SUSE Linux update for the Linux Kernel

1) Resource management errors

EUVDB-ID: #VU11764

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-18075

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a local attacker to cause DoS condition on the target system.

The weakness exists in crypto/pcrypt.c due to mishandling freeing instances. A local attacker can gain access to the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT), execute a crafted sequence of system calls and cause the service to crash (kfree of an incorrect pointer).

Mitigation

Update the affected packages.

Vulnerable software versions

Linux kernel: 4.10 - 4.14.12

CPE2.3

• cpe:2.3:o:linux_foundation:linux_kernel:4.10:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:4.10.0:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:4.10.1:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:4.10.2:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:4.10.3:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:4.10.4:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:4.10.5:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:4.10.6:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:4.10.7:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:4.10.8:*:*:*:*:*:*:*

External links

https://lists.opensuse.org/opensuse-security-announce/2018-03/msg00007.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.