  - block: don't optimize for non-cloned bio in     bio_get_last_bvec (Ming Lei) [Orabug: 27775588]

  - block: merge: get the 1st and last bvec via helpers     (Ming Lei) 

  - block: get the 1st and last bvec via helpers (Ming Lei)     [Orabug: 27775588]

  - block: check virt boundary in bio_will_gap (Ming Lei)     [Orabug: 27775588]

  - block: bio: introduce helpers to get the 1st and last     bvec (Ming Lei) 

  - Failing to send a CLOSE if file is opened WRONLY and     server reboots on a 4.x mount (Olga Kornievskaia)     [Orabug: 27848303]

  - ext4: add validity checks for bitmap block numbers     (Theodore Ts'o) [Orabug: 27854373] (CVE-2018-1093)     (CVE-2018-1093)

  - ocfs2: Take inode cluster lock before moving reflinked     inode from orphan dir (Ashish Samant) [Orabug: 27869411]

  - Input: gtco - fix potential out-of-bound access (Dmitry     Torokhov) [Orabug: 27869844] (CVE-2017-16643)

  - Input: ims-psu - check if CDC union descriptor is sane     (Dmitry Torokhov) [Orabug: 27870333] (CVE-2017-16645)

  - vfio/pci: Virtualize Maximum Payload Size (Alex     Williamson)

  - vfio-pci: Virtualize PCIe & AF FLR (Alex Williamson)

  - uek-rpm: Disable DMA CMA (Jianchao Wang) [Orabug:
    27892359]

  - nvme-pci: fix multiple ctrl removal scheduling (Rakesh     Pandit) 

  - nvme-pci: Fix nvme queue cleanup if IRQ setup fails     (Jianchao Wang) 

  - nvme/pci: Fix stuck nvme reset (Keith Busch) [Orabug:
    27892359]

  - nvme: don't schedule multiple resets (Keith Busch)     [Orabug: 27892359]

  - blk-mq: fix use-after-free in blk_mq_free_tag_set     (Junichi Nomura) 

  - USB: core: prevent malicious bNumInterfaces overflow     (Alan Stern) 

  - driver core: platform: fix race condition with     driver_override (Adrian Salido) [Orabug: 27897874]     (CVE-2017-12146)

  - usb/core: usb_alloc_dev: fix setting of ->portnum     (Nicolai Stange)

Description of changes:

[4.1.12-124.14.2.el7uek]
- scsi: iscsi_tcp: set BDI_CAP_STABLE_WRITES when data digest enabled (Jianchao Wang)  [Orabug: 27726302]
- block: fix bio_will_gap() for first bvec with offset (Ming Lei) [Orabug: 27775588]
- block: relax check on sg gap (Ming Lei)  [Orabug: 27775588]
- block: don't optimize for non-cloned bio in bio_get_last_bvec() (Ming Lei)  [Orabug: 27775588]
- block: merge: get the 1st and last bvec via helpers (Ming Lei) [Orabug: 27775588]
- block: get the 1st and last bvec via helpers (Ming Lei)  [Orabug: 27775588]
- block: check virt boundary in bio_will_gap() (Ming Lei)  [Orabug: 27775588]
- block: bio: introduce helpers to get the 1st and last bvec (Ming Lei) [Orabug: 27775588]
- Failing to send a CLOSE if file is opened WRONLY and server reboots on a 4.x mount (Olga Kornievskaia)  [Orabug: 27848303]
- ext4: add validity checks for bitmap block numbers (Theodore Ts'o) [Orabug: 27854373]  {CVE-2018-1093} {CVE-2018-1093}
- ocfs2: Take inode cluster lock before moving reflinked inode from orphan dir (Ashish Samant)  [Orabug: 27869411]
- Input: gtco - fix potential out-of-bound access (Dmitry Torokhov) [Orabug: 27869844]  {CVE-2017-16643}
- Input: ims-psu - check if CDC union descriptor is sane (Dmitry Torokhov)  [Orabug: 27870333]  {CVE-2017-16645}
- vfio/pci: Virtualize Maximum Payload Size (Alex Williamson)
- vfio-pci: Virtualize PCIe   AF FLR (Alex Williamson)
- uek-rpm: Disable DMA CMA (Jianchao Wang)  [Orabug: 27892359]
- nvme-pci: fix multiple ctrl removal scheduling (Rakesh Pandit) [Orabug: 27892359]
- nvme-pci: Fix nvme queue cleanup if IRQ setup fails (Jianchao Wang) [Orabug: 27892359]
- nvme/pci: Fix stuck nvme reset (Keith Busch)  [Orabug: 27892359]
- nvme: don't schedule multiple resets (Keith Busch)  [Orabug: 27892359]
- blk-mq: fix use-after-free in blk_mq_free_tag_set() (Junichi Nomura) [Orabug: 27892359]
- USB: core: prevent malicious bNumInterfaces overflow (Alan Stern) [Orabug: 27895909]
- driver core: platform: fix race condition with driver_override (Adrian Salido)  [Orabug: 27897874]  {CVE-2017-12146}
- usb/core: usb_alloc_dev(): fix setting of ->portnum (Nicolai Stange) [Orabug: 27908746]

USN-3508-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.

Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)

It was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)

Yonggang Guo discovered that a race condition existed in the driver subsystem in the Linux kernel. A local attacker could use this to possibly gain administrative privileges. (CVE-2017-12146).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)

It was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)

Yonggang Guo discovered that a race condition existed in the driver subsystem in the Linux kernel. A local attacker could use this to possibly gain administrative privileges. (CVE-2017-12146).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks.

  - CVE-2017-7518     Andy Lutomirski discovered that KVM is prone to an     incorrect debug exception (#DB) error occurring while     emulating a syscall instruction. A process inside a     guest can take advantage of this flaw for privilege     escalation inside a guest.

  - CVE-2017-7558 (stretch only)     Stefano Brivio of Red Hat discovered that the SCTP     subsystem is prone to a data leak vulnerability due to     an out-of-bounds read flaw, allowing to leak up to 100     uninitialized bytes to userspace.

  - CVE-2017-10661 (jessie only)     Dmitry Vyukov of Google reported that the timerfd     facility does not properly handle certain concurrent     operations on a single file descriptor. This allows a     local attacker to cause a denial of service or     potentially execute arbitrary code.

  - CVE-2017-11600     Bo Zhang reported that the xfrm subsystem does not     properly validate one of the parameters to a netlink     message. Local users with the CAP_NET_ADMIN capability     can use this to cause a denial of service or potentially     to execute arbitrary code.

  - CVE-2017-12134 / #866511 / XSA-229     Jan H. Schoenherr of Amazon discovered that when Linux     is running in a Xen PV domain on an x86 system, it may     incorrectly merge block I/O requests. A buggy or     malicious guest may trigger this bug in dom0 or a PV     driver domain, causing a denial of service or     potentially execution of arbitrary code.

  This issue can be mitigated by disabling merges on the underlying   back-end block devices, e.g.:echo 2 >   /sys/block/nvme0n1/queue/nomerges

  - CVE-2017-12146 (stretch only)     Adrian Salido of Google reported a race condition in     access to the'driver_override' attribute for platform     devices in sysfs. If unprivileged users are permitted to     access this attribute, this might allow them to gain     privileges.

  - CVE-2017-12153     Bo Zhang reported that the cfg80211 (wifi) subsystem     does not properly validate the parameters to a netlink     message. Local users with the CAP_NET_ADMIN capability     (in any user namespace with a wifi device) can use this     to cause a denial of service.

  - CVE-2017-12154     Jim Mattson of Google reported that the KVM     implementation for Intel x86 processors did not     correctly handle certain nested hypervisor     configurations. A malicious guest (or nested guest in a     suitable L1 hypervisor) could use this for denial of     service.

  - CVE-2017-14106     Andrey Konovalov discovered that a user-triggerable     division by zero in the tcp_disconnect() function could     result in local denial of service.

  - CVE-2017-14140     Otto Ebeling reported that the move_pages() system call     performed insufficient validation of the UIDs of the     calling and target processes, resulting in a partial     ASLR bypass. This made it easier for local users to     exploit vulnerabilities in programs installed with the     set-UID permission bit set.

  - CVE-2017-14156     'sohu0106' reported an information leak in the atyfb     video driver. A local user with access to a framebuffer     device handled by this driver could use this to obtain     sensitive information.

  - CVE-2017-14340     Richard Wareing discovered that the XFS implementation     allows the creation of files with the 'realtime' flag on     a filesystem with no realtime device, which can result     in a crash (oops). A local user with access to an XFS     filesystem that does not have a realtime device can use     this for denial of service.

  - CVE-2017-14489     ChunYu Wang of Red Hat discovered that the iSCSI     subsystem does not properly validate the length of a     netlink message, leading to memory corruption. A local     user with permission to manage iSCSI devices can use     this for denial of service or possibly to execute     arbitrary code.

  - CVE-2017-14497 (stretch only)     Benjamin Poirier of SUSE reported that vnet headers are     not properly handled within the tpacket_rcv() function     in the raw packet (af_packet) feature. A local user with     the CAP_NET_RAW capability can take advantage of this     flaw to cause a denial of service (buffer overflow, and     disk and memory corruption) or have other impact.

  - CVE-2017-1000111     Andrey Konovalov of Google reported a race condition in     the raw packet (af_packet) feature. Local users with the     CAP_NET_RAW capability can use this for denial of     service or possibly to execute arbitrary code.

  - CVE-2017-1000112     Andrey Konovalov of Google reported a race condition     flaw in the UDP Fragmentation Offload (UFO) code. A     local user can use this flaw for denial of service or     possibly to execute arbitrary code.

  - CVE-2017-1000251 / #875881     Armis Labs discovered that the Bluetooth subsystem does     not properly validate L2CAP configuration responses,     leading to a stack-based buffer overflow. This is one of     several vulnerabilities dubbed 'Blueborne'. A nearby     attacker can use this to cause a denial of service or     possibly to execute arbitrary code on a system with     Bluetooth enabled.

  - CVE-2017-1000252 (stretch only)     Jan H. Schoenherr of Amazon reported that the KVM     implementation for Intel x86 processors did not     correctly validate interrupt injection requests. A local     user with permission to use KVM could use this for     denial of service.

  - CVE-2017-1000370     The Qualys Research Labs reported that a large argument     or environment list can result in ASLR bypass for 32-bit     PIE binaries.

  - CVE-2017-1000371     The Qualys Research Labs reported that a large argument     or environment list can result in a stack/heap clash for     32-bit PIE binaries.

  - CVE-2017-1000380     Alexander Potapenko of Google reported a race condition     in the ALSA (sound) timer driver, leading to an     information leak. A local user with permission to access     sound devices could use this to obtain sensitive     information.

Debian disables unprivileged user namespaces by default, but if they are enabled (via the kernel.unprivileged_userns_clone sysctl) then CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited by any local user.

ID	Name	Product	Family	Severity
124823	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1500)	Nessus	Huawei Local Security Checks	high
109426	OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0037)	Nessus	OracleVM Local Security Checks	high
109386	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4084)	Nessus	Oracle Linux Local Security Checks	high
105103	Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3508-2) (Dirty COW)	Nessus	Ubuntu Local Security Checks	high
105102	Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3508-1) (Dirty COW)	Nessus	Ubuntu Local Security Checks	high
103365	Debian DSA-3981-1 : linux - security update (BlueBorne) (Stack Clash)	Nessus	Debian Local Security Checks	high

CVE-2017-12146

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins