http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=237bbd29f7a049d310d907f4b2716a7feef9abf3

104254

https://github.com/torvalds/linux/commit/237bbd29f7a049d310d907f4b2716a7feef9abf3

USN-3754-1

https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.5

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - drivers/gpu/msm/kgsl.c in the MSM graphics driver (aka     GPU driver) for the Linux kernel 3.x, as used in     Qualcomm Innovation Center (QuIC) Android contributions     for MSM devices and other products, mishandles the     KGSL_MEMFLAGS_GPUREADONLY flag, which allows attackers     to gain privileges by leveraging accidental read-write     mappings, aka Qualcomm internal bug     CR988993.(CVE-2016-2067i1/4%0

  - Integer overflow in the mem_check_range function in     drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel     before 4.9.10 allows local users to cause a denial of     service (memory corruption), obtain sensitive     information from kernel memory, or possibly have     unspecified other impact via a write or read request     involving the 'RDMA protocol over infiniband' (aka Soft     RoCE) technology.(CVE-2016-8636i1/4%0

  - Heap-based buffer overflow in the     logi_dj_ll_raw_request function in     drivers/hid/hid-logitech-dj.c in the Linux kernel     before 3.16.2 allows physically proximate attackers to     cause a denial of service (system crash) or possibly     execute arbitrary code via a crafted device that     specifies a large report size for an LED     report.(CVE-2014-3183i1/4%0

  - The futex_requeue function in kernel/futex.c in the     Linux kernel, before 4.14.15, might allow attackers to     cause a denial of service (integer overflow) or     possibly have unspecified other impacts by triggering a     negative wake or requeue value. Due to the nature of     the flaw, privilege escalation cannot be fully ruled     out, although we believe it is     unlikely.(CVE-2018-6927i1/4%0

  - The hub_activate function in drivers/usb/core/hub.c in     the Linux kernel before 4.3.5 does not properly     maintain a hub-interface data structure, which allows     physically proximate attackers to cause a denial of     service (invalid memory access and system crash) or     possibly have unspecified other impact by unplugging a     USB hub device.(CVE-2015-8816i1/4%0

  - It was found that the blk_rq_map_user_iov() function in     the Linux kernel's block device implementation did not     properly restrict the type of iterator, which could     allow a local attacker to read or write to arbitrary     kernel memory locations or cause a denial of service     (use-after-free) by leveraging write access to a     /dev/sg device.(CVE-2016-9576i1/4%0

  - A security flaw was found in the Linux kernel's     networking subsystem that destroying the network     interface with huge number of ipv4 addresses assigned     keeps 'rtnl_lock' spinlock for a very long time (up to     hour). This blocks many network-related operations,     including creation of new incoming ssh connections.The     problem is especially important for containers, as the     container owner has enough permissions to trigger this     and block a network access on a whole host, outside the     container.(CVE-2016-3156i1/4%0

  - The edge_bulk_in_callback function in     drivers/usb/serial/io_ti.c in the Linux kernel allows     local users to obtain sensitive information (in the     dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an     io_ti USB serial device) to trigger an integer     underflow.(CVE-2017-8924i1/4%0

  - The IPv4 implementation in the Linux kernel before     3.18.8 does not properly consider the length of the     Read-Copy Update (RCU) grace period for redirecting     lookups in the absence of caching, which allows remote     attackers to cause a denial of service (memory     consumption or system crash) via a flood of     packets.(CVE-2015-1465i1/4%0

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9728i1/4%0

  - net/ipv6/ip6_output.c in the Linux kernel through     3.11.4 does not properly determine the need for UDP     Fragmentation Offload (UFO) processing of small packets     after the UFO queueing of a large packet, which allows     remote attackers to cause a denial of service (memory     corruption and system crash) or possibly have     unspecified other impact via network traffic that     triggers a large response packet.(CVE-2013-4387i1/4%0

  - It was found that nfsd is missing permissions check     when setting ACL on files, this may allow a local users     to gain access to any file by setting a crafted     ACL.(CVE-2016-1237i1/4%0

  - In the Linux kernel before 4.13.5, a local user could     create keyrings for other users via keyctl commands,     setting unwanted defaults or causing a denial of     service.(CVE-2017-18270i1/4%0

  - An issue was discovered in the Linux kernel where an     integer overflow in kernel/time/posix-timers.c in the     POSIX timer code is caused by the way the overrun     accounting works. Depending on interval and expiry time     values, the overrun can be larger than INT_MAX, but the     accounting is int based. This basically makes the     accounting values, which are visible to user space via     timer_getoverrun(2) and siginfo::si_overrun,     random.(CVE-2018-12896i1/4%0

  - Since Linux kernel version 3.2, the mremap() syscall     performs TLB flushes after dropping pagetable locks. If     a syscall such as ftruncate() removes entries from the     pagetables of a task that is in the middle of mremap(),     a stale TLB entry can remain for a short time that     permits access to a physical page after it has been     released back to the page allocator and reused. This is     fixed in the following kernel versions: 4.9.135,     4.14.78, 4.18.16, 4.19.(CVE-2018-18281i1/4%0

  - The netfilter subsystem in the Linux kernel through     4.15.7 mishandles the case of a rule blob that contains     a jump but lacks a user-defined chain, which allows     local users to cause a denial of service (NULL pointer     dereference) by leveraging the CAP_NET_RAW or     CAP_NET_ADMIN capability, related to arpt_do_table in     net/ipv4/netfilter/arp_tables.c, ipt_do_table in     net/ipv4/netfilter/ip_tables.c, and ip6t_do_table in     net/ipv6/netfilter/ip6_tables.c.(CVE-2018-1065i1/4%0

  - The use of a kzalloc with an integer multiplication     allowed an integer overflow condition to be reached in     vfio_pci_intrs.c. This combined with CVE-2016-9083 may     allow an attacker to craft an attack and use     unallocated memory, potentially crashing the     machine.(CVE-2016-9084i1/4%0

  - The acm_probe function in drivers/usb/class/cdc-acm.c     in the Linux kernel before 4.5.1 allows physically     proximate attackers to cause a denial of service (NULL     pointer dereference and system crash) via a USB device     without both a control and a data endpoint     descriptor.(CVE-2016-3138i1/4%0

  - It was discovered that root can gain direct access to     an internal keyring, such as '.dns_resolver' in RHEL-7     or '.builtin_trusted_keys' upstream, by joining it as     its session keyring. This allows root to bypass module     signature verification by adding a new public key of     its own devising to the keyring.(CVE-2016-9604i1/4%0

  - An information leak flaw was found in the Linux     kernel's IEEE 802.11 wireless networking     implementation. When software encryption was used, a     remote attacker could use this flaw to leak up to 8     bytes of plaintext.(CVE-2014-8709i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The perf_cpu_time_max_percent_handler function in     kernel/events/core.c in the Linux kernel before 4.11     allows local users to cause a denial of service     (integer overflow) or possibly have unspecified other     impact via a large value, as demonstrated by an     incorrect sample-rate calculation.(CVE-2017-18255)

  - In the Linux kernel before 4.13.5, a local user could     create keyrings for other users via keyctl commands,     setting unwanted defaults or causing a denial of     service.(CVE-2017-18270)

  - The timer_create syscall implementation in     kernel/time/posix-timers.c in the Linux kernel doesn't     properly validate the sigevent-i1/4zsigev_notify field,     which leads to out-of-bounds access in the show_timer     function.(CVE-2017-18344)

  - arch/x86/kvm/emulate.c in the Linux kernel through     4.9.3 allows local users to obtain sensitive     information from kernel memory or cause a denial of     service (use-after-free) via a crafted application that     leverages instruction emulation for fxrstor, fxsave,     sgdt, and sidt.(CVE-2017-2584)

  - Linux kernel built with the KVM visualization support     (CONFIG_KVM), with nested visualization(nVMX) feature     enabled(nested=1), is vulnerable to host memory leakage     issue. It could occur while emulating VMXON instruction     in 'handle_vmon'. An L1 guest user could use this flaw     to leak host memory potentially resulting in     DoS.(CVE-2017-2596)

  - A race condition flaw was found in the N_HLDC Linux     kernel driver when accessing n_hdlc.tbuf list that can     lead to double free. A local, unprivileged user able to     set the HDLC line discipline on the tty device could     use this flaw to increase their privileges on the     system.(CVE-2017-2636)

  - A flaw was found that can be triggered in     keyring_search_iterator in keyring.c if type-i1/4zmatch     is NULL. A local user could use this flaw to crash the     system or, potentially, escalate their     privileges.(CVE-2017-2647)

  - A race condition leading to a NULL pointer dereference     was found in the Linux kernel's Link Layer Control     implementation. A local attacker with access to ping     sockets could use this flaw to crash the     system.(CVE-2017-2671)

  - A vulnerability was found in the Linux kernel in     'tmpfs' file system. When file permissions are modified     via 'chmod' and the user is not in the owning group or     capable of CAP_FSETID, the setgid bit is cleared in     inode_change_ok(). Setting a POSIX ACL via 'setxattr'     sets the file permissions as well as the new ACL, but     doesn't clear the setgid bit in a similar way this     allows to bypass the check in 'chmod'.(CVE-2017-5551)

  - The do_shmat function in ipc/shm.c in the Linux kernel,     through 4.9.12, does not restrict the address     calculated by a certain rounding operation. This allows     privileged local users to map page zero and,     consequently, bypass a protection mechanism that exists     for the mmap system call. This is possible by making     crafted shmget and shmat system calls in a privileged     context.(CVE-2017-5669)

  - A vulnerability was found in the Linux kernel where     having malicious IP options present would cause the     ipv4_pktinfo_prepare() function to drop/free the dst.
    This could result in a system crash or possible     privilege escalation.(CVE-2017-5970)

  - It was reported that with Linux kernel, earlier than     version v4.10-rc8, an application may trigger a BUG_ON     in sctp_wait_for_sndbuf if the socket tx buffer is     full, a thread is waiting on it to queue more data, and     meanwhile another thread peels off the association     being used by the first thread.(CVE-2017-5986)

  - It was found that the original fix for CVE-2016-6786     was incomplete. There exist a race between two     concurrent sys_perf_event_open() calls when both try     and move the same pre-existing software group into a     hardware context.(CVE-2017-6001)

  - A use-after-free flaw was found in the way the Linux     kernel's Datagram Congestion Control Protocol (DCCP)     implementation freed SKB (socket buffer) resources for     a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO     option is set on the socket. A local, unprivileged user     could use this flaw to alter the kernel memory,     allowing them to escalate their privileges on the     system.(CVE-2017-6074)

  - A flaw was found in the Linux kernel's handling of     packets with the URG flag. Applications using the     splice() and tcp_splice_read() functionality could     allow a remote attacker to force the kernel to enter a     condition in which it could loop     indefinitely.(CVE-2017-6214)

  - The hashbin_delete function in net/irda/irqueue.c in     the Linux kernel improperly manages lock dropping,     which allows local users to cause a denial of service     (deadlock) via crafted operations on IrDA     devices.(CVE-2017-6348)

  - It was found that the code in net/sctp/socket.c in the     Linux kernel through 4.10.1 does not properly restrict     association peel-off operations during certain wait     states, which allows local users to cause a denial of     service (invalid unlock and double free) via a     multithreaded application. This vulnerability was     introduced by CVE-2017-5986 fix (commit     2dcab5984841).(CVE-2017-6353)

  - The keyring_search_aux function in     security/keys/keyring.c in the Linux kernel allows     local users to cause a denial of service via a     request_key system call for the 'dead' key     type.(CVE-2017-6951)

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux     kernel allows local users to cause a denial of service     (stack-based buffer overflow) or possibly have     unspecified other impacts via a large command size in     an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds     write access in the sg_write function.(CVE-2017-7187)

  - In was found that in the Linux kernel, in     vmw_surface_define_ioctl() function in     'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a     'num_sizes' parameter is assigned a user-controlled     value which is not checked if it is zero. This is used     in a call to kmalloc() and later leads to dereferencing     ZERO_SIZE_PTR, which in turn leads to a GPF and     possibly to a kernel panic.(CVE-2017-7261)

  - An out-of-bounds write vulnerability was found in the     Linux kernel's vmw_surface_define_ioctl() function, in     the 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file. Due     to the nature of the flaw, privilege escalation cannot     be fully ruled out, although we believe it is     unlikely.(CVE-2017-7294)

  - It was found that the packet_set_ring() function of the     Linux kernel's networking implementation did not     properly validate certain block-size data. A local     attacker with CAP_NET_RAW capability could use this     flaw to trigger a buffer overflow, resulting in the     crash of the system. Due to the nature of the flaw,     privilege escalation cannot be fully ruled     out.(CVE-2017-7308)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Missing check in fs/inode.c:inode_init_owner() does not     clear SGID bit on non-directories for     non-members.(CVE-2018-13405)

  - A null pointer dereference in dccp_write_xmit()     function in net/dccp/output.c in the Linux kernel     allows a local user to cause a denial of service by a     number of certain crafted system calls.(CVE-2018-1130)

  - A flaw was found in the Linux kernel, before 4.16.6     where the cdrom_ioctl_media_changed function in     drivers/cdrom/cdrom.c allows local attackers to use a     incorrect bounds check in the CDROM driver     CDROM_MEDIA_CHANGED ioctl to read out kernel     memory.(CVE-2018-10940)

  - The madvise_willneed function in the Linux kernel     allows local users to cause a denial of service     (infinite loop) by triggering use of MADVISE_WILLNEED     for a DAX mapping.(CVE-2017-18208)

  - fuse-backed file mmap-ed onto process cmdline arguments     causes denial of service.(CVE-2018-1120)

  - Memory leak in the sas_smp_get_phy_events function in     drivers/scsi/libsas/sas_expander.c in the Linux kernel     allows local users to cause a denial of service (kernel     memory exhaustion) via multiple read accesses to files     in the /sys/class/sas_phy directory.(CVE-2018-7757)

  - A vulnerability was found in the Linux kernel's     kernel/events/core.c:perf_cpu_time_max_percent_handler(     ) function. Local privileged users could exploit this     flaw to cause a denial of service due to integer     overflow or possibly have unspecified other     impact.(CVE-2017-18255)

  - A flaw was found in the Linux kernel in the way a local     user could create keyrings for other users via keyctl     commands. This may allow an attacker to set unwanted     defaults, a denial of service, or possibly leak keyring     information between users.(CVE-2017-18270)

  - The mm subsystem in the Linux kernel through 4.10.10     does not properly enforce the CONFIG_STRICT_DEVMEM     protection mechanism, which allows local users to read     or write to kernel memory locations in the first     megabyte (and bypass slab-allocation access     restrictions) via an application that opens the     /dev/mem file, related to arch/x86/mm/init.c and     drivers/char/mem.c.(CVE-2017-7889)

  - The code in the drivers/scsi/libsas/sas_scsi_host.c     file in the Linux kernel allow a physically proximate     attacker to cause a memory leak in the ATA command     queue and, thus, denial of service by triggering     certain failure conditions.(CVE-2018-10021)

  - A flaw was found in the Linux kernel's client-side     implementation of the cifs protocol. This flaw allows     an attacker controlling the server to kernel panic a     client which has the CIFS server     mounted.(CVE-2018-1066)

  - A flaw was found in the alarm_timer_nsleep() function     in kernel/time/alarmtimer.c in the Linux kernel. The     ktime_add_safe() function is not used and an integer     overflow can happen causing an alarm not to fire or     possibly a denial-of-service if using a large relative     timeout.(CVE-2018-13053)

  - An issue was discovered in the XFS filesystem in     fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A     NULL pointer dereference may occur for a corrupted xfs     image after xfs_da_shrink_inode() is called with a NULL     bp. This can lead to a system crash and a denial of     service.(CVE-2018-13094)

  - A flaw was found in the Linux Kernel in the     ucma_leave_multicast() function in     drivers/infiniband/core/ucma.c which allows access to a     certain data structure after freeing it in     ucma_process_join(). This allows an attacker to cause a     use-after-free bug and to induce kernel memory     corruption, leading to a system crash or other     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2018-14734)

  - A race condition in the store_int_with_restart()     function in arch/x86/kernel/cpu/mcheck/mce.c in the     Linux kernel allows local users to cause a denial of     service (panic) by leveraging root access to write to     the check_interval file in a     /sys/devices/system/machinecheck/machinecheck (cpu     number) directory.(CVE-2018-7995)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernel in the way a local     user could create keyrings for other users via keyctl     commands. This may allow an attacker to set unwanted     defaults, a denial of service, or possibly leak keyring     information between users.(CVE-2017-18270)

  - A null pointer dereference in dccp_write_xmit()     function in net/dccp/output.c in the Linux kernel     allows a local user to cause a denial of service by a     number of certain crafted system calls.(CVE-2018-1130)

  - A flaw was found in the Linux kernel, before 4.16.6     where the cdrom_ioctl_media_changed function in     drivers/cdrom/cdrom.c allows local attackers to use a     incorrect bounds check in the CDROM driver     CDROM_MEDIA_CHANGED ioctl to read out kernel     memory.(CVE-2018-10940)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In the Linux kernel before 4.13.5, a local user could     create keyrings for other users via keyctl commands,     setting unwanted defaults or causing a denial of     service.(CVE-2017-18270)

  - ** DISPUTED ** Linux Kernel version 3.18 to 4.16     incorrectly handles an SG_IO ioctl on /dev/sg0 with     dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte     cmdp. This may lead to copying up to 1000 kernel heap     pages to the userspace. This has been fixed upstream in     https://github.com/torvalds/linux/commit/a45b599ad808c3     c982fdcdc12b0b8611c2f92824 already. The problem has     limited scope, as users don't usually have permissions     to access SCSI devices. On the other hand, e.g. the     Nero user manual suggests doing `chmod o+r+w /dev/sg*`     to make the devices accessible.(CVE-2018-1000204)

  - A flaw was found affecting the Linux kernel before     version 4.17. By mmap()ing a FUSE-backed file onto a     process's memory containing command line arguments (or     environment strings), an attacker can cause utilities     from psutils or procps (such as ps, w) or any other     program which makes a read() call to the     /proc/pid/cmdline (or /proc/pid/environ) files to block     indefinitely (denial of service) or for some controlled     time (as a synchronization primitive for other     attacks).(CVE-2018-1120)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208)

It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses).
(CVE-2017-11472)

It was discovered that a buffer overflow existed in the ACPI table parsing implementation in the Linux kernel. A local attacker could use this to construct a malicious ACPI table that, when loaded, caused a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-11473)

It was discovered that the generic SCSI driver in the Linux kernel did not properly initialize data returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14991)

It was discovered that a race condition existed in the packet fanout implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15649)

Andrey Konovalov discovered that the Ultra Wide Band driver in the Linux kernel did not properly check for an error condition. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16526)

Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16527)

Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel did not properly validate USB audio buffer descriptors. A physically proximate attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16529)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB interface association descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16531)

Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB HID descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16533)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB BOS metadata. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16535)

Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536)

Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537)

It was discovered that the DM04/QQBOX USB driver in the Linux kernel did not properly handle device attachment and warm-start. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16538)

Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643)

Andrey Konovalov discovered that the video4linux driver for Hauppauge HD PVR USB devices in the Linux kernel did not properly handle some error conditions. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16644)

Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645)

Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16650)

It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911)

It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912)

It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913)

It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash).
(CVE-2017-16914)

It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device.
A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558)

It was discovered that an integer overflow existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18255)

It was discovered that the keyring subsystem in the Linux kernel did not properly prevent a user from creating keyrings for other users. A local attacker could use this cause a denial of service or expose sensitive information. (CVE-2017-18270)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348)

Andy Lutomirski discovered that the KVM implementation in the Linux kernel was vulnerable to a debug exception error when single-stepping through a syscall. A local attacker in a non-Linux guest vm could possibly use this to gain administrative privileges in the guest vm.
(CVE-2017-7518)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Pengfei Wang discovered that a race condition existed in the NXP SAA7164 TV Decoder driver for the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-8831)

Pengfei Wang discovered that the Turtle Beach MultiSound audio device driver in the Linux kernel contained race conditions when fetching from the ring-buffer. A local attacker could use this to cause a denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985)

It was discovered that the wait4() system call in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service.
(CVE-2018-10087)

It was discovered that the kill() system call implementation in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2018-10124)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323)

Zhong Jiang discovered that a use-after-free vulnerability existed in the NUMA memory policy implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10675)

Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations.
An attacker could use this to specially craft an ext4 file system that caused a denial of service (system crash) when mounted.
(CVE-2018-1092)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations.
An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted.
(CVE-2018-1093)

It was discovered that the cdrom driver in the Linux kernel contained an incorrect bounds check. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-10940)

Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-12233)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-13094)

It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)

Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

It was discovered that an information leak existed in the generic SCSI driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-1000204)

It was discovered that a memory leak existed in the Serial Attached SCSI (SAS) implementation in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-10021).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power)

* kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important)

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate)

* kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate)

* kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate)

* kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate)

* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

* kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate)

* kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate)

* kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low)

Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

From Red Hat Security Advisory 2018:1062 :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power)

* kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important)

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate)

* kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate)

* kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate)

* kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate)

* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

* kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate)

* kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate)

* kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low)

Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* Kernel: KVM: MMU potential stack buffer overrun during page walks (CVE-2017-12188, Important)

* Kernel: KVM: debug exception via syscall emulation (CVE-2017-7518, Moderate)

Bug Fix(es) :

* The kernel-rt packages have been upgraded to the 3.10.0-693.21.1 source tree, which provides a number of bug fixes over the previous version. (BZ# 1537671)

ID	Name	Product	Family	Severity
124975	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1522)	Nessus	Huawei Local Security Checks	high
124825	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1502)	Nessus	Huawei Local Security Checks	high
122414	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-1062)	Nessus	Huawei Local Security Checks	high
117741	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2018-1297)	Nessus	Huawei Local Security Checks	medium
117586	EulerOS Virtualization 2.5.1 : kernel (EulerOS-SA-2018-1280)	Nessus	Huawei Local Security Checks	medium
112113	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3754-1)	Nessus	Ubuntu Local Security Checks	high
109380	CentOS 7 : kernel (CESA-2018:1062)	Nessus	CentOS Local Security Checks	critical
109113	Oracle Linux 7 : kernel (ELSA-2018-1062)	Nessus	Oracle Linux Local Security Checks	critical
108997	RHEL 7 : kernel (RHSA-2018:1062)	Nessus	Red Hat Local Security Checks	critical
107189	RHEL 7 : kernel-rt (RHSA-2018:0412)	Nessus	Red Hat Local Security Checks	medium

CVE-2017-18270

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins