SB2017091519 - SUSE Linux update for Linux Kernel Live Patch 26 for SLE 12
Published: September 15, 2017
Security Bulletin ID
SB2017091519
Severity
Medium
Patch available
YES
Number of vulnerabilities
3
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Privilege escalation (CVE-ID: CVE-2017-1000112)
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to race condition in the UDP Fragmentation Offload (UFO) code. A local attacker can send specially crafted UFO packets, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
2) Denial of service (CVE-ID: CVE-2017-7645)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists due to a flaw in the NFSv2/NFSv3 server in the nfsd subsystem. A remote attacker can use a long RPC reply related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. and cause the system to crash.
Successful exploitation of the vulnerability results in denial of service.
3) Denial of service (CVE-ID: CVE-2017-9242)
The vulnerability allows a local attacker to cause DoS condition on the target system.The weakness exists due to an error in the __ip6_append_data function when checking whether an overwrite of an skb data structure may occur. A local attacker can use specially crafted system calls and cause the system to crash.
Successful exploitation of the vulnerability results in denial of service.
Remediation
Install update from vendor's website.