Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2018-029)

High Nessus Plugin ID 109801

Synopsis

The remote Virtuozzo host is missing multiple security updates.

Description

According to the versions of the parallels-server-bm-release /
vzkernel / etc packages installed, the Virtuozzo installation on the
remote host is affected by the following vulnerabilities :

- An industry-wide issue was found in the way many modern
microprocessor designs have implemented speculative
execution of instructions (a commonly used performance
optimization). There are three primary variants of the
issue which differ in the way the speculative execution
can be exploited. Variant CVE-2017-5754 relies on the
fact that, on impacted microprocessors, during
speculative execution of instructions that cause permission faults,
exception generation triggered by a faulting access is
suppressed until the retirement of the whole
instruction block. In combination with the fact that
memory accesses may populate the cache even when the
block is being dropped and never committed (executed),
an unprivileged local attacker could use this flaw to
read privileged (kernel space) memory by conducting
targeted cache side-channel attacks. NOTE: This update
fixes the 32-bit compatibility layer on x86-64
processors, i.e. when 32-bit containers are executed on
64-bit processors.

- A bug in the 32-bit compatibility layer of the ioctl
handling code of the v4l2 video driver in the Linux
kernel has been found. A memory protection mechanism
ensuring that user-provided buffers always point to
userspace memory was disabled, allowing the destination
address to be in kernel space. This flaw could be
exploited by an attacker to overwrite kernel memory
from an unprivileged userspace process, leading to
privilege escalation.

- The KEYS subsystem in the Linux kernel omitted an
access-control check when writing a key to the current
task's default keyring, allowing a local user to bypass
security checks to the keyring. This compromises the
validity of the keyring for those who rely on it.

- A flaw was found in the processing of incoming L2CAP
Bluetooth commands. Uninitialized stack variables can
be sent to an attacker, leaking data in the kernel address
space.

- The Linux kernel before version 4.16-rc7 is vulnerable to a
null pointer dereference in the dccp_write_xmit() function
in net/dccp/output.c that allows a local user to
cause a denial of service by making a number of certain
crafted system calls.

- A flaw was found in the way the Linux kernel handled
exceptions delivered after a stack switch operation via
Mov SS or Pop SS instructions. During the stack switch
operation, the processor did not deliver interrupts and
exceptions; rather, they are delivered once the first
instruction after the stack switch is executed. An
unprivileged system user could use this flaw to crash
the system kernel, resulting in a denial of service.

- net/netfilter/xt_osf.c in the Linux kernel through
4.14.4 does not require the CAP_NET_ADMIN capability
for add_callback and remove_callback operations. This
allows local users to bypass intended access
restrictions because the xt_osf_fingers data structure
is shared across all network namespaces.

- The futex_requeue function in kernel/futex.c in the
Linux kernel, before 4.14.15, might allow attackers to
cause a denial of service (integer overflow) or
possibly have unspecified other impacts by triggering a
negative wake or requeue value.

Note that Tenable Network Security has extracted the preceding
description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.

Solution

Update the affected parallels-server-bm-release / vzkernel / etc packages.

See Also

https://help.virtuozzo.com/customer/portal/articles/2939247

https://access.redhat.com/errata/RHSA-2018:1319

Plugin Details

Severity: High

ID: 109801

File Name: Virtuozzo_VZA-2018-029.nasl

Version: 1.12

Type: local

Published: 2018/05/15

Modified: 2019/01/14

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSS v3.0

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:virtuozzo:virtuozzo:parallels-server-bm-release, p-cpe:/a:virtuozzo:virtuozzo:vzkernel, p-cpe:/a:virtuozzo:virtuozzo:vzkernel-devel, p-cpe:/a:virtuozzo:virtuozzo:vzkernel-firmware, p-cpe:/a:virtuozzo:virtuozzo:vzmodules, p-cpe:/a:virtuozzo:virtuozzo:vzmodules-devel, cpe:/o:virtuozzo:virtuozzo:6

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2018/05/14

Exploitable With

Metasploit (Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability)

Reference Information

CVE: CVE-2017-1000410, CVE-2017-13166, CVE-2017-17450, CVE-2017-17807, CVE-2017-5754, CVE-2018-1130, CVE-2018-5754, CVE-2018-6927, CVE-2018-8897

IAVA: 2018-A-0019