[oss-security] 20170823 CVE-2017-7558: Linux kernel: sctp: out-of-bounds read in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info()

100466

1039221

RHSA-2017:2918

RHSA-2017:2930

RHSA-2017:2931

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7558

[linux-netdev] 20170823 [PATCH net] sctp: Avoid out-of-bounds reads from address storage

DSA-3981

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions past bounds check. The flaw     relies on the presence of a precisely-defined     instruction sequence in the privileged code and the     fact that memory writes occur to an address which     depends on the untrusted value. Such writes cause an     update into the microprocessor's data cache even for     speculatively executed instructions that never actually     commit (retire). As a result, an unprivileged attacker     could use this flaw to influence speculative execution     and/or read privileged memory by conducting targeted     cache side-channel attacks.(CVE-2018-3693)

  - A flaw named SegmentSmack was found in the way the     Linux kernel handled specially crafted TCP packets. A     remote attacker could use this flaw to trigger time and     calculation expensive calls to tcp_collapse_ofo_queue()     and tcp_prune_ofo_queue() functions by sending     specially modified packets within ongoing TCP sessions     which could lead to a CPU saturation and hence a denial     of service on the system. Maintaining the denial of     service condition requires continuous two-way TCP     sessions to a reachable open port, thus the attacks     cannot be performed using spoofed IP     addresses.(CVE-2018-5390)

  - It was found that the raw midi kernel driver does not     protect against concurrent access which leads to a     double realloc (double free) in     snd_rawmidi_input_params() and     snd_rawmidi_output_status() which are part of     snd_rawmidi_ioctl() handler in rawmidi.c file. A     malicious local attacker could possibly use this for     privilege escalation.(CVE-2018-10902)

  - Integer overflow in the aio_setup_single_vector     function in fs/aio.c in the Linux kernel 4.0 allows     local users to cause a denial of service or possibly     have unspecified other impact via a large AIO iovec.
    NOTE: this vulnerability exists because of a     CVE-2012-6701 regression.(CVE-2015-8830)

  - A flaw was found in the Linux networking subsystem     where a local attacker with CAP_NET_ADMIN capabilities     could cause an out-of-bounds memory access by creating     a smaller-than-expected ICMP header and sending to its     destination via sendto().(CVE-2016-8399)

  - Out-of-bounds kernel heap access vulnerability was     found in xfrm, kernel's IP framework for transforming     packets. An error dealing with netlink messages from an     unprivileged user leads to arbitrary read/write and     privilege escalation.(CVE-2017-7184)

  - The Linux kernel was found to be vulnerable to a NULL     pointer dereference bug in the __netlink_ns_capable()     function in the net/netlink/af_netlink.c file. A local     attacker could exploit this when a net namespace with a     netnsid is assigned to cause a kernel panic and a     denial of service.i1/4^CVE-2018-14646i1/4%0

  - A flaw was found where the kernel truncated the value     used to indicate the size of a buffer which it would     later become zero using an untruncated value. This can     corrupt memory outside of the original     allocation.(CVE-2017-9725)

  - A bug in the 32-bit compatibility layer of the ioctl     handling code of the v4l2 video driver in the Linux     kernel has been found. A memory protection mechanism     ensuring that user-provided buffers always point to a     userspace memory were disabled, allowing destination     address to be in a kernel space. This flaw could be     exploited by an attacker to overwrite a kernel memory     from an unprivileged userspace process, leading to     privilege escalation.(CVE-2017-13166)

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions (a commonly used performance     optimization). There are three primary variants of the     issue which differ in the way the speculative execution     can be exploited. Variant CVE-2017-5754 relies on the     fact that, on impacted microprocessors, during     speculative execution of instruction permission faults,     exception generation triggered by a faulting access is     suppressed until the retirement of the whole     instruction block. In a combination with the fact that     memory accesses may populate the cache even when the     block is being dropped and never committed (executed),     an unprivileged local attacker could use this flaw to     read privileged (kernel space) memory by conducting     targeted cache side-channel attacks. Note:
    CVE-2017-5754 affects Intel x86-64 microprocessors. AMD     x86-64 microprocessors are not affected by this     issue.(CVE-2017-5754)

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions (a commonly used performance     optimization). There are three primary variants of the     issue which differ in the way the speculative execution     can be exploited. Variant CVE-2017-5753 triggers the     speculative execution by performing a bounds-check     bypass. It relies on the presence of a     precisely-defined instruction sequence in the     privileged code as well as the fact that memory     accesses may cause allocation into the microprocessor's     data cache even for speculatively executed instructions     that never actually commit (retire). As a result, an     unprivileged attacker could use this flaw to cross the     syscall boundary and read privileged memory by     conducting targeted cache side-channel     attacks.(CVE-2017-5753)

  - A flaw was found in the Linux kernel's skcipher     component, which affects the skcipher_recvmsg function.
    Attackers using a specific input can lead to a     privilege escalation.i1/4^CVE-2017-13215i1/4%0

  - The tcpmss_mangle_packet function in     net/netfilter/xt_TCPMSS.c in the Linux kernel before     4.11, and 4.9.x before 4.9.36, allows remote attackers     to cause a denial of service (use-after-free and memory     corruption) or possibly have unspecified other impact     by leveraging the presence of xt_TCPMSS in an iptables     action. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely.i1/4^CVE-2017-18017i1/4%0

  - A kernel data leak due to an out-of-bound read was     found in the Linux kernel in     inet_diag_msg_sctp{,l}addr_fill() and     sctp_get_sctp_info() functions present since version     4.7-rc1 through version 4.13. A data leak happens when     these functions fill in sockaddr data structures used     to export socket's diagnostic information. As a result,     up to 100 bytes of the slab data could be leaked to a     userspace.i1/4^CVE-2017-7558i1/4%0

  - Use-after-free vulnerability in the snd_pcm_info()     function in the ALSA subsystem in the Linux kernel     allows attackers to induce a kernel memory corruption     and possibly crash or lock up a system. Due to the     nature of the flaw, a privilege escalation cannot be     fully ruled out, although we believe it is     unlikely.i1/4^CVE-2017-0861i1/4%0

  - Improper validation in the bnx2x network card driver of     the Linux kernel version 4.15 can allow for denial of     service (DoS) attacks via a packet with a gso_size     larger than ~9700 bytes. Untrusted guest VMs can     exploit this vulnerability in the host machine, causing     a crash in the network card.i1/4^CVE-2018-1000026i1/4%0

  - An error in the '_sctp_make_chunk()' function     (net/sctp/sm_make_chunk.c) when handling SCTP, packet     length can be exploited by a malicious local user to     cause a kernel crash and a DoS.i1/4^CVE-2018-5803i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important)

* A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.
(CVE-2017-1000111, Important)

* An exploitable memory corruption flaw was found in the Linux kernel.
The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option.
If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important)

* A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399, Moderate)

* Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate)

* An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate)

* A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate)

* The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176, Moderate)

* A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate)

Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112.
The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat).

Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article:
https://access.redhat.com/node/3212921.

An update for kernel-rt is now available for Red Hat Enterprise MRG 2.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important)

* A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.
(CVE-2017-1000111, Important)

* An exploitable memory corruption flaw was found in the Linux kernel.
The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option.
If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important)

* Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate)

* An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate)

* A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate)

* The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176, Moderate)

* A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate)

* A flaw was found where the XFS filesystem code mishandles a user-settable inode flag in the Linux kernel prior to 4.14-rc1. This can cause a local denial of service via a kernel panic.
(CVE-2017-14340, Moderate)

Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112.
The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat) and the CVE-2017-14340 issue was discovered by Dave Chinner (Red Hat).

Bug Fix(es) :

* kernel-rt packages have been upgraded to the 3.10.0-693.5.2 source tree, which provides number of bug fixes over the previous version.
(BZ#1489085)

Description of changes:

- [3.10.0-693.5.2.0.1.el7.OL7]
- [ipc] ipc/sem.c: bugfix for semctl(,,GETZCNT) (Manfred Spraul) [orabug 22552377]
- Oracle Linux certificates (Alexey Petrenko)
- Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(<A HREF='https://oss.oracle.com/mailman/listinfo/el-errata'>alexey.petrenko at oracle.com</A>)
- Update x509.genkey [bug 24817676]

[3.10.0-693.5.2.el7]
- [mm] page_cgroup: Fix Kernel bug during boot with memory cgroups enabled (Larry Woodman) [1491970 1483747]
- Revert: [mm] Fix Kernel bug during boot with memory cgroups enabled (Larry Woodman) [1491970 1483747]

[3.10.0-693.5.1.el7]
- [netdrv] i40e: point wb_desc at the nvm_wb_desc during i40e_read_nvm_aq (Stefan Assmann) [1491972 1484232]
- [netdrv] i40e: avoid NVM acquire deadlock during NVM update (Stefan Assmann) [1491972 1484232]
- [mm] Fix Kernel bug during boot with memory cgroups enabled (Larry Woodman) [1491970 1483747]
- [fs] nfsv4: Ensure we don't re-test revoked and freed stateids (Dave Wysochanski) [1491969 1459733]
- [netdrv] bonding: commit link status change after propose (Jarod Wilson) [1491121 1469790]
- [mm] page_alloc: ratelimit PFNs busy info message (Jonathan Toppins) [1491120 1383179]
- [netdrv] cxgb4: avoid crash on PCI error recovery path (Gustavo Duarte) [1489872 1456990]
- [scsi] Add STARGET_CREATED_REMOVE state to scsi_target_state (Ewan Milne) [1489814 1468727]
- [net] tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Davide Caratti) [1488341 1487061] {CVE-2017-14106}
- [net] tcp: fix 0 divide in __tcp_select_window() (Davide Caratti) [1488341 1487061] {CVE-2017-14106}
- [net] sctp: Avoid out-of-bounds reads from address storage (Stefano Brivio) [1484356 1484355] {CVE-2017-7558}
- [net] udp: consistently apply ufo or fragmentation (Davide Caratti) [1481530 1481535] {CVE-2017-1000112}
- [net] udp: account for current skb length when deciding about UFO (Davide Caratti) [1481530 1481535] {CVE-2017-1000112}
- [net] ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output (Davide Caratti) [1481530 1481535] {CVE-2017-1000112}
- [net] udp: avoid ufo handling on IP payload compression packets (Stefano Brivio) [1490263 1464161]
- [pci] hv: Use vPCI protocol version 1.2 (Vitaly Kuznetsov) [1478256 1459202]
- [pci] hv: Add vPCI version protocol negotiation (Vitaly Kuznetsov) [1478256 1459202]
- [pci] hv: Use page allocation for hbus structure (Vitaly Kuznetsov) [1478256 1459202]
- [pci] hv: Fix comment formatting and use proper integer fields (Vitaly Kuznetsov) [1478256 1459202]
- [net] ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() (Stefano Brivio) [1477007 1477010] {CVE-2017-7542}
- [net] ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [1477007 1477010] {CVE-2017-7542}
- [net] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (Hannes Frederic Sowa) [1435672 1435670] {CVE-2017-7184}
- [net] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window (Hannes Frederic Sowa) [1435672 1435670] {CVE-2017-7184}
- [net] l2cap: prevent stack overflow on incoming bluetooth packet (Neil Horman) [1489788 1489789] {CVE-2017-1000251}

[3.10.0-693.4.1.el7]
- [fs] nfsv4: Add missing nfs_put_lock_context() (Benjamin Coddington) [1487271 1476826]
- [fs] nfs: discard nfs_lockowner structure (Benjamin Coddington) [1487271 1476826]
- [fs] nfsv4: enhance nfs4_copy_lock_stateid to use a flock stateid if there is one (Benjamin Coddington) [1487271 1476826]
- [fs] nfsv4: change nfs4_select_rw_stateid to take a lock_context inplace of lock_owner (Benjamin Coddington) [1487271 1476826]
- [fs] nfsv4: change nfs4_do_setattr to take an open_context instead of a nfs4_state (Benjamin Coddington) [1487271 1476826]
- [fs] nfsv4: add flock_owner to open context (Benjamin Coddington) [1487271 1476826]
- [fs] nfs: remove l_pid field from nfs_lockowner (Benjamin Coddington) [1487271 1476826]
- [x86] platform/uv/bau: Disable BAU on single hub configurations (Frank Ramsay) [1487159 1487160 1472455 1473353]
- [x86] platform/uv/bau: Fix congested_response_us not taking effect (Frank Ramsay) [1487159 1472455]
- [fs] cifs: Disable encryption capability for RHEL 7.4 kernel (Sachin Prabhu) [1485445 1485445]
- [fs] sunrpc: Handle EADDRNOTAVAIL on connection failures (Dave Wysochanski) [1484269 1479043]
- [fs] include/linux/printk.h: include pr_fmt in pr_debug_ratelimited (Sachin Prabhu) [1484267 1472823]
- [fs] printk: pr_debug_ratelimited: check state first to reduce 'callbacks suppressed' messages (Sachin Prabhu) [1484267 1472823]
- [net] packet: fix tp_reserve race in packet_set_ring (Stefano Brivio) [1481938 1481940] {CVE-2017-1000111}
- [fs] proc: revert /proc/<pid>/maps [stack:TID] annotation (Waiman Long) [1481724 1448534]
- [net] ping: check minimum size on ICMP header length (Matteo Croce) [1481578 1481573] {CVE-2016-8399}
- [ipc] mqueue: fix a use-after-free in sys_mq_notify() (Davide Caratti) [1476128 1476126] {CVE-2017-11176}
- [netdrv] brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (Stanislaw Gruszka) [1474778 1474784] {CVE-2017-7541}

[3.10.0-693.3.1.el7]
- [block] blk-mq-tag: fix wakeup hang after tag resize (Ming Lei) [1487281 1472434]

Security Fix(es) :

  - Out-of-bounds kernel heap access vulnerability was found     in xfrm, kernel's IP framework for transforming packets.
    An error dealing with netlink messages from an     unprivileged user leads to arbitrary read/write and     privilege escalation. (CVE-2017-7184, Important)

  - A race condition issue leading to a use-after-free flaw     was found in the way the raw packet sockets are     implemented in the Linux kernel networking subsystem     handling synchronization. A local user able to open a     raw packet socket (requires the CAP_NET_RAW capability)     could use this flaw to elevate their privileges on the     system. (CVE-2017-1000111, Important)

  - An exploitable memory corruption flaw was found in the     Linux kernel. The append path can be erroneously     switched from UFO to non-UFO in ip_ufo_append_data()     when building an UFO packet with MSG_MORE option. If     unprivileged user namespaces are available, this flaw     can be exploited to gain root privileges.
    (CVE-2017-1000112, Important)

  - A flaw was found in the Linux networking subsystem where     a local attacker with CAP_NET_ADMIN capabilities could     cause an out-of-bounds memory access by creating a     smaller-than-expected ICMP header and sending to its     destination via sendto(). (CVE-2016-8399, Moderate)

  - Kernel memory corruption due to a buffer overflow was     found in brcmf_cfg80211_mgmt_tx() function in Linux     kernels from v3.9-rc1 to v4.13-rc1. The vulnerability     can be triggered by sending a crafted NL80211_CMD_FRAME     packet via netlink. This flaw is unlikely to be     triggered remotely as certain userspace code is needed     for this. An unprivileged local user could use this flaw     to induce kernel memory corruption on the system,     leading to a crash. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out, although     it is unlikely. (CVE-2017-7541, Moderate)

  - An integer overflow vulnerability in     ip6_find_1stfragopt() function was found. A local     attacker that has privileges (of CAP_NET_RAW) to open     raw socket can cause an infinite loop inside the     ip6_find_1stfragopt() function. (CVE-2017-7542,     Moderate)

  - A kernel data leak due to an out-of-bound read was found     in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill()     and sctp_get_sctp_info() functions present since version     4.7-rc1 through version 4.13. A data leak happens when     these functions fill in sockaddr data structures used to     export socket's diagnostic information. As a result, up     to 100 bytes of the slab data could be leaked to a     userspace. (CVE-2017-7558, Moderate)

  - The mq_notify function in the Linux kernel through     4.11.9 does not set the sock pointer to NULL upon entry     into the retry logic. During a user- space close of a     Netlink socket, it allows attackers to possibly cause a     situation where a value may be used after being freed     (use-after-free) which may lead to memory corruption or     other unspecified other impact. (CVE-2017-11176,     Moderate)

  - A divide-by-zero vulnerability was found in the
    __tcp_select_window function in the Linux kernel. This     can result in a kernel panic causing a local denial of     service. (CVE-2017-14106, Moderate)

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important)

* A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.
(CVE-2017-1000111, Important)

* An exploitable memory corruption flaw was found in the Linux kernel.
The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option.
If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important)

* A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399, Moderate)

* Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate)

* An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate)

* A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate)

* The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176, Moderate)

* A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate)

Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112.
The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat).

Bug Fix(es) :

* The kernel-rt packages have been upgraded to the 3.10.0-693.5.2 source tree, which provides number of bug fixes over the previous version. (BZ# 1489084)

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2017-2930 advisory.

  - An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious     application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate     because it first requires compromising a privileged process and current compiler optimizations restrict     access to the vulnerable code. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID:
    A-31349935. (CVE-2016-8399)

  - The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not     validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root     privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN     capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-     image-* package 4.8.0.41.52. (CVE-2017-7184)

  - The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the     Linux kernel before 4.12.3 allows local users to cause a denial of service (buffer overflow and system     crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet. (CVE-2017-7541)

  - Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed     CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in     packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar:
    lock the socket for the update. This issue may be exploitable, we did not investigate further. As this     issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user     namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW. (CVE-2017-1000111)

  - The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause     a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect     within a certain tcp_recvmsg code path. (CVE-2017-14106)

  - Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet     with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send()     calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In     case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and     the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap =     skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to     become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in     IPv6 code. The bug was introduced in e89e9cf539a2 ([IPv4/IPv6]: UFO Scatter-gather approach) on Oct 18     2005. (CVE-2017-1000112)

  - The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry     into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial     of service (use-after-free) or possibly have unspecified other impact. (CVE-2017-11176)

  - The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local     users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open     a raw socket. (CVE-2017-7542)

  - A kernel data leak due to an out-of-bound read was found in the Linux kernel in     inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through     version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export     socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a     userspace. (CVE-2017-7558)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

A buffer overflow was discovered in tpacket_rcv() function in the Linux kernel since v4.6-rc1 through v4.13. A number of socket-related syscalls can be made to set up a configuration when each packet received by a network interface can cause writing up to 10 bytes to a kernel memory outside of a kernel buffer. This can cause unspecified kernel data corruption effects, including damage of in-memory and on-disk XFS data. (CVE-2017-14497)

A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558)

Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks.

  - CVE-2017-7518     Andy Lutomirski discovered that KVM is prone to an     incorrect debug exception (#DB) error occurring while     emulating a syscall instruction. A process inside a     guest can take advantage of this flaw for privilege     escalation inside a guest.

  - CVE-2017-7558 (stretch only)     Stefano Brivio of Red Hat discovered that the SCTP     subsystem is prone to a data leak vulnerability due to     an out-of-bounds read flaw, allowing to leak up to 100     uninitialized bytes to userspace.

  - CVE-2017-10661 (jessie only)     Dmitry Vyukov of Google reported that the timerfd     facility does not properly handle certain concurrent     operations on a single file descriptor. This allows a     local attacker to cause a denial of service or     potentially execute arbitrary code.

  - CVE-2017-11600     Bo Zhang reported that the xfrm subsystem does not     properly validate one of the parameters to a netlink     message. Local users with the CAP_NET_ADMIN capability     can use this to cause a denial of service or potentially     to execute arbitrary code.

  - CVE-2017-12134 / #866511 / XSA-229     Jan H. Schoenherr of Amazon discovered that when Linux     is running in a Xen PV domain on an x86 system, it may     incorrectly merge block I/O requests. A buggy or     malicious guest may trigger this bug in dom0 or a PV     driver domain, causing a denial of service or     potentially execution of arbitrary code.

  This issue can be mitigated by disabling merges on the underlying   back-end block devices, e.g.:echo 2 >   /sys/block/nvme0n1/queue/nomerges

  - CVE-2017-12146 (stretch only)     Adrian Salido of Google reported a race condition in     access to the'driver_override' attribute for platform     devices in sysfs. If unprivileged users are permitted to     access this attribute, this might allow them to gain     privileges.

  - CVE-2017-12153     Bo Zhang reported that the cfg80211 (wifi) subsystem     does not properly validate the parameters to a netlink     message. Local users with the CAP_NET_ADMIN capability     (in any user namespace with a wifi device) can use this     to cause a denial of service.

  - CVE-2017-12154     Jim Mattson of Google reported that the KVM     implementation for Intel x86 processors did not     correctly handle certain nested hypervisor     configurations. A malicious guest (or nested guest in a     suitable L1 hypervisor) could use this for denial of     service.

  - CVE-2017-14106     Andrey Konovalov discovered that a user-triggerable     division by zero in the tcp_disconnect() function could     result in local denial of service.

  - CVE-2017-14140     Otto Ebeling reported that the move_pages() system call     performed insufficient validation of the UIDs of the     calling and target processes, resulting in a partial     ASLR bypass. This made it easier for local users to     exploit vulnerabilities in programs installed with the     set-UID permission bit set.

  - CVE-2017-14156     'sohu0106' reported an information leak in the atyfb     video driver. A local user with access to a framebuffer     device handled by this driver could use this to obtain     sensitive information.

  - CVE-2017-14340     Richard Wareing discovered that the XFS implementation     allows the creation of files with the 'realtime' flag on     a filesystem with no realtime device, which can result     in a crash (oops). A local user with access to an XFS     filesystem that does not have a realtime device can use     this for denial of service.

  - CVE-2017-14489     ChunYu Wang of Red Hat discovered that the iSCSI     subsystem does not properly validate the length of a     netlink message, leading to memory corruption. A local     user with permission to manage iSCSI devices can use     this for denial of service or possibly to execute     arbitrary code.

  - CVE-2017-14497 (stretch only)     Benjamin Poirier of SUSE reported that vnet headers are     not properly handled within the tpacket_rcv() function     in the raw packet (af_packet) feature. A local user with     the CAP_NET_RAW capability can take advantage of this     flaw to cause a denial of service (buffer overflow, and     disk and memory corruption) or have other impact.

  - CVE-2017-1000111     Andrey Konovalov of Google reported a race condition in     the raw packet (af_packet) feature. Local users with the     CAP_NET_RAW capability can use this for denial of     service or possibly to execute arbitrary code.

  - CVE-2017-1000112     Andrey Konovalov of Google reported a race condition     flaw in the UDP Fragmentation Offload (UFO) code. A     local user can use this flaw for denial of service or     possibly to execute arbitrary code.

  - CVE-2017-1000251 / #875881     Armis Labs discovered that the Bluetooth subsystem does     not properly validate L2CAP configuration responses,     leading to a stack-based buffer overflow. This is one of     several vulnerabilities dubbed 'Blueborne'. A nearby     attacker can use this to cause a denial of service or     possibly to execute arbitrary code on a system with     Bluetooth enabled.

  - CVE-2017-1000252 (stretch only)     Jan H. Schoenherr of Amazon reported that the KVM     implementation for Intel x86 processors did not     correctly validate interrupt injection requests. A local     user with permission to use KVM could use this for     denial of service.

  - CVE-2017-1000370     The Qualys Research Labs reported that a large argument     or environment list can result in ASLR bypass for 32-bit     PIE binaries.

  - CVE-2017-1000371     The Qualys Research Labs reported that a large argument     or environment list can result in a stack/heap clash for     32-bit PIE binaries.

  - CVE-2017-1000380     Alexander Potapenko of Google reported a race condition     in the ALSA (sound) timer driver, leading to an     information leak. A local user with permission to access     sound devices could use this to obtain sensitive     information.

Debian disables unprivileged user namespaces by default, but if they are enabled (via the kernel.unprivileged_userns_clone sysctl) then CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited by any local user.

According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities :

  - A kernel data leak due to an out-of-bound read was     found in the Linux kernel in     inet_diag_msg_sctp{,l}addr_fill() and     sctp_get_sctp_info() functions present since version     4.7-rc1 through version 4.13. A data leak happens when     these functions fill in sockaddr data structures used     to export socket's diagnostic information. As a result,     up to 100 bytes of the slab data could be leaked to a     userspace.

  - The __ip6_append_data function in net/ipv6/ip6_output.c     in the Linux kernel through 4.11.3 is too late in     checking whether an overwrite of an skb data structure     may occur, which allows local users to cause a denial     of service (system crash) via crafted system calls.

  - A divide-by-zero vulnerability was found in the
    __tcp_select_window function in the Linux kernel. This     can result in a kernel panic causing a local     denial-of-service.

Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 4.12.9 stable kernel update contains a number of important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
127146	NewStart CGSL MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0004)	Nessus	NewStart CGSL Local Security Checks	critical
124992	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1539)	Nessus	Huawei Local Security Checks	critical
104106	CentOS 7 : kernel (CESA-2017:2930)	Nessus	CentOS Local Security Checks	high
104090	RHEL 6 : MRG (RHSA-2017:2918)	Nessus	Red Hat Local Security Checks	high
104088	Oracle Linux 7 : kernel (ELSA-2017-2930-1) (BlueBorne)	Nessus	Oracle Linux Local Security Checks	high
104008	Scientific Linux Security Update : kernel on SL7.x x86_64 (20171019)	Nessus	Scientific Linux Local Security Checks	high
104004	RHEL 7 : kernel-rt (RHSA-2017:2931)	Nessus	Red Hat Local Security Checks	high
104003	RHEL 7 : kernel (RHSA-2017:2930)	Nessus	Red Hat Local Security Checks	high
104001	Oracle Linux 7 : kernel (ELSA-2017-2930)	Nessus	Oracle Linux Local Security Checks	high
103653	Amazon Linux AMI : kernel (ALAS-2017-901)	Nessus	Amazon Linux Local Security Checks	high
103365	Debian DSA-3981-1 : linux - security update (BlueBorne) (Stack Clash)	Nessus	Debian Local Security Checks	high
102981	Virtuozzo 7 : readykernel-patch (VZA-2017-079)	Nessus	Virtuozzo Local Security Checks	high
102980	Virtuozzo 7 : readykernel-patch (VZA-2017-078)	Nessus	Virtuozzo Local Security Checks	high
102898	Fedora 26 : kernel (2017-78c4c71539)	Nessus	Fedora Local Security Checks	high
102895	Fedora 25 : kernel (2017-4b4c022807)	Nessus	Fedora Local Security Checks	high

CVE-2017-7558

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

critical

high

high

high

high

high

high

high

high

high

high

high

high

high