102321

1040058

https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/bugfix/all/bpf-reject-out-of-bounds-stack-pointer-calculation.patch?h=stretch-security

USN-3523-3

USN-3523-2

DSA-4073

https://www.spinics.net/lists/stable/msg206985.html

The 4.14.11 stable kernel update contains a number of important fixes across the tree. This also includes the KPTI patches to mitigate the Meltdown vulnerability for x86 architectures.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel did not properly check the relationship between pointer values and the BPF stack. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17863)

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16995)

Alexei Starovoitov discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel contained a branch-pruning logic issue around unreachable code. A local attacker could use this to cause a denial of service. (CVE-2017-17862)

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel mishandled pointer data values in some situations. A local attacker could use this to to expose sensitive information (kernel memory). (CVE-2017-17864).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3523-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.10.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS.

Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2017-5754)

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel did not properly check the relationship between pointer values and the BPF stack. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17863)

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16995)

Alexei Starovoitov discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel contained a branch-pruning logic issue around unreachable code. A local attacker could use this to cause a denial of service. (CVE-2017-17862)

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel mishandled pointer data values in some situations. A local attacker could use this to to expose sensitive information (kernel memory). (CVE-2017-17864).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2017-5754)

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel did not properly check the relationship between pointer values and the BPF stack. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17863)

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16995)

Alexei Starovoitov discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel contained a branch-pruning logic issue around unreachable code. A local attacker could use this to cause a denial of service. (CVE-2017-17862)

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel mishandled pointer data values in some situations. A local attacker could use this to to expose sensitive information (kernel memory). (CVE-2017-17864).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 4.14.11 stable kernel update contains a number of important fixes across the tree. This also includes the KPTI patches to mitigate the Meltdown vulnerability for x86 architectures

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2017-8824     Mohamed Ghannam discovered that the DCCP implementation     did not correctly manage resources when a socket is     disconnected and reconnected, potentially leading to a     use-after-free. A local user could use this for denial     of service (crash or data corruption) or possibly for     privilege escalation. On systems that do not already     have the dccp module loaded, this can be mitigated by     disabling it:echo >> /etc/modprobe.d/disable-dccp.conf     install dccp false

  - CVE-2017-16538     Andrey Konovalov reported that the dvb-usb-lmedm04 media     driver did not correctly handle some error conditions     during initialisation. A physically present user with a     specially designed USB device can use this to cause a     denial of service (crash).

  - CVE-2017-16644     Andrey Konovalov reported that the hdpvr media driver     did not correctly handle some error conditions during     initialisation. A physically present user with a     specially designed USB device can use this to cause a     denial of service (crash).

  - CVE-2017-16995     Jann Horn discovered that the Extended BPF verifier did     not correctly model the behaviour of 32-bit load     instructions. A local user can use this for privilege     escalation.

  - CVE-2017-17448     Kevin Cernekee discovered that the netfilter subsystem     allowed users with the CAP_NET_ADMIN capability in any     user namespace, not just the root namespace, to enable     and disable connection tracking helpers. This could lead     to denial of service, violation of network security     policy, or have other impact.

  - CVE-2017-17449     Kevin Cernekee discovered that the netlink subsystem     allowed users with the CAP_NET_ADMIN capability in any     user namespace to monitor netlink traffic in all net     namespaces, not just those owned by that user namespace.
    This could lead to exposure of sensitive information.

  - CVE-2017-17450     Kevin Cernekee discovered that the xt_osf module allowed     users with the CAP_NET_ADMIN capability in any user     namespace to modify the global OS fingerprint list.

  - CVE-2017-17558     Andrey Konovalov reported that that USB core did not     correctly handle some error conditions during     initialisation. A physically present user with a     specially designed USB device can use this to cause a     denial of service (crash or memory corruption), or     possibly for privilege escalation.

  - CVE-2017-17712     Mohamed Ghannam discovered a race condition in the IPv4     raw socket implementation. A local user could use this     to obtain sensitive information from the kernel.

  - CVE-2017-17741     Dmitry Vyukov reported that the KVM implementation for     x86 would over-read data from memory when emulating an     MMIO write if the kvm_mmio tracepoint was enabled. A     guest virtual machine might be able to use this to cause     a denial of service (crash).

  - CVE-2017-17805     It was discovered that some implementations of the     Salsa20 block cipher did not correctly handle     zero-length input. A local user could use this to cause     a denial of service (crash) or possibly have other     security impact.

  - CVE-2017-17806     It was discovered that the HMAC implementation could be     used with an underlying hash algorithm that requires a     key, which was not intended. A local user could use this     to cause a denial of service (crash or memory     corruption), or possibly for privilege escalation.

  - CVE-2017-17807     Eric Biggers discovered that the KEYS subsystem lacked a     check for write permission when adding keys to a     process's default keyring. A local user could use this     to cause a denial of service or to obtain sensitive     information.

  - CVE-2017-17862     Alexei Starovoitov discovered that the Extended BPF     verifier ignored unreachable code, even though it would     still be processed by JIT compilers. This could possibly     be used by local users for denial of service. It also     increases the severity of bugs in determining     unreachable code.

  - CVE-2017-17863     Jann Horn discovered that the Extended BPF verifier did     not correctly model pointer arithmetic on the stack     frame pointer. A local user can use this for privilege     escalation.

  - CVE-2017-17864     Jann Horn discovered that the Extended BPF verifier     could fail to detect pointer leaks from conditional     code. A local user could use this to obtain sensitive     information in order to exploit other vulnerabilities.

  - CVE-2017-1000407     Andrew Honig reported that the KVM implementation for     Intel processors allowed direct access to host I/O port     0x80, which is not generally safe. On some systems this     allows a guest VM to cause a denial of service (crash)     of the host.

  - CVE-2017-1000410     Ben Seri reported that the Bluetooth subsystem did not     correctly handle short EFS information elements in L2CAP     messages. An attacker able to communicate over Bluetooth     could use this to obtain sensitive information from the     kernel.

The various problems in the Extended BPF verifier can be mitigated by disabling use of Extended BPF by unprivileged users:sysctl kernel.unprivileged_bpf_disabled=1

Debian disables unprivileged user namespaces by default, but if they are enabled (via the kernel.unprivileged_userns_clone sysctl) then CVE-2017-17448 can be exploited by any local user.

ID	Name	Product	Family	Severity
106024	Fedora 27 : kernel (2018-22d5fa8a90)	Nessus	Fedora Local Security Checks	high
105748	Ubuntu 17.10 : linux-raspi2 vulnerabilities (USN-3523-3)	Nessus	Ubuntu Local Security Checks	high
105747	Ubuntu 16.04 LTS : linux-hwe, linux-azure, linux-gcp, linux-oem vulnerabilities (USN-3523-2) (Meltdown)	Nessus	Ubuntu Local Security Checks	high
105726	Ubuntu 17.10 : linux vulnerabilities (USN-3523-1) (Meltdown)	Nessus	Ubuntu Local Security Checks	high
105596	Fedora 26 : kernel (2018-8ed5eff2c0)	Nessus	Fedora Local Security Checks	high
105433	Debian DSA-4073-1 : linux - security update	Nessus	Debian Local Security Checks	high

CVE-2017-17863

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins