http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=95a762e2c8c942780948091f8f2a4f32fce1ac6f

http://openwall.com/lists/oss-security/2017/12/21/2

102288

https://bugs.chromium.org/p/project-zero/issues/detail?id=1454

https://github.com/torvalds/linux/commit/95a762e2c8c942780948091f8f2a4f32fce1ac6f

USN-3619-1

USN-3619-2

USN-3633-1

USN-3523-2

DSA-4073

44298

45010

45058

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the way the Linux kernel's perf     subsystem retrieved userlevel stack traces on PowerPC     systems. A local, unprivileged user could use this flaw     to cause a denial of service on the system by creating     a special stack layout that would force the     perf_callchain_user_64() function into an infinite     loop.(CVE-2015-6526)

  - A vulnerability was found in the Linux kernel. Payloads     of NM entries are not supposed to contain NUL. When     such entry is processed, only the part prior to the     first NUL goes into the concatenation (i.e. the     directory entry name being encoded by a bunch of NM     entries). The process stops when the amount collected     so far + the claimed amount in the current NM entry     exceed 254. However, the value returned as the total     length is the sum of *claimed* sizes, not the actual     amount collected. And that's what will be passed to     readdir() callback as the name length - 8Kb
    __copy_to_user() from a buffer allocated by
    __get_free_page().(CVE-2016-4913)

  - The perf_trace_event_perm function in     kernel/trace/trace_event_perf.c in the Linux kernel     before 3.12.2 does not properly restrict access to the     perf subsystem, which allows local users to enable     function tracing via a crafted     application.(CVE-2013-2930)

  - The mincore() implementation in mm/mincore.c in the     Linux kernel through 4.19.13 allowed local attackers to     observe page cache access patterns of other processes     on the same system, potentially allowing sniffing of     secret information. (Fixing this affects the output of     the fincore program.) Limited remote exploitation may     be possible, as demonstrated by latency differences in     accessing public files from an Apache HTTP     Server.(CVE-2019-5489)

  - It was found that the espfix functionality could be     bypassed by installing a 16-bit RW data segment into     GDT instead of LDT (which espfix checks), and using     that segment on the stack. A local, unprivileged user     could potentially use this flaw to leak kernel stack     addresses.(CVE-2014-8133)

  - An issue was discovered in the btrfs filesystem code in     the Linux kernel. An out-of-bounds access is possible     in write_extent_buffer() when mounting and operating a     crafted btrfs image due to a lack of verification at     mount time within the btrfs_read_block_groups() in     fs/btrfs/extent-tree.c function. This could lead to a     system crash and a denial of service.(CVE-2018-14610)

  - kernel/bpf/verifier.c in the Linux kernel through     4.14.8 mishandles states_equal comparisons between the     pointer data type and the UNKNOWN_VALUE data type,     which allows local users to obtain potentially     sensitive address information, aka a 'pointer     leak.'(CVE-2017-17864)

  - drivers/hid/hid-lenovo-tpkbd.c in the Human Interface     Device (HID) subsystem in the Linux kernel through     3.11, when CONFIG_HID_LENOVO_TPKBD is enabled, allows     physically proximate attackers to cause a denial of     service (heap-based out-of-bounds write) via a crafted     device.(CVE-2013-2894)

  - Memory leak in the sas_smp_get_phy_events function in     drivers/scsi/libsas/sas_expander.c in the Linux kernel     allows local users to cause a denial of service (kernel     memory exhaustion) via multiple read accesses to files     in the /sys/class/sas_phy directory.(CVE-2018-7757)

  - It was found that the original fix for CVE-2016-6786     was incomplete. There exist a race between two     concurrent sys_perf_event_open() calls when both try     and move the same pre-existing software group into a     hardware context.(CVE-2017-6001)

  - In the Linux kernel before 4.20.12,     net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP     NAT module has insufficient ASN.1 length checks (aka an     array index error), making out-of-bounds read and write     operations possible, leading to an OOPS or local     privilege escalation. This affects snmp_version and     snmp_helper.(CVE-2019-9162)

  - An information leak flaw was found in the way the Linux     kernel's Advanced Linux Sound Architecture (ALSA)     implementation handled access of the user control's     state. A local, privileged user could use this flaw to     leak kernel memory to user space.(CVE-2014-4652)

  - A flaw was found that the vfs_rename() function did not     detect hard links on overlayfs. A local, unprivileged     user could use the rename syscall on overlayfs on top     of xfs to crash the system.(CVE-2016-6198)

  - It was found that when file permissions were modified     via chmod and the user modifying them was not in the     owning group or capable of CAP_FSETID, the setgid bit     would be cleared. Setting a POSIX ACL via setxattr sets     the file permissions as well as the new ACL, but     doesn't clear the setgid bit in a similar way. This     could allow a local user to gain group privileges via     certain setgid applications.(CVE-2016-7097)

  - A flaw was found in the way the Linux kernel's Crypto     subsystem handled automatic loading of kernel modules.
    A local user could use this flaw to load any installed     kernel module, and thus increase the attack surface of     the running kernel.(CVE-2014-9644)

  - An arbitrary memory r/w access issue was found in the     Linux kernel compiled with the eBPF bpf(2) system call     (CONFIG_BPF_SYSCALL) support. The issue could occur due     to calculation errors in the eBPF verifier module,     triggered by user supplied malicious BPF program. An     unprivileged user could use this flaw to escalate their     privileges on a system. Setting parameter     'kernel.unprivileged_bpf_disabled=1' prevents such     privilege escalation by restricting access to bpf(2)     call.(CVE-2017-16995)

  - A flaw was found in the implementation of associative     arrays where the add_key systemcall and KEYCTL_UPDATE     operations allowed for a NULL payload with a nonzero     length. When accessing the payload within this length     parameters value, an unprivileged user could trivially     cause a NULL pointer dereference (kernel     oops).(CVE-2017-15274)

  - A flaw was found in the Linux kernel's keyring handling     code: the key_reject_and_link() function could be     forced to free an arbitrary memory block. An attacker     could use this flaw to trigger a use-after-free     condition on the system, potentially allowing for     privilege escalation.(CVE-2016-4470)

  - A flaw was found in the way certain interfaces of the     Linux kernel's Infiniband subsystem used write() as     bi-directional ioctl() replacement, which could lead to     insufficient memory security checks when being invoked     using the splice() system call. A local unprivileged     user on a system with either Infiniband hardware     present or RDMA Userspace Connection Manager Access     module explicitly loaded, could use this flaw to     escalate their privileges on the system.(CVE-2016-4565)

  - It was found that the Linux kernel's IPv6 network stack     did not properly validate the value of the MTU variable     when it was set. A remote attacker could potentially     use this flaw to disrupt a target system's networking     (packet loss) by setting an invalid MTU value, for     example, via a NetworkManager daemon that is processing     router advertisement packets running on the target     system.(CVE-2015-8215)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16995).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3619-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16995)

It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861)

It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407)

It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses).
(CVE-2017-11472)

It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129)

It was discovered that the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel contained a use-after-free when handling device removal. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16528)

Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532)

Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536)

Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537)

Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645)

Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646)

Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16649)

Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16650)

It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911)

It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912)

It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913)

It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash).
(CVE-2017-16914)

It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory).
(CVE-2017-16994)

It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions.
(CVE-2017-17448)

It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449)

It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450)

It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device.
A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information.
(CVE-2017-17741)

It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805)

It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806)

It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task's default keyring. A local attacker could use this to add keys to unauthorized keyrings. (CVE-2017-17807)

Alexei Starovoitov discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel contained a branch-pruning logic issue around unreachable code. A local attacker could use this to cause a denial of service. (CVE-2017-17862)

It was discovered that the parallel cryptography component of the Linux kernel incorrectly freed kernel memory. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18075)

It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203)

It was discovered that a race condition existed in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18204)

It was discovered that an infinite loop could occur in the the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang). (CVE-2017-18208)

Andy Lutomirski discovered that the KVM implementation in the Linux kernel was vulnerable to a debug exception error when single-stepping through a syscall. A local attacker in a non-Linux guest vm could possibly use this to gain administrative privileges in the guest vm.
(CVE-2017-7518)

It was discovered that the Broadcom NetXtremeII ethernet driver in the Linux kernel did not properly validate Generic Segment Offload (GSO) packet sizes. An attacker could use this to cause a denial of service (interface unavailability). (CVE-2018-1000026)

It was discovered that the Reliable Datagram Socket (RDS) implementation in the Linux kernel contained an out-of-bounds write during RDMA page allocation. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-5332)

Mohamed Ghannam discovered a NULL pointer dereference in the RDS (Reliable Datagram Sockets) protocol implementation of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5333)

Fan Long Fei  discovered that a race condition existed in loop block device implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5344)

It was discovered that an integer overflow error existed in the futex implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-6927)

It was discovered that a NULL pointer dereference existed in the RDS (Reliable Datagram Sockets) protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-7492)

It was discovered that the Broadcom UniMAC MDIO bus controller driver in the Linux kernel did not properly validate device resources. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-8043).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16995)

It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861)

It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407)

It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses).
(CVE-2017-11472)

It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129)

It was discovered that the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel contained a use-after-free when handling device removal. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16528)

Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532)

Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536)

Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537)

Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645)

Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646)

Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16649)

Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16650)

It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911)

It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912)

It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913)

It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash).
(CVE-2017-16914)

It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory).
(CVE-2017-16994)

It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions.
(CVE-2017-17448)

It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449)

It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450)

It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device.
A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information.
(CVE-2017-17741)

It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805)

It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806)

It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task's' default keyring. A local attacker could use this to add keys to unauthorized keyrings. (CVE-2017-17807)

Alexei Starovoitov discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel contained a branch-pruning logic issue around unreachable code. A local attacker could use this to cause a denial of service. (CVE-2017-17862)

It was discovered that the parallel cryptography component of the Linux kernel incorrectly freed kernel memory. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18075)

It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203)

It was discovered that a race condition existed in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18204)

It was discovered that an infinite loop could occur in the the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang). (CVE-2017-18208)

Andy Lutomirski discovered that the KVM implementation in the Linux kernel was vulnerable to a debug exception error when single-stepping through a syscall. A local attacker in a non-Linux guest vm could possibly use this to gain administrative privileges in the guest vm.
(CVE-2017-7518)

It was discovered that the Broadcom NetXtremeII ethernet driver in the Linux kernel did not properly validate Generic Segment Offload (GSO) packet sizes. An attacker could use this to cause a denial of service (interface unavailability). (CVE-2018-1000026)

It was discovered that the Reliable Datagram Socket (RDS) implementation in the Linux kernel contained an out-of-bounds write during RDMA page allocation. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-5332)

Mohamed Ghannam discovered a NULL pointer dereference in the RDS (Reliable Datagram Sockets) protocol implementation of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5333)

Fan Long Fei  discovered that a race condition existed in loop block device implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5344)

It was discovered that an integer overflow error existed in the futex implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-6927)

It was discovered that a NULL pointer dereference existed in the RDS (Reliable Datagram Sockets) protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-7492)

It was discovered that the Broadcom UniMAC MDIO bus controller driver in the Linux kernel did not properly validate device resources. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-8043).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel did not properly check the relationship between pointer values and the BPF stack. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17863)

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16995)

Alexei Starovoitov discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel contained a branch-pruning logic issue around unreachable code. A local attacker could use this to cause a denial of service. (CVE-2017-17862)

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel mishandled pointer data values in some situations. A local attacker could use this to to expose sensitive information (kernel memory). (CVE-2017-17864).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3523-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.10.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS.

Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2017-5754)

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel did not properly check the relationship between pointer values and the BPF stack. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17863)

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16995)

Alexei Starovoitov discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel contained a branch-pruning logic issue around unreachable code. A local attacker could use this to cause a denial of service. (CVE-2017-17862)

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel mishandled pointer data values in some situations. A local attacker could use this to to expose sensitive information (kernel memory). (CVE-2017-17864).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2017-5754)

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel did not properly check the relationship between pointer values and the BPF stack. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17863)

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16995)

Alexei Starovoitov discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel contained a branch-pruning logic issue around unreachable code. A local attacker could use this to cause a denial of service. (CVE-2017-17862)

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel mishandled pointer data values in some situations. A local attacker could use this to to expose sensitive information (kernel memory). (CVE-2017-17864).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2017-8824     Mohamed Ghannam discovered that the DCCP implementation     did not correctly manage resources when a socket is     disconnected and reconnected, potentially leading to a     use-after-free. A local user could use this for denial     of service (crash or data corruption) or possibly for     privilege escalation. On systems that do not already     have the dccp module loaded, this can be mitigated by     disabling it:echo >> /etc/modprobe.d/disable-dccp.conf     install dccp false

  - CVE-2017-16538     Andrey Konovalov reported that the dvb-usb-lmedm04 media     driver did not correctly handle some error conditions     during initialisation. A physically present user with a     specially designed USB device can use this to cause a     denial of service (crash).

  - CVE-2017-16644     Andrey Konovalov reported that the hdpvr media driver     did not correctly handle some error conditions during     initialisation. A physically present user with a     specially designed USB device can use this to cause a     denial of service (crash).

  - CVE-2017-16995     Jann Horn discovered that the Extended BPF verifier did     not correctly model the behaviour of 32-bit load     instructions. A local user can use this for privilege     escalation.

  - CVE-2017-17448     Kevin Cernekee discovered that the netfilter subsystem     allowed users with the CAP_NET_ADMIN capability in any     user namespace, not just the root namespace, to enable     and disable connection tracking helpers. This could lead     to denial of service, violation of network security     policy, or have other impact.

  - CVE-2017-17449     Kevin Cernekee discovered that the netlink subsystem     allowed users with the CAP_NET_ADMIN capability in any     user namespace to monitor netlink traffic in all net     namespaces, not just those owned by that user namespace.
    This could lead to exposure of sensitive information.

  - CVE-2017-17450     Kevin Cernekee discovered that the xt_osf module allowed     users with the CAP_NET_ADMIN capability in any user     namespace to modify the global OS fingerprint list.

  - CVE-2017-17558     Andrey Konovalov reported that that USB core did not     correctly handle some error conditions during     initialisation. A physically present user with a     specially designed USB device can use this to cause a     denial of service (crash or memory corruption), or     possibly for privilege escalation.

  - CVE-2017-17712     Mohamed Ghannam discovered a race condition in the IPv4     raw socket implementation. A local user could use this     to obtain sensitive information from the kernel.

  - CVE-2017-17741     Dmitry Vyukov reported that the KVM implementation for     x86 would over-read data from memory when emulating an     MMIO write if the kvm_mmio tracepoint was enabled. A     guest virtual machine might be able to use this to cause     a denial of service (crash).

  - CVE-2017-17805     It was discovered that some implementations of the     Salsa20 block cipher did not correctly handle     zero-length input. A local user could use this to cause     a denial of service (crash) or possibly have other     security impact.

  - CVE-2017-17806     It was discovered that the HMAC implementation could be     used with an underlying hash algorithm that requires a     key, which was not intended. A local user could use this     to cause a denial of service (crash or memory     corruption), or possibly for privilege escalation.

  - CVE-2017-17807     Eric Biggers discovered that the KEYS subsystem lacked a     check for write permission when adding keys to a     process's default keyring. A local user could use this     to cause a denial of service or to obtain sensitive     information.

  - CVE-2017-17862     Alexei Starovoitov discovered that the Extended BPF     verifier ignored unreachable code, even though it would     still be processed by JIT compilers. This could possibly     be used by local users for denial of service. It also     increases the severity of bugs in determining     unreachable code.

  - CVE-2017-17863     Jann Horn discovered that the Extended BPF verifier did     not correctly model pointer arithmetic on the stack     frame pointer. A local user can use this for privilege     escalation.

  - CVE-2017-17864     Jann Horn discovered that the Extended BPF verifier     could fail to detect pointer leaks from conditional     code. A local user could use this to obtain sensitive     information in order to exploit other vulnerabilities.

  - CVE-2017-1000407     Andrew Honig reported that the KVM implementation for     Intel processors allowed direct access to host I/O port     0x80, which is not generally safe. On some systems this     allows a guest VM to cause a denial of service (crash)     of the host.

  - CVE-2017-1000410     Ben Seri reported that the Bluetooth subsystem did not     correctly handle short EFS information elements in L2CAP     messages. An attacker able to communicate over Bluetooth     could use this to obtain sensitive information from the     kernel.

The various problems in the Extended BPF verifier can be mitigated by disabling use of Extended BPF by unprivileged users:sysctl kernel.unprivileged_bpf_disabled=1

Debian disables unprivileged user namespaces by default, but if they are enabled (via the kernel.unprivileged_userns_clone sysctl) then CVE-2017-17448 can be exploited by any local user.

ID	Name	Product	Family	Severity
124985	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1532)	Nessus	Huawei Local Security Checks	high
109317	Ubuntu 16.04 LTS : linux-euclid vulnerability (USN-3633-1)	Nessus	Ubuntu Local Security Checks	high
108878	Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3619-2)	Nessus	Ubuntu Local Security Checks	high
108842	Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3619-1)	Nessus	Ubuntu Local Security Checks	high
105748	Ubuntu 17.10 : linux-raspi2 vulnerabilities (USN-3523-3)	Nessus	Ubuntu Local Security Checks	high
105747	Ubuntu 16.04 LTS : linux-hwe, linux-azure, linux-gcp, linux-oem vulnerabilities (USN-3523-2) (Meltdown)	Nessus	Ubuntu Local Security Checks	high
105726	Ubuntu 17.10 : linux vulnerabilities (USN-3523-1) (Meltdown)	Nessus	Ubuntu Local Security Checks	high
105433	Debian DSA-4073-1 : linux - security update	Nessus	Debian Local Security Checks	high

CVE-2017-16995

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins