SB2018041047 - Red Hat update for kernel
Published: April 10, 2018
Description
This security bulletin contains information about 28 security vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2016-3672)
The vulnerability allows a local attacker to bypass security restrictions on the target system. The weakness exists in the arch_pick_mmap_layout function in arch/x86/mm/mmap.c due to improper randomizing of the legacy base address. A local attacker can disable stack-consumption resource limits, defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag and bypass the ASLR protection mechanism for a setuid or setgid program.
2) Use-after-free error (CVE-ID: CVE-2016-7913)
The vulnerability allows a local attacker to cause a DoS condition or gain elevated privileges on the target system. The weakness exists in the xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c due to a use-after-free error. A local attacker can trigger memory corruption via vectors involving omission of the firmware name from a certain data structure, cause the service to crash or gain root privileges.
3) Configuration error (CVE-ID: CVE-2016-8633)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists in drivers/firewire/net.c when certain unusual hardware configurations are used. A remote attacker can execute arbitrary code via specially crafted fragmented packets.
Successful exploitation of the vulnerability may result in system compromise.
4) Memory corruption (CVE-ID: CVE-2017-7294)
The vulnerability allows a local attacker to cause a DoS condition or gain elevated privileges on the target system. The weakness exists in the vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c due to missing validation of the addition of certain levels data. A local attacker can trigger an integer overflow and out-of-bounds write, cause the service to crash or possibly gain root privileges via a crafted ioctl call for a /dev/dri/renderD* device.
5) Use-after-free error (CVE-ID: CVE-2017-8824)
The vulnerability allows a local attacker to gain elevated privileges or cause a DoS condition on the target system. The weakness exists due to an error in the dccp_disconnect function in net/dccp/proto.c in the Linux kernel. A local attacker can make a specially crafted AF_UNSPEC connect system call during the DCCP_LISTEN state, trigger a use-after-free error and gain root privileges or cause the system to crash.
6) Uncontrolled memory allocation (CVE-ID: CVE-2017-9725)
The vulnerability allows a local attacker to cause a DoS condition or gain elevated privileges on the target system. The weakness exists in all Qualcomm products with Android releases from CAF during DMA allocation: because of a wrong data type for the allocation size, the size gets truncated, which makes the allocation succeed when it should fail. A local attacker can cause the service to crash or gain root privileges.
7) Improper privilege management (CVE-ID: CVE-2017-12154)
The vulnerability allows a local user to perform a denial of service (DoS) attack. The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the "CR8-load exiting" and "CR8-store exiting" L0 vmcs02 controls exist in cases where L1 omits the "use TPR shadow" vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the hardware CR8 register.
8) Memory leak (CVE-ID: CVE-2017-12190)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists due to an out-of-memory condition. A local attacker can cause a memory leak and a possible system lock-up.
9) Privilege escalation (CVE-ID: CVE-2017-13166)
The vulnerability allows a local attacker to gain elevated privileges on the target system. The weakness exists in the V4L2 video driver component of the Google Android kernel due to insufficient validation of user-supplied input. A local attacker can use a specially crafted application and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
10) Information disclosure (CVE-ID: CVE-2017-14140)
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system. The weakness exists in mm/migrate.c due to an improper check of the effective UID. A local attacker can learn the memory layout of a setuid executable despite ASLR and expose sensitive information.
11) NULL pointer dereference (CVE-ID: CVE-2017-15116)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists in the rngapi_reset function in crypto/rng.c due to a NULL pointer dereference. A local attacker can cause the service to crash.
12) Improper input validation (CVE-ID: CVE-2017-15121)
The vulnerability allows a local unauthenticated attacker to cause a DoS condition on the target system. The weakness exists when an application punches a hole in a file that does not end aligned to a page boundary. A local attacker can mount a fuse filesystem and cause the service to crash.
13) Use-after-free error (CVE-ID: CVE-2017-15126)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists in fs/userfaultfd.c due to the handling of fork failure when dealing with event messages. Failure to fork correctly can lead to a situation where a fork event will be removed from an already freed list of events with userfaultfd_ctx_put(). A remote attacker can trigger a use-after-free error and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
14) Data handling (CVE-ID: CVE-2017-15127)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists in the hugetlb_mcopy_atomic_pte function in mm/hugetlb.c due to a superfluous implicit page unlock for a VM_SHARED hugetlbfs mapping. A local attacker can cause the service to crash.
15) Memory corruption (CVE-ID: CVE-2017-15129)
The vulnerability allows a local unprivileged attacker to cause a DoS condition on the target system. The weakness exists because the function get_net_ns_by_id() in net/core/net_namespace.c does not check the net::count value after it has found a peer network in the netns_ids idr. A local attacker can induce kernel memory corruption, trigger use-after-free and double-free errors in the network namespaces code and cause the system to crash.
16) Use-after-free (CVE-ID: CVE-2017-15265)
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to a use-after-free error in the ALSA sequencer interface (/dev/snd/seq). A local attacker can run a specially crafted application, trigger memory corruption and execute arbitrary code with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
17) Security restrictions bypass (CVE-ID: CVE-2017-17448)
The vulnerability allows a local attacker to bypass security restrictions on the target system. The weakness exists because net/netfilter/nfnetlink_cthelper.c in the Linux kernel does not require the CAP_NET_ADMIN capability for new, get, and del operations. A local attacker can bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces.
18) Information disclosure (CVE-ID: CVE-2017-17449)
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system. The weakness exists because the __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel, when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net namespace. A local attacker can leverage the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system and read arbitrary files.
19) Out-of-bounds write (CVE-ID: CVE-2017-17558)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists because the usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel does not consider the maximum number of configurations and interfaces before attempting to release resources. A local attacker can supply a specially crafted USB device, trigger an out-of-bounds write and cause the system to crash.
Successful exploitation of the vulnerability results in denial of service.
20) Use-after-free error (CVE-ID: CVE-2017-18017)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists in the tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel due to a use-after-free error. A remote attacker can leverage the presence of xt_TCPMSS in an iptables action, trigger memory corruption and cause the system to crash.
21) Race condition (CVE-ID: CVE-2017-18203)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists in the dm_get_from_kobject function due to a race condition. A local attacker can cause the service to crash.
22) Assertion failure (CVE-ID: CVE-2017-1000252)
The vulnerability allows a local user to perform a denial of service (DoS) attack. The KVM subsystem in the Linux kernel through 4.13.3 allows guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of-bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c.
23) Resource management error (CVE-ID: CVE-2017-1000407)
The vulnerability allows a local user to perform a denial of service attack. The vulnerability exists due to the possibility of flooding the diagnostic port 0x80. A local user can trigger an exception and cause a kernel panic.
24) Information disclosure (CVE-ID: CVE-2017-1000410)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system. The weakness exists due to a flaw when processing incoming L2CAP commands, ConfigRequest and ConfigResponse messages. A remote attacker can manipulate the code flows that precede the handling of the configuration messages and read important data.
25) Privilege escalation (CVE-ID: CVE-2018-5750)
The vulnerability allows a local attacker to gain elevated privileges on the target system. The weakness exists due to a flaw in the acpi_smbus_hc_add() function in 'drivers/acpi/sbshc.c'. A local attacker can submit a specially crafted SBS HC printk system call to obtain potentially sensitive address information and potentially bypass kernel address space layout randomization (KASLR) security protection.
26) Integer overflow (CVE-ID: CVE-2018-6927)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists in the futex_requeue function due to an integer overflow. A local attacker can trigger a negative wake or requeue value and cause the service to crash.
27) Race condition (CVE-ID: CVE-2018-1000004)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists due to a race condition in the sound system. A remote attacker can trigger a deadlock and cause the system to crash.
28) Information disclosure (CVE-ID: CVE-2017-5754)
The vulnerability allows a local attacker to obtain potentially sensitive information.
The vulnerability exists in Intel CPU hardware due to side-channel attacks, which are also referred to as Meltdown attacks. A local attacker can execute arbitrary code, perform a side-channel analysis of the data cache and gain access to sensitive information including memory from the CPU cache.
Remediation
Install the update from the vendor's website.