http://openwall.com/lists/oss-security/2018/03/29/1

RHSA-2018:2948

https://bugzilla.kernel.org/show_bug.cgi?id=199185

https://bugzilla.redhat.com/show_bug.cgi?id=1560793

https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit/?id=ce3fd194fcc6fbdc00ce095a852f22df97baa401

USN-3695-1

USN-3695-2

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - Use-after-free vulnerability in drivers/net/tun.c in     the Linux kernel through 3.11.1 allows local users to     gain privileges by leveraging the CAP_NET_ADMIN     capability and providing an invalid tuntap interface     name in a TUNSETIFF ioctl call.(CVE-2013-4343)

  - It was found that when the gcc stack protector was     enabled, reading the /proc/keys file could cause a     panic in the Linux kernel due to stack corruption. This     happened because an incorrect buffer size was used to     hold a 64-bit timeout value rendered as     weeks.(CVE-2016-7042)

  - A flaw was found in the Linux kernel that     fs/ocfs2/aops.c omits use of a semaphore and     consequently has a race condition for access to the     extent tree during read operations in DIRECT mode. This     allows local users to cause a denial of service by     modifying a certain e_cpos field.(CVE-2017-18224)

  - The sctp_v6_create_accept_sk function in     net/sctp/ipv6.c in the Linux kernel mishandles     inheritance, which allows local users to cause a denial     of service or possibly have unspecified other impact     via crafted system calls, a related issue to     CVE-2017-8890. An unprivileged local user could use     this flaw to induce kernel memory corruption on the     system, leading to a crash. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-9075)

  - In the function sbusfb_ioctl_helper() in     drivers/video/fbdev/sbuslib.c in the Linux kernel, up     to and including 4.15, an integer signedness error     allows arbitrary information leakage for the     FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC     commands.(CVE-2018-6412)

  - A race condition flaw was found in the way the Linux     kernel's mmap(2), madvise(2), and fallocate(2) system     calls interacted with each other while operating on     virtual memory file system files. A local user could     use this flaw to cause a denial of     service.(CVE-2014-4171)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2018-1095)

  - A NULL pointer dereference flaw was found in the way     the Linux kernel's Stream Control Transmission Protocol     (SCTP) implementation handled simultaneous connections     between the same hosts. A remote attacker could use     this flaw to crash the system.(CVE-2014-5077)

  - A vulnerability was found in the     fs/inode.c:inode_init_owner() function logic of the     LInux kernel that allows local users to create files     with an unintended group ownership and with group     execution and SGID permission bits set, in a scenario     where a directory is SGID and belongs to a certain     group and is writable by a user who is not a member of     this group. This can lead to excessive permissions     granted in case when they should not.(CVE-2018-13405)

  - In the Linux kernel before 4.20.8,     kvm_ioctl_create_device in virt/kvm/kvm_main.c     mishandles reference counting because of a race     condition, leading to a use-after-free.(CVE-2019-6974)

  - A flaw was found in the way Linux kernel allocates heap     memory to build the scattergather list from a fragment     list(skb_shinfo(skb)->frag_list) in the socket     buffer(skb_buff). The heap overflow occurred if     'MAX_SKB_FRAGS + 1' parameter and 'NETIF_F_FRAGLIST'     feature are both used together. A remote user or     process could use this flaw to potentially escalate     their privilege on a system.(CVE-2017-7477)

  - Multiple integer overflows in Alchemy LCD frame-buffer     drivers in the Linux kernel before 3.12 allow local     users to create a read-write memory mapping for the     entirety of kernel memory, and consequently gain     privileges, via crafted mmap operations, related to the     (1) au1100fb_fb_mmap function in     drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap     function in drivers/video/au1200fb.c.(CVE-2013-4511)

  - It was found that in the Linux kernel through     v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in     'block/bio.c' do unbalanced pages refcounting if IO     vector has small consecutive buffers belonging to the     same page. bio_add_pc_page() merges them into one, but     the page reference is never dropped, causing a memory     leak and possible system lockup due to out-of-memory     condition.(CVE-2017-12190)

  - An issue was discovered in the Linux kernel before     4.19.3. crypto_report_one() and related functions in     crypto/crypto_user.c (the crypto user configuration     API) do not fully initialize structures that are copied     to userspace, potentially leaking sensitive memory to     user programs. NOTE: this is a CVE-2013-2547 regression     but with easier exploitability because the attacker     does not need a capability (however, the system must     have the CONFIG_CRYPTO_USER kconfig     option).(CVE-2018-19854)

  - The userfaultfd implementation in the Linux kernel     before 4.19.7 mishandles access control for certain     UFFDIO_ ioctl calls, as demonstrated by allowing local     users to write data into holes in a tmpfs file (if the     user has read-only access to that file, and that file     contains holes), related to fs/userfaultfd.c and     mm/userfaultfd.c.(CVE-2018-18397)

  - The TCP stack in the Linux kernel through 4.10.6     mishandles the SCM_TIMESTAMPING_OPT_STATS feature,     which allows local users to obtain sensitive     information from the kernel's internal socket data     structures or cause a denial of service (out-of-bounds     read) via crafted system calls, related to     net/core/skbuff.c and net/socket.c.(CVE-2017-7277)

  - A flaw was found in the way the Linux kernel's vhost     driver treated userspace provided log file descriptor     when processing the VHOST_SET_LOG_FD ioctl command. The     file descriptor was never released and continued to     consume kernel memory. A privileged local user with     access to the /dev/vhost-net files could use this flaw     to create a denial-of-service attack.(CVE-2015-6252)

  - A buffer overflow flaw was found in the way the Linux     kernel's virtio-net subsystem handled certain fraglists     when the GRO (Generic Receive Offload) functionality     was enabled in a bridged network configuration. An     attacker on the local network could potentially use     this flaw to crash the system, or, although unlikely,     elevate their privileges on the system.(CVE-2015-5156)

  - The MSM QDSP6 audio driver (aka sound driver) for the     Linux kernel 3.x, as used in Qualcomm Innovation Center     (QuIC) Android contributions for MSM devices and other     products, allows attackers to gain privileges or cause     a denial of service (integer overflow, and buffer     overflow or buffer over-read) via a crafted application     that performs a (1) AUDIO_EFFECTS_WRITE or (2)     AUDIO_EFFECTS_READ operation, aka Qualcomm internal bug     CR1006609.(CVE-2016-2068)

  - The icmp6_send function in net/ipv6/icmp.c in the Linux     kernel through 4.8.12 omits a certain check of the dst     data structure which allows remote attackers to cause a     denial of service (panic) via a fragmented IPv6     packet.(CVE-2016-9919)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel-alt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-alt packages provide the Linux kernel version 4.x.

Security Fix(es) :

* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639, aarch64)

* A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses.
(CVE-2018-5390)

* A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391)

Space precludes documenting all of the security fixes in this advisory. See the descriptions of the remaining security fixes in the related Knowledge Article :

https://access.redhat.com/articles/3658021

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting CVE-2018-3639; Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5390 and CVE-2018-5391; Qualys Research Labs for reporting CVE-2018-1120; David Rientjes (Google) for reporting CVE-2018-1000200;
and Wen Xu for reporting CVE-2018-1092, CVE-2018-1094, and CVE-2018-1095. The CVE-2018-14619 issue was discovered by Florian Weimer (Red Hat) and Ondrej Mosnacek (Red Hat).

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

USN-3695-2 fixed vulnerabilities in the Linux Hardware Enablement Kernel (HWE) kernel for Ubuntu 16.04 LTS. Unfortunately, the fix for CVE-2018-1108 introduced a regression where insufficient early entropy prevented services from starting, leading in some situations to a failure to boot, This update addresses the issue.

We apologize for the inconvenience.

Original advisory details :

Jann Horn discovered that the Linux kernel's implementation of random seed data reported that it was in a ready state before it had gathered sufficient entropy. An attacker could use this to expose sensitive information. (CVE-2018-1108)

Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly initialize the crc32c checksum driver. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1094)

It was discovered that the cdrom driver in the Linux kernel contained an incorrect bounds check. A local attacker could use this to expose sensitive information (kernel memory).
(CVE-2018-10940)

Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly validate xattr sizes. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1095)

Jann Horn discovered that the 32 bit adjtimex() syscall implementation for 64 bit Linux kernels did not properly initialize memory returned to user space in some situations.
A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-11508)

It was discovered that an information leak vulnerability existed in the floppy driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-7755).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3695-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. Unfortunately, the fix for CVE-2018-1108 introduced a regression where insufficient early entropy prevented services from starting, leading in some situations to a failure to boot, This update addresses the issue.

We apologize for the inconvenience.

Original advisory details :

Jann Horn discovered that the Linux kernel's implementation of random seed data reported that it was in a ready state before it had gathered sufficient entropy. An attacker could use this to expose sensitive information. (CVE-2018-1108)

Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly initialize the crc32c checksum driver. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1094)

It was discovered that the cdrom driver in the Linux kernel contained an incorrect bounds check. A local attacker could use this to expose sensitive information (kernel memory).
(CVE-2018-10940)

Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly validate xattr sizes. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1095)

Jann Horn discovered that the 32 bit adjtimex() syscall implementation for 64 bit Linux kernels did not properly initialize memory returned to user space in some situations.
A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-11508)

It was discovered that an information leak vulnerability existed in the floppy driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-7755).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3695-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.

Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly initialize the crc32c checksum driver. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1094)

It was discovered that the cdrom driver in the Linux kernel contained an incorrect bounds check. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-10940)

Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly validate xattr sizes. A local attacker could use this to cause a denial of service (system crash).
(CVE-2018-1095)

Jann Horn discovered that the 32 bit adjtimex() syscall implementation for 64 bit Linux kernels did not properly initialize memory returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-11508)

It was discovered that an information leak vulnerability existed in the floppy driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-7755).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly initialize the crc32c checksum driver. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1094)

It was discovered that the cdrom driver in the Linux kernel contained an incorrect bounds check. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-10940)

Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly validate xattr sizes. A local attacker could use this to cause a denial of service (system crash).
(CVE-2018-1095)

Jann Horn discovered that the 32 bit adjtimex() syscall implementation for 64 bit Linux kernels did not properly initialize memory returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-11508)

It was discovered that an information leak vulnerability existed in the floppy driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-7755).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124984	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1531)	Nessus	Huawei Local Security Checks	high
118513	RHEL 7 : kernel-alt (RHSA-2018:2948) (Spectre)	Nessus	Red Hat Local Security Checks	high
111267	Ubuntu 16.04 LTS : linux-hwe, linux-azure, linux-gcp regression (USN-3718-2)	Nessus	Ubuntu Local Security Checks	high
111266	Ubuntu 18.04 LTS : linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oem regression (USN-3718-1)	Nessus	Ubuntu Local Security Checks	high
110895	Ubuntu 16.04 LTS : linux-hwe, linux-azure vulnerabilities (USN-3695-2)	Nessus	Ubuntu Local Security Checks	high
110894	Ubuntu 18.04 LTS : linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oem, linux-raspi2 vulnerabilities (USN-3695-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2018-1095

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins