Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2017-8824     Mohamed Ghannam discovered that the DCCP implementation     did not correctly manage resources when a socket is     disconnected and reconnected, potentially leading to a     use-after-free. A local user could use this for denial     of service (crash or data corruption) or possibly for     privilege escalation. On systems that do not already     have the dccp module loaded, this can be mitigated by     disabling it:echo >> /etc/modprobe.d/disable-dccp.conf     install dccp false

  - CVE-2017-16538     Andrey Konovalov reported that the dvb-usb-lmedm04 media     driver did not correctly handle some error conditions     during initialisation. A physically present user with a     specially designed USB device can use this to cause a     denial of service (crash).

  - CVE-2017-16644     Andrey Konovalov reported that the hdpvr media driver     did not correctly handle some error conditions during     initialisation. A physically present user with a     specially designed USB device can use this to cause a     denial of service (crash).

  - CVE-2017-16995     Jann Horn discovered that the Extended BPF verifier did     not correctly model the behaviour of 32-bit load     instructions. A local user can use this for privilege     escalation.

  - CVE-2017-17448     Kevin Cernekee discovered that the netfilter subsystem     allowed users with the CAP_NET_ADMIN capability in any     user namespace, not just the root namespace, to enable     and disable connection tracking helpers. This could lead     to denial of service, violation of network security     policy, or have other impact.

  - CVE-2017-17449     Kevin Cernekee discovered that the netlink subsystem     allowed users with the CAP_NET_ADMIN capability in any     user namespace to monitor netlink traffic in all net     namespaces, not just those owned by that user namespace.
    This could lead to exposure of sensitive information.

  - CVE-2017-17450     Kevin Cernekee discovered that the xt_osf module allowed     users with the CAP_NET_ADMIN capability in any user     namespace to modify the global OS fingerprint list.

  - CVE-2017-17558     Andrey Konovalov reported that that USB core did not     correctly handle some error conditions during     initialisation. A physically present user with a     specially designed USB device can use this to cause a     denial of service (crash or memory corruption), or     possibly for privilege escalation.

  - CVE-2017-17712     Mohamed Ghannam discovered a race condition in the IPv4     raw socket implementation. A local user could use this     to obtain sensitive information from the kernel.

  - CVE-2017-17741     Dmitry Vyukov reported that the KVM implementation for     x86 would over-read data from memory when emulating an     MMIO write if the kvm_mmio tracepoint was enabled. A     guest virtual machine might be able to use this to cause     a denial of service (crash).

  - CVE-2017-17805     It was discovered that some implementations of the     Salsa20 block cipher did not correctly handle     zero-length input. A local user could use this to cause     a denial of service (crash) or possibly have other     security impact.

  - CVE-2017-17806     It was discovered that the HMAC implementation could be     used with an underlying hash algorithm that requires a     key, which was not intended. A local user could use this     to cause a denial of service (crash or memory     corruption), or possibly for privilege escalation.

  - CVE-2017-17807     Eric Biggers discovered that the KEYS subsystem lacked a     check for write permission when adding keys to a     process's default keyring. A local user could use this     to cause a denial of service or to obtain sensitive     information.

  - CVE-2017-17862     Alexei Starovoitov discovered that the Extended BPF     verifier ignored unreachable code, even though it would     still be processed by JIT compilers. This could possibly     be used by local users for denial of service. It also     increases the severity of bugs in determining     unreachable code.

  - CVE-2017-17863     Jann Horn discovered that the Extended BPF verifier did     not correctly model pointer arithmetic on the stack     frame pointer. A local user can use this for privilege     escalation.

  - CVE-2017-17864     Jann Horn discovered that the Extended BPF verifier     could fail to detect pointer leaks from conditional     code. A local user could use this to obtain sensitive     information in order to exploit other vulnerabilities.

  - CVE-2017-1000407     Andrew Honig reported that the KVM implementation for     Intel processors allowed direct access to host I/O port     0x80, which is not generally safe. On some systems this     allows a guest VM to cause a denial of service (crash)     of the host.

  - CVE-2017-1000410     Ben Seri reported that the Bluetooth subsystem did not     correctly handle short EFS information elements in L2CAP     messages. An attacker able to communicate over Bluetooth     could use this to obtain sensitive information from the     kernel.

The various problems in the Extended BPF verifier can be mitigated by disabling use of Extended BPF by unprivileged users:sysctl kernel.unprivileged_bpf_disabled=1

Debian disables unprivileged user namespaces by default, but if they are enabled (via the kernel.unprivileged_userns_clone sysctl) then CVE-2017-17448 can be exploited by any local user.

Detections

Analytics

Debian DSA-4073-1 : linux - security update

high Nessus Plugin ID 105433

Version 3.17