ESB-2018.2056 - [Debian] Linux kernel: Multiple vulnerabilities 2018-07-16

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2056
                           linux security update
                               16 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Linux kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Privileged Data          -- Existing Account
                   Denial of Service               -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000204 CVE-2018-12233 CVE-2018-11506
                   CVE-2018-10940 CVE-2018-10853 CVE-2018-9422
                   CVE-2018-5814 CVE-2018-3665 CVE-2018-1223
                   CVE-2018-1130 CVE-2018-1093 CVE-2018-1066
                   CVE-2017-5753 CVE-2017-5715

Reference:         ASB-2018.0145
                   ASB-2018.0116
                   ESB-2018.0044
                   ESB-2018.0042.2

Original Bulletin:
   https://security-tracker.debian.org/tracker/DLA-1422-1
   https://security-tracker.debian.org/tracker/DLA-1422-2

Comment: This bulletin contains two (2) Debian security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : linux
Version        : 3.16.57-1
CVE ID         : CVE-2017-5715 CVE-2017-5753 CVE-2018-1066 CVE-2018-1093
                 CVE-2018-1130 CVE-2018-3665 CVE-2018-5814 CVE-2018-9422
                 CVE-2018-10853 CVE-2018-10940 CVE-2018-11506 CVE-2018-12233
                 CVE-2018-1000204
Debian Bug     : 898165

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

This update is not yet available for the armhf (ARM EABI hard-float)
architecture.

CVE-2017-5715

    Multiple researchers have discovered a vulnerability in various
    processors supporting speculative execution, enabling an attacker
    controlling an unprivileged process to read memory from arbitrary
    addresses, including from the kernel and all other processes
    running on the system.

    This specific attack has been named Spectre variant 2 (branch
    target injection) and is mitigated for the x86 architecture (amd64
    and i386) by using new microcoded features.

    This mitigation requires an update to the processor's microcode,
    which is non-free.  For recent Intel processors, this is included
    in the intel-microcode package from version 3.20180425.1~deb8u1.
    For other processors, it may be included in an update to the
    system BIOS or UEFI firmware, or in a later update to the
    amd64-microcode package.

    This vulnerability was already mitigated for the x86 architecture
    by the "retpoline" feature.

CVE-2017-5753

    Further instances of code that was vulnerable to Spectre variant 1
    (bounds-check bypass) have been mitigated.

CVE-2018-1066

    Dan Aloni reported to Red Hat that the CIFS client implementation
    would dereference a null pointer if the server sent an invalid
    response during NTLMSSP setup negotiation. This could be used by a
    malicious server for denial of service.

    The previously applied mitigation for this issue was not
    appropriate for Linux 3.16 and has been replaced by an alternate
    fix.

CVE-2018-1093

    Wen Xu reported that a crafted ext4 filesystem image could trigger
    an out-of-bounds read in the ext4_valid_block_bitmap() function. A
    local user able to mount arbitrary filesystems could use this for
    denial of service.

CVE-2018-1130

    The syzbot software found that the DCCP implementation of
    sendmsg() does not check the socket state, potentially leading
    to a null pointer dereference.  A local user could use this to
    cause a denial of service (crash).

CVE-2018-3665

    Multiple researchers have discovered that some Intel x86
    processors can speculatively read floating-point and vector
    registers even when access to those registers is disabled.  The
    Linux kernel's "lazy FPU" feature relies on that access control to
    avoid saving and restoring those registers for tasks that do not
    use them, and was enabled by default on x86 processors that do
    not support the XSAVEOPT instruction.

    If "lazy FPU" is enabled on one of the affected processors, an
    attacker controlling an unprivileged process may be able to read
    sensitive information from other users' processes or the kernel.
    This specifically affects processors based on the "Nehalem" and
    "Westmere" core designs.

    This issue has been mitigated by disabling "lazy FPU" by default
    on all x86 processors that support the FXSAVE and FXRSTOR
    instructions, which includes all processors known to be affected
    and most processors that perform speculative execution.  It can
    also be mitigated by adding the kernel parameter: eagerfpu=on

CVE-2018-5814

    Jakub Jirasek reported race conditions in the USB/IP host driver.
    A malicious client could use this to cause a denial of service
    (crash or memory corruption), and possibly to execute code, on a
    USB/IP server.

CVE-2018-9422

    It was reported that the futex() system call could be used by an
    unprivileged user for privilege escalation.

CVE-2018-10853

    Andy Lutomirski and Mika Penttilä reported that KVM for x86
    processors did not perform a necessary privilege check when
    emulating certain instructions.  This could be used by an
    unprivileged user in a guest VM to escalate their privileges
    within the guest.

CVE-2018-10940

    Dan Carpenter reported that the optical disc driver (cdrom) does
    not correctly validate the parameter to the CDROM_MEDIA_CHANGED
    ioctl.  A user with access to a cdrom device could use this to
    cause a denial of service (crash).

CVE-2018-11506

    Piotr Gabriel Kosinski and Daniel Shapira reported that the
    SCSI optical disc driver (sr) did not allocate a sufficiently
    large buffer for sense data.  A user with access to a SCSI
    optical disc device that can produce more than 64 bytes of
    sense data could use this to cause a denial of service (crash
    or memory corruption), and possibly for privilege escalation.

CVE-2018-12233

    Shankara Pailoor reported that a crafted JFS filesystem image
    could trigger a denial of service (memory corruption).  This
    could possibly also be used for privilege escalation.

CVE-2018-1000204

    The syzbot software found that the SCSI generic driver (sg) would
    in some circumstances allow reading data from uninitialised
    buffers, which could include sensitive information from the kernel
    or other tasks.  However, only privileged users with the
    CAP_SYS_ADMIN or CAP_SYS_RAWIO capability were allowed to do this,
    so this has little or no security impact.

For Debian 8 "Jessie", these problems have been fixed in version
3.16.57-1.  This update additionally fixes Debian bug #898165, and
includes many more bug fixes from stable update 3.16.57.

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-------------------------------------------------------------------------------

Subject:	[SECURITY] [DLA 1422-2] linux security update
From:	Ben Hutchings <benh@debian.org>
Reply-To:	debian-lts@lists.debian.org
Date:	Sun, 15 Jul 2018 04:01:36 +0100
To:	debian-lts-announce@lists.debian.org
Package        : linux
Version        : 3.16.57-2
CVE ID         : CVE-2017-5715 CVE-2017-5753 CVE-2018-1066 CVE-2018-1093
                 CVE-2018-1130 CVE-2018-3665 CVE-2018-5814 CVE-2018-9422
                 CVE-2018-10853 CVE-2018-10940 CVE-2018-11506 CVE-2018-12233
                 CVE-2018-1000204
Debian Bug     : 898165

The previous update to linux failed to build for the armhf (ARM EABI
hard-float) architecture.  This update corrects that.  For all other
architectures, there is no need to upgrade or reboot again.  For
reference, the relevant part of the original advisory text follows.

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2017-5715

    Multiple researchers have discovered a vulnerability in various
    processors supporting speculative execution, enabling an attacker
    controlling an unprivileged process to read memory from arbitrary
    addresses, including from the kernel and all other processes
    running on the system.

    This specific attack has been named Spectre variant 2 (branch
    target injection) and is mitigated for the x86 architecture (amd64
    and i386) by using new microcoded features.

    This mitigation requires an update to the processor's microcode,
    which is non-free.  For recent Intel processors, this is included
    in the intel-microcode package from version 3.20180425.1~deb8u1.
    For other processors, it may be included in an update to the
    system BIOS or UEFI firmware, or in a later update to the
    amd64-microcode package.

    This vulnerability was already mitigated for the x86 architecture
    by the "retpoline" feature.

CVE-2017-5753

    Further instances of code that was vulnerable to Spectre variant 1
    (bounds-check bypass) have been mitigated.

CVE-2018-1066

    Dan Aloni reported to Red Hat that the CIFS client implementation
    would dereference a null pointer if the server sent an invalid
    response during NTLMSSP setup negotiation. This could be used by a
    malicious server for denial of service.

    The previously applied mitigation for this issue was not
    appropriate for Linux 3.16 and has been replaced by an alternate
    fix.

CVE-2018-1093

    Wen Xu reported that a crafted ext4 filesystem image could trigger
    an out-of-bounds read in the ext4_valid_block_bitmap() function. A
    local user able to mount arbitrary filesystems could use this for
    denial of service.

CVE-2018-1130

    The syzbot software found that the DCCP implementation of
    sendmsg() does not check the socket state, potentially leading
    to a null pointer dereference.  A local user could use this to
    cause a denial of service (crash).

CVE-2018-3665

    Multiple researchers have discovered that some Intel x86
    processors can speculatively read floating-point and vector
    registers even when access to those registers is disabled.  The
    Linux kernel's "lazy FPU" feature relies on that access control to
    avoid saving and restoring those registers for tasks that do not
    use them, and was enabled by default on x86 processors that do
    not support the XSAVEOPT instruction.

    If "lazy FPU" is enabled on one of the affected processors, an
    attacker controlling an unprivileged process may be able to read
    sensitive information from other users' processes or the kernel.
    This specifically affects processors based on the "Nehalem" and
    "Westmere" core designs.

    This issue has been mitigated by disabling "lazy FPU" by default
    on all x86 processors that support the FXSAVE and FXRSTOR
    instructions, which includes all processors known to be affected
    and most processors that perform speculative execution.  It can
    also be mitigated by adding the kernel parameter: eagerfpu=on

CVE-2018-5814

    Jakub Jirasek reported race conditions in the USB/IP host driver.
    A malicious client could use this to cause a denial of service
    (crash or memory corruption), and possibly to execute code, on a
    USB/IP server.

CVE-2018-9422

    It was reported that the futex() system call could be used by an
    unprivileged user for privilege escalation.

CVE-2018-10853

    Andy Lutomirski and Mika Penttilä reported that KVM for x86
    processors did not perform a necessary privilege check when
    emulating certain instructions.  This could be used by an
    unprivileged user in a guest VM to escalate their privileges
    within the guest.

CVE-2018-10940

    Dan Carpenter reported that the optical disc driver (cdrom) does
    not correctly validate the parameter to the CDROM_MEDIA_CHANGED
    ioctl.  A user with access to a cdrom device could use this to
    cause a denial of service (crash).

CVE-2018-11506

    Piotr Gabriel Kosinski and Daniel Shapira reported that the
    SCSI optical disc driver (sr) did not allocate a sufficiently
    large buffer for sense data.  A user with access to a SCSI
    optical disc device that can produce more than 64 bytes of
    sense data could use this to cause a denial of service (crash
    or memory corruption), and possibly for privilege escalation.

CVE-2018-12233

    Shankara Pailoor reported that a crafted JFS filesystem image
    could trigger a denial of service (memory corruption).  This
    could possibly also be used for privilege escalation.

CVE-2018-1000204

    The syzbot software found that the SCSI generic driver (sg) would
    in some circumstances allow reading data from uninitialised
    buffers, which could include sensitive information from the kernel
    or other tasks.  However, only privileged users with the
    CAP_SYS_ADMIN or CAP_SYS_RAWIO capability were allowed to do this,
    so this has little or no security impact.

For Debian 8 "Jessie", these problems have been fixed in version
3.16.57-1.  This update additionally fixes Debian bug #898165, and
includes many more bug fixes from stable update 3.16.57.

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================