http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=966031f340185eddd05affcf72b740549f056348

https://bugzilla.suse.com/show_bug.cgi?id=1094825

https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.11

https://github.com/torvalds/linux/commit/966031f340185eddd05affcf72b740549f056348

USN-3849-1

USN-3849-2

The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743).

CVE-2018-16884: NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out (bnc#1119946).

CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714).

CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bnc#1118319).

CVE-2018-16862: A security flaw was found in a way that the cleancache subsystem clears an inode after the final file truncation (removal).
The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one (bnc#1117186).

CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).

CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).

CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).

CVE-2018-18690: A local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandled ATTR_REPLACE operations with conversion of an attr from short to long form (bnc#1105025).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check.
This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
(bnc#1108498).

CVE-2019-3459, CVE-2019-3460: The Blutooth stack suffered from two remote information leak vulnerabilities in the code that handles incoming L2cap configuration packets (bsc#1120758).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bounds write and a     denial of service or unspecified other impact is     possible by mounting and operating a crafted ext4     filesystem image.(CVE-2018-10878)

  - An issue was discovered in can_can_gw_rcv in     net/can/gw.c in the Linux kernel through 4.19.13. The     CAN frame modification rules allow bitwise logical     operations that can be also applied to the can_dlc     field. Because of a missing check, the CAN drivers may     write arbitrary content beyond the data registers in     the CAN controller's I/O memory when processing can-gw     manipulated outgoing frames. This is related to     cgw_csum_xor_rel. An unprivileged user can trigger a     system crash (general protection fault).(CVE-2019-3701)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bound access in     ext4_get_group_info function, a denial of service, and     a system crash by mounting and operating on a crafted     ext4 filesystem image.(CVE-2018-10881)

  - A flaw was found in the Linux kernel's ext4 filesystem     code. A stack-out-of-bounds write in     ext4_update_inline_data() is possible when mounting and     writing to a crafted ext4 image. An attacker could use     this to cause a system crash and a denial of     service.(CVE-2018-10880)

  - The crypto API in the Linux kernel through 3.9-rc8 does     not initialize certain length variables, which allows     local users to obtain sensitive information from kernel     stack memory via a crafted recvmsg or recvfrom system     call, related to the hash_recvmsg function in     crypto/algif_hash.c and the skcipher_recvmsg function     in crypto/algif_skcipher.c.(CVE-2013-3076)

  - weakness was found in the Linux kernel's implementation     of random seed data. Programs, early in the boot     sequence, could use the data allocated for the seed     before it was sufficiently generated.(CVE-2018-1108)

  - An issue was discovered in the proc_pid_stack function     in fs/proc/base.c in the Linux kernel. An attacker with     a local account can trick the stack unwinder code to     leak stack contents to userspace. The fix allows only     root to inspect the kernel stack of an arbitrary     task.(CVE-2018-17972)

  - A security flaw was found in the     chap_server_compute_md5() function in the ISCSI target     code in the Linux kernel in a way an authentication     request from an ISCSI initiator is processed. An     unauthenticated remote attacker can cause a stack     buffer overflow and smash up to 17 bytes of the stack.
    The attack requires the iSCSI target to be enabled on     the victim host. Depending on how the target's code was     built (i.e. depending on a compiler, compile flags and     hardware architecture) an attack may lead to a system     crash and thus to a denial of service or possibly to a     non-authorized access to data exported by an iSCSI     target. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is highly unlikely.(CVE-2018-14633)

  - An issue was discovered in the Linux kernel before     4.18.6. An information leak in cdrom_ioctl_drive_status     in drivers/cdrom/cdrom.c could be used by local     attackers to read kernel memory because a cast from     unsigned long to int interferes with bounds     checking.(CVE-2018-16658)

  - In the Linux kernel before 4.17, a local attacker able     to set attributes on an xfs filesystem could make this     filesystem non-operational until the next mount by     triggering an unchecked error condition during an xfs     attribute change, because xfs_attr_shortform_addname in     fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE     operations with conversion of an attr from short to     long form.(CVE-2018-18690)

  - A security flaw was found in the Linux kernel in     drivers/tty/n_tty.c which allows local attackers (ones     who are able to access pseudo terminals) to lock them     up and block further usage of any pseudo terminal     devices due to an EXTPROC versus ICANON confusion in     TIOCINQ handler.(CVE-2018-18386)

  - The Linux kernel was found to be vulnerable to a NULL     pointer dereference bug in the __netlink_ns_capable()     function in the net/netlink/af_netlink.c file. A local     attacker could exploit this when a net namespace with a     netnsid is assigned to cause a kernel panic and a     denial of service.(CVE-2018-14646)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in the Linux kernel before     4.18.6. An information leak in cdrom_ioctl_drive_status     in drivers/cdrom/cdrom.c could be used by local     attackers to read kernel memory because a cast from     unsigned long to int interferes with bounds     checking.(CVE-2018-16658)

  - In the Linux kernel before 4.17, a local attacker able     to set attributes on an xfs filesystem could make this     filesystem non-operational until the next mount by     triggering an unchecked error condition during an xfs     attribute change, because xfs_attr_shortform_addname in     fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE     operations with conversion of an attr from short to     long form.(CVE-2018-18690)

  - A security flaw was found in the Linux kernel in     drivers/tty/n_tty.c which allows local attackers (ones     who are able to access pseudo terminals) to lock them     up and block further usage of any pseudo terminal     devices due to an EXTPROC versus ICANON confusion in     TIOCINQ handler.(CVE-2018-18386)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 kernel was updated to 3.0.101 to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check.
This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1108498).

CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841).

CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743).

CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714).

CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1118319).

CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).

CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused (bnc#1113769).

CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2017-7273: The cp_report_fixup function in drivers/hid/hid-cypress.c allowed physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report (bnc#1031240).

CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).

CVE-2017-1000407: Fixed a denial of service, which was caused by flooding the diagnostic port 0x80 an exception leading to a kernel panic (bnc#1071021).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 Azure kernel was updated to 4.4.162 to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).

CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).

CVE-2018-18690: A local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandled ATTR_REPLACE operations with conversion of an attr from short to long form (bnc#1105025).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check.
This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
(bnc#1108498).

CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack-based buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. (bnc#1107829).

CVE-2018-17182: The vmacache_flush_all function in mm/vmacache.c mishandled sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations (bnc#1108399).

CVE-2018-16597: Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem (bnc#1106512).

CVE-2018-14613: There is an invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item validation in check_leaf_item in fs/btrfs/tree-checker.c (bnc#1102896).

CVE-2018-14617: There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bnc#1102870).

CVE-2018-16276: Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges (bnc#1106095 bnc#1115593).

CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1087209).

CVE-2018-7480: The blkcg_init_queue function in block/blk-cgroup.c allowed local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure (bnc#1082863).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-18445: A faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandled 32-bit right shifts (bnc#1112372).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2017-18224: fs/ocfs2/aops.c omits use of a semaphore and consequently has a race condition for access to the extent tree during read operations in DIRECT mode, which allowed local users to cause a denial of service (BUG) by modifying a certain e_cpos field (bnc#1084831).

CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In the Linux Kernel before version 4.15.8, 4.14.25,     4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the     '_sctp_make_chunk()' function     (net/sctp/sm_make_chunk.c) when handling SCTP packets     length can be exploited to cause a kernel     crash.(CVE-2018-5803)

  - Linux Linux kernel version at least v4.8 onwards,     probably well before contains a Insufficient input     validation vulnerability in bnx2x network card driver     that can result in DoS: Network card firmware assertion     takes card off-line. This attack appear to be     exploitable via An attacker on a must pass a very     large, specially crafted packet to the bnx2x card. This     can be done from an untrusted guest     VM.(CVE-2018-1000026)

  - The Linux kernel is vulnerable to a NULL pointer     dereference in the     ext4/mballoc.c:ext4_process_freed_data() function. An     attacker could trick a legitimate user or a privileged     attacker could exploit this by mounting a crafted ext4     image to cause a kernel panic.(CVE-2018-1092)

  - In the function wmi_set_ie() in the Linux kernel the     length validation code does not handle unsigned integer     overflow properly. As a result, a large value of the     'ie_len' argument can cause a buffer overflow and thus     a memory corruption leading to a system crash or other     or unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2018-5848)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bound access in     ext4_get_group_info function, a denial of service, and     a system crash by mounting and operating on a crafted     ext4 filesystem image.(CVE-2018-10881)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bounds write and a     denial of service or unspecified other impact is     possible by mounting and operating a crafted ext4     filesystem image.(CVE-2018-10878)

  - A security flaw was found in the     chap_server_compute_md5() function in the ISCSI target     code in the Linux kernel in a way an authentication     request from an ISCSI initiator is processed. An     unauthenticated remote attacker can cause a stack     buffer overflow and smash up to 17 bytes of the stack.
    The attack requires the iSCSI target to be enabled on     the victim host. Depending on how the target's code was     built (i.e. depending on a compiler, compile flags and     hardware architecture) an attack may lead to a system     crash and thus to a denial of service or possibly to a     non-authorized access to data exported by an iSCSI     target. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is highly unlikely.(CVE-2018-14633)

  - An issue was discovered in the Linux kernel before     4.18.6. An information leak in cdrom_ioctl_drive_status     in drivers/cdrom/cdrom.c could be used by local     attackers to read kernel memory because a cast from     unsigned long to int interferes with bounds     checking.(CVE-2018-16658)

  - In the Linux kernel before 4.17, a local attacker able     to set attributes on an xfs filesystem could make this     filesystem non-operational until the next mount by     triggering an unchecked error condition during an xfs     attribute change, because xfs_attr_shortform_addname in     fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE     operations with conversion of an attr from short to     long form.(CVE-2018-18690)

  - It was found that paravirt_patch_call/jump() functions     in the arch/x86/kernel/paravirt.c in the Linux kernel     mishandles certain indirect calls, which makes it     easier for attackers to conduct Spectre-v2 attacks     against paravirtualized guests.(CVE-2018-15594)

  - A security flaw was found in the Linux kernel in     drivers/tty/n_tty.c which allows local attackers (ones     who are able to access pseudo terminals) to lock them     up and block further usage of any pseudo terminal     devices due to an EXTPROC versus ICANON confusion in     TIOCINQ handler.(CVE-2018-18386)

  - An out-of-bounds access issue was discovered in     yurex_read() in drivers/usb/misc/yurex.c in the Linux     kernel. A local attacker could use user access     read/writes with incorrect bounds checking in the yurex     USB driver to crash the kernel or potentially escalate     privileges.(CVE-2018-16276)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that a NULL pointer dereference existed in the keyring subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2647)

It was discovered that a race condition existed in the raw MIDI driver for the Linux kernel, leading to a double free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10902)

It was discovered that an integer overrun vulnerability existed in the POSIX timers implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2018-12896)

Noam Rathaus discovered that a use-after-free vulnerability existed in the Infiniband implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that the YUREX USB device driver for the Linux kernel did not properly restrict user space reads or writes. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-16276)

Tetsuo Handa discovered a logic error in the TTY subsystem of the Linux kernel. A local attacker with access to pseudo terminal devices could use this to cause a denial of service. (CVE-2018-18386)

Kanda Motohiro discovered that writing extended attributes to an XFS file system in the Linux kernel in certain situations could cause an error condition to occur. A local attacker could use this to cause a denial of service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-18710).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).

CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removed entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry could remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).

CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).

CVE-2018-18445: Faulty computation of numeric bounds in the BPF verifier permitted out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandled 32-bit right shifts (bnc#1112372).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2017-18224: fs/ocfs2/aops.c omitted use of a semaphore and consequently had a race condition for access to the extent tree during read operations in DIRECT mode, which allowed local users to cause a denial of service (BUG) by modifying a certain e_cpos field (bnc#1084831).

CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Description of changes:

[4.1.12-124.23.2.el7uek]
- n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD) (Linus Torvalds)  [Orabug: 28855335]  {CVE-2018-18386}
- nfs: Don't take a reference on fl->fl_file for LOCK operation (Benjamin Coddington)  [Orabug: 28887442]
- x86/topology: Update the 'cpu cores' field in /proc/cpuinfo correctly across CPU hotplug operations (Samuel Neves)  [Orabug: 28933009]
- ALSA: seq: Fix regression by incorrect ioctl_mutex usages (Takashi Iwai)  [Orabug: 29005188]  {CVE-2018-1000004}
- net: phy: mdio-bcm-unimac: fix potential NULL dereference in unimac_mdio_probe() (Wei Yongjun)  [Orabug: 29012346]  {CVE-2018-8043}

The SUSE Linux Enterprise 12 SP4 kernel for Azure was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).

CVE-2018-18445: Faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandled 32-bit right shifts (bnc#1112372).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2017-18224: fs/ocfs2/aops.c omits use of a semaphore and consequently has a race condition for access to the extent tree during read operations in DIRECT mode, which allowed local users to cause a denial of service (BUG) by modifying a certain e_cpos field (bnc#1084831).

CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for the Linux Kernel 4.4.103-92_56 fixes several issues.

The following security issues were fixed :

CVE-2018-5391: Fixed a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may have caused a denial of service condition by sending specially crafted IP fragments. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size (bsc#1103098).

CVE-2018-18386: The drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bsc#1112039).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for the Linux Kernel 3.12.74-60_64_107 fixes one issue.

The following security issue was fixed :

CVE-2018-18386: The drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bsc#1112039).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP4 kernel was updated to 3.0.101-108.81 to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-18281: An issue was discovered in the Linux kernel, the mremap() syscall performs TLB flushes after dropping pagetable locks.
If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused (bnc#1113769).

CVE-2018-18710: An issue was discovered in the Linux kernel, an information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).

CVE-2018-18386: drivers/tty/n_tty.c in the Linux kernel allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2017-7273: The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux kernel 4.x allowed physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report (bnc#1031240).

CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).

CVE-2017-1000407: An denial of service issue was discovered in the Linux kernel, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic (bnc#1071021).

CVE-2018-9516: An issue was discovered in the Linux kernel, the copy_to_user() inside the HID code does not correctly check the length before executing (bsc#1108498).

CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host.
Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely (bnc#1107829).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.162 to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack-based buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. (bnc#1107829).

CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2018-18690: A local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandled ATTR_REPLACE operations with conversion of an attr from short to long form (bnc#1105025).

CVE-2018-18710: An issue was discovered in the Linux kernel An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).

CVE-2018-9516: A lack of certain checks in the hid_debug_events_read() function in the drivers/hid/hid-debug.c file might have resulted in receiving userspace buffer overflow and an out-of-bounds write or to the infinite loop. (bnc#1108498).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
122343	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:0439-1)	Nessus	SuSE Local Security Checks	high
122201	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-1028)	Nessus	Huawei Local Security Checks	high
122174	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-1027)	Nessus	Huawei Local Security Checks	medium
121468	SUSE SLES11 Security Update : kernel (SUSE-SU-2019:13937-1)	Nessus	SuSE Local Security Checks	high
121208	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:0095-1)	Nessus	SuSE Local Security Checks	high
120151	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2018:3589-1)	Nessus	SuSE Local Security Checks	high
119921	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2018-1432)	Nessus	Huawei Local Security Checks	high
119832	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3849-1)	Nessus	Ubuntu Local Security Checks	high
119647	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:4069-1)	Nessus	SuSE Local Security Checks	high
119639	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4307)	Nessus	Oracle Linux Local Security Checks	high
119286	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:3934-1)	Nessus	SuSE Local Security Checks	high
119077	openSUSE Security Update : the Linux Kernel (openSUSE-2018-1427)	Nessus	SuSE Local Security Checks	high
119033	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:3787-1)	Nessus	SuSE Local Security Checks	high
119013	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:3772-1)	Nessus	SuSE Local Security Checks	low
118952	SUSE SLES11 Security Update : kernel (SUSE-SU-2018:3746-1)	Nessus	SuSE Local Security Checks	high
118882	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:3689-1)	Nessus	SuSE Local Security Checks	high
118818	openSUSE Security Update : the Linux Kernel (openSUSE-2018-1342)	Nessus	SuSE Local Security Checks	high

CVE-2018-18386

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins