ESB-2018.1575 - [Ubuntu] linux kernel: Multiple vulnerabilities 2018-05-23

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1575
                    Linux kernel (HWE) vulnerabilities
                                23 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           linux-hwe
                   linux-azure
                   linux-gcp
                   linux-oem
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8822 CVE-2018-3639 CVE-2017-18208
                   CVE-2017-18203 CVE-2017-17975 CVE-2017-17449

Reference:         ASB-2018.0121
                   ESB-2018.1573
                   ESB-2018.1571
                   ESB-2018.1570

Original Bulletin: 
   http://www.ubuntu.com/usn/usn-3653-2

--------------------------BEGIN INCLUDED TEXT--------------------

USN-3653-2: Linux kernel (HWE) vulnerabilities

22 May 2018

linux-hwe, linux-azure, linux-gcp, linux-oem vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  o Ubuntu 16.04 LTS

Summary

Several security issues were addressed in the Linux kernel.

Software Description

  o linux-azure - Linux kernel for Microsoft Azure Cloud systems
  o linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  o linux-hwe - Linux hardware enablement (HWE) kernel
  o linux-oem - Linux kernel for OEM processors

Details

USN-3653-1 fixed vulnerabilities and added mitigations in the Linux kernel for
Ubuntu 17.10. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS.

Jann Horn and Ken Johnson discovered that microprocessors utilizing speculative
execution of a memory read may allow unauthorized memory reads via a
sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker
could use this to expose sensitive information, including kernel memory.
(CVE-2018-3639)

It was discovered that the netlink subsystem in the Linux kernel did not
properly restrict observations of netlink messages to the appropriate net
namespace. A local attacker could use this to expose sensitive information
(kernel netlink traffic). (CVE-2017-17449)

Tuba Yavuz discovered that a double-free error existed in the USBTV007 driver
of the Linux kernel. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2017-17975)

It was discovered that a race condition existed in the Device Mapper component
of the Linux kernel. A local attacker could use this to cause a denial of
service (system crash). (CVE-2017-18203)

It was discovered that an infinite loop could occur in the madvise(2)
implementation in the Linux kernel in certain circumstances. A local attacker
could use this to cause a denial of service (system hang). (CVE-2017-18208)

Silvio Cesare discovered a buffer overwrite existed in the NCPFS implementation
in the Linux kernel. A remote attacker controlling a malicious NCPFS server
could use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2018-8822)

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 16.04 LTS
    linux-image-4.13.0-1017-gcp - 4.13.0-1017.21
    linux-image-4.13.0-1018-azure - 4.13.0-1018.21
    linux-image-4.13.0-1028-oem - 4.13.0-1028.31
    linux-image-4.13.0-43-generic - 4.13.0-43.48~16.04.1
    linux-image-4.13.0-43-generic-lpae - 4.13.0-43.48~16.04.1
    linux-image-4.13.0-43-lowlatency - 4.13.0-43.48~16.04.1
    linux-image-azure - 4.13.0.1018.19
    linux-image-gcp - 4.13.0.1017.19
    linux-image-generic-hwe-16.04 - 4.13.0.43.62
    linux-image-generic-lpae-hwe-16.04 - 4.13.0.43.62
    linux-image-gke - 4.13.0.1017.19
    linux-image-lowlatency-hwe-16.04 - 4.13.0.43.62
    linux-image-oem - 4.13.0.1028.33

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

Please note that fully mitigating CVE-2018-3639 (Spectre Variant 4) may require
corresponding processor microcode/firmware updates or, in virtual environments,
hypervisor updates. On i386 and amd64 architectures, the SSBD feature is
required to enable the kernel mitigations. BIOS vendors will be making updates
available for Intel processors that implement SSBD and Ubuntu is working with
Intel to provide future microcode updates. Ubuntu users with a processor from a
different vendor should contact the vendor to identify necessary firmware
updates. Ubuntu provided corresponding QEMU updates for users of self-hosted
virtual environments in USN 3651-1. Ubuntu users in cloud environments should
contact the cloud provider to confirm that the hypervisor has been updated to
expose the new CPU features to virtual machines.
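
A check for the CVE-2018-3639 state described above, as an added example that is not part of the Ubuntu or AusCERT text. It assumes the mainline kernel's sysfs file /sys/devices/system/cpu/vulnerabilities/spec_store_bypass and the "ssbd" and "hypervisor" flag names in /proc/cpuinfo; the output keywords and the sample flag lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a host's CVE-2018-3639 state
# and name which of the updates mentioned in the advisory is still missing.
# Assumption: sysfs path and cpuinfo flag names as used by mainline x86 kernels.

SSB_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

# classify_ssb STATUS FLAGS
#   STATUS: contents of $SSB_SYSFS, or "" when the file does not exist
#   FLAGS:  the "flags" line of /proc/cpuinfo
# Prints one keyword (names chosen for this example).
classify_ssb() {
    case "$1" in
        "")              echo "kernel-update-needed"; return 0 ;;  # kernel predates the fix
        "Not affected"*) echo "not-affected"; return 0 ;;
        Mitigation*)     echo "mitigated"; return 0 ;;
    esac
    # Kernel is updated but reports "Vulnerable": look at what the CPU exposes.
    case " $2 " in
        *" ssbd "*)       echo "ssbd-present-mitigation-disabled" ;;  # review boot parameters
        *" hypervisor "*) echo "hypervisor-update-needed" ;;          # guest: SSBD not exposed
        *)                echo "microcode-update-needed" ;;           # bare metal: firmware lacks SSBD
    esac
}

# Constructed sample flag lines (not captured from a real host).
SAMPLE_FLAGS_BARE="fpu vme sse2 ibrs ibpb stibp"
SAMPLE_FLAGS_GUEST="fpu vme sse2 hypervisor ibrs ibpb"
SAMPLE_FLAGS_SSBD="fpu vme sse2 ibrs ibpb stibp ssbd"

# Live check: read the running system when the files are available.
ssb_live() {
    status="" flags=""
    if [ -r "$SSB_SYSFS" ]; then status=$(cat "$SSB_SYSFS"); fi
    if [ -r /proc/cpuinfo ]; then
        flags=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2) || flags=""
    fi
    classify_ssb "$status" "$flags"
}

echo "spec_store_bypass: $(ssb_live)"
```

A result of kernel-update-needed means the running kernel has no spec_store_bypass entry at all, so the package versions listed above are not yet booted.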

References

  o USN-3653-1
  o CVE-2017-17449
  o CVE-2017-17975
  o CVE-2017-18203
  o CVE-2017-18208
  o CVE-2018-3639
  o CVE-2018-8822
  o https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Variant4

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================