RHEL 7 : kernel-rt (RHSA-2017:1616) (Stack Clash)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

An update for kernel-rt is now available for Red Hat Enterprise Linux

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which
enables fine-tuning for systems with extremely high determinism

Security Fix(es) :

* A flaw was found in the way memory was being allocated on the stack
for user space binaries. If heap (or different memory region) and
stack memory regions were adjacent to each other, an attacker could
use this flaw to jump over the stack guard gap, cause controlled
memory corruption on process stack or the adjacent memory region, and
thus increase their privileges on the system. This is a kernel-side
mitigation which increases the stack guard gap size from one page to 1
MiB to make successful exploitation of this issue more difficult.
(CVE-2017-1000364, Important)

* A flaw was found in the way Linux kernel allocates heap memory to
build the scattergather list from a fragment
list(skb_shinfo(skb)->frag_list) in the socket buffer(skb_buff). The
heap overflow occurred if 'MAX_SKB_FRAGS + 1' parameter and
'NETIF_F_FRAGLIST' feature are both used together. A remote user or
process could use this flaw to potentially escalate their privilege on
a system. (CVE-2017-7477, Important)

* The NFS2/3 RPC client could send long arguments to the NFS server.
These encoded arguments are stored in an array of memory pages, and
accessed using pointer variables. Arbitrarily long arguments could
make these pointers point outside the array and cause an out-of-bounds
memory access. A remote user or program could use this flaw to crash
the kernel, resulting in denial of service. (CVE-2017-7645, Important)

* The NFSv2 and NFSv3 server implementations in the Linux kernel
through 4.10.13 lacked certain checks for the end of a buffer. A
remote attacker could trigger a pointer-arithmetic error or possibly
cause other unspecified impacts using crafted requests related to
fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. (CVE-2017-7895, Important)

* Linux kernel built with the Kernel-based Virtual Machine
(CONFIG_KVM) support was vulnerable to an incorrect segment
selector(SS) value error. The error could occur while loading values
into the SS register in long mode. A user or process inside a guest
could use this flaw to crash the guest, resulting in DoS or
potentially escalate their privileges inside the guest.
(CVE-2017-2583, Moderate)

* A flaw was found in the Linux kernel's handling of packets with the
URG flag. Applications using the splice() and tcp_splice_read()
functionality could allow a remote attacker to force the kernel to
enter a condition in which it could loop indefinitely. (CVE-2017-6214,

Red Hat would like to thank Qualys Research Labs for reporting
CVE-2017-1000364; Ari Kauppi for reporting CVE-2017-7895; and Xiaohan
Zhang (Huawei Inc.) for reporting CVE-2017-2583.

Bug Fix(es) :

* The kernel-rt packages have been upgraded to the 3.10.0-514.25.2
source tree, which provides a number of bug fixes over the previous
version. (BZ#1452742)

* Previously, a local lock acquisition around the
ip_send_unicast_reply() function was incorrectly terminated.
Consequently, a list corruption occurred that led to a kernel panic.
This update adds locking functions around calls to
ip_send_unicast_reply(). As a result, neither list corruption nor
kernel panic occur under the described circumstances. (BZ#1455239)

See also :


Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 8.3
Public Exploit Available : true

Family: Red Hat Local Security Checks

Nessus Plugin ID: 101102 ()

Bugtraq ID:

CVE ID: CVE-2017-1000364

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now