ESB-2019.0594 - [Win][Linux] IBM System x iDataplex Solution: Multiple vulnerabilities 2019-02-27

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0594
   IBM Security Bulletin: Multiple vulnerabilities affect Intel Manycore
        Platform Software Stack (Intel MPSS) for Linux and Windows
                             27 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM System x iDataplex Solution
Publisher:         IBM
Operating System:  Windows
                   Linux variants
Impact/Access:     Root Compromise          -- Existing Account      
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-18521 CVE-2018-18520 CVE-2018-18310
                   CVE-2018-16403 CVE-2018-16402 CVE-2018-16062
                   CVE-2018-7995 CVE-2018-6927 CVE-2018-5344
                   CVE-2018-5333 CVE-2018-5332 CVE-2018-1066
                   CVE-2017-18216 CVE-2017-18208 CVE-2017-18203
                   CVE-2017-18075 CVE-2017-16994 CVE-2017-15116
                   CVE-2017-14140 CVE-2017-8779 CVE-2015-9261

Reference:         ESB-2019.0324
                   ESB-2018.3904
                   ESB-2018.3373
                   ESB-2018.1923

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10872832

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities affect Intel Manycore Platform Software Stack (Intel
MPSS) for Linux and Windows

Product:             System x iDataplex Solution

Reference #:         0872832

Security Bulletin

Summary

Intel Manycore Platform Software Stack (Intel MPSS) for Linux and Windows has
addressed the following vulnerabilities.

Vulnerability Details

CVEID: CVE-2015-9261
DESCRIPTION: BusyBox is vulnerable to a denial of service, caused by a flaw in
the huft_build in archival/libarchive/decompress_gunzip.c. By persuading a
victim to open a specially-crafted ZIP file, a remote attacker could exploit
this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/147643
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-18208
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a
flaw in the madvise_willneed function in mm/madvise.c. By triggering use of
MADVISE_WILLNEED for a DAX mapping, a local attacker could exploit this
vulnerability to cause a denial of service.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139764
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-18075
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a
mishandling of freeing instances by crypto/pcrypt.c. By executing a
specially-crafted sequence of system calls, a local authenticated attacker
could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/138237
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-18216
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a
NULL pointer dereference flaw in fs/ocfs2/cluster/nodemanager.c. By sending a
specially-crafted request, a local attacker could exploit this vulnerability to
cause a denial of service condition.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139923
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-18203
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a
flaw in the dm_get_from_kobject function in drivers/md/dm.c. By leveraging a
race condition with __dm_destroy during creation and removal of DM devices, a
local attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139759
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-15116
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by NULL
pointer dereference in the rngapi_reset function in crypto/rng.c. By sending a
specially-crafted packet, a remote attacker could exploit this vulnerability to
cause a denial of service condition.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/135735
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-16994
DESCRIPTION: Linux Kernel could allow a local attacker to obtain sensitive
information, caused by a flaw in the walk_hugetlb_range function in
mm/pagewalk.c. By using a specially-crafted system call, an attacker could exploit
this vulnerability to obtain sensitive information.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/135497
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-8779
DESCRIPTION: rpcbind, LIBTIRPC, and NTIRPC are vulnerable to a denial of
service, caused by improper validation of XDR strings in memory allocation. By
sending a specially-crafted UDP packet, a remote attacker could exploit this
vulnerability to cause memory consumption.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125753
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-14140
DESCRIPTION: Linux Kernel could allow a local authenticated attacker to obtain
sensitive information, caused by improper validation of effective uid of the
target process in the move_pages system call in mm/migrate.c. By sending a
specially-crafted request, a local attacker could exploit this vulnerability to
learn the memory layout of a setuid executable despite ASLR.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131413
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-18310
DESCRIPTION: elfutils is vulnerable to a denial of service, caused by an
invalid memory address dereference in dwfl_segment_report_module.c in libdwfl.
By persuading a victim to open a specially-crafted file, a remote attacker
could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151273
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-18521
DESCRIPTION: elfutils is vulnerable to a denial of service, caused by a
divide-by-zero flaw in the function arlib_add_symbols() in arlib.c. By
persuading a victim to open a specially-crafted file, a remote attacker could
exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151750
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-18520
DESCRIPTION: elfutils is vulnerable to a denial of service, caused by an
invalid memory address dereference in the function elf_end in libelf. By
persuading a victim to open a specially-crafted file, a remote attacker could
exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151751
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-16402
DESCRIPTION: elfutils is vulnerable to a denial of service, caused by a double
free in the libelf/elf_end.c. By persuading a victim to open a
specially-crafted file, a remote attacker could exploit this vulnerability to
cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149340
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-16403
DESCRIPTION: elfutils is vulnerable to a denial of service, caused by a
heap-based buffer overflow in the dwarf_getabbrev in dwarf_getabbrev.c and
dwarf_hasattr in dwarf_hasattr.c. By persuading a victim to open a
specially-crafted file, a remote attacker could exploit this vulnerability to
cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149339
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-16062
DESCRIPTION: Elfutils is vulnerable to a denial of service, caused by a
heap-based buffer over-read in /elfutils/libdw/dwarf_getaranges.c. By
persuading a victim to open a specially crafted file, a remote attacker could
exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149133
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7995
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a
race condition in the store_int_with_restart function in
arch/x86/kernel/cpu/mcheck/mce.c. By leveraging root access to write to the check_interval file, a
local attacker could exploit this vulnerability to cause the system to panic.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140100
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-6927
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an
integer overflow in the futex_requeue function in kernel/futex.c. By triggering
a negative wake or requeue value, a remote attacker could exploit this
vulnerability to cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139067
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1066
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a
NULL pointer dereference in the fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp()
function. An attacker controlling a CIFS server could exploit this
vulnerability to cause a kernel panic.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139836
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-5333
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an
rds_atomic_free_op NULL pointer dereference in the rds_cmsg_atomic function in
net/rds/rdma.c. A local attacker could exploit this vulnerability to cause the
system to crash.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137567
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-5332
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a
heap-based out-of-bounds write in the rds_rdma_extra_size function in
net/rds/rdma.c. A local attacker could exploit this vulnerability to cause the system
to crash.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137569
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-5344
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a
use-after-free in the drivers/block/loop.c. A local attacker could exploit this
vulnerability to cause the system to crash.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137649
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

The following products used with Intel Xeon Phi PCI-Express cards (Intel Xeon
Phi 3120A, Intel Xeon Phi 5110P, Intel Xeon Phi 7120A, and Intel Xeon Phi
7210P) on the System x systems:

  o iDataPlex dx360 M4
  o NeXtScale nx360 M4
  o PureFlex x220 M4 / x240 M4 / x240 M5
  o x3850 X6 / x3950 X6

Product                                                             Affected Version

Intel Manycore Platform Software Stack (MPSS) for Linux & Windows   3.8



Remediation/Fixes

IBM recommends that you update the affected versions of Intel MPSS that are
used with Intel Xeon Phi cards supported in IBM System x Servers to MPSS
version 3.8.5 or later.

Instructions on how to download and apply the update are available at:
https://software.intel.com/en-us/articles/intel-manycore-platform-software-stack-mpss


Product                                                             Fixed Version

Intel Manycore Platform Software Stack (MPSS) for Linux & Windows   3.8.5

Workarounds and Mitigations

None

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Lenovo Product Security Advisories

Change History

25 February 2019: Initial version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
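
Added example (not part of the IBM or AusCERT text): a Python check that
recomputes the CVSS v3.0 base score from a vector using the FIRST base-metric
formula, compares it with the published score, and flags entries whose
description wording and Attack Vector metric disagree so they can be reviewed
during triage. The four entries are copied from this bulletin; the function
names and the "wording" field are assumptions of this example.

```python
import math

# CVSS v3.0 metric weights (FIRST specification, base metrics only).
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
    "I": {"H": 0.56, "L": 0.22, "N": 0.0},
    "A": {"H": 0.56, "L": 0.22, "N": 0.0},
}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
      "C": {"N": 0.85, "L": 0.68, "H": 0.50}}   # scope changed

def parse_vector(vector):
    """Split 'CVSS:3.0/AV:L/...' into a metric dict; reject other versions."""
    head, *parts = vector.strip("()").split("/")
    if head != "CVSS:3.0":
        raise ValueError("unsupported vector: " + vector)
    return dict(p.split(":") for p in parts)

def base_score(vector):
    """Base score from the impact and exploitability sub-scores."""
    m = parse_vector(vector)
    iss = 1 - (1 - W["C"][m["C"]]) * (1 - W["I"][m["I"]]) * (1 - W["A"][m["A"]])
    expl = (8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]]
            * PR[m["S"]][m["PR"]] * W["UI"][m["UI"]])
    if m["S"] == "U":
        impact, factor = 6.42 * iss, 1.0
    else:
        impact, factor = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15, 1.08
    if impact <= 0:
        return 0.0
    raw = min(factor * (impact + expl), 10)
    return math.ceil(round(raw * 10, 5)) / 10   # round up to one decimal

# (CVE, attacker wording in the description, published score, vector),
# copied from four entries of the bulletin above.
ENTRIES = [
    ("CVE-2017-18075", "local", 7.5, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
    ("CVE-2017-8779", "remote", 7.5, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
    ("CVE-2017-14140", "local", 5.5, "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"),
    ("CVE-2018-5344", "local", 4.0, "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"),
]

def triage(entries):
    """Return (score mismatches, entries whose wording and AV metric disagree)."""
    bad_score, bad_av = [], []
    for cve, wording, published, vector in entries:
        if base_score(vector) != published:
            bad_score.append(cve)
        if (wording == "local") != (parse_vector(vector)["AV"] == "L"):
            bad_av.append(cve)
    return bad_score, bad_av

if __name__ == "__main__":
    print(triage(ENTRIES))
```

All four published scores match their vectors; CVE-2017-18075 is flagged
because its description says "local authenticated attacker" while its vector
carries AV:N/PR:N.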

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Applicable countries and regions

  o Worldwide

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----