Debian DSA-4279-1 : linux - security update (Foreshadow)

medium Nessus Plugin ID 111988
New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.

VPR Score: 5.2

Synopsis

The remote Debian host is missing a security-related update.

Description

Multiple researchers have discovered a vulnerability in the way the Intel processor designs have implemented speculative execution of instructions in combination with handling of page-faults. This flaw could allow an attacker controlling an unprivileged process to read memory from arbitrary (non-user controlled) addresses, including from the kernel and all other processes running on the system or cross guest/host boundaries to read host memory.

To fully resolve these vulnerabilities it is also necessary to install updated CPU microcode (only available in Debian non-free). Common server class CPUs are covered in the update released as DSA 4273-1.

Solution

Upgrade the linux packages.

For the stable distribution (stretch), these problems have been fixed in version 4.9.110-3+deb9u3.

See Also

https://security-tracker.debian.org/tracker/source-package/linux

https://packages.debian.org/source/stretch/linux

https://www.debian.org/security/2018/dsa-4279

Plugin Details

Severity: Medium

ID: 111988

File Name: debian_DSA-4279.nasl

Version: 1.5

Type: local

Agent: unix

Published: 8/20/2018

Updated: 7/15/2019

Dependencies: ssh_get_info.nasl

Risk Information

Risk Factor: Medium

VPR Score: 5.2

CVSS v2.0

Base Score: 4.7

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N

CVSS v3.0

Base Score: 5.6

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Vulnerability Information

CPE: cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:linux:*:*:*:*:*:*:*

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 8/20/2018

Vulnerability Publication Date: 8/14/2018

Reference Information

CVE: CVE-2018-3620, CVE-2018-3646

DSA: 4279