Amazon Linux AMI : kernel (ALAS-2018-944)

high Nessus Plugin ID 106171
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote Amazon Linux AMI host is missing a security update.

Description

Race condition in raw_sendmsg function allows denial-of-service or kernel addresses leak

A flaw was found in the Linux kernel's implementation of raw_sendmsg allowing a local attacker to panic the kernel or possibly leak kernel addresses. A local attacker, with the privilege of creating raw sockets, can abuse a possible race condition when setting the socket option to allow the kernel to automatically create ip header values and thus potentially escalate their privileges. (CVE-2017-17712)

Use-after-free vulnerability in DCCP socket

A use-after-free vulnerability was found in DCCP socket code affecting the Linux kernel since 2.6.16. This vulnerability could allow an attacker to their escalate privileges. (CVE-2017-8824)

Stack-based out-of-bounds read via vmcall instruction

Linux kernel compiled with the KVM virtualization (CONFIG_KVM) support is vulnerable to an out-of-bounds read access issue. It could occur when emulating vmcall instructions invoked by a guest. A guest user/process could use this flaw to disclose kernel memory bytes.
(CVE-2017-17741)

Unchecked capabilities in net/netfilter/xt_osf.c allows for unprivileged modification to systemwide fingerprint list

net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces. (CVE-2017-17450)

Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure

net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations, which allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces. (CVE-2017-17448)

Solution

Run 'yum update kernel' to update your system. You will need to reboot your system in order for the new kernel to be running.

See Also

https://alas.aws.amazon.com/ALAS-2018-944.html

Plugin Details

Severity: High

ID: 106171

File Name: ala_ALAS-2018-944.nasl

Version: 3.4

Type: local

Agent: unix

Published: 1/19/2018

Updated: 4/5/2019

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:o:amazon:linux:*:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:kernel:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:kernel-debuginfo:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:kernel-debuginfo-common-x86_64:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:kernel-devel:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:kernel-headers:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:kernel-tools:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:kernel-tools-debuginfo:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:kernel-tools-devel:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:perf:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:perf-debuginfo:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:kernel-doc:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:kernel-debuginfo-common-i686:*:*:*:*:*:*:*

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/18/2018

Reference Information

CVE: CVE-2017-17448, CVE-2017-17450, CVE-2017-8824, CVE-2017-17712, CVE-2017-17741

ALAS: 2018-944