http://openwall.com/lists/oss-security/2018/03/29/1

RHSA-2018:2948

https://bugzilla.kernel.org/show_bug.cgi?id=199185

https://bugzilla.redhat.com/show_bug.cgi?id=1560793

https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit/?id=ce3fd194fcc6fbdc00ce095a852f22df97baa401

USN-3695-1

USN-3695-2

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):Use-after-free     vulnerability in driverset/tun.c in the Linux kernel     through 3.11.1 allows local users to gain privileges by     leveraging the CAP_NET_ADMIN capability and providing     an invalid tuntap interface name in a TUNSETIFF ioctl     call.(CVE-2013-4343)It was found that when the gcc     stack protector was enabled, reading the /proc/keys     file could cause a panic in the Linux kernel due to     stack corruption. This happened because an incorrect     buffer size was used to hold a 64-bit timeout value     rendered as weeks.(CVE-2016-7042)A flaw was found in     the Linux kernel that fs/ocfs2/aops.c omits use of a     semaphore and consequently has a race condition for     access to the extent tree during read operations in     DIRECT mode. This allows local users to cause a denial     of service by modifying a certain e_cpos     field.(CVE-2017-18224)The sctp_v6_create_accept_sk     function in net/sctp/ipv6.c in the Linux kernel     mishandles inheritance, which allows local users to     cause a denial of service or possibly have unspecified     other impact via crafted system calls, a related issue     to CVE-2017-8890. An unprivileged local user could use     this flaw to induce kernel memory corruption on the     system, leading to a crash. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-9075)In     the function sbusfb_ioctl_helper() in     drivers/video/fbdev/sbuslib.c in the Linux kernel, up     to and including 4.15, an integer signedness error     allows arbitrary information leakage for the     FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC     commands.(CVE-2018-6412)A race condition flaw was found     in the way the Linux kernel's mmap(2), madvise(2), and     fallocate(2) system calls interacted with each other     while operating on virtual memory file system files. A     local user could use this flaw to cause a denial of     service.(CVE-2014-4171)** RESERVED ** This candidate     has been reserved by an organization or individual that     will use it when announcing a new security problem.
    When the candidate has been publicized, the details for     this candidate will be provided.(CVE-2018-1095)A NULL     pointer dereference flaw was found in the way the Linux     kernel's Stream Control Transmission Protocol (SCTP)     implementation handled simultaneous connections between     the same hosts. A remote attacker could use this flaw     to crash the system.(CVE-2014-5077)A vulnerability was     found in the fs/inode.c:inode_init_owner() function     logic of the LInux kernel that allows local users to     create files with an unintended group ownership and     with group execution and SGID permission bits set, in a     scenario where a directory is SGID and belongs to a     certain group and is writable by a user who is not a     member of this group. This can lead to excessive     permissions granted in case when they should     not.(CVE-2018-13405)In the Linux kernel before 4.20.8,     kvm_ioctl_create_device in virt/kvm/kvm_main.c     mishandles reference counting because of a race     condition, leading to a use-after-free.(CVE-2019-6974)A     flaw was found in the way Linux kernel allocates heap     memory to build the scattergather list from a fragment     list(skb_shinfo(skb)-i1/4zfrag_list) in the socket     buffer(skb_buff). The heap overflow occurred if     'MAX_SKB_FRAGS + 1' parameter and 'NETIF_F_FRAGLIST'     feature are both used together. A remote user or     process could use this flaw to potentially escalate     their privilege on a system.(CVE-2017-7477)Multiple     integer overflows in Alchemy LCD frame-buffer drivers     in the Linux kernel before 3.12 allow local users to     create a read-write memory mapping for the entirety of     kernel memory, and consequently gain privileges, via     crafted mmap operations, related to the (1)     au1100fb_fb_mmap function in drivers/video/au1100fb.c     and the (2) au1200fb_fb_mmap function in     drivers/video/au1200fb.c.(CVE-2013-4511)It was found     that in the Linux kernel through v4.14-rc5,     bio_map_user_iov() and bio_unmap_user() in     'block/bio.c' do unbalanced pages refcounting if IO     vector has small consecutive buffers belonging to the     same page. bio_add_pc_page() merges them into one, but     the page reference is never dropped, causing a memory     leak and possible system lockup due to out-of-memory     condition.(CVE-2017-12190)An issue was discovered in     the Linux kernel before 4.19.3. crypto_report_one() and     related functions in crypto/crypto_user.c (the crypto     user configuration API) do not fully initialize     structures that are copied to userspace, potentially     leaking sensitive memory to user programs. NOTE: this     is a CVE-2013-2547 regression but with easier     exploitability because the attacker does not need a     capability (however, the system must have the     CONFIG_CRYPTO_USER kconfig option).(CVE-2018-19854)The     userfaultfd implementation in the Linux kernel before     4.19.7 mishandles access control for certain UFFDIO_     ioctl calls, as demonstrated by allowing local users to     write data into holes in a tmpfs file (if the user has     read-only access to that file, and that file contains     holes), related to fs/userfaultfd.c and     mm/userfaultfd.c.(CVE-2018-18397)The TCP stack in the     Linux kernel through 4.10.6 mishandles the     SCM_TIMESTAMPING_OPT_STATS feature, which allows local     users to obtain sensitive information from the kernel's     internal socket data structures or cause a denial of     service (out-of-bounds read) via crafted system calls,     related to net/core/skbuff.c and     net/socket.c.(CVE-2017-7277)A flaw was found in the way     the Linux kernel's vhost driver treated userspace     provided log file descriptor when processing the     VHOST_SET_LOG_FD ioctl command. The file descriptor was     never released and continued to consume kernel memory.
    A privileged local user with access to the     /dev/vhost-net files could use this flaw to create a     denial-of-service attack.(CVE-2015-6252)A buffer     overflow flaw was found in the way the Linux kernel's     virtio-net subsystem handled certain fraglists when the     GRO (Generic Receive Offload) functionality was enabled     in a bridged network configuration. An attacker on the     local network could potentially use this flaw to crash     the system, or, although unlikely, elevate their     privileges on the system.(CVE-2015-5156)The MSM QDSP6     audio driver (aka sound driver) for the Linux kernel     3.x, as used in Qualcomm Innovation Center (QuIC)     Android contributions for MSM devices and other     products, allows attackers to gain privileges or cause     a denial of service (integer overflow, and buffer     overflow or buffer over-read) via a crafted application     that performs a (1) AUDIO_EFFECTS_WRITE or (2)     AUDIO_EFFECTS_READ operation, aka Qualcomm internal bug     CR1006609.(CVE-2016-2068)The icmp6_send function in     net/ipv6/icmp.c in the Linux kernel through 4.8.12     omits a certain check of the dst data structure which     allows remote attackers to cause a denial of service     (panic) via a fragmented IPv6 packet.(CVE-2016-9919)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel-alt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-alt packages provide the Linux kernel version 4.x.

Security Fix(es) :

* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639, aarch64)

* A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses.
(CVE-2018-5390)

* A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391)

Space precludes documenting all of the security fixes in this advisory. See the descriptions of the remaining security fixes in the related Knowledge Article :

https://access.redhat.com/articles/3658021

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting CVE-2018-3639; Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5390 and CVE-2018-5391; Qualys Research Labs for reporting CVE-2018-1120; David Rientjes (Google) for reporting CVE-2018-1000200;
and Wen Xu for reporting CVE-2018-1092, CVE-2018-1094, and CVE-2018-1095. The CVE-2018-14619 issue was discovered by Florian Weimer (Red Hat) and Ondrej Mosnacek (Red Hat).

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

USN-3695-2 fixed vulnerabilities in the Linux Hardware Enablement Kernel (HWE) kernel for Ubuntu 16.04 LTS. Unfortunately, the fix for CVE-2018-1108 introduced a regression where insufficient early entropy prevented services from starting, leading in some situations to a failure to boot, This update addresses the issue.

We apologize for the inconvenience.

Jann Horn discovered that the Linux kernel's implementation of random seed data reported that it was in a ready state before it had gathered sufficient entropy. An attacker could use this to expose sensitive information. (CVE-2018-1108)

Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly initialize the crc32c checksum driver. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1094)

It was discovered that the cdrom driver in the Linux kernel contained an incorrect bounds check. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-10940)

Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly validate xattr sizes. A local attacker could use this to cause a denial of service (system crash).
(CVE-2018-1095)

Jann Horn discovered that the 32 bit adjtimex() syscall implementation for 64 bit Linux kernels did not properly initialize memory returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-11508)

It was discovered that an information leak vulnerability existed in the floppy driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-7755).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3695-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. Unfortunately, the fix for CVE-2018-1108 introduced a regression where insufficient early entropy prevented services from starting, leading in some situations to a failure to boot, This update addresses the issue.

We apologize for the inconvenience.

Jann Horn discovered that the Linux kernel's implementation of random seed data reported that it was in a ready state before it had gathered sufficient entropy. An attacker could use this to expose sensitive information. (CVE-2018-1108)

Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly initialize the crc32c checksum driver. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1094)

It was discovered that the cdrom driver in the Linux kernel contained an incorrect bounds check. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-10940)

Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly validate xattr sizes. A local attacker could use this to cause a denial of service (system crash).
(CVE-2018-1095)

Jann Horn discovered that the 32 bit adjtimex() syscall implementation for 64 bit Linux kernels did not properly initialize memory returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-11508)

It was discovered that an information leak vulnerability existed in the floppy driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-7755).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3695-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.

Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly initialize the crc32c checksum driver. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1094)

It was discovered that the cdrom driver in the Linux kernel contained an incorrect bounds check. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-10940)

Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly validate xattr sizes. A local attacker could use this to cause a denial of service (system crash).
(CVE-2018-1095)

Jann Horn discovered that the 32 bit adjtimex() syscall implementation for 64 bit Linux kernels did not properly initialize memory returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-11508)

It was discovered that an information leak vulnerability existed in the floppy driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-7755).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly initialize the crc32c checksum driver. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1094)

It was discovered that the cdrom driver in the Linux kernel contained an incorrect bounds check. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-10940)

Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly validate xattr sizes. A local attacker could use this to cause a denial of service (system crash).
(CVE-2018-1095)

Jann Horn discovered that the 32 bit adjtimex() syscall implementation for 64 bit Linux kernels did not properly initialize memory returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-11508)

It was discovered that an information leak vulnerability existed in the floppy driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-7755).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124984	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1531)	Nessus	Huawei Local Security Checks	high
118513	RHEL 7 : kernel-alt (RHSA-2018:2948) (Spectre)	Nessus	Red Hat Local Security Checks	high
111267	Ubuntu 16.04 LTS : Linux kernel (HWE) regression (USN-3718-2)	Nessus	Ubuntu Local Security Checks	medium
111266	Ubuntu 18.04 LTS : Linux kernel regression (USN-3718-1)	Nessus	Ubuntu Local Security Checks	medium
110895	Ubuntu 16.04 LTS : linux-hwe, linux-azure vulnerabilities (USN-3695-2)	Nessus	Ubuntu Local Security Checks	medium
110894	Ubuntu 18.04 LTS : linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oem, linux-raspi2 vulnerabilities (USN-3695-1)	Nessus	Ubuntu Local Security Checks	medium

CVE-2018-1095

MEDIUM

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

medium

medium

medium

medium