RHSA-2018:2165

[debian-lts-announce] 20190327 [SECURITY] [DLA 1731-1] linux security update

[debian-lts-announce] 20190401 [SECURITY] [DLA 1731-2] linux regression update

https://source.android.com/security/bulletin/pixel/2018-04-01

USN-3631-1

USN-3631-2

USN-3655-1

USN-3655-2

The linux update issued as DLA-1731-1 caused a regression in the vmxnet3 (VMware virtual network adapter) driver. This update corrects that regression, and an earlier regression in the CIFS network filesystem implementation introduced in DLA-1422-1. For reference the original advisory text follows.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2016-10741

A race condition was discovered in XFS that would result in a crash (BUG). A local user permitted to write to an XFS volume could use this for denial of service.

CVE-2017-5753

Further instances of code that was vulnerable to Spectre variant 1 (bounds-check bypass) have been mitigated.

CVE-2017-13305

A memory over-read was discovered in the keys subsystem's encrypted key type. A local user could use this for denial of service or possibly to read sensitive information.

CVE-2018-3639 (SSB)

Multiple researchers have discovered that Speculative Store Bypass (SSB), a feature implemented in many processors, could be used to read sensitive information from another context. In particular, code in a software sandbox may be able to read sensitive information from outside the sandbox. This issue is also known as Spectre variant 4.

This update fixes bugs in the mitigations for SSB for AMD processors.

CVE-2018-5848

The wil6210 wifi driver did not properly validate lengths in scan and connection requests, leading to a possible buffer overflow. On systems using this driver, a local user with the CAP_NET_ADMIN capability could use this for denial of service (memory corruption or crash) or potentially for privilege escalation.

CVE-2018-5953

The swiotlb subsystem printed kernel memory addresses to the system log, which could help a local attacker to exploit other vulnerabilities.

CVE-2018-12896, CVE-2018-13053

Team OWL337 reported possible integer overflows in the POSIX timer implementation. These might have some security impact.

CVE-2018-16862

Vasily Averin and Pavel Tikhomirov from Virtuozzo Kernel Team discovered that the cleancache memory management feature did not invalidate cached data for deleted files. On Xen guests using the tmem driver, local users could potentially read data from other users' deleted files if they were able to create new files on the same volume.

CVE-2018-16884

A flaw was found in the NFS 4.1 client implementation. Mounting NFS shares in multiple network namespaces at the same time could lead to a user-after-free. Local users might be able to use this for denial of service (memory corruption or crash) or possibly for privilege escalation.

This can be mitigated by disabling unprivileged users from creating user namespaces, which is the default in Debian.

CVE-2018-17972

Jann Horn reported that the /proc/*/stack files in procfs leaked sensitive data from the kernel. These files are now only readable by users with the CAP_SYS_ADMIN capability (usually only root)

CVE-2018-18281

Jann Horn reported a race condition in the virtual memory manager that can result in a process briefly having access to memory after it is freed and reallocated. A local user permitted to create containers could possibly exploit this for denial of service (memory corruption) or for privilege escalation.

CVE-2018-18690

Kanda Motohiro reported that XFS did not correctly handle some xattr (extended attribute) writes that require changing the disk format of the xattr. A user with access to an XFS volume could use this for denial of service.

CVE-2018-18710

It was discovered that the cdrom driver does not correctly validate the parameter to the CDROM_SELECT_DISC ioctl. A user with access to a cdrom device could use this to read sensitive information from the kernel or to cause a denial of service (crash).

CVE-2018-19824

Hui Peng and Mathias Payer discovered a use-after-free bug in the USB audio driver. A physically present attacker able to attach a specially designed USB device could use this for privilege escalation.

CVE-2018-19985

Hui Peng and Mathias Payer discovered a missing bounds check in the hso USB serial driver. A physically present user able to attach a specially designed USB device could use this to read sensitive information from the kernel or to cause a denial of service (crash).

CVE-2018-20169

Hui Peng and Mathias Payer discovered missing bounds checks in the USB core. A physically present attacker able to attach a specially designed USB device could use this to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2018-20511

InfoSect reported an information leak in the AppleTalk IP/DDP implemntation. A local user with CAP_NET_ADMIN capability could use this to read sensitive information from the kernel.

CVE-2019-3701

Muyu Yu and Marcus Meissner reported that the CAN gateway implementation allowed the frame length to be modified, typically resulting in out-of-bounds memory-mapped I/O writes. On a system with CAN devices present, a local user with CAP_NET_ADMIN capability in the initial net namespace could use this to cause a crash (oops) or other hardware-dependent impact.

CVE-2019-3819

A potential infinite loop was discovered in the HID debugfs interface exposed under /sys/kernel/debug/hid. A user with access to these files could use this for denial of service.

This interface is only accessible to root by default, which fully mitigates the issue.

CVE-2019-6974

Jann Horn reported a use-after-free bug in KVM. A local user with access to /dev/kvm could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-7221

Jim Mattson and Felix Wilhelm reported a user-after-free bug in KVM's nested VMX implementation. On systems with Intel CPUs, a local user with access to /dev/kvm could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

Nested VMX is disabled by default, which fully mitigates the issue.

CVE-2019-7222

Felix Wilhelm reported an information leak in KVM for x86. A local user with access to /dev/kvm could use this to read sensitive information from the kernel.

CVE-2019-9213

Jann Horn reported that privileged tasks could cause stack segments, including those in other processes, to grow downward to address 0. On systems lacking SMAP (x86) or PAN (ARM), this exacerbated other vulnerabilities: a NULL pointer dereference could be exploited for privilege escalation rather than only for denial of service.

For Debian 8 'Jessie', these problems have been fixed in version 3.16.64-1.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the 'ie_len' argument could have caused a buffer overflow (bnc#1097356)

CVE-2018-1000204: Prevent infoleak caused by incorrect handling of the SG_IO ioctl (bsc#1096728).

CVE-2017-18249: The add_free_nid function did not properly track an allocated nid, which allowed local users to cause a denial of service (race condition) or possibly have unspecified other impact via concurrent threads (bnc#1087036)

CVE-2018-3665: Prevent disclosure of FPU registers (including XMM and AVX registers) between processes. These registers might contain encryption keys when doing SSE accelerated AES enc/decryption (bsc#1087086)

CVE-2017-18241: Prevent a NULL pointer dereference by using a noflush_merge option that triggers a NULL value for a flush_cmd_control data structure (bnc#1086400)

CVE-2017-13305: Prevent information disclosure vulnerability in encrypted-keys (bsc#1094353).

CVE-2018-1093: The ext4_valid_block_bitmap function allowed attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image because balloc.c and ialloc.c did not validate bitmap block numbers (bsc#1087095).

CVE-2018-1094: The ext4_fill_super function did not always initialize the crc32c checksum driver, which allowed attackers to cause a denial of service (ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted ext4 image (bsc#1087007).

CVE-2018-1092: The ext4_iget function mishandled the case of a root directory with a zero i_links_count, which allowed attackers to cause a denial of service (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image (bsc#1087012).

CVE-2018-1130: NULL pointer dereference in dccp_write_xmit() function that allowed a local user to cause a denial of service by a number of certain crafted system calls (bsc#1092904).

CVE-2018-1065: The netfilter subsystem mishandled the case of a rule blob that contains a jump but lacks a user-defined chain, which allowed local users to cause a denial of service (NULL pointer dereference) by leveraging the CAP_NET_RAW or CAP_NET_ADMIN capability (bsc#1083650).

CVE-2018-5803: Prevent error in the '_sctp_make_chunk()' function when handling SCTP packets length that could have been exploited to cause a kernel crash (bnc#1083900).

CVE-2018-7492: Prevent NULL pointer dereference in the net/rds/rdma.c
__rds_rdma_map() function that allowed local attackers to cause a system panic and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST (bsc#1082962).

CVE-2018-1000199: Prevent vulnerability in modify_user_hw_breakpoint() that could have caused a crash and possibly memory corruption (bsc#1089895).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2016-8405: An information disclosure vulnerability     in kernel components including the ION subsystem,     Binder, USB driver and networking subsystem could enable     a local malicious application to access data outside of     its permission levels. (bnc#1099942).

  - CVE-2017-13305: A information disclosure vulnerability     existed in the encrypted-keys handling. (bnc#1094353).

  - CVE-2018-1000204: A malformed SG_IO ioctl issued for a     SCSI device could lead to a local kernel information     leak manifesting in up to approximately 1000 memory     pages copied to the userspace. The problem has limited     scope as non-privileged users usually have no     permissions to access SCSI device files. (bnc#1096728).

  - CVE-2018-1068: A flaw was found in the implementation of     32-bit syscall interface for bridging. This allowed a     privileged user to arbitrarily write to a limited range     of kernel memory (bnc#1085107).

  - CVE-2018-1130: A NULL pointer dereference in     dccp_write_xmit() function in net/dccp/output.c allowed     a local user to cause a denial of service by a number of     certain crafted system calls (bnc#1092904).

  - CVE-2018-12233: In the ea_get function in fs/jfs/xattr.c     a memory corruption bug in JFS can be triggered by     calling setxattr twice with two different extended     attribute names on the same file. This vulnerability can     be triggered by an unprivileged user with the ability to     create files and execute programs. A kmalloc call is     incorrect, leading to slab-out-of-bounds in jfs_xattr     (bnc#1097234).

  - CVE-2018-13053: The alarm_timer_nsleep function in     kernel/time/alarmtimer.c had an integer overflow via a     large relative timeout because ktime_add_safe is not     used (bnc#1099924).

  - CVE-2018-13406: An integer overflow in the     uvesafb_setcmap function in     drivers/video/fbdev/uvesafb.c kernel could result in     local attackers being able to crash the kernel or     potentially elevate privileges because kmalloc_array is     not used (bnc#1098016 1100418).

  - CVE-2018-3620: Local attackers on baremetal systems     could use speculative code patterns on hyperthreaded     processors to read data present in the L1 Datacache used     by other hyperthreads on the same CPU core, potentially     leaking sensitive data. (bnc#1087081).

  - CVE-2018-3646: Local attackers in virtualized guest     systems could use speculative code patterns on     hyperthreaded processors to read data present in the L1     Datacache used by other hyperthreads on the same CPU     core, potentially leaking sensitive data, even from     other virtual machines or the host system.
    (bnc#1089343).

  - CVE-2018-5803: An error in the '_sctp_make_chunk()'     function (net/sctp/sm_make_chunk.c) when handling SCTP     packets length could be exploited to cause a kernel     crash (bnc#1083900).

  - CVE-2018-5814: Multiple race condition errors when     handling probe, disconnect, and rebind operations could     be exploited to trigger a use-after-free condition or a     NULL pointer dereference by sending multiple USB over IP     packets (bnc#1096480).

  - CVE-2018-7492: A NULL pointer dereference was found in     the net/rds/rdma.c __rds_rdma_map() function allowing     local attackers to cause a system panic and a     denial-of-service, related to RDS_GET_MR and     RDS_GET_MR_FOR_DEST (bnc#1082962).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2018-3620: Local attackers on baremetal systems     could use speculative code patterns on hyperthreaded     processors to read data present in the L1 Datacache used     by other hyperthreads on the same CPU core, potentially     leaking sensitive data. (bnc#1087081).

  - CVE-2018-3646: Local attackers in virtualized guest     systems could use speculative code patterns on     hyperthreaded processors to read data present in the L1     Datacache used by other hyperthreads on the same CPU     core, potentially leaking sensitive data, even from     other virtual machines or the host system.
    (bnc#1089343).

  - CVE-2018-1000204: A malformed SG_IO ioctl issued for a     SCSI device could lead to a local kernel information     leak manifesting in up to approximately 1000 memory     pages copied to the userspace. The problem has limited     scope as non-privileged users usually have no     permissions to access SCSI device files. (bnc#1096728).

  - CVE-2018-13053: The alarm_timer_nsleep function in     kernel/time/alarmtimer.c had an integer overflow via a     large relative timeout because ktime_add_safe is not     used (bnc#1099924).

  - CVE-2018-13406: An integer overflow in the     uvesafb_setcmap function in     drivers/video/fbdev/uvesafb.c could result in local     attackers being able to crash the kernel or potentially     elevate privileges because kmalloc_array is not used     (bnc#1098016 bnc#1100418).

  - CVE-2016-8405: An information disclosure vulnerability     in kernel components including the ION subsystem,     Binder, USB driver and networking subsystem could enable     a local malicious application to access data outside of     its permission levels. (bnc#1099942).

  - CVE-2018-5814: Multiple race condition errors when     handling probe, disconnect, and rebind operations could     be exploited to trigger a use-after-free condition or a     NULL pointer dereference by sending multiple USB over IP     packets (bnc#1096480).

  - CVE-2018-12233: In the ea_get function in fs/jfs/xattr.c     a memory corruption bug in JFS can be triggered by     calling setxattr twice with two different extended     attribute names on the same file. This vulnerability can     be triggered by an unprivileged user with the ability to     create files and execute programs. (bnc#1097234).

  - CVE-2017-13305: A information disclosure vulnerability     in the Upstream kernel encrypted-keys. (bnc#1094353).

  - CVE-2018-1130: A NULL pointer dereference in     dccp_write_xmit() function in net/dccp/output.c allowed     a local user to cause a denial of service by a number of     certain crafted system calls (bnc#1092904).

  - CVE-2018-1068: A flaw was found in the implementation of     32-bit syscall interface for bridging. This allowed a     privileged user to arbitrarily write to a limited range     of kernel memory (bnc#1085107).

  - CVE-2018-5803: An error in the '_sctp_make_chunk()'     function (net/sctp/sm_make_chunk.c) when handling SCTP     packets length could be exploited to cause a kernel     crash (bnc#1083900).

  - CVE-2018-7492: A NULL pointer dereference was found in     the net/rds/rdma.c __rds_rdma_map() function allowed     local attackers to cause a system panic and a     denial-of-service, related to RDS_GET_MR and     RDS_GET_MR_FOR_DEST (bnc#1082962).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel-rt packages that fix two security issues and add one enhancement are now available for Red Hat Enterprise MRG 2.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* kernel: Buffer over-read in keyring subsystem allows exposing potentially sensitive information to local attacker (CVE-2017-13305)

* Kernel: FPU state information leakage via lazy FPU restore (CVE-2018-3665)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Julian Stecklina (Amazon.de), Thomas Prescher (cyberus-technology.de), and Zdenek Sojka (sysgo.com) for reporting CVE-2018-3665.

Enhancement(s) :

* The kernel-rt packages have been upgraded to version 3.10.0-693.35.1.rt56.623, which provides a number of bug fixes over the previous version. (BZ#1579972)

Users of kernel-rt are advised to upgrade to these updated packages, which add this enhancement.

The system must be rebooted for this update to take effect.

The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2018-5848: In the function wmi_set_ie(), the length     validation code did not handle unsigned integer overflow     properly. As a result, a large value of the 'ie_len'     argument could have caused a buffer overflow     (bnc#1097356)

  - CVE-2018-1000204: Prevent infoleak caused by incorrect     handling of the SG_IO ioctl (bsc#1096728).

  - CVE-2017-18249: The add_free_nid function did not     properly track an allocated nid, which allowed local     users to cause a denial of service (race condition) or     possibly have unspecified other impact via concurrent     threads (bnc#1087036)

  - CVE-2018-3665: Prevent disclosure of FPU registers     (including XMM and AVX registers) between processes.
    These registers might contain encryption keys when doing     SSE accelerated AES enc/decryption (bsc#1087086)

  - CVE-2017-18241: Prevent a NULL pointer dereference by     using a noflush_merge option that triggers a NULL value     for a flush_cmd_control data structure (bnc#1086400)

  - CVE-2017-13305: Prevent information disclosure     vulnerability in encrypted-keys (bsc#1094353).

  - CVE-2018-1093: The ext4_valid_block_bitmap function     allowed attackers to cause a denial of service     (out-of-bounds read and system crash) via a crafted ext4     image because balloc.c and ialloc.c did not validate     bitmap block numbers (bsc#1087095).

  - CVE-2018-1094: The ext4_fill_super function did not     always initialize the crc32c checksum driver, which     allowed attackers to cause a denial of service     (ext4_xattr_inode_hash NULL pointer dereference and     system crash) via a crafted ext4 image (bsc#1087007).

  - CVE-2018-1092: The ext4_iget function mishandled the     case of a root directory with a zero i_links_count,     which allowed attackers to cause a denial of service     (ext4_process_freed_data NULL pointer dereference and     OOPS) via a crafted ext4 image (bsc#1087012).

  - CVE-2018-1130: NULL pointer dereference in     dccp_write_xmit() function that allowed a local user to     cause a denial of service by a number of certain crafted     system calls (bsc#1092904).

  - CVE-2018-1065: The netfilter subsystem mishandled the     case of a rule blob that contains a jump but lacks a     user-defined chain, which allowed local users to cause a     denial of service (NULL pointer dereference) by     leveraging the CAP_NET_RAW or CAP_NET_ADMIN capability     (bsc#1083650).

  - CVE-2018-5803: Prevent error in the '_sctp_make_chunk()'     function when handling SCTP packets length that could     have been exploited to cause a kernel crash     (bnc#1083900).

  - CVE-2018-7492: Prevent NULL pointer dereference in the     net/rds/rdma.c __rds_rdma_map() function that allowed     local attackers to cause a system panic and a     denial-of-service, related to RDS_GET_MR and     RDS_GET_MR_FOR_DEST (bsc#1082962).

  - CVE-2018-1000199: Prevent vulnerability in     modify_user_hw_breakpoint() that could have caused a     crash and possibly memory corruption (bsc#1089895).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2018-3665: Prevent disclosure of FPU registers     (including XMM and AVX registers) between processes.
    These registers might contain encryption keys when doing     SSE accelerated AES enc/decryption (bsc#1087086)

  - CVE-2018-5848: In the function wmi_set_ie(), the length     validation code did not handle unsigned integer overflow     properly. As a result, a large value of the 'ie_len'     argument could have caused a buffer overflow     (bnc#1097356)

  - CVE-2018-1000204: Prevent infoleak caused by incorrect     handling of the SG_IO ioctl (bsc#1096728)

  - CVE-2017-13305: Prevent information disclosure     vulnerability in encrypted-keys (bsc#1094353)

  - CVE-2018-1094: The ext4_fill_super function did not     always initialize the crc32c checksum driver, which     allowed attackers to cause a denial of service     (ext4_xattr_inode_hash NULL pointer dereference and     system crash) via a crafted ext4 image (bsc#1087007)

  - CVE-2018-1093: The ext4_valid_block_bitmap function     allowed attackers to cause a denial of service     (out-of-bounds read and system crash) via a crafted ext4     image because balloc.c and ialloc.c do not validate     bitmap block numbers (bsc#1087095)

  - CVE-2018-1092: The ext4_iget function mishandled the     case of a root directory with a zero i_links_count,     which allowed attackers to cause a denial of service     (ext4_process_freed_data NULL pointer dereference and     OOPS) via a crafted ext4 image (bsc#1087012)

  - CVE-2018-1130: NULL pointer dereference in     dccp_write_xmit() function that allowed a local user to     cause a denial of service by a number of certain crafted     system calls (bsc#1092904)

  - CVE-2018-5803: Prevent error in the '_sctp_make_chunk()'     function when handling SCTP packets length that could     have been exploited to cause a kernel crash     (bnc#1083900)

  - CVE-2018-7492: Prevent NULL pointer dereference in the     net/rds/rdma.c __rds_rdma_map() function that allowed     local attackers to cause a system panic and a     denial-of-service, related to RDS_GET_MR and     RDS_GET_MR_FOR_DEST (bsc#1082962)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP1 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2018-3665: Prevent disclosure of FPU registers     (including XMM and AVX registers) between processes.
    These registers might contain encryption keys when doing     SSE accelerated AES enc/decryption (bsc#1087086)

  - CVE-2018-5848: In the function wmi_set_ie(), the length     validation code did not handle unsigned integer overflow     properly. As a result, a large value of the 'ie_len'     argument could have caused a buffer overflow     (bnc#1097356)

  - CVE-2018-1000204: Prevent infoleak caused by incorrect     handling of the SG_IO ioctl (bsc#1096728)

  - CVE-2017-13305: Prevent information disclosure     vulnerability in encrypted-keys (bsc#1094353)

  - CVE-2018-1094: The ext4_fill_super function did not     always initialize the crc32c checksum driver, which     allowed attackers to cause a denial of service     (ext4_xattr_inode_hash NULL pointer dereference and     system crash) via a crafted ext4 image (bsc#1087007).

  - CVE-2018-1093: The ext4_valid_block_bitmap function     allowed attackers to cause a denial of service     (out-of-bounds read and system crash) via a crafted ext4     image because balloc.c and ialloc.c do not validate     bitmap block numbers (bsc#1087095).

  - CVE-2018-1092: The ext4_iget function mishandled the     case of a root directory with a zero i_links_count,     which allowed attackers to cause a denial of service     (ext4_process_freed_data NULL pointer dereference and     OOPS) via a crafted ext4 image (bsc#1087012).

  - CVE-2018-1130: NULL pointer dereference in     dccp_write_xmit() function that allowed a local user to     cause a denial of service by a number of certain crafted     system calls (bsc#1092904)

  - CVE-2018-5803: Prevent error in the '_sctp_make_chunk()'     function when handling SCTP packets length that could     have been exploited to cause a kernel crash     (bnc#1083900)

  - CVE-2018-7492: Prevent NULL pointer dereference in the     net/rds/rdma.c __rds_rdma_map() function that allowed     local attackers to cause a system panic and a     denial-of-service, related to RDS_GET_MR and     RDS_GET_MR_FOR_DEST (bsc#1082962)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2018-3639)

Jan H. Schonherr discovered that the Xen subsystem did not properly handle block IO merges correctly in some situations. An attacker in a guest vm could use this to cause a denial of service (host crash) or possibly gain administrative privileges in the host. (CVE-2017-12134)

It was discovered that the Bluetooth HIP Protocol implementation in the Linux kernel did not properly validate HID connection setup information. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-13220)

It was discovered that a buffer overread vulnerability existed in the keyring subsystem of the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory).
(CVE-2017-13305)

It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449)

It was discovered that a race condition existed in the i8042 serial device driver implementation in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18079)

It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203)

It was discovered that a race condition existed in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18204)

It was discovered that an infinite loop could occur in the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang).
(CVE-2017-18208)

Kefeng Wang discovered that a race condition existed in the memory locking implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18221)

Silvio Cesare discovered a buffer overwrite existed in the NCPFS implementation in the Linux kernel. A remote attacker controlling a malicious NCPFS server could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-8822).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power)

* kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important)

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate)

* kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate)

* kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate)

* kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate)

* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

* kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate)

* kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate)

* kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low)

Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

USN-3631-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that a buffer overread vulnerability existed in the keyring subsystem of the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory).
(CVE-2017-13305)

It was discovered that the DM04/QQBOX USB driver in the Linux kernel did not properly handle device attachment and warm-start. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16538)

Luo Quan and Wei Yang discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel when handling ioctl()s. A local attacker could use this to cause a denial of service (system deadlock). (CVE-2018-1000004)

Wang Qize discovered that an information disclosure vulnerability existed in the SMBus driver for ACPI Embedded Controllers in the Linux kernel. A local attacker could use this to expose sensitive information (kernel pointer addresses). (CVE-2018-5750)

Fan Long Fei  discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel that could lead to a use-after-free or an out-of-bounds buffer access. A local attacker with access to /dev/snd/seq could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-7566).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that a buffer overread vulnerability existed in the keyring subsystem of the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory).
(CVE-2017-13305)

It was discovered that the DM04/QQBOX USB driver in the Linux kernel did not properly handle device attachment and warm-start. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16538)

Luo Quan and Wei Yang discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel when handling ioctl()s. A local attacker could use this to cause a denial of service (system deadlock). (CVE-2018-1000004)

Wang Qize discovered that an information disclosure vulnerability existed in the SMBus driver for ACPI Embedded Controllers in the Linux kernel. A local attacker could use this to expose sensitive information (kernel pointer addresses). (CVE-2018-5750)

Fan Long Fei  discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel that could lead to a use-after-free or an out-of-bounds buffer access. A local attacker with access to /dev/snd/seq could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-7566).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

From Red Hat Security Advisory 2018:1062 :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power)

* kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important)

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate)

* kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate)

* kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate)

* kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate)

* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

* kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate)

* kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate)

* kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low)

Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important)

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate)

* kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate)

* kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate)

* kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Incorrect handling in arch/x86/include/asm/ mmu_context.h:init_new_context function allowing use-after-free (CVE-2017-17053, Moderate)

* kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate)

* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

* kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate)

* kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate)

* kernel: unlimiting the stack disables ASLR (CVE-2016-3672, Low)

* kernel: Missing permission check in move_pages system call (CVE-2017-14140, Low)

* kernel: NULL pointer dereference in rngapi_reset function (CVE-2017-15116, Low)

* kernel: Improper error handling of VM_SHARED hugetlbfs mapping in mm/ hugetlb.c (CVE-2017-15127, Low)

* kernel: Integer overflow in futex.c:futux_requeue can lead to denial of service or unspecified impact (CVE-2018-6927, Low)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H.
Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).

Additional Changes :

See the Red Hat Enterprise Linux 7.5 Release Notes linked from References.

ID	Name	Product	Family	Severity
123420	Debian DLA-1731-2 : linux regression update (Spectre)	Nessus	Debian Local Security Checks	high
118272	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1855-2)	Nessus	SuSE Local Security Checks	high
111833	SUSE SLES11 Security Update : kernel (SUSE-SU-2018:2366-1) (Foreshadow)	Nessus	SuSE Local Security Checks	high
111782	SUSE SLES11 Security Update : kernel (SUSE-SU-2018:2332-1) (Foreshadow)	Nessus	SuSE Local Security Checks	high
111029	RHEL 6 : MRG (RHSA-2018:2165)	Nessus	Red Hat Local Security Checks	medium
110838	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1855-1)	Nessus	SuSE Local Security Checks	high
110658	openSUSE Security Update : the Linux Kernel (openSUSE-2018-656) (Spectre)	Nessus	SuSE Local Security Checks	high
110637	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1762-1)	Nessus	SuSE Local Security Checks	high
110636	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1761-1)	Nessus	SuSE Local Security Checks	high
110050	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3655-1) (Spectre)	Nessus	Ubuntu Local Security Checks	high
109380	CentOS 7 : kernel (CESA-2018:1062)	Nessus	CentOS Local Security Checks	critical
109315	Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3631-2)	Nessus	Ubuntu Local Security Checks	high
109314	Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3631-1)	Nessus	Ubuntu Local Security Checks	high
109113	Oracle Linux 7 : kernel (ELSA-2018-1062)	Nessus	Oracle Linux Local Security Checks	critical
108997	RHEL 7 : kernel (RHSA-2018:1062)	Nessus	Red Hat Local Security Checks	critical
108984	RHEL 7 : kernel-rt (RHSA-2018:0676)	Nessus	Red Hat Local Security Checks	critical

CVE-2017-13305

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins