http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6aeb75e6adfaed16e58780309613a578fe1ee90b

106802

https://bugzilla.suse.com/show_bug.cgi?id=1123706

https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.11.3

https://github.com/torvalds/linux/commit/6aeb75e6adfaed16e58780309613a578fe1ee90b

USN-3933-1

USN-3933-2

The remote OracleVM system is missing necessary patches to address critical security updates :

  - scsi: libfc: sanitize E_D_TOV and R_A_TOV setting     (Hannes Reinecke) [Orabug: 25933179]

  - scsi: libfc: use configured rport E_D_TOV (Hannes     Reinecke) [Orabug: 25933179]

  - scsi: libfc: additional debugging messages (Hannes     Reinecke) [Orabug: 25933179]

  - scsi: libfc: don't advance state machine for incoming     FLOGI (Hannes Reinecke) [Orabug: 25933179]

  - scsi: libfc: Do not login if the port is already started     (Hannes Reinecke) [Orabug: 25933179]

  - scsi: libfc: Do not drop down to FLOGI for     fc_rport_login (Hannes Reinecke) [Orabug: 25933179]

  - scsi: libfc: Do not take rdata->rp_mutex when processing     a -FC_EX_CLOSED ELS response. (Chad Dupuis) [Orabug:
    25933179]

  - scsi: libfc: Fixup disc_mutex handling (Hannes Reinecke)     [Orabug: 25933179]

  - xve: arm ud tx cq to generate completion interrupts     (Ajaykumar Hotchandani) [Orabug: 28267050]

  - net: sched: run ingress qdisc without locks (Alexei     Starovoitov) [Orabug: 29395374]

  - bnxt_en: Fix typo in firmware message timeout logic.
    (Michael Chan) [Orabug: 29412112]

  - bnxt_en: Wait longer for the firmware message response     to complete. (Michael Chan) [Orabug: 29412112]

  - mm,vmscan: Make unregister_shrinker no-op if     register_shrinker failed. (Tetsuo Handa) [Orabug:
    29456281]

  - X.509: Handle midnight alternative notation in     GeneralizedTime (David Howells) [Orabug: 29460344]     (CVE-2015-5327)

  - X.509: Support leap seconds (David Howells) [Orabug:
    29460344] (CVE-2015-5327)

  - X.509: Fix the time validation [ver #2] (David Howells)     [Orabug: 29460344] (CVE-2015-5327) (CVE-2015-5327)

  - be2net: enable new Kconfig items in kernel configs     (Brian Maly) [Orabug: 29475071]

  - benet: remove broken and unused macro (Lubomir Rintel)     [Orabug: 29475071]

  - be2net: don't flip hw_features when VXLANs are     added/deleted (Davide Caratti) [Orabug: 29475071]

  - be2net: Fix memory leak in be_cmd_get_profile_config     (Petr Oros) [Orabug: 29475071]

  - be2net: Use Kconfig flag to support for     enabling/disabling adapters (Petr Oros) [Orabug:
    29475071]

  - be2net: Mark expected switch fall-through (Gustavo A. R.
    Silva) [Orabug: 29475071]

  - be2net: fix spelling mistake 'seqence' -> 'sequence'     (Colin Ian King) [Orabug: 29475071]

  - be2net: Update the driver version to 12.0.0.0 (Suresh     Reddy) [Orabug: 29475071]

  - be2net: gather debug info and reset adapter (only for     Lancer) on a tx-timeout (Suresh Reddy) [Orabug:
    29475071]

  - be2net: move rss_flags field in rss_info to ensure     proper alignment (Ivan Vecera) [Orabug: 29475071]

  - be2net: re-order fields in be_error_recovert to avoid     hole (Ivan Vecera) [Orabug: 29475071]

  - be2net: remove unused tx_jiffies field from be_tx_stats     (Ivan Vecera) [Orabug: 29475071]

  - be2net: move txcp field in be_tx_obj to eliminate holes     in the struct (Ivan Vecera) [Orabug: 29475071]

  - be2net: reorder fields in be_eq_obj structure (Ivan     Vecera) [Orabug: 29475071]

  - be2net: remove unused old custom busy-poll fields (Ivan     Vecera) [Orabug: 29475071]

  - be2net: remove unused old AIC info (Ivan Vecera)     [Orabug: 29475071]

  - be2net: Fix error detection logic for BE3 (Suresh Reddy)     [Orabug: 29475071]

  - scsi: sd: Do not override max_sectors_kb sysfs setting     (Martin K. Petersen) [Orabug: 29596510]

  - USB: serial: io_ti: fix div-by-zero in set_termios     (Johan Hovold) [Orabug: 29487834] (CVE-2017-18360)

  - bnxt_en: Drop oversize TX packets to prevent errors.
    (Michael Chan) [Orabug: 29516462]

  - x86/speculation: Read per-cpu value of     x86_spec_ctrl_priv in x86_virt_spec_ctrl (Alejandro     Jimenez) [Orabug: 29526401]

  - x86/speculation: Keep enhanced IBRS on when prctl is     used for SSBD control (Alejandro Jimenez) [Orabug:
    29526401]

  - USB: hso: Fix OOB memory access in     hso_probe/hso_get_config_data (Hui Peng) [Orabug:
    29605982] (CVE-2018-19985) (CVE-2018-19985)

  - swiotlb: save io_tlb_used to local variable before     leaving critical section (Dongli Zhang) [Orabug:
    29637525]

  - swiotlb: dump used and total slots when swiotlb buffer     is full (Dongli Zhang) [Orabug: 29637525]

  - x86/bugs, kvm: don't miss SSBD when IBRS is in use.
    (Quentin Casasnovas) [Orabug: 29642113]

  - cifs: Fix use after free of a mid_q_entry (Shuning     Zhang) [Orabug: 29654888]

  - binfmt_elf: switch to new creds when switching to new mm     (Linus Torvalds) [Orabug: 29677233] (CVE-2019-11190)

  - x86/microcode: Don't return error if microcode update is     not needed (Boris Ostrovsky) [Orabug: 29759756]

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-4642 advisory.

  - Out-of-bounds memory read in the x509_decode_time function in x509_cert_parser.c in Linux kernels 4.3-rc1     and after. (CVE-2015-5327)

  - In change_port_settings in drivers/usb/serial/io_ti.c in the Linux kernel before 4.11.3, local users could     cause a denial of service by division-by-zero in the serial device layer by trying to set very high baud     rates. (CVE-2017-18360)

  - The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num     from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds     (OOB) read that potentially allows arbitrary read in the kernel address space. (CVE-2018-19985)

  - The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because     install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the     ptrace_may_access() check has a race condition when reading /proc/pid/stat. (CVE-2019-11190)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In the Linux kernel through 4.14.13, the     rds_message_alloc_sgs() function does not validate a     value that is used during DMA page allocation, leading     to a heap-based out-of-bounds write (related to the     rds_rdma_extra_size() function in 'net/rds/rdma.c') and     thus to a system panic. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2018-5332)

  - In the Linux kernel through 4.14.13, the     rds_cmsg_atomic() function in 'net/rds/rdma.c'     mishandles cases where page pinning fails or an invalid     address is supplied by a user. This can lead to a NULL     pointer dereference in rds_atomic_free_op() and thus to     a system panic.(CVE-2018-5333)

  - A flaw was found in the Linux kernel's handling of     loopback devices. An attacker, who has permissions to     setup loopback disks, may create a denial of service or     other unspecified actions.(CVE-2018-5344)

  - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c     in the Linux kernel, through 4.14.15, allows local     users to obtain sensitive address information by     reading dmesg data from an SBS HC printk     call.(CVE-2018-5750)

  - The futex_requeue function in kernel/futex.c in the     Linux kernel, before 4.14.15, might allow attackers to     cause a denial of service (integer overflow) or     possibly have unspecified other impacts by triggering a     negative wake or requeue value. Due to the nature of     the flaw, privilege escalation cannot be fully ruled     out, although we believe it is unlikely.(CVE-2018-6927)

  - Memory leak in the sas_smp_get_phy_events function in     drivers/scsi/libsas/sas_expander.c in the Linux kernel     allows local users to cause a denial of service (kernel     memory exhaustion) via multiple read accesses to files     in the /sys/class/sas_phy directory.(CVE-2018-7757)

  - A an integer overflow vulnerability was discovered in     the Linux kernel, from version 3.4 through 4.15, in the     drivers/gpu/drm/udl/udl_fb.c:udl_fb_mmap() function. An     attacker with access to the udldrmfb driver could     exploit this to obtain full read and write permissions     on kernel physical pages, resulting in a code execution     in kernel space.(CVE-2018-8781)

  - A flaw was found in the way the Linux KVM module     processed the trap flag(TF) bit in EFLAGS during     emulation of the syscall instruction, which leads to a     debug exception(#DB) being raised in the guest stack. A     user/process inside a guest could use this flaw to     potentially escalate their privileges inside the guest.
    Linux guests are not affected by this.(CVE-2017-7518)

  - A division-by-zero in set_termios(), when debugging is     enabled, was found in the Linux kernel. When the     [io_ti] driver is loaded, a local unprivileged attacker     can request incorrect high transfer speed in the     change_port_settings() in the     drivers/usb/serial/io_ti.c so that the divisor value     becomes zero and causes a system crash resulting in a     denial of service.(CVE-2017-18360)

  - It was found that the Linux kernel can hit a BUG_ON()     statement in the __xfs_get_blocks() in the     fs/xfs/xfs_aops.c because of a race condition between     direct and memory-mapped I/O associated with a hole in     a file that is handled with BUG_ON() instead of an I/O     failure. This allows a local unprivileged attacker to     cause a system crash and a denial of     service.(CVE-2016-10741)

  - Since Linux kernel version 3.2, the mremap() syscall     performs TLB flushes after dropping pagetable locks. If     a syscall such as ftruncate() removes entries from the     pagetables of a task that is in the middle of mremap(),     a stale TLB entry can remain for a short time that     permits access to a physical page after it has been     released back to the page allocator and reused. This is     fixed in the following kernel versions: 4.9.135,     4.14.78, 4.18.16, 4.19.(CVE-2018-18281)

  - An issue was discovered in the proc_pid_stack function     in fs/proc/base.c in the Linux kernel. An attacker with     a local account can trick the stack unwinder code to     leak stack contents to userspace. The fix allows only     root to inspect the kernel stack of an arbitrary     task.(CVE-2018-17972)

  - An issue was discovered in can_can_gw_rcv in     net/can/gw.c in the Linux kernel through 4.19.13. The     CAN frame modification rules allow bitwise logical     operations that can be also applied to the can_dlc     field. Because of a missing check, the CAN drivers may     write arbitrary content beyond the data registers in     the CAN controller's I/O memory when processing can-gw     manipulated outgoing frames. This is related to     cgw_csum_xor_rel. An unprivileged user can trigger a     system crash (general protection fault).(CVE-2019-3701)

  - A flaw was found In the Linux kernel, through version     4.19.6, where a local user could exploit a     use-after-free in the ALSA driver by supplying a     malicious USB Sound device (with zero interfaces) that     is mishandled in usb_audio_probe in sound/usb/card.c.
    An attacker could corrupt memory and possibly escalate     privileges if the attacker is able to have physical     access to the system.(CVE-2018-19824)

  - A security flaw was found in the Linux kernel in a way     that the cleancache subsystem clears an inode after the     final file truncation (removal). The new file created     with the same inode may contain leftover pages from     cleancache and the old file data instead of the new     one.(CVE-2018-16862)

  - A use-after-free flaw can occur in the Linux kernel due     to a race condition between packet_do_bind() and     packet_notifier() functions called for an AF_PACKET     socket. An unprivileged, local user could use this flaw     to induce kernel memory corruption on the system,     leading to an unresponsive system or to a crash. Due to     the nature of the flaw, privilege escalation cannot be     fully ruled out.(CVE-2018-18559)

  - A new software page cache side channel attack scenario     was discovered in operating systems that implement the     very common 'page cache' caching mechanism. A malicious     user/process could use 'in memory' page-cache knowledge     to infer access timings to shared memory and gain     knowledge which can be used to reduce effectiveness of     cryptographic strength by monitoring algorithmic     behavior, infer access patterns of memory to determine     code paths taken, and exfiltrate data to a blinded     attacker through page-granularity access times as a     side-channel.(CVE-2019-5489)

  - A flaw was found in mmap in the Linux kernel allowing     the process to map a null page. This allows attackers     to abuse this mechanism to turn null pointer     dereferences into workable exploits.(CVE-2019-9213)

  - A flaw named FragmentSmack was found in the way the     Linux kernel handled reassembly of fragmented IPv4 and     IPv6 packets. A remote attacker could use this flaw to     trigger time and calculation expensive fragment     reassembly algorithm by sending specially crafted     packets which could lead to a CPU saturation and hence     a denial of service on the system.(CVE-2018-5391)

  - An issue was discovered in the Linux kernel through     4.19. An information leak in cdrom_ioctl_select_disc in     drivers/cdrom/cdrom.c could be used by local attackers     to read kernel memory because a cast from unsigned long     to int interferes with bounds checking.(CVE-2018-18710)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - drivers/hid/hid-zpff.c in the Human Interface Device     (HID) subsystem in the Linux kernel through 3.11, when     CONFIG_HID_ZEROPLUS is enabled, allows physically     proximate attackers to cause a denial of service     (heap-based out-of-bounds write) via a crafted     device.(CVE-2013-2889i1/4%0

  - The capabilities implementation in the Linux kernel     before 3.14.8 does not properly consider that     namespaces are inapplicable to inodes, which allows     local users to bypass intended chmod restrictions by     first creating a user namespace, as demonstrated by     setting the setgid bit on a file with group ownership     of root.(CVE-2014-4014i1/4%0

  - The function drivers/usb/core/config.c in the Linux     kernel, allows local users to cause a denial of service     (out-of-bounds read and system crash) or possibly have     unspecified other impact via a crafted USB device,     related to the USB_DT_INTERFACE_ASSOCIATION     descriptor.(CVE-2017-16531i1/4%0

  - The snd_timer_interrupt function in sound/core/timer.c     in the Linux kernel before 4.4.1 does not properly     maintain a certain linked list, which allows local     users to cause a denial of service (race condition and     system crash) via a crafted ioctl     call.(CVE-2016-2545i1/4%0

  - A flaw was found in the Linux kernel where the deletion     of a file or directory could trigger an unmount and     reveal data under a mount point. This flaw was     inadvertently introduced with the new feature of being     able to lazily unmount a mount tree when using file     system user namespaces.(CVE-2015-4176i1/4%0

  - The do_shmat function in ipc/shm.c in the Linux kernel,     through 4.9.12, does not restrict the address     calculated by a certain rounding operation. This allows     privileged local users to map page zero and,     consequently, bypass a protection mechanism that exists     for the mmap system call. This is possible by making     crafted shmget and shmat system calls in a privileged     context.(CVE-2017-5669i1/4%0

  - In drivers/net/ethernet/hisilicon/hns/hns_enet.c in the     Linux kernel, before 4.13, local users can cause a     denial of service (use-after-free and BUG) or possibly     have unspecified other impact by leveraging differences     in skb handling between hns_nic_net_xmit_hw and     hns_nic_net_xmit.(CVE-2017-18218i1/4%0

  - The ioapic_deliver function in virt/kvm/ioapic.c in the     Linux kernel through 3.14.1 does not properly validate     the kvm_irq_delivery_to_apic return value, which allows     guest OS users to cause a denial of service (host OS     crash) via a crafted entry in the redirection table of     an I/O APIC. NOTE: the affected code was moved to the     ioapic_service function before the vulnerability was     announced.(CVE-2014-0155i1/4%0

  - A flaw was found in the way the Linux kernel's Crypto     subsystem handled automatic loading of kernel modules.
    A local user could use this flaw to load any installed     kernel module, and thus increase the attack surface of     the running kernel.(CVE-2013-7421i1/4%0

  - Off-by-one error in the get_prng_bytes function in     crypto/ansi_cprng.c in the Linux kernel through 3.11.4     makes it easier for context-dependent attackers to     defeat cryptographic protection mechanisms via multiple     requests for small amounts of data, leading to improper     management of the state of the consumed     data.(CVE-2013-4345i1/4%0

  - sound/core/timer.c in the Linux kernel before 4.4.1     uses an incorrect type of mutex, which allows local     users to cause a denial of service (race condition,     use-after-free, and system crash) via a crafted ioctl     call.(CVE-2016-2546i1/4%0

  - The do_get_mempolicy function in mm/mempolicy.c in the     Linux kernel before 4.12.9 allows local users to cause     a denial of service (use-after-free) or possibly have     unspecified other impact via crafted system     calls.(CVE-2018-10675i1/4%0

  - A certain backport in the TCP Fast Open implementation     for the Linux kernel before 3.18 does not properly     maintain a count value, which allow local users to     cause a denial of service (system crash) via the Fast     Open feature, as demonstrated by visiting the     chrome://flags/#enable-tcp-fast-open URL when using     certain 3.10.x through 3.16.x kernel builds, including     longterm-maintenance releases and ckt (aka Canonical     Kernel Team) builds.(CVE-2015-3332i1/4%0

  - It was found that the try_to_unmap_cluster() function     in the Linux kernel's Memory Managment subsystem did     not properly handle page locking in certain cases,     which could potentially trigger the BUG_ON() macro in     the mlock_vma_page() function. A local, unprivileged     user could use this flaw to crash the     system.(CVE-2014-3122i1/4%0

  - The blkcg_init_queue function in block/blk-cgroup.c in     the Linux kernel, before 4.11, allows local users to     cause a denial of service (double free) or possibly     have unspecified other impact by triggering a creation     failure.(CVE-2018-7480i1/4%0

  - The create_fixed_stream_quirk function in     sound/usb/quirks.c in the snd-usb-audio driver in the     Linux kernel before 4.5.1 allows physically proximate     attackers to cause a denial of service (NULL pointer     dereference or double free, and system crash) via a     crafted endpoints value in a USB device     descriptor.(CVE-2016-2184i1/4%0

  - The etm_setup_aux function in     drivers/hwtracing/coresight/coresight-etm-perf.c in the     Linux kernel before 4.10.2 allows attackers to cause a     denial of service (panic) because a parameter is     incorrectly used as a local variable.(CVE-2018-11232i1/4%0

  - A division-by-zero in set_termios(), when debugging is     enabled, was found in the Linux kernel. When the     [io_ti] driver is loaded, a local unprivileged attacker     can request incorrect high transfer speed in the     change_port_settings() in the     drivers/usb/serial/io_ti.c so that the divisor value     becomes zero and causes a system crash resulting in a     denial of service.(CVE-2017-18360i1/4%0

  - A flaw was found where the XFS filesystem code     mishandles a user-settable inode flag in the Linux     kernel prior to 4.14-rc1. This can cause a local denial     of service via a kernel panic.(CVE-2017-14340i1/4%0

  - An issue was discovered in the Linux kernel through     4.19. An information leak in cdrom_ioctl_select_disc in     drivers/cdrom/cdrom.c could be used by local attackers     to read kernel memory because a cast from unsigned long     to int interferes with bounds     checking.(CVE-2018-18710i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A division-by-zero in set_termios(), when debugging is     enabled, was found in the Linux kernel. When the     [io_ti] driver is loaded, a local unprivileged attacker     can request incorrect high transfer speed in the     change_port_settings() in the     drivers/usb/serial/io_ti.c so that the divisor value     becomes zero and causes a system crash resulting in a     denial of service.i1/4^CVE-2017-18360i1/4%0

  - A flaw was found In the Linux kernel, through version     4.19.6, where a local user could exploit a     use-after-free in the ALSA driver by supplying a     malicious USB Sound device (with zero interfaces) that     is mishandled in usb_audio_probe in sound/usb/card.c.
    An attacker could corrupt memory and possibly escalate     privileges if the attacker is able to have physical     access to the system.i1/4^CVE-2018-19824i1/4%0

  - Since Linux kernel version 3.2, the mremap() syscall     performs TLB flushes after dropping pagetable locks. If     a syscall such as ftruncate() removes entries from the     pagetables of a task that is in the middle of mremap(),     a stale TLB entry can remain for a short time that     permits access to a physical page after it has been     released back to the page allocator and     reused.i1/4^CVE-2018-18281i1/4%0

  - A use-after-free flaw can occur in the Linux kernel due     to a race condition between packet_do_bind() and     packet_notifier() functions called for an AF_PACKET     socket. An unprivileged, local user could use this flaw     to induce kernel memory corruption on the system,     leading to an unresponsive system or to a crash. Due to     the nature of the flaw, privilege escalation cannot be     fully ruled out.i1/4^CVE-2018-18559i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found In the Linux kernel, through version     4.19.6, where a local user could exploit a     use-after-free in the ALSA driver by supplying a     malicious USB Sound device (with zero interfaces) that     is mishandled in usb_audio_probe in sound/usb/card.c.
    An attacker could corrupt memory and possibly escalate     privileges if the attacker is able to have physical     access to the system.i1/4^CVE-2018-19824i1/4%0

  - It was found that the Linux kernel can hit a BUG_ON()     statement in the __xfs_get_blocks() in the     fs/xfs/xfs_aops.c because of a race condition between     direct and memory-mapped I/O associated with a hole in     a file that is handled with BUG_ON() instead of an I/O     failure. This allows a local unprivileged attacker to     cause a system crash and a denial of     service.i1/4^CVE-2016-10741i1/4%0

  - A division-by-zero in set_termios(), when debugging is     enabled, was found in the Linux kernel. When the     [io_ti] driver is loaded, a local unprivileged attacker     can request incorrect high transfer speed in the     change_port_settings() in the     drivers/usb/serial/io_ti.c so that the divisor value     becomes zero and causes a system crash resulting in a     denial of service.i1/4^CVE-2017-18360i1/4%0

  - Since Linux kernel version 3.2, the mremap() syscall     performs TLB flushes after dropping pagetable locks. If     a syscall such as ftruncate() removes entries from the     pagetables of a task that is in the middle of mremap(),     a stale TLB entry can remain for a short time that     permits access to a physical page after it has been     released back to the page allocator and     reused.i1/4^CVE-2018-18281i1/4%0

  - A use-after-free flaw can occur in the Linux kernel due     to a race condition between packet_do_bind() and     packet_notifier() functions called for an AF_PACKET     socket. An unprivileged, local user could use this flaw     to induce kernel memory corruption on the system,     leading to an unresponsive system or to a crash. Due to     the nature of the flaw, privilege escalation cannot be     fully ruled out.i1/4^CVE-2018-18559i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that an information leak vulnerability existed in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could possibly expose sensitive information (kernel memory). (CVE-2017-1000410)

It was discovered that the USB serial device driver in the Linux kernel did not properly validate baud rate settings when debugging is enabled. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18360)

Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19824)

Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel.
An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460)

Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974)

Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM).
(CVE-2019-7222)

Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A division-by-zero in set_termios(), when debugging is     enabled, was found in the Linux kernel. When the     [io_ti] driver is loaded, a local unprivileged attacker     can request incorrect high transfer speed in the     change_port_settings() in the     drivers/usb/serial/io_ti.c so that the divisor value     becomes zero and causes a system crash resulting in a     denial of service. (CVE-2017-18360)

  - Since Linux kernel version 3.2, the mremap() syscall     performs TLB flushes after dropping pagetable locks. If     a syscall such as ftruncate() removes entries from the     pagetables of a task that is in the middle of mremap(),     a stale TLB entry can remain for a short time that     permits access to a physical page after it has been     released back to the page allocator and     reused.(CVE-2018-18281)

  - A flaw was discovered in the Linux kernel's USB     subsystem in the __usb_get_extra_descriptor() function     in the drivers/usb/core/usb.c which mishandles a size     check during the reading of an extra descriptor data.
    By using a specially crafted USB device which sends a     forged extra descriptor, an unprivileged user with     physical access to the system can potentially cause a     privilege escalation or trigger a system crash or lock     up and thus to cause a denial of service     (DoS).(CVE-2018-20169)

  - It was found that the Linux kernel can hit a BUG_ON()     statement in the __xfs_get_blocks() in the     fs/xfs/xfs_aops.c because of a race condition between     direct and memory-mapped I/O associated with a hole in     a file that is handled with BUG_ON() instead of an I/O     failure. This allows a local unprivileged attacker to     cause a system crash and a denial of     service.(CVE-2016-10741)

  - A use-after-free flaw can occur in the Linux kernel due     to a race condition between packet_do_bind() and     packet_notifier() functions called for an AF_PACKET     socket. An unprivileged, local user could use this flaw     to induce kernel memory corruption on the system,     leading to an unresponsive system or to a crash. Due to     the nature of the flaw, privilege escalation cannot be     fully ruled out. (CVE-2018-18559)

  - An issue was discovered in can_can_gw_rcv in     net/can/gw.c in the Linux kernel through 4.19.13. The     CAN frame modification rules allow bitwise logical     operations that can be also applied to the can_dlc     field. Because of a missing check, the CAN drivers may     write arbitrary content beyond the data registers in     the CAN controller's I/O memory when processing can-gw     manipulated outgoing frames. This is related to     cgw_csum_xor_rel. An unprivileged user can trigger a     system crash (general protection fault).(CVE-2019-3701)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause a use-after-free in     ext4_xattr_set_entry function and a denial of service     or unspecified other impact may occur by renaming a     file in a crafted ext4 filesystem     image.(CVE-2018-10879)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bound write in     jbd2_journal_dirty_metadata(), a denial of service, and     a system crash by mounting and operating on a crafted     ext4 filesystem image.(CVE-2018-10883)

  - It was found that the raw midi kernel driver does not     protect against concurrent access which leads to a     double realloc (double free) in     snd_rawmidi_input_params() and     snd_rawmidi_output_status() which are part of     snd_rawmidi_ioctl() handler in rawmidi.c file. A     malicious local attacker could possibly use this for     privilege escalation.(CVE-2018-10902)

  - The Linux kernel is vulnerable to a NULL pointer     dereference in the ext4/xattr.c:ext4_xattr_inode_hash()     function. An attacker could trick a legitimate user or     a privileged attacker could exploit this to cause a     NULL pointer dereference with a crafted ext4 image.
    (CVE-2018-1094)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was discovered in the Linux kernel's USB     subsystem in the __usb_get_extra_descriptor() function     in the drivers/usb/core/usb.c which mishandles a size     check during the reading of an extra descriptor data.
    By using a specially crafted USB device which sends a     forged extra descriptor, an unprivileged user with     physical access to the system can potentially cause a     privilege escalation or trigger a system crash or lock     up and thus to cause a denial of service     (DoS).(CVE-2018-20169)

  - Since Linux kernel version 3.2, the mremap() syscall     performs TLB flushes after dropping pagetable locks. If     a syscall such as ftruncate() removes entries from the     pagetables of a task that is in the middle of mremap(),     a stale TLB entry can remain for a short time that     permits access to a physical page after it has been     released back to the page allocator and     reused.(CVE-2018-18281)

  - A division-by-zero in set_termios(), when debugging is     enabled, was found in the Linux kernel. When the     [io_ti] driver is loaded, a local unprivileged attacker     can request incorrect high transfer speed in the     change_port_settings() in the     drivers/usb/serial/io_ti.c so that the divisor value     becomes zero and causes a system crash resulting in a     denial of service. (CVE-2017-18360)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bound access in     ext4_get_group_info function, a denial of service, and     a system crash by mounting and operating on a crafted     ext4 filesystem image.(CVE-2018-10881)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bounds write and a     denial of service or unspecified other impact is     possible by mounting and operating a crafted ext4     filesystem image.(CVE-2018-10878)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2016-10741: fs/xfs/xfs_aops.c allowed local users to cause a denial of service (system crash) because there is a race condition between direct and memory-mapped I/O (associated with a hole) that is handled with BUG_ON instead of an I/O failure (bnc#1114920 bnc#1124010).

CVE-2017-18360: In change_port_settings in drivers/usb/serial/io_ti.c local users could cause a denial of service by division-by-zero in the serial device layer by trying to set very high baud rates (bnc#1123706).

CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bnc#1118319).

CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841).

CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).

CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743).

CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714).

CVE-2019-7222: A information leak in exception handling in KVM could be used to expose host memory to guests. (bnc#1124735).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A security flaw was found in the ip_frag_reasm()     function in net/ipv4/ip_fragment.c in the Linux kernel     which can cause a later system crash in     ip_do_fragment(). With certain non-default, but     non-rare, configuration of a victim host, an attacker     can trigger this crash remotely, thus leading to a     remote denial of service.(CVE-2018-14641)

  - A flaw named FragmentSmack was found in the way the     Linux kernel handled reassembly of fragmented IPv4 and     IPv6 packets. A remote attacker could use this flaw to     trigger time and calculation expensive fragment     reassembly algorithm by sending specially crafted     packets which could lead to a CPU saturation and hence     a denial of service on the system.(CVE-2018-5391)

  - The resv_map_release function in mm/hugetlb.c in the     Linux kernel, through 4.15.7, allows local users to     cause a denial of service (BUG) via a crafted     application that makes mmap system calls and has a     large pgoff argument to the remap_file_pages system     call. (CVE-2018-7740)

  - A use-after-free vulnerability was found in the way the     Linux kernel's KVM hypervisor emulates a preemption     timer for L2 guests when nested (=1) virtualization is     enabled. This high resolution timer(hrtimer) runs when     a L2 guest is active. After VM exit, the sync_vmcs12()     timer object is stopped. The use-after-free occurs if     the timer object is freed before calling sync_vmcs12()     routine. A guest user/process could use this flaw to     crash the host kernel resulting in a denial of service     or, potentially, gain privileged access to a system.
    (CVE-2019-7221)

  - An information leakage issue was found in the way Linux     kernel's KVM hypervisor handled page fault exceptions     while emulating instructions like VMXON, VMCLEAR,     VMPTRLD, and VMWRITE with memory address as an operand.
    It occurs if the operand is a mmio address, as the     returned exception object holds uninitialized stack     memory contents. A guest user/process could use this     flaw to leak host's stack memory contents to a guest.
    (CVE-2019-7222)

  - The xfs_dinode_verify function in     fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel can     cause a NULL pointer dereference in     xfs_ilock_attr_map_shared function. An attacker could     trick a legitimate user or a privileged attacker could     exploit this by mounting a crafted xfs filesystem image     to cause a kernel panic and thus a denial of service.
    (CVE-2018-10322)

  - The Linux kernel is vulnerable to a NULL pointer     dereference in the     ext4/mballoc.c:ext4_process_freed_data() function. An     attacker could trick a legitimate user or a privileged     attacker could exploit this by mounting a crafted ext4     image to cause a kernel panic.(CVE-2018-1092)

  - The Linux kernel is vulnerable to a NULL pointer     dereference in the ext4/xattr.c:ext4_xattr_inode_hash()     function. An attacker could trick a legitimate user or     a privileged attacker could exploit this to cause a     NULL pointer dereference with a crafted ext4 image.
    (CVE-2018-1094)

  - An issue was discovered in the XFS filesystem in     fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A     NULL pointer dereference may occur for a corrupted xfs     image after xfs_da_shrink_inode() is called with a NULL     bp. This can lead to a system crash and a denial of     service. (CVE-2018-13094)

  - A flaw was found in the Linux kernel with files on     tmpfs and hugetlbfs. An attacker is able to bypass file     permissions on filesystems mounted with tmpfs/hugetlbs     to modify a file and possibly disrupt normal system     behavior. At this time there is an understanding there     is no crash or privilege escalation but the impact of     modifications on these filesystems of files in     production systems may have adverse affects.
    (CVE-2018-18397)

  - A use-after-free flaw can occur in the Linux kernel due     to a race condition between packet_do_bind() and     packet_notifier() functions called for an AF_PACKET     socket. An unprivileged, local user could use this flaw     to induce kernel memory corruption on the system,     leading to an unresponsive system or to a crash. Due to     the nature of the flaw, privilege escalation cannot be     fully ruled out. (CVE-2018-18559)

  - A flaw was found In the Linux kernel, through version     4.19.6, where a local user could exploit a     use-after-free in the ALSA driver by supplying a     malicious USB Sound device (with zero interfaces) that     is mishandled in usb_audio_probe in sound/usb/card.c.
    An attacker could corrupt memory and possibly escalate     privileges if the attacker is able to have physical     access to the system.(CVE-2018-19824)

  - An issue was discovered in the Linux kernel before     4.18.11. The ipddp_ioctl function in     drivers/net/appletalk/ipddp.c allows local users to     obtain sensitive kernel address information by     leveraging CAP_NET_ADMIN to read the ipddp_route dev     and next fields via an SIOCFINDIPDDPRT ioctl call.
    (CVE-2018-20511)

  - A use-after-free vulnerability was found in the way the     Linux kernel's KVM hypervisor implements its device     control API. While creating a device via     kvm_ioctl_create_device(), the device holds a reference     to a VM object, later this reference is transferred to     the caller's file descriptor table. If such file     descriptor was to be closed, reference count to the VM     object could become zero, potentially leading to a     use-after-free issue. A user/process could use this     flaw to crash the guest VM resulting in a denial of     service issue or, potentially, gain privileged access     to a system. (CVE-2019-6974)

  - Since Linux kernel version 3.2, the mremap() syscall     performs TLB flushes after dropping pagetable locks. If     a syscall such as ftruncate() removes entries from the     pagetables of a task that is in the middle of mremap(),     a stale TLB entry can remain for a short time that     permits access to a physical page after it has been     released back to the page allocator and     reused.(CVE-2018-18281)

  - A division-by-zero in set_termios(), when debugging is     enabled, was found in the Linux kernel. When the     [io_ti] driver is loaded, a local unprivileged attacker     can request incorrect high transfer speed in the     change_port_settings() in the     drivers/usb/serial/io_ti.c so that the divisor value     becomes zero and causes a system crash resulting in a     denial of service. (CVE-2017-18360)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391)

* kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344)

* kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781)

* kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902)

* kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405)

* kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830)

* kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861)

* kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661)

* kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805)

* kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208)

* kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120)

* kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130)

* kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344)

* kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803)

* kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848)

* kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878)

* kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026)

* kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913)

* kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232)

* kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092)

* kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094)

* kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118)

* kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740)

* kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757)

* kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322)

* kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879)

* kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881)

* kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883)

* kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940)

Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120;
Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2018-3083 advisory.

  - The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM     (aka alternate name) entries containing \0 characters, which allows local users to obtain sensitive     information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem.
    (CVE-2016-4913)

  - Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or     cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations     that leverage improper might_cancel queueing. (CVE-2017-10661)

  - Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows     attackers to gain privileges via unspecified vectors. (CVE-2017-0861)

  - Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local     users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE:
    this vulnerability exists because of a CVE-2012-6701 regression. (CVE-2015-8830)

  - In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the
    _sctp_make_chunk() function (net/sctp/sm_make_chunk.c) when handling SCTP packets length can be     exploited to cause a kernel crash. (CVE-2018-5803)

  - Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in dccp_write_xmit()     function in net/dccp/output.c in that allows a local user to cause a denial of service by a number of     certain crafted system calls. (CVE-2018-1130)

  - The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c at the Linux kernel version 3.4 and up to and     including 4.15 has an integer-overflow vulnerability allowing local users with access to the udldrmfb     driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution     in kernel space. (CVE-2018-8781)

  - The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8     doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the     show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read     arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).
    (CVE-2017-18344)

  - The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially     modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by     sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered     and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel     with the increase of the IP fragment reassembly queue size. (CVE-2018-5391)

  - The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create     files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and     is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a     plain file whose group ownership is that group. The intended behavior was that the non-member can trigger     creation of a directory (but not a plain file) whose group ownership is that group. The non-member can     escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)

  - The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length     inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface     (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel     crash) or have unspecified other impact by executing a crafted sequence of system calls that use the     blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation     (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable. (CVE-2017-17805)

  - The madvise_willneed function in mm/madvise.c in the Linux kernel before 4.14.4 allows local users to     cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping.
    (CVE-2017-18208)

  - The Serial Attached SCSI (SAS) implementation in the Linux kernel through 4.15.9 mishandles a mutex within     libsas, which allows local users to cause a denial of service (deadlock) by triggering certain error-     handling code. (CVE-2017-18232)

  - The ext4_iget function in fs/ext4/inode.c in the Linux kernel through 4.15.15 mishandles the case of a     root directory with a zero i_links_count, which allows attackers to cause a denial of service     (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image. (CVE-2018-1092)

  - In the function wmi_set_ie(), the length validation code does not handle unsigned integer overflow     properly. As a result, a large value of the 'ie_len' argument can cause a buffer overflow in all Android     releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel.
    (CVE-2018-5848)

  - Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux     kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read     accesses to files in the /sys/class/sas_phy directory, as demonstrated by the     /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file. (CVE-2018-7757)

  - The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows     local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a     crafted xfs image. (CVE-2018-10322)

  - A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write and     a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4     filesystem image. (CVE-2018-10878)

  - The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.15.15 does not always     initialize the crc32c checksum driver, which allows attackers to cause a denial of service     (ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted ext4 image.
    (CVE-2018-1094)

  - Linux kernel vhost since version 4.8 does not properly initialize memory in messages passed between     virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This can allow     local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device     file. (CVE-2018-1118)

  - A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a     process's memory containing command line arguments (or environment strings), an attacker can cause     utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the     /proc//cmdline (or /proc//environ) files to block indefinitely (denial of service) or for some     controlled time (as a synchronization primitive for other attacks). (CVE-2018-1120)

  - In the Linux kernel through 4.14.13, drivers/block/loop.c mishandles lo_release serialization, which     allows attackers to cause a denial of service (__lock_acquire use-after-free) or possibly have unspecified     other impact. (CVE-2018-5344)

  - The resv_map_release function in mm/hugetlb.c in the Linux kernel through 4.15.7 allows local users to     cause a denial of service (BUG) via a crafted application that makes mmap system calls and has a large     pgoff argument to the remap_file_pages system call. (CVE-2018-7740)

  - A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause a use-after-free in     ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a     file in a crafted ext4 filesystem image. (CVE-2018-10879)

  - A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound access in     ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a     crafted ext4 filesystem image. (CVE-2018-10881)

  - A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write in     jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a     crafted ext4 filesystem image. (CVE-2018-10883)

  - It was found that the raw midi kernel driver does not protect against concurrent access which leads to a     double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part     of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for     privilege escalation. (CVE-2018-10902)

  - The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6 allows     local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out     kernel memory. (CVE-2018-10940)

  - Linux Linux kernel version at least v4.8 onwards, probably well before contains a Insufficient input     validation vulnerability in bnx2x network card driver that can result in DoS: Network card firmware     assertion takes card off-line. This attack appear to be exploitable via An attacker on a must pass a very     large, specially crafted packet to the bnx2x card. This can be done from an untrusted guest VM..
    (CVE-2018-1000026)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391)

* kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344)

* kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781)

* kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902)

* kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405)

* kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830)

* kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861)

* kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661)

* kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805)

* kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208)

* kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120)

* kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130)

* kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344)

* kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803)

* kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848)

* kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878)

* kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026)

* kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913)

* kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232)

* kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092)

* kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094)

* kernel: vhost: Information disclosure in vhost.c:vhost_new_msg() (CVE-2018-1118)

* kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740)

* kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757)

* kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322)

* kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879)

* kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881)

* kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883)

* kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940)

Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120;
Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.

ID	Name	Product	Family	Severity
125615	OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0022)	Nessus	OracleVM Local Security Checks	medium
125235	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4642)	Nessus	Oracle Linux Local Security Checks	medium
124834	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1512)	Nessus	Huawei Local Security Checks	high
124795	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1471)	Nessus	Huawei Local Security Checks	high
123721	EulerOS Virtualization 2.5.4 : kernel (EulerOS-SA-2019-1253)	Nessus	Huawei Local Security Checks	high
123712	EulerOS Virtualization 2.5.3 : kernel (EulerOS-SA-2019-1244)	Nessus	Huawei Local Security Checks	high
123682	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3933-1)	Nessus	Ubuntu Local Security Checks	high
123605	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-1131)	Nessus	Huawei Local Security Checks	medium
123121	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-1108)	Nessus	Huawei Local Security Checks	medium
122891	SUSE SLES11 Security Update : kernel (SUSE-SU-2019:13979-1)	Nessus	SuSE Local Security Checks	high
122699	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-1076)	Nessus	Huawei Local Security Checks	high
118990	CentOS 7 : kernel (CESA-2018:3083)	Nessus	CentOS Local Security Checks	high
118770	Oracle Linux 7 : kernel (ELSA-2018-3083)	Nessus	Oracle Linux Local Security Checks	high
118528	RHEL 7 : kernel-rt (RHSA-2018:3096)	Nessus	Red Hat Local Security Checks	high
118525	RHEL 7 : kernel (RHSA-2018:3083)	Nessus	Red Hat Local Security Checks	high

CVE-2017-18360

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

medium

medium

high

high

high

high

high

medium

medium

high

high

high

high

high

high