OpenSUSE Linux update for the Linux Kernel

1) Stack-based buffer overflow

EUVDB-ID: #VU8329

Risk: Low

CVSSv3.1: 8.6 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-1000251

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: Yes

Description

The vulnerability allows an adjacent attacker to execute arbitrary code on the host system.

The weakness exists due to a stack-based buffer overflow in the processing of L2CAP configuration. An adjacent attacker can submit a specially crafted Bluetooth protocol, trigger memory corruption in the Bluetooth stack and execute arbitrary code in kernel space.

Successful exploitation of the vulnerability may result in host system compromise.

Mitigation

Update the affected packages.

Vulnerable software versions

Linux kernel: 3.3 - 4.13.1

linux_kernel (Debian package): 4.6.4-1 - 4.7.2-1

External links

http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00057.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Improper access control

EUVDB-ID: #VU11763

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-11472

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information and bypass security restrictions on the target system.

The weakness exists in the acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c due to it does not flush the operand cache and causes a kernel stack dump. A local attacker can submit a specially crafted ACPI table, gain access to potentially sensitive information from kernel memory and bypass the KASLR protection mechanism.

Mitigation

Update the affected packages.

Vulnerable software versions

Linux kernel: 4.10.0 - 4.11.12

External links

http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00057.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Privilege escalation

EUVDB-ID: #VU7952

Risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-12134

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local attacker on a Linux-based guest system to gain elevated privileges on the host system.

The weakness exists due to aa flaw in merging adjacent block IO requests. A local attacker on the guest system can incorrectly access memory during block stream processing to obtain potentially sensitive information or gain elevated privileges on the host system.

Mitigation

Update the affected packages.

Vulnerable software versions

Xen: 4.6.0 - 4.9.0

External links

http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00057.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Integer overflow

EUVDB-ID: #VU10715

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-14051

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a local attacker to cause DoS condition on the target system.

The weakness exists in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.ct due to an integer overflow. A local attacker can gain root access and cause the service to crash.

Mitigation

Update the affected packages.

Vulnerable software versions

Linux kernel: 4.12.1 - 4.12.10

External links

http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00057.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Divide by zero

EUVDB-ID: #VU8922

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-14106

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: No

Description

The vulnerability allows a local attacker to cause DoS condition on the target system.

The weakness exists due to divide-by-zero error in the tcp_disconnect() function in net/ipv4/tcp.c. A local attacker can trigger a disconnect within a certain tcp_recvmsg code path and cause kernel panic.

Successful exploitation of the vulnerability results in denial of service.

Mitigation

Update the affected packages.

Vulnerable software versions

Linux kernel: 4.0.1 - 4.11.12

linux_kernel (Debian package): 4.6.4-1 - 4.7.2-1

External links

http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00057.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.