RHSA-2019:1350

RHSA-2019:2029

RHSA-2019:2043

https://bugzilla.kernel.org/show_bug.cgi?id=199915

https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/commit/?h=for-next&id=23fcb3340d033d9f081e21e6c12c2db7eaa541d3

https://github.com/torvalds/linux/commit/23fcb3340d033d9f081e21e6c12c2db7eaa541d3

The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4904-1 advisory.

  - The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr     operations that underspecifies removing extended privilege attributes, which allows local users to cause a     denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by     using chown to remove a capability from the ping or Wireshark dumpcap program. (CVE-2015-1350)

  - The time subsystem in the Linux kernel through 4.9.9, when CONFIG_TIMER_STATS is enabled, allows local     users to discover real PID values (as distinguished from PID values inside a PID namespace) by reading the     /proc/timer_list file, related to the print_timer function in kernel/time/timer_list.c and the
    __timer_stats_timer_set_start_info function in kernel/time/timer.c. (CVE-2017-5967)

  - The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the Linux kernel through 4.13.11     allows local users to cause a denial of service (improper error handling and system crash) or possibly     have unspecified other impact via a crafted USB device. (CVE-2017-16644)

  - An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. A denial of     service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is     in extent format, but has more extents than fit in the inode fork. (CVE-2018-13095)

  - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,     leading to a NULL pointer dereference. (CVE-2019-16231)

  - drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the     alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16232)

  - A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux     kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka     CID-9c0530e898f3. (CVE-2019-19061)

  - A race condition was found in the Linux kernels implementation of the floppy disk drive controller driver     software. The impact of this issue is lessened by the fact that the default permissions on the floppy     device (/dev/fd0) are restricted to root. If the permissions on the device have changed the impact changes     greatly. In the default configuration root (or equivalent) permissions are required to attack this flaw.
    (CVE-2021-20261)

  - An issue was discovered in the Linux kernel 3.11 through 5.10.16, as used by Xen. To service requests to     the PV backend, the driver maps grant references provided by the frontend. In this process, errors may be     encountered. In one case, an error encountered earlier might be discarded by later processing, resulting     in the caller assuming successful mapping, and hence subsequent operations trying to access space that     wasn't mapped. In another case, internal state would be insufficiently updated, preventing safe recovery     from the error. This affects drivers/block/xen-blkback/blkback.c. (CVE-2021-26930)

  - An issue was discovered in the Linux kernel 2.6.39 through 5.10.16, as used in Xen. Block, net, and SCSI     backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially     being at least under the influence of guests (such as out of memory conditions), it isn't correct to     assume a plain bug. Memory allocations potentially causing such crashes occur only when Linux is running     in PV mode, though. This affects drivers/block/xen-blkback/blkback.c and drivers/xen/xen-scsiback.c.
    (CVE-2021-26931)

  - An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the     netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of     changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior     of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.
    (CVE-2021-28038)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4907-1 advisory.

  - An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. A denial of     service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is     in extent format, but has more extents than fit in the inode fork. (CVE-2018-13095)

  - An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.
    (CVE-2021-3347)

  - nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-     free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a     certain point during device setup, aka CID-b98e762e3d71. (CVE-2021-3348)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900)

* Kernel: page cache side channel attacks (CVE-2019-5489)

* kernel: Buffer overflow in hidp_process_report (CVE-2018-9363)

* kernel: l2tp: Race condition between pppol2tp_session_create() and l2tp_eth_create() (CVE-2018-9517)

* kernel: kvm: guest userspace to guest kernel write (CVE-2018-10853)

* kernel: use-after-free Read in vhost_transport_send_pkt (CVE-2018-14625)

* kernel: use-after-free in ucma_leave_multicast in drivers/infiniband/core/ ucma.c (CVE-2018-14734)

* kernel: Mishandling of indirect calls weakens Spectre mitigation for paravirtual guests (CVE-2018-15594)

* kernel: TLB flush happens too late on mremap (CVE-2018-18281)

* kernel: Heap address information leak while using L2CAP_GET_CONF_OPT (CVE-2019-3459)

* kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP (CVE-2019-3460)

* kernel: denial of service vector through vfio DMA mappings (CVE-2019-3882)

* kernel: fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599)

* kernel: a NULL pointer dereference in drivers/scsi/megaraid/ megaraid_sas_base.c leading to DoS (CVE-2019-11810)

* kernel: fs/ext4/extents.c leads to information disclosure (CVE-2019-11833)

* kernel: Information exposure in fd_locked_ioctl function in drivers/block/ floppy.c (CVE-2018-7755)

* kernel: Memory leak in drivers/net/wireless/ mac80211_hwsim.c:hwsim_new_radio_nl() can lead to potential denial of service (CVE-2018-8087)

* kernel: HID: debug: Buffer overflow in hid_debug_events_read() in drivers/ hid/hid-debug.c (CVE-2018-9516)

* kernel: Integer overflow in the alarm_timer_nsleep function (CVE-2018-13053)

* kernel: NULL pointer dereference in lookup_slow function (CVE-2018-13093)

* kernel: NULL pointer dereference in xfs_da_shrink_inode function (CVE-2018-13094)

* kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c (CVE-2018-13095)

* kernel: Information leak in cdrom_ioctl_drive_status (CVE-2018-16658)

* kernel: out-of-bound read in memcpy_fromiovecend() (CVE-2018-16885)

* Kernel: KVM: leak of uninitialized stack contents to guest (CVE-2019-7222)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Security Fix(es) :

  - Kernel: vhost_net: infinite loop while receiving packets     leads to DoS (CVE-2019-3900)

  - Kernel: page cache side channel attacks (CVE-2019-5489)

  - kernel: Buffer overflow in hidp_process_report     (CVE-2018-9363)

  - kernel: l2tp: Race condition between     pppol2tp_session_create() and l2tp_eth_create()     (CVE-2018-9517)

  - kernel: kvm: guest userspace to guest kernel write     (CVE-2018-10853)

  - kernel: use-after-free Read in vhost_transport_send_pkt     (CVE-2018-14625)

  - kernel: use-after-free in ucma_leave_multicast in     drivers/infiniband/core/ucma.c (CVE-2018-14734)

  - kernel: Mishandling of indirect calls weakens Spectre     mitigation for paravirtual guests (CVE-2018-15594)

  - kernel: TLB flush happens too late on mremap     (CVE-2018-18281)

  - kernel: Heap address information leak while using     L2CAP_GET_CONF_OPT (CVE-2019-3459)

  - kernel: Heap address information leak while using     L2CAP_PARSE_CONF_RSP (CVE-2019-3460)

  - kernel: denial of service vector through vfio DMA     mappings (CVE-2019-3882)

  - kernel: fix race condition between     mmget_not_zero()/get_task_mm() and core dumping     (CVE-2019-11599)

  - kernel: a NULL pointer dereference in     drivers/scsi/megaraid/megaraid_sas_base.c leading to DoS     (CVE-2019-11810)

  - kernel: fs/ext4/extents.c leads to information     disclosure (CVE-2019-11833)

  - kernel: Information exposure in fd_locked_ioctl function     in drivers/block/floppy.c (CVE-2018-7755)

  - kernel: Memory leak in     drivers/net/wireless/mac80211_hwsim.c:hwsim_new_radio_nl     () can lead to potential denial of service     (CVE-2018-8087)

  - kernel: HID: debug: Buffer overflow in     hid_debug_events_read() in drivers/hid/hid-debug.c     (CVE-2018-9516)

  - kernel: Integer overflow in the alarm_timer_nsleep     function (CVE-2018-13053)

  - kernel: NULL pointer dereference in lookup_slow function     (CVE-2018-13093)

  - kernel: NULL pointer dereference in xfs_da_shrink_inode     function (CVE-2018-13094)

  - kernel: NULL pointer dereference in     fs/xfs/libxfs/xfs_inode_buf.c (CVE-2018-13095)

  - kernel: Information leak in cdrom_ioctl_drive_status     (CVE-2018-16658)

  - kernel: out-of-bound read in memcpy_fromiovecend()     (CVE-2018-16885)

  - Kernel: KVM: leak of uninitialized stack contents to     guest (CVE-2019-7222)

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900)

* Kernel: page cache side channel attacks (CVE-2019-5489)

* kernel: Buffer overflow in hidp_process_report (CVE-2018-9363)

* kernel: l2tp: Race condition between pppol2tp_session_create() and l2tp_eth_create() (CVE-2018-9517)

* kernel: kvm: guest userspace to guest kernel write (CVE-2018-10853)

* kernel: use-after-free Read in vhost_transport_send_pkt (CVE-2018-14625)

* kernel: use-after-free in ucma_leave_multicast in drivers/infiniband/core/ ucma.c (CVE-2018-14734)

* kernel: Mishandling of indirect calls weakens Spectre mitigation for paravirtual guests (CVE-2018-15594)

* kernel: TLB flush happens too late on mremap (CVE-2018-18281)

* kernel: Heap address information leak while using L2CAP_GET_CONF_OPT (CVE-2019-3459)

* kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP (CVE-2019-3460)

* kernel: denial of service vector through vfio DMA mappings (CVE-2019-3882)

* kernel: fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599)

* kernel: a NULL pointer dereference in drivers/scsi/megaraid/ megaraid_sas_base.c leading to DoS (CVE-2019-11810)

* kernel: fs/ext4/extents.c leads to information disclosure (CVE-2019-11833)

* kernel: Information exposure in fd_locked_ioctl function in drivers/block/ floppy.c (CVE-2018-7755)

* kernel: Memory leak in drivers/net/wireless/ mac80211_hwsim.c:hwsim_new_radio_nl() can lead to potential denial of service (CVE-2018-8087)

* kernel: HID: debug: Buffer overflow in hid_debug_events_read() in drivers/ hid/hid-debug.c (CVE-2018-9516)

* kernel: Integer overflow in the alarm_timer_nsleep function (CVE-2018-13053)

* kernel: NULL pointer dereference in lookup_slow function (CVE-2018-13093)

* kernel: NULL pointer dereference in xfs_da_shrink_inode function (CVE-2018-13094)

* kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c (CVE-2018-13095)

* kernel: Information leak in cdrom_ioctl_drive_status (CVE-2018-16658)

* kernel: out-of-bound read in memcpy_fromiovecend() (CVE-2018-16885)

* Kernel: KVM: leak of uninitialized stack contents to guest (CVE-2019-7222)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

An update for kernel-alt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section.

The kernel-alt packages provide the Linux kernel version 4.x.

Security Fix(es) :

* kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c (CVE-2018-13095)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es) :

* [rhel-alt] Could not remove the function from /sys/kernel/debug/tracing/ kprobe_events (BZ#1677171)

* RHEL-ALT-7.6z: usage of stale vma in do_fault() can lead to a crash (BZ# 1679243)

* RHEL-Alt-7.6 - Backport support for software count cache flush Spectre v2 mitigation (BZ#1692682)

* RHEL-Alt-7.6 - [LTC Test][SR-IOV]: Guest with VF pass-through crashes during reboot operation in a loop. (kvm) (libvirt/kernel) (BZ#1693146)

* RHEL-Alt-7.6 - Tolerate new s390x crypto hardware for migration (BZ# 1695643)

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the USB-MIDI Linux kernel driver: a     double-free error could be triggered for the 'umidi'     object. An attacker with physical access to the system     could use this flaw to escalate their     privileges.(CVE-2016-2384i1/4%0

  - A vulnerability was found in Linux kernel. There is an     information leak in file 'sound/core/timer.c' of the     latest mainline Linux kernel, the stack object     aEURoetreadaEUR has a total size of 32 bytes. It contains a     8-bytes padding, which is not initialized but sent to     user via copy_to_user(), resulting a kernel     leak.(CVE-2016-4569i1/4%0

  - The dgram_recvmsg function in net/ieee802154/dgram.c in     the Linux kernel before 3.12.4 updates a certain length     value without ensuring that an associated data     structure has been initialized, which allows local     users to obtain sensitive information from kernel stack     memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg     system call.(CVE-2013-7281i1/4%0

  - The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel through 4.14.11     allows attackers to cause a denial of service (slab     out-of-bounds write) or possibly have unspecified other     impact via vectors involving TLS.(CVE-2018-5703i1/4%0

  - An issue was discovered in the fd_locked_ioctl function     in drivers/block/floppy.c in the Linux kernel. The     floppy driver will copy a kernel pointer to user memory     in response to the FDGETPRM ioctl. An attacker can send     the FDGETPRM ioctl and use the obtained kernel pointer     to discover the location of kernel code and data and     bypass kernel security protections such as     KASLR.(CVE-2018-7755i1/4%0

  - The usbnet_generic_cdc_bind function in     drivers/net/usb/cdc_ether.c in the Linux kernel through     4.13.11 allows local users to cause a denial of service     (divide-by-zero error and system crash) or possibly     have unspecified other impact via a crafted USB     device.(CVE-2017-16649i1/4%0

  - Heap-based buffer overflow in the wcnss_wlan_write     function in drivers/net/wireless/wcnss/wcnss_wlan.c in     the wcnss_wlan device driver for the Linux kernel 3.x,     as used in Qualcomm Innovation Center (QuIC) Android     contributions for MSM devices and other products,     allows attackers to cause a denial of service or     possibly have unspecified other impact by writing to     /dev/wcnss_wlan with an unexpected amount of     data.(CVE-2016-5342i1/4%0

  - drivers/media/usb/dvb-usb/dib0700_devices.c in the     Linux kernel through 4.13.11 allows local users to     cause a denial of service (BUG and system crash) or     possibly have unspecified other impact via a crafted     USB device.(CVE-2017-16646i1/4%0

  - A flaw was found in the TIPC networking subsystem which     could allow for memory corruption and possible     privilege escalation. The flaw involves a system with     an unusually low MTU (60) on networking devices     configured as bearers for the TIPC protocol. An     attacker could create a packet which will overwrite     memory outside of allocated space and allow for     privilege escalation.(CVE-2016-8632i1/4%0

  - An issue was discovered in the XFS filesystem in     fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel. A     denial of service due to the NULL pointer dereference     can occur for a corrupted xfs image upon encountering     an inode that is in extent format, but has more extents     than fit in the inode fork.(CVE-2018-13095i1/4%0

  - Linux kernel built with the KVM visualization support     (CONFIG_KVM), with nested visualization (nVMX) feature     enabled (nested=1), is vulnerable to a crash due to     disabled external interrupts. As L2 guest could access     (r/w) hardware CR8 register of the host(L0). In a     nested visualization setup, L2 guest user could use     this flaw to potentially crash the host(L0) resulting     in DoS.(CVE-2017-12154i1/4%0

  - The do_double_fault function in arch/x86/kernel/traps.c     in the Linux kernel through 3.17.4 does not properly     handle faults associated with the Stack Segment (SS)     segment register, which allows local users to cause a     denial of service (panic) via a modify_ldt system call,     as demonstrated by sigreturn_32 in the     linux-clock-tests test suite.(CVE-2014-9090i1/4%0

  - A race condition flaw was found in the way the Linux     kernel's mac80211 subsystem implementation handled     synchronization between TX and STA wake-up code paths.
    A remote attacker could use this flaw to crash the     system.(CVE-2014-2706i1/4%0

  - The snd_seq_ioctl_remove_events function in     sound/core/seq/seq_clientmgr.c in the Linux kernel     before 4.4.1 does not verify FIFO assignment before     proceeding with FIFO clearing, which allows local users     to cause a denial of service (NULL pointer dereference     and OOPS) via a crafted ioctl call.(CVE-2016-2543i1/4%0

  - The gtco_probe function in drivers/input/tablet/gtco.c     in the Linux kernel through 4.5.2 allows physically     proximate attackers to cause a denial of service (NULL     pointer dereference and system crash) via a crafted     endpoints value in a USB device     descriptor.(CVE-2016-2187i1/4%0

  - An integer overflow flaw was found in the Linux     kernel's create_elf_tables() function. An unprivileged     local user with access to SUID (or otherwise     privileged) binary could use this flaw to escalate     their privileges on the system.(CVE-2018-14634i1/4%0

  - A use-after-free flaw was found in the Netlink     functionality of the Linux kernel networking subsystem.
    Due to the insufficient cleanup in the mq_notify     function, a local attacker could potentially use this     flaw to escalate their privileges on the     system.(CVE-2017-11176i1/4%0

  - Array index error in the aio_read_events_ring function     in fs/aio.c in the Linux kernel through 3.15.1 allows     local users to obtain sensitive information from kernel     memory via a large head value.(CVE-2014-0206i1/4%0

  - arch/arm/kernel/sys_oabi-compat.c in the Linux kernel     before 4.4 allows local users to gain privileges via a     crafted (1) F_OFD_GETLK, (2) F_OFD_SETLK, or (3)     F_OFD_SETLKW command in an fcntl64 system     call.(CVE-2015-8966i1/4%0

  - An issue was discovered in the Linux kernel through     4.17.2. The filter parsing in     kernel/trace/trace_events_filter.c could be called with     no filter, which is an N=0 case when it expected at     least one line to have been read, thus making the N-1     index invalid. This allows attackers to cause a denial     of service (slab out-of-bounds write) or possibly have     unspecified other impact via crafted perf_event_open     and mmap system calls.(CVE-2018-12714i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The v4.17.5 update contains important fixes across the tree

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-14617: Prevent NULL pointer dereference and panic in hfsplus_lookup() when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bsc#1102870)

CVE-2018-14613: Prevent invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, caused by a lack of block group item validation in check_leaf_item (bsc#1102896).

CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903)

CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occured because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001)

CVE-2018-13094: Prevent OOPS that may have occured for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000)

CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that could have occurred for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999)

CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922)

CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689)

CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511)

CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509)

CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol (bnc#1096748)

CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service (bnc#1096748)

CVE-2018-10938: A crafted network packet sent remotely by an attacker forced the kernel to enter an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service (bnc#1106016)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bugfixes.

CVE-2018-10853: A flaw was found in the way the KVM hypervisor emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest (bnc#1097104).

CVE-2018-10876: A flaw was found in Linux kernel in the ext4 filesystem code. A use-after-free is possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image. (bnc#1099811)

CVE-2018-10877: Linux kernel ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image. (bnc#1099846)

CVE-2018-10878: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write and a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4 filesystem image. (bnc#1099813)

CVE-2018-10879: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a file in a crafted ext4 filesystem image. (bnc#1099844)

CVE-2018-10880: Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system crash and a denial of service. (bnc#1099845)

CVE-2018-10881: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.
(bnc#1099864)

CVE-2018-10882: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound write in in fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image. (bnc#1099849)

CVE-2018-10883: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.
(bnc#1099863)

CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation (bnc#1105322).

CVE-2018-10938: A crafted network packet sent remotely by an attacker may force the kernel to enter an infinite loop in the cipso_v4_optptr() function in net/ipv4/cipso_ipv4.c leading to a denial-of-service. A certain non-default configuration of LSM (Linux Security Module) and NetLabel should be set up on a system before an attacker could leverage this flaw (bnc#1106016).

CVE-2018-10940: The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c allowed local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bnc#1092903).

CVE-2018-12896: An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922).

CVE-2018-13093: There is a NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001).

CVE-2018-13094: An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000).

CVE-2018-13095: A denial of service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999).

CVE-2018-14617: There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bnc#1102870).

CVE-2018-14678: The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S did not properly maintain RBX, which allowed local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges (bnc#1102715).

CVE-2018-15572: The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517 bnc#1105296).

CVE-2018-15594: arch/x86/kernel/paravirt.c mishandled certain indirect calls, which made it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests (bnc#1105348).

CVE-2018-16276: Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges (bnc#1106095).

CVE-2018-16658: An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 (bnc#1107689).

CVE-2018-17182: The vmacache_flush_all function in mm/vmacache.c mishandled sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations (bnc#1108399).

CVE-2018-6554: Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509).

CVE-2018-6555: The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511).

CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536).

CVE-2018-9363: A buffer overflow in bluetooth HID report processing could be used by malicious bluetooth devices to crash the kernel or potentially execute code (bnc#1105292). The following security bugs were fixed :

CVE-2018-7480: The blkcg_init_queue function in block/blk-cgroup.c allowed local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure (bnc#1082863).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 azure kernel was updated to 4.4.155 to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occured because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001)

CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that could have occurred for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999)

CVE-2018-13094: Prevent OOPS that may have occured for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000)

CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922)

CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689)

CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903)

CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511)

CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509)

CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol (bnc#1096748)

CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service (bnc#1096748)

CVE-2018-10938: A crafted network packet sent remotely by an attacker forced the kernel to enter an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service (bnc#1106016)

CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517)

CVE-2018-10902: Protect against concurrent access to prevent double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A malicious local attacker could have used this for privilege escalation (bnc#1105322).

CVE-2018-9363: Prevent buffer overflow in hidp_process_report (bsc#1105292)

CVE-2018-10883: A local user could have caused an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099863)

CVE-2018-10879: A local user could have caused a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact by renaming a file in a crafted ext4 filesystem image (bsc#1099844)

CVE-2018-10878: A local user could have caused an out-of-bounds write and a denial of service or unspecified other impact by mounting and operating a crafted ext4 filesystem image (bsc#1099813)

CVE-2018-10876: A use-after-free was possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image (bsc#1099811)

CVE-2018-10877: Prevent out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image (bsc#1099846)

CVE-2018-10881: A local user could have caused an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099864)

CVE-2018-10882: A local user could have caused an out-of-bound write, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image (bsc#1099849)

CVE-2018-10880: Prevent stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could have used this to cause a system crash and a denial of service (bsc#1099845)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.155 to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occured because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001).

CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that could have occurred for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999).

CVE-2018-13094: Prevent OOPS that may have occured for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000).

CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922).

CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689).

CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511).

CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509).

CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol (bnc#1096748).

CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service (bnc#1096748).

CVE-2018-10938: A crafted network packet sent remotely by an attacker forced the kernel to enter an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service (bnc#1106016).

CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517).

CVE-2018-10902: Protect against concurrent access to prevent double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A malicious local attacker could have used this for privilege escalation (bnc#1105322 1105323).

CVE-2018-9363: Prevent buffer overflow in hidp_process_report (bsc#1105292)

CVE-2018-10883: A local user could have caused an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099863).

CVE-2018-10879: A local user could have caused a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact by renaming a file in a crafted ext4 filesystem image (bsc#1099844).

CVE-2018-10878: A local user could have caused an out-of-bounds write and a denial of service or unspecified other impact by mounting and operating a crafted ext4 filesystem image (bsc#1099813).

CVE-2018-10876: A use-after-free was possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image (bsc#1099811).

CVE-2018-10877: Prevent out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image (bsc#1099846).

CVE-2018-10881: A local user could have caused an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099864).

CVE-2018-10882: A local user could have caused an out-of-bound write, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image (bsc#1099849).

CVE-2018-10880: Prevent stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could have used this to cause a system crash and a denial of service (bsc#1099845).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
148498	Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-4904-1)	Nessus	Ubuntu Local Security Checks	high
148493	Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel vulnerabilities (USN-4907-1)	Nessus	Ubuntu Local Security Checks	high
128651	CentOS 7 : kernel (CESA-2019:2029)	Nessus	CentOS Local Security Checks	high
128226	Scientific Linux Security Update : kernel on SL7.x x86_64 (20190806)	Nessus	Scientific Linux Local Security Checks	high
127655	RHEL 7 : kernel-rt (RHSA-2019:2043)	Nessus	Red Hat Local Security Checks	high
127650	RHEL 7 : kernel (RHSA-2019:2029)	Nessus	Red Hat Local Security Checks	high
125713	RHEL 7 : kernel-alt (RHSA-2019:1350)	Nessus	Red Hat Local Security Checks	medium
125101	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1513)	Nessus	Huawei Local Security Checks	critical
123329	openSUSE Security Update : the Linux Kernel (openSUSE-2019-769)	Nessus	SuSE Local Security Checks	high
120418	Fedora 28 : kernel (2018-50075276e8)	Nessus	Fedora Local Security Checks	high
120118	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2018:2980-1)	Nessus	SuSE Local Security Checks	high
118034	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:3084-1)	Nessus	SuSE Local Security Checks	high
117988	openSUSE Security Update : the Linux Kernel (openSUSE-2018-1140)	Nessus	SuSE Local Security Checks	high
117800	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2858-1)	Nessus	SuSE Local Security Checks	high
117629	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:2776-1)	Nessus	SuSE Local Security Checks	high
117523	openSUSE Security Update : the Linux Kernel (openSUSE-2018-1016)	Nessus	SuSE Local Security Checks	high
111243	Fedora 27 : kernel (2018-8484550fff)	Nessus	Fedora Local Security Checks	high

CVE-2018-13095

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

medium

critical

high

high

high

high

high

high

high

high

high