ESB-2017.2401 - [Debian] kernel: Multiple vulnerabilities 2017-09-21

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2401
                    Debian Security Advisory DSA-3981-1
                             21 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
Impact/Access:     Root Compromise        -- Remote/Unauthenticated
                   Access Privileged Data -- Existing Account      
                   Denial of Service      -- Remote/Unauthenticated
                   Reduced Security       -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1000380 CVE-2017-1000371 CVE-2017-1000370
                   CVE-2017-1000252 CVE-2017-1000251 CVE-2017-1000112
                   CVE-2017-1000111 CVE-2017-14497 CVE-2017-14489
                   CVE-2017-14340 CVE-2017-14156 CVE-2017-14140
                   CVE-2017-14106 CVE-2017-12154 CVE-2017-12153
                   CVE-2017-12146 CVE-2017-12134 CVE-2017-11600
                   CVE-2017-10661 CVE-2017-7558 CVE-2017-7518

Reference:         ESB-2017.2298
                   ESB-2017.0038
                   ASB-2017.0141

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3981

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3981-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 20, 2017                    https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2017-7518 CVE-2017-7558 CVE-2017-10661 CVE-2017-11600
                 CVE-2017-12134 CVE-2017-12146 CVE-2017-12153 CVE-2017-12154
                 CVE-2017-14106 CVE-2017-14140 CVE-2017-14156 CVE-2017-14340
                 CVE-2017-14489 CVE-2017-14497 CVE-2017-1000111 CVE-2017-1000112
                 CVE-2017-1000251 CVE-2017-1000252 CVE-2017-1000370 CVE-2017-1000371
                 CVE-2017-1000380
Debian Bug     : 866511 875881

Several vulnerabilities have been discovered in the Linux kernel that
may lead to privilege escalation, denial of service or information
leaks.

CVE-2017-7518

    Andy Lutomirski discovered that KVM is prone to an incorrect debug
    exception (#DB) error occurring while emulating a syscall
    instruction. A process inside a guest can take advantage of this
    flaw for privilege escalation inside a guest.

CVE-2017-7558 (stretch only)

    Stefano Brivio of Red Hat discovered that the SCTP subsystem is
    prone to a data leak vulnerability due to an out-of-bounds read
    flaw, which allows up to 100 uninitialized bytes to leak to userspace.

CVE-2017-10661 (jessie only)

    Dmitry Vyukov of Google reported that the timerfd facility does
    not properly handle certain concurrent operations on a single file
    descriptor.  This allows a local attacker to cause a denial of
    service or potentially execute arbitrary code.

CVE-2017-11600

    Bo Zhang reported that the xfrm subsystem does not properly
    validate one of the parameters to a netlink message. Local users
    with the CAP_NET_ADMIN capability can use this to cause a denial
    of service or potentially to execute arbitrary code.

CVE-2017-12134 / #866511 / XSA-229

    Jan H. Schoenherr of Amazon discovered that when Linux is running
    in a Xen PV domain on an x86 system, it may incorrectly merge
    block I/O requests.  A buggy or malicious guest may trigger this
    bug in dom0 or a PV driver domain, causing a denial of service or
    potentially execution of arbitrary code.

    This issue can be mitigated by disabling merges on the underlying
    back-end block devices, e.g.:
        echo 2 > /sys/block/nvme0n1/queue/nomerges

CVE-2017-12146 (stretch only)

    Adrian Salido of Google reported a race condition in access to the
    "driver_override" attribute for platform devices in sysfs. If
    unprivileged users are permitted to access this attribute, this
    might allow them to gain privileges.

CVE-2017-12153

    Bo Zhang reported that the cfg80211 (wifi) subsystem does not
    properly validate the parameters to a netlink message. Local users
    with the CAP_NET_ADMIN capability (in any user namespace with a
    wifi device) can use this to cause a denial of service.

CVE-2017-12154

    Jim Mattson of Google reported that the KVM implementation for
    Intel x86 processors did not correctly handle certain nested
    hypervisor configurations. A malicious guest (or nested guest in a
    suitable L1 hypervisor) could use this for denial of service.

CVE-2017-14106

    Andrey Konovalov discovered that a user-triggerable division by
    zero in the tcp_disconnect() function could result in local denial
    of service.

CVE-2017-14140

    Otto Ebeling reported that the move_pages() system call performed
    insufficient validation of the UIDs of the calling and target
    processes, resulting in a partial ASLR bypass. This made it easier
    for local users to exploit vulnerabilities in programs installed
    with the set-UID permission bit set.

CVE-2017-14156

    "sohu0106" reported an information leak in the atyfb video driver.
    A local user with access to a framebuffer device handled by this
    driver could use this to obtain sensitive information.

CVE-2017-14340

    Richard Wareing discovered that the XFS implementation allows the
    creation of files with the "realtime" flag on a filesystem with no
    realtime device, which can result in a crash (oops). A local user
    with access to an XFS filesystem that does not have a realtime
    device can use this for denial of service.

CVE-2017-14489

    ChunYu Wang of Red Hat discovered that the iSCSI subsystem does not
    properly validate the length of a netlink message, leading to
    memory corruption. A local user with permission to manage iSCSI
    devices can use this for denial of service or possibly to execute
    arbitrary code.

CVE-2017-14497 (stretch only)

    Benjamin Poirier of SUSE reported that vnet headers are not
    properly handled within the tpacket_rcv() function in the raw
    packet (af_packet) feature. A local user with the CAP_NET_RAW
    capability can take advantage of this flaw to cause a denial of
    service (buffer overflow, and disk and memory corruption) or have
    other impact.

CVE-2017-1000111

    Andrey Konovalov of Google reported a race condition in the raw
    packet (af_packet) feature. Local users with the CAP_NET_RAW
    capability can use this for denial of service or possibly to
    execute arbitrary code.

CVE-2017-1000112

    Andrey Konovalov of Google reported a race condition flaw in the
    UDP Fragmentation Offload (UFO) code. A local user can use this
    flaw for denial of service or possibly to execute arbitrary code.

CVE-2017-1000251 / #875881

    Armis Labs discovered that the Bluetooth subsystem does not
    properly validate L2CAP configuration responses, leading to a
    stack buffer overflow. This is one of several vulnerabilities
    dubbed "Blueborne". A nearby attacker can use this to cause a
    denial of service or possibly to execute arbitrary code on a
    system with Bluetooth enabled.

CVE-2017-1000252 (stretch only)

    Jan H. Schoenherr of Amazon reported that the KVM implementation
    for Intel x86 processors did not correctly validate interrupt
    injection requests. A local user with permission to use KVM could
    use this for denial of service.

CVE-2017-1000370

    The Qualys Research Labs reported that a large argument or
    environment list can result in ASLR bypass for 32-bit PIE binaries.

CVE-2017-1000371

    The Qualys Research Labs reported that a large argument
    or environment list can result in a stack/heap clash for 32-bit
    PIE binaries.

CVE-2017-1000380

    Alexander Potapenko of Google reported a race condition in the ALSA
    (sound) timer driver, leading to an information leak. A local user
    with permission to access sound devices could use this to obtain
    sensitive information.

Debian disables unprivileged user namespaces by default, but if they
are enabled (via the kernel.unprivileged_userns_clone sysctl) then
CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited
by any local user.

For the oldstable distribution (jessie), these problems have been fixed
in version 3.16.43-2+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.30-2+deb9u5.

We recommend that you upgrade your linux packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------
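
Added example, not part of the Debian advisory or the AusCERT bulletin: a shell
script covering the two operational points the advisory makes, the nomerges
mitigation for CVE-2017-12134 and the kernel.unprivileged_userns_clone exposure
note. The function names and the overridable sysfs/sysctl paths are assumptions
made for this example.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from the advisory.

# Report who can reach CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111,
# based on the kernel.unprivileged_userns_clone sysctl named in the advisory.
# $1: sysctl file (overridable so the check can be run against a copy).
userns_exposure() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    if [ ! -r "$f" ]; then
        echo "unknown"                  # sysctl not readable on this kernel
        return 2
    fi
    if [ "$(cat "$f")" = "1" ]; then
        echo "any-local-user"           # unprivileged user namespaces enabled
        return 1
    fi
    echo "capability-holders-only"      # CAP_NET_ADMIN / CAP_NET_RAW still needed
}

# Apply the CVE-2017-12134 mitigation: write 2 to queue/nomerges for each
# named back-end block device, then read the value back to confirm it.
# $1: sysfs root (normally /sys); remaining arguments: device names.
disable_merges() {
    root=$1; shift
    rc=0
    for dev in "$@"; do
        knob="$root/block/$dev/queue/nomerges"
        if [ ! -w "$knob" ]; then
            echo "$dev: no writable nomerges attribute" >&2
            rc=1
            continue
        fi
        echo 2 > "$knob"
        if [ "$(cat "$knob")" = "2" ]; then
            echo "$dev: merges disabled"
        else
            echo "$dev: value did not change" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (as root in dom0 or the driver domain): sh script.sh nvme0n1 [more...]
if [ "$#" -gt 0 ]; then
    userns_exposure || true
    disable_merges /sys "$@"
fi
```

Values written under /sys do not survive a reboot, so the mitigation has to be
reapplied at boot until the fixed kernel version is running.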

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
