Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2018-041)

high Nessus Plugin ID 110694

Synopsis

The remote Virtuozzo host is missing multiple security updates.

Description

According to the versions of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities :

- The do_get_mempolicy() function in 'mm/mempolicy.c' in the Linux kernel allows local users to hit a use-after-free bug via crafted system calls and thus cause a denial of service (DoS) or possibly have unspecified other impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.

- It was found that AIO interface didn't use the proper rw_verify_area() helper function with extended functionality, for example, mandatory locking on the file. Also rw_verify_area() makes extended checks, for example, that the size of the access doesn't cause overflow of the provided offset limits. This integer overflow in fs/aio.c in the Linux kernel before 3.4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec.

- Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec.
NOTE: this vulnerability exists because of a CVE-2012-6701 regression.

- A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key.

- A race condition leading to a NULL pointer dereference was found in the Linux kernel's Link Layer Control implementation. A local attacker with access to ping sockets could use this flaw to crash the system.

- It was found that the original fix for CVE-2016-6786 was incomplete. There exist a race between two concurrent sys_perf_event_open() calls when both try and move the same pre-existing software group into a hardware context.

- Incorrect error handling in the set_mempolicy() and mbind() compat syscalls in 'mm/mempolicy.c' in the Linux kernel allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation.

- The mm subsystem in the Linux kernel through 4.10.10 does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c.

- It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in 'block/bio.c' do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and possible system lockup due to out-of-memory condition.

- The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local users leveraging a race condition with
__dm_destroy() during creation and removal of DM devices. Only privileged local users (with CAP_SYS_ADMIN capability) can directly perform the ioctl operations for dm device creation and removal and this would typically be outside the direct control of the unprivileged attacker.

- An error in the '_sctp_make_chunk()' function (net/sctp/sm_make_chunk.c) when handling SCTP, packet length can be exploited by a malicious local user to cause a kernel crash and a DoS.

- Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel allows local users to cause a denial of service (kernel memory exhaustion) via multiple read accesses to files in the /sys/class/sas_phy directory.

Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected parallels-server-bm-release / vzkernel / etc packages.

See Also

https://help.virtuozzo.com/customer/portal/articles/2945474

https://access.redhat.com/errata/RHSA-2018:1854

Plugin Details

Severity: High

ID: 110694

File Name: Virtuozzo_VZA-2018-041.nasl

Version: 1.5

Type: local

Published: 6/26/2018

Updated: 1/4/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 7

Temporal Score: 6.3

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:virtuozzo:virtuozzo:parallels-server-bm-release, p-cpe:/a:virtuozzo:virtuozzo:vzkernel, p-cpe:/a:virtuozzo:virtuozzo:vzkernel-devel, p-cpe:/a:virtuozzo:virtuozzo:vzkernel-firmware, p-cpe:/a:virtuozzo:virtuozzo:vzmodules, p-cpe:/a:virtuozzo:virtuozzo:vzmodules-devel, cpe:/o:virtuozzo:virtuozzo:6

Required KB Items: Host/local_checks_enabled, Host/Virtuozzo/release, Host/Virtuozzo/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/25/2018

Reference Information

CVE: CVE-2012-6701, CVE-2015-8830, CVE-2016-8650, CVE-2017-12190, CVE-2017-18203, CVE-2017-2671, CVE-2017-6001, CVE-2017-7616, CVE-2017-7889, CVE-2018-10675, CVE-2018-5803, CVE-2018-7757