http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c9f838d104fed6f2f61d68164712e3204bf5271b

SUSE-SU-2018:0011

http://openwall.com/lists/oss-security/2017/05/11/1

98422

1038471

RHSA-2018:0151

RHSA-2018:0152

RHSA-2018:0181

https://bugzilla.novell.com/show_bug.cgi?id=1034862

https://bugzilla.redhat.com/show_bug.cgi?id=1442086

https://github.com/torvalds/linux/commit/c9f838d104fed6f2f61d68164712e3204bf5271b

https://lkml.org/lkml/2017/4/1/235

https://lkml.org/lkml/2017/4/3/724

42136

https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.10.13

An update for kernel-rt is now available for Red Hat Enterprise MRG 2.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* A flaw was found in the Linux kernel's key management system where it was possible for an attacker to escalate privileges or crash the machine. If a user key gets negatively instantiated, an error code is cached in the payload area. A negatively instantiated key may be then be positively instantiated by updating it with valid data. However, the ->update key type method must be aware that the error code may be there. (CVE-2015-8539, Important)

* It was found that fanout_add() in 'net/packet/af_packet.c' in the Linux kernel, before version 4.13.6, allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free bug.
(CVE-2017-15649, Important)

* A vulnerability was found in the Linux kernel where the keyctl_set_reqkey_keyring() function leaks the thread keyring. This allows an unprivileged local user to exhaust kernel memory and thus cause a DoS. (CVE-2017-7472, Moderate)

Red Hat would like to thank Dmitry Vyukov of Google engineering for reporting CVE-2015-8539.

Bug Fix(es) :

* The mlx5 driver has a number of configuration options, including the selective support for network protocols, such as InfiniBand and Ethernet. Due to a regression in the configuration of the MRG-RT kernel, the Ethernet mode of the driver was turned off. The regression has been resolved by enabling the mlx5 Ethernet mode, making the Ethernet protocol to work again. (BZ#1422778)

* The migrate_disable/enable() kernel operations are used to pin a thread to a CPU temporarily. This method is a kernel-rt specific. To keep RHEL-RT's kernel up-to-date with the latest real-time kernel, the migrate_disable/ enable routine was updated to the version present on kernel v4.9-rt. However, this version showed to be problematic. The changes in the migrate_disable/enabled have been thus reverted to a stable version, avoiding the kernel BUG. (BZ#1507831)

* The kernel-rt packages have been upgraded to version 3.10.0-693.15.1.rt56.601, which provides a number of security and bug fixes over the previous version. (BZ#1519504)

From Red Hat Security Advisory 2018:0151 :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited.

Note: This issue is present in hardware and cannot be fully fixed via software update. The updated kernel packages provide software mitigation for this hardware issue at a cost of potential performance penalty. Please refer to References section for further information about this issue and the performance impact.

In this update initial mitigations for IBM Power (PowerPC) and IBM zSeries (S390) architectures are provided.

* Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks. This fix specifically addresses S390 processors. (CVE-2017-5715, Important)

* Variant CVE-2017-5753 triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks. This fix specifically addresses S390 and PowerPC processors. (CVE-2017-5753, Important)

* Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. Note: CVE-2017-5754 affects Intel x86-64 microprocessors. AMD x86-64 microprocessors are not affected by this issue. This fix specifically addresses PowerPC processors.
(CVE-2017-5754, Important)

Red Hat would like to thank Google Project Zero for reporting CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754.

This update also fixes the following security issues and bugs :

Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article:
https://access.redhat.com/articles/ 3327131.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited.

Note: This issue is present in hardware and cannot be fully fixed via software update. The updated kernel packages provide software mitigation for this hardware issue at a cost of potential performance penalty. Please refer to References section for further information about this issue and the performance impact.

In this update initial mitigations for IBM Power (PowerPC) and IBM zSeries (S390) architectures are provided.

* Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks. This fix specifically addresses S390 processors. (CVE-2017-5715, Important)

* Variant CVE-2017-5753 triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks. This fix specifically addresses S390 and PowerPC processors. (CVE-2017-5753, Important)

* Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. Note: CVE-2017-5754 affects Intel x86-64 microprocessors. AMD x86-64 microprocessors are not affected by this issue. This fix specifically addresses PowerPC processors.
(CVE-2017-5754, Important)

Red Hat would like to thank Google Project Zero for reporting CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754.

This update also fixes the following security issues and bugs :

Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article:
https://access.redhat.com/articles/ 3327131.

Security Fix(es) :

An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited.

Note: This issue is present in hardware and cannot be fully fixed via software update. The updated kernel packages provide software mitigation for this hardware issue at a cost of potential performance penalty.

* Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks. This fix specifically addresses S390 processors. (CVE-2017-5715, Important)

* Variant CVE-2017-5753 triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks. This fix specifically addresses S390 and PowerPC processors. (CVE-2017-5753, Important)

* Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. Note: CVE-2017-5754 affects Intel x86-64 microprocessors. AMD x86-64 microprocessors are not affected by this issue. This fix specifically addresses PowerPC processors.
(CVE-2017-5754, Important)

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* A flaw was found in the Linux kernel's key management system where it was possible for an attacker to escalate privileges or crash the machine. If a user key gets negatively instantiated, an error code is cached in the payload area. A negatively instantiated key may be then be positively instantiated by updating it with valid data. However, the ->update key type method must be aware that the error code may be there. (CVE-2015-8539, Important)

* It was found that fanout_add() in 'net/packet/af_packet.c' in the Linux kernel, before version 4.13.6, allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free bug.
(CVE-2017-15649, Important)

* A vulnerability was found in the Linux kernel where the keyctl_set_reqkey_keyring() function leaks the thread keyring. This allows an unprivileged local user to exhaust kernel memory and thus cause a DoS. (CVE-2017-7472, Moderate)

Red Hat would like to thank Dmitry Vyukov of Google engineering for reporting CVE-2015-8539.

Bug Fix(es) :

* The kernel-rt packages have been upgraded to 3.10.0-693.15.1 source tree, which provides a number of bug fixes over the previous version.
(BZ# 1519506)

The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. This update adds mitigations for various side channel attacks against modern CPUs that could disclose content of otherwise unreadable memory (bnc#1068032).

  - CVE-2017-5753: Local attackers on systems with modern     CPUs featuring deep instruction pipelining could use     attacker controllable speculative execution over code     patterns in the Linux Kernel to leak content from     otherwise not readable memory in the same address space,     allowing retrieval of passwords, cryptographic keys and     other secrets. This problem is mitigated by adding     speculative fencing on affected code paths throughout     the Linux kernel.

  - CVE-2017-5715: Local attackers on systems with modern     CPUs featuring branch prediction could use mispredicted     branches to speculatively execute code patterns that in     turn could be made to leak other non-readable content in     the same address space, an attack similar to     CVE-2017-5753. This problem is mitigated by disabling     predictive branches, depending on CPU architecture     either by firmware updates and/or fixes in the     user-kernel privilege boundaries. Please contact your     CPU / hardware vendor for potential microcode or BIOS     updates needed for this fix. As this feature can have a     performance impact, it can be disabled using the     'nospec' kernel commandline option.

  - CVE-2017-5754: Local attackers on systems with modern     CPUs featuring deep instruction pipelining could use     code patterns in userspace to speculative executive code     that would read otherwise read protected memory, an     attack similar to CVE-2017-5753. This problem is     mitigated by unmapping the Linux Kernel from the user     address space during user code execution, following a     approach called 'KAISER'. The terms used here are     'KAISER' / 'Kernel Address Isolation' and 'PTI' / 'Page     Table Isolation'. This feature is disabled on unaffected     architectures. This feature can be enabled / disabled by     the 'pti=[on|off|auto]' or 'nopti' commandline options.
    The following security bugs were fixed :

  - CVE-2017-1000251: The native Bluetooth stack in the     Linux Kernel (BlueZ) was vulnerable to a stack overflow     vulnerability in the processing of L2CAP configuration     responses resulting in Remote code execution in kernel     space (bnc#1057389).

  - CVE-2017-11600: net/xfrm/xfrm_policy.c in the Linux     kernel did not ensure that the dir value of     xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which     allowed local users to cause a denial of service     (out-of-bounds access) or possibly have unspecified     other impact via an XFRM_MSG_MIGRATE xfrm Netlink     message (bnc#1050231).

  - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2)     allowed reinstallation of the Group Temporal Key (GTK)     during the group key handshake, allowing an attacker     within radio range to replay frames from access points     to clients (bnc#1063667).

  - CVE-2017-13167: An elevation of privilege vulnerability     in the kernel sound timer was fixed. (bnc#1072876).

  - CVE-2017-14106: The tcp_disconnect function in     net/ipv4/tcp.c in the Linux kernel allowed local users     to cause a denial of service (__tcp_select_window     divide-by-zero error and system crash) by triggering a     disconnect within a certain tcp_recvmsg code path     (bnc#1056982).

  - CVE-2017-14140: The move_pages system call in     mm/migrate.c in the Linux kernel didn't check the     effective uid of the target process, enabling a local     attacker to learn the memory layout of a setuid     executable despite ASLR (bnc#1057179).

  - CVE-2017-14340: The XFS_IS_REALTIME_INODE macro in     fs/xfs/xfs_linux.h in the Linux kernel did not verify     that a filesystem has a realtime device, which allowed     local users to cause a denial of service (NULL pointer     dereference and OOPS) via vectors related to setting an     RHINHERIT flag on a directory (bnc#1058524).

  - CVE-2017-15102: The tower_probe function in     drivers/usb/misc/legousbtower.c in the Linux kernel     allowed local users (who are physically proximate for     inserting a crafted USB device) to gain privileges by     leveraging a write-what-where condition that occurs     after a race condition and a NULL pointer dereference     (bnc#1066705).

  - CVE-2017-15115: The sctp_do_peeloff function in     net/sctp/socket.c in the Linux kernel did not check     whether the intended netns is used in a peel-off action,     which allowed local users to cause a denial of service     (use-after-free and system crash) or possibly have     unspecified other impact via crafted system calls     (bnc#1068671).

  - CVE-2017-15265: Race condition in the ALSA subsystem in     the Linux kernel allowed local users to cause a denial     of service (use-after-free) or possibly have unspecified     other impact via crafted /dev/snd/seq ioctl calls,     related to sound/core/seq/seq_clientmgr.c and     sound/core/seq/seq_ports.c (bnc#1062520).

  - CVE-2017-15274: security/keys/keyctl.c in the Linux     kernel did not consider the case of a NULL payload in     conjunction with a nonzero length value, which allowed     local users to cause a denial of service (NULL pointer     dereference and OOPS) via a crafted add_key or keyctl     system call, a different vulnerability than     CVE-2017-12192 (bnc#1045327).

  - CVE-2017-15868: The bnep_add_connection function in     net/bluetooth/bnep/core.c in the Linux kernel did not     ensure that an l2cap socket is available, which allowed     local users to gain privileges via a crafted application     (bnc#1071470).

  - CVE-2017-16525: The usb_serial_console_disconnect     function in drivers/usb/serial/console.c in the Linux     kernel allowed local users to cause a denial of service     (use-after-free and system crash) or possibly have     unspecified other impact via a crafted USB device,     related to disconnection and failed setup (bnc#1066618).

  - CVE-2017-16527: sound/usb/mixer.c in the Linux kernel     allowed local users to cause a denial of service     (snd_usb_mixer_interrupt use-after-free and system     crash) or possibly have unspecified other impact via a     crafted USB device (bnc#1066625).

  - CVE-2017-16529: The snd_usb_create_streams function in     sound/usb/card.c in the Linux kernel allowed local users     to cause a denial of service (out-of-bounds read and     system crash) or possibly have unspecified other impact     via a crafted USB device (bnc#1066650).

  - CVE-2017-16531: drivers/usb/core/config.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds read and system crash) or possibly have     unspecified other impact via a crafted USB device,     related to the USB_DT_INTERFACE_ASSOCIATION descriptor     (bnc#1066671).

  - CVE-2017-16534: The cdc_parse_cdc_header function in     drivers/usb/core/message.c in the Linux kernel allowed     local users to cause a denial of service (out-of-bounds     read and system crash) or possibly have unspecified     other impact via a crafted USB device (bnc#1066693).

  - CVE-2017-16535: The usb_get_bos_descriptor function in     drivers/usb/core/config.c in the Linux kernel allowed     local users to cause a denial of service (out-of-bounds     read and system crash) or possibly have unspecified     other impact via a crafted USB device (bnc#1066700).

  - CVE-2017-16536: The cx231xx_usb_probe function in     drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux     kernel allowed local users to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact via a crafted USB device     (bnc#1066606).

  - CVE-2017-16537: The imon_probe function in     drivers/media/rc/imon.c in the Linux kernel allowed     local users to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact via a crafted USB device     (bnc#1066573).

  - CVE-2017-16538: drivers/media/usb/dvb-usb-v2/lmedm04.c     in the Linux kernel allowed local users to cause a     denial of service (general protection fault and system     crash) or possibly have unspecified other impact via a     crafted USB device, related to a missing warm-start     check and incorrect attach timing     (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner)     (bnc#1066569).

  - CVE-2017-16649: The usbnet_generic_cdc_bind function in     drivers/net/usb/cdc_ether.c in the Linux kernel allowed     local users to cause a denial of service (divide-by-zero     error and system crash) or possibly have unspecified     other impact via a crafted USB device (bnc#1067085).

  - CVE-2017-16939: The XFRM dump policy implementation in     net/xfrm/xfrm_user.c in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) via a crafted SO_RCVBUF setsockopt     system call in conjunction with XFRM_MSG_GETPOLICY     Netlink messages (bnc#1069702 1069708).

  - CVE-2017-17450: net/netfilter/xt_osf.c in the Linux     kernel did not require the CAP_NET_ADMIN capability for     add_callback and remove_callback operations, which     allowed local users to bypass intended access     restrictions because the xt_osf_fingers data structure     is shared across all net namespaces (bnc#1071695     1074033).

  - CVE-2017-17558: The usb_destroy_configuration function     in drivers/usb/core/config.c in the USB core subsystem     in the Linux kernel did not consider the maximum number     of configurations and interfaces before attempting to     release resources, which allowed local users to cause a     denial of service (out-of-bounds write access) or     possibly have unspecified other impact via a crafted USB     device (bnc#1072561).

  - CVE-2017-17805: The Salsa20 encryption algorithm in the     Linux kernel did not correctly handle zero-length     inputs, allowing a local attacker able to use the     AF_ALG-based skcipher interface     (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of     service (uninitialized-memory free and kernel crash) or     have unspecified other impact by executing a crafted     sequence of system calls that use the blkcipher_walk     API. Both the generic implementation     (crypto/salsa20_generic.c) and x86 implementation     (arch/x86/crypto/salsa20_glue.c) of Salsa20 were     vulnerable (bnc#1073792).

  - CVE-2017-17806: The HMAC implementation (crypto/hmac.c)     in the Linux kernel did not validate that the underlying     cryptographic hash algorithm is unkeyed, allowing a     local attacker able to use the AF_ALG-based hash     interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3     hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel     stack-based buffer overflow by executing a crafted     sequence of system calls that encounter a missing SHA-3     initialization (bnc#1073874).

  - CVE-2017-7472: The KEYS subsystem in the Linux kernel     allowed local users to cause a denial of service (memory     consumption) via a series of     KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring     calls (bnc#1034862).

  - CVE-2017-8824: The dccp_disconnect function in     net/dccp/proto.c in the Linux kernel allowed local users     to gain privileges or cause a denial of service     (use-after-free) via an AF_UNSPEC connect system call     during the DCCP_LISTEN state (bnc#1070771).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. This update adds mitigations for various side channel attacks against modern CPUs that could disclose content of otherwise unreadable memory (bnc#1068032).

  - CVE-2017-5753: Local attackers on systems with modern     CPUs featuring deep instruction pipelining could use     attacker controllable speculative execution over code     patterns in the Linux Kernel to leak content from     otherwise not readable memory in the same address space,     allowing retrieval of passwords, cryptographic keys and     other secrets. This problem is mitigated by adding     speculative fencing on affected code paths throughout     the Linux kernel. This issue is addressed for the     x86_64, the IBM Power and IBM zSeries architecture.

  - CVE-2017-5715: Local attackers on systems with modern     CPUs featuring branch prediction could use mispredicted     branches to speculatively execute code patterns that in     turn could be made to leak other non-readable content in     the same address space, an attack similar to     CVE-2017-5753. This problem is mitigated by disabling     predictive branches, depending on CPU architecture     either by firmware updates and/or fixes in the     user-kernel privilege boundaries. This is done with help     of Linux Kernel fixes on the Intel/AMD x86_64 and IBM     zSeries architectures. On x86_64, this requires also     updates of the CPU microcode packages, delivered in     separate updates. For IBM Power and zSeries the required     firmware updates are supplied over regular channels by     IBM. As this feature can have a performance impact, it     can be disabled using the 'nospec' kernel commandline     option.

  - CVE-2017-5754: Local attackers on systems with modern     CPUs featuring deep instruction pipelining could use     code patterns in userspace to speculative executive code     that would read otherwise read protected memory, an     attack similar to CVE-2017-5753. This problem is     mitigated by unmapping the Linux Kernel from the user     address space during user code execution, following a     approach called 'KAISER'. The terms used here are     'KAISER' / 'Kernel Address Isolation' and 'PTI' / 'Page     Table Isolation'. This update does this on the Intel     x86_64 and IBM Power architecture. Updates are also     necessary for the ARM architecture, but will be     delivered in the next round of updates. This feature can     be enabled / disabled by the 'pti=[on|off|auto]' or     'nopti' commandline options. The following security bugs     were fixed :

  - CVE-2017-17806: The HMAC implementation (crypto/hmac.c)     in the Linux kernel did not validate that the underlying     cryptographic hash algorithm is unkeyed, allowing a     local attacker able to use the AF_ALG-based hash     interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3     hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel     stack-based buffer overflow by executing a crafted     sequence of system calls that encounter a missing SHA-3     initialization (bnc#1073874).

  - CVE-2017-17805: The Salsa20 encryption algorithm in the     Linux kernel did not correctly handle zero-length     inputs, allowing a local attacker able to use the     AF_ALG-based skcipher interface     (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of     service (uninitialized-memory free and kernel crash) or     have unspecified other impact by executing a crafted     sequence of system calls that use the blkcipher_walk     API. Both the generic implementation     (crypto/salsa20_generic.c) and x86 implementation     (arch/x86/crypto/salsa20_glue.c) of Salsa20 were     vulnerable (bnc#1073792).

  - CVE-2017-15868: The bnep_add_connection function in     net/bluetooth/bnep/core.c in the Linux kernel did not     ensure that an l2cap socket is available, which allowed     local users to gain privileges via a crafted application     (bnc#1071470).

  - CVE-2017-13167: An elevation of privilege vulnerability     in the kernel sound timer. (bnc#1072876).

  - CVE-2017-16538: drivers/media/usb/dvb-usb-v2/lmedm04.c     in the Linux kernel allowed local users to cause a     denial of service (general protection fault and system     crash) or possibly have unspecified other impact via a     crafted USB device, related to a missing warm-start     check and incorrect attach timing     (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner)     (bnc#1066569).

  - CVE-2017-17558: The usb_destroy_configuration function     in drivers/usb/core/config.c in the USB core subsystem     in the Linux kernel did not consider the maximum number     of configurations and interfaces before attempting to     release resources, which allowed local users to cause a     denial of service (out-of-bounds write access) or     possibly have unspecified other impact via a crafted USB     device (bnc#1072561).

  - CVE-2017-17450: net/netfilter/xt_osf.c in the Linux     kernel did not require the CAP_NET_ADMIN capability for     add_callback and remove_callback operations, which     allowed local users to bypass intended access     restrictions because the xt_osf_fingers data structure     is shared across all net namespaces (bnc#1071695).

  - CVE-2017-8824: The dccp_disconnect function in     net/dccp/proto.c in the Linux kernel allowed local users     to gain privileges or cause a denial of service     (use-after-free) via an AF_UNSPEC connect system call     during the DCCP_LISTEN state (bnc#1070771).

  - CVE-2017-16939: The XFRM dump policy implementation in     net/xfrm/xfrm_user.c in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) via a crafted SO_RCVBUF setsockopt     system call in conjunction with XFRM_MSG_GETPOLICY     Netlink messages (bnc#1069702).

  - CVE-2017-15115: The sctp_do_peeloff function in     net/sctp/socket.c in the Linux kernel did not check     whether the intended netns is used in a peel-off action,     which allowed local users to cause a denial of service     (use-after-free and system crash) or possibly have     unspecified other impact via crafted system calls     (bnc#1068671).

  - CVE-2017-14106: The tcp_disconnect function in     net/ipv4/tcp.c in the Linux kernel allowed local users     to cause a denial of service (__tcp_select_window     divide-by-zero error and system crash) by triggering a     disconnect within a certain tcp_recvmsg code path     (bnc#1056982).

  - CVE-2017-11600: net/xfrm/xfrm_policy.c in the Linux     kernel through 4.12.3, when CONFIG_XFRM_MIGRATE is     enabled, did not ensure that the dir value of     xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which     allowed local users to cause a denial of service     (out-of-bounds access) or possibly have unspecified     other impact via an XFRM_MSG_MIGRATE xfrm Netlink     message (bnc#1050231).

  - CVE-2017-7472: The KEYS subsystem in the Linux kernel     allowed local users to cause a denial of service (memory     consumption) via a series of     KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring     calls (bnc#1034862).

  - CVE-2017-16534: The cdc_parse_cdc_header function in     drivers/usb/core/message.c in the Linux kernel allowed     local users to cause a denial of service (out-of-bounds     read and system crash) or possibly have unspecified     other impact via a crafted USB device (bnc#1066693).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses.
A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-1000251)

It was discovered that the asynchronous I/O (aio) subsystem of the Linux kernel did not properly set permissions on aio memory mappings in some situations. An attacker could use this to more easily exploit other vulnerabilities. (CVE-2016-10044)

Baozeng Ding and Andrey Konovalov discovered a race condition in the L2TPv3 IP Encapsulation implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-10200)

Andreas Gruenbacher and Jan Kara discovered that the filesystem implementation in the Linux kernel did not clear the setgid bit during a setxattr call. A local attacker could use this to possibly elevate group privileges. (CVE-2016-7097)

Sergej Schumilo, Ralf Spenneberg, and Hendrik Schwartke discovered that the key management subsystem in the Linux kernel did not properly allocate memory in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-8650)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084)

It was discovered that an information leak existed in
__get_user_asm_ex() in the Linux kernel. A local attacker could use this to expose sensitive information. (CVE-2016-9178)

CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

It was discovered that an integer overflow existed in the trace subsystem of the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2016-9754)

Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214)

It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346)

It was discovered that the keyring implementation in the Linux kernel did not properly restrict searches for dead keys. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6951)

Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7187)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

It was discovered that a buffer overflow existed in the Broadcom FullMAC WLAN driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7541).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3358-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Please note that this update changes the Linux HWE kernel to the 4.10 based kernel from Ubuntu 17.04, superseding the 4.8 based HWE kernel from Ubuntu 16.10.

Ben Harris discovered that the Linux kernel would strip extended privilege attributes of files when performing a failed unprivileged system call. A local attacker could use this to cause a denial of service. (CVE-2015-1350)

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208)

Peter Pi discovered that the colormap handling for frame buffer devices in the Linux kernel contained an integer overflow. A local attacker could use this to disclose sensitive information (kernel memory). (CVE-2016-8405)

It was discovered that an integer overflow existed in the InfiniBand RDMA over ethernet (RXE) transport implementation in the Linux kernel.
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-8636)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084)

CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

Dmitry Vyukov, Andrey Konovalov, Florian Westphal, and Eric Dumazet discovered that the netfiler subsystem in the Linux kernel mishandled IPv6 packet reassembly. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-9755)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596)

It was discovered that SELinux in the Linux kernel did not properly handle empty writes to /proc/pid/attr. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2618)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

It was discovered that the freelist-randomization in the SLAB memory allocator allowed duplicate freelist entries. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-5546)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549)

It was discovered that a fencepost error existed in the pipe_advance() function in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5550)

It was discovered that the Linux kernel did not clear the setgid bit during a setxattr call on a tmpfs filesystem. A local attacker could use this to gain elevated group privileges. (CVE-2017-5551)

Murray McAllister discovered that an integer overflow existed in the VideoCore DRM driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-5576)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970)

Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made improper assumptions about internal data layout when performing checksums. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348)

Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7187)

It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261)

It was discovered that the USB Cypress HID drivers for the Linux kernel did not properly validate reported information from the device.
An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-7273)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion).
(CVE-2017-8925)

Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

JongHwan Kim discovered an out-of-bounds read in the TCP stack of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or leak sensitive information. (CVE-2017-7277)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

Fabian Grunbichler discovered that the Packet action API implementation in the Linux kernel improperly handled uninitialized data. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7979)

It was discovered that the Conexant USB driver in the Linux kernel improperly handled memory in some configurations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-8063)

It was discovered that the DVD USB framework in the Linux kernel improperly handled memory in some configurations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-8064)

It was discovered that the virtio console driver in the Linux kernel improperly handled memory. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-8067).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3312-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that the netfilter netlink implementation in the Linux kernel did not properly validate batch messages. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information or cause a denial of service. (CVE-2016-7917)

Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() function in the Linux kernel. A local attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-8632)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that a use-after-free vulnerability existed in the device driver for XCeive xc2028/xc3028 tuners in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-7913)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the netfilter netlink implementation in the Linux kernel did not properly validate batch messages. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information or cause a denial of service. (CVE-2016-7917)

Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() function in the Linux kernel. A local attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-8632)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that a use-after-free vulnerability existed in the device driver for XCeive xc2028/xc3028 tuners in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-7913)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts.

CVE-2016-2188

Ralf Spenneberg of OpenSource Security reported that the iowarrior device driver did not sufficiently validate USB descriptors. This allowed a physically present user with a specially designed USB device to cause a denial of service (crash).

CVE-2016-9604

It was discovered that the keyring subsystem allowed a process to set a special internal keyring as its session keyring. The security impact in this version of the kernel is unknown.

CVE-2016-10200

Baozeng Ding and Andrey Konovalov reported a race condition in the L2TP implementation which could corrupt its table of bound sockets. A local user could use this to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2017-2647 / CVE-2017-6951

idl3r reported that the keyring subsystem would allow a process to search for 'dead' keys, causing a NULL pointer dereference. A local user could use this to cause a denial of service (crash).

CVE-2017-2671

Daniel Jiang discovered a race condition in the ping socket implementation. A local user with access to ping sockets could use this to cause a denial of service (crash) or possibly for privilege escalation. This feature is not accessible to any users by default.

CVE-2017-5967

Xing Gao reported that the /proc/timer_list file showed information about all processes, not considering PID namespaces. If timer debugging was enabled by a privileged user, this leaked information to processes contained in PID namespaces.

CVE-2017-5970

Andrey Konovalov discovered a denial of service flaw in the IPv4 networking code. This can be triggered by a local or remote attacker if a local UDP or raw socket has the IP_RETOPTS option enabled.

CVE-2017-7184

Chaitin Security Research Lab discovered that the net xfrm subsystem did not sufficiently validate replay state parameters, allowing a heap buffer overflow. This can be used by a local user with the CAP_NET_ADMIN capability for privilege escalation.

CVE-2017-7261

Vladis Dronov and Murray McAllister reported that the vmwgfx driver did not sufficiently validate rendering surface parameters. In a VMware guest, this can be used by a local user to cause a denial of service (crash).

CVE-2017-7273

Benoit Camredon reported that the hid-cypress driver did not sufficiently validate HID reports. This possibly allowed a physically present user with a specially designed USB device to cause a denial of service (crash).

CVE-2017-7294

Li Qiang reported that the vmwgfx driver did not sufficiently validate rendering surface parameters. In a VMware guest, this can be used by a local user to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2017-7308

Andrey Konovalov reported that the packet socket (AF_PACKET) implementation did not sufficiently validate buffer parameters. This can be used by a local user with the CAP_NET_RAW capability for privilege escalation.

CVE-2017-7472

Eric Biggers reported that the keyring subsystem allowed a thread to create new thread keyrings repeatedly, causing a memory leak. This can be used by a local user to cause a denial of service (memory exhaustion).

CVE-2017-7616

Chris Salls reported an information leak in the 32-bit big-endian compatibility implementations of set_mempolicy() and mbind(). This does not affect any architecture supported in Debian 7 LTS.

CVE-2017-7618

Sabrina Dubroca reported that the cryptographic hash subsystem does not correctly handle submission of unaligned data to a device that is already busy, resulting in infinite recursion. On some systems this can be used by local users to cause a denial of service (crash).

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.88-1. This version also includes bug fixes from upstream version 3.2.88, and fixes some older security issues in the keyring, packet socket and cryptographic hash subsystems that do not have CVE IDs.

For Debian 8 'Jessie', most of these problems have been fixed in version 3.16.43-1 which will be part of the next point release.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerability :

  - It was found that keyctl_set_reqkey_keyring() function     leaked thread keyring which could allow an unprivileged     local user to exhaust kernel memory.

Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities :

  - It was found that keyctl_set_reqkey_keyring() function     leaked thread keyring which could allow an unprivileged     local user to exhaust kernel memory.

  - net/sctp/socket.c in the Linux kernel through 4.10.1     did not properly restrict association peel-off     operations during certain wait states, which allowed     local users to cause a denial of service (invalid     unlock and double free) via a multithreaded     application.

  - Race condition in the sctp_wait_for_sndbuf function in     net/sctp/socket.c in the Linux kernel before 4.9.11     could allow local users to cause a denial of service     (assertion failure and panic) via a multithreaded     application that peeled off an association in a certain     buffer-full state.

  - Andrey Konovalov discovered that signed integer     overflows existed in the setsockopt() system call when     handling the SO_SNDBUFFORCE and SO_RCVBUFFORCE options.
    A local attacker with the CAP_NET_ADMIN capability     could use this to cause a denial of service (system     crash or memory corruption).

  - A vulnerability was discovered in the handling of pid     namespaces in the kernel. A privileged user inside a     container could trigger a kernel crash (NULL pointer     dereference in proc_flush_task()) using a sequence of     system calls including wait4().

Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
106525	RHEL 6 : kernel-rt (RHSA-2018:0181)	Nessus	Red Hat Local Security Checks	high
106364	Oracle Linux 7 : kernel (ELSA-2018-0151) (Meltdown) (Spectre)	Nessus	Oracle Linux Local Security Checks	high
106353	CentOS 7 : kernel (CESA-2018:0151) (Meltdown) (Spectre)	Nessus	CentOS Local Security Checks	high
106340	Scientific Linux Security Update : kernel on SL7.x x86_64 (Meltdown) (Spectre)	Nessus	Scientific Linux Local Security Checks	high
106331	RHEL 7 : kernel-rt (RHSA-2018:0152)	Nessus	Red Hat Local Security Checks	high
106330	RHEL 7 : kernel (RHSA-2018:0151) (Meltdown) (Spectre)	Nessus	Red Hat Local Security Checks	high
105685	SUSE SLES11 Security Update : kernel (SUSE-SU-2018:0040-1) (BlueBorne) (KRACK) (Meltdown) (Spectre)	Nessus	SuSE Local Security Checks	high
105575	SUSE SLES11 Security Update : kernel (SUSE-SU-2018:0011-1) (Meltdown) (Spectre)	Nessus	SuSE Local Security Checks	high
103326	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3422-1) (BlueBorne)	Nessus	Ubuntu Local Security Checks	high
101929	Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3361-1)	Nessus	Ubuntu Local Security Checks	critical
100668	Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3314-1)	Nessus	Ubuntu Local Security Checks	critical
100665	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3312-2)	Nessus	Ubuntu Local Security Checks	critical
100664	Ubuntu 16.04 LTS : linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities (USN-3312-1)	Nessus	Ubuntu Local Security Checks	critical
99733	Debian DLA-922-1 : linux security update	Nessus	Debian Local Security Checks	high
99710	Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2017-031)	Nessus	Virtuozzo Local Security Checks	medium
99599	Virtuozzo 7 : readykernel-patch (VZA-2017-029)	Nessus	Virtuozzo Local Security Checks	high

CVE-2017-7472

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins