SB2017112135 - Ubuntu update for Linux kernel
Published: November 21, 2017
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 20 secuirty vulnerabilities.
1) Path traversal (CVE-ID: CVE-2017-12188)
The vulnerability allows an adjacent attacker to cause DoS condition or execute arbitrary code on the target system.The weakness exists in arch/x86/kvm/mmu.c due to improper traversal of guest pagetable entries to resolve a guest virtual address when nested virtualisation is used. An adjacent attacker can cause the service to crash or execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
2) Memory corruption (CVE-ID: CVE-2017-1000255)
The vulnerability allows a local user to execute arbitrary code with escalated privileges.The vulnerability exists due to a boundary error in the Linux kernel's when handling signal frame on PowerPC systems. A malicious local user process could craft a signal frame allowing an attacker to corrupt memory and execute arbitrary code on the target system with escalated privileges.
3) NULL pointer dereference (CVE-ID: CVE-2017-12153)
The vulnerability allows a local user to perform a denial of service (DoS) attack.A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel through 4.13.3. This function does not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash.
4) Improper privilege management (CVE-ID: CVE-2017-12154)
The vulnerability allows a local user to perform a denial of service (DoS) attack.The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the "CR8-load exiting" and "CR8-store exiting" L0 vmcs02 controls exist in cases where L1 omits the "use TPR shadow" vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the hardware CR8 register.
5) Memory leak (CVE-ID: CVE-2017-12190)
The vulnerability allows a local attacker to cause DoS condition on the target system.The weakness exists due to an out-of-memory condition. A local attacker can cause a memory leak and possible system lock up.
6) NULL pointer dereference (CVE-ID: CVE-2017-12192)
The vulnerability allows a local attacker to cause DoS condition on the target system.The weakness exists in the Key Management sub component of the Linux kernel when trying to issue a KEYTCL_READ on a negative key due to a NULL pointer dereference. A local attacker can cause the kernel and service to crash.
7) Information disclosure (CVE-ID: CVE-2017-14156)
The vulnerability allows a local attacker to obtain sensitive information on the target system.The weakness exists in the drivers/video/fbdev/aty/atyfb_base.c due to improper initialization of a certain data structure. A local attacker can read locations associated with padding bytes and obtain sensitive information from kernel stack memory.
8) Denial of service (CVE-ID: CVE-2017-14489)
The vulnerability allows a local attacker to cause DoS condition on the target system.The weakness exists in the drivers/scsi/scsi_transport_iscsi.c due to leveraging incorrect length validation. A local attacker can cause a denial of service.
9) Information disclosure (CVE-ID: CVE-2017-14954)
The vulnerability allows a local user to obtain potentially sensitive information.
The vulnerability exists due to an error in waitid implementation in kernel/exit.c in the Linux kernel through 4.13.4. A local user can accesses rusage data structures in unintended cases, which allows local users to obtain sensitive information, and bypass the KASLR protection mechanism, via a crafted system call.
10) Use-after-free (CVE-ID: CVE-2017-15265)
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to use-after-free error in the ALSA sequencer interface (/dev/snd/seq). A local attacker can run a specially crafted application, trigger memory corruption and execute arbitrary code with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
11) Information disclosure (CVE-ID: CVE-2017-15537)
The vulnerability allows a local attacker to obtain potentially sensitive information.
The weakness exists in the x86/fpu (Floating Point Unit) subsystem due to incorrect handling of attempts to set reserved bits in the xstate header via the ptrace() or rt_sigreturn() system call when a processor supports the xsave feature but not the xsaves feature. A local attacker can read the FPU registers of other processes on the system, related to arch/x86/kernel/fpu/regset.c and arch/x86/kernel/fpu/signal.c.
12) Privilege escalation (CVE-ID: CVE-2017-15649)
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists in net/packet/af_packet.c due to race condition (involving fanout_add and packet_do_bind. A local attacker can supply specially crafted system calls, trigger mishandling of packet_fanout data structures, trigger use-after-free error and gain root privileges.
13) Use-after-free error (CVE-ID: CVE-2017-16525)
The vulnerability allows a local attacker to cause DoS condition on the target system.The weakness exists due to use-after-free error in usb_serial_console_disconnect function in drivers/usb/serial/console.c. A local attacker can use a specially crafted USB device and cause the system to crash.
Successful exploitation of the vulnerability results in denial of service.
14) Denial of service (CVE-ID: CVE-2017-16526)
The vulnerability allows a local attacker to cause DoS condition on the target system.The weakness exists due to a flaw in drivers/uwb/uwbd.c. A local attacker can use a specially crafted USB device and cause the system to crash.
Successful exploitation of the vulnerability results in denial of service.
15) Use-after-free error (CVE-ID: CVE-2017-16527)
The vulnerability allows a local attacker to cause DoS condition on the target system.The weakness exists due to use-after-free error in sound/usb/mixer.c. A local attacker can use a specially crafted USB device and cause the system to crash.
Successful exploitation of the vulnerability results in denial of service.
16) Out-of-bounds read (CVE-ID: CVE-2017-16529)
The vulnerability allows a local attacker to cause DoS condition on the target system.The weakness exists due to out-of-bounds read in the snd_usb_create_streams function in sound/usb/card.c. A local attacker can use a specially crafted USB device and cause the system to crash.
Successful exploitation of the vulnerability results in denial of service.
17) Out-of-bounds read (CVE-ID: CVE-2017-16530)
The vulnerability allows a local attacker to cause DoS condition on the target system.The weakness exists due to out-of-bounds read in the drivers/usb/storage/uas-detect.h and drivers/usb/storage/uas.c. A local attacker can use a specially crafted USB device and cause the system to crash.
Successful exploitation of the vulnerability results in denial of service.
18) Out-of-bounds read (CVE-ID: CVE-2017-16531)
The vulnerability allows a local attacker to cause DoS condition on the target system.The weakness exists due to out-of-bounds read in the drivers/usb/core/config.c. A local attacker can use a specially crafted USB device and cause the system to crash.
Successful exploitation of the vulnerability results in denial of service.
19) Out-of-bounds read (CVE-ID: CVE-2017-16533)
The vulnerability allows a local attacker to cause DoS condition on the target system.The weakness exists due to out-of-bounds read in the usbhid_parse function in drivers/hid/usbhid/hid-core.c. A local attacker can use a specially crafted USB device and cause the system to crash.
Successful exploitation of the vulnerability results in denial of service.
20) Out-of-bounds read (CVE-ID: CVE-2017-16534)
The vulnerability allows a local attacker to cause DoS condition on the target system.The weakness exists due to out-of-bounds read in the cdc_parse_cdc_header function in drivers/usb/core/message.c. A local attacker can use a specially crafted USB device and cause the system to crash.
Successful exploitation of the vulnerability results in denial of service.
Remediation
Install update from vendor's website.