ESB-2018.1359 - [Debian] kernel: Multiple vulnerabilities 2018-05-03

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1359
                           linux security update
                                3 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account      
                   Access Privileged Data          -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000199 CVE-2018-1000004 CVE-2018-8822
                   CVE-2018-8781 CVE-2018-7995 CVE-2018-7757
                   CVE-2018-7740 CVE-2018-7566 CVE-2018-7492
                   CVE-2018-6927 CVE-2018-5803 CVE-2018-5750
                   CVE-2018-5333 CVE-2018-5332 CVE-2018-1092
                   CVE-2018-1068 CVE-2017-18216 CVE-2017-18203
                   CVE-2017-18017 CVE-2017-16914 CVE-2017-16913
                   CVE-2017-16912 CVE-2017-16911 CVE-2017-16526
                   CVE-2017-13166 CVE-2017-5753 CVE-2017-5715
                   CVE-2017-1691 CVE-2017-0861 

Reference:         ESB-2018.1335
                   ESB-2018.1336
                   ESB-2017.2855

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/05/msg00000.html

- --------------------------BEGIN INCLUDED TEXT--------------------

[SECURITY] [DLA 1369-1] linux security update

Package        : linux
Version        : 3.2.101-1
CVE ID         : CVE-2017-0861 CVE-2017-5715 CVE-2017-13166 CVE-2017-16526
                 CVE-2017-16911 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914
                 CVE-2017-18017 CVE-2017-18203 CVE-2017-18216 CVE-2018-1068
                 CVE-2018-1092 CVE-2018-5332 CVE-2018-5333 CVE-2018-5750
                 CVE-2018-5803 CVE-2018-6927 CVE-2018-7492 CVE-2018-7566
                 CVE-2018-7740 CVE-2018-7757 CVE-2018-7995 CVE-2018-8781
                 CVE-2018-8822 CVE-2018-1000004 CVE-2018-1000199
Debian Bug     : 887106

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2017-0861

    Robb Glasser reported a potential use-after-free in the ALSA (sound)
    PCM core.  We believe this was not possible in practice.

CVE-2017-5715

    Multiple researchers have discovered a vulnerability in various
    processors supporting speculative execution, enabling an attacker
    controlling an unprivileged process to read memory from arbitrary
    addresses, including from the kernel and all other processes
    running on the system.

    This specific attack has been named Spectre variant 2 (branch
    target injection) and is mitigated for the x86 architecture (amd64
    and i386) by using the "retpoline" compiler feature which allows
    indirect branches to be isolated from speculative execution.

CVE-2017-13166

    A bug in the 32-bit compatibility layer of the v4l2 ioctl handling
    code has been found.  Memory protections ensuring user-provided
    buffers always point to userland memory were disabled, allowing
    destination addresses to be in kernel space.  On a 64-bit kernel
    (amd64 flavour) a local user with access to a suitable video
    device can exploit this to overwrite kernel memory, leading to
    privilege escalation.

CVE-2017-16526

    Andrey Konovalov reported that the UWB subsystem may dereference
    an invalid pointer in an error case.  A local user might be able
    to use this for denial of service.

CVE-2017-16911

    Secunia Research reported that the USB/IP vhci_hcd driver exposed
    kernel heap addresses to local users.  This information could aid the
    exploitation of other vulnerabilities.

CVE-2017-16912

    Secunia Research reported that the USB/IP stub driver failed to
    perform a range check on a received packet header field, leading
    to an out-of-bounds read.  A remote user able to connect to the
    USB/IP server could use this for denial of service.

CVE-2017-16913

    Secunia Research reported that the USB/IP stub driver failed to
    perform a range check on a received packet header field, leading
    to excessive memory allocation.  A remote user able to connect to
    the USB/IP server could use this for denial of service.

CVE-2017-16914

    Secunia Research reported that the USB/IP stub driver failed to
    check for an invalid combination of fields in a recieved packet,
    leading to a null pointer dereference.  A remote user able to
    connect to the USB/IP server could use this for denial of service.

CVE-2017-18017

    Denys Fedoryshchenko reported that the netfilter xt_TCPMSS module
    failed to validate TCP header lengths, potentially leading to a
    use-after-free.  If this module is loaded, it could be used by a
    remote attacker for denial of service or possibly for code
    execution.

CVE-2017-18203

    Hou Tao reported that there was a race condition in creation and
    deletion of device-mapper (DM) devices.  A local user could
    potentially use this for denial of service.

CVE-2017-18216

    Alex Chen reported that the OCFS2 filesystem failed to hold a
    necessary lock during nodemanager sysfs file operations,
    potentially leading to a null pointer dereference.  A local user
    could use this for denial of service.

CVE-2018-1068

    The syzkaller tool found that the 32-bit compatibility layer of
    ebtables did not sufficiently validate offset values.  On a 64-bit
    kernel (amd64 flavour), a local user with the CAP_NET_ADMIN
    capability could use this to overwrite kernel memory, possibly
    leading to privilege escalation.

CVE-2018-1092

    Wen Xu reported that a crafted ext4 filesystem image would
    trigger a null dereference when mounted.  A local user able
    to mount arbitrary filesystems could use this for denial of
    service.

CVE-2018-5332

    Mohamed Ghannam reported that the RDS protocol did not
    sufficiently validate RDMA requests, leading to an out-of-bounds
    write.  A local attacker on a system with the rds module loaded
    could use this for denial of service or possibly for privilege
    escalation.

CVE-2018-5333

    Mohamed Ghannam reported that the RDS protocol did not properly
    handle an error case, leading to a null pointer dereference.  A
    local attacker on a system with the rds module loaded could
    possibly use this for denial of service.

CVE-2018-5750

    Wang Qize reported that the ACPI sbshc driver logged a kernel heap
    address.  This information could aid the exploitation of other
    vulnerabilities.

CVE-2018-5803

    Alexey Kodanev reported that the SCTP protocol did not range-check
    the length of chunks to be created.  A local or remote user could
    use this to cause a denial of service.

CVE-2018-6927

    Li Jinyue reported that the FUTEX_REQUEUE operation on futexes did
    not check for negative parameter values, which might lead to a
    denial of service or other security impact.

CVE-2018-7492

    The syzkaller tool found that the RDS protocol was lacking a null
    pointer check.  A local attacker on a system with the rds module
    loaded could use this for denial of service.

CVE-2018-7566

    Fan LongFei reported a race condition in the ALSA (sound)
    sequencer core, between write and ioctl operations.  This could
    lead to an out-of-bounds access or use-after-free.  A local user
    with access to a sequencer device could use this for denial of
    service or possibly for privilege escalation.

CVE-2018-7740

    Nic Losby reported that the hugetlbfs filesystem's mmap operation
    did not properly range-check the file offset.  A local user with
    access to files on a hugetlbfs filesystem could use this to cause
    a denial of service.

CVE-2018-7757

    Jason Yan reported a memory leak in the SAS (Serial-Attached
    SCSI) subsystem.  A local user on a system with SAS devices
    could use this to cause a denial of service.

CVE-2018-7995

    Seunghun Han reported a race condition in the x86 MCE
    (Machine Check Exception) driver.  This is unlikely to have
    any security impact.

CVE-2018-8781

    Eyal Itkin reported that the udl (DisplayLink) driver's mmap
    operation did not properly range-check the file offset.  A local
    user with access to a udl framebuffer device could exploit this to
    overwrite kernel memory, leading to privilege escalation.

CVE-2018-8822

    Dr Silvio Cesare of InfoSect reported that the ncpfs client
    implementation did not validate reply lengths from the server.  An
    ncpfs server could use this to cause a denial of service or
    remote code execution in the client.

CVE-2018-1000004

    Luo Quan reported a race condition in the ALSA (sound) sequencer
    core, between multiple ioctl operations.  This could lead to a
    deadlock or use-after-free.  A local user with access to a
    sequencer device could use this for denial of service or possibly
    for privilege escalation.

CVE-2018-1000199

    Andy Lutomirski discovered that the ptrace subsystem did not
    sufficiently validate hardware breakpoint settings.  Local users
    can use this to cause a denial of service, or possibly for
    privilege escalation, on x86 (amd64 and i386) and possibly other
    architectures.

Additionally, some mitigations for CVE-2017-5753 are included in this
release:

CVE-2017-5753

    Multiple researchers have discovered a vulnerability in various
    processors supporting speculative execution, enabling an attacker
    controlling an unprivileged process to read memory from arbitrary
    addresses, including from the kernel and all other processes
    running on the system.

    This specific attack has been named Spectre variant 1
    (bounds-check bypass) and is mitigated by identifying vulnerable
    code sections (array bounds checking followed by array access) and
    replacing the array access with the speculation-safe
    array_index_nospec() function.

    More use sites will be added over time.

For Debian 7 "Wheezy", these problems have been fixed in version
3.2.101-1.  This version also includes bug fixes from upstream versions
up to and including 3.2.101.  It also fixes a regression in the
procfs hidepid option in the previous version (Debian bug #887106).

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWuubaIx+lLeg9Ub1AQgWlRAAjsZnTu32nkBMYOvbGYq3kXRcwX2tB3HF
MbUQoQ+LAuo+UEilpFsgJflpl8bOk4fu6JwvFPEF9nFsOYrxRUzdW49Cr7qRNwJF
YXO86z0UxMQQn4PaPbDnUl0QawA4yhj1TdfpphvGhN8c6Z05Ngq0oO/TUf4rcmnq
YAkmLJP33E3c0KwtmmOOem5jaPI7yF/HfL+3UTf5GsdCIJFMaH6kI1+h4//4qnKh
ZFqWrbgj4CblrVFKKoxN9jqiCAzr8U8co+KTFJzYs3VZlWq4i10T01QEfgSSFksZ
zA88gTH1qaR8oSb8TOYqis5rth48MV7jpsDy/KIEY4ctWBO+YpEXW1KCXPeY7t16
athWFLxNnHA0eMcBreesS3kBL5W6IFx2G909NlbH4fr3MUW9XWKTBeuRz13N4zG1
Qywt490lLsqYt3sHfVz9skQbBCai1/neM+Y8EBdOqbchJdqKOzKxL8jQr7MXmKVa
9O+7anXvxIz+VLUb9Vae9KeuJX6m7PhGOB6Y8+nOHWDCowkXuZJQFCCSUJWka//T
usVF1XD4IwnVnURpVLuQYOs/t1fANjUkTKYM+flcup1Q2aoxLipLArH8MXzdCN6G
sKI4B5zn5tsI6p1fr7sywCEib4OmySxxlrrN4BZeipGSMdhMGov41ROxo3I7+Fxh
mvygZf5X+VI=
=Qo5B
-----END PGP SIGNATURE-----

« Back to bulletins