http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d4fdf8ba0e5808ba9ad6b44337783bd9935e0982

https://github.com/torvalds/linux/commit/d4fdf8ba0e5808ba9ad6b44337783bd9935e0982

USN-3910-1

USN-3910-2

DSA-4187

DSA-4188

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The atalk_recvmsg function in net/appletalk/ddp.c in     the Linux kernel before 3.12.4 updates a certain length     value without ensuring that an associated data     structure has been initialized, which allows local     users to obtain sensitive information from kernel     memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg     system call.(CVE-2013-7267i1/4%0

  - fs/f2fs/segment.c in the Linux kernel allows local     users to cause a denial of service (NULL pointer     dereference and panic) by using a noflush_merge option     that triggers a NULL value for a flush_cmd_control data     structure.(CVE-2017-18241i1/4%0

  - fs/pnode.c in the Linux kernel before 4.5.4 does not     properly traverse a mount propagation tree in a certain     case involving a slave mount, which allows local users     to cause a denial of service (NULL pointer dereference     and OOPS) via a crafted series of mount system     calls.(CVE-2016-4581i1/4%0

  - drivers/vhost/net.c in the Linux kernel before 3.13.10,     when mergeable buffers are disabled, does not properly     validate packet lengths, which allows guest OS users to     cause a denial of service (memory corruption and host     OS crash) or possibly gain privileges on the host OS     via crafted packets, related to the handle_rx and     get_rx_bufs functions.(CVE-2014-0077i1/4%0

  - It was found that the fix for CVE-2016-9576 was     incomplete: the Linux kernel's sg implementation did     not properly restrict write operations in situations     where the KERNEL_DS option is set. A local attacker to     read or write to arbitrary kernel memory locations or     cause a denial of service (use-after-free) by     leveraging write access to a /dev/sg     device.(CVE-2016-10088i1/4%0

  - ** DISPUTED ** An issue was discovered in the Linux     kernel through 4.17.2. Since the page allocator does     not yield CPU resources to the owner of the oom_lock     mutex, a local unprivileged user can trivially lock up     the system forever by wasting CPU resources from the     page allocator (e.g., via concurrent page fault events)     when the global OOM killer is invoked. NOTE: the     software maintainer has not accepted certain proposed     patches, in part because of a viewpoint that 'the     underlying problem is non-trivial to     handle.'(CVE-2016-10723i1/4%0

  - A flaw was found in the way the Linux kernel's ASN.1     DER decoder processed certain certificate files with     tags of indefinite length. A local, unprivileged user     could use a specially crafted X.509 certificate DER     file to crash the system or, potentially, escalate     their privileges on the system.(CVE-2016-0758i1/4%0

  - A flaw was found in the way the Linux kernel's Stream     Control Transmission Protocol (SCTP) implementation     handled the association's output queue. A remote     attacker could send specially crafted packets that     would cause the system to use an excessive amount of     memory, leading to a denial of     service.(CVE-2014-3688i1/4%0

  - A use-after-free flaw was found in the way the     ping_init_sock() function of the Linux kernel handled     the group_info reference counter. A local, unprivileged     user could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-2851i1/4%0

  - The compat_get_timex function in kernel/compat.c in the     Linux kernel before 4.16.9 allows local users to obtain     sensitive information from kernel memory via     adjtimex.(CVE-2018-11508i1/4%0

  - The cdc_parse_cdc_header() function in     'drivers/usb/core/message.c' in the Linux kernel,     before 4.13.6, allows local users to cause a denial of     service (out-of-bounds read and system crash) or     possibly have unspecified other impact via a crafted     USB device. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely.(CVE-2017-16534i1/4%0

  - A flaw was found in the crypto subsystem of the Linux     kernel before version kernel-4.15-rc4. The 'null     skcipher' was being dropped when each af_alg_ctx was     freed instead of when the aead_tfm was freed. This can     cause the null skcipher to be freed while it is still     in use leading to a local user being able to crash the     system or possibly escalate     privileges.(CVE-2018-14619i1/4%0

  - The crypto_skcipher_init_tfm function in     crypto/skcipher.c in the Linux kernel through 4.11.2     relies on a setkey function that lacks a key-size     check, which allows local users to cause a denial of     service (NULL pointer dereference) via a crafted     application.(CVE-2017-9211i1/4%0

  - kernel/events/core.c in the performance subsystem in     the Linux kernel before 4.0 mismanages locks during     certain migrations, which allows local users to gain     privileges via a crafted application, aka Android     internal bug 30955111.(CVE-2016-6786i1/4%0

  - The KEYS subsystem in the Linux kernel omitted an     access-control check when writing a key to the current     task's default keyring, allowing a local user to bypass     security checks to the keyring. This compromises the     validity of the keyring for those who rely on     it.(CVE-2017-17807i1/4%0

  - A use-after-free flaw was found in the way the Linux     kernel's SCTP implementation handled authentication key     reference counting during INIT collisions. A remote     attacker could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2015-1421i1/4%0

  - The waitid implementation in kernel/exit.c in the Linux     kernel through 4.13.4 accesses rusage data structures     in unintended cases. This can allow local users to     obtain sensitive information and bypass the KASLR     protection mechanism via a crafted system     call.(CVE-2017-14954i1/4%0

  - It was found that the Linux kernel's keyring     implementation would leak memory when adding a key to a     keyring via the add_key() function. A local attacker     could use this flaw to exhaust all available memory on     the system.(CVE-2015-1333i1/4%0

  - The msm_ipc_router_close function in     net/ipc_router/ipc_router_socket.c in the ipc_router     component for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, allow attackers to cause a     denial of service (NULL pointer dereference) or     possibly have unspecified other impact by triggering     failure of an accept system call for an AF_MSM_IPC     socket.(CVE-2016-5870i1/4%0

  - A reachable assertion failure flaw was found in the     Linux kernel built with KVM virtualisation(CONFIG_KVM)     support with Virtual Function I/O feature (CONFIG_VFIO)     enabled. This failure could occur if a malicious guest     device sent a virtual interrupt (guest IRQ) with a     larger (i1/4z1024) index value.(CVE-2017-1000252i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3910-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that the f2fs filesystem implementation in the Linux kernel did not handle the noflush_merge mount option correctly. An attacker could use this to cause a denial of service (system crash).
(CVE-2017-18241)

It was discovered that the procfs filesystem did not properly handle processes mapping some memory elements onto files. A local attacker could use this to block utilities that examine the procfs filesystem to report operating system state, such as ps(1). (CVE-2018-1120)

Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985)

It was discovered that multiple integer overflows existed in the hugetlbfs implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-7740)

Jann Horn discovered a race condition in the fork() system call in the Linux kernel. A local attacker could use this to gain access to services that cache authorizations. (CVE-2019-6133).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the f2fs filesystem implementation in the Linux kernel did not handle the noflush_merge mount option correctly. An attacker could use this to cause a denial of service (system crash).
(CVE-2017-18241)

It was discovered that the procfs filesystem did not properly handle processes mapping some memory elements onto files. A local attacker could use this to block utilities that examine the procfs filesystem to report operating system state, such as ps(1). (CVE-2018-1120)

Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985)

It was discovered that multiple integer overflows existed in the hugetlbfs implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-7740)

Jann Horn discovered a race condition in the fork() system call in the Linux kernel. A local attacker could use this to gain access to services that cache authorizations. (CVE-2019-6133).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the linux package has been released.

New kernel packages are available for Slackware 14.2 to fix security issues.

The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the 'ie_len' argument could have caused a buffer overflow (bnc#1097356)

CVE-2018-1000204: Prevent infoleak caused by incorrect handling of the SG_IO ioctl (bsc#1096728).

CVE-2017-18249: The add_free_nid function did not properly track an allocated nid, which allowed local users to cause a denial of service (race condition) or possibly have unspecified other impact via concurrent threads (bnc#1087036)

CVE-2018-3665: Prevent disclosure of FPU registers (including XMM and AVX registers) between processes. These registers might contain encryption keys when doing SSE accelerated AES enc/decryption (bsc#1087086)

CVE-2017-18241: Prevent a NULL pointer dereference by using a noflush_merge option that triggers a NULL value for a flush_cmd_control data structure (bnc#1086400)

CVE-2017-13305: Prevent information disclosure vulnerability in encrypted-keys (bsc#1094353).

CVE-2018-1093: The ext4_valid_block_bitmap function allowed attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image because balloc.c and ialloc.c did not validate bitmap block numbers (bsc#1087095).

CVE-2018-1094: The ext4_fill_super function did not always initialize the crc32c checksum driver, which allowed attackers to cause a denial of service (ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted ext4 image (bsc#1087007).

CVE-2018-1092: The ext4_iget function mishandled the case of a root directory with a zero i_links_count, which allowed attackers to cause a denial of service (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image (bsc#1087012).

CVE-2018-1130: NULL pointer dereference in dccp_write_xmit() function that allowed a local user to cause a denial of service by a number of certain crafted system calls (bsc#1092904).

CVE-2018-1065: The netfilter subsystem mishandled the case of a rule blob that contains a jump but lacks a user-defined chain, which allowed local users to cause a denial of service (NULL pointer dereference) by leveraging the CAP_NET_RAW or CAP_NET_ADMIN capability (bsc#1083650).

CVE-2018-5803: Prevent error in the '_sctp_make_chunk()' function when handling SCTP packets length that could have been exploited to cause a kernel crash (bnc#1083900).

CVE-2018-7492: Prevent NULL pointer dereference in the net/rds/rdma.c
__rds_rdma_map() function that allowed local attackers to cause a system panic and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST (bsc#1082962).

CVE-2018-1000199: Prevent vulnerability in modify_user_hw_breakpoint() that could have caused a crash and possibly memory corruption (bsc#1089895).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of 'linux', 'linux-esx' packages of Photon OS has been released.

The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2018-5848: In the function wmi_set_ie(), the length     validation code did not handle unsigned integer overflow     properly. As a result, a large value of the 'ie_len'     argument could have caused a buffer overflow     (bnc#1097356)

  - CVE-2018-1000204: Prevent infoleak caused by incorrect     handling of the SG_IO ioctl (bsc#1096728).

  - CVE-2017-18249: The add_free_nid function did not     properly track an allocated nid, which allowed local     users to cause a denial of service (race condition) or     possibly have unspecified other impact via concurrent     threads (bnc#1087036)

  - CVE-2018-3665: Prevent disclosure of FPU registers     (including XMM and AVX registers) between processes.
    These registers might contain encryption keys when doing     SSE accelerated AES enc/decryption (bsc#1087086)

  - CVE-2017-18241: Prevent a NULL pointer dereference by     using a noflush_merge option that triggers a NULL value     for a flush_cmd_control data structure (bnc#1086400)

  - CVE-2017-13305: Prevent information disclosure     vulnerability in encrypted-keys (bsc#1094353).

  - CVE-2018-1093: The ext4_valid_block_bitmap function     allowed attackers to cause a denial of service     (out-of-bounds read and system crash) via a crafted ext4     image because balloc.c and ialloc.c did not validate     bitmap block numbers (bsc#1087095).

  - CVE-2018-1094: The ext4_fill_super function did not     always initialize the crc32c checksum driver, which     allowed attackers to cause a denial of service     (ext4_xattr_inode_hash NULL pointer dereference and     system crash) via a crafted ext4 image (bsc#1087007).

  - CVE-2018-1092: The ext4_iget function mishandled the     case of a root directory with a zero i_links_count,     which allowed attackers to cause a denial of service     (ext4_process_freed_data NULL pointer dereference and     OOPS) via a crafted ext4 image (bsc#1087012).

  - CVE-2018-1130: NULL pointer dereference in     dccp_write_xmit() function that allowed a local user to     cause a denial of service by a number of certain crafted     system calls (bsc#1092904).

  - CVE-2018-1065: The netfilter subsystem mishandled the     case of a rule blob that contains a jump but lacks a     user-defined chain, which allowed local users to cause a     denial of service (NULL pointer dereference) by     leveraging the CAP_NET_RAW or CAP_NET_ADMIN capability     (bsc#1083650).

  - CVE-2018-5803: Prevent error in the '_sctp_make_chunk()'     function when handling SCTP packets length that could     have been exploited to cause a kernel crash     (bnc#1083900).

  - CVE-2018-7492: Prevent NULL pointer dereference in the     net/rds/rdma.c __rds_rdma_map() function that allowed     local attackers to cause a system panic and a     denial-of-service, related to RDS_GET_MR and     RDS_GET_MR_FOR_DEST (bsc#1082962).

  - CVE-2018-1000199: Prevent vulnerability in     modify_user_hw_breakpoint() that could have caused a     crash and possibly memory corruption (bsc#1089895).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.136 to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2018-5848: In the function wmi_set_ie(), the length     validation code did not handle unsigned integer overflow     properly. As a result, a large value of the 'ie_len'     argument could have caused a buffer overflow     (bnc#1097356).

  - CVE-2017-18249: The add_free_nid function did not     properly track an allocated nid, which allowed local     users to cause a denial of service (race condition) or     possibly have unspecified other impact via concurrent     threads (bnc#1087036).

  - CVE-2018-3665: Prevent disclosure of FPU registers     (including XMM and AVX registers) between processes.
    These registers might contain encryption keys when doing     SSE accelerated AES enc/decryption (bsc#1087086).

  - CVE-2017-18241: Prevent a NULL pointer dereference by     using a noflush_merge option that triggers a NULL value     for a flush_cmd_control data structure (bnc#1086400).

  - CVE-2017-17741: The KVM implementation in the Linux     kernel allowed attackers to obtain potentially sensitive     information from kernel memory, aka a write_mmio     stack-based out-of-bounds read (bnc#1073311).

  - CVE-2018-12233: In the ea_get function in     fs/jfs/xattr.c, a memory corruption bug in JFS can be     triggered by calling setxattr twice with two different     extended attribute names on the same file. This     vulnerability can be triggered by an unprivileged user     with the ability to create files and execute programs. A     kmalloc call is incorrect, leading to slab-out-of-bounds     in jfs_xattr (bnc#1097234).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2017-5715     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 2 (branch target   injection) and is mitigated for the x86 architecture (amd64 and   i386) by using the 'retpoline' compiler feature which allows   indirect branches to be isolated from speculative execution.

  - CVE-2017-5753     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 1 (bounds-check   bypass) and is mitigated by identifying vulnerable code sections   (array bounds checking followed by array access) and replacing the   array access with the speculation-safe array_index_nospec()   function.

  More use sites will be added over time.

  - CVE-2017-17975     Tuba Yavuz reported a use-after-free flaw in the     USBTV007 audio-video grabber driver. A local user could     use this for denial of service by triggering failure of     audio registration.

  - CVE-2017-18193     Yunlei He reported that the f2fs implementation does not     properly handle extent trees, allowing a local user to     cause a denial of service via an application with     multiple threads.

  - CVE-2017-18216     Alex Chen reported that the OCFS2 filesystem failed to     hold a necessary lock during nodemanager sysfs file     operations, potentially leading to a NULL pointer     dereference. A local user could use this for denial of     service.

  - CVE-2017-18218     Jun He reported a use-after-free flaw in the Hisilicon     HNS ethernet driver. A local user could use this for     denial of service.

  - CVE-2017-18222     It was reported that the Hisilicon Network Subsystem     (HNS) driver implementation does not properly handle     ethtool private flags. A local user could use this for     denial of service or possibly have other impact.

  - CVE-2017-18224     Alex Chen reported that the OCFS2 filesystem omits the     use of a semaphore and consequently has a race condition     for access to the extent tree during read operations in     DIRECT mode. A local user could use this for denial of     service.

  - CVE-2017-18241     Yunlei He reported that the f2fs implementation does not     properly initialise its state if the 'noflush_merge'     mount option is used. A local user with access to a     filesystem mounted with this option could use this to     cause a denial of service.

  - CVE-2017-18257     It was reported that the f2fs implementation is prone to     an infinite loop caused by an integer overflow in the
    __get_data_block() function. A local user can use this     for denial of service via crafted use of the open and     fallocate system calls with an FS_IOC_FIEMAP ioctl.

  - CVE-2018-1065     The syzkaller tool found a NULL pointer dereference flaw     in the netfilter subsystem when handling certain     malformed iptables rulesets. A local user with the     CAP_NET_RAW or CAP_NET_ADMIN capability (in any user     namespace) could use this to cause a denial of service.
    Debian disables unprivileged user namespaces by default.

  - CVE-2018-1066     Dan Aloni reported to Red Hat that the CIFS client     implementation would dereference a NULL pointer if the     server sent an invalid response during NTLMSSP setup     negotiation. This could be used by a malicious server     for denial of service.

  - CVE-2018-1068     The syzkaller tool found that the 32-bit compatibility     layer of ebtables did not sufficiently validate offset     values. On a 64-bit kernel, a local user with the     CAP_NET_ADMIN capability (in any user namespace) could     use this to overwrite kernel memory, possibly leading to     privilege escalation. Debian disables unprivileged user     namespaces by default.

  - CVE-2018-1092     Wen Xu reported that a crafted ext4 filesystem image     would trigger a null dereference when mounted. A local     user able to mount arbitrary filesystems could use this     for denial of service.

  - CVE-2018-1093     Wen Xu reported that a crafted ext4 filesystem image     could trigger an out-of-bounds read in the     ext4_valid_block_bitmap() function. A local user able to     mount arbitrary filesystems could use this for denial of     service.

  - CVE-2018-1108     Jann Horn reported that crng_ready() does not properly     handle the crng_init variable states and the RNG could     be treated as cryptographically safe too early after     system boot.

  - CVE-2018-5803     Alexey Kodanev reported that the SCTP protocol did not     range-check the length of chunks to be created. A local     or remote user could use this to cause a denial of     service.

  - CVE-2018-7480     Hou Tao discovered a double-free flaw in the     blkcg_init_queue() function in block/blk-cgroup.c. A     local user could use this to cause a denial of service     or have other impact.

  - CVE-2018-7566     Fan LongFei reported a race condition in the ALSA     (sound) sequencer core, between write and ioctl     operations. This could lead to an out-of-bounds access     or use-after-free. A local user with access to a     sequencer device could use this for denial of service or     possibly for privilege escalation.

  - CVE-2018-7740     Nic Losby reported that the hugetlbfs filesystem's mmap     operation did not properly range-check the file offset.
    A local user with access to files on a hugetlbfs     filesystem could use this to cause a denial of service.

  - CVE-2018-7757     Jason Yan reported a memory leak in the SAS     (Serial-Attached SCSI) subsystem. A local user on a     system with SAS devices could use this to cause a denial     of service.

  - CVE-2018-7995     Seunghun Han reported a race condition in the x86 MCE     (Machine Check Exception) driver. This is unlikely to     have any security impact.

  - CVE-2018-8087     A memory leak flaw was found in the hwsim_new_radio_nl()     function in the simulated radio testing tool driver for     mac80211, allowing a local user to cause a denial of     service.

  - CVE-2018-8781     Eyal Itkin reported that the udl (DisplayLink) driver's     mmap operation did not properly range-check the file     offset. A local user with access to a udl framebuffer     device could exploit this to overwrite kernel memory,     leading to privilege escalation.

  - CVE-2018-8822     Dr Silvio Cesare of InfoSect reported that the ncpfs     client implementation did not validate reply lengths     from the server. An ncpfs server could use this to cause     a denial of service or remote code execution in the     client.

  - CVE-2018-10323     Wen Xu reported a NULL pointer dereference flaw in the     xfs_bmapi_write() function triggered when mounting and     operating a crafted xfs filesystem image. A local user     able to mount arbitrary filesystems could use this for     denial of service.

  - CVE-2018-1000199     Andy Lutomirski discovered that the ptrace subsystem did     not sufficiently validate hardware breakpoint settings.
    Local users can use this to cause a denial of service,     or possibly for privilege escalation, on x86 (amd64 and     i386) and possibly other architectures.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2015-9016     Ming Lei reported a race condition in the multiqueue     block layer (blk-mq). On a system with a driver using     blk-mq (mtip32xx, null_blk, or virtio_blk), a local user     might be able to use this for denial of service or     possibly for privilege escalation.

  - CVE-2017-0861     Robb Glasser reported a potential use-after-free in the     ALSA (sound) PCM core. We believe this was not possible     in practice.

  - CVE-2017-5715     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 2 (branch target   injection) and is mitigated for the x86 architecture (amd64 and   i386) by using the 'retpoline' compiler feature which allows   indirect branches to be isolated from speculative execution.

  - CVE-2017-5753     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 1 (bounds-check   bypass) and is mitigated by identifying vulnerable code sections   (array bounds checking followed by array access) and replacing the   array access with the speculation-safe array_index_nospec()   function.

  More use sites will be added over time.

  - CVE-2017-13166     A bug in the 32-bit compatibility layer of the v4l2     ioctl handling code has been found. Memory protections     ensuring user-provided buffers always point to userland     memory were disabled, allowing destination addresses to     be in kernel space. On a 64-bit kernel a local user with     access to a suitable video device can exploit this to     overwrite kernel memory, leading to privilege     escalation.

  - CVE-2017-13220     Al Viro reported that the Bluetooth HIDP implementation     could dereference a pointer before performing the     necessary type check. A local user could use this to     cause a denial of service.

  - CVE-2017-16526     Andrey Konovalov reported that the UWB subsystem may     dereference an invalid pointer in an error case. A local     user might be able to use this for denial of service.

  - CVE-2017-16911     Secunia Research reported that the USB/IP vhci_hcd     driver exposed kernel heap addresses to local users.
    This information could aid the exploitation of other     vulnerabilities.

  - CVE-2017-16912     Secunia Research reported that the USB/IP stub driver     failed to perform a range check on a received packet     header field, leading to an out-of-bounds read. A remote     user able to connect to the USB/IP server could use this     for denial of service.

  - CVE-2017-16913     Secunia Research reported that the USB/IP stub driver     failed to perform a range check on a received packet     header field, leading to excessive memory allocation. A     remote user able to connect to the USB/IP server could     use this for denial of service.

  - CVE-2017-16914     Secunia Research reported that the USB/IP stub driver     failed to check for an invalid combination of fields in     a received packet, leading to a NULL pointer     dereference. A remote user able to connect to the USB/IP     server could use this for denial of service.

  - CVE-2017-18017     Denys Fedoryshchenko reported that the netfilter     xt_TCPMSS module failed to validate TCP header lengths,     potentially leading to a use-after-free. If this module     is loaded, it could be used by a remote attacker for     denial of service or possibly for code execution.

  - CVE-2017-18203     Hou Tao reported that there was a race condition in     creation and deletion of device-mapper (DM) devices. A     local user could potentially use this for denial of     service.

  - CVE-2017-18216     Alex Chen reported that the OCFS2 filesystem failed to     hold a necessary lock during nodemanager sysfs file     operations, potentially leading to a NULL pointer     dereference. A local user could use this for denial of     service.

  - CVE-2017-18232     Jason Yan reported a race condition in the SAS     (Serial-Attached SCSI) subsystem, between probing and     destroying a port. This could lead to a deadlock. A     physically present attacker could use this to cause a     denial of service.

  - CVE-2017-18241     Yunlei He reported that the f2fs implementation does not     properly initialise its state if the 'noflush_merge'     mount option is used. A local user with access to a     filesystem mounted with this option could use this to     cause a denial of service.

  - CVE-2018-1066     Dan Aloni reported to Red Hat that the CIFS client     implementation would dereference a NULL pointer if the     server sent an invalid response during NTLMSSP setup     negotiation. This could be used by a malicious server     for denial of service.

  - CVE-2018-1068     The syzkaller tool found that the 32-bit compatibility     layer of ebtables did not sufficiently validate offset     values. On a 64-bit kernel, a local user with the     CAP_NET_ADMIN capability (in any user namespace) could     use this to overwrite kernel memory, possibly leading to     privilege escalation. Debian disables unprivileged user     namespaces by default.

  - CVE-2018-1092     Wen Xu reported that a crafted ext4 filesystem image     would trigger a null dereference when mounted. A local     user able to mount arbitrary filesystems could use this     for denial of service.

  - CVE-2018-5332     Mohamed Ghannam reported that the RDS protocol did not     sufficiently validate RDMA requests, leading to an     out-of-bounds write. A local attacker on a system with     the rds module loaded could use this for denial of     service or possibly for privilege escalation.

  - CVE-2018-5333     Mohamed Ghannam reported that the RDS protocol did not     properly handle an error case, leading to a NULL pointer     dereference. A local attacker on a system with the rds     module loaded could possibly use this for denial of     service.

  - CVE-2018-5750     Wang Qize reported that the ACPI sbshc driver logged a     kernel heap address. This information could aid the     exploitation of other vulnerabilities.

  - CVE-2018-5803     Alexey Kodanev reported that the SCTP protocol did not     range-check the length of chunks to be created. A local     or remote user could use this to cause a denial of     service.

  - CVE-2018-6927     Li Jinyue reported that the FUTEX_REQUEUE operation on     futexes did not check for negative parameter values,     which might lead to a denial of service or other     security impact.

  - CVE-2018-7492     The syzkaller tool found that the RDS protocol was     lacking a null pointer check. A local attacker on a     system with the rds module loaded could use this for     denial of service.

  - CVE-2018-7566     Fan LongFei reported a race condition in the ALSA     (sound) sequencer core, between write and ioctl     operations. This could lead to an out-of-bounds access     or use-after-free. A local user with access to a     sequencer device could use this for denial of service or     possibly for privilege escalation.

  - CVE-2018-7740     Nic Losby reported that the hugetlbfs filesystem's mmap     operation did not properly range-check the file offset.
    A local user with access to files on a hugetlbfs     filesystem could use this to cause a denial of service.

  - CVE-2018-7757     Jason Yan reported a memory leak in the SAS     (Serial-Attached SCSI) subsystem. A local user on a     system with SAS devices could use this to cause a denial     of service.

  - CVE-2018-7995     Seunghun Han reported a race condition in the x86 MCE     (Machine Check Exception) driver. This is unlikely to     have any security impact.

  - CVE-2018-8781     Eyal Itkin reported that the udl (DisplayLink) driver's     mmap operation did not properly range-check the file     offset. A local user with access to a udl framebuffer     device could exploit this to overwrite kernel memory,     leading to privilege escalation.

  - CVE-2018-8822     Dr Silvio Cesare of InfoSect reported that the ncpfs     client implementation did not validate reply lengths     from the server. An ncpfs server could use this to cause     a denial of service or remote code execution in the     client.

  - CVE-2018-1000004     Luo Quan reported a race condition in the ALSA (sound)     sequencer core, between multiple ioctl operations. This     could lead to a deadlock or use-after-free. A local user     with access to a sequencer device could use this for     denial of service or possibly for privilege escalation.

  - CVE-2018-1000199     Andy Lutomirski discovered that the ptrace subsystem did     not sufficiently validate hardware breakpoint settings.
    Local users can use this to cause a denial of service,     or possibly for privilege escalation, on x86 (amd64 and     i386) and possibly other architectures.

ID	Name	Product	Family	Severity
124987	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1534)	Nessus	Huawei Local Security Checks	critical
122893	Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3910-2)	Nessus	Ubuntu Local Security Checks	medium
122892	Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3910-1)	Nessus	Ubuntu Local Security Checks	medium
121841	Photon OS 1.0: Linux PHSA-2018-1.0-0135	Nessus	PhotonOS Local Security Checks	medium
121505	Slackware 14.2 : Slackware 14.2 kernel (SSA:2019-030-01)	Nessus	Slackware Local Security Checks	high
118272	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1855-2)	Nessus	SuSE Local Security Checks	high
111937	Photon OS 1.0: Linux PHSA-2018-1.0-0135 (deprecated)	Nessus	PhotonOS Local Security Checks	medium
110838	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1855-1)	Nessus	SuSE Local Security Checks	high
110660	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:1772-1)	Nessus	SuSE Local Security Checks	medium
110658	openSUSE Security Update : the Linux Kernel (openSUSE-2018-656) (Spectre)	Nessus	SuSE Local Security Checks	high
109518	Debian DSA-4188-1 : linux - security update (Spectre)	Nessus	Debian Local Security Checks	high
109517	Debian DSA-4187-1 : linux - security update (Spectre)	Nessus	Debian Local Security Checks	critical

CVE-2017-18241

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins