SB2018022308 - Ubuntu update for Linux kernel
Published: February 23, 2018
Description
This security bulletin contains information about 25 security vulnerabilities.
1) Privilege escalation (CVE-ID: CVE-2017-0750)
The vulnerability allows a local attacker to cause a DoS condition or possibly execute arbitrary code on the target system. The weakness exists in the Flash-Friendly File System (f2fs) in the Linux kernel due to an out-of-bounds write error. A local attacker can construct a malicious file system image that, when mounted, causes a denial of service (system crash) or possibly executes arbitrary code.
2) Use-after-free (CVE-ID: CVE-2017-0861)
The vulnerability allows a local user to perform a denial of service attack. The vulnerability exists due to a use-after-free error in the snd_pcm_info() function in the ALSA subsystem. A local user can trigger the use-after-free and crash the system.
3) Resource management error (CVE-ID: CVE-2017-1000407)
The vulnerability allows a local user to perform a denial of service attack. The vulnerability exists because the diagnostic I/O port 0x80 can be flooded; on Intel hosts KVM let guests write this port directly. A local user, including one inside a KVM guest, can flood the port, trigger an exception and cause a kernel panic.
4) NULL pointer dereference (CVE-ID: CVE-2017-12153)
The vulnerability allows a local user to perform a denial of service (DoS) attack. A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel through 4.13.3. This function does not check whether the required attributes are present in a Netlink request. The request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash.
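The bug class in item 4 is a handler that validates attribute lengths but never checks that the attributes were supplied at all. The following is an added, user-space model of that pattern written for this bulletin; it is not the kernel's code. The struct attr type, the REKEY_* indices and the helper functions are simplified stand-ins for the kernel's struct nlattr and nla_* helpers, and the request contents are constructed sample data. The vulnerable handler reads through a NULL table entry when an attribute is missing; the fixed handler rejects the request first, which is the shape of the upstream fix.

```c
/* Added example (not kernel code): missing-attribute check behind CVE-2017-12153.
 * Netlink handlers parse a request's attributes into a table indexed by attribute
 * type; an entry the sender omitted stays NULL.  Everything below is a
 * simplified, user-space stand-in for the kernel's nlattr API. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { REKEY_KEK = 0, REKEY_KCK = 1, REKEY_REPLAY_CTR = 2, REKEY_MAX = 3 };
enum { KEK_LEN = 16, KCK_LEN = 16, REPLAY_CTR_LEN = 8 };

struct attr {                 /* hypothetical stand-in for struct nlattr */
    uint16_t len;
    const uint8_t *data;
};

struct rekey_data {
    uint8_t kek[KEK_LEN];
    uint8_t kck[KCK_LEN];
    uint8_t replay_ctr[REPLAY_CTR_LEN];
};

/* Length check only: a NULL 'a' is dereferenced on the first line. */
static int copy_attr(uint8_t *dst, const struct attr *a, size_t want)
{
    if (a->len != want)
        return -ERANGE;
    memcpy(dst, a->data, want);
    return 0;
}

/* Vulnerable shape: lengths are validated, presence is assumed. */
int set_rekey_data_vulnerable(struct attr *const tb[REKEY_MAX], struct rekey_data *out)
{
    int err;
    if ((err = copy_attr(out->kek, tb[REKEY_KEK], KEK_LEN)) ||
        (err = copy_attr(out->kck, tb[REKEY_KCK], KCK_LEN)) ||
        (err = copy_attr(out->replay_ctr, tb[REKEY_REPLAY_CTR], REPLAY_CTR_LEN)))
        return err;
    return 0;
}

/* Fixed shape: refuse the request before touching any possibly-absent attribute. */
int set_rekey_data_fixed(struct attr *const tb[REKEY_MAX], struct rekey_data *out)
{
    if (!tb[REKEY_KEK] || !tb[REKEY_KCK] || !tb[REKEY_REPLAY_CTR])
        return -EINVAL;
    return set_rekey_data_vulnerable(tb, out);   /* safe now: all entries non-NULL */
}

/* Constructed request: KEK and REPLAY_CTR always present, KCK optionally omitted. */
struct request {
    struct attr a_kek, a_kck, a_ctr;
    struct attr *tb[REKEY_MAX];
};

static void build_request(struct request *r, int omit_kck)
{
    static const uint8_t kek[KEK_LEN] = { 0xaa };        /* constructed sample data */
    static const uint8_t kck[KCK_LEN] = { 0xbb };
    static const uint8_t ctr[REPLAY_CTR_LEN] = { 0x01 };
    r->a_kek = (struct attr){ KEK_LEN, kek };
    r->a_kck = (struct attr){ KCK_LEN, kck };
    r->a_ctr = (struct attr){ REPLAY_CTR_LEN, ctr };
    r->tb[REKEY_KEK] = &r->a_kek;
    r->tb[REKEY_KCK] = omit_kck ? NULL : &r->a_kck;
    r->tb[REKEY_REPLAY_CTR] = &r->a_ctr;
}

/* Result of the fixed handler for a complete (0) or KCK-less (1) request. */
int fixed_handler_result(int omit_kck)
{
    struct request r;
    struct rekey_data rd;
    build_request(&r, omit_kck);
    return set_rekey_data_fixed(r.tb, &rd);
}

/* The vulnerable handler on a complete request; with a NULL entry this path
 * would dereference NULL, which is the crash the bulletin describes. */
int vulnerable_handler_result(void)
{
    struct request r;
    struct rekey_data rd;
    build_request(&r, 0);
    return set_rekey_data_vulnerable(r.tb, &rd);
}

int main(void)
{
    printf("fixed, complete request: %d\n", fixed_handler_result(0));
    printf("fixed, KCK omitted:      %d (expect -EINVAL = %d)\n", fixed_handler_result(1), -EINVAL);
    printf("vulnerable, complete:    %d\n", vulnerable_handler_result());
    return 0;
}
```

The takeaway for reviewing any attribute- or TLV-driven handler is the same: a presence check must precede every length or content check, and it belongs at the top of the handler rather than beside each use.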
5) Memory leak (CVE-ID: CVE-2017-12190)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists due to unbalanced page reference counting in the block layer's bio_map_user_iov() and bio_unmap_user() functions, which leaks page references. A local attacker can trigger the leak repeatedly, exhaust memory and possibly lock up the system.
6) NULL pointer dereference (CVE-ID: CVE-2017-12192)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists in the Key Management subcomponent of the Linux kernel due to a NULL pointer dereference when a KEYCTL_READ operation is issued on a negatively instantiated key. A local attacker can crash the kernel.
7) Integer overflow (CVE-ID: CVE-2017-14051)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c due to an integer overflow. A local attacker who already has root access can trigger memory corruption and crash the system.
8) Information disclosure (CVE-ID: CVE-2017-14140)
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system. The weakness exists in the move_pages system call in mm/migrate.c due to an improper check of the effective UID. A local attacker can learn the memory layout of a setuid executable despite ASLR and expose sensitive information.
9) Information disclosure (CVE-ID: CVE-2017-14156)
The vulnerability allows a local attacker to obtain sensitive information on the target system. The weakness exists in drivers/video/fbdev/aty/atyfb_base.c due to a data structure that is not fully initialized before being copied to user space. A local attacker can read the padding bytes and obtain sensitive information from kernel stack memory.
10) Denial of service (CVE-ID: CVE-2017-14489)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists in drivers/scsi/scsi_transport_iscsi.c due to incorrect length validation. A local attacker can trigger a kernel panic and cause a denial of service.
11) NULL pointer dereference (CVE-ID: CVE-2017-15102)
The vulnerability allows a local user to escalate privileges. The vulnerability exists due to a race condition and a NULL pointer dereference in the tower_probe() function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1. A local user with physical access who can plug in a crafted USB device can execute arbitrary code with escalated privileges. The device has to delay the control message in tower_probe and accept the control URB in tower_open while the attacker's code initiates a write to the device file, because tower_delete is called from the error path in tower_probe.
According to the vendor, this security issue has existed since 2003.
12) Use-after-free error (CVE-ID: CVE-2017-15115)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists because the sctp_do_peeloff function in net/sctp/socket.c does not check whether the intended netns is used in a peel-off action. A local attacker can make specially crafted system calls, trigger a use-after-free error and crash the system.
Successful exploitation of the vulnerability results in denial of service.
13) NULL pointer dereference (CVE-ID: CVE-2017-15274)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists in security/keys/keyctl.c due to a NULL pointer dereference when a NULL payload is supplied together with a nonzero length. A local attacker can issue a specially crafted add_key or keyctl system call and cause a denial of service.
14) Privilege escalation (CVE-ID: CVE-2017-15868)
The vulnerability allows a local user to elevate privileges on the system. The vulnerability exists due to a missing check that an L2CAP socket is available in the bnep_add_connection() function in net/bluetooth/bnep/core.c. A local user can execute arbitrary code with elevated privileges.
15) Use-after-free error (CVE-ID: CVE-2017-16525)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists due to a use-after-free error in the usb_serial_console_disconnect function in drivers/usb/serial/console.c. A local attacker can use a specially crafted USB device and crash the system.
Successful exploitation of the vulnerability results in denial of service.
16) Security restrictions bypass (CVE-ID: CVE-2017-17450)
The vulnerability allows a local attacker to bypass security restrictions on the target system. The weakness exists because net/netfilter/xt_osf.c in the Linux kernel does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations. A local attacker can bypass intended access restrictions because the xt_osf_fingers data structure is shared across all network namespaces.
17) Stack-based buffer overflow (CVE-ID: CVE-2017-17806)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists because the HMAC implementation (crypto/hmac.c) in the Linux kernel does not validate that the underlying cryptographic hash algorithm is unkeyed. A local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) can execute a specially crafted sequence of system calls that hits a missing SHA-3 initialization, overflow a kernel stack buffer and crash the system.
Successful exploitation of the vulnerability results in denial of service.
18) Use-after-free error (CVE-ID: CVE-2017-18017)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists in the tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel due to a use-after-free error. A remote attacker can leverage the presence of xt_TCPMSS in an iptables rule, trigger memory corruption and crash the system.
19) Security restrictions bypass (CVE-ID: CVE-2017-5669)
The vulnerability allows a local attacker to bypass a security restriction on the target system. The weakness exists in the do_shmat function in ipc/shm.c due to improper restriction of the address calculated by a certain rounding operation. A local attacker can map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context.
20) Denial of service (CVE-ID: CVE-2017-7542)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists in the ip6_find_1stfragopt function in net/ipv6/output_core.c due to an integer overflow. A local attacker able to open a raw socket can trigger the overflow and an infinite loop, causing a denial of service.
21) Information disclosure (CVE-ID: CVE-2017-7889)
The vulnerability allows a local attacker to gain access to potentially sensitive information. The weakness exists due to improper enforcement of the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem can read or write kernel memory locations in the first megabyte and bypass slab-allocation access restrictions.
22) Use-after-free error (CVE-ID: CVE-2017-8824)
The vulnerability allows a local attacker to gain elevated privileges or cause a DoS condition on the target system. The weakness exists due to an error in the dccp_disconnect function in net/dccp/proto.c in the Linux kernel. A local attacker can make a specially crafted AF_UNSPEC connect system call during the DCCP_LISTEN state, trigger a use-after-free error and gain root privileges or crash the system.
23) Null pointer dereference (CVE-ID: CVE-2018-5333)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists in the rds_cmsg_atomic function in net/rds/rdma.c due to mishandling of cases where page pinning fails or an invalid address is supplied. A local attacker can make specially crafted RDS socket calls, trigger a NULL pointer dereference and crash the system.
24) Use-after-free error (CVE-ID: CVE-2018-5344)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists because drivers/block/loop.c mishandles lo_release serialization, leading to a use-after-free error. A local attacker can trigger memory corruption and crash the system or possibly execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
25) Information disclosure (CVE-ID: CVE-2017-5754)
The vulnerability allows a local attacker to obtain potentially sensitive information. The vulnerability exists in Intel CPU hardware and is exploited through a speculative-execution side channel, also referred to as the Meltdown attack. A local attacker can run unprivileged code that performs a side-channel analysis of the data cache and reads kernel memory that should be inaccessible from user space.
Remediation
Install the kernel update from the vendor's website and reboot into the updated kernel; the fixes do not take effect until the new kernel is running.