101267

RHSA-2018:0395

RHSA-2018:0412

https://bugzilla.redhat.com/show_bug.cgi?id=1500380

https://patchwork.kernel.org/patch/9996579/

https://patchwork.kernel.org/patch/9996587/

The remote NewStart CGSL host, running version MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities:

  - A flaw was found in the Linux kernel's key management     system where it was possible for an attacker to escalate     privileges or crash the machine. If a user key gets     negatively instantiated, an error code is cached in the     payload area. A negatively instantiated key may be then     be positively instantiated by updating it with valid     data. However, the ->update key type method must be     aware that the error code may be there. (CVE-2015-8539)

  - A flaw was found in the way the Linux KVM module     processed the trap flag(TF) bit in EFLAGS during     emulation of the syscall instruction, which leads to a     debug exception(#DB) being raised in the guest stack. A     user/process inside a guest could use this flaw to     potentially escalate their privileges inside the guest.
    Linux guests are not affected by this. (CVE-2017-7518)

  - A vulnerability was found in the Key Management sub     component of the Linux kernel, where when trying to     issue a KEYTCL_READ on a negative key would lead to a     NULL pointer dereference. A local attacker could use     this flaw to crash the kernel. (CVE-2017-12192)

  - The Linux kernel built with the KVM visualization     support (CONFIG_KVM), with nested visualization(nVMX)     feature enabled (nested=1), was vulnerable to a stack     buffer overflow issue. The vulnerability could occur     while traversing guest page table entries to resolve     guest virtual address(gva). An L1 guest could use this     flaw to crash the host kernel resulting in denial of     service (DoS) or potentially execute arbitrary code on     the host to gain privileges on the system.
    (CVE-2017-12188)

  - A flaw was found in the Linux kernel's implementation of     associative arrays introduced in 3.13. This     functionality was backported to the 3.10 kernels in Red     Hat Enterprise Linux 7. The flaw involved a null pointer     dereference in assoc_array_apply_edit() due to incorrect     node-splitting in assoc_array implementation. This     affects the keyring key type and thus key addition and     link creation operations may cause the kernel to panic.
    (CVE-2017-12193)

  - It was found that fanout_add() in     'net/packet/af_packet.c' in the Linux kernel, before     version 4.13.6, allows local users to gain privileges     via crafted system calls that trigger mishandling of     packet_fanout data structures, because of a race     condition (involving fanout_add and packet_do_bind) that     leads to a use-after-free bug. (CVE-2017-15649)

  - A vulnerability was found in the Linux kernel where the     keyctl_set_reqkey_keyring() function leaks the thread     keyring. This allows an unprivileged local user to     exhaust kernel memory and thus cause a DoS.
    (CVE-2017-7472)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The ipx_recvmsg function in net/ipx/af_ipx.c in the     Linux kernel before 3.12.4 updates a certain length     value without ensuring that an associated data     structure has been initialized, which allows local     users to obtain sensitive information from kernel     memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg     system call.(CVE-2013-7268)

  - The move_pages system call in mm/migrate.c in the Linux     kernel doesn't check the effective uid of the target     process. This enables a local attacker to learn the     memory layout of a setuid executable allowing     mitigation of ASLR.(CVE-2017-14140)

  - Multiple array index errors in drivers/hid/hid-core.c     in the Human Interface Device (HID) subsystem in the     Linux kernel through 3.11 allow physically proximate     attackers to execute arbitrary code or cause a denial     of service (heap memory corruption) via a crafted     device that provides an invalid Report     ID.(CVE-2013-2888)

  - It was found that if a Non-Maskable Interrupt (NMI)     occurred immediately after a SYSCALL call or before a     SYSRET call with the user RSP pointing to the NMI IST     stack, the kernel could skip that NMI.(CVE-2015-3291)

  - The sound/core/seq_device.c in the Linux kernel, before     4.13.4, allows local users to cause a denial of service     (snd_rawmidi_dev_seq_free use-after-free and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16528)

  - net/ceph/auth_x.c in Ceph, as used in the Linux kernel     before 3.16.3, does not properly consider the     possibility of kmalloc failure, which allows remote     attackers to cause a denial of service (system crash)     or possibly have unspecified other impact via a long     unencrypted auth ticket.(CVE-2014-6417)

  - A NULL pointer dereference flaw was found in the Linux     kernel: the NFSv4.2 migration code improperly     initialized the kernel structure. A local,     authenticated user could use this flaw to cause a panic     of the NFS client (denial of service).(CVE-2015-8746)

  - A stack-based buffer overflow flaw was found in the     TechnoTrend/Hauppauge DEC USB device driver. A local     user with write access to the corresponding device     could use this flaw to crash the kernel or,     potentially, elevate their privileges on the     system.(CVE-2014-8884)

  - A flaw was found in the linux kernel's implementation     of the airspy USB device driver in which a leak was     found when a subdev or SDR are plugged into the host.An     attacker can create an targeted USB device which can     emulate 64 of these devices. Then by emulating an     additional device which continuously connects and     disconnects, each connection attempt will leak memory     which can not be recovered.(CVE-2016-5400)

  - The sound/usb/mixer.c in the Linux kernel, before     4.13.8, allows local users to cause a denial of service     (snd_usb_mixer_interrupt use-after-free and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16527)

  - The Human Interface Device (HID) subsystem in the Linux     kernel through 3.11, when CONFIG_LOGITECH_FF,     CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled,     allows physically proximate attackers to cause a denial     of service (heap-based out-of-bounds write) via a     crafted device, related to (1) drivers/hid/hid-lgff.c,     (2) drivers/hid/hid-lg3ff.c, and (3)     drivers/hid/hid-lg4ff.c.(CVE-2013-2893)

  - It was found that reporting emulation failures to user     space could lead to either a local (CVE-2014-7842) or a     L2->L1 (CVE-2010-5313) denial of service. In the case     of a local denial of service, an attacker must have     access to the MMIO area or be able to access an I/O     port. Please note that on certain systems, HPET is     mapped to userspace as part of vdso (vvar) and thus an     unprivileged user may generate MMIO transactions (and     enter the emulator) this way.(CVE-2014-7842)

  - A flaw was discovered in the way the Linux kernel's TTY     subsystem handled the tty shutdown phase. A local,     unprivileged user could use this flaw to cause denial     of service on the system by holding a reference to the     ldisc lock during tty shutdown, causing a     deadlock.(CVE-2015-4170)

  - The __ip6_append_data function in net/ipv6/ip6_output.c     in the Linux kernel through 4.11.3 is too late in     checking whether an overwrite of an skb data structure     may occur, which allows local users to cause a denial     of service (system crash) via crafted system     calls.(CVE-2017-9242)

  - The Linux kernel built with the KVM visualization     support (CONFIG_KVM), with nested visualization(nVMX)     feature enabled (nested=1), was vulnerable to a stack     buffer overflow issue. The vulnerability could occur     while traversing guest page table entries to resolve     guest virtual address(gva). An L1 guest could use this     flaw to crash the host kernel resulting in denial of     service (DoS) or potentially execute arbitrary code on     the host to gain privileges on the     system.(CVE-2017-12188)

  - The recalculate_apic_map function in     arch/x86/kvm/lapic.c in the KVM subsystem in the Linux     kernel through 3.12.5 allows guest OS users to cause a     denial of service (host OS crash) via a crafted ICR     write operation in x2apic mode.(CVE-2013-6376)

  - The wanxl_ioctl function in drivers/net/wan/wanxl.c in     the Linux kernel before 3.11.7 does not properly     initialize a certain data structure, which allows local     users to obtain sensitive information from kernel     memory via an ioctl call.(CVE-2014-1445)

  - The restore_fpu_checking function in     arch/x86/include/asm/fpu-internal.h in the Linux kernel     before 3.12.8 on the AMD K7 and K8 platforms does not     clear pending exceptions before proceeding to an EMMS     instruction, which allows local users to cause a denial     of service (task kill) or possibly gain privileges via     a crafted application.(CVE-2014-1438)

  - A race condition was found in the way the Linux     kernel's memory subsystem handled the copy-on-write     (COW) breakage of private read-only memory mappings. An     unprivileged, local user could use this flaw to gain     write access to otherwise read-only memory mappings and     thus increase their privileges on the     system.(CVE-2016-5195)

  - Algorithms not compatible with mcryptd could be spawned     by mcryptd with a direct crypto_alloc_tfm invocation     using a 'mcryptd(alg)' name construct. This causes     mcryptd to crash the kernel if an arbitrary 'alg' is     incompatible and not intended to be used with     mcryptd.(CVE-2016-10147)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An integer overflow vulnerability was found in the     ring_buffer_resize() calculations in which a privileged     user can adjust the size of the ringbuffer message     size. These calculations can create an issue where the     kernel memory allocator will not allocate the correct     count of pages yet expect them to be usable. This can     lead to the ftrace() output to appear to corrupt kernel     memory and possibly be used for privileged escalation     or more likely kernel panic.(CVE-2016-9754)

  - A flaw was found in the Linux kernel's implementation     of setsockopt for the SO_{SND|RCV}BUFFORCE setsockopt()     system call. Users with non-namespace CAP_NET_ADMIN are     able to trigger this call and create a situation in     which the sockets sendbuff data size could be negative.
    This could adversely affect memory allocations and     create situations where the system could crash or cause     memory corruption.(CVE-2016-9793)

  - A use-after-free vulnerability was found in ALSA pcm     layer, which allows local users to cause a denial of     service, memory corruption, or possibly other     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2016-9794)

  - A double free vulnerability was found in netlink_dump,     which could cause a denial of service or possibly other     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2016-9806)

  - A race condition issue leading to a use-after-free flaw     was found in the way the raw packet sockets are     implemented in the Linux kernel networking subsystem     handling synchronization. A local user able to open a     raw packet socket (requires the CAP_NET_RAW capability)     can use this issue to crash the     system.(CVE-2017-1000111)

  - An exploitable memory corruption flaw was found in the     Linux kernel. The append path can be erroneously     switched from UFO to non-UFO in ip_ufo_append_data()     when building an UFO packet with MSG_MORE option. If     unprivileged user namespaces are available, this flaw     can be exploited to gain root     privileges.(CVE-2017-1000112)

  - A stack buffer overflow flaw was found in the way the     Bluetooth subsystem of the Linux kernel processed     pending L2CAP configuration responses from a client. On     systems with the stack protection feature enabled in     the kernel (CONFIG_CC_STACKPROTECTOR=y, which is     enabled on all architectures other than s390x and     ppc64le), an unauthenticated attacker able to initiate     a connection to a system via Bluetooth could use this     flaw to crash the system. Due to the nature of the     stack protection feature, code execution cannot be     fully ruled out, although we believe it is unlikely. On     systems without the stack protection feature (ppc64le;
    the Bluetooth modules are not built on s390x), an     unauthenticated attacker able to initiate a connection     to a system via Bluetooth could use this flaw to     remotely execute arbitrary code on the system with ring     0 (kernel) privileges.(CVE-2017-1000251)

  - A reachable assertion failure flaw was found in the     Linux kernel built with KVM virtualisation(CONFIG_KVM)     support with Virtual Function I/O feature (CONFIG_VFIO)     enabled. This failure could occur if a malicious guest     device sent a virtual interrupt (guest IRQ) with a     larger (>1024) index value.(CVE-2017-1000252)

  - A flaw was found in the way memory was being allocated     on the stack for user space binaries. If heap (or     different memory region) and stack memory regions were     adjacent to each other, an attacker could use this flaw     to jump over the stack guard gap, cause controlled     memory corruption on process stack or the adjacent     memory region, and thus increase their privileges on     the system. This is a kernel-side mitigation which     increases the stack guard gap size from one page to 1     MiB to make successful exploitation of this issue more     difficult.(CVE-2017-1000364)

  - The Linux Kernel imposes a size restriction on the     arguments and environmental strings passed through     RLIMIT_STACK/RLIMIT_INFINITY, but does not take the     argument and environment pointers into account, which     allows attackers to bypass this     limitation.(CVE-2017-1000365)

  - The offset2lib patch as used in the Linux Kernel     contains a vulnerability that allows a PIE binary to be     execve()'ed with 1GB of arguments or environmental     strings then the stack occupies the address 0x80000000     and the PIE binary is mapped above 0x40000000     nullifying the protection of the offset2lib patch. This     affects Linux Kernel version 4.11.5 and earlier. This     is a different issue than CVE-2017-1000371. This issue     appears to be limited to i386 based     systems.(CVE-2017-1000370)

  - A flaw was found in the processing of incoming L2CAP     bluetooth commands. Uninitialized stack variables can     be sent to an attacker leaking data in kernel address     space.(CVE-2017-1000410)

  - A race condition was found in the Linux kernel before     version 4.11-rc1 in 'fs/timerfd.c' file which allows a     local user to cause a kernel list corruption or     use-after-free via simultaneous operations with a file     descriptor which leverage improper 'might_cancel'     queuing. An unprivileged local user could use this flaw     to cause a denial of service of the system. Due to the     nature of the flaw, privilege escalation cannot be     fully ruled out, although we believe it is     unlikely.(CVE-2017-10661)

  - Memory leak in the virtio_gpu_object_create function in     drivers/gpu/drm/virtio/virtgpu_object.c in the Linux     kernel through 4.11.8 allows attackers to cause a     denial of service (memory consumption) by triggering     object-initialization failures.(CVE-2017-10810)

  - The make_response function in     drivers/block/xen-blkback/blkback.c in the Linux kernel     before 4.11.8 allows guest OS users to obtain sensitive     information from host OS (or other guest OS) kernel     memory by leveraging the copying of uninitialized     padding fields in Xen block-interface response     structures, aka XSA-216.(CVE-2017-10911)

  - A use-after-free flaw was found in the Netlink     functionality of the Linux kernel networking subsystem.
    Due to the insufficient cleanup in the mq_notify     function, a local attacker could potentially use this     flaw to escalate their privileges on the     system.(CVE-2017-11176)

  - Buffer overflow in the mp_override_legacy_irq()     function in arch/x86/kernel/acpi/boot.c in the Linux     kernel through 4.12.2 allows local users to gain     privileges via a crafted ACPI table.(CVE-2017-11473)

  - The xfrm_migrate() function in the     net/xfrm/xfrm_policy.c file in the Linux kernel built     with CONFIG_XFRM_MIGRATE does not verify if the dir     parameter is less than XFRM_POLICY_MAX. This allows a     local attacker to cause a denial of service     (out-of-bounds access) or possibly have unspecified     other impact by sending a XFRM_MSG_MIGRATE netlink     message. This flaw is present in the Linux kernel since     an introduction of XFRM_MSG_MIGRATE in 2.6.21-rc1, up     to 4.13-rc3.(CVE-2017-11600)

  - A security flaw was discovered in     nl80211_set_rekey_data() function in the Linux kernel     since v3.1-rc1 through v4.13. This function does not     check whether the required attributes are present in a     netlink request. This request can be issued by a user     with CAP_NET_ADMIN privilege and may result in NULL     dereference and a system crash.(CVE-2017-12153)

  - Linux kernel built with the KVM visualization support     (CONFIG_KVM), with nested visualization (nVMX) feature     enabled (nested=1), is vulnerable to a crash due to     disabled external interrupts. As L2 guest could access     (r/w) hardware CR8 register of the host(L0). In a     nested visualization setup, L2 guest user could use     this flaw to potentially crash the host(L0) resulting     in DoS.(CVE-2017-12154)

  - The Linux kernel built with the KVM visualization     support (CONFIG_KVM), with nested visualization(nVMX)     feature enabled (nested=1), was vulnerable to a stack     buffer overflow issue. The vulnerability could occur     while traversing guest page table entries to resolve     guest virtual address(gva). An L1 guest could use this     flaw to crash the host kernel resulting in denial of     service (DoS) or potentially execute arbitrary code on     the host to gain privileges on the     system.(CVE-2017-12188)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the linux package has been released.

An update of [linux] packages for PhotonOS has been released.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

These updated kernel packages include several security issues and numerous bug fixes, some of which you can see below. Space precludes documenting all of these bug fixes in this advisory. To see the complete list of bug fixes, users are directed to the related Knowledge Article: https://access.redhat.com/articles/3368501.

Security Fix(es) :

* Kernel: KVM: MMU potential stack buffer overrun during page walks (CVE-2017-12188, Important)

* Kernel: KVM: debug exception via syscall emulation (CVE-2017-7518, Moderate)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Security Fix(es) :

  - Kernel: KVM: MMU potential stack buffer overrun during     page walks (CVE-2017-12188, Important)

  - Kernel: KVM: debug exception via syscall emulation     (CVE-2017-7518, Moderate)

From Red Hat Security Advisory 2018:0395 :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

These updated kernel packages include several security issues and numerous bug fixes, some of which you can see below. Space precludes documenting all of these bug fixes in this advisory. To see the complete list of bug fixes, users are directed to the related Knowledge Article: https://access.redhat.com/articles/3368501.

Security Fix(es) :

* Kernel: KVM: MMU potential stack buffer overrun during page walks (CVE-2017-12188, Important)

* Kernel: KVM: debug exception via syscall emulation (CVE-2017-7518, Moderate)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* Kernel: KVM: MMU potential stack buffer overrun during page walks (CVE-2017-12188, Important)

* Kernel: KVM: debug exception via syscall emulation (CVE-2017-7518, Moderate)

Bug Fix(es) :

* The kernel-rt packages have been upgraded to the 3.10.0-693.21.1 source tree, which provides a number of bug fixes over the previous version. (BZ# 1537671)

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in the key management     subsystem of the Linux kernel. An update on an     uninstantiated key could cause a kernel panic, leading     to denial of service (DoS).(CVE-2017-15299)

  - It was found that fanout_add() in     'net/packet/af_packet.c' in the Linux kernel, before     version 4.13.6, allows local users to gain privileges     via crafted system calls that trigger mishandling of     packet_fanout data structures, because of a race     condition (involving fanout_add and packet_do_bind)     that leads to a use-after-free bug.(CVE-2017-15649)

  - The keyctl_read_key function in security/keys/keyctl.c     in the Key Management subcomponent in the Linux kernel     before 4.13.5 does not properly consider that a key may     be possessed but negatively instantiated, which allows     local users to cause a denial of service (OOPS and     system crash) via a crafted KEYCTL_READ     operation.(CVE-2017-12192)

  - The Linux kernel built with the KVM visualization     support (CONFIG_KVM), with nested visualization(nVMX)     feature enabled (nested=1), was vulnerable to a stack     buffer overflow issue. The vulnerability could occur     while traversing guest page table entries to resolve     guest virtual address(gva). An L1 guest could use this     flaw to crash the host kernel resulting in denial of     service (DoS) or potentially execute arbitrary code on     the host to gain privileges on the     system.(CVE-2017-12188)

  - The imon_probe function in drivers/media/rc/imon.c in     the Linux kernel through 4.13.11 allows local users to     cause a denial of service (NULL pointer dereference and     system crash) or possibly have unspecified other impact     via a crafted USB device.(CVE-2017-16537)

  - drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux     kernel through 4.13.11 allows local users to cause a     denial of service (general protection fault and system     crash) or possibly have unspecified other impact via a     crafted USB device, related to a missing warm-start     check and incorrect attach timing     (dm04_lme2510_frontend_attach versus     dm04_lme2510_tuner).(CVE-2017-16538)

  - The cx231xx_usb_probe function in     drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux     kernel through 4.13.11 allows local users to cause a     denial of service (NULL pointer dereference and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16536)

  - The usb_get_bos_descriptor function in     drivers/usb/core/config.c in the Linux kernel before     4.13.10 allows local users to cause a denial of service     (out-of-bounds read and system crash) or possibly have     unspecified other impact via a crafted USB     device.(CVE-2017-16535)

  - The cdc_parse_cdc_header function in     drivers/usb/core/message.c in the Linux kernel before     4.13.6 allows local users to cause a denial of service     (out-of-bounds read and system crash) or possibly have     unspecified other impact via a crafted USB     device.(CVE-2017-16534)

  - The usbhid_parse function in     drivers/hid/usbhid/hid-core.c in the Linux kernel     before 4.13.8 allows local users to cause a denial of     service (out-of-bounds read and system crash) or     possibly have unspecified other impact via a crafted     USB device.(CVE-2017-16533)

  - The get_endpoints function in     drivers/usb/misc/usbtest.c in the Linux kernel through     4.13.11 allows local users to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact via a crafted USB     device.(CVE-2017-16532)

  - drivers/usb/core/config.c in the Linux kernel before     4.13.6 allows local users to cause a denial of service     (out-of-bounds read and system crash) or possibly have     unspecified other impact via a crafted USB device,     related to the USB_DT_INTERFACE_ASSOCIATION     descriptor.(CVE-2017-16531)

  - The uas driver in the Linux kernel before 4.13.6 allows     local users to cause a denial of service (out-of-bounds     read and system crash) or possibly have unspecified     other impact via a crafted USB device, related to     drivers/usb/storage/uas-detect.h and     drivers/usb/storage/uas.c.(CVE-2017-16530)

  - The snd_usb_create_streams function in sound/usb/card.c     in the Linux kernel before 4.13.6 allows local users to     cause a denial of service (out-of-bounds read and     system crash) or possibly have unspecified other impact     via a crafted USB device.(CVE-2017-16529)

  - sound/core/seq_device.c in the Linux kernel before     4.13.4 allows local users to cause a denial of service     (snd_rawmidi_dev_seq_free use-after-free and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16528)

  - sound/usb/mixer.c in the Linux kernel before 4.13.8     allows local users to cause a denial of service     (snd_usb_mixer_interrupt use-after-free and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16527)

  - drivers/uwb/uwbd.c in the Linux kernel before 4.13.6     allows local users to cause a denial of service     (general protection fault and system crash) or possibly     have unspecified other impact via a crafted USB     device.(CVE-2017-16526)

  - The usb_serial_console_disconnect function in     drivers/usb/serial/console.c in the Linux kernel before     4.13.8 allows local users to cause a denial of service     (use-after-free and system crash) or possibly have     unspecified other impact via a crafted USB device,     related to disconnection and failed     setup.(CVE-2017-16525)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the KVM subsystem in the Linux kernel did not properly keep track of nested levels in guest page tables. A local attacker in a guest VM could use this to cause a denial of service (host OS crash) or possibly execute arbitrary code in the host OS.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the KVM subsystem in the Linux kernel did not properly keep track of nested levels in guest page tables. A local attacker in a guest VM could use this to cause a denial of service (host OS crash) or possibly execute arbitrary code in the host OS.
(CVE-2017-12188)

It was discovered that on the PowerPC architecture, the kernel did not properly sanitize the signal stack when handling sigreturn(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-1000255)

Bo Zhang discovered that the netlink wireless configuration interface in the Linux kernel did not properly validate attributes when handling certain requests. A local attacker with the CAP_NET_ADMIN could use this to cause a denial of service (system crash). (CVE-2017-12153)

It was discovered that the nested KVM implementation in the Linux kernel in some situations did not properly prevent second level guests from reading and writing the hardware CR8 register. A local attacker in a guest could use this to cause a denial of service (system crash).
(CVE-2017-12154)

Vitaly Mayatskikh discovered that the SCSI subsystem in the Linux kernel did not properly track reference counts when merging buffers. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2017-12190)

It was discovered that the key management subsystem in the Linux kernel did not properly restrict key reads on negatively instantiated keys. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12192)

It was discovered that the ATI Radeon framebuffer driver in the Linux kernel did not properly initialize a data structure returned to user space. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14156)

ChunYu Wang discovered that the iSCSI transport implementation in the Linux kernel did not properly validate data structures. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-14489)

Alexander Potapenko discovered an information leak in the waitid implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14954)

It was discovered that a race condition existed in the ALSA subsystem of the Linux kernel when creating and deleting a port via ioctl(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15265)

Dmitry Vyukov discovered that the Floating Point Unit (fpu) subsystem in the Linux kernel did not properly handle attempts to set reserved bits in a task's extended state (xstate) area. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-15537)

It was discovered that a race condition existed in the packet fanout implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15649)

Andrey Konovalov discovered a use-after-free vulnerability in the USB serial console driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16525)

Andrey Konovalov discovered that the Ultra Wide Band driver in the Linux kernel did not properly check for an error condition. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16526)

Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16527)

Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel did not properly validate USB audio buffer descriptors. A physically proximate attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16529)

Andrey Konovalov discovered that the USB unattached storage driver in the Linux kernel contained out-of-bounds error when handling alternative settings. A physically proximate attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16530)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB interface association descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16531)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB HID descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16533)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate CDC metadata. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16534).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3484-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.

It was discovered that the KVM subsystem in the Linux kernel did not properly keep track of nested levels in guest page tables. A local attacker in a guest VM could use this to cause a denial of service (host OS crash) or possibly execute arbitrary code in the host OS.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5,     when nested virtualisation is used, does not properly     traverse guest pagetable entries to resolve a guest     virtual address, which allows L1 guest OS users to     execute arbitrary code on the host OS or cause a denial     of service (incorrect index during page walking, and     host OS crash), aka an MMU potential stack buffer     overrun.(CVE-2017-12188)

  - A vulnerability was found in the Key Management sub     component of the Linux kernel, where when trying to     issue a KEYTCL_READ on negative key would lead to a     NULL pointer dereference. A local attacker could use     this flaw to crash the kernel.(CVE-2017-12192)

  - security/keys/keyctl.c in the Linux kernel before     4.11.5 does not consider the case of a NULL payload in     conjunction with a nonzero length value, which allows     local users to cause a denial of service (NULL pointer     dereference and OOPS) via a crafted add_key or keyctl     system call, a different vulnerability than     CVE-2017-12192.(CVE-2017-15274)

  - Linux kernel: heap out-of-bounds in AF_PACKET sockets.
    This new issue is analogous to previously disclosed     CVE-2016-8655. In both cases, a socket option that     changes socket state may race with safety checks in     packet_set_ring. Previously with PACKET_VERSION. This     time with PACKET_RESERVE. The solution is similar: lock     the socket for the update. This issue may be     exploitable, we did not investigate further. As this     issue affects PF_PACKET sockets, it requires     CAP_NET_RAW in the process namespace. But note that     with user namespaces enabled, any process can create a     namespace in which it has     CAP_NET_RAW.(CVE-2017-1000111)

  - Use-after-free vulnerability in the Linux kernel before     4.14-rc5 allows local users to have unspecified impact     via vectors related to /dev/snd/seq.(CVE-2017-15265)

  - net/packet/af_packet.c in the Linux kernel before     4.13.6 allows local users to gain privileges via     crafted system calls that trigger mishandling of     packet_fanout data structures, because of a race     condition (involving fanout_add and packet_do_bind)     that leads to a use-after-free, a different     vulnerability than CVE-2017-6346.(CVE-2017-15649)

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux     kernel before 4.13.4 allows local users to obtain     sensitive information from uninitialized kernel     heap-memory locations via an SG_GET_REQUEST_TABLE ioctl     call for /dev/sg0.(CVE-2017-14991)

  - An exploitable memory corruption flaw was found in the     Linux kernel. The append path can be erroneously     switched from UFO to non-UFO in ip_ufo_append_data()     when building an UFO packet with MSG_MORE option. If     unprivileged user namespaces are available, this flaw     can be exploited to gain root     privileges.(CVE-2017-1000112)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities :

  - Linux kernel built with the KVM virtualisation support     (CONFIG_KVM), with nested virtualisation (nVMX) feature     enabled (nested=1), is vulnerable to a stack buffer     overflow issue. It could occur while traversing guest     pagetable entries to resolve guest virtual address. A     guest system could use this flaw to crash the host     kernel resulting in DoS, or potentially execute     arbitrary code on the host.

  - A flaw was found in the Linux networking subsystem     where a local attacker with CAP_NET_ADMIN capabilities     could cause an out-of-bounds memory access by creating     a smaller-than-expected ICMP header and sending to its     destination via sendto().

  - It was found that in the Linux kernel through     v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in     'block/bio.c' do unbalanced pages refcounting if IO     vector has small consecutive buffers belonging to the     same page. bio_add_pc_page() merges them into one, but     the page reference is never dropped, causing a memory     leak and possible system lockup due to out-of-memory     condition.

Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
127165	NewStart CGSL MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0014)	Nessus	NewStart CGSL Local Security Checks	high
124982	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1529)	Nessus	Huawei Local Security Checks	high
124821	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1498)	Nessus	Huawei Local Security Checks	high
121754	Photon OS 2.0: Linux PHSA-2017-0043	Nessus	PhotonOS Local Security Checks	high
111892	Photon OS 2.0: Linux PHSA-2017-0043 (deprecated)	Nessus	PhotonOS Local Security Checks	high
107271	CentOS 7 : kernel (CESA-2018:0395)	Nessus	CentOS Local Security Checks	medium
107210	Scientific Linux Security Update : kernel on SL7.x x86_64	Nessus	Scientific Linux Local Security Checks	medium
107203	Oracle Linux 7 : kernel (ELSA-2018-0395)	Nessus	Oracle Linux Local Security Checks	medium
107189	RHEL 7 : kernel-rt (RHSA-2018:0412)	Nessus	Red Hat Local Security Checks	medium
107186	RHEL 7 : kernel (RHSA-2018:0395)	Nessus	Red Hat Local Security Checks	medium
104911	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2017-1292)	Nessus	Huawei Local Security Checks	high
104738	Ubuntu 16.04 LTS : linux-azure vulnerability (USN-3488-1)	Nessus	Ubuntu Local Security Checks	medium
104737	Ubuntu 17.10 : linux, linux-raspi2 vulnerabilities (USN-3487-1)	Nessus	Ubuntu Local Security Checks	high
104734	Ubuntu 16.04 LTS : linux-gcp vulnerability (USN-3484-3)	Nessus	Ubuntu Local Security Checks	medium
104715	Ubuntu 16.04 LTS : linux-hwe vulnerability (USN-3484-2)	Nessus	Ubuntu Local Security Checks	medium
104714	Ubuntu 17.04 : linux, linux-raspi2 vulnerability (USN-3484-1)	Nessus	Ubuntu Local Security Checks	medium
104296	EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271)	Nessus	Huawei Local Security Checks	high
104132	Virtuozzo 7 : readykernel-patch (VZA-2017-098)	Nessus	Virtuozzo Local Security Checks	high

CVE-2017-12188

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins