ESB-2018.0558 - [Ubuntu] kernel: Multiple vulnerabilities 2018-02-26


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0558
                 Linux kernel (Trusty HWE) vulnerabilities
                             26 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Root Compromise        -- Existing Account
                   Access Privileged Data -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5344 CVE-2018-5333 CVE-2017-1000407
                   CVE-2017-18017 CVE-2017-17806 CVE-2017-17450
                   CVE-2017-16525 CVE-2017-15868 CVE-2017-15274
                   CVE-2017-15115 CVE-2017-15102 CVE-2017-14489
                   CVE-2017-14156 CVE-2017-14140 CVE-2017-14051
                   CVE-2017-12192 CVE-2017-12190 CVE-2017-12153
                   CVE-2017-8824 CVE-2017-7889 CVE-2017-7542
                   CVE-2017-5669 CVE-2017-0861 CVE-2017-0750

Reference:         ASB-2017.0127
                   ESB-2017.1808
                   ESB-2017.0614

Original Bulletin: 
   http://www.ubuntu.com/usn/usn-3583-2

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-3583-2: Linux kernel (Trusty HWE) vulnerabilities

Ubuntu Security Notice USN-3583-2

23rd February, 2018

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

    Ubuntu 12.04 LTS


Summary

Several security issues were fixed in the Linux kernel.


Software description

    linux-lts-trusty - Linux hardware enablement kernel from Trusty for Precise
    ESM


Details

USN-3583-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This
update provides the corresponding updates for the Linux Hardware Enablement
(HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM.

It was discovered that an out-of-bounds write vulnerability existed in the
Flash-Friendly File System (f2fs) in the Linux kernel. An attacker could
construct a malicious file system that, when mounted, could cause a denial of
service (system crash) or possibly execute arbitrary code.  (CVE-2017-0750)

It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2017-0861)

It was discovered that the KVM implementation in the Linux kernel allowed
passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use
this to cause a denial of service (system crash) in the host OS.
(CVE-2017-1000407)

Bo Zhang discovered that the netlink wireless configuration interface in the
Linux kernel did not properly validate attributes when handling certain
requests. A local attacker with the CAP_NET_ADMIN privilege could use this to
cause a denial of service (system crash). (CVE-2017-12153)

Vitaly Mayatskikh discovered that the SCSI subsystem in the Linux kernel did not
properly track reference counts when merging buffers. A local attacker could use
this to cause a denial of service (memory exhaustion).  (CVE-2017-12190)

It was discovered that the key management subsystem in the Linux kernel did not
properly restrict key reads on negatively instantiated keys. A local attacker
could use this to cause a denial of service (system crash).  (CVE-2017-12192)

It was discovered that an integer overflow existed in the sysfs interface for
the QLogic 24xx+ series SCSI driver in the Linux kernel. A local privileged
attacker could use this to cause a denial of service (system crash).
(CVE-2017-14051)

Otto Ebeling discovered that the memory manager in the Linux kernel did not
properly check the effective UID in some situations. A local attacker could use
this to expose sensitive information. (CVE-2017-14140)

It was discovered that the ATI Radeon framebuffer driver in the Linux kernel did
not properly initialize a data structure returned to user space.  A local
attacker could use this to expose sensitive information (kernel memory).
(CVE-2017-14156)

ChunYu Wang discovered that the iSCSI transport implementation in the Linux
kernel did not properly validate data structures. A local attacker could use
this to cause a denial of service (system crash). (CVE-2017-14489)

James Patrick-Evans discovered a race condition in the LEGO USB Infrared Tower
driver in the Linux kernel. A physically proximate attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-15102)

ChunYu Wang discovered that a use-after-free vulnerability existed in the SCTP
protocol implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-15115)

It was discovered that the key management subsystem in the Linux kernel did not
properly handle NULL payloads with non-zero length values. A local attacker
could use this to cause a denial of service (system crash).  (CVE-2017-15274)

It was discovered that the Bluetooth Network Encapsulation Protocol (BNEP)
implementation in the Linux kernel did not validate the type of socket passed in
the BNEPCONNADD ioctl(). A local attacker with the CAP_NET_ADMIN privilege could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-15868)

Andrey Konovalov discovered a use-after-free vulnerability in the USB serial
console driver in the Linux kernel. A physically proximate attacker could use
this to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2017-16525)

It was discovered that the netfilter passive OS fingerprinting (xt_osf) module
did not properly perform access control checks. A local attacker could
improperly modify the systemwide OS fingerprint list.  (CVE-2017-17450)

It was discovered that the HMAC implementation did not validate the state of the
underlying cryptographic hash algorithm. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-17806)

Denys Fedoryshchenko discovered a use-after-free vulnerability in the netfilter
xt_TCPMSS filter of the Linux kernel. A remote attacker could use this to cause
a denial of service (system crash). (CVE-2017-18017)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not
properly restrict mapping page zero. A local privileged attacker could use this
to execute arbitrary code. (CVE-2017-5669)

It was discovered that an integer overflow vulnerability existed in the IPv6
implementation in the Linux kernel. A local attacker could use this to cause a
denial of service (infinite loop). (CVE-2017-7542)

Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux
kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A
local attacker with access to /dev/mem could use this to expose sensitive
information or possibly execute arbitrary code.  (CVE-2017-7889)

Mohamed Ghannam discovered a use-after-free vulnerability in the DCCP protocol
implementation in the Linux kernel. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-8824)

Mohamed Ghannam discovered a null pointer dereference in the RDS (Reliable
Datagram Sockets) protocol implementation of the Linux kernel. A local attacker
could use this to cause a denial of service (system crash).  (CVE-2018-5333)

范龙飞 discovered that a race condition existed in the loop block
device implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-5344)


Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
    linux-image-3.13.0-142-generic 3.13.0-142.191~precise1
    linux-image-generic-lpae-lts-trusty 3.13.0.142.133
    linux-image-3.13.0-142-generic-lpae 3.13.0-142.191~precise1
    linux-image-generic-lts-trusty 3.13.0.142.133

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the
necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a
new version number, which requires you to recompile and reinstall all third
party kernel modules you might have installed.  Unless you manually uninstalled
the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE,
linux-virtual, linux-powerpc), a standard system upgrade will automatically
perform this as well.
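
The following check is an added example, not part of the Ubuntu notice or the AusCERT bulletin: it compares a host's installed packages against the fixed versions listed above using dpkg's version ordering (where `~precise1` sorts before the bare revision) and flags a host that has been updated but not yet rebooted. The sample listing, the 141-series versions and the `FIXED_ABI` constant are assumptions constructed for illustration.

```python
import re

# Fixed package versions copied from the "Update instructions" list above.
IMAGE, META = "3.13.0-142.191~precise1", "3.13.0.142.133"
FIXED = {"linux-image-3.13.0-142-generic": IMAGE, "linux-image-3.13.0-142-generic-lpae": IMAGE,
         "linux-image-generic-lts-trusty": META, "linux-image-generic-lpae-lts-trusty": META}
FIXED_ABI = 142  # assumption: ABI number read off the fixed image package names

def _order(c):
    # dpkg character weights: '~' < end of string < letters < other characters
    if c in ("~", ""):
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, as dpkg does.
    while a or b:
        ma, mb = re.match(r"(\D*)(\d*)", a), re.match(r"(\D*)(\d*)", b)
        a, b = a[ma.end():], b[mb.end():]
        n = max(len(ma[1]), len(mb[1]))
        ka = [_order(ma[1][i:i + 1]) for i in range(n)] + [int(ma[2] or 0)]
        kb = [_order(mb[1][i:i + 1]) for i in range(n)] + [int(mb[2] or 0)]
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def deb_cmp(v1, v2):
    # Returns -1, 0 or 1: epoch first, then upstream version, then revision.
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), up, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def audit(dpkg_listing, running_release):
    # dpkg_listing: text from dpkg-query -W -f='${Package} ${Version}\n'
    installed = dict(l.split() for l in dpkg_listing.strip().splitlines())
    findings = [f"{p} {installed[p]} is older than {v}" for p, v in FIXED.items()
                if p in installed and deb_cmp(installed[p], v) < 0]
    m = re.match(r"3\.13\.0-(\d+)-", running_release)  # value of uname -r
    if m and int(m.group(1)) < FIXED_ABI:
        findings.append(f"running {running_release}: reboot into ABI {FIXED_ABI}")
    return findings

# Constructed sample: package listing and uname -r from an unpatched host.
SAMPLE = "linux-image-generic-lts-trusty 3.13.0.141.132\n"
if __name__ == "__main__":
    print(audit(SAMPLE, "3.13.0-141-generic"))
```

On a real host, `dpkg --compare-versions` applies the same ordering; the second finding covers the case where the packages are current but the old kernel is still running.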


References

CVE-2017-0750, CVE-2017-0861, CVE-2017-1000407, CVE-2017-12153, CVE-2017-12190,
CVE-2017-12192, CVE-2017-14051, CVE-2017-14140, CVE-2017-14156, CVE-2017-14489,
CVE-2017-15102, CVE-2017-15115, CVE-2017-15274, CVE-2017-15868, CVE-2017-16525,
CVE-2017-17450, CVE-2017-17806, CVE-2017-18017, CVE-2017-5669, CVE-2017-7542,
CVE-2017-7889, CVE-2017-8824, CVE-2018-5333, CVE-2018-5344

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
