EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1159)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Synopsis :

The remote EulerOS host is missing multiple security updates.

Description :

According to the versions of the kernel packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :

- The mq_notify function in the Linux kernel through
4.11.9 does not set the sock pointer to NULL upon entry
into the retry logic. During a user-space close of a
Netlink socket, it allows attackers to cause a denial
of service (use-after-free) or possibly have
unspecified other impact.(CVE-2017-11176)

- The brcmf_cfg80211_mgmt_tx function in
cfg80211.c in the Linux kernel before 4.12.3 allows
local users to cause a denial of service (buffer
overflow and system crash) or possibly gain privileges
via a crafted NL80211_CMD_FRAME Netlink

- The ip6_find_1stfragopt function in
net/ipv6/output_core.c in the Linux kernel through
4.12.3 allows local users to cause a denial of service
(integer overflow and infinite loop) by leveraging the
ability to open a raw socket.(CVE-2017-7542)

- Buffer overflow in the mp_override_legacy_irq()
function in arch/x86/kernel/acpi/boot.c in the Linux
kernel through 4.12.2 allows local users to gain
privileges via a crafted ACPI table.(CVE-2017-11473)

- net/xfrm/xfrm_policy.c in the Linux kernel through
4.12.3, when CONFIG_XFRM_MIGRATE is enabled, does not
ensure that the dir value of xfrm_userpolicy_id is
XFRM_POLICY_MAX or less, which allows local users to
cause a denial of service (out-of-bounds access) or
possibly have unspecified other impact via an
XFRM_MSG_MIGRATE xfrm Netlink message.(CVE-2017-11600)

- It was discovered that root can gain direct access to
an internal keyring, such as '.dns_resolver' in RHEL-7
or '.builtin_trusted_keys' upstream, by joining it as
its session keyring. This allows root to bypass module
signature verification by adding a new public key of
its own devising to the keyring.(CVE-2016-9604)

- A user-controlled buffer is copied into a local buffer
of constant size using strcpy without a length check
which can cause a buffer overflow. This affects the
Linux kernel 4.9-stable tree, 4.12-stable tree,
3.18-stable tree, and 4.4-stable tree.(CVE-2017-12762)

- The Linux Kernel imposes a size restriction on the
arguments and environmental strings passed through
RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does
not take the argument and environment pointers into
account, which allows attackers to bypass this
limitation. This affects Linux Kernel versions 4.11.5
and earlier. It appears that this feature was
introduced in the Linux Kernel version

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected kernel packages.

Risk factor :

Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 7.4
Public Exploit Available : false

Family: Huawei Local Security Checks

Nessus Plugin ID: 102997

CVE ID: CVE-2016-9604
