Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2017-076)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Synopsis :

The remote Virtuozzo host is missing multiple security updates.

Description :

According to the versions of the parallels-server-bm-release /
vzkernel / etc packages installed, the Virtuozzo installation on the
remote host is affected by the following vulnerabilities :

- An integer overflow vulnerability in
ip6_find_1stfragopt() function was found. A local
attacker that has privileges (of CAP_NET_RAW) to open
raw socket can cause an infinite loop inside the
ip6_find_1stfragopt() function.

- Race condition in fs/timerfd.c in the Linux kernel
before 4.10.15 allows local users to gain privileges or
cause a denial of service (list corruption or
use-after-free) via simultaneous file-descriptor
operations that leverage improper might_cancel

- A race condition issue leading to a use-after-free flaw
was found in the way the raw packet sockets are
implemented in the Linux kernel networking subsystem
handling synchronization. A local user able to open a
raw packet socket (requires the CAP_NET_RAW capability)
could use this flaw to elevate their privileges on the

- Andrey Konovalov discovered a race condition in the UDP
Fragmentation Offload (UFO) code in the Linux kernel. A
local attacker could use this to cause a denial of
service or execute arbitrary code.

- Kernel memory corruption due to a buffer overflow was
found in brcmf_cfg80211_mgmt_tx() function in Linux
kernels from v3.9-rc1 to v4.13-rc1. The vulnerability
can be triggered by sending a crafted NL80211_CMD_FRAME
packet via netlink. This flaw is unlikely to be
triggered remotely as certain userspace code is needed
for this. An unprivileged local user could use this
flaw to induce kernel memory corruption on the system,
leading to a crash. Due to the nature of the flaw,
privilege escalation cannot be fully ruled out,
although we believe it is unlikely.

- The mq_notify function in the Linux kernel through
4.11.9 does not set the sock pointer to NULL upon entry
into the retry logic. During a user-space close of a
Netlink socket, it allows attackers to possibly cause a
situation where a value may be used after being freed
(use after free) which may lead to memory corruption or
other unspecified other impact.

- The tcp_disconnect function in net/ipv4/tcp.c in the
Linux kernel before 4.12 allows local users to cause a
denial of service (__tcp_select_window divide-by-zero
error and system crash) by triggering a disconnect
within a certain tcp_recvmsg code path.

Note that Tenable Network Security has extracted the preceding
description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.

See also :

Solution :

Update the affected parallels-server-bm-release / vzkernel / etc packages.

Risk factor :

Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 7.8
Public Exploit Available : true

Family: Virtuozzo Local Security Checks

Nessus Plugin ID: 102922 ()

Bugtraq ID:

CVE ID: CVE-2017-1000111

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now