ESB-2018.3020 - [Debian] linux kernel: Multiple vulnerabilities 2018-10-05


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3020
                           linux security update
                              5 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           linux kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Root Compromise        -- Existing Account      
                   Access Privileged Data -- Existing Account      
                   Denial of Service      -- Remote/Unauthenticated
                   Unauthorised Access    -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-17182 CVE-2018-16658 CVE-2018-16276
                   CVE-2018-15594 CVE-2018-15572 CVE-2018-14734
                   CVE-2018-14678 CVE-2018-14634 CVE-2018-14633
                   CVE-2018-14617 CVE-2018-14609 CVE-2018-13406
                   CVE-2018-13405 CVE-2018-13094 CVE-2018-13093
                   CVE-2018-10902 CVE-2018-10883 CVE-2018-10882
                   CVE-2018-10881 CVE-2018-10880 CVE-2018-10879
                   CVE-2018-10878 CVE-2018-10877 CVE-2018-10876
                   CVE-2018-10323 CVE-2018-10021 CVE-2018-9516
                   CVE-2018-9363 CVE-2018-7755 CVE-2018-6555
                   CVE-2018-6554 CVE-2018-5391 CVE-2018-3646
                   CVE-2018-3639 CVE-2018-3620 CVE-2018-1627
                   CVE-2018-1467 CVE-2018-1460 CVE-2018-1309
                   CVE-2018-1088 CVE-2018-1087 

Reference:         ASB-2018.0204
                   ESB-2018.2981
                   ESB-2018.2974
                   ESB-2018.2887

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/10/msg00005.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : linux
Version        : 3.16.59-1
CVE ID         : CVE-2018-3620 CVE-2018-3639 CVE-2018-5391 CVE-2018-6554
                 CVE-2018-6555 CVE-2018-7755 CVE-2018-9363 CVE-2018-9516
                 CVE-2018-10021 CVE-2018-10323 CVE-2018-10876 CVE-2018-10877
                 CVE-2018-10878 CVE-2018-10879 CVE-2018-10880 CVE-2018-10881
                 CVE-2018-10882 CVE-2018-10883 CVE-2018-10902 CVE-2018-13093
                 CVE-2018-13094 CVE-2018-13405 CVE-2018-13406 CVE-2018-14609
                 CVE-2018-14617 CVE-2018-14633 CVE-2018-14634 CVE-2018-14678
                 CVE-2018-14734 CVE-2018-15572 CVE-2018-15594 CVE-2018-16276
                 CVE-2018-16658 CVE-2018-17182
Debian Bug     : 898137

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2018-3620

    Multiple researchers have discovered a vulnerability in the way
    the Intel processor designs have implemented speculative execution
    of instructions in combination with handling of page-faults. This
    flaw could allow an attacker controlling an unprivileged process
    to read memory from arbitrary (non-user controlled) addresses,
    including from the kernel and all other processes running on the
    system or cross guest/host boundaries to read host memory.

    This issue covers only attackers running normal processes. A
    related issue (CVE-2018-3646) exists with KVM guests, and is not
    yet fixed.

CVE-2018-3639

    Multiple researchers have discovered that Speculative Store Bypass
    (SSB), a feature implemented in many processors, could be used to
    read sensitive information from another context.  In particular,
    code in a software sandbox may be able to read sensitive
    information from outside the sandbox.  This issue is also known as
    Spectre variant 4.

    This update allows the issue to be mitigated on some x86
    processors by disabling SSB.  This requires an update to the
    processor's microcode, which is non-free.  DLA 1446-1 and DLA
    1506-1 provided this for some Intel processors.  For other
    processors, it may be included in an update to the system BIOS or
    UEFI firmware, or in a future update to the intel-microcode or
    amd64-microcode packages.

    Disabling SSB can reduce performance significantly, so by default
    it is only done in tasks that use the seccomp feature.
    Applications that require this mitigation should request it
    explicitly through the prctl() system call.  Users can control
    where the mitigation is enabled with the spec_store_bypass_disable
    kernel parameter.
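    As an added illustration of the per-task request the advisory refers to
    (this is example code written for this bulletin, not part of the Debian
    advisory or the kernel), the program below queries the calling task's
    Speculative Store Bypass state with prctl(PR_GET_SPECULATION_CTRL,
    PR_SPEC_STORE_BYPASS) and then asks the kernel to disable SSB for the
    task with PR_SET_SPECULATION_CTRL.  The constant values and status bits
    are those of linux/prctl.h; they are re-defined under #ifndef only so
    the example builds on hosts whose headers predate them.  The label
    strings and the function names ssb_status_label, ssb_query and
    ssb_request_mitigation are this example's own choices.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Values from linux/prctl.h; guarded in case the build host's headers
 * predate the speculation-control interface. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS 0
#endif
#ifndef PR_SPEC_PRCTL
#define PR_SPEC_PRCTL         (1UL << 0) /* state can be changed per task */
#define PR_SPEC_ENABLE        (1UL << 1) /* SSB enabled: mitigation OFF   */
#define PR_SPEC_DISABLE       (1UL << 2) /* SSB disabled: mitigation ON   */
#define PR_SPEC_FORCE_DISABLE (1UL << 3) /* as DISABLE, cannot be undone  */
#endif

/* Decode the bit mask returned by PR_GET_SPECULATION_CTRL into a label
 * (labels are this example's own). A mask of 0 means the kernel reports
 * the CPU as not affected; a negative value is a -errno from ssb_query(). */
const char *ssb_status_label(long status)
{
    if (status < 0)
        return "error";
    if (status == 0)
        return "not-affected";
    if (status & PR_SPEC_FORCE_DISABLE)
        return "mitigated-forced";
    if (status & PR_SPEC_DISABLE)
        return "mitigated";
    if (status & PR_SPEC_ENABLE)
        return (status & PR_SPEC_PRCTL) ? "unmitigated-controllable"
                                        : "unmitigated-fixed";
    return "unknown";
}

/* Current SSB state of the calling task: the status mask, or -errno.
 * EINVAL here means the running kernel has no PR_GET_SPECULATION_CTRL. */
long ssb_query(void)
{
    long r = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* Request the SSB mitigation for this task, as an application that
 * handles secrets would. Returns 0 on success, or -errno: EINVAL (no such
 * prctl), ENODEV (feature not supported) or EPERM (not controllable per
 * task, e.g. spec_store_bypass_disable=on or =off was given at boot). */
int ssb_request_mitigation(void)
{
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS,
              PR_SPEC_DISABLE, 0, 0) == 0)
        return 0;
    return -errno;
}

int main(void)
{
    long before = ssb_query();
    printf("before: %s (%ld)\n", ssb_status_label(before), before);

    int rc = ssb_request_mitigation();
    if (rc != 0)
        printf("request failed: %s\n", strerror(-rc));

    long after = ssb_query();
    printf("after:  %s (%ld)\n", ssb_status_label(after), after);
    return 0;
}
```

    On a kernel with this update and the required microcode, a task that
    starts as "unmitigated-controllable" (PR_SPEC_PRCTL | PR_SPEC_ENABLE)
    should report "mitigated" after the request; on a kernel without the
    interface the query fails with EINVAL and the program says so rather
    than silently assuming protection.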

CVE-2018-5391 (FragmentSmack)

    Juha-Matti Tilli discovered a flaw in the way the Linux kernel
    handled reassembly of fragmented IPv4 and IPv6 packets. A remote
    attacker can take advantage of this flaw to trigger time and
    calculation expensive fragment reassembly algorithms by sending
    specially crafted packets, leading to remote denial of service.

    This is mitigated by reducing the default limits on memory usage
    for incomplete fragmented packets. The same mitigation can be
    achieved without the need to reboot, by setting the sysctls:

    net.ipv4.ipfrag_low_thresh = 196608
    net.ipv6.ip6frag_low_thresh = 196608
    net.ipv4.ipfrag_high_thresh = 262144
    net.ipv6.ip6frag_high_thresh = 262144

    The default values may still be increased by local configuration
    if necessary.

CVE-2018-6554

    A memory leak in the irda_bind function in the irda subsystem was
    discovered. A local user can take advantage of this flaw to cause a
    denial of service (memory consumption).

CVE-2018-6555

    A flaw was discovered in the irda_setsockopt function in the irda
    subsystem, allowing a local user to cause a denial of service
    (use-after-free and system crash).

CVE-2018-7755

    Brian Belleville discovered a flaw in the fd_locked_ioctl function
    in the floppy driver in the Linux kernel. The floppy driver copies a
    kernel pointer to user memory in response to the FDGETPRM ioctl. A
    local user with access to a floppy drive device can take advantage
    of this flaw to discover the location of kernel code and data.

CVE-2018-9363

    It was discovered that the Bluetooth HIDP implementation did not
    correctly check the length of received report messages. A paired
    HIDP device could use this to cause a buffer overflow, leading to
    denial of service (memory corruption or crash) or potentially
    remote code execution.

CVE-2018-9516

    It was discovered that the HID events interface in debugfs did not
    correctly limit the length of copies to user buffers.  A local
    user with access to these files could use this to cause a
    denial of service (memory corruption or crash) or possibly for
    privilege escalation.  However, by default debugfs is only
    accessible by the root user.

CVE-2018-10021

    A physically present attacker who unplugs a SAS cable can cause a
    denial of service (memory leak and WARN).

CVE-2018-10323, CVE-2018-13093, CVE-2018-13094

    Wen Xu from SSLab at Gatech reported several NULL pointer
    dereference flaws that may be triggered when mounting and
    operating a crafted XFS volume.  An attacker able to mount
    arbitrary XFS volumes could use this to cause a denial of service
    (crash).

CVE-2018-10876, CVE-2018-10877, CVE-2018-10878, CVE-2018-10879,
CVE-2018-10880, CVE-2018-10881, CVE-2018-10882, CVE-2018-10883

    Wen Xu from SSLab at Gatech reported that crafted ext4 volumes
    could trigger a crash or memory corruption.  An attacker able to
    mount arbitrary ext4 volumes could use this for denial of service
    or possibly for privilege escalation.

CVE-2018-10902

    It was discovered that the rawmidi kernel driver does not protect
    against concurrent access, which leads to a double-realloc (double
    free) flaw. A local attacker can take advantage of this issue for
    privilege escalation.

CVE-2018-13405

    Jann Horn discovered that the inode_init_owner function in
    fs/inode.c in the Linux kernel allows local users to create files
    with an unintended group ownership allowing attackers to escalate
    privileges by making a plain file executable and SGID.

CVE-2018-13406

    Dr Silvio Cesare of InfoSect reported a potential integer overflow
    in the uvesafb driver.  A local user with permission to access
    such a device might be able to use this for denial of service or
    privilege escalation.

CVE-2018-14609

    Wen Xu from SSLab at Gatech reported a potential null pointer
    dereference in the F2FS implementation. An attacker able to mount
    arbitrary F2FS volumes could use this to cause a denial of service
    (crash).

CVE-2018-14617

    Wen Xu from SSLab at Gatech reported a potential null pointer
    dereference in the HFS+ implementation. An attacker able to mount
    arbitrary HFS+ volumes could use this to cause a denial of service
    (crash).

CVE-2018-14633

    Vincent Pelletier discovered a stack-based buffer overflow flaw in
    the chap_server_compute_md5() function in the iSCSI target code. An
    unauthenticated remote attacker can take advantage of this flaw to
    cause a denial of service or possibly to gain unauthorised access
    to data exported by an iSCSI target.

CVE-2018-14634

    Qualys reported an integer overflow in the initialisation of the
    stack for ELF executables, which can cause the stack to overlap
    the argument or environment strings. A local user may use this to
    defeat environment variable filtering in setuid programs, leading
    to privilege escalation.

CVE-2018-14678

    M. Vefa Bicakci and Andy Lutomirski discovered a flaw in the
    kernel exit code used on amd64 systems running as Xen PV guests.
    A local user could use this to cause a denial of service (crash).

CVE-2018-14734

    A use-after-free bug was discovered in the InfiniBand
    communication manager. A local user could use this to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.

CVE-2018-15572

    Esmaiel Mohammadian Koruyeh, Khaled Khasawneh, Chengyu Song, and
    Nael Abu-Ghazaleh, from University of California, Riverside,
    reported a variant of Spectre variant 2, dubbed SpectreRSB. A
    local user may be able to use this to read sensitive information
    from processes owned by other users.

CVE-2018-15594

    Nadav Amit reported that some indirect function calls used in
    paravirtualised guests were vulnerable to Spectre variant 2.  A
    local user may be able to use this to read sensitive information
    from the kernel.

CVE-2018-16276

    Jann Horn discovered that the yurex driver did not correctly limit
    the length of copies to user buffers.  A local user with access to
    a yurex device node could use this to cause a denial of service
    (memory corruption or crash) or possibly for privilege escalation.

CVE-2018-16658

    It was discovered that the cdrom driver does not correctly
    validate the parameter to the CDROM_DRIVE_STATUS ioctl.  A user
    with access to a cdrom device could use this to read sensitive
    information from the kernel or to cause a denial of service
    (crash).

CVE-2018-17182

    Jann Horn discovered that the vmacache_flush_all function mishandles
    sequence number overflows. A local user can take advantage of this
    flaw to trigger a use-after-free, causing a denial of service
    (crash or memory corruption) or privilege escalation.

For Debian 8 "Jessie", these problems have been fixed in version
3.16.59-1.  This version also includes a fix for bug #898137 and
several other fixes included in upstream stable updates.

We recommend that you upgrade your linux packages.  Since the kernel
ABI and binary package names have changed, you will need to use an
upgrade command that installs new dependencies, such as "apt upgrade"
or "apt-get upgrade --with-new-pkgs".

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Ben Hutchings - Debian developer, member of kernel, installer and LTS teams

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
