104924

1041397

[debian-lts-announce] 20181003 [SECURITY] [DLA 1531-1] linux-4.9 security update

USN-3931-1

USN-3931-2

DSA-4308

https://xenbits.xen.org/xsa/advisory-274.html

USN-3931-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS and for the Linux Azure kernel for Ubuntu 14.04 LTS.

M. Vefa Bicakci and Andy Lutomirski discovered that the kernel did not properly set up all arguments to an error handler callback used when running as a paravirtualized guest. An unprivileged attacker in a paravirtualized guest VM could use this to cause a denial of service (guest VM crash). (CVE-2018-14678)

It was discovered that the KVM implementation in the Linux kernel on ARM 64bit processors did not properly handle some ioctls. An attacker with the privilege to create KVM-based virtual machines could use this to cause a denial of service (host system crash) or execute arbitrary code in the host. (CVE-2018-18021)

Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19824)

Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel.
An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460)

Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974)

Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221)

Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM).
(CVE-2019-7222)

Jann Horn discovered that the eBPF implementation in the Linux kernel was insufficiently hardened against Spectre V1 attacks. A local attacker could use this to expose sensitive information.
(CVE-2019-7308)

It was discovered that a use-after-free vulnerability existed in the user- space API for crypto (af_alg) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8912)

It was discovered that the Linux kernel did not properly deallocate memory when handling certain errors while reading files. A local attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2019-8980)

Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

M. Vefa Bicakci and Andy Lutomirski discovered that the kernel did not properly set up all arguments to an error handler callback used when running as a paravirtualized guest. An unprivileged attacker in a paravirtualized guest VM could use this to cause a denial of service (guest VM crash). (CVE-2018-14678)

It was discovered that the KVM implementation in the Linux kernel on ARM 64bit processors did not properly handle some ioctls. An attacker with the privilege to create KVM-based virtual machines could use this to cause a denial of service (host system crash) or execute arbitrary code in the host. (CVE-2018-18021)

Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19824)

Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel.
An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460)

Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974)

Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221)

Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM).
(CVE-2019-7222)

Jann Horn discovered that the eBPF implementation in the Linux kernel was insufficiently hardened against Spectre V1 attacks. A local attacker could use this to expose sensitive information.
(CVE-2019-7308)

It was discovered that a use-after-free vulnerability existed in the user- space API for crypto (af_alg) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8912)

It was discovered that the Linux kernel did not properly deallocate memory when handling certain errors while reading files. A local attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2019-8980)

Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 4.17.11 stable update contains a number of important fixes across the tree. Also of note, starting with this release, kernel-headers is built from a different srpm. The contents should be the same, but there were some benefits to breaking it from the kernel build.

----

The 4.17.10 stable kernel update contains a number of important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Description of changes:

[4.14.35-1818.3.3.el7uek]
- net: net_failover: fix typo in net_failover_slave_register() (Liran Alon)  [Orabug: 28122110]
- virtio_net: Extend virtio to use VF datapath when available (Sridhar Samudrala)  [Orabug: 28122110]
- virtio_net: Introduce VIRTIO_NET_F_STANDBY feature bit (Sridhar Samudrala)  [Orabug: 28122110]
- net: Introduce net_failover driver (Sridhar Samudrala)  [Orabug: 28122110]
- net: Introduce generic failover module (Sridhar Samudrala)  [Orabug: 28122110]
- IB/ipoib: Improve filtering log message (Yuval Shaia)  [Orabug: 28655435]
- IB/ipoib: Fix wrong update of arp_blocked counter (Yuval Shaia) [Orabug: 28655435]
- IB/ipoib: Update RX counters after ACL filtering (Yuval Shaia) [Orabug: 28655435]
- IB/ipoib: Filter RX packets before adding pseudo header (Yuval Shaia) [Orabug: 28655435]
- dm crypt: add middle-endian variant of plain64 IV (Konrad Rzeszutek Wilk)  [Orabug: 28604629]
- uek-rpm: Disable deprecated CONFIG_ACPI_PROCFS_POWER (Victor Erminpour)  [Orabug: 28644322]
- net/rds: Fix call to sleeping function in a non-sleeping context (H&aring kon Bugge)  [Orabug: 28657397]
- cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (Scott Bauer)  [Orabug: 28664499]  {CVE-2018-16658}
- ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c (Seunghun Han)  [Orabug: 28664576]  {CVE-2017-13695}
- usb: xhci: do not create and register shared_hcd when USB3.0 is disabled (Tung Nguyen)  [Orabug: 28677854]

[4.14.35-1818.3.2.el7uek]
- hwmon: (k10temp) Display both Tctl and Tdie (Guenter Roeck)  [Orabug: 28143470]
- hwmon: (k10temp) Use API function to access System Management Network (Guenter Roeck)  [Orabug: 28143470]
- hwmon: (k10temp) Fix reading critical temperature register (Guenter Roeck)  [Orabug: 28143470]
- hwmon: (k10temp) Add temperature offset for Ryzen 2700X (Guenter Roeck)  [Orabug: 28143470]
- hwmon: (k10temp) Add support for temperature offsets (Guenter Roeck) [Orabug: 28143470]
- hwmon: (k10temp) Add support for family 17h (Guenter Roeck)  [Orabug: 28143470]
- hwmon: (k10temp) Move chip specific code into probe function (Guenter Roeck)  [Orabug: 28143470]
- net/rds: make the source code clean (Zhu Yanjun)  [Orabug: 28607913]
- net/rds: Use rdma_read_gids to get connection SGID/DGID in IPv6 (Zhu Yanjun)  [Orabug: 28607913]
- net/rds: Use rdma_read_gids to read connection GIDs (Parav Pandit) [Orabug: 28607913]
- posix-timers: Sanitize overrun handling (Thomas Gleixner)  [Orabug: 28642970]  {CVE-2018-12896}
- crypto: ccp - Add support for new CCP/PSP device ID (Tom Lendacky) [Orabug: 28584386]
- crypto: ccp - Support register differences between PSP devices (Tom Lendacky)  [Orabug: 28584386]
- crypto: ccp - Remove unused #defines (Tom Lendacky)  [Orabug: 28584386]
- crypto: ccp - Add psp enabled message when initialization succeeds (Tom Lendacky)  [Orabug: 28584386]
- crypto: ccp - Fix command completion detection race (Tom Lendacky) [Orabug: 28584386]
- iommu/amd: Add support for IOMMU XT mode (Suravee Suthikulpanit) [Orabug: 28584386]
- iommu/amd: Add support for higher 64-bit IOMMU Control Register (Suravee Suthikulpanit)  [Orabug: 28584386]
- x86: irq_remapping: Move irq remapping mode enum (Suravee Suthikulpanit)  [Orabug: 28584386]
- x86/CPU/AMD: Fix LLC ID bit-shift calculation (Suravee Suthikulpanit) [Orabug: 28584386]
- x86/CPU/AMD: Derive CPU topology from CPUID function 0xB when available (Suravee Suthikulpanit)  [Orabug: 28584386]
- x86/CPU/AMD: Calculate last level cache ID from number of sharing threads (Suravee Suthikulpanit)  [Orabug: 28584386]
- x86/CPU: Rename intel_cacheinfo.c to cacheinfo.c (Borislav Petkov) [Orabug: 28584386]
- perf/events/amd/uncore: Fix amd_uncore_llc ID to use pre-defined cpu_llc_id (Suravee Suthikulpanit)  [Orabug: 28584386]
- x86/CPU/AMD: Have smp_num_siblings and cpu_llc_id always be present (Borislav Petkov)  [Orabug: 28584386]

[4.14.35-1818.3.1.el7uek]
- arm64: vdso: fix clock_getres for 4GiB-aligned res (Mark Rutland) [Orabug: 28603375]
- locking/qrwlock: Prevent slowpath writers getting held up by fastpath (Will Deacon)  [Orabug: 28605196]
- locking/qrwlock, arm64: Move rwlock implementation over to qrwlocks (Will Deacon)  [Orabug: 28605196]
- locking/qrwlock: Use atomic_cond_read_acquire() when spinning in qrwlock (Will Deacon)  [Orabug: 28605196]
- locking/atomic: Add atomic_cond_read_acquire() (Will Deacon)  [Orabug: 28605196]
- rds: CVE-2018-7492: Fix NULL pointer dereference in __rds_rdma_map (H&aring kon Bugge)  [Orabug: 28565429]  {CVE-2018-7492}
- irqchip/irq-bcm2836: Add support for DT interrupt polarity (Stefan Wahren)  [Orabug: 28596168]
- dt-bindings/bcm2836-l1-intc: Add interrupt polarity support (Stefan Wahren)  [Orabug: 28596168]
- dt-bindings/bcm283x: Define polarity of per-cpu interrupts (Stefan Wahren)  [Orabug: 28596168]
- x86/spec_ctrl: Only set SPEC_CTRL_IBRS_FIRMWARE if IBRS is actually in use (Patrick Colp)  [Orabug: 28610695]

[4.14.35-1818.2.2.el7uek]
- x86/xen: Calculate __max_logical_packages on PV domains (Prarit Bhargava)  [Orabug: 28476586]
- x86/entry/64: Remove %ebx handling from error_entry/exit (Andy Lutomirski)  [Orabug: 28402921]  {CVE-2018-14678}
- x86/pti: Don't report XenPV as vulnerable (Jiri Kosina)  [Orabug: 28476680]
- x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (Andi Kleen)  [Orabug: 28488807]  {CVE-2018-3620}
- x86/speculation/l1tf: Suggest what to do on systems with too much RAM (Vlastimil Babka)  [Orabug: 28488807]  {CVE-2018-3620}
- x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (Vlastimil Babka)  [Orabug: 28488807]  {CVE-2018-3620}
- x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (Vlastimil Babka)  [Orabug: 28488807]  {CVE-2018-3620}
- x86/speculation/l1tf: Exempt zeroed PTEs from inversion (Sean Christopherson)  [Orabug: 28488807]  {CVE-2018-3620}
- x86/l1tf: Fix build error seen if CONFIG_KVM_INTEL is disabled (Guenter Roeck)  [Orabug: 28488807]  {CVE-2018-3620}
- x86/spectre: Add missing family 6 check to microcode check (Andi Kleen)  [Orabug: 28488807]  {CVE-2018-3620}
- KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled (Thomas Gleixner)  [Orabug: 28488807]  {CVE-2018-3646}
- x86/microcode: Allow late microcode loading with SMT disabled (Josh Poimboeuf)  [Orabug: 28488807]  {CVE-2018-3620}
- PCI: Add ACS quirk for Ampere root ports (Feng Kan)  [Orabug: 28525940]
- xfs: don't fail when converting shortform attr to long form during ATTR_REPLACE (Darrick J. Wong)  [Orabug: 28573020]
- uek-rpm: Disable F2FS in the UEK5 config (Victor Erminpour)  [Orabug: 28577123]

The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bugfixes.

CVE-2018-10853: A flaw was found in the way the KVM hypervisor emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest (bnc#1097104).

CVE-2018-10876: A flaw was found in Linux kernel in the ext4 filesystem code. A use-after-free is possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image. (bnc#1099811)

CVE-2018-10877: Linux kernel ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image. (bnc#1099846)

CVE-2018-10878: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write and a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4 filesystem image. (bnc#1099813)

CVE-2018-10879: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a file in a crafted ext4 filesystem image. (bnc#1099844)

CVE-2018-10880: Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system crash and a denial of service. (bnc#1099845)

CVE-2018-10881: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.
(bnc#1099864)

CVE-2018-10882: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound write in in fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image. (bnc#1099849)

CVE-2018-10883: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.
(bnc#1099863)

CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation (bnc#1105322).

CVE-2018-10938: A crafted network packet sent remotely by an attacker may force the kernel to enter an infinite loop in the cipso_v4_optptr() function in net/ipv4/cipso_ipv4.c leading to a denial-of-service. A certain non-default configuration of LSM (Linux Security Module) and NetLabel should be set up on a system before an attacker could leverage this flaw (bnc#1106016).

CVE-2018-10940: The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c allowed local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bnc#1092903).

CVE-2018-12896: An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922).

CVE-2018-13093: There is a NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001).

CVE-2018-13094: An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000).

CVE-2018-13095: A denial of service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999).

CVE-2018-14617: There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bnc#1102870).

CVE-2018-14678: The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S did not properly maintain RBX, which allowed local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges (bnc#1102715).

CVE-2018-15572: The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517 bnc#1105296).

CVE-2018-15594: arch/x86/kernel/paravirt.c mishandled certain indirect calls, which made it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests (bnc#1105348).

CVE-2018-16276: Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges (bnc#1106095).

CVE-2018-16658: An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 (bnc#1107689).

CVE-2018-17182: The vmacache_flush_all function in mm/vmacache.c mishandled sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations (bnc#1108399).

CVE-2018-6554: Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509).

CVE-2018-6555: The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511).

CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536).

CVE-2018-9363: A buffer overflow in bluetooth HID report processing could be used by malicious bluetooth devices to crash the kernel or potentially execute code (bnc#1105292). The following security bugs were fixed :

CVE-2018-7480: The blkcg_init_queue function in block/blk-cgroup.c allowed local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure (bnc#1082863).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2018-6554

A memory leak in the irda_bind function in the irda subsystem was discovered. A local user can take advantage of this flaw to cause a denial of service (memory consumption).

CVE-2018-6555

A flaw was discovered in the irda_setsockopt function in the irda subsystem, allowing a local user to cause a denial of service (use-after-free and system crash).

CVE-2018-7755

Brian Belleville discovered a flaw in the fd_locked_ioctl function in the floppy driver in the Linux kernel. The floppy driver copies a kernel pointer to user memory in response to the FDGETPRM ioctl. A local user with access to a floppy drive device can take advantage of this flaw to discover the location kernel code and data.

CVE-2018-9363

It was discovered that the Bluetooth HIDP implementation did not correctly check the length of received report messages. A paired HIDP device could use this to cause a buffer overflow, leading to denial of service (memory corruption or crash) or potentially remote code execution.

CVE-2018-9516

It was discovered that the HID events interface in debugfs did not correctly limit the length of copies to user buffers. A local user with access to these files could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.
However, by default debugfs is only accessible by the root user.

CVE-2018-10902

It was discovered that the rawmidi kernel driver does not protect against concurrent access which leads to a double-realloc (double free) flaw. A local attacker can take advantage of this issue for privilege escalation.

CVE-2018-10938

Yves Younan from Cisco reported that the Cipso IPv4 module did not correctly check the length of IPv4 options. On custom kernels with CONFIG_NETLABEL enabled, a remote attacker could use this to cause a denial of service (hang).

CVE-2018-13099

Wen Xu from SSLab at Gatech reported a use-after-free bug in the F2FS implementation. An attacker able to mount a crafted F2FS volume could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2018-14609

Wen Xu from SSLab at Gatech reported a potential NULL pointer dereference in the F2FS implementation. An attacker able to mount arbitrary F2FS volumes could use this to cause a denial of service (crash).

CVE-2018-14617

Wen Xu from SSLab at Gatech reported a potential NULL pointer dereference in the HFS+ implementation. An attacker able to mount arbitrary HFS+ volumes could use this to cause a denial of service (crash).

CVE-2018-14633

Vincent Pelletier discovered a stack-based buffer overflow flaw in the chap_server_compute_md5() function in the iSCSI target code. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service or possibly to get a non-authorized access to data exported by an iSCSI target.

CVE-2018-14678

M. Vefa Bicakci and Andy Lutomirski discovered a flaw in the kernel exit code used on amd64 systems running as Xen PV guests. A local user could use this to cause a denial of service (crash).

CVE-2018-14734

A use-after-free bug was discovered in the InfiniBand communication manager. A local user could use this to cause a denial of service (crash or memory corruption) or possible for privilege escalation.

CVE-2018-15572

Esmaiel Mohammadian Koruyeh, Khaled Khasawneh, Chengyu Song, and Nael Abu-Ghazaleh, from University of California, Riverside, reported a variant of Spectre variant 2, dubbed SpectreRSB. A local user may be able to use this to read sensitive information from processes owned by other users.

CVE-2018-15594

Nadav Amit reported that some indirect function calls used in paravirtualised guests were vulnerable to Spectre variant 2. A local user may be able to use this to read sensitive information from the kernel.

CVE-2018-16276

Jann Horn discovered that the yurex driver did not correctly limit the length of copies to user buffers. A local user with access to a yurex device node could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2018-16658

It was discovered that the cdrom driver does not correctly validate the parameter to the CDROM_DRIVE_STATUS ioctl. A user with access to a cdrom device could use this to read sensitive information from the kernel or to cause a denial of service (crash).

CVE-2018-17182

Jann Horn discovered that the vmacache_flush_all function mishandles sequence number overflows. A local user can take advantage of this flaw to trigger a use-after-free, causing a denial of service (crash or memory corruption) or privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 4.9.110-3+deb9u5~deb8u1.

We recommend that you upgrade your linux-4.9 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2018-6554     A memory leak in the irda_bind function in the irda     subsystem was discovered. A local user can take     advantage of this flaw to cause a denial of service     (memory consumption).

  - CVE-2018-6555     A flaw was discovered in the irda_setsockopt function in     the irda subsystem, allowing a local user to cause a     denial of service (use-after-free and system crash).

  - CVE-2018-7755     Brian Belleville discovered a flaw in the     fd_locked_ioctl function in the floppy driver in the     Linux kernel. The floppy driver copies a kernel pointer     to user memory in response to the FDGETPRM ioctl. A     local user with access to a floppy drive device can take     advantage of this flaw to discover the location kernel     code and data.

  - CVE-2018-9363     It was discovered that the Bluetooth HIDP implementation     did not correctly check the length of received report     messages. A paired HIDP device could use this to cause a     buffer overflow, leading to denial of service (memory     corruption or crash) or potentially remote code     execution.

  - CVE-2018-9516     It was discovered that the HID events interface in     debugfs did not correctly limit the length of copies to     user buffers. A local user with access to these files     could use this to cause a denial of service (memory     corruption or crash) or possibly for privilege     escalation. However, by default debugfs is only     accessible by the root user.

  - CVE-2018-10902     It was discovered that the rawmidi kernel driver does     not protect against concurrent access which leads to a     double-realloc (double free) flaw. A local attacker can     take advantage of this issue for privilege escalation.

  - CVE-2018-10938     Yves Younan from Cisco reported that the Cipso IPv4     module did not correctly check the length of IPv4     options. On custom kernels with CONFIG_NETLABEL enabled,     a remote attacker could use this to cause a denial of     service (hang).

  - CVE-2018-13099     Wen Xu from SSLab at Gatech reported a use-after-free     bug in the F2FS implementation. An attacker able to     mount a crafted F2FS volume could use this to cause a     denial of service (crash or memory corruption) or     possibly for privilege escalation.

  - CVE-2018-14609     Wen Xu from SSLab at Gatech reported a potential NULL     pointer dereference in the F2FS implementation. An     attacker able to mount a crafted F2FS volume could use     this to cause a denial of service (crash).

  - CVE-2018-14617     Wen Xu from SSLab at Gatech reported a potential NULL     pointer dereference in the HFS+ implementation. An     attacker able to mount a crafted HFS+ volume could use     this to cause a denial of service (crash).

  - CVE-2018-14633     Vincent Pelletier discovered a stack-based buffer     overflow flaw in the chap_server_compute_md5() function     in the iSCSI target code. An unauthenticated remote     attacker can take advantage of this flaw to cause a     denial of service or possibly to get a non-authorized     access to data exported by an iSCSI target.

  - CVE-2018-14678     M. Vefa Bicakci and Andy Lutomirski discovered a flaw in     the kernel exit code used on amd64 systems running as     Xen PV guests. A local user could use this to cause a     denial of service (crash).

  - CVE-2018-14734     A use-after-free bug was discovered in the InfiniBand     communication manager. A local user could use this to     cause a denial of service (crash or memory corruption)     or possible for privilege escalation.

  - CVE-2018-15572     Esmaiel Mohammadian Koruyeh, Khaled Khasawneh, Chengyu     Song, and Nael Abu-Ghazaleh, from University of     California, Riverside, reported a variant of Spectre     variant 2, dubbed SpectreRSB. A local user may be able     to use this to read sensitive information from processes     owned by other users.

  - CVE-2018-15594     Nadav Amit reported that some indirect function calls     used in paravirtualised guests were vulnerable to     Spectre variant 2. A local user may be able to use this     to read sensitive information from the kernel.

  - CVE-2018-16276     Jann Horn discovered that the yurex driver did not     correctly limit the length of copies to user buffers. A     local user with access to a yurex device node could use     this to cause a denial of service (memory corruption or     crash) or possibly for privilege escalation.

  - CVE-2018-16658     It was discovered that the cdrom driver does not     correctly validate the parameter to the     CDROM_DRIVE_STATUS ioctl. A user with access to a cdrom     device could use this to read sensitive information from     the kernel or to cause a denial of service (crash).

  - CVE-2018-17182     Jann Horn discovered that the vmacache_flush_all     function mishandles sequence number overflows. A local     user can take advantage of this flaw to trigger a     use-after-free, causing a denial of service (crash or     memory corruption) or privilege escalation.

Description of changes:

[4.1.12-124.19.1.el7uek]
- x86/entry/64: Ensure %ebx handling correct in xen_failsafe_callback (George Kennedy)  [Orabug: 28402927]  {CVE-2018-14678}
- x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (Andi Kleen)  [Orabug: 28488808]  {CVE-2018-3620}
- x86/speculation/l1tf: Suggest what to do on systems with too much RAM (Vlastimil Babka)  [Orabug: 28488808]  {CVE-2018-3620}
- x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (Vlastimil Babka)  [Orabug: 28488808]  {CVE-2018-3620}
- x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (Vlastimil Babka)  [Orabug: 28488808]  {CVE-2018-3620}
- x86/speculation/l1tf: Exempt zeroed PTEs from inversion (Sean Christopherson)  [Orabug: 28488808]  {CVE-2018-3620}
- x86/l1tf: Fix build error seen if CONFIG_KVM_INTEL is disabled (Guenter Roeck)  [Orabug: 28488808]  {CVE-2018-3620}
- x86/spectre: Add missing family 6 check to microcode check (Andi Kleen)  [Orabug: 28488808]  {CVE-2018-3620}
- KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled (Thomas Gleixner)  [Orabug: 28488808]  {CVE-2018-3646}
- x86/microcode: Allow late microcode loading with SMT disabled (Josh Poimboeuf)  [Orabug: 28488808]  {CVE-2018-3620}
- x86/microcode: Do not upload microcode if CPUs are offline (Ashok Raj)   [Orabug: 28488808]  {CVE-2018-3620}

The remote OracleVM system is missing necessary patches to address critical security updates :

Oracle VM Security Advisory OVMSA-2018-0254

The following updated rpms for Oracle VM 3.4 have been uploaded to the Unbreakable Linux Network :

x86_64: kernel-uek-4.1.12-124.19.1.el6uek.x86_64.rpm kernel-uek-firmware-4.1.12-124.19.1.el6uek.noarch.rpm

SRPMS :

Description of changes :

  - x86/entry/64: Ensure %ebx handling correct in     xen_failsafe_callback (George Kennedy) [Orabug:
    28402927] (CVE-2018-14678)

  - x86/speculation/l1tf: Increase l1tf memory limit for     Nehalem+ (Andi Kleen) [Orabug: 28488808] (CVE-2018-3620)

  - x86/speculation/l1tf: Suggest what to do on systems with     too much RAM (Vlastimil Babka) [Orabug: 28488808]     (CVE-2018-3620)

  - x86/speculation/l1tf: Fix off-by-one error when warning     that system has too much RAM (Vlastimil Babka) [Orabug:
    28488808] (CVE-2018-3620)

  - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit on     32bit (Vlastimil Babka) [Orabug: 28488808]     (CVE-2018-3620)

  - x86/speculation/l1tf: Exempt zeroed PTEs from inversion     (Sean Christopherson) [Orabug: 28488808] (CVE-2018-3620)

  - x86/l1tf: Fix build error seen if CONFIG_KVM_INTEL is     disabled (Guenter Roeck) [Orabug: 28488808]     (CVE-2018-3620)

  - x86/spectre: Add missing family 6 check to microcode     check (Andi Kleen) [Orabug: 28488808] (CVE-2018-3620)

  - KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host with     interrupts disabled (Thomas Gleixner) [Orabug: 28488808]     (CVE-2018-3646)

  - x86/microcode: Allow late microcode loading with SMT     disabled (Josh Poimboeuf) [Orabug: 28488808]     (CVE-2018-3620)

  - x86/microcode: Do not upload microcode if CPUs are     offline (Ashok Raj) [Orabug: 28488808] (CVE-2018-3620)

ID	Name	Product	Family	Severity
123679	Ubuntu 14.04 LTS / 16.04 LTS : linux-hwe, linux-aws-hwe, linux-azure, linux-gcp, linux-oracle (USN-3931-2)	Nessus	Ubuntu Local Security Checks	high
123678	Ubuntu 18.04 LTS : linux, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-oracle, (USN-3931-1)	Nessus	Ubuntu Local Security Checks	high
120794	Fedora 28 : kernel / kernel-headers (2018-cc812838fb)	Nessus	Fedora Local Security Checks	high
118053	Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4242) (Foreshadow)	Nessus	Oracle Linux Local Security Checks	high
118034	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:3084-1)	Nessus	SuSE Local Security Checks	high
117908	Debian DLA-1531-1 : linux-4.9 security update	Nessus	Debian Local Security Checks	high
117862	Debian DSA-4308-1 : linux - security update	Nessus	Debian Local Security Checks	high
117378	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4210) (Foreshadow)	Nessus	Oracle Linux Local Security Checks	high
117377	OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0254) (Foreshadow)	Nessus	OracleVM Local Security Checks	high
111539	Fedora 27 : kernel / kernel-headers (2018-49bda79bd5)	Nessus	Fedora Local Security Checks	high

CVE-2018-14678

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins