105200

RHSA-2018:2948

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14619

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b32a7dc8aef1882fbf983eb354837488cc9d54dc

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0013

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The atalk_recvmsg function in net/appletalk/ddp.c in     the Linux kernel before 3.12.4 updates a certain length     value without ensuring that an associated data     structure has been initialized, which allows local     users to obtain sensitive information from kernel     memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg     system call.(CVE-2013-7267i1/4%0

  - fs/f2fs/segment.c in the Linux kernel allows local     users to cause a denial of service (NULL pointer     dereference and panic) by using a noflush_merge option     that triggers a NULL value for a flush_cmd_control data     structure.(CVE-2017-18241i1/4%0

  - fs/pnode.c in the Linux kernel before 4.5.4 does not     properly traverse a mount propagation tree in a certain     case involving a slave mount, which allows local users     to cause a denial of service (NULL pointer dereference     and OOPS) via a crafted series of mount system     calls.(CVE-2016-4581i1/4%0

  - drivers/vhost/net.c in the Linux kernel before 3.13.10,     when mergeable buffers are disabled, does not properly     validate packet lengths, which allows guest OS users to     cause a denial of service (memory corruption and host     OS crash) or possibly gain privileges on the host OS     via crafted packets, related to the handle_rx and     get_rx_bufs functions.(CVE-2014-0077i1/4%0

  - It was found that the fix for CVE-2016-9576 was     incomplete: the Linux kernel's sg implementation did     not properly restrict write operations in situations     where the KERNEL_DS option is set. A local attacker to     read or write to arbitrary kernel memory locations or     cause a denial of service (use-after-free) by     leveraging write access to a /dev/sg     device.(CVE-2016-10088i1/4%0

  - ** DISPUTED ** An issue was discovered in the Linux     kernel through 4.17.2. Since the page allocator does     not yield CPU resources to the owner of the oom_lock     mutex, a local unprivileged user can trivially lock up     the system forever by wasting CPU resources from the     page allocator (e.g., via concurrent page fault events)     when the global OOM killer is invoked. NOTE: the     software maintainer has not accepted certain proposed     patches, in part because of a viewpoint that 'the     underlying problem is non-trivial to     handle.'(CVE-2016-10723i1/4%0

  - A flaw was found in the way the Linux kernel's ASN.1     DER decoder processed certain certificate files with     tags of indefinite length. A local, unprivileged user     could use a specially crafted X.509 certificate DER     file to crash the system or, potentially, escalate     their privileges on the system.(CVE-2016-0758i1/4%0

  - A flaw was found in the way the Linux kernel's Stream     Control Transmission Protocol (SCTP) implementation     handled the association's output queue. A remote     attacker could send specially crafted packets that     would cause the system to use an excessive amount of     memory, leading to a denial of     service.(CVE-2014-3688i1/4%0

  - A use-after-free flaw was found in the way the     ping_init_sock() function of the Linux kernel handled     the group_info reference counter. A local, unprivileged     user could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-2851i1/4%0

  - The compat_get_timex function in kernel/compat.c in the     Linux kernel before 4.16.9 allows local users to obtain     sensitive information from kernel memory via     adjtimex.(CVE-2018-11508i1/4%0

  - The cdc_parse_cdc_header() function in     'drivers/usb/core/message.c' in the Linux kernel,     before 4.13.6, allows local users to cause a denial of     service (out-of-bounds read and system crash) or     possibly have unspecified other impact via a crafted     USB device. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely.(CVE-2017-16534i1/4%0

  - A flaw was found in the crypto subsystem of the Linux     kernel before version kernel-4.15-rc4. The 'null     skcipher' was being dropped when each af_alg_ctx was     freed instead of when the aead_tfm was freed. This can     cause the null skcipher to be freed while it is still     in use leading to a local user being able to crash the     system or possibly escalate     privileges.(CVE-2018-14619i1/4%0

  - The crypto_skcipher_init_tfm function in     crypto/skcipher.c in the Linux kernel through 4.11.2     relies on a setkey function that lacks a key-size     check, which allows local users to cause a denial of     service (NULL pointer dereference) via a crafted     application.(CVE-2017-9211i1/4%0

  - kernel/events/core.c in the performance subsystem in     the Linux kernel before 4.0 mismanages locks during     certain migrations, which allows local users to gain     privileges via a crafted application, aka Android     internal bug 30955111.(CVE-2016-6786i1/4%0

  - The KEYS subsystem in the Linux kernel omitted an     access-control check when writing a key to the current     task's default keyring, allowing a local user to bypass     security checks to the keyring. This compromises the     validity of the keyring for those who rely on     it.(CVE-2017-17807i1/4%0

  - A use-after-free flaw was found in the way the Linux     kernel's SCTP implementation handled authentication key     reference counting during INIT collisions. A remote     attacker could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2015-1421i1/4%0

  - The waitid implementation in kernel/exit.c in the Linux     kernel through 4.13.4 accesses rusage data structures     in unintended cases. This can allow local users to     obtain sensitive information and bypass the KASLR     protection mechanism via a crafted system     call.(CVE-2017-14954i1/4%0

  - It was found that the Linux kernel's keyring     implementation would leak memory when adding a key to a     keyring via the add_key() function. A local attacker     could use this flaw to exhaust all available memory on     the system.(CVE-2015-1333i1/4%0

  - The msm_ipc_router_close function in     net/ipc_router/ipc_router_socket.c in the ipc_router     component for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, allow attackers to cause a     denial of service (NULL pointer dereference) or     possibly have unspecified other impact by triggering     failure of an accept system call for an AF_MSM_IPC     socket.(CVE-2016-5870i1/4%0

  - A reachable assertion failure flaw was found in the     Linux kernel built with KVM virtualisation(CONFIG_KVM)     support with Virtual Function I/O feature (CONFIG_VFIO)     enabled. This failure could occur if a malicious guest     device sent a virtual interrupt (guest IRQ) with a     larger (i1/4z1024) index value.(CVE-2017-1000252i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel-alt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-alt packages provide the Linux kernel version 4.x.

Security Fix(es) :

* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639, aarch64)

* A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses.
(CVE-2018-5390)

* A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391)

Space precludes documenting all of the security fixes in this advisory. See the descriptions of the remaining security fixes in the related Knowledge Article :

https://access.redhat.com/articles/3658021

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting CVE-2018-3639; Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5390 and CVE-2018-5391; Qualys Research Labs for reporting CVE-2018-1120; David Rientjes (Google) for reporting CVE-2018-1000200;
and Wen Xu for reporting CVE-2018-1092, CVE-2018-1094, and CVE-2018-1095. The CVE-2018-14619 issue was discovered by Florian Weimer (Red Hat) and Ondrej Mosnacek (Red Hat).

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

ID	Name	Product	Family	Severity
124987	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1534)	Nessus	Huawei Local Security Checks	critical
118513	RHEL 7 : kernel-alt (RHSA-2018:2948) (Spectre)	Nessus	Red Hat Local Security Checks	high

CVE-2018-14619

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins