100658

RHSA-2018:0676

RHSA-2018:1062

RHSA-2018:1130

RHSA-2018:1170

https://source.android.com/security/bulletin/2017-09-01

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Integer signedness error in the oz_hcd_get_desc_cnf function in drivers/staging/ozwpan/ozhcd.c in the     OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers to cause a denial of service     (system crash) or possibly execute arbitrary code via a crafted packet. (CVE-2015-4001)

  - drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel through 4.0.5 does not ensure     that certain length values are sufficiently large, which allows remote attackers to cause a denial of     service (system crash or large loop) or possibly execute arbitrary code via a crafted packet, related to     the (1) oz_usb_rx and (2) oz_usb_handle_ep_data functions. (CVE-2015-4002)

  - The oz_usb_handle_ep_data function in drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux     kernel through 4.0.5 allows remote attackers to cause a denial of service (divide-by-zero error and system     crash) via a crafted packet. (CVE-2015-4003)

  - The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untrusted length field during packet     parsing, which allows remote attackers to obtain sensitive information from kernel memory or cause a     denial of service (out-of-bounds read and system crash) via a crafted packet. (CVE-2015-4004)

  - arch/arm64/kernel/sys.c in the Linux kernel before 4.0 allows local users to bypass the 'strict page     permissions' protection mechanism and modify the system-call table, and consequently gain privileges, by     leveraging write access. (CVE-2015-8967)

  - The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows     local users to gain privileges or cause a denial of service (stack memory consumption) via vectors     involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling. (CVE-2016-1583)

  - In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux     kernel, a buffer overread is observed in nl80211_set_station when user space application sends attribute     NL80211_ATTR_LOCAL_MESH_POWER_MODE with data of size less than 4 bytes (CVE-2017-11089)

  - In all Qualcomm products with Android releases from CAF using the Linux kernel, during DMA allocation, due     to wrong data type of size, allocation size gets truncated which makes allocation succeed when it should     fail. (CVE-2017-9725)

  - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free     which might lead to privilege escalations. (CVE-2020-25670)

  - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-     free which might lead to privilege escalations. (CVE-2020-25671)

  - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak     and eventually hanging-up the system. (CVE-2020-25673)

  - An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-     free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is     called, aka CID-f5449e74802c. (CVE-2020-36385)

  - Improper access control in BlueZ may allow an authenticated user to potentially enable information     disclosure via adjacent access. (CVE-2021-0129)

  - There is a flaw reported in the Linux kernel in versions before 5.9 in     drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The issue     results from the lack of validating the existence of an object prior to performing operations on the     object. An attacker with a local account with a root privilege, can leverage this vulnerability to     escalate privileges and execute code in the context of the kernel. (CVE-2021-20292)

  - A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.
    This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name     space (CVE-2021-22555)

  - A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It     allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer     before a cloning operation, aka CID-dbcc7d57bffc. (CVE-2021-28964)

  - BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements,     allowing them to execute arbitrary code within the kernel context. This affects     arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)

  - An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in     drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up     sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70.
    (CVE-2021-29265)

  - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-     device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with     special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or     a leak of internal kernel information. The highest threat from this vulnerability is to system     availability. (CVE-2021-31916)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI     controller. (CVE-2021-32399)

  - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because     the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads     to writing an arbitrary value. (CVE-2021-33033)

  - An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.
    (CVE-2021-3347)

  - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer     allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an     unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)

  - net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from     kernel stack memory because parts of a data structure are uninitialized. (CVE-2021-34693)

  - A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice     into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest     threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions     before kernel 5.12-rc6 are affected (CVE-2021-3483)

  - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in     the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the     system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)

  - A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way     user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev()     together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(),     hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their     privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5. (CVE-2021-3573)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c,     there is a possible use after free due to a logic     error. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2020-0466)

  - fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8,     when there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)

  - An issue was discovered in the Linux kernel through     5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an     iSCSI transport is registered with the iSCSI subsystem,     the transport's handle is available to unprivileged     users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)

  - An issue was discovered in the Linux kernel through     5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged     user to craft Netlink messages.(CVE-2021-27364)

  - A race condition was found in the Linux kernels     implementation of the floppy disk drive controller     driver software. The impact of this issue is lessened     by the fact that the default permissions on the floppy     device (/dev/fd0) are restricted to root. If the     permissions on the device have changed the impact     changes greatly. In the default configuration root (or     equivalent) permissions are required to attack this     flaw.(CVE-2021-20261)

  - In fs/ocfs2/cluster/nodemanager.c in the Linux kernel     before 4.15, local users can cause a denial of service     (NULL pointer dereference and BUG) because a required     mutex is not used.(CVE-2017-18216)

  - The omninet_open function in     drivers/usb/serial/omninet.c in the Linux kernel before     4.10.4 allows local users to cause a denial of service     (tty exhaustion) by leveraging reference count     mishandling.(CVE-2017-8925)

  - A flaw was found in the way memory resources were freed     in the unix_stream_recvmsg function in the Linux kernel     when a signal was pending. This flaw allows an     unprivileged local user to crash the system by     exhausting available memory. The highest threat from     this vulnerability is to system     availability.(CVE-2021-20265)

  - A flaw was found in the JFS filesystem code in the     Linux Kernel which allows a local attacker with the     ability to set extended attributes to panic the system,     causing memory corruption or escalating privileges. The     highest threat from this vulnerability is to     confidentiality, integrity, as well as system     availability.(CVE-2020-27815)

  - An out-of-bounds (OOB) memory access flaw was found in     x25_bind in net/x25/af_x25.c in the Linux kernel     version v5.12-rc5. A bounds check failure allows a     local attacker with a user account on the system to     gain access to out-of-bounds memory, leading to a     system crash or a leak of internal kernel information.
    The highest threat from this vulnerability is to     confidentiality, integrity, as well as system     availability.(CVE-2020-35519)

  - There is a flaw reported in the Linux kernel in     versions before 5.9 in     drivers/gpu/drm/nouveau/nouveau_sgdma.c in     nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The     issue results from the lack of validating the existence     of an object prior to performing operations on the     object. An attacker with a local account with a root     privilege, can leverage this vulnerability to escalate     privileges and execute code in the context of the     kernel.(CVE-2021-20292)

  - In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux     kernel through 5.11.8, the RPA PCI Hotplug driver has a     user-tolerable buffer overflow when writing a new     device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame     directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination,     aka CID-cc7a0bb058b8.(CVE-2021-28972)

  - A race condition was discovered in get_old_root in     fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It     allows attackers to cause a denial of service (BUG)     because of a lack of locking on an extent buffer before     a cloning operation, aka     CID-dbcc7d57bffc.(CVE-2021-28964)

  - An issue was discovered in the Linux kernel before     5.11.7. usbip_sockfd_store in     drivers/usb/usbip/stub_dev.c allows attackers to cause     a denial of service (GPF) because the stub-up sequence     has race conditions during an update of the local and     shared status, aka CID-9380afd6df70.(CVE-2021-29265)

  - BPF JIT compilers in the Linux kernel through 5.11.12     have incorrect computation of branch displacements,     allowing them to execute arbitrary code within the     kernel context. This affects     arch/x86/net/bpf_jit_comp.c and     arch/x86/net/bpf_jit_comp32.c.(CVE-2021-29154)

  - The KVM implementation in the Linux kernel through     4.14.7 allows attackers to obtain potentially sensitive     information from kernel memory, aka a write_mmio     stack-based out-of-bounds read, related to     arch/x86/kvm/x86.c and     include/trace/events/kvm.h.(CVE-2017-17741)

  - An issue was discovered in the Linux kernel before     5.11.3 when a webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak     for large arguments, aka     CID-fb18802a338b.(CVE-2021-30002)

  - An issue was discovered in the Linux kernel through     4.17.10. There is an invalid pointer dereference in
    __del_reloc_root() in fs/btrfs/relocation.c when     mounting a crafted btrfs image, related to removing     reloc rb_trees when reloc control has not been     initialized.(CVE-2018-14609)

  - An issue was discovered in     fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel     through 4.17.3. A denial of service (memory corruption     and BUG) can occur for a corrupted xfs image upon     encountering an inode that is in extent format, but has     more extents than fit in the inode     fork.(CVE-2018-13095)

  - The vmw_gb_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel through 4.10.7 does not validate certain levels     data, which allows local users to cause a denial of     service (system hang) via a crafted ioctl call for a     /dev/dri/renderD* device.(CVE-2017-7346)

  - The klsi_105_get_line_state function in     drivers/usb/serial/kl5kusb105.c in the Linux kernel     before 4.9.5 places uninitialized heap-memory contents     into a log entry upon a failure to read the line     status, which allows local users to obtain sensitive     information by reading the log.(CVE-2017-5549)

  - An integer overflow in the uvesafb_setcmap function in     drivers/video/fbdev/uvesafb.c in the Linux kernel     before 4.17.4 could result in local attackers being     able to crash the kernel or potentially elevate     privileges because kmalloc_array is not     used.(CVE-2018-13406)

  - In the Linux kernel before version 4.12, Kerberos 5     tickets decoded when using the RXRPC keys incorrectly     assumes the size of a field. This could lead to the     size-remaining variable wrapping and the data pointer     going over the end of the buffer. This could possibly     lead to memory corruption and possible privilege     escalation.(CVE-2017-7482)

  - drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x     before 4.9.11 interacts incorrectly with the     CONFIG_VMAP_STACK option, which allows local users to     cause a denial of service (system crash or memory     corruption) or possibly have unspecified other impact     by leveraging use of more than one virtual page for a     DMA scatterlist.(CVE-2017-8069)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - A flaw was found in the Nosy driver in the Linux     kernel. This issue allows a device to be inserted twice     into a doubly-linked list, leading to a use-after-free     when one of these devices is removed. The highest     threat from this vulnerability is to confidentiality,     integrity, as well as system availability. Versions     before kernel 5.12-rc6 are affected(CVE-2021-3483)

  - An issue was discovered in the FUSE filesystem     implementation in the Linux kernel before 5.10.6, aka     CID-5d069dbe8aaf. fuse_do_getattr() calls     make_bad_inode() in inappropriate situations, causing a     system crash. NOTE: the original fix for this     vulnerability was incomplete, and its incompleteness is     tracked as CVE-2021-28950.(CVE-2020-36322)

  - An out-of-bounds (OOB) memory write flaw was found in     list_devices in drivers/md/dm-ioctl.c in the     Multi-device driver module in the Linux kernel before     5.12. A bound check failure allows an attacker with     special user (CAP_SYS_ADMIN) privilege to gain access     to out-of-bounds memory leading to a system crash or a     leak of internal kernel information. The highest threat     from this vulnerability is to system     availability.(CVE-2021-31916)

  - A vulnerability was found in Linux Kernel, where a     refcount leak in llcp_sock_connect() causing     use-after-free which might lead to privilege     escalations.(CVE-2020-25671)

  - A vulnerability was found in Linux Kernel where     refcount leak in llcp_sock_bind() causing     use-after-free which might lead to privilege     escalations.(CVE-2020-25670)

  - A memory leak vulnerability was found in Linux kernel     in llcp_sock_connect(CVE-2020-25672)

  - The Linux kernel before 5.11.14 has a use-after-free in     cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the     CIPSO and CALIPSO refcounting for the DOI definitions     is mishandled, aka CID-ad5d07f4a9cd. This leads to     writing an arbitrary value.(CVE-2021-33033)

  - Use After Free vulnerability in nfc sockets in the     Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations,     the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability.(CVE-2021-23134)

  - A flaw use-after-free in function     hci_sock_bound_ioctl() of the Linux kernel HCI     subsystem was found in the way user detaches bluetooth     dongle or other way triggers unregister bluetooth     device event. A local user could use this flaw to crash     the system or escalate their privileges on the     system.(CVE-2021-3573)

  - An issue was discovered in the Linux kernel through     5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute     code in the kernel, aka     CID-34b1a1ce1458.(CVE-2021-3347)

  - A vulnerability was found in Linux kernel where     non-blocking socket in llcp_sock_connect() leads to     leak and eventually hanging-up the     system.(CVE-2020-25673)

  - net/bluetooth/hci_request.c in the Linux kernel through     5.12.2 has a race condition for removal of the HCI     controller.(CVE-2021-32399)

  - In all Qualcomm products with Android releases from CAF     using the Linux kernel, during DMA allocation, due to     wrong data type of size, allocation size gets truncated     which makes allocation succeed when it should     fail.(CVE-2017-9725)

  - A flaw double-free memory corruption in the Linux     kernel HCI device initialization subsystem was found in     the way user attach malicious HCI TTY Bluetooth device.
    A local user could use this flaw to crash the system.
    This flaw affects all the Linux kernel versions     starting from 3.13.(CVE-2021-3564)

  - A flaw was found in the CAN BCM networking protocol in     the Linux kernel, where a local attacker can abuse a     flaw in the CAN subsystem to corrupt memory, crash the     system or escalate privileges.(CVE-2021-3609)

  - The ip6gre_err function in net/ipv6/ip6_gre.c in the     Linux kernel allows remote attackers to have     unspecified impact via vectors involving GRE flags in     an IPv6 packet, which trigger an out-of-bounds     access.(CVE-2017-5897)

  - An Out-of-Bounds Read was discovered in     arch/arm/mach-footbridge/personal-pci.c in the Linux     kernel through 5.12.11 because of the lack of a check     for a value that shouldn't be negative, e.g., access to     element -2 of an array, aka     CID-298a58e165e4.(CVE-2021-32078)

  - In the Linux kernel before 4.20.8,     kvm_ioctl_create_device in virt/kvm/kvm_main.c     mishandles reference counting because of a race     condition, leading to a use-after-free.(CVE-2019-6974)

  - In uvc_scan_chain_forward of uvc_driver.c, there is a     possible linked list corruption due to an unusual root     cause. This could lead to local escalation of privilege     in the kernel with no additional execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2020-0404)

  - In create_pinctrl of core.c, there is a possible out of     bounds read due to a use after free. This could lead to     local information disclosure with no additional     execution privileges needed. User interaction is not     needed for exploitation.(CVE-2020-0427)

  - In kbd_keycode of keyboard.c, there is a possible out     of bounds write due to a missing bounds check. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-144161459(CVE-2020-0431)

  - In blk_mq_queue_tag_busy_iter of blk-mq-tag.c, there is     a possible use after free due to improper locking. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2020-0433)

  - In various methods of hid-multitouch.c, there is a     possible out of bounds write due to a missing bounds     check. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2020-0465)

  - A vulnerability was found in the Linux Kernel where the     function sunkbd_reinit having been scheduled by     sunkbd_interrupt before sunkbd being freed. Though the     dangling pointer is set to NULL in sunkbd_disconnect,     there is still an alias in sunkbd_reinit causing Use     After Free.(CVE-2020-25669)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected by multiple vulnerabilities:

  - Integer overflow in the aio_setup_single_vector function     in fs/aio.c in the Linux kernel 4.0 allows local users     to cause a denial of service or possibly have     unspecified other impact via a large AIO iovec. NOTE:
    this vulnerability exists because of a CVE-2012-6701     regression. (CVE-2015-8830)

  - A weakness was found in the Linux ASLR implementation.
    Any user able to running 32-bit applications in a x86     machine can disable ASLR by setting the RLIMIT_STACK     resource to unlimited. (CVE-2016-3672)

  - The xc2028_set_config function in     drivers/media/tuners/tuner-xc2028.c in the Linux kernel     before 4.6 allows local users to gain privileges or     cause a denial of service (use-after-free) via vectors     involving omission of the firmware name from a certain     data structure. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely. (CVE-2016-7913)

  - Use-after-free vulnerability in the snd_pcm_info()     function in the ALSA subsystem in the Linux kernel     allows attackers to induce a kernel memory corruption     and possibly crash or lock up a system. Due to the     nature of the flaw, a privilege escalation cannot be     fully ruled out, although we believe it is unlikely.
    (CVE-2017-0861)

  - A reachable assertion failure flaw was found in the     Linux kernel built with KVM virtualisation(CONFIG_KVM)     support with Virtual Function I/O feature (CONFIG_VFIO)     enabled. This failure could occur if a malicious guest     device sent a virtual interrupt (guest IRQ) with a     larger (>1024) index value. (CVE-2017-1000252)

  - Linux kernel Virtualization Module (CONFIG_KVM) for the     Intel processor family (CONFIG_KVM_INTEL) is vulnerable     to a DoS issue. It could occur if a guest was to flood     the I/O port 0x80 with write requests. A guest user     could use this flaw to crash the host kernel resulting     in DoS. (CVE-2017-1000407)

  - A flaw was found in the processing of incoming L2CAP     bluetooth commands. Uninitialized stack variables can be     sent to an attacker leaking data in kernel address     space. (CVE-2017-1000410)

  - A race condition was found in the Linux kernel before     version 4.11-rc1 in 'fs/timerfd.c' file which allows a     local user to cause a kernel list corruption or use-     after-free via simultaneous operations with a file     descriptor which leverage improper 'might_cancel'     queuing. An unprivileged local user could use this flaw     to cause a denial of service of the system. Due to the     nature of the flaw, privilege escalation cannot be fully     ruled out, although we believe it is unlikely.
    (CVE-2017-10661)

  - Linux kernel built with the KVM visualization support     (CONFIG_KVM), with nested visualization (nVMX) feature     enabled (nested=1), is vulnerable to a crash due to     disabled external interrupts. As L2 guest could access     (r/w) hardware CR8 register of the host(L0). In a nested     visualization setup, L2 guest user could use this flaw     to potentially crash the host(L0) resulting in DoS.
    (CVE-2017-12154)

  - It was found that in the Linux kernel through v4.14-rc5,     bio_map_user_iov() and bio_unmap_user() in 'block/bio.c'     do unbalanced pages refcounting if IO vector has small     consecutive buffers belonging to the same page.
    bio_add_pc_page() merges them into one, but the page     reference is never dropped, causing a memory leak and     possible system lockup due to out-of-memory condition.
    (CVE-2017-12190)

  - A flaw was found in the Linux kernel's implementation of     valid_master_desc() in which a memory buffer would be     compared to a userspace value with an incorrect size of     comparison. By bruteforcing the comparison, an attacker     could determine what was in memory after the description     and possibly obtain sensitive information from kernel     memory. (CVE-2017-13305)

  - A use-after-free vulnerability was found in a network     namespaces code affecting the Linux kernel since     v4.0-rc1 through v4.15-rc5. The function     get_net_ns_by_id() does not check for the net::count     value after it has found a peer network in netns_ids idr     which could lead to double free and memory corruption.
    This vulnerability could allow an unprivileged local     user to induce kernel memory corruption on the system,     leading to a crash. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out, although     it is thought to be unlikely. (CVE-2017-15129)

  - A use-after-free vulnerability was found when issuing an     ioctl to a sound device. This could allow a user to     exploit a race condition and create memory corruption or     possibly privilege escalation. (CVE-2017-15265)

  - A flaw was found in the implementation of associative     arrays where the add_key systemcall and KEYCTL_UPDATE     operations allowed for a NULL payload with a nonzero     length. When accessing the payload within this length     parameters value, an unprivileged user could trivially     cause a NULL pointer dereference (kernel oops).
    (CVE-2017-15274)

  - The net/netfilter/nfnetlink_cthelper.c function in the     Linux kernel through 4.14.4 does not require the     CAP_NET_ADMIN capability for new, get, and del     operations. This allows local users to bypass intended     access restrictions because the nfnl_cthelper_list data     structure is shared across all net namespaces.
    (CVE-2017-17448)

  - The __netlink_deliver_tap_skb function in     net/netlink/af_netlink.c in the Linux kernel, through     4.14.4, does not restrict observations of Netlink     messages to a single net namespace, when CONFIG_NLMON is     enabled. This allows local users to obtain sensitive     information by leveraging the CAP_NET_ADMIN capability     to sniff an nlmon interface for all Netlink activity on     the system. (CVE-2017-17449)

  - The usb_destroy_configuration() function, in     'drivers/usb/core/config.c' in the USB core subsystem,     in the Linux kernel through 4.14.5 does not consider the     maximum number of configurations and interfaces before     attempting to release resources. This allows local users     to cause a denial of service, due to out-of-bounds write     access, or possibly have unspecified other impact via a     crafted USB device. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out, although     we believe it is unlikely. (CVE-2017-17558)

  - The Salsa20 encryption algorithm in the Linux kernel,     before 4.14.8, does not correctly handle zero-length     inputs. This allows a local attacker the ability to use     the AF_ALG-based skcipher interface to cause a denial of     service (uninitialized-memory free and kernel crash) or     have an unspecified other impact by executing a crafted     sequence of system calls that use the blkcipher_walk     API. Both the generic implementation     (crypto/salsa20_generic.c) and x86 implementation     (arch/x86/crypto/salsa20_glue.c) of Salsa20 are     vulnerable. (CVE-2017-17805)

  - The tcpmss_mangle_packet function in     net/netfilter/xt_TCPMSS.c in the Linux kernel before     4.11, and 4.9.x before 4.9.36, allows remote attackers     to cause a denial of service (use-after-free and memory     corruption) or possibly have unspecified other impact by     leveraging the presence of xt_TCPMSS in an iptables     action. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely. (CVE-2017-18017)

  - The Linux kernel, before version 4.14.3, is vulnerable     to a denial of service in     drivers/md/dm.c:dm_get_from_kobject() which can be     caused by local users leveraging a race condition with
    __dm_destroy() during creation and removal of DM     devices. Only privileged local users (with CAP_SYS_ADMIN     capability) can directly perform the ioctl operations     for dm device creation and removal and this would     typically be outside the direct control of the     unprivileged attacker. (CVE-2017-18203)

  - The madvise_willneed function in the Linux kernel allows     local users to cause a denial of service (infinite loop)     by triggering use of MADVISE_WILLNEED for a DAX mapping.
    (CVE-2017-18208)

  - A flaw was found where the kernel truncated the value     used to indicate the size of a buffer which it would     later become zero using an untruncated value. This can     corrupt memory outside of the original allocation.
    (CVE-2017-9725)

  - In the Linux kernel versions 4.12, 3.10, 2.6, and     possibly earlier, a race condition vulnerability exists     in the sound system allowing for a potential deadlock     and memory corruption due to use-after-free condition     and thus denial of service. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely. (CVE-2018-1000004)

  - Improper validation in the bnx2x network card driver of     the Linux kernel version 4.15 can allow for denial of     service (DoS) attacks via a packet with a gso_size     larger than ~9700 bytes. Untrusted guest VMs can exploit     this vulnerability in the host machine, causing a crash     in the network card. (CVE-2018-1000026)

  - By mmap()ing a FUSE-backed file onto a process's memory     containing command line arguments (or environment     strings), an attacker can cause utilities from psutils     or procps (such as ps, w) or any other program which     makes a read() call to the /proc//cmdline (or     /proc//environ) files to block indefinitely (denial     of service) or for some controlled time (as a     synchronization primitive for other attacks).
    (CVE-2018-1120)

  - A null pointer dereference in dccp_write_xmit() function     in net/dccp/output.c in the Linux kernel allows a local     user to cause a denial of service by a number of certain     crafted system calls. (CVE-2018-1130)

  - An issue was discovered in the proc_pid_stack function     in fs/proc/base.c in the Linux kernel. An attacker with     a local account can trick the stack unwinder code to     leak stack contents to userspace. The fix allows only     root to inspect the kernel stack of an arbitrary task.
    (CVE-2018-17972)

  - A flaw was found in the Linux kernel with files on tmpfs     and hugetlbfs. An attacker is able to bypass file     permissions on filesystems mounted with tmpfs/hugetlbs     to modify a file and possibly disrupt normal system     behavior. At this time there is an understanding there     is no crash or privilege escalation but the impact of     modifications on these filesystems of files in     production systems may have adverse affects.
    (CVE-2018-18397)

  - In the Linux kernel before 4.17, a local attacker able     to set attributes on an xfs filesystem could make this     filesystem non-operational until the next mount by     triggering an unchecked error condition during an xfs     attribute change, because xfs_attr_shortform_addname in     fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE     operations with conversion of an attr from short to long     form. (CVE-2018-18690)

  - A flaw was found in the Linux kernel's handling of     loopback devices. An attacker, who has permissions to     setup loopback disks, may create a denial of service or     other unspecified actions. (CVE-2018-5344)

  - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c     in the Linux kernel, through 4.14.15, allows local users     to obtain sensitive address information by reading dmesg     data from an SBS HC printk call. (CVE-2018-5750)

  - An error in the _sctp_make_chunk() function     (net/sctp/sm_make_chunk.c) when handling SCTP, packet     length can be exploited by a malicious local user to     cause a kernel crash and a DoS. (CVE-2018-5803)

  - In the function wmi_set_ie() in the Linux kernel the     length validation code does not handle unsigned integer     overflow properly. As a result, a large value of the     ie_len argument can cause a buffer overflow and thus a     memory corruption leading to a system crash or other or     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out, although     we believe it is unlikely. (CVE-2018-5848)

  - ALSA sequencer core initializes the event pool on demand     by invoking snd_seq_pool_init() when the first write     happens and the pool is empty. A user can reset the pool     size manually via ioctl concurrently, and this may lead     to UAF or out-of-bound access. (CVE-2018-7566)

  - A possible memory corruption due to a type confusion was     found in the Linux kernel in the sk_clone_lock()     function in the net/core/sock.c. The possibility of     local escalation of privileges cannot be fully ruled out     for a local unprivileged attacker. (CVE-2018-9568)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities:

  - Integer overflow in the aio_setup_single_vector function     in fs/aio.c in the Linux kernel 4.0 allows local users     to cause a denial of service or possibly have     unspecified other impact via a large AIO iovec. NOTE:
    this vulnerability exists because of a CVE-2012-6701     regression. (CVE-2015-8830)

  - A weakness was found in the Linux ASLR implementation.
    Any user able to running 32-bit applications in a x86     machine can disable ASLR by setting the RLIMIT_STACK     resource to unlimited. (CVE-2016-3672)

  - The xc2028_set_config function in     drivers/media/tuners/tuner-xc2028.c in the Linux kernel     before 4.6 allows local users to gain privileges or     cause a denial of service (use-after-free) via vectors     involving omission of the firmware name from a certain     data structure. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely. (CVE-2016-7913)

  - Use-after-free vulnerability in the snd_pcm_info()     function in the ALSA subsystem in the Linux kernel     allows attackers to induce a kernel memory corruption     and possibly crash or lock up a system. Due to the     nature of the flaw, a privilege escalation cannot be     fully ruled out, although we believe it is unlikely.
    (CVE-2017-0861)

  - A reachable assertion failure flaw was found in the     Linux kernel built with KVM virtualisation(CONFIG_KVM)     support with Virtual Function I/O feature (CONFIG_VFIO)     enabled. This failure could occur if a malicious guest     device sent a virtual interrupt (guest IRQ) with a     larger (>1024) index value. (CVE-2017-1000252)

  - Linux kernel Virtualization Module (CONFIG_KVM) for the     Intel processor family (CONFIG_KVM_INTEL) is vulnerable     to a DoS issue. It could occur if a guest was to flood     the I/O port 0x80 with write requests. A guest user     could use this flaw to crash the host kernel resulting     in DoS. (CVE-2017-1000407)

  - A flaw was found in the processing of incoming L2CAP     bluetooth commands. Uninitialized stack variables can be     sent to an attacker leaking data in kernel address     space. (CVE-2017-1000410)

  - A race condition was found in the Linux kernel before     version 4.11-rc1 in 'fs/timerfd.c' file which allows a     local user to cause a kernel list corruption or use-     after-free via simultaneous operations with a file     descriptor which leverage improper 'might_cancel'     queuing. An unprivileged local user could use this flaw     to cause a denial of service of the system. Due to the     nature of the flaw, privilege escalation cannot be fully     ruled out, although we believe it is unlikely.
    (CVE-2017-10661)

  - Linux kernel built with the KVM visualization support     (CONFIG_KVM), with nested visualization (nVMX) feature     enabled (nested=1), is vulnerable to a crash due to     disabled external interrupts. As L2 guest could access     (r/w) hardware CR8 register of the host(L0). In a nested     visualization setup, L2 guest user could use this flaw     to potentially crash the host(L0) resulting in DoS.
    (CVE-2017-12154)

  - It was found that in the Linux kernel through v4.14-rc5,     bio_map_user_iov() and bio_unmap_user() in 'block/bio.c'     do unbalanced pages refcounting if IO vector has small     consecutive buffers belonging to the same page.
    bio_add_pc_page() merges them into one, but the page     reference is never dropped, causing a memory leak and     possible system lockup due to out-of-memory condition.
    (CVE-2017-12190)

  - A flaw was found in the Linux kernel's implementation of     valid_master_desc() in which a memory buffer would be     compared to a userspace value with an incorrect size of     comparison. By bruteforcing the comparison, an attacker     could determine what was in memory after the description     and possibly obtain sensitive information from kernel     memory. (CVE-2017-13305)

  - A use-after-free vulnerability was found in a network     namespaces code affecting the Linux kernel since     v4.0-rc1 through v4.15-rc5. The function     get_net_ns_by_id() does not check for the net::count     value after it has found a peer network in netns_ids idr     which could lead to double free and memory corruption.
    This vulnerability could allow an unprivileged local     user to induce kernel memory corruption on the system,     leading to a crash. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out, although     it is thought to be unlikely. (CVE-2017-15129)

  - A use-after-free vulnerability was found when issuing an     ioctl to a sound device. This could allow a user to     exploit a race condition and create memory corruption or     possibly privilege escalation. (CVE-2017-15265)

  - A flaw was found in the implementation of associative     arrays where the add_key systemcall and KEYCTL_UPDATE     operations allowed for a NULL payload with a nonzero     length. When accessing the payload within this length     parameters value, an unprivileged user could trivially     cause a NULL pointer dereference (kernel oops).
    (CVE-2017-15274)

  - The net/netfilter/nfnetlink_cthelper.c function in the     Linux kernel through 4.14.4 does not require the     CAP_NET_ADMIN capability for new, get, and del     operations. This allows local users to bypass intended     access restrictions because the nfnl_cthelper_list data     structure is shared across all net namespaces.
    (CVE-2017-17448)

  - The __netlink_deliver_tap_skb function in     net/netlink/af_netlink.c in the Linux kernel, through     4.14.4, does not restrict observations of Netlink     messages to a single net namespace, when CONFIG_NLMON is     enabled. This allows local users to obtain sensitive     information by leveraging the CAP_NET_ADMIN capability     to sniff an nlmon interface for all Netlink activity on     the system. (CVE-2017-17449)

  - The usb_destroy_configuration() function, in     'drivers/usb/core/config.c' in the USB core subsystem,     in the Linux kernel through 4.14.5 does not consider the     maximum number of configurations and interfaces before     attempting to release resources. This allows local users     to cause a denial of service, due to out-of-bounds write     access, or possibly have unspecified other impact via a     crafted USB device. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out, although     we believe it is unlikely. (CVE-2017-17558)

  - The Salsa20 encryption algorithm in the Linux kernel,     before 4.14.8, does not correctly handle zero-length     inputs. This allows a local attacker the ability to use     the AF_ALG-based skcipher interface to cause a denial of     service (uninitialized-memory free and kernel crash) or     have an unspecified other impact by executing a crafted     sequence of system calls that use the blkcipher_walk     API. Both the generic implementation     (crypto/salsa20_generic.c) and x86 implementation     (arch/x86/crypto/salsa20_glue.c) of Salsa20 are     vulnerable. (CVE-2017-17805)

  - The tcpmss_mangle_packet function in     net/netfilter/xt_TCPMSS.c in the Linux kernel before     4.11, and 4.9.x before 4.9.36, allows remote attackers     to cause a denial of service (use-after-free and memory     corruption) or possibly have unspecified other impact by     leveraging the presence of xt_TCPMSS in an iptables     action. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely. (CVE-2017-18017)

  - The Linux kernel, before version 4.14.3, is vulnerable     to a denial of service in     drivers/md/dm.c:dm_get_from_kobject() which can be     caused by local users leveraging a race condition with
    __dm_destroy() during creation and removal of DM     devices. Only privileged local users (with CAP_SYS_ADMIN     capability) can directly perform the ioctl operations     for dm device creation and removal and this would     typically be outside the direct control of the     unprivileged attacker. (CVE-2017-18203)

  - The madvise_willneed function in the Linux kernel allows     local users to cause a denial of service (infinite loop)     by triggering use of MADVISE_WILLNEED for a DAX mapping.
    (CVE-2017-18208)

  - A flaw was found where the kernel truncated the value     used to indicate the size of a buffer which it would     later become zero using an untruncated value. This can     corrupt memory outside of the original allocation.
    (CVE-2017-9725)

  - In the Linux kernel versions 4.12, 3.10, 2.6, and     possibly earlier, a race condition vulnerability exists     in the sound system allowing for a potential deadlock     and memory corruption due to use-after-free condition     and thus denial of service. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely. (CVE-2018-1000004)

  - Improper validation in the bnx2x network card driver of     the Linux kernel version 4.15 can allow for denial of     service (DoS) attacks via a packet with a gso_size     larger than ~9700 bytes. Untrusted guest VMs can exploit     this vulnerability in the host machine, causing a crash     in the network card. (CVE-2018-1000026)

  - By mmap()ing a FUSE-backed file onto a process's memory     containing command line arguments (or environment     strings), an attacker can cause utilities from psutils     or procps (such as ps, w) or any other program which     makes a read() call to the /proc//cmdline (or     /proc//environ) files to block indefinitely (denial     of service) or for some controlled time (as a     synchronization primitive for other attacks).
    (CVE-2018-1120)

  - A null pointer dereference in dccp_write_xmit() function     in net/dccp/output.c in the Linux kernel allows a local     user to cause a denial of service by a number of certain     crafted system calls. (CVE-2018-1130)

  - An issue was discovered in the proc_pid_stack function     in fs/proc/base.c in the Linux kernel. An attacker with     a local account can trick the stack unwinder code to     leak stack contents to userspace. The fix allows only     root to inspect the kernel stack of an arbitrary task.
    (CVE-2018-17972)

  - A flaw was found in the Linux kernel with files on tmpfs     and hugetlbfs. An attacker is able to bypass file     permissions on filesystems mounted with tmpfs/hugetlbs     to modify a file and possibly disrupt normal system     behavior. At this time there is an understanding there     is no crash or privilege escalation but the impact of     modifications on these filesystems of files in     production systems may have adverse affects.
    (CVE-2018-18397)

  - In the Linux kernel before 4.17, a local attacker able     to set attributes on an xfs filesystem could make this     filesystem non-operational until the next mount by     triggering an unchecked error condition during an xfs     attribute change, because xfs_attr_shortform_addname in     fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE     operations with conversion of an attr from short to long     form. (CVE-2018-18690)

  - Modern operating systems implement virtualization of     physical memory to efficiently use available system     resources and provide inter-domain protection through     access control and isolation. The L1TF issue was found     in the way the x86 microprocessor designs have     implemented speculative execution of instructions (a     commonly used performance optimization) in combination     with handling of page-faults caused by terminated     virtual to physical address resolving process. As a     result, an unprivileged attacker could use this flaw to     read privileged memory of the kernel or other processes     and/or cross guest/host boundaries to read host memory     by conducting targeted cache side-channel attacks.
    (CVE-2018-3646)

  - A flaw was found in the Linux kernel's handling of     loopback devices. An attacker, who has permissions to     setup loopback disks, may create a denial of service or     other unspecified actions. (CVE-2018-5344)

  - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c     in the Linux kernel, through 4.14.15, allows local users     to obtain sensitive address information by reading dmesg     data from an SBS HC printk call. (CVE-2018-5750)

  - An error in the _sctp_make_chunk() function     (net/sctp/sm_make_chunk.c) when handling SCTP, packet     length can be exploited by a malicious local user to     cause a kernel crash and a DoS. (CVE-2018-5803)

  - In the function wmi_set_ie() in the Linux kernel the     length validation code does not handle unsigned integer     overflow properly. As a result, a large value of the     ie_len argument can cause a buffer overflow and thus a     memory corruption leading to a system crash or other or     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out, although     we believe it is unlikely. (CVE-2018-5848)

  - ALSA sequencer core initializes the event pool on demand     by invoking snd_seq_pool_init() when the first write     happens and the pool is empty. A user can reset the pool     size manually via ioctl concurrently, and this may lead     to UAF or out-of-bound access. (CVE-2018-7566)

  - A possible memory corruption due to a type confusion was     found in the Linux kernel in the sk_clone_lock()     function in the net/core/sock.c. The possibility of     local escalation of privileges cannot be fully ruled out     for a local unprivileged attacker. (CVE-2018-9568)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions past bounds check. The flaw     relies on the presence of a precisely-defined     instruction sequence in the privileged code and the     fact that memory writes occur to an address which     depends on the untrusted value. Such writes cause an     update into the microprocessor's data cache even for     speculatively executed instructions that never actually     commit (retire). As a result, an unprivileged attacker     could use this flaw to influence speculative execution     and/or read privileged memory by conducting targeted     cache side-channel attacks.(CVE-2018-3693)

  - A flaw named SegmentSmack was found in the way the     Linux kernel handled specially crafted TCP packets. A     remote attacker could use this flaw to trigger time and     calculation expensive calls to tcp_collapse_ofo_queue()     and tcp_prune_ofo_queue() functions by sending     specially modified packets within ongoing TCP sessions     which could lead to a CPU saturation and hence a denial     of service on the system. Maintaining the denial of     service condition requires continuous two-way TCP     sessions to a reachable open port, thus the attacks     cannot be performed using spoofed IP     addresses.(CVE-2018-5390)

  - It was found that the raw midi kernel driver does not     protect against concurrent access which leads to a     double realloc (double free) in     snd_rawmidi_input_params() and     snd_rawmidi_output_status() which are part of     snd_rawmidi_ioctl() handler in rawmidi.c file. A     malicious local attacker could possibly use this for     privilege escalation.(CVE-2018-10902)

  - Integer overflow in the aio_setup_single_vector     function in fs/aio.c in the Linux kernel 4.0 allows     local users to cause a denial of service or possibly     have unspecified other impact via a large AIO iovec.
    NOTE: this vulnerability exists because of a     CVE-2012-6701 regression.(CVE-2015-8830)

  - A flaw was found in the Linux networking subsystem     where a local attacker with CAP_NET_ADMIN capabilities     could cause an out-of-bounds memory access by creating     a smaller-than-expected ICMP header and sending to its     destination via sendto().(CVE-2016-8399)

  - Out-of-bounds kernel heap access vulnerability was     found in xfrm, kernel's IP framework for transforming     packets. An error dealing with netlink messages from an     unprivileged user leads to arbitrary read/write and     privilege escalation.(CVE-2017-7184)

  - The Linux kernel was found to be vulnerable to a NULL     pointer dereference bug in the __netlink_ns_capable()     function in the net/netlink/af_netlink.c file. A local     attacker could exploit this when a net namespace with a     netnsid is assigned to cause a kernel panic and a     denial of service.i1/4^CVE-2018-14646i1/4%0

  - A flaw was found where the kernel truncated the value     used to indicate the size of a buffer which it would     later become zero using an untruncated value. This can     corrupt memory outside of the original     allocation.(CVE-2017-9725)

  - A bug in the 32-bit compatibility layer of the ioctl     handling code of the v4l2 video driver in the Linux     kernel has been found. A memory protection mechanism     ensuring that user-provided buffers always point to a     userspace memory were disabled, allowing destination     address to be in a kernel space. This flaw could be     exploited by an attacker to overwrite a kernel memory     from an unprivileged userspace process, leading to     privilege escalation.(CVE-2017-13166)

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions (a commonly used performance     optimization). There are three primary variants of the     issue which differ in the way the speculative execution     can be exploited. Variant CVE-2017-5754 relies on the     fact that, on impacted microprocessors, during     speculative execution of instruction permission faults,     exception generation triggered by a faulting access is     suppressed until the retirement of the whole     instruction block. In a combination with the fact that     memory accesses may populate the cache even when the     block is being dropped and never committed (executed),     an unprivileged local attacker could use this flaw to     read privileged (kernel space) memory by conducting     targeted cache side-channel attacks. Note:
    CVE-2017-5754 affects Intel x86-64 microprocessors. AMD     x86-64 microprocessors are not affected by this     issue.(CVE-2017-5754)

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions (a commonly used performance     optimization). There are three primary variants of the     issue which differ in the way the speculative execution     can be exploited. Variant CVE-2017-5753 triggers the     speculative execution by performing a bounds-check     bypass. It relies on the presence of a     precisely-defined instruction sequence in the     privileged code as well as the fact that memory     accesses may cause allocation into the microprocessor's     data cache even for speculatively executed instructions     that never actually commit (retire). As a result, an     unprivileged attacker could use this flaw to cross the     syscall boundary and read privileged memory by     conducting targeted cache side-channel     attacks.(CVE-2017-5753)

  - A flaw was found in the Linux kernel's skcipher     component, which affects the skcipher_recvmsg function.
    Attackers using a specific input can lead to a     privilege escalation.i1/4^CVE-2017-13215i1/4%0

  - The tcpmss_mangle_packet function in     net/netfilter/xt_TCPMSS.c in the Linux kernel before     4.11, and 4.9.x before 4.9.36, allows remote attackers     to cause a denial of service (use-after-free and memory     corruption) or possibly have unspecified other impact     by leveraging the presence of xt_TCPMSS in an iptables     action. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely.i1/4^CVE-2017-18017i1/4%0

  - A kernel data leak due to an out-of-bound read was     found in the Linux kernel in     inet_diag_msg_sctp{,l}addr_fill() and     sctp_get_sctp_info() functions present since version     4.7-rc1 through version 4.13. A data leak happens when     these functions fill in sockaddr data structures used     to export socket's diagnostic information. As a result,     up to 100 bytes of the slab data could be leaked to a     userspace.i1/4^CVE-2017-7558i1/4%0

  - Use-after-free vulnerability in the snd_pcm_info()     function in the ALSA subsystem in the Linux kernel     allows attackers to induce a kernel memory corruption     and possibly crash or lock up a system. Due to the     nature of the flaw, a privilege escalation cannot be     fully ruled out, although we believe it is     unlikely.i1/4^CVE-2017-0861i1/4%0

  - Improper validation in the bnx2x network card driver of     the Linux kernel version 4.15 can allow for denial of     service (DoS) attacks via a packet with a gso_size     larger than ~9700 bytes. Untrusted guest VMs can     exploit this vulnerability in the host machine, causing     a crash in the network card.i1/4^CVE-2018-1000026i1/4%0

  - An error in the '_sctp_make_chunk()' function     (net/sctp/sm_make_chunk.c) when handling SCTP, packet     length can be exploited by a malicious local user to     cause a kernel crash and a DoS.i1/4^CVE-2018-5803i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found where the kernel truncated the value     used to indicate the size of a buffer which it would     later become zero using an untruncated value. This can     corrupt memory outside of the original     allocation.(CVE-2017-9725)

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions (a commonly used performance     optimization). There are three primary variants of the     issue which differ in the way the speculative execution     can be exploited. Variant CVE-2017-5753 triggers the     speculative execution by performing a bounds-check     bypass. It relies on the presence of a     precisely-defined instruction sequence in the     privileged code as well as the fact that memory     accesses may cause allocation into the microprocessor's     data cache even for speculatively executed instructions     that never actually commit (retire). As a result, an     unprivileged attacker could use this flaw to cross the     syscall boundary and read privileged memory by     conducting targeted cache side-channel     attacks.(CVE-2017-5753)

  - A buffer overflow was found in the Linux kernel's     isdn_net_newslave() function in the     /drivers/isdn/i4l/isdn_net.c file. An overflow happens     when the user-controlled buffer is copied into a local     buffer of constant size using strcpy() without a length     check.(CVE-2017-12762)

  - Modern operating systems implement virtualization of     physical memory to efficiently use available system     resources and provide inter-domain protection through     access control and isolation. The L1TF issue was found     in the way the x86 microprocessor designs have     implemented speculative execution of instructions (a     commonly used performance optimization) in combination     with handling of page-faults caused by terminated     virtual to physical address resolving process. As a     result, an unprivileged attacker could use this flaw to     read privileged memory of the kernel or other processes     and/or cross guest/host boundaries to read host memory     by conducting targeted cache side-channel     attacks.(CVE-2018-3646)

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions (a commonly used performance     optimization). There are three primary variants of the     issue which differ in the way the speculative execution     can be exploited. Variant CVE-2017-5715 triggers the     speculative execution by utilizing branch target     injection. It relies on the presence of a     precisely-defined instruction sequence in the     privileged code as well as the fact that memory     accesses may cause allocation into the microprocessor's     data cache even for speculatively executed instructions     that never actually commit (retire). As a result, an     unprivileged attacker could use this flaw to cross the     syscall and guest/host boundaries and read privileged     memory by conducting targeted cache side-channel     attacks.(CVE-2017-5715)

  - Modern operating systems implement virtualization of     physical memory to efficiently use available system     resources and provide inter-domain protection through     access control and isolation. The L1TF issue was found     in the way the x86 microprocessor designs have     implemented speculative execution of instructions (a     commonly used performance optimization) in combination     with handling of page-faults caused by terminated     virtual to physical address resolving process. As a     result, an unprivileged attacker could use this flaw to     read privileged memory of the kernel or other processes     and/or cross guest/host boundaries to read host memory     by conducting targeted cache side-channel     attacks.(CVE-2018-3620)

  - In hid_debug_events_read of drivers/hid/hid-debug.c,     there is a possible out of bounds write due to a     missing bounds check. This could lead to local     escalation of privilege with System execution     privileges needed. User interaction is not needed for     exploitation. Product: Android Versions: Android kernel     Android ID: A-71361580.(CVE-2018-9516)

  - Systems with microprocessors utilizing speculative     execution and speculative execution of memory reads     before the addresses of all prior memory writes are     known may allow unauthorized disclosure of information     to an attacker with local user access via a     side-channel analysis, aka Speculative Store Bypass     (SSB), Variant 4.(CVE-2018-3639)

  - It was found that the Linux kernel memory resource     controller's (memcg) handling of OOM (out of memory)     conditions could lead to deadlocks. An attacker able to     continuously spawn new processes within a single     memory-constrained cgroup during an OOM event could use     this flaw to lock up the system.(CVE-2014-8171)

  - In sk_clone_lock of sock.c, there is a possible memory     corruption due to type confusion. This could lead to     local escalation of privilege with no additional     execution privileges needed. User interaction is not     needed for exploitation. Product: Android. Versions:
    Android kernel. Android ID: A-113509306. References:
    Upstream kernel.(CVE-2018-9568)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - rds: congestion updates can be missed when kernel low on     memory (Mukesh Kacker) [Orabug: 28425811]

  - net/rds: ib: Fix endless RNR Retries caused by memory     allocation failures (Venkat Venkatsubra) [Orabug:
    28127993]

  - net: rds: fix excess initialization of the recv SGEs     (Zhu Yanjun) [Orabug: 29004503]

  - xhci: fix usb2 resume timing and races. (Mathias Nyman)     [Orabug: 29028940]

  - xhci: Fix a race in usb2 LPM resume, blocking U3 for     usb2 devices (Mathias Nyman) [Orabug: 29028940]

  - userfaultfd: check VM_MAYWRITE was set after verifying     the uffd is registered (Andrea Arcangeli) [Orabug:
    29163750] (CVE-2018-18397)

  - userfaultfd: shmem/hugetlbfs: only allow to register     VM_MAYWRITE vmas (Andrea Arcangeli) [Orabug: 29163750]     (CVE-2018-18397)

  - x86/apic/x2apic: set affinity of a single interrupt to     one cpu (Jianchao Wang) [Orabug: 29196396]

  - xen/blkback: rework validate_io_op (Dongli Zhang)     [Orabug: 29199843]

  - xen/blkback: optimize validate_io_op to filter     BLKIF_OP_RESERVED_1 operation (Dongli Zhang) [Orabug:
    29199843]

  - xen/blkback: do not BUG for invalid blkif_request from     frontend (Dongli Zhang) [Orabug: 29199843]

  - net/rds: WARNING: at net/rds/recv.c:222     rds_recv_hs_exthdrs+0xf8/0x1e0 (Venkat Venkatsubra)     [Orabug: 29201779]

  - xen-netback: wake up xenvif_dealloc_kthread when it     should stop (Dongli Zhang) [Orabug: 29217927]

  - Revert 'xfs: remove nonblocking mode from     xfs_vm_writepage' (Wengang Wang) [Orabug: 29279692]

  - Revert 'xfs: remove xfs_cancel_ioend' (Wengang Wang)     [Orabug: 29279692]

  - Revert 'xfs: Introduce writeback context for writepages'     (Wengang Wang) [Orabug: 29279692]

  - Revert 'xfs: xfs_cluster_write is redundant' (Wengang     Wang) [Orabug: 29279692]

  - Revert 'xfs: factor mapping out of xfs_do_writepage'     (Wengang Wang) [Orabug: 29279692]

  - Revert 'xfs: don't chain ioends during writepage     submission' (Wengang Wang) [Orabug: 29279692]

  - mstflint: Fix coding style issues - left with     LINUX_VERSION_CODE (Idan Mehalel) [Orabug: 28878697]

  - mstflint: Fix coding-style issues (Idan Mehalel)     [Orabug: 28878697]

  - mstflint: Fix errors found with checkpatch script (Idan     Mehalel) [Orabug: 28878697]

  - Added support for 5th Gen devices in Secure Boot module     and mtcr (Adham Masarwah) [Orabug: 28878697]

  - Fix typos in mst_kernel (Adham Masarwah) [Orabug:
    28878697]

  - bnxt_en: Report PCIe link properties with     pcie_print_link_status (Brian Maly) [Orabug: 28942099]

  - selinux: Perform both commoncap and selinux xattr checks     (Eric W. Biederman) [Orabug: 28951521]

  - Introduce v3 namespaced file capabilities (Serge E.
    Hallyn) [Orabug: 28951521]

  - rds: ib: Use a delay when reconnecting to the very same     IP address (H&aring kon Bugge) [Orabug: 29138813]

  - Change mincore to count 'mapped' pages rather than     'cached' pages (Linus Torvalds) [Orabug: 29187415]     (CVE-2019-5489)

  - NFSD: Set the attributes used to store the verifier for     EXCLUSIVE4_1 (Kinglong Mee) [Orabug: 29204157]

  - ext4: update i_disksize when new eof exceeds it (Shan     Hai) [Orabug: 28940828]

  - ext4: update i_disksize if direct write past ondisk size     (Eryu Guan) [Orabug: 28940828]

  - ext4: protect i_disksize update by i_data_sem in direct     write path (Eryu Guan) [Orabug: 28940828]

  - ALSA: usb-audio: Fix UAF decrement if card has no live     interfaces in card.c (Hui Peng) [Orabug: 29042981]     (CVE-2018-19824)

  - ALSA: usb-audio: Replace probing flag with active     refcount (Takashi Iwai) [Orabug: 29042981]     (CVE-2018-19824)

  - ALSA: usb-audio: Avoid nested autoresume calls (Takashi     Iwai) [Orabug: 29042981] (CVE-2018-19824)

  - ext4: validate that metadata blocks do not overlap     superblock (Theodore Ts'o) [Orabug: 29114440]     (CVE-2018-1094)

  - ext4: update inline int ext4_has_metadata_csum(struct     super_block *sb) (John Donnelly) [Orabug: 29114440]     (CVE-2018-1094)

  - ext4: always initialize the crc32c checksum driver     (Theodore Ts'o) [Orabug: 29114440] (CVE-2018-1094)     (CVE-2018-1094)

  - Revert 'bnxt_en: Reduce default rings on multi-port     cards.' (Brian Maly) [Orabug: 28687746]

  - mlx4_core: Disable P_Key Violation Traps (H&aring kon     Bugge) [Orabug: 27693633]

  - rds: RDS connection does not reconnect after CQ access     violation error (Venkat Venkatsubra) [Orabug: 28733324]

  - KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL     (KarimAllah Ahmed) [Orabug: 28069548]

  - KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL -     reloaded (Mihai Carabas) [Orabug: 28069548]

  - KVM/x86: Add IBPB support (Ashok Raj) [Orabug: 28069548]

  - KVM: x86: pass host_initiated to functions that read     MSRs (Paolo Bonzini) [Orabug: 28069548]

  - KVM: VMX: make MSR bitmaps per-VCPU (Paolo Bonzini)     [Orabug: 28069548]

  - KVM: VMX: introduce alloc_loaded_vmcs (Paolo Bonzini)     [Orabug: 28069548]

  - KVM: nVMX: Eliminate vmcs02 pool (Jim Mattson) [Orabug:
    28069548]

  - KVM: nVMX: fix msr bitmaps to prevent L2 from accessing     L0 x2APIC (Radim Kr&#x10D m&aacute &#x159 ) [Orabug:
    28069548]

  - ocfs2: don't clear bh uptodate for block read (Junxiao     Bi) [Orabug: 28762940]

  - ocfs2: clear journal dirty flag after shutdown journal     (Junxiao Bi) [Orabug: 28924775]

  - ocfs2: fix panic due to unrecovered local alloc (Junxiao     Bi) [Orabug: 28924775]

  - net: rds: fix rds_ib_sysctl_max_recv_allocation error     (Zhu Yanjun) [Orabug: 28947481]

  - x86/speculation: Always disable IBRS in     disable_ibrs_and_friends (Alejandro Jimenez) [Orabug:
    29139710]

  - pinctrl: amd: Use devm_pinctrl_register for pinctrl     registration (Laxman Dewangan) [Orabug: 27539246]     (CVE-2017-18174)

  - mlock: fix mlock count can not decrease in race     condition (Yisheng Xie) [Orabug: 27677611]     (CVE-2017-18221)

  - perf/core: Fix the perf_cpu_time_max_percent check (Tan     Xiaojun) [Orabug: 27823815] (CVE-2017-18255)

  - x86/microcode/intel: Fix a wrong assignment of revision     in _save_mc (Zhenzhong Duan) [Orabug: 28190263]

  - mm: cma: fix incorrect type conversion for size during     dma allocation (Rohit Vaswani) [Orabug: 28407826]     (CVE-2017-9725)

  - x86/speculation: Make enhanced IBRS the default spectre     v2 mitigation (Alejandro Jimenez) [Orabug: 28474851]

  - x86/speculation: Enable enhanced IBRS usage (Alejandro     Jimenez) [Orabug: 28474851]

  - x86/speculation: functions for supporting enhanced IBRS     (Alejandro Jimenez) [Orabug: 28474851]

  - xen/blkback: fix disconnect while I/Os in flight     (Juergen Gross) [Orabug: 28744234]

  - mlx4_vnic: use the mlid while calling ib_detach_mcast     (aru kolappan) [Orabug: 29029705]

  - ext4: fail ext4_iget for root directory if unallocated     (Theodore Ts'o) [Orabug: 29048557] (CVE-2018-1092)     (CVE-2018-1092)

  - Bluetooth: hidp: buffer overflow in hidp_process_report     (Mark Salyzyn) [Orabug: 29121215] (CVE-2018-9363)     (CVE-2018-9363)

  - HID: debug: check length before copy_to_user (Daniel     Rosenberg) [Orabug: 29128165] (CVE-2018-9516)

  - x86/MCE: Serialize sysfs changes (Seunghun Han) [Orabug:
    29149888] (CVE-2018-7995)

  - Input: i8042 - fix crash at boot time (Chen Hong)     [Orabug: 29152328] (CVE-2017-18079)

  - base/memory, hotplug: fix a kernel oops in     show_valid_zones (Toshi Kani) [Orabug: 29050538]

  - mm/memory_hotplug.c: check start_pfn in     test_pages_in_a_zone (Toshi Kani) [Orabug: 29050538]

  - drivers/base/memory.c: prohibit offlining of memory     blocks with missing sections (Seth Jennings) [Orabug:
    29050538]

  - mm: Check if section present during memory block     (un)registering (Yinghai Lu) [Orabug: 29050538]

  - hugetlb: take PMD sharing into account when flushing     tlb/caches (Mike Kravetz) [Orabug: 28951854]

  - mm: migration: fix migration of huge PMD shared pages     (Mike Kravetz) [Orabug: 28951854]

  - hugetlbfs: use truncate mutex to prevent pmd sharing     race (Mike Kravetz) [Orabug: 28896255]

  - rds: ib: Improve tracing during failover/back     (H&aring kon Bugge) [Orabug: 28860366]

  - rds: ib: Remove superfluous add of address on fail-back     device (H&aring kon Bugge) [Orabug: 28860366]

  - libiscsi: Fix NULL pointer dereference in     iscsi_eh_session_reset (Fred Herard) [Orabug: 28946207]

  - wil6210: missing length check in wmi_set_ie (Lior David)     [Orabug: 28951265] (CVE-2018-5848)

  - netfilter: xt_osf: Add missing permission checks (Kevin     Cernekee) [Orabug: 29037831] (CVE-2017-17450)

  - x86/speculation: Fix bad argument to rdmsrl in     cpu_set_bug_bits (Alejandro Jimenez) [Orabug: 29044805]

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-4315 advisory.    - In all Qualcomm products with Android releases from CAF using the Linux kernel, during DMA allocation, due     to wrong data type of size, allocation size gets truncated which makes allocation succeed when it should     fail. (CVE-2017-9725)    - The ext4_iget function in fs/ext4/inode.c in the Linux kernel through 4.15.15 mishandles the case of a     root directory with a zero i_links_count, which allows attackers to cause a denial of service     (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image. (CVE-2018-1092)    - drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows attackers to cause a denial of     service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the     port->exists value can change after it is validated. (CVE-2017-18079)    - In the Linux kernel before 4.7, the amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the     pinctrl_unregister function, leading to a double free. (CVE-2017-18174)    - The __munlock_pagevec function in mm/mlock.c in the Linux kernel before 4.11.4 allows local users to cause     a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall system     calls.
(CVE-2017-18221)    - The perf_cpu_time_max_percent_handler function in kernel/events/core.c in the Linux kernel before 4.11     allows local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation. (CVE-2017-18255)    - ** DISPUTED ** Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c     in the Linux kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging     root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck directory. NOTE: a third party has indicated that this report is not security relevant.     (CVE-2018-7995)    - In the hidp_process_report in bluetooth, there is an integer overflow. This could lead to an out of bounds     write with no additional execution privileges needed. User interaction is not needed for exploitation.     Product: Android Versions: Android kernel Android ID: A-65853588 References: Upstream kernel.     (CVE-2018-9363)    - In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a     missing bounds check. This could lead to local escalation of privilege with System execution privileges     needed. User interaction is not needed for exploitation. Product: Android Versions:
Android kernel Android     ID: A-71361580. (CVE-2018-9516)  Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Security Fix(es) :

  - hw: cpu: speculative execution permission faults     handling (CVE-2017-5754, Important, KVM for Power)

  - kernel: Buffer overflow in firewire driver via crafted     incoming packets (CVE-2016-8633, Important)

  - kernel: Use-after-free vulnerability in DCCP socket     (CVE-2017-8824, Important)

  - Kernel: kvm: nVMX: L2 guest could access hardware(L0)     CR8 register (CVE-2017-12154, Important)

  - kernel: v4l2: disabled memory access protection     mechanism allowing privilege escalation (CVE-2017-13166,     Important)

  - kernel: media: use-after-free in [tuner-xc2028] media     driver (CVE-2016-7913, Moderate)

  - kernel: drm/vmwgfx: fix integer overflow in     vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

  - kernel: Incorrect type conversion for size during dma     allocation (CVE-2017-9725, Moderate)

  - kernel: memory leak when merging buffers in SCSI IO     vectors (CVE-2017-12190, Moderate)

  - kernel: vfs: BUG in truncate_inode_pages_range() and     fuse client (CVE-2017-15121, Moderate)

  - kernel: Use-after-free in     userfaultfd_event_wait_completion function in     userfaultfd.c (CVE-2017-15126, Moderate)

  - kernel: net: double-free and memory corruption in     get_net_ns_by_id() (CVE-2017-15129, Moderate)

  - kernel: Use-after-free in snd_seq_ioctl_create_port()     (CVE-2017-15265, Moderate)

  - kernel: Missing capabilities check in     net/netfilter/nfnetlink_cthelper.c allows for     unprivileged access to systemwide nfnl_cthelper_list     structure (CVE-2017-17448, Moderate)

  - kernel: Missing namespace check in     net/netlink/af_netlink.c allows for network monitors to     observe systemwide activity (CVE-2017-17449, Moderate)

  - kernel: Unallocated memory access by malicious USB     device via bNumInterfaces overflow (CVE-2017-17558,     Moderate)

  - kernel: netfilter: use-after-free in     tcpmss_mangle_packet function in     net/netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

  - kernel: Race condition in     drivers/md/dm.c:dm_get_from_kobject() allows local users     to cause a denial of service (CVE-2017-18203, Moderate)

  - kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ     (CVE-2017-1000252, Moderate)

  - Kernel: KVM: DoS via write flood to I/O port 0x80     (CVE-2017-1000407, Moderate)

  - kernel: Stack information leak in the EFS element     (CVE-2017-1000410, Moderate)

  - kernel: Kernel address information leak in     drivers/acpi/sbshc.c:acpi_smbus_hc_add() function     potentially allowing KASLR bypass (CVE-2018-5750,     Moderate)

  - kernel: Race condition in sound system can lead to     denial of service (CVE-2018-1000004, Moderate)

  - kernel: multiple Low security impact security issues     (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116,     CVE-2017-15127, CVE-2018-6927, Low)

Additional Changes :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power)

* kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important)

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate)

* kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate)

* kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate)

* kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate)

* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

* kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate)

* kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate)

* kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low)

Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

An update for kernel-rt is now available for Red Hat Enterprise MRG 2.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Mohamed Ghannam for reporting CVE-2017-8824 and Armis Labs for reporting CVE-2017-1000410.

Bug Fix(es) :

* The kernel-rt packages have been upgraded to version 3.10.0-693.25.2.rt56.612, which provides a number of security and bug fixes over the previous version. (BZ#1549731)

* Intel Core X-Series (Skylake) processors use a hard-coded Time Stamp Counter (TSC) frequency of 25 MHz. In some cases this can be imprecise and lead to timing-related problems such as time drift, timers being triggered early, or TSC clock instability. This update mitigates these problems by no longer using the 'native_calibrate_tsc()' function to define the TSC frequency. Refined calibration is now used to update the clock rate accordingly in these cases. (BZ#1547854)

An update for kernel is now available for Red Hat Enterprise Linux 7.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Mohamed Ghannam for reporting CVE-2017-8824; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410.

Bug Fix(es) :

These updated kernel packages include also numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. See the bug fix descriptions in the related Knowledge Article:
https://access.redhat.com/articles/3411331

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2018-1062 advisory.

  - drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations,     allows remote attackers to execute arbitrary code via crafted fragmented packets. (CVE-2016-8633)

  - The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not     properly randomize the legacy base address, which makes it easier for local users to defeat the intended     restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or     setgid program, by disabling stack-consumption resource limits. (CVE-2016-3672)

  - The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that     the CR8-load exiting and CR8-store exiting L0 vmcs02 controls exist in cases where L1 omits the use     TPR shadow vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the     hardware CR8 register. (CVE-2017-12154)

  - The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do     unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page.
    The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a     memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk     is passed through to a virtual machine) due to an out-of-memory condition. (CVE-2017-12190)

  - The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port     0x80 an exception can be triggered leading to a kernel panic. (CVE-2017-1000407)

  - The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to     gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during     the DCCP_LISTEN state. (CVE-2017-8824)

  - The move_pages system call in mm/migrate.c in the Linux kernel before 4.12.9 doesn't check the effective     uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable     despite ASLR. (CVE-2017-14140)

  - The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel     through 4.10.6 does not validate addition of certain levels data, which allows local users to trigger an     integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly     gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device. (CVE-2017-7294)

  - In all Qualcomm products with Android releases from CAF using the Linux kernel, during DMA allocation, due     to wrong data type of size, allocation size gets truncated which makes allocation succeed when it should     fail. (CVE-2017-9725)

  - A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetlb.c in the Linux kernel before 4.13.
    A superfluous implicit page unlock for VM_SHARED hugetlbfs mapping could trigger a local denial of service     (BUG). (CVE-2017-15127)

  - A use-after-free vulnerability was found in network namespaces code affecting the Linux kernel before     4.14.11. The function get_net_ns_by_id() in net/core/net_namespace.c does not check for the net::count     value after it has found a peer network in netns_ids idr, which could lead to double free and memory     corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption     on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully     ruled out, although it is thought to be unlikely. (CVE-2017-15129)

  - Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 allows local users to cause a     denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq     ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c. (CVE-2017-15265)

  - The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4,     when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net     namespace, which allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN     capability to sniff an nlmon interface for all Netlink activity on the system. (CVE-2017-17449)

  - The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux     kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before     attempting to release resources, which allows local users to cause a denial of service (out-of-bounds     write access) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-17558)

  - The Linux kernel version 3.3-rc1 and later is affected by a vulnerability lies in the processing of     incoming L2CAP commands - ConfigRequest, and ConfigResponse messages. This info leak is a result of     uninitialized stack variables that may be returned to an attacker in their uninitialized state. By     manipulating the code flows that precede the handling of these configuration messages, an attacker can     also gain some control over which data will be held in the uninitialized stack variables. This can allow     him to bypass KASLR, and stack canaries protection - as both pointers and stack canaries may be leaked in     this manner. Combining this vulnerability (for example) with the previously disclosed RCE vulnerability in     L2CAP configuration parsing (CVE-2017-1000251) may allow an attacker to exploit the RCE against kernels     which were built with the above mitigations. These are the specifics of this vulnerability: In the     function l2cap_parse_conf_rsp and in the function l2cap_parse_conf_req the following variable is declared     without initialization: struct l2cap_conf_efs efs; In addition, when parsing input configuration     parameters in both of these functions, the switch case for handling EFS elements may skip the memcpy call     that will write to the efs variable: ... case L2CAP_CONF_EFS: if (olen == sizeof(efs)) memcpy(&efs;, (void
    *)val, olen); ... The olen in the above if is attacker controlled, and regardless of that if, in both of     these functions the efs variable would eventually be added to the outgoing configuration request that is     being built: l2cap_add_conf_opt(&ptr;, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs;); So by sending a     configuration request, or response, that contains an L2CAP_CONF_EFS element, but with an element length     that is not sizeof(efs) - the memcpy to the uninitialized efs variable can be avoided, and the     uninitialized variable would be returned to the attacker (16 bytes). (CVE-2017-1000410)

  - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local     users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.
    (CVE-2018-5750)

  - The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6     allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving     omission of the firmware name from a certain data structure. (CVE-2016-7913)

  - An elevation of privilege vulnerability in the kernel v4l2 video driver. Product: Android. Versions:
    Android kernel. Android ID A-34624167. (CVE-2017-13166)

  - The rngapi_reset function in crypto/rng.c in the Linux kernel before 4.2 allows attackers to cause a     denial of service (NULL pointer dereference). (CVE-2017-15116)

  - A non-privileged user is able to mount a fuse filesystem on RHEL 6 or 7 and crash a system if an     application punches a hole in a file that does not end aligned to a page boundary. (CVE-2017-15121)

  - A use-after-free flaw was found in fs/userfaultfd.c in the Linux kernel before 4.13.6. The issue is     related to the handling of fork failure when dealing with event messages. Failure to fork correctly can     lead to a situation where a fork event will be removed from an already freed list of events with     userfaultfd_ctx_put(). (CVE-2017-15126)

  - net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN     capability for new, get, and del operations, which allows local users to bypass intended access     restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces.
    (CVE-2017-17448)

  - The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x     before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption)     or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action.
    (CVE-2017-18017)

  - The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel before 4.14.3 allow local users to     cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and     removal of DM devices. (CVE-2017-18203)

  - The KVM subsystem in the Linux kernel through 4.13.3 allows guest OS users to cause a denial of service     (assertion failure, and hypervisor hang or crash) via an out-of bounds guest_irq value, related to     arch/x86/kvm/vmx.c and virt/kvm/eventfd.c. (CVE-2017-1000252)

  - The futex_requeue function in kernel/futex.c in the Linux kernel before 4.14.15 might allow attackers to     cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a     negative wake or requeue value. (CVE-2018-6927)

  - In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a race condition vulnerability exists in     the sound system, this can lead to a deadlock and denial of service condition. (CVE-2018-1000004)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important)

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate)

* kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate)

* kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate)

* kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Incorrect handling in arch/x86/include/asm/ mmu_context.h:init_new_context function allowing use-after-free (CVE-2017-17053, Moderate)

* kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate)

* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

* kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate)

* kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate)

* kernel: unlimiting the stack disables ASLR (CVE-2016-3672, Low)

* kernel: Missing permission check in move_pages system call (CVE-2017-14140, Low)

* kernel: NULL pointer dereference in rngapi_reset function (CVE-2017-15116, Low)

* kernel: Improper error handling of VM_SHARED hugetlbfs mapping in mm/ hugetlb.c (CVE-2017-15127, Low)

* kernel: Integer overflow in futex.c:futux_requeue can lead to denial of service or unspecified impact (CVE-2018-6927, Low)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H.
Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).

Additional Changes :

See the Red Hat Enterprise Linux 7.5 Release Notes linked from References.

ID	Name	Product	Family	Severity
154404	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2021-2588)	Nessus	Huawei Local Security Checks	high
153271	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2021-2392)	Nessus	Huawei Local Security Checks	high
127281	NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0074)	Nessus	NewStart CGSL Local Security Checks	critical
127272	NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0070)	Nessus	NewStart CGSL Local Security Checks	critical
124992	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1539)	Nessus	Huawei Local Security Checks	critical
124836	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1515)	Nessus	Huawei Local Security Checks	critical
121605	OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0002)	Nessus	OracleVM Local Security Checks	high
120976	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4315)	Nessus	Oracle Linux Local Security Checks	high
109449	Scientific Linux Security Update : kernel on SL7.x x86_64 (20180410) (Meltdown)	Nessus	Scientific Linux Local Security Checks	critical
109380	CentOS 7 : kernel (CESA-2018:1062)	Nessus	CentOS Local Security Checks	critical
109335	RHEL 6 : MRG (RHSA-2018:1170)	Nessus	Red Hat Local Security Checks	critical
109116	RHEL 7 : kernel (RHSA-2018:1130)	Nessus	Red Hat Local Security Checks	critical
109113	Oracle Linux 7 : kernel (ELSA-2018-1062)	Nessus	Oracle Linux Local Security Checks	critical
108997	RHEL 7 : kernel (RHSA-2018:1062)	Nessus	Red Hat Local Security Checks	critical
108984	RHEL 7 : kernel-rt (RHSA-2018:0676)	Nessus	Red Hat Local Security Checks	critical

CVE-2017-9725

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

critical

critical

critical

critical

high

high

critical

critical

critical

critical

critical

critical

critical