https://source.android.com/security/bulletin/pixel/2017-12-01

USN-3753-1

USN-3753-2

USN-3820-1

USN-3820-2

USN-3820-3

USN-3822-1

USN-3822-2

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Array index error in the tcm_vhost_make_tpg function in     drivers/vhost/scsi.c in the Linux kernel before 4.0     might allow guest OS users to cause a denial of service     (memory corruption) or possibly have unspecified other     impact via a crafted VHOST_SCSI_SET_ENDPOINT ioctl     call. NOTE: the affected function was renamed to     vhost_scsi_make_tpg before the vulnerability was     announced.(CVE-2015-4036)

  - The ecryptfs_privileged_open function in     fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3     allows local users to gain privileges or cause a denial     of service (stack memory consumption) via vectors     involving crafted mmap calls for /proc pathnames,     leading to recursive pagefault handling.(CVE-2016-1583)

  - It was found that SCSI driver in the Linux kernel can     improperly access userspace memory outside the provided     buffer. A local privileged attacker could potentially     use this flaw to expose information from the kernel     memory.(CVE-2017-13168)

  - The acpi_ds_create_operands() function in     drivers/acpi/acpica/dsutils.c in the Linux kernel     through 4.12.9 does not flush the operand cache and     causes a kernel stack dump, which allows local users to     obtain sensitive information from kernel memory and     bypass the KASLR protection mechanism (in the kernel     through 4.9) via a crafted ACPI table.(CVE-2017-13693)

  - The acpi_ps_complete_final_op() function in     drivers/acpi/acpica/psobject.c in the Linux kernel     through 4.12.9 does not flush the node and node_ext     caches and causes a kernel stack dump, which allows     local users to obtain sensitive information from kernel     memory and bypass the KASLR protection mechanism (in     the kernel through 4.9) via a crafted ACPI     table.(CVE-2017-13694)

  - The acpi_ns_evaluate() function in     drivers/acpi/acpica/nseval.c in the Linux kernel     through 4.12.9 does not flush the operand cache and     causes a kernel stack dump, which allows local users to     obtain sensitive information from kernel memory and     bypass the KASLR protection mechanism (in the kernel     through 4.9) via a crafted ACPI table.(CVE-2017-13695)

  - The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h     in the Linux kernel before 4.13.2 does not verify that     a filesystem has a realtime device, which allows local     users to cause a denial of service (NULL pointer     dereference and OOPS) via vectors related to setting an     RHINHERIT flag on a directory.(CVE-2017-14340)

  - The xfs_bmap_extents_to_btree function in     fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through     4.16.3 allows local users to cause a denial of service     (xfs_bmapi_write NULL pointer dereference) via a     crafted xfs image.(CVE-2018-10323)

  - A flaw was found in Linux kernel in the ext4 filesystem     code. A use-after-free is possible in     ext4_ext_remove_space() function when mounting and     operating a crafted ext4 image.(CVE-2018-10876)

  - A flaw was found in the Linux kernel ext4 filesystem.
    An out-of-bound access is possible in the     ext4_ext_drop_refs() function when operating on a     crafted ext4 filesystem image.(CVE-2018-10877)

  - The pcpu_embed_first_chunk function in mm/percpu.c in     the Linux kernel through 4.14.14 allows local users to     obtain sensitive address information by reading dmesg     data from a(CVE-2018-5995)

  - Memory leak in the irda_bind function in     net/irda/af_irda.c and later in     drivers/staging/irda/net/af_irda.c in the Linux kernel     before 4.17 allows local users to cause a denial of     service (memory consumption) by repeatedly binding an     AF_IRDA socket.(CVE-2018-6554)

  - A NULL pointer dereference was found in the     net/rds/rdma.c __rds_rdma_map() function in the Linux     kernel before 4.14.7 allowing local attackers to cause     a system panic and a denial-of-service, related to     RDS_GET_MR and RDS_GET_MR_FOR_DEST.(CVE-2018-7492)

  - ** DISPUTED ** Race condition in the     store_int_with_restart() function in     arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel     through 4.15.7 allows local users to cause a denial of     service (panic) by leveraging root access to write to     the check_interval file in a     /sys/devices/system/machinecheck/machinecheck<cpu     number> directory. NOTE: a third party has indicated     that this report is not security     relevant.(CVE-2018-7995)

  - Non-optimized code for key handling of shared futexes     was found in the Linux kernel in the form of unbounded     contention time due to the page lock for real-time     users. Before the fix, the page lock was an     unnecessarily heavy lock for the futex path that     protected too much. After the fix, the page lock is     only required in a specific corner case.(CVE-2018-9422)

  - A memory leak in the ccp_run_sha_cmd() function in     drivers/crypto/ccp/ccp-ops.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-128c66429247.(CVE-2019-18808)

  - In the Linux kernel before 5.1, there is a memory leak     in __feat_register_sp() in net/dccp/feat.c, which may     cause denial of service, aka     CID-1d3ff0950e2b.(CVE-2019-20096)

  - An issue was discovered in the Linux kernel before     5.4.7. The prb_calc_retire_blk_tmo() function in     net/packet/af_packet.c can result in a denial of     service (CPU consumption and soft lockup) in a certain     failure case involving TPACKET_V3, aka     CID-b43d1f9f7067.(CVE-2019-20812)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):** DISPUTED ** Multiple     integer overflows in the lzo1x_decompress_safe function     in lib/lzo/lzo1x_decompress_safe.c in the LZO     decompressor in the Linux kernel before 3.15.2 allow     context-dependent attackers to cause a denial of     service (memory corruption) via a crafted Literal Run.
    NOTE: the author of the LZO algorithms says 'the Linux     kernel is *not* affected media hype.'(CVE-2014-4608)A     certain backport in the TCP Fast Open implementation     for the Linux kernel before 3.18 does not properly     maintain a count value, which allow local users to     cause a denial of service (system crash) via the Fast     Open feature, as demonstrated by visiting the     chrome://flags/#enable-tcp-fast-open URL when using     certain 3.10.x through 3.16.x kernel builds, including     longterm-maintenance releases and ckt (aka Canonical     Kernel Team) builds.(CVE-2015-3332)An elevation of     privilege vulnerability in the kernel scsi driver.
    Product: Android. Versions: Android kernel. Android ID     A-65023233.(CVE-2017-13168)An issue was discovered in     drivers/i2c/i2c-core-smbus.c in the Linux kernel before     4.14.15. There is an out of bounds write in the     function i2c_smbus_xfer_emulated.(CVE-2017-18551)An     issue was discovered in net/ipv6/ip6mr.c in the Linux     kernel before 4.11. By setting a specific socket     option, an attacker can control a pointer in kernel     land and cause an inet_csk_listen_stop general     protection fault, or potentially execute arbitrary code     under certain circumstances. The issue can be triggered     as root (e.g., inside a default LXC container or with     the CAP_NET_ADMIN capability) or after namespace     unsharing. This occurs because sk_type and protocol are     not checked in the appropriate part of the ip6_mroute_*     functions. NOTE: this affects Linux distributions that     use 4.9.x longterm kernels before     4.9.187.(CVE-2017-18509)An issue was discovered in the     Linux kernel before 4.14.11. A double free may be     caused by the function allocate_trace_buffer in the     file kernel/trace/trace.c.(CVE-2017-18595)An issue was     discovered in the Linux kernel through 4.17.10. There     is a NULL pointer dereference and panic in     hfsplus_lookup() in fs/hfsplus/dir.c when opening a     file (that is purportedly a hard link) in an hfs+     filesystem that has malformed catalog data, and is     mounted read-only without a metadata     directory.(CVE-2018-14617)An issue was discovered in     write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in     the Linux kernel through 5.3.2. The cxgb4 driver is     directly calling dma_map_single (a DMA function) from a     stack variable. This could allow an attacker to trigger     a Denial of Service, exploitable if this driver is used     on an architecture for which this stack/DMA interaction     has security relevance.(CVE-2019-17075)Double free     vulnerability in the snd_usbmidi_create function in     sound/usb/midi.c in the Linux kernel before 4.5 allows     physically proximate attackers to cause a denial of     service (panic) or possibly have unspecified other     impact via vectors involving an invalid USB     descriptor.(CVE-2016-2384)fsamespace.c in the Linux     kernel through 3.16.1 does not properly restrict     clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and     changing MNT_ATIME_MASK during a remount of a bind     mount, which allows local users to gain privileges,     interfere with backups and auditing on systems that had     atime enabled, or cause a denial of service (excessive     filesystem updating) on systems that had atime disabled     via a 'mount -o remount' command within a user     namespace.(CVE-2014-5207)fs/overlayfs/dir.c in the     OverlayFS filesystem implementation in the Linux kernel     before 4.6 does not properly verify the upper dentry     before proceeding with unlink and rename system-call     processing, which allows local users to cause a denial     of service (system crash) via a rename system call that     specifies a self-hardlink.(CVE-2016-6197)In the Linux     kernel before 4.1.4, a buffer overflow occurs when     checking userspace params in     drivers/media/dvb-frontends/cx24116.c. The maximum size     for a DiSEqC command is 6, according to the userspace     API. However, the code allows larger values such as     23.(CVE-2015-9289)In the Linux kernel through 5.3.2,     cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c     does not reject a long SSID IE, leading to a Buffer     Overflow.(CVE-2019-17133)Insufficient access control in     the Intel(R) PROSet/Wireless WiFi Software driver     before version 21.10 may allow an unauthenticated user     to potentially enable denial of service via adjacent     access.(CVE-2019-0136)Linux distributions that have not     patched their long-term kernels with     https://git.kernel.org/linus/a87938b2e246b81b4fb713edb3     71a9fa3c5c3c86 (committed on April 14, 2015). This     kernel vulnerability was fixed in April 2015 by commit     a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to     Linux 3.10.77 in May 2015), but it was not recognized     as a security threat. With     CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a     normal top-down address allocation strategy,     load_elf_binary() will attempt to map a PIE binary into     an address range immediately below mm->mmap_base.
    Unfortunately, load_elf_ binary() does not take account     of the need to allocate sufficient space for the entire     binary which means that, while the first PT_LOAD     segment is mapped below mm->mmap_base, the subsequent     PT_LOAD segment(s) end up being mapped above     mm->mmap_base into the are that is supposed to be the     'gap' between the stack and the     binary.(CVE-2017-1000253)Race condition in the     sclp_ctl_ioctl_sccb function in     drivers/s390/char/sclp_ctl.c in the Linux kernel before     4.6 allows local users to obtain sensitive information     from kernel memory by changing a certain length value,     aka a 'double fetch'     vulnerability.(CVE-2016-6130)rtl_p2p_noa_ie in drivers     et/wireless/realtek/rtlwifi/ps.c in the Linux kernel     through 5.3.6 lacks a certain upper-bound check,     leading to a buffer     overflow.(CVE-2019-17666)sound/core/timer.c in the     Linux kernel through 4.6 does not initialize certain r1     data structures, which allows local users to obtain     sensitive information from kernel stack memory via     crafted use of the ALSA timer interface, related to the     (1) snd_timer_user_ccallback and (2)     snd_timer_user_tinterrupt     functions.(CVE-2016-4578)Systems with microprocessors     utilizing speculative execution and branch prediction     may allow unauthorized disclosure of information to an     attacker with local user access via a side-channel     analysis.(CVE-2017-5753)The acm_probe function in     drivers/usb/class/cdc-acm.c in the Linux kernel before     4.5.1 allows physically proximate attackers to cause a     denial of service (NULL pointer dereference and system     crash) via a USB device without both a control and a     data endpoint descriptor.(CVE-2016-3138)The     arcmsr_iop_message_xfer function in     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel     through 4.8.2 does not restrict a certain length field,     which allows local users to gain privileges or cause a     denial of service (heap-based buffer overflow) via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control     code.(CVE-2016-7425)The ati_remote2_probe function in     drivers/input/misc/ati_remote2.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2185)The     create_fixed_stream_quirk function in     sound/usb/quirks.c in the snd-usb-audio driver in the     Linux kernel before 4.5.1 allows physically proximate     attackers to cause a denial of service (NULL pointer     dereference or double free, and system crash) via a     crafted endpoints value in a USB device     descriptor.(CVE-2016-2184)The digi_port_init function     in drivers/usb/serial/digi_acceleport.c in the Linux     kernel before 4.5.1 allows physically proximate     attackers to cause a denial of service (NULL pointer     dereference and system crash) via a crafted endpoints     value in a USB device descriptor.(CVE-2016-3140)The     do_remount function in fsamespace.c in the Linux kernel     through 3.16.1 does not maintain the MNT_LOCK_READONLY     bit across a remount of a bind mount, which allows     local users to bypass an intended read-only restriction     and defeat certain sandbox protection mechanisms via a     'mount -o remount' command within a user     namespace.(CVE-2014-5206)The gtco_probe function in     drivers/input/tablet/gtco.c in the Linux kernel through     4.5.2 allows physically proximate attackers to cause a     denial of service (NULL pointer dereference and system     crash) via a crafted endpoints value in a USB device     descriptor.(CVE-2016-2187)The hub_activate function in     drivers/usb/core/hub.c in the Linux kernel before 4.3.5     does not properly maintain a hub-interface data     structure, which allows physically proximate attackers     to cause a denial of service (invalid memory access and     system crash) or possibly have unspecified other impact     by unplugging a USB hub device.(CVE-2015-8816)The     ims_pcu_parse_cdc_data function in     drivers/input/misc/ims-pcu.c in the Linux kernel before     4.5.1 allows physically proximate attackers to cause a     denial of service (system crash) via a USB device     without both a master and a slave     interface.(CVE-2016-3689)The Linux Kernel running on     AMD64 systems will sometimes map the contents of PIE     executable, the heap or ld.so to where the stack is     mapped allowing attackers to more easily manipulate the     stack. Linux Kernel version 4.11.5 is     affected.(CVE-2017-1000379)The powermate_probe function     in drivers/input/misc/powermate.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2186)The signal     implementation in the Linux kernel before 4.3.5 on     powerpc platforms does not check for an MSR with both     the S and T bits set, which allows local users to cause     a denial of service (TM Bad Thing exception and panic)     via a crafted application.(CVE-2015-8844)The     snd_timer_user_params function in sound/core/timer.c in     the Linux kernel through 4.6 does not initialize a     certain data structure, which allows local users to     obtain sensitive information from kernel stack memory     via crafted use of the ALSA timer     interface.(CVE-2016-4569)The tm_reclaim_thread function     in arch/powerpc/kernel/process.c in the Linux kernel     before 4.4.1 on powerpc platforms does not ensure that     TM suspend mode exists before proceeding with a     tm_reclaim call, which allows local users to cause a     denial of service (TM Bad Thing exception and panic)     via a crafted application.(CVE-2015-8845)The VFS     subsystem in the Linux kernel 3.x provides an     incomplete set of requirements for setattr operations     that underspecifies removing extended privilege     attributes, which allows local users to cause a denial     of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program.(CVE-2015-1350)The wacom_probe function     in drivers/input/tablet/wacom_sys.c in the Linux kernel     before 3.17 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-3139)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernel's NFS41+     subsystem. NFS41+ shares mounted in different network     namespaces at the same time can make bc_svc_process()     use wrong back-channel IDs and cause a use-after-free     vulnerability. Thus a malicious container user can     cause a host kernel memory corruption and a system     panic. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out.(CVE-2018-16884)

  - An elevation of privilege vulnerability in the kernel     scsi driver. Product: Android. Versions: Android     kernel. Android ID A-65023233.(CVE-2017-13168)

  - A flaw in the load_elf_binary() function in the Linux     kernel allows a local attacker to leak the base address     of .text and stack sections for setuid binaries and     bypass ASLR because install_exec_creds() is called too     late in this function.(CVE-2019-11190)

  - The SCTP socket buffer used by a userspace application     is not accounted by the cgroups subsystem. An attacker     can use this flaw to cause a denial of service     attack.(CVE-2019-3874)

  - A flaw was found in the Linux kernel ext4 filesystem.
    An out-of-bound access is possible in the     ext4_ext_drop_refs() function when operating on a     crafted ext4 filesystem image.(CVE-2018-10877)

  - Non-optimized code for key handling of shared futexes     was found in the Linux kernel in the form of unbounded     contention time due to the page lock for real-time     users. Before the fix, the page lock was an     unnecessarily heavy lock for the futex path that     protected too much. After the fix, the page lock is     only required in a specific corner case.(CVE-2018-9422)

  - A flaw was found in the Linux kernel in the     hid_debug_events_read() function in the     drivers/hid/hid-debug.c file. A lack of the certain     checks may allow a privileged user ('root') to achieve     an out-of-bounds write and thus receiving user space     buffer corruption.(CVE-2018-9516i1/4%0

  - A vulnerability was found in polkit. When     authentication is performed by a non-root user to     perform an administrative task, the authentication is     temporarily cached in such a way that a local attacker     could impersonate the authorized process, thus gaining     access to elevated privileges.(CVE-2019-6133)

  - A flaw was found in the implementation of the 'fill     buffer', a mechanism used by modern CPUs when a     cache-miss is made on L1 CPU cache. If an attacker can     generate a load operation that would create a page     fault, the execution will continue speculatively with     incorrect data from the fill buffer while the data is     fetched from higher level caches. This response time     can be measured to infer data in the fill buffer.
    (CVE-2018-12130)

  - Modern Intel microprocessors implement hardware-level     micro-optimizations to improve the performance of     writing data back to CPU caches. The write operation is     split into STA (STore Address) and STD (STore Data)     sub-operations. These sub-operations allow the     processor to hand-off address generation logic into     these sub-operations for optimized writes. Both of     these sub-operations write to a shared distributed     processor structure called the 'processor store     buffer'. As a result, an unprivileged attacker could     use this flaw to read private data resident within the     CPU's processor store buffer. (CVE-2018-12126)

  - Microprocessors use a aEUR~load portaEURtm subcomponent to     perform load operations from memory or IO. During a     load operation, the load port receives data from the     memory or IO subsystem and then provides the data to     the CPU registers and operations in the CPUaEURtms     pipelines. Stale load operations results are stored in     the 'load port' table until overwritten by newer     operations. Certain load-port operations triggered by     an attacker can be used to reveal data about previous     stale requests leaking data back to the attacker via a     timing side-channel. (CVE-2018-12127)

  - Uncacheable memory on some microprocessors utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access. (CVE-2019-11091)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An elevation of privilege vulnerability in the kernel     scsi driver. Product: Android. Versions: Android     kernel. Android ID A-65023233.(CVE-2017-13168)

  - Non-optimized code for key handling of shared futexes     was found in the Linux kernel in the form of unbounded     contention time due to the page lock for real-time     users. Before the fix, the page lock was an     unnecessarily heavy lock for the futex path that     protected too much. After the fix, the page lock is     only required in a specific corner case.(CVE-2018-9422)

  - A flaw in the load_elf_binary() function in the Linux     kernel allows a local attacker to leak the base address     of .text and stack sections for setuid binaries and     bypass ASLR because install_exec_creds() is called too     late in this function.(CVE-2019-11190)

  - A flaw was found in the Linux kernel ext4 filesystem.
    An out-of-bound access is possible in the     ext4_ext_drop_refs() function when operating on a     crafted ext4 filesystem image.(CVE-2018-10877)

  - A vulnerability was found in polkit. When     authentication is performed by a non-root user to     perform an administrative task, the authentication is     temporarily cached in such a way that a local attacker     could impersonate the authorized process, thus gaining     access to elevated privileges.(CVE-2019-6133)

  - A flaw was found in the Linux kernel in the function     hso_probe() which reads if_num value from the USB     device (as an u8) and uses it without a length check to     index an array, resulting in an OOB memory read in     hso_probe() or hso_get_config_data(). An attacker with     a forged USB device and physical access to a system     (needed to connect such a device) can cause a system     crash and a denial of service.(CVE-2018-19985)

  - A flaw was found in the Linux kernel's implementation     of logical link control and adaptation protocol     (L2CAP), part of the Bluetooth stack in the     l2cap_parse_conf_rsp and l2cap_parse_conf_req     functions. An attacker with physical access within the     range of standard Bluetooth transmission can create a     specially crafted packet. The response to this     specially crafted packet can contain part of the kernel     stack which can be used in a further     attack.(CVE-2019-3460)

  - A flaw was found in the Linux kernels implementation of     Logical link control and adaptation protocol (L2CAP),     part of the Bluetooth stack. An attacker with physical     access within the range of standard Bluetooth     transmission can create a specially crafted packet. The     response to this specially crafted packet can contain     part of the kernel stack which can be used in a further     attack.(CVE-2019-3459)

  - A flaw was found in the Linux kernel's NFS41+     subsystem. NFS41+ shares mounted in different network     namespaces at the same time can make bc_svc_process()     use wrong back-channel IDs and cause a use-after-free     vulnerability. Thus a malicious container user can     cause a host kernel memory corruption and a system     panic. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out.(CVE-2018-16884)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2018-4300 advisory.

  - The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length     inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface     (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel     crash) or have unspecified other impact by executing a crafted sequence of system calls that use the     blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation     (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable. (CVE-2017-17805)

  - It was found that the raw midi kernel driver does not protect against concurrent access which leads to a     double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part     of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for     privilege escalation. (CVE-2018-10902)

  - An elevation of privilege vulnerability in the kernel scsi driver. Product: Android. Versions: Android     kernel. Android ID A-65023233. (CVE-2017-13168)

  - ** DISPUTED ** Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with     dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel     heap pages to the userspace. This has been fixed upstream in     https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has     limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the     Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. NOTE: third parties     dispute the relevance of this report, noting that the requirement for an attacker to have both the     CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it virtually impossible to exploit.
    (CVE-2018-1000204)

  - An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc     in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from     unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and     CVE-2018-16658. (CVE-2018-18710)

  - The UDF filesystem implementation in the Linux kernel before 3.18.2 does not validate certain lengths,     which allows local users to cause a denial of service (buffer over-read and system crash) via a crafted     filesystem image, related to fs/udf/inode.c and fs/udf/symlink.c. (CVE-2014-9728)

  - The msr_mtrr_valid function in arch/x86/kvm/mtrr.c in the Linux kernel before 4.6.1 supports MSR 0x2f8,     which allows guest OS users to read or write to the kvm_arch_vcpu data structure, and consequently obtain     sensitive information or cause a denial of service (system crash), via a crafted ioctl call.
    (CVE-2016-3713)

  - The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the     underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based     hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a     kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing     SHA-3 initialization. (CVE-2017-17806)

  - An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel     through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM     ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the     location of kernel code and data and bypass kernel security protections such as KASLR. (CVE-2018-7755)

  - ** DISPUTED ** drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to     cause a denial of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party     disputes the relevance of this report because the failure can only occur for physically proximate     attackers who unplug SAS Host Bus Adapter cables. (CVE-2018-10021)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:447!     (Mike Kravetz) 

  - scsi: libsas: fix memory leak in sas_smp_get_phy_events     (Jason Yan) [Orabug: 27927687] (CVE-2018-7757)

  - KVM: vmx: shadow more fields that are read/written on     every vmexits (Paolo Bonzini) [Orabug: 28581045]

  - vhost/scsi: Use common handling code in request queue     handler (Bijan Mottahedeh) [Orabug: 28775573]

  - vhost/scsi: Extract common handling code from control     queue handler (Bijan Mottahedeh) [Orabug: 28775573]

  - vhost/scsi: Respond to control queue operations (Bijan     Mottahedeh) 

  - scsi: lpfc: devloss timeout race condition caused null     pointer reference (James Smart) [Orabug: 27994179]

  - scsi: qla2xxx: Fix race condition between iocb timeout     and initialisation (Ben Hutchings) [Orabug: 28013813]

  - i40e: Add programming descriptors to cleaned_count     (Alexander Duyck) 

  - i40e: Fix memory leak related filter programming status     (Alexander Duyck) [Orabug: 28228724]

  - xen-swiotlb: use actually allocated size on check     physical continuous (Joe Jin) [Orabug: 28258102]

  - Revert 'Revert 'xen-swiotlb: fix the check condition for     xen_swiotlb_free_coherent'' (Dongli Zhang) [Orabug:
    28258102]

  - net/mlx4_en: fix potential use-after-free with     dma_unmap_page (Sarah Newman) [Orabug: 28376051]

  - ocfs2: fix ocfs2 read block panic (Junxiao Bi) [Orabug:
    28580543]

  - block: fix bdi vs gendisk lifetime mismatch (Dan     Williams) [Orabug: 28645416]

  - e1000e: Fix link check race condition (Benjamin Poirier)     [Orabug: 28716958]

  - Revert 'e1000e: Separate signaling for link check/link     up' (Benjamin Poirier) [Orabug: 28716958]

  - e1000e: Avoid missed interrupts following ICR read     (Benjamin Poirier) 

  - e1000e: Fix queue interrupt re-raising in Other     interrupt (Benjamin Poirier) [Orabug: 28716958]

  - Partial revert 'e1000e: Avoid receiver overrun interrupt     bursts' (Benjamin Poirier) [Orabug: 28716958]

  - e1000e: Remove Other from EIAC (Benjamin Poirier)     [Orabug: 28716958]

  - Fix error code in nfs_lookup_verify_inode (Lance     Shelton) [Orabug: 28789030]

  - workqueue: Allow modifying low level unbound workqueue     cpumask (Lai Jiangshan) [Orabug: 28813166]

  - workqueue: Create low-level unbound workqueues cpumask     (Frederic Weisbecker) [Orabug: 28813166]

  - scsi: sg: mitigate read/write abuse (Jann Horn) [Orabug:
    28824718] (CVE-2017-13168)

  - Revert 'rds: RDS (tcp) hangs on sendto to unresponding     address' (Brian Maly) [Orabug: 28837953]

  - x86/speculation: Retpoline should always be available on     Skylake (Alexandre Chartre) [Orabug: 28801831]

  - x86/speculation: Add sysfs entry to enable/disable     retpoline (Alexandre Chartre) [Orabug: 28607548]

  - x86/speculation: Switch to IBRS when loading a     non-retpoline module (Alexandre Chartre) [Orabug:
    28607548]

  - x86/speculation: Remove unnecessary retpoline     alternatives (Alexandre Chartre) [Orabug: 28607548]

  - x86/speculation: Use static key to enable/disable     retpoline (Alexandre Chartre) [Orabug: 28607548]

  - locking/static_keys: Provide DECLARE and well as DEFINE     macros (Tony Luck) [Orabug: 28607548]

  - jump_label: remove bug.h, atomic.h dependencies for     HAVE_JUMP_LABEL (Jason Baron) [Orabug: 28607548]

  - locking/static_key: Fix concurrent static_key_slow_inc     (Paolo Bonzini) [Orabug: 28607548]

  - jump_label: make static_key_enabled work on     static_key_true/false types too (Tejun Heo) [Orabug:
    28607548]

  - locking/static_keys: Fix up the static keys     documentation (Jonathan Corbet) [Orabug: 28607548]

  - locking/static_keys: Fix a silly typo (Jonathan Corbet)     [Orabug: 28607548]

  - jump label, locking/static_keys: Update docs (Jason     Baron) [Orabug: 28607548]

  - x86/asm: Add asm macros for static keys/jump labels     (Andy Lutomirski) 

  - x86/asm: Error out if asm/jump_label.h is included     inappropriately (Andy Lutomirski) [Orabug: 28607548]

  - jump_label/x86: Work around asm build bug on     older/backported GCCs (Peter Zijlstra) [Orabug:
    28607548]

  - locking/static_keys: Add a new static_key interface     (Peter Zijlstra) 

  - locking/static_keys: Rework update logic (Peter     Zijlstra) [Orabug: 28607548]

  - jump_label: Add jump_entry_key helper (Peter Zijlstra)     [Orabug: 28607548]

  - jump_label, locking/static_keys: Rename     JUMP_LABEL_TYPE_* and related helpers to the static_key*     pattern (Peter Zijlstra) [Orabug: 28607548]

  - jump_label: Rename JUMP_LABEL_[EN,DIS]ABLE to     JUMP_LABEL_[JMP,NOP] (Peter Zijlstra) [Orabug: 28607548]

  - module, jump_label: Fix module locking (Peter Zijlstra)     [Orabug: 28607548]

  - x86/speculation: Protect against userspace-userspace     spectreRSB (Jiri Kosina) [Orabug: 28631590]     (CVE-2018-15572)

  - x86/spectre_v2: Remove remaining references to lfence     mitigation (Alejandro Jimenez) [Orabug: 28631590]     (CVE-2018-15572)

  - Revert 'md: allow a partially recovered device to be     hot-added to an array.' (NeilBrown) [Orabug: 28702623]

  - x86/bugs: ssbd_ibrs_selected called prematurely (Daniel     Jordan) 

  - net/mlx4_core: print firmware version during driver     loading (Qing Huang) [Orabug: 28809377]

  - mm: numa: Do not trap faults on shared data section     pages. (Henry Willard) [Orabug: 28814880]

  - hugetlbfs: dirty pages as they are added to pagecache     (Mike Kravetz) 

  - rds: RDS (tcp) hangs on sendto to unresponding address     (Ka-Cheong Poon) [Orabug: 28762608]

  - nfs: fix a deadlock in nfs client initialization (Scott     Mayhew) 

  - infiniband: fix a possible use-after-free bug (Cong     Wang) [Orabug: 28774517] (CVE-2018-14734)

Jim Mattson discovered that the KVM implementation in the Linux kernel mismanages the #BP and #OF exceptions. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash). (CVE-2016-9588)

It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)

Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16649)

It was discovered that an integer overflow existed in the CD-ROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-16658)

It was discovered that an integer overflow existed in the HID Bluetooth implementation in the Linux kernel that could lead to a buffer overwrite. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-9363).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Felix Wilhelm discovered that the Xen netback driver in the Linux kernel did not properly perform input validation in some situations.
An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-15471)

It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)

It was discovered that an integer overflow existed in the CD-ROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-16658)

It was discovered that an integer overflow existed in the HID Bluetooth implementation in the Linux kernel that could lead to a buffer overwrite. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-9363).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3820-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.

Felix Wilhelm discovered that the Xen netback driver in the Linux kernel did not properly perform input validation in some situations.
An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-15471)

It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)

It was discovered that an integer overflow existed in the CD-ROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-16658)

It was discovered that an integer overflow existed in the HID Bluetooth implementation in the Linux kernel that could lead to a buffer overwrite. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-9363).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2018-4270 advisory.

  - An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in     mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly     gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.
    (CVE-2018-17182)

  - drivers/infiniband/core/ucma.c in the Linux kernel through 4.17.11 allows ucma_leave_multicast to access a     certain data structure after a cleanup step in ucma_process_join, which allows attackers to cause a denial     of service (use-after-free). (CVE-2018-14734)

  - The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1     does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-     userspace spectreRSB attacks. (CVE-2018-15572)

  - An elevation of privilege vulnerability in the kernel scsi driver. Product: Android. Versions: Android     kernel. Android ID A-65023233. (CVE-2017-13168)

  - An issue was discovered in the Linux kernel through 4.17.10. There is out-of-bounds access in     write_extent_buffer() when mounting and operating a crafted btrfs image, because of a lack of verification     that each block group has a corresponding chunk at mount time, within btrfs_read_block_groups in     fs/btrfs/extent-tree.c. (CVE-2018-14610)

  - An issue was discovered in the Linux kernel through 4.17.10. There is a use-after-free in     try_merge_free_space() when mounting a crafted btrfs image, because of a lack of chunk type flag checks in     btrfs_check_chunk_valid in fs/btrfs/volumes.c. (CVE-2018-14611)

  - arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the arm64 platform mishandles the     KVM_SET_ON_REG ioctl. This is exploitable by attackers who can create virtual machines. An attacker can     arbitrarily redirect the hypervisor flow of control (with full register control). An attacker can also     cause a denial of service (hypervisor panic) via an illegal exception return. This occurs because of     insufficient restrictions on userspace access to the core register file, and because PSTATE.M validation     does not prevent unintended execution modes. (CVE-2018-18021)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2018-4265 advisory.

  - Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux     kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read     accesses to files in the /sys/class/sas_phy directory, as demonstrated by the     /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file. (CVE-2018-7757)

  - An elevation of privilege vulnerability in the kernel scsi driver. Product: Android. Versions: Android     kernel. Android ID A-65023233. (CVE-2017-13168)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

USN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)

Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)

Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)

Wen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)

Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-12233)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-13094)

It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)

Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)

Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)

Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)

Wen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)

Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-12233)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-13094)

It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)

Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
141697	EulerOS Virtualization 3.0.2.2 : kernel (EulerOS-SA-2020-2222)	Nessus	Huawei Local Security Checks	high
132134	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-2599)	Nessus	Huawei Local Security Checks	high
125513	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-1586)	Nessus	Huawei Local Security Checks	high
124431	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-1304)	Nessus	Huawei Local Security Checks	high
119535	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4300)	Nessus	Oracle Linux Local Security Checks	high
119010	OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0273)	Nessus	OracleVM Local Security Checks	high
118973	Ubuntu 14.04 LTS : Linux kernel vulnerabilities (USN-3822-1)	Nessus	Ubuntu Local Security Checks	high
118970	Ubuntu 14.04 LTS : Linux kernel (Azure) vulnerabilities (USN-3820-3)	Nessus	Ubuntu Local Security Checks	high
118969	Ubuntu 16.04 LTS : Linux kernel (HWE) vulnerabilities (USN-3820-2)	Nessus	Ubuntu Local Security Checks	high
118968	Ubuntu 18.04 LTS : Linux kernel vulnerabilities (USN-3820-1)	Nessus	Ubuntu Local Security Checks	high
118861	Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4270)	Nessus	Oracle Linux Local Security Checks	high
118814	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4265)	Nessus	Oracle Linux Local Security Checks	high
112112	Ubuntu 14.04 LTS : Linux kernel (Xenial HWE) vulnerabilities (USN-3753-2)	Nessus	Ubuntu Local Security Checks	high
112111	Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-3753-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2017-13168

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high