Virtuozzo 7 : readykernel-patch (VZA-2017-032)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote Virtuozzo host is missing a security update.

Description :

According to the version of the vzkernel package and the
readykernel-patch installed, the Virtuozzo installation on the remote
host is affected by the following vulnerabilities :

- A vulnerability was found in the Linux kernel where
having malicious IP options present would cause the
ipv4_pktinfo_prepare() function to drop/free the dst.
This could result in a system crash or possible
privilege escalation.

- A vulnerability was found in the implementation of SCTP
protocol in the Linux kernel. If the sctp module was
loaded on the host, a privileged user inside a
container could cause a kernel crash by triggering
use-after-free in the __sctp_connect() function with a
specially crafted sequence of system calls.

Note that Tenable Network Security has extracted the preceding
description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.

See also :

https://help.virtuozzo.com/customer/portal/articles/2796925
http://www.nessus.org/u?f67e555b
http://www.nessus.org/u?e35a0d51
http://www.nessus.org/u?e718308f

Solution :

Update the readykernel patch.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 3.7
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Virtuozzo Local Security Checks

Nessus Plugin ID: 99732 ()

Bugtraq ID:

CVE ID: CVE-2017-5970

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now