{"bulletinFamily": "scanner", "viewCount": 0, "naslFamily": "Red Hat Local Security Checks", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["2017:0386-01", "https://www.redhat.com/archives/rhsa-announce/2017-March/msg00008.html"], "description": "Check the version of kernel", "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "42b6f4db9e142ff3e146a9b8c10f1122"}, {"key": "cvss", "hash": "cfd16da9581e0c21db590e40dfd9e493"}, {"key": "description", "hash": "e7abf60a84a5ac895309f72a03411643"}, {"key": "href", "hash": "b06677cdcdd77fc11036d5814c4829be"}, {"key": "modified", "hash": "602bced6320cec4ab33d131e0b746b65"}, {"key": "naslFamily", "hash": "b46559ea68ec9a13474c3a7776817cfd"}, {"key": "pluginID", "hash": "d9f45419429e798dbc5e02917b7baa8d"}, {"key": "published", "hash": "9b55e1ae150f0ab2dc3a8c69b504e6f1"}, {"key": "references", "hash": "2e359d7f0f6aba631a0f6c0f33d562fd"}, {"key": "reporter", "hash": "a2323bbbec1269474bb5afba0147298f"}, {"key": "sourceData", "hash": "7910569d79171130542d7baf024fb758"}, {"key": "title", "hash": "1949fe8a5991fcaf65763536128583cf"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871768", "modified": "2017-07-12T00:00:00", "objectVersion": "1.3", "enchantments": {"vulnersScore": 7.2}, "id": "OPENVAS:1361412562310871768", "title": "RedHat Update for kernel RHSA-2017:0386-01", "hash": "bb74d4bc7e3fc16b47693b99be8bd63701d6e6bddecfa6b71dcc70f07d41780e", "edition": 2, "published": "2017-03-03T00:00:00", "type": "openvas", "history": [{"lastseen": "2017-07-02T21:14:31", "bulletin": {"hash": "c5b3361d4326041126a0871b943f9a1868e30fccbf8f405eb181b36d4bfaf19b", "viewCount": 0, "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["2017:0386-01", "https://www.redhat.com/archives/rhsa-announce/2017-March/msg00008.html"], "description": "Check the version of kernel", "hashmap": [{"key": "reporter", "hash": "a2323bbbec1269474bb5afba0147298f"}, {"key": "href", "hash": "b06677cdcdd77fc11036d5814c4829be"}, {"key": "published", "hash": "9b55e1ae150f0ab2dc3a8c69b504e6f1"}, {"key": "sourceData", "hash": "86bc2e0fa070331e722fd6c284c2ef63"}, {"key": "cvss", "hash": "cfd16da9581e0c21db590e40dfd9e493"}, {"key": "description", "hash": "e7abf60a84a5ac895309f72a03411643"}, {"key": "references", "hash": "2e359d7f0f6aba631a0f6c0f33d562fd"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}, {"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "title", "hash": "1949fe8a5991fcaf65763536128583cf"}, {"key": "pluginID", "hash": "d9f45419429e798dbc5e02917b7baa8d"}, {"key": "modified", "hash": "0404a0b8374966187f59ed4a2b846395"}, {"key": "naslFamily", "hash": "b46559ea68ec9a13474c3a7776817cfd"}, {"key": "cvelist", "hash": "42b6f4db9e142ff3e146a9b8c10f1122"}], "naslFamily": "Red Hat Local Security Checks", "modified": "2017-03-17T00:00:00", "objectVersion": "1.3", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871768", "published": "2017-03-03T00:00:00", "enchantments": {}, "id": "OPENVAS:1361412562310871768", "title": "RedHat Update for kernel RHSA-2017:0386-01", "bulletinFamily": "scanner", "edition": 1, "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for kernel RHSA-2017:0386-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871768\");\n script_version(\"$Revision: 5601 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-03-17 15:04:50 +0100 (Fri, 17 Mar 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-03 05:49:38 +0100 (Fri, 03 Mar 2017)\");\n script_cve_id(\"CVE-2016-8630\", \"CVE-2016-8655\", \"CVE-2016-9083\", \"CVE-2016-9084\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2017:0386-01\");\n script_tag(name: \"summary\", value: \"Check the version of kernel\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"The kernel packages contain the Linux\nkernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM)\nsupport is vulnerable to a null pointer dereference flaw. It could occur on\nx86 platform, when emulating an undefined instruction. An attacker could\nuse this flaw to crash the host kernel resulting in DoS. (CVE-2016-8630,\nImportant)\n\n* A race condition issue leading to a use-after-free flaw was found in the\nway the raw packet sockets implementation in the Linux kernel networking\nsubsystem handled synchronization while creating the TPACKET_V3 ring\nbuffer. A local user able to open a raw packet socket (requires the\nCAP_NET_RAW capability) could use this flaw to elevate their privileges on\nthe system. (CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO. An\nattacker issuing an ioctl can create a situation where memory is corrupted\nand modify memory outside of the expected area. This may overwrite kernel\nmemory and subvert kernel execution. (CVE-2016-9083, Important)\n\n* The use of a kzalloc with an integer multiplication allowed an integer\noverflow condition to be reached in vfio_pci_intrs.c. This combined with\nCVE-2016-9083 may allow an attacker to craft an attack and use unallocated\nmemory, potentially crashing the machine. (CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting CVE-2016-8655.\n\nAdditional Changes:\n\nSpace precludes documenting all of the bug fixes and enhancements included\nin this advisory. To see the complete list of bug fixes and enhancements,\nrefer to the following KnowledgeBase article:\nhttps://access.redhat.com/articles/2940041\");\n script_tag(name: \"affected\", value: \"kernel on\n Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n\n script_xref(name: \"RHSA\", value: \"2017:0386-01\");\n script_xref(name: \"URL\" , value: \"https://www.redhat.com/archives/rhsa-announce/2017-March/msg00008.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"HostDetails/OS/cpe:/o:redhat:enterprise_linux\", \"login/SSH/success\", \"ssh/login/release\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-debuginfo\", rpm:\"kernel-tools-debuginfo~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf-debuginfo\", rpm:\"python-perf-debuginfo~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "type": "openvas", "history": [], "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083"], "lastseen": "2017-07-02T21:14:31", "pluginID": "1361412562310871768"}, "differentElements": ["modified", "sourceData"], "edition": 1}], "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083"], "lastseen": "2017-07-27T10:57:13", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for kernel RHSA-2017:0386-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871768\");\n script_version(\"$Revision: 6691 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 11:51:43 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-03 05:49:38 +0100 (Fri, 03 Mar 2017)\");\n script_cve_id(\"CVE-2016-8630\", \"CVE-2016-8655\", \"CVE-2016-9083\", \"CVE-2016-9084\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2017:0386-01\");\n script_tag(name: \"summary\", value: \"Check the version of kernel\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"The kernel packages contain the Linux\nkernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM)\nsupport is vulnerable to a null pointer dereference flaw. It could occur on\nx86 platform, when emulating an undefined instruction. An attacker could\nuse this flaw to crash the host kernel resulting in DoS. (CVE-2016-8630,\nImportant)\n\n* A race condition issue leading to a use-after-free flaw was found in the\nway the raw packet sockets implementation in the Linux kernel networking\nsubsystem handled synchronization while creating the TPACKET_V3 ring\nbuffer. A local user able to open a raw packet socket (requires the\nCAP_NET_RAW capability) could use this flaw to elevate their privileges on\nthe system. (CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO. An\nattacker issuing an ioctl can create a situation where memory is corrupted\nand modify memory outside of the expected area. This may overwrite kernel\nmemory and subvert kernel execution. (CVE-2016-9083, Important)\n\n* The use of a kzalloc with an integer multiplication allowed an integer\noverflow condition to be reached in vfio_pci_intrs.c. This combined with\nCVE-2016-9083 may allow an attacker to craft an attack and use unallocated\nmemory, potentially crashing the machine. (CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting CVE-2016-8655.\n\nAdditional Changes:\n\nSpace precludes documenting all of the bug fixes and enhancements included\nin this advisory. To see the complete list of bug fixes and enhancements,\nrefer to the following KnowledgeBase article:\nhttps://access.redhat.com/articles/2940041\");\n script_tag(name: \"affected\", value: \"kernel on\n Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n\n script_xref(name: \"RHSA\", value: \"2017:0386-01\");\n script_xref(name: \"URL\" , value: \"https://www.redhat.com/archives/rhsa-announce/2017-March/msg00008.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-debuginfo\", rpm:\"kernel-tools-debuginfo~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf-debuginfo\", rpm:\"python-perf-debuginfo~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "pluginID": "1361412562310871768"}

{"result": {"cve": [{"id": "CVE-2016-8655", "type": "cve", "title": "CVE-2016-8655", "description": "Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions.", "published": "2016-12-08T03:59:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8655", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-05-25T11:00:54"}, {"id": "CVE-2016-9084", "type": "cve", "title": "CVE-2016-9084", "description": "drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11 misuses the kzalloc function, which allows local users to cause a denial of service (integer overflow) or have unspecified other impact by leveraging access to a vfio PCI device file.", "published": "2016-11-27T22:59:12", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9084", "cvelist": ["CVE-2016-9084"], "lastseen": "2018-01-05T11:52:28"}, {"id": "CVE-2016-8630", "type": "cve", "title": "CVE-2016-8630", "description": "The x86_decode_insn function in arch/x86/kvm/emulate.c in the Linux kernel before 4.8.7, when KVM is enabled, allows local users to cause a denial of service (host OS crash) via a certain use of a ModR/M byte in an undefined instruction.", "published": "2016-11-27T22:59:03", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8630", "cvelist": ["CVE-2016-8630"], "lastseen": "2018-01-05T11:52:27"}, {"id": "CVE-2016-9083", "type": "cve", "title": "CVE-2016-9083", "description": "drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a \"state machine confusion bug.\"", "published": "2016-11-27T22:59:11", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9083", "cvelist": ["CVE-2016-9083"], "lastseen": "2018-01-05T11:52:28"}], "f5": [{"id": "F5:K38472857", "type": "f5", "title": "Kernel vulnerability CVE-2016-8655", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.0.2| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "published": "2016-12-23T00:06:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://support.f5.com/csp/article/K38472857", "cvelist": ["CVE-2016-8655"], "lastseen": "2017-09-29T13:55:54"}, {"id": "F5:K44309215", "type": "f5", "title": "Linux kernel vulnerability CVE-2017-1000111", "description": "\nF5 Product Development has assigned ID 710148 (BIG-IP) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H44309215 on the **Diagnostics** > **Identified** > **Medium** page. \n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator, WebSafe) | 13.x | None | Not applicable | Not vulnerable2 | None | None \n12.x | None | Not applicable \n11.x | None | Not applicable \nARX | 6.x | None | Not applicable | Not vulnerable | None | None \nEnterprise Manager | 3.x | None | Not applicable | Not vulnerable | None | None \nBIG-IQ Centralized Management | 5.x | None | Not applicable | Not vulnerable | None | None \n4.x | None | Not applicable \nBIG-IQ Cloud and Orchestration | 1.x | None | Not applicable | Not vulnerable | None | None \nF5 iWorkflow | 2.x | None | Not applicable | Not vulnerable | None | None \nLineRate | 2.x | None | Not applicable | Not vulnerable | None | None \nTraffix SDC | 5.x | None | Not applicable | Not vulnerable | None | None \n4.x | None | Not applicable \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\n2 The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "published": "2018-03-14T22:32:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://support.f5.com/csp/article/K44309215", "cvelist": ["CVE-2016-8655", "CVE-2017-1000111"], "lastseen": "2018-03-28T01:03:35"}], "seebug": [{"id": "SSV:92567", "type": "seebug", "title": "Linux af_packet.c race condition (local root) (CVE-2016-8655)", "description": "To create AF_PACKET sockets you need CAP_NET_RAW in your network\r\nnamespace, which can be acquired by unprivileged processes on\r\nsystems where unprivileged namespaces are enabled (Ubuntu, Fedora, etc).\r\nIt can be triggered from within containers to compromise the host kernel.\r\nOn Android, processes with gid=3004/AID_NET_RAW are able to create\r\nAF_PACKET sockets (mediaserver) and can trigger the bug.\r\n\r\nI found the bug by reading code paths that have been opened up by the\r\nemergence of unprivileged namespaces, something I think should be\r\noff by default in all Linux distributions given its history of\r\nsecurity vulnerabilities.\r\n\r\nThe problem is inside packet_set_ring() and packet_setsockopt().\r\nWe can reach packet_set_ring() by calling setsockopt() on the socket\r\nusing the PACKET_RX_RING option.\r\n\r\nIf the version of the packet socket is TPACKET_V3, a timer_list\r\nobject will be initialized by packet_set_ring() when it calls\r\ninit_prb_bdqc().\r\n```\r\n...\r\n switch (po->tp_version) {\r\n case TPACKET_V3:\r\n /* Transmit path is not supported. We checked\r\n * it above but just being paranoid\r\n */\r\n if (!tx_ring)\r\n init_prb_bdqc(po, rb, pg_vec, req_u);\r\n break;\r\n default:\r\n break;\r\n }\r\n...\r\n```\r\nThe function flow to set up the timer is:\r\npacket_set_ring()->init_prb_bdqc()->prb_setup_retire_blk_timer()->\r\nprb_init_blk_timer()->prb_init_blk_timer()->init_timer()\r\n\r\nWhen the socket is closed, packet_set_ring() is called again\r\nto free the ring buffer and delete the previously initialized\r\ntimer if the packet version is > TPACKET_V2:\r\n\r\n```\r\n...\r\n if (closing && (po->tp_version > TPACKET_V2)) {\r\n /* Because we don't support block-based V3 on tx-ring */\r\n if (!tx_ring)\r\n prb_shutdown_retire_blk_timer(po, rb_queue);\r\n }\r\n...\r\n```\r\n\r\nThe issue is that we can change the packet version to TPACKET_V1\r\nwith packet_setsockopt() after init_prb_bdqc() has been executed\r\nand before packet_set_ring() has returned.\r\n\r\nThere is an attempt to deny changing socket versions after a ring\r\nbuffer has been initialized, but it is insufficient:\r\n```\r\n...\r\n case PACKET_VERSION:\r\n {\r\n...\r\n if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)\r\n return -EBUSY;\r\n...\r\n```\r\nThere's plenty of room to race this code path between the calls to\r\ninit_prb_bdqc() and swap(rb->pg_vec, pg_vec) in packet_set_ring().\r\n\r\nWhen the socket is closed, packet_set_ring() will not delete the\r\ntimer since the socket version is now TPACKET_V1. The struct\r\ntimer_list that describes the timer object is located inside the\r\nstruct packet_sock for the socket itself however and will be\r\nfreed with a call to kfree().\r\n\r\nWe then have a use-after-free on a timer object that can be\r\nexploited by various poisoning attacks on the SLAB allocator (I find\r\nadd_key() to be the most reliable). This will ultimately lead to the\r\nkernel jumping to a manipulated function pointer when the timer expires.\r\n\r\nThe bug is fixed by taking lock_sock(sk) in packet_setsockopt() when\r\nchanging the packet version while also taking the lock at the start\r\nof packet_set_ring().\r\n\r\nMy exploit defeats SMEP/SMAP and will give a rootshell on Ubuntu 16.04,\r\nI will hold off a day on publishing it so people have some time to update.\r\n\r\nNew Ubuntu kernels are out so please update as soon as possible.\r\n\r\n=*=*=*=*=*=*=*=*= TIMELINE =*=*=*=*=*=*=*=*=\r\n```\r\n2016-11-28: Bug reported to security () kernel org\r\n2016-11-30: Patch submitted to netdev, notification sent to linux-distros\r\n2016-12-02: Patch committed to mainline kernel\r\n2016-12-06: Public announcement\r\n```", "published": "2016-12-07T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-92567", "cvelist": ["CVE-2016-8655"], "lastseen": "2017-11-19T12:02:37"}], "archlinux": [{"id": "ASA-201612-7", "type": "archlinux", "title": "linux-lts: privilege escalation", "description": "Philip Pettersson discovered a race condition in the af_packet\nimplementation in the Linux kernel. A local unprivileged attacker could\nuse this to cause a denial of service (system crash) or run arbitrary\ncode with administrative privileges.", "published": "2016-12-06T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2016-December/000783.html", "cvelist": ["CVE-2016-8655"], "lastseen": "2016-12-06T17:23:12"}, {"id": "ASA-201612-5", "type": "archlinux", "title": "linux-grsec: privilege escalation", "description": "Philip Pettersson discovered a race condition in the af_packet\nimplementation in the Linux kernel. A local unprivileged attacker could\nuse this to cause a denial of service (system crash) or run arbitrary\ncode with administrative privileges.", "published": "2016-12-06T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2016-December/000781.html", "cvelist": ["CVE-2016-8655"], "lastseen": "2016-12-06T17:23:12"}, {"id": "ASA-201612-8", "type": "archlinux", "title": "linux-zen: privilege escalation", "description": "A race condition issue leading to a use-after-free flaw was found in\nthe way the raw packet sockets implementation in the Linux kernel\nnetworking subsystem handled synchronization while creating the\nTPACKET_V3 ring buffer. A local user able to open a raw packet socket\n(requires the CAP_NET_RAW capability) could use this flaw to elevate\ntheir privileges on the system.", "published": "2016-12-07T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2016-December/000784.html", "cvelist": ["CVE-2016-8655"], "lastseen": "2016-12-09T05:23:17"}, {"id": "ASA-201612-6", "type": "archlinux", "title": "linux: privilege escalation", "description": "Philip Pettersson discovered a race condition in the af_packet\nimplementation in the Linux kernel. A local unprivileged attacker could\nuse this to cause a denial of service (system crash) or run arbitrary\ncode with administrative privileges.", "published": "2016-12-06T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2016-December/000782.html", "cvelist": ["CVE-2016-8655"], "lastseen": "2016-12-06T17:23:12"}], "ubuntu": [{"id": "USN-3151-2", "type": "ubuntu", "title": "Linux kernel (Xenial HWE) vulnerability", "description": "USN-3151-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nPhilip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.", "published": "2016-12-05T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3151-2/", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-03-29T18:19:38"}, {"id": "USN-3151-4", "type": "ubuntu", "title": "Linux kernel (Raspberry Pi 2) vulnerability", "description": "Philip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.", "published": "2016-12-05T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3151-4/", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-03-29T18:18:37"}, {"id": "USN-3152-1", "type": "ubuntu", "title": "Linux kernel vulnerability", "description": "Philip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.", "published": "2016-12-05T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3152-1/", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-03-29T18:20:37"}, {"id": "USN-3150-1", "type": "ubuntu", "title": "Linux kernel vulnerability", "description": "Philip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.", "published": "2016-12-05T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3150-1/", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-03-29T18:19:46"}, {"id": "USN-3149-1", "type": "ubuntu", "title": "Linux kernel vulnerability", "description": "Philip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.", "published": "2016-12-05T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3149-1/", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-03-29T18:18:55"}, {"id": "USN-3151-3", "type": "ubuntu", "title": "Linux kernel (Qualcomm Snapdragon) vulnerability", "description": "Philip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.", "published": "2016-12-05T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3151-3/", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-03-29T18:17:16"}, {"id": "USN-3149-2", "type": "ubuntu", "title": "Linux kernel (Trusty HWE) vulnerability", "description": "USN-3149-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS.\n\nPhilip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.", "published": "2016-12-05T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3149-2/", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-03-29T18:21:33"}, {"id": "USN-3151-1", "type": "ubuntu", "title": "Linux kernel vulnerability", "description": "Philip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.", "published": "2016-12-05T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3151-1/", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-03-29T18:20:59"}, {"id": "USN-3150-2", "type": "ubuntu", "title": "Linux kernel (OMAP4) vulnerability", "description": "Philip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3150-2/", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-03-29T18:17:50"}, {"id": "USN-3152-2", "type": "ubuntu", "title": "Linux kernel (Raspberry Pi 2) vulnerability", "description": "Philip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3152-2/", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-03-29T18:18:49"}], "threatpost": [{"id": "OLD-LINUX-KERNEL-CODE-EXECUTION-BUG-PATCHED/122336", "type": "threatpost", "title": "Old Linux Kernel Code Execution Bug Patched", "description": "A critical, local code-execution vulnerability in the Linux kernel was patched more than a week ago, continuing a run of serious security issues in the operating system, most of which have been hiding in the code for years.\n\nDetails on the vulnerability were published Tuesday by researcher Philip Pettersson, who said the vulnerable code was introduced in August 2011. A patch was pushed to the mainline Linux kernel Dec. 2, four days after it was privately disclosed. Pettersson has developed a proof-of-concept exploit specifically for Ubuntu distributions, but told Threatpost his attack could be ported to other distros with some changes.\n\n### Related Posts\n\n#### [Buffer Overflow in BSD libc Library Patched](<https://threatpost.com/buffer-overflow-in-bsd-libc-library-patched/122305/> \"Permalink to Buffer Overflow in BSD libc Library Patched\" )\n\nDecember 7, 2016 , 2:55 pm\n\n#### [Critical Vulnerability Patched in Roundcube Webmail](<https://threatpost.com/critical-vulnerability-patched-in-roundcube-webmail/122297/> \"Permalink to Critical Vulnerability Patched in Roundcube Webmail\" )\n\nDecember 7, 2016 , 10:00 am\n\n#### [Dirty Cow Vulnerability Patched in Android Security Bulletin](<https://threatpost.com/dirty-cow-vulnerability-patched-in-android-security-bulletin/122266/> \"Permalink to Dirty Cow Vulnerability Patched in Android Security Bulletin\" )\n\nDecember 5, 2016 , 3:32 pm\n\nThe [vulnerability is a race condition](<http://seclists.org/oss-sec/2016/q4/607>) that was discovered in the af_packet implementation in the Linux kernel, and Pettersson said that a local attacker could exploit the bug to gain kernel code execution from unprivileged processes. He said the bug cannot be exploited remotely.\n\nPettersson\u2019s attack [opens a rootshell on Ubuntu 16.04](<http://seclists.org/oss-sec/2016/q4/621>); the exploit bypasses Supervisor Mode Execution Prevention (SMEP) and Supervisor Mode Access Prevention (SMAP) protections at the kernel level. Both are features of Intel chips and hamper code execution in the kernel from user mode. Pettersson said the bypass happens because his attack does not use any userland memory in the exploitation process.\n\nPettersson provided a technical description of CVE-2016-8655 in an advisory published this week on the oss-sec mailing list:\n\n> \u201cTo create AF_PACKET sockets you need CAP_NET_RAW in your network namespace, which can be acquired by unprivileged processes on systems where unprivileged namespaces are enabled (Ubuntu, Fedora, etc). It can be triggered from within containers to compromise the host kernel. On Android, processes with gid=3004/AID_NET_RAW are able to create AF_PACKET sockets (mediaserver) and can trigger the bug.\u201d\n\n\u201cBasically it\u2019s a bait-and-switch, the bug allows you to trick the kernel into thinking it is working with one kind of object, while you actually switched it to another kind of object before it could react,\u201d Pettersson told Threatpost.\n\nThe vulnerability not only enables local code execution, but can also allow an attacker to crash a server.\n\n\u201cDepends a bit on the scenario, but the most common attack scenarios for local privilege escalations on servers are: 1) A web server gets compromised through a buggy webapp (usually PHP), the attacker gets low-privilege access and escalates his privilege to root using an exploit like this. 2) An attacker steals someone\u2019s login credentials for a server with many users, such as shared hosting server or a big university server,\u201d Pettersson said. \u201cThe attacker then escalates to root and gets access to everyone\u2019s accounts and can pivot further into the network.\u201d\n\nPettersson\u2019s bug is latest critical Linux issue to be addressed in the past few months. In mid-November, a vulnerability in the [cryptsetup utility](<https://threatpost.com/cryptsetup-vulnerability-grants-root-shell-access-on-some-linux-systems/121963/>) used to set up encrypted filesystems on different Linux distributions was found and patched. The cryptsetup vulnerability paved the way for hackers to retrieve a root rescue shell and gain access to data on the hard drive and either modify it or move it off the machine.\n\nWeeks prior, the [Dirty Cow vulnerability](<https://threatpost.com/serious-dirty-cow-linux-vulnerability-under-attack/121448/>) surfaced, a nine-year-old vulnerability in the Linux copy-on-write feature that also enabled root privileges for a local attacker. The kernel was patched Oct. 19 and in major distributions shortly thereafter. Google, however, got around to pushing a fix to handset makers in November and pushed a [patch this week](<https://threatpost.com/dirty-cow-vulnerability-patched-in-android-security-bulletin/122266/>) to its Nexus and Pixel handsets and to the Android Open Source Project.\n\nIn early October, a [systemd vulnerability](<https://threatpost.com/hack-crashes-linux-distros-with-48-characters-of-code/121052/>) was disclosed; it allowed attackers with local access to crash Linux distributions with just 48 characters of code. That flaw, researcher Andrew Ayer said, was introduced two years ago into systemd 209.", "published": "2016-12-08T09:15:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://threatpost.com/old-linux-kernel-code-execution-bug-patched/122336/", "cvelist": ["CVE-2016-8655"], "lastseen": "2016-12-08T16:56:56"}], "nessus": [{"id": "UBUNTU_USN-3152-1.NASL", "type": "nessus", "title": "Ubuntu 16.10 : linux vulnerability (USN-3152-1)", "description": "Philip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=95573", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-05-24T03:13:15"}, {"id": "UBUNTU_USN-3151-2.NASL", "type": "nessus", "title": "Ubuntu 14.04 LTS : linux-lts-xenial vulnerability (USN-3151-2)", "description": "USN-3151-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nPhilip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=95570", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-05-24T02:45:58"}, {"id": "SLACKWARE_SSA_2016-347-01.NASL", "type": "nessus", "title": "Slackware 14.2 / current : kernel (SSA:2016-347-01)", "description": "New kernel packages are available for Slackware 14.2 and -current to fix a security issue.", "published": "2016-12-13T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=95723", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-05-24T02:47:35"}, {"id": "UBUNTU_USN-3151-1.NASL", "type": "nessus", "title": "Ubuntu 16.04 LTS : linux vulnerability (USN-3151-1)", "description": "Philip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=95569", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-05-24T02:27:41"}, {"id": "UBUNTU_USN-3151-3.NASL", "type": "nessus", "title": "Ubuntu 16.04 LTS : linux-snapdragon vulnerability (USN-3151-3)", "description": "Philip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=95571", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-05-24T02:38:21"}, {"id": "UBUNTU_USN-3149-1.NASL", "type": "nessus", "title": "Ubuntu 14.04 LTS : linux vulnerability (USN-3149-1)", "description": "Philip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=95566", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-05-24T03:10:44"}, {"id": "UBUNTU_USN-3150-1.NASL", "type": "nessus", "title": "Ubuntu 12.04 LTS : linux vulnerability (USN-3150-1)", "description": "Philip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=95568", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-05-24T02:36:01"}, {"id": "UBUNTU_USN-3152-2.NASL", "type": "nessus", "title": "Ubuntu 16.10 : linux-raspi2 vulnerabilities (USN-3152-2)", "description": "Philip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=95574", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-05-24T02:59:45"}, {"id": "REDHAT-RHSA-2017-0402.NASL", "type": "nessus", "title": "RHEL 6 : kernel-rt (RHSA-2017:0402)", "description": "An update for kernel-rt is now available for Red Hat Enterprise MRG 2.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es) :\n\n* A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2016-8655, Important)\n\nRed Hat would like to thank Philip Pettersson for reporting this issue.\n\nEnhancement(s) :\n\n* Previously, the Broadcom bnx2x driver in the MRG kernel-rt used an incorrect PTP Hardware Clock (PHC) timer divisor value, which broke Precision Time Protocol (PTP) timestamping due to an unstable clock.\nThis update corrects the divisor value, and the PTP timestamping is now accurate, with monotonically increasing timestamp values.\n(BZ#1411139)", "published": "2017-03-03T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=97513", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-05-24T03:15:08"}, {"id": "UBUNTU_USN-3149-2.NASL", "type": "nessus", "title": "Ubuntu 12.04 LTS : linux-lts-trusty vulnerability (USN-3149-2)", "description": "USN-3149-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS.\n\nPhilip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=95567", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-05-24T02:52:26"}], "openvas": [{"id": "OPENVAS:1361412562310842984", "type": "openvas", "title": "Ubuntu Update for linux-raspi2 USN-3152-2", "description": "Check the version of linux-raspi2", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842984", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-04-30T14:08:41"}, {"id": "OPENVAS:1361412562310842983", "type": "openvas", "title": "Ubuntu Update for linux-lts-trusty USN-3149-2", "description": "Check the version of linux-lts-trusty", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842983", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-04-30T14:08:31"}, {"id": "OPENVAS:1361412562310842981", "type": "openvas", "title": "Ubuntu Update for linux USN-3151-1", "description": "Check the version of linux", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842981", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-04-30T14:10:47"}, {"id": "OPENVAS:1361412562310842988", "type": "openvas", "title": "Ubuntu Update for linux-ti-omap4 USN-3150-2", "description": "Check the version of linux-ti-omap4", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842988", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-04-30T14:11:26"}, {"id": "OPENVAS:1361412562310842987", "type": "openvas", "title": "Ubuntu Update for linux-raspi2 USN-3151-4", "description": "Check the version of linux-raspi2", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842987", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-04-30T14:07:48"}, {"id": "OPENVAS:1361412562310842982", "type": "openvas", "title": "Ubuntu Update for linux-lts-xenial USN-3151-2", "description": "Check the version of linux-lts-xenial", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842982", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-04-30T14:11:39"}, {"id": "OPENVAS:1361412562310842985", "type": "openvas", "title": "Ubuntu Update for linux USN-3150-1", "description": "Check the version of linux", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842985", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-04-30T14:11:46"}, {"id": "OPENVAS:1361412562310842979", "type": "openvas", "title": "Ubuntu Update for linux USN-3152-1", "description": "Check the version of linux", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842979", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-04-30T14:08:25"}, {"id": "OPENVAS:1361412562310842980", "type": "openvas", "title": "Ubuntu Update for linux USN-3149-1", "description": "Check the version of linux", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842980", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-04-30T14:10:34"}, {"id": "OPENVAS:1361412562310842986", "type": "openvas", "title": "Ubuntu Update for linux-snapdragon USN-3151-3", "description": "Check the version of linux-snapdragon", "published": "2016-12-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842986", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-04-30T14:11:43"}], "zdt": [{"id": "1337DAY-ID-30429", "type": "zdt", "title": "Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation Exploit", "description": "This Metasploit module exploits a race condition and use-after-free in the packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel to execute code as root (CVE-2016-8655). The bug was initially introduced in 2011 and patched in 2016 in version 4.4.0-53.74, potentially affecting a large number of kernels; however this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels 4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as Linux Mint. The target system must have unprivileged user namespaces enabled and two or more CPU cores. Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation may crash the kernel. This Metasploit module has been tested successfully on Linux Mint 17.3 (x86_64); Linux Mint 18 (x86_64); and Ubuntu 16.04.2 (x86_64) with kernel versions 4.4.0-45-generic and 4.4.0-51-generic.", "published": "2018-05-23T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://0day.today/exploit/description/30429", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-05-23T02:47:16"}, {"id": "1337DAY-ID-26493", "type": "zdt", "title": "Linux Kernel 4.4.0 AF_PACKET Race Condition / Privilege Escalation Exploit", "description": "Linux AF_PACKET race condition exploit for Ubuntu 16.04 x86_64.", "published": "2016-12-07T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://0day.today/exploit/description/26493", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-04-09T16:54:48"}], "exploitdb": [{"id": "EDB-ID:44696", "type": "exploitdb", "title": "Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation (Metasploit)", "description": "Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation (Metasploit). CVE-2016-8655. Local exploit for Linux platform. Tags: Metasploit Frame...", "published": "2018-05-22T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/44696/", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-05-24T14:24:04"}], "slackware": [{"id": "SSA-2016-347-01", "type": "slackware", "title": "kernel", "description": "New kernel packages are available for Slackware 14.2 and -current to\nfix a security issue.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/linux-4.4.38/*: Upgraded.\n This kernel fixes a security issue with a race condition in\n net/packet/af_packet.c that can be exploited to gain kernel code execution\n from unprivileged processes.\n Thanks to Philip Pettersson for discovering the bug and providing a patch.\n Be sure to upgrade your initrd after upgrading the kernel packages.\n If you use lilo to boot your machine, be sure lilo.conf points to the correct\n kernel and initrd and run lilo as root to update the bootloader.\n If you use elilo to boot your machine, you should run eliloconfig to copy the\n kernel and initrd to the EFI System Partition.\n For more information, see:\n https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the &quot;Get Slack&quot; section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated packages for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-firmware-20161211git-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-generic-4.4.38-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-generic-smp-4.4.38_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-headers-4.4.38_smp-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-huge-4.4.38-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-huge-smp-4.4.38_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-modules-4.4.38-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-modules-smp-4.4.38_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-source-4.4.38_smp-noarch-1.txz\n\nUpdated packages for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.38/kernel-firmware-20161211git-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.38/kernel-generic-4.4.38-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.38/kernel-headers-4.4.38-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.38/kernel-huge-4.4.38-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.38/kernel-modules-4.4.38-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.38/kernel-source-4.4.38-noarch-1.txz\n\nUpdated packages for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-firmware-20161211git-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-generic-4.4.38-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-generic-smp-4.4.38_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-huge-4.4.38-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-huge-smp-4.4.38_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-modules-4.4.38-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-modules-smp-4.4.38_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/kernel-headers-4.4.38_smp-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/k/kernel-source-4.4.38_smp-noarch-1.txz\n\nUpdated packages for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-firmware-20161211git-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-generic-4.4.38-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-huge-4.4.38-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-modules-4.4.38-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/d/kernel-headers-4.4.38-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/k/kernel-source-4.4.38-noarch-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.2 packages:\n6546123d58d7747700d53b50254cd9ee kernel-firmware-20161211git-noarch-1.txz\n6d4ac49bddfe538504d34714e0bc1848 kernel-generic-4.4.38-i586-1.txz\nce4aa55e8c940c300df1ca47215a5df9 kernel-generic-smp-4.4.38_smp-i686-1.txz\nfdc3b1093f566c12733cf0fbdf50e897 kernel-headers-4.4.38_smp-x86-1.txz\n9f6f48199f75edd4d2bcfcbb734cc85f kernel-huge-4.4.38-i586-1.txz\n5ee68030a4e931150311d5a655d76597 kernel-huge-smp-4.4.38_smp-i686-1.txz\n0c21ed8ae016e9b35324269527ce65e3 kernel-modules-4.4.38-i586-1.txz\ne0317d4704c6f3739e255779aca0d71d kernel-modules-smp-4.4.38_smp-i686-1.txz\n3b819ecc1fbaeea79d91dab22d7cde30 kernel-source-4.4.38_smp-noarch-1.txz\n\nSlackware x86_64 14.2 packages:\n6546123d58d7747700d53b50254cd9ee kernel-firmware-20161211git-noarch-1.txz\n9e1f355c9f65488a44becf21f1b931c4 kernel-generic-4.4.38-x86_64-1.txz\n519a1736b1801a1436aacb60dc708e5e kernel-headers-4.4.38-x86-1.txz\n7a4652cae6fc2e705d023185b4a45b9e kernel-huge-4.4.38-x86_64-1.txz\n0b70933f764e704a431da0b19d6f37e8 kernel-modules-4.4.38-x86_64-1.txz\ndc5807d1a834de180c8b2348b9152b7f kernel-source-4.4.38-noarch-1.txz\n\nSlackware -current packages:\n6546123d58d7747700d53b50254cd9ee a/kernel-firmware-20161211git-noarch-1.txz\nbae8845ea023f5c1e851c1f503d59fa6 a/kernel-generic-4.4.38-i586-1.txz\n89d57e431a53d1f64a3dca8bb394411d a/kernel-generic-smp-4.4.38_smp-i686-1.txz\n157fe721649169ee32a845c57f09b243 a/kernel-huge-4.4.38-i586-1.txz\na5865a56c564375a53fa1a67b0d18655 a/kernel-huge-smp-4.4.38_smp-i686-1.txz\n78985fd9803ad187e3313a77a5d5f2ca a/kernel-modules-4.4.38-i586-1.txz\n7f684811388dfd1fc0f07437ad0136b7 a/kernel-modules-smp-4.4.38_smp-i686-1.txz\nf927f4c156198939f4157b03a2c646eb d/kernel-headers-4.4.38_smp-x86-1.txz\n1722ca0eb556fe87fad6ea020df8b32c k/kernel-source-4.4.38_smp-noarch-1.txz\n\nSlackware x86_64 -current packages:\n6546123d58d7747700d53b50254cd9ee a/kernel-firmware-20161211git-noarch-1.txz\n544940654f066dc357f3461cd01c3e50 a/kernel-generic-4.4.38-x86_64-1.txz\n7a5e5636fa10d12757c965a45df62f48 a/kernel-huge-4.4.38-x86_64-1.txz\nb17dcbbd71e810883a51017102be2bbe a/kernel-modules-4.4.38-x86_64-1.txz\n6a99f704b0a41ad060d84d94bc45d6b1 d/kernel-headers-4.4.38-x86-1.txz\n6143c34a575b42851eeae8f889a98a06 k/kernel-source-4.4.38-noarch-1.txz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg kernel-*.txz\n\nIf you are using an initrd, you'll need to rebuild it.\n\nFor a 32-bit SMP machine, use this command (substitute the appropriate\nkernel version if you are not running Slackware 14.2):\n > /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 4.4.38-smp | bash\n\nFor a 64-bit machine, or a 32-bit uniprocessor machine, use this command\n(substitute the appropriate kernel version if you are not running\nSlackware 14.2):\n > /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 4.4.38 | bash\n\nPlease note that &quot;uniprocessor&quot; has to do with the kernel you are running,\nnot with the CPU. Most systems should run the SMP kernel (if they can)\nregardless of the number of cores the CPU has. If you aren't sure which\nkernel you are running, run &quot;uname -a&quot;. If you see SMP there, you are\nrunning the SMP kernel and should use the 4.4.38-smp version when running\nmkinitrd_command_generator. Note that this is only for 32-bit -- 64-bit\nsystems should always use 4.4.38 as the version.\n\nIf you are using lilo or elilo to boot the machine, you'll need to ensure\nthat the machine is properly prepared before rebooting.\n\nIf using LILO:\nBy default, lilo.conf contains an image= line that references a symlink\nthat always points to the correct kernel. No editing should be required\nunless your machine uses a custom lilo.conf. If that is the case, be sure\nthat the image= line references the correct kernel file. Either way,\nyou'll need to run &quot;lilo&quot; as root to reinstall the boot loader.\n\nIf using elilo:\nEnsure that the /boot/vmlinuz symlink is pointing to the kernel you wish\nto use, and then run eliloconfig to update the EFI System Partition.", "published": "2016-12-12T15:10:22", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.931787", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-02-02T18:11:33"}], "packetstorm": [{"id": "PACKETSTORM:147727", "type": "packetstorm", "title": "AF_PACKET chocobo_root Privilege Escalation", "description": "", "published": "2018-05-22T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/147727/AF_PACKET-chocobo_root-Privilege-Escalation.html", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-05-22T17:24:44"}], "thn": [{"id": "THN:04F5FC12455795F06BC21F5C803FA77E", "type": "thn", "title": "5-Year-Old Linux Kernel Local Privilege Escalation Flaw Discovered", "description": "[](<https://3.bp.blogspot.com/-SSKEkSYFPlI/WEg1PB5oNjI/AAAAAAAAqe0/GArieXp2QPgbMiiIN0hTVEp7YmTypEnGQCLcB/s1600/linux-kernel-local-root-exploit.png>)\n\nA 5-year-old serious privilege-escalation vulnerability has been discovered in Linux kernel that affects almost every distro of the Linux operating system, including Redhat, and Ubuntu. \n \nOver a month back, a nine-year-old privilege-escalation vulnerability, dubbed \"[Dirty COW](<https://thehackernews.com/2016/10/linux-kernel-exploit.html>),\" was discovered in the Linux kernel that affected every distro of the open-source operating system, including Red Hat, Debian, and Ubuntu. \n \nNow, another Linux kernel vulnerability ([CVE-2016-8655](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655>)) that dates back to 2011 [disclosed](<http://seclists.org/oss-sec/2016/q4/607>) today could allow an unprivileged local user to gain root privileges by exploiting a race condition in the af_packet implementation in the Linux kernel. \n \nPhilip Pettersson, the researcher who discovered the flaw, was able to create an [exploit to gain a root shell](<https://www.exploit-db.com/exploits/40871/>) on an Ubuntu 16.04 LTS system (Linux Kernel 4.4) and also defeated SMEP/SMAP (Supervisor Mode Execution Prevention/Supervisor Mode Access Prevention) protection to gain kernel code execution abilities. \n \nIn other words, a local unprivileged attacker can use this exploit to cause a denial of service (crashing server) or run arbitrary malicious code with administrative privileges on the targeted system. \n\n\n> \"_A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer_,\" Red Hat [security advisory](<https://access.redhat.com/security/cve/cve-2016-8655>) explains. \n\n> \"_A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system._\"\n\nThis threat creates a potential danger for service providers to have their servers crashed or hacked through this Linux kernel vulnerability. \n \n_\"On Android, processes with gid=3004/AID_NET_RAW are able to create AF_PACKET sockets (mediaserver) and can trigger the bug,\" _Pettersson explains. \n \nThe vulnerability was patched in the mainline kernel last week, so users are advised to update their Linux distro as soon as possible.\n", "published": "2016-12-07T04:41:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://thehackernews.com/2016/12/linux-kernel-local-root-exploit.html", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-01-27T09:17:58"}, {"id": "THN:11E7CC33794D9968747131F3F0AE8716", "type": "thn", "title": "11-Year Old Linux Kernel Local Privilege Escalation Flaw Discovered", "description": "[](<https://3.bp.blogspot.com/-MlWxlllb_uQ/WK3ToXZjodI/AAAAAAAArdY/TIkjV9A0VUc-XH40OE8oYELAR8hxzvgLwCLcB/s1600/linux-kernel-local-root-exploit.png>)\n\nAnother privilege-escalation vulnerability has been discovered in Linux kernel that dates back to 2005 and affects major distro of the Linux operating system, including Redhat, Debian, OpenSUSE, and Ubuntu.\n\n \nOver a decade old Linux Kernel bug ([CVE-2017-6074](<https://www.suse.com/support/kb/doc?id=7018645>)) has been discovered by security researcher Andrey Konovalov in the DCCP (Datagram Congestion Control Protocol) implementation using [Syzkaller](<https://github.com/google/syzkaller>), a kernel fuzzing tool released by Google. \n \nThe vulnerability is a use-after-free flaw in the way the Linux kernel's \"DCCP protocol implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket.\" \n \nThe DCCP double-free vulnerability could allow a local unprivileged user to alter the Linux kernel memory, enabling them to cause a denial of service (_system crash_) or escalate privileges to gain administrative access on a system. \n\n\n> \"An attacker can control what object that would be and overwrite its content with arbitrary data by using some of the kernel heap spraying techniques. If the overwritten object has any triggerable function pointers, an attacker gets to execute arbitrary code within the kernel,\" full disclosure [mailing list](<http://seclists.org/oss-sec/2017/q1/471>) about the vulnerability reads.\n\nDCCP is a message-oriented transport layer protocol that minimizes the overhead of packet header size or end-node processing as much as possible and provides the establishment, maintenance and teardown of an unreliable packet flow, and the congestion control of that packet flow. \n \nThis vulnerability does not provide any way for an outsider to break into your system in the first place, as it is not a remote code execution (RCE) flaw and require an attacker to have a local account access on the system to exploit the flaw. \n \nAlmost two months ago, a similar [privilege-escalation vulnerability](<https://thehackernews.com/2016/12/linux-kernel-local-root-exploit.html>) (CVE-2016-8655) was uncovered in Linux kernel that dated back to 2011 and allowed an unprivileged local user to gain root privileges by exploiting a race condition in the af_packet implementation in the Linux kernel. \n \nThe vulnerability has already been patched in the [mainline kernel](<https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4>). So, if you are an advanced Linux user, apply the patch and rebuild kernel yourself. \n \nOR, you can wait for the next kernel update from your distro provider and apply it as soon as possible.\n", "published": "2017-02-22T07:08:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://thehackernews.com/2017/02/linux-kernel-local-root.html", "cvelist": ["CVE-2016-8655", "CVE-2017-6074"], "lastseen": "2018-01-27T09:17:24"}], "metasploit": [{"id": "MSF:EXPLOIT/LINUX/LOCAL/AF_PACKET_CHOCOBO_ROOT_PRIV_ESC", "type": "metasploit", "title": "AF_PACKET chocobo_root Privilege Escalation", "description": "This module exploits a race condition and use-after-free in the packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel to execute code as root (CVE-2016-8655). The bug was initially introduced in 2011 and patched in 2016 in version 4.4.0-53.74, potentially affecting a large number of kernels; however this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels 4.4.0 &lt; 4.4.0-53, including Linux distros based on Ubuntu, such as Linux Mint. The target system must have unprivileged user namespaces enabled and two or more CPU cores. Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on Linux Mint 17.3 (x86_64); Linux Mint 18 (x86_64); and Ubuntu 16.04.2 (x86_64) with kernel versions 4.4.0-45-generic and 4.4.0-51-generic.", "published": "2018-05-07T07:11:07", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-05-22T07:22:02"}], "myhack58": [{"id": "MYHACK58:62201682103", "type": "myhack58", "title": "UCloud-201612-002: Linux kernel through kill to mention the right vulnerability Security Alert-vulnerability warning-the black bar safety net", "description": "Dear UCloud users:\n\nThe Linux kernel is proof of the presence of conditions of competition of high-risk vulnerabilities, exploit the vulnerability from low rights processes executing kernel code, harm the serious. Please check you are using the kernel is in the affected range, and timely upgrades.\n\n**Scope of impact**\n\ncentos 5 and 6 are not affected\ncentos 7 default is not affected by the impact of open namespaces after the affected\uff09 \nubuntu 12.04 14.04 affected\nDebian 7, and 8 affected\n\n**Solution**\n\nPlease make a backup of the work, in order to avoid a kernel repair after an accident situation\n1. A self-compiled fix, access repair code, download address: \nhttp://t.cn/RI7nIH3 \n2. Through the package Manager to download the update, after the update you need to restart to take effect: \n1\uff09centos7 upgrade methods: \nOfficial not yet released a Fix Pack\n2\uff09ubuntu: the \nsudo apt-get update \nsudo apt-get install linux-image-generic \nsudo reboot \nuname-a view system version for the following, the description of the upgrade success: \nubuntu 14.04 : 3.13.0-105.152 \nubuntu 12.04 : 3.2.0-118.161 \n3\uff09Debian: the \nThe official website is not yet published update package\n\n**Vulnerability details**\n\nCVE-2016-8655: Linux (net/packet/af_packet. c)the presence of conditions of competition vulnerability that can allow low-privileged process to obtain the kernel code to execute permission. Vulnerability as early as 2011(v3. 2-rc1)version are found in 2016 11 on v4. 9-rc8 version is fixed. \nPOC: the https://www.exploit-db.com/exploits/40871/\n", "published": "2016-12-15T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.myhack58.com/Article/html/3/62/2016/82103.htm", "cvelist": ["CVE-2016-8655"], "lastseen": "2016-12-15T15:16:23"}, {"id": "MYHACK58:62201783692", "type": "myhack58", "title": "Lurking in 11 years of Linux kernel to mention the right vulnerability-exposure-vulnerability warning-the black bar safety net", "description": "Vulnerability number\nCVE-2017-6074 \nVulnerability overview\nThe Linux kernel recently also exposed a privilege escalation vulnerability that can be traced back to 2005, the vulnerabilities affect the Linux operating system major releases, including Redhat, Debian, OpenSUSE and Ubuntu. Using this vulnerability, an attacker can be from a low-rights process for kernel code execution. Currently known affected the old version is 2. 6. 18, 2006 9 months, but the vulnerability could in the previous version already exists, perhaps from the support DCCP begin in 2005 10 on the 2. 6. 14 it has been a problem. \nIn a Seclists. org the release of the vulnerability the author Andrey Konovalov said, will soon release a PoC, this is given during the repair time. \nSecurity researcher Andrey Konovalov recently with Syzkaller fuzzing tools, to discover the DCCP Protocol in the Linux kernel vulnerabilities, exploits the latent time for more than 10 years. \nDCCP Protocol \nDCCP Protocol is a message-oriented Transport Layer Protocol that can minimize packet header overhead and the terminal processing of the engineering amount. The Agreement may be the establishment, maintenance and removal of the unreliable connection of the data stream and unreliable stream congestion control. \nThe DCCP Double-free vulnerability allows local low privileged user to modify the Linux kernel memory, cause a denial of service system crash, or elevated, access the system management access permission. \nVulnerability details\nThis is a UAF vulnerability: in the IPV6_RECVPKTINFO open the case, the kernel parses the DCCP Protocol in the process the judge has received a DCCP_PKT_REQUEST the return package, it will release the parsing process using the SKB address. \u201cThe DCCP protocol implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket.\u201d\uff09 \nAccording to the current implementation, the parsing DCCP Protocol process if dccp_v6_conn_request have a return value, it will by dccp_rcv_state_process in__kfree_skb freed the parsing process, the received DCCP_PKT_REQUEST return packet, the SKB address. However, if the IPV6_RECVPKTINFO open the case compile the kernel, the skb address will be stored in the ireq-&gt;pktopts, and dccp_v6_conn_request the reference count will increase, so the skb it will still be used. Until dccp_rcv_state_process process will be released. \nThe attacker uses some kernel heap spray technique will be able to control any object and use any of the data rewriting its contents. If you override the object contains any can trigger the function pointer, the attacker can be in the kernel to execute arbitrary code. \nThis vulnerability is not a remote code execution vulnerability, so an attacker must have the system local account to exploit the vulnerability. \nTwo months ago, the Linux kernel also exposed a similar to mention the right Vulnerability, CVE-2016-8655, the vulnerability can be traced back to 2011, the low-privileged local user using the Linux kernel af_packet implementation of the race condition, can get root access\n\nSolution\nThe manual repair: call consume_skb, rather than jump discard and call__kfree_skb\u3002 \n! [](/Article/UploadPic/2017-2/201722319322422. png? www. myhack58. com) \n\nA more detailed solution please click here. If you are an advanced Linux user, then you can apply the patch, rebuild the kernel, or wait for the Publisher to publish the update. \n\n", "published": "2017-02-23T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.myhack58.com/Article/html/3/62/2017/83692.htm", "cvelist": ["CVE-2016-8655", "CVE-2017-6074"], "lastseen": "2017-02-24T09:00:32"}, {"id": "MYHACK58:62201682270", "type": "myhack58", "title": "CVE-2016-8655 kernel race condition vulnerability the Debug analysis-vulnerability warning-the black bar safety net", "description": "12 5 March, hilipPettersson published a piece that already exists Linux kernel up to 5 years of local mention the right vulnerability, affecting virtually all Linux mainstream distributions, a time limelight without the two, no less than some time ago of\u201cDirty Cow\u201din. For this black magic vulnerability, and only went into the source code will not be limited, it is derived from the curious, so started the whole vulnerability of the debugging and analysis. \nVulnerability debugging is tedious, it is recommended that everyone in the debugging process, keep calm, the stroke clear step, and gradually expand. \nThank cyg07 the urging and guidance! \nVulnerability technical analysis\n1, the vulnerability described in\nVulnerability author: hilipPettersson\uff08philip.pettersson@gmail.com\uff09 \nVulnerability to hazards: a low-rights user rights to root \nImpact range: Linuxkernel version \nSolution: the Linuxkernel upgrade to the latest version&gt;=4.8.13\uff09 \nOfficial patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0cLinuxkernel(net/packet/af_packet. c)code in the presence of conditions of competition, may be caused by a low-rights user rights to root. Exploit to create raw sockets, you need to have CAP_NET_RAW capability. However, in some particular Linux distribution version of Ubuntu, Fedora, allows unprivileged users to create the network namespace have the ability, can successfully use. \n2, the vulnerability causes\npacket_set_ring function in the Create covered the ring buffer, if the packet version is TPACKET_V3, it will initialize a struct timer_list, as shown below. packet_set_ring function returns before the other thread can invoke the setsockopt function is the packet version is set to TPACKET_V1 it. The previous initialization of the timer is not in the kernel queue is canceled, the timer expires when the trigger struct timer_list in the callback function executes, the formation of UAF vulnerabilities. \nswitch(po-&gt;tp_version){ \ncase TPACKET_V3: \n/* Transmit path isnot supported. We checked \n* it above but justbeing paranoid \n*/ \nif(! tx_ring) \ninit_prb_bdqc(po, rb, pg_vec, req_u); \nbreak; \ndefault: \nbreak; \n} \nWhen the socket is closed, packet_set_ring function will again be invoked, if the packet version is greater than TPACKET_V2, the kernel will be in the queue written off previously this timer, as shown below. \nif(closing &amp;&amp;(po-&gt;tp_version &gt; TPACKET_V2)){ \n/* Because we don't support block-based V3 on tx-ring */ \nif(! tx_ring) \nprb_shutdown_retire_blk_timer(po, rb_queue); \n} \nBut the packet version was changed to TPACKET_V1 after the original execution flow is changed, so that the prb_shutdown_retire_blk_timer()function is not executed, the timer structure is also not in the kernel queue to be written off, once the timer expires, the kernel will perform the appropriate processing function. the timer is of type struct timer_list, defined as follows: \nstruct timer_list { \n/* * All fields that change during normal runtimegrouped to the \n* same cacheline */ \nstruct hlist_node entry; \nunsignedlong expires; \nvoid (*function)(unsignedlong); \nunsignedlong data; \nu32 flags; \nint slack; \n#ifdefCONFIG_TIMER_STATS \nint start_pid; \nvoid *start_site; \nchar start_comm[16]; \n#endif \n#ifdefCONFIG_LOCKDEP \nstruct lockdep_maplockdep_map; \n#endif \n}; \n3, exploits\nExploits the essence of the is triggered by a race condition, so that the kernel does not log off the socket inside the timer, and then use the memory injection method override timer is not before the release of the kernel space, the timer inside the function replace into want to execute a function, once the timer time expires, the kernel will execute the timer expiration handler is actually replaced after the function, so as to achieve the exploit of the object. Trigger race code as follows: \nvoid*vers_switcher(void*arg) \n{ \nint val,x,y; \nwhile(barrier){} \nwhile(1){ \nval = TPACKET_V1; \nx = setsockopt(sfd, SOL_PACKET, PACKET_VERSION,&amp;val,sizeof(val)); \n\n\n**[1] [[2]](<82270_2.htm>) [[3]](<82270_3.htm>) [next](<82270_2.htm>)**\n", "published": "2016-12-20T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://www.myhack58.com/Article/html/3/62/2016/82270.htm", "cvelist": [], "lastseen": "2016-12-20T15:09:48"}], "redhat": [{"id": "RHSA-2017:0402", "type": "redhat", "title": "(RHSA-2017:0402) Important: kernel-rt security, bug fix, and enhancement update", "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2016-8655, Important)\n\nRed Hat would like to thank Philip Pettersson for reporting this issue.\n\nEnhancement(s):\n\n* Previously, the Broadcom bnx2x driver in the MRG kernel-rt used an incorrect PTP Hardware Clock (PHC) timer divisor value, which broke Precision Time Protocol (PTP) timestamping due to an unstable clock. This update corrects the divisor value, and the PTP timestamping is now accurate, with monotonically increasing timestamp values. (BZ#1411139)", "published": "2017-03-02T20:47:05", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2017:0402", "cvelist": ["CVE-2016-8655"], "lastseen": "2018-06-07T05:58:39"}, {"id": "RHSA-2017:0386", "type": "redhat", "title": "(RHSA-2017:0386) Important: kernel security, bug fix, and enhancement update", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to a null pointer dereference flaw. It could occur on x86 platform, when emulating an undefined instruction. An attacker could use this flaw to crash the host kernel resulting in DoS. (CVE-2016-8630, Important)\n\n* A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO. An attacker issuing an ioctl can create a situation where memory is corrupted and modify memory outside of the expected area. This may overwrite kernel memory and subvert kernel execution. (CVE-2016-9083, Important)\n\n* The use of a kzalloc with an integer multiplication allowed an integer overflow condition to be reached in vfio_pci_intrs.c. This combined with CVE-2016-9083 may allow an attacker to craft an attack and use unallocated memory, potentially crashing the machine. (CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting CVE-2016-8655.\n\nAdditional Changes:\n\nSpace precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/articles/2940041.", "published": "2017-03-02T20:22:31", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2017:0386", "cvelist": ["CVE-2016-8630", "CVE-2016-8655", "CVE-2016-9083", "CVE-2016-9084"], "lastseen": "2018-04-15T18:29:25"}, {"id": "RHSA-2017:0387", "type": "redhat", "title": "(RHSA-2017:0387) Important: kernel-rt security and bug fix update", "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to a null pointer dereference flaw. It could occur on x86 platform, when emulating an undefined instruction. An attacker could use this flaw to crash the host kernel resulting in DoS. (CVE-2016-8630, Important)\n\n* A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO. An attacker issuing an ioctl can create a situation where memory is corrupted and modify memory outside of the expected area. This may overwrite kernel memory and subvert kernel execution. (CVE-2016-9083, Important)\n\n* The use of a kzalloc with an integer multiplication allowed an integer overflow condition to be reached in vfio_pci_intrs.c. This combined with CVE-2016-9083 may allow an attacker to craft an attack and use unallocated memory, potentially crashing the machine. (CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting CVE-2016-8655.\n\nBug Fix(es):\n\n* Previously, the asynchronous page fault woke code references spinlocks, which were actually sleeping locks in the RT kernel. Because of this, when the code was executed from the exception context, a bug warning appeared on the console. With this update, the regular wait queue and spinlock code in this area has been modified to use simple-wait-queue and raw-spinlocks. This code change enables the asynchronous page fault code to run in a non-preemptable state without bug warnings. (BZ#1418035)", "published": "2017-03-02T20:22:34", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2017:0387", "cvelist": ["CVE-2016-8630", "CVE-2016-8655", "CVE-2016-9083", "CVE-2016-9084"], "lastseen": "2018-03-28T02:40:42"}], "suse": [{"id": "SUSE-SU-2016:3116-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 8 for SLE 12 SP1 (important)", "description": "This update for the Linux Kernel 3.12.62-60_64_8 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-8655: A race condition in the af_packet packet_set_ring\n function could be used by local attackers to crash the kernel or gain\n privileges (bsc#1012759).\n - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in\n the Linux kernel lacks chunk-length checking for the first chunk, which\n allowed remote attackers to cause a denial of service (out-of-bounds\n slab access) or possibly have unspecified other impact via crafted SCTP\n data (bsc#1012183).\n\n", "published": "2016-12-13T17:07:11", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00055.html", "cvelist": ["CVE-2016-8655", "CVE-2016-9555"], "lastseen": "2016-12-13T18:02:36"}, {"id": "SUSE-SU-2016:3183-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 7 for SLE 12 SP1 (important)", "description": "This update for the Linux Kernel 3.12.62-60_62 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-8655: A race condition in the af_packet packet_set_ring\n function could be used by local attackers to crash the kernel or gain\n privileges (bsc#1012759).\n - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in\n the Linux kernel lacks chunk-length checking for the first chunk, which\n allowed remote attackers to cause a denial of service (out-of-bounds\n slab access) or possibly have unspecified other impact via crafted SCTP\n data (bsc#1012183).\n\n", "published": "2016-12-16T19:08:30", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00070.html", "cvelist": ["CVE-2016-8655", "CVE-2016-9555"], "lastseen": "2016-12-16T22:05:29"}, {"id": "SUSE-SU-2016:3205-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 9 for SLE 12 SP1 (important)", "description": "This update for the Linux Kernel 3.12.67-60_64_18 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-8655: A race condition in the af_packet packet_set_ring\n function could be used by local attackers to crash the kernel or gain\n privileges (bsc#1012759).\n - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in\n the Linux kernel lacks chunk-length checking for the first chunk, which\n allowed remote attackers to cause a denial of service (out-of-bounds\n slab access) or possibly have unspecified other impact via crafted SCTP\n data (bsc#1012183).\n\n", "published": "2016-12-21T17:07:27", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00076.html", "cvelist": ["CVE-2016-8655", "CVE-2016-9555"], "lastseen": "2016-12-21T18:05:35"}, {"id": "SUSE-SU-2016:3113-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 14 for SLE 12 (important)", "description": "This update for the Linux Kernel 3.12.60-52_49 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-8655: A race condition in the af_packet packet_set_ring\n function could be used by local attackers to crash the kernel or gain\n privileges (bsc#1012759).\n - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in\n the Linux kernel lacks chunk-length checking for the first chunk, which\n allowed remote attackers to cause a denial of service (out-of-bounds\n slab access) or possibly have unspecified other impact via crafted SCTP\n data (bsc#1012183).\n\n", "published": "2016-12-13T16:10:12", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00054.html", "cvelist": ["CVE-2016-8655", "CVE-2016-9555"], "lastseen": "2016-12-13T18:02:36"}, {"id": "SUSE-SU-2016:3206-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 1 for SLE 12 SP2 (important)", "description": "This update for the Linux Kernel 4.4.21-81 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-8655: A race condition in the af_packet packet_set_ring\n function could be used by local attackers to crash the kernel or gain\n privileges (bsc#1012759).\n - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in\n the Linux kernel lacks chunk-length checking for the first chunk, which\n allowed remote attackers to cause a denial of service (out-of-bounds\n slab access) or possibly have unspecified other impact via crafted SCTP\n data (bsc#1012183).\n\n", "published": "2016-12-21T17:08:06", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00077.html", "cvelist": ["CVE-2016-8655", "CVE-2016-9555"], "lastseen": "2016-12-21T18:05:35"}, {"id": "SUSE-SU-2016:3096-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 6 for SLE 12 SP1 (important)", "description": "This update for the Linux Kernel 3.12.59-60_45 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-8655: A race condition in the af_packet packet_set_ring\n function could be used by local attackers to crash the kernel or gain\n privileges (bsc#1012759).\n - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in\n the Linux kernel lacks chunk-length checking for the first chunk, which\n allowed remote attackers to cause a denial of service (out-of-bounds\n slab access) or possibly have unspecified other impact via crafted SCTP\n data (bsc#1012183).\n\n", "published": "2016-12-12T19:09:44", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00044.html", "cvelist": ["CVE-2016-8655", "CVE-2016-9555"], "lastseen": "2016-12-12T22:02:33"}, {"id": "SUSE-SU-2016:3197-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 15 for SLE 12 (important)", "description": "This update for the Linux Kernel 3.12.60-52_54 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-8655: A race condition in the af_packet packet_set_ring\n function could be used by local attackers to crash the kernel or gain\n privileges (bsc#1012759).\n - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in\n the Linux kernel lacks chunk-length checking for the first chunk, which\n allowed remote attackers to cause a denial of service (out-of-bounds\n slab access) or possibly have unspecified other impact via crafted SCTP\n data (bsc#1012183).\n\n", "published": "2016-12-20T16:07:37", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00073.html", "cvelist": ["CVE-2016-8655", "CVE-2016-9555"], "lastseen": "2016-12-20T18:05:35"}, {"id": "SUSE-SU-2016:3169-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 0 for SLE 12 SP2 (important)", "description": "This update for the Linux Kernel 4.4.21-69 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-8655: A race condition in the af_packet packet_set_ring\n function could be used by local attackers to crash the kernel or gain\n privileges (bsc#1012759).\n - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in\n the Linux kernel lacks chunk-length checking for the first chunk, which\n allowed remote attackers to cause a denial of service (out-of-bounds\n slab access) or possibly have unspecified other impact via crafted SCTP\n data (bsc#1012183).\n - A stability issue in the btrfs module was fixed (bsc#1008284)\n\n", "published": "2016-12-16T03:06:54", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00067.html", "cvelist": ["CVE-2016-8655", "CVE-2016-9555"], "lastseen": "2016-12-16T06:05:37"}, {"id": "SUSE-SU-2016:3117-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 5 for SLE 12 SP1 (important)", "description": "This update for the Linux Kernel 3.12.59-60_41 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-8655: A race condition in the af_packet packet_set_ring\n function could be used by local attackers to crash the kernel or gain\n privileges (bsc#1012759).\n - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in\n the Linux kernel lacks chunk-length checking for the first chunk, which\n allowed remote attackers to cause a denial of service (out-of-bounds\n slab access) or possibly have unspecified other impact via crafted SCTP\n data (bsc#1012183).\n\n", "published": "2016-12-13T17:07:45", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00056.html", "cvelist": ["CVE-2016-8655", "CVE-2016-9555"], "lastseen": "2016-12-13T18:02:36"}, {"id": "SUSE-SU-2016:3247-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 16 for SLE 12 (important)", "description": "This update for the Linux Kernel 3.12.60-52_57 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-8655: A race condition in the af_packet packet_set_ring\n function could be used by local attackers to crash the kernel or gain\n privileges (bsc#1012759).\n - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in\n the Linux kernel lacks chunk-length checking for the first chunk, which\n allowed remote attackers to cause a denial of service (out-of-bounds\n slab access) or possibly have unspecified other impact via crafted SCTP\n data (bsc#1012183).\n\n", "published": "2016-12-22T18:08:35", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00087.html", "cvelist": ["CVE-2016-8655", "CVE-2016-9555"], "lastseen": "2016-12-22T18:04:54"}], "oraclelinux": [{"id": "ELSA-2017-0386", "type": "oraclelinux", "title": "kernel security, bug fix, and enhancement update", "description": "- [3.10.0-514.10.2.OL7]\n- Oracle Linux certificates (Alexey Petrenko)\n- Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(alexey.petrenko@oracle.com)\n- Update x509.genkey [bug 24817676]\n[3.10.0-514.10.2]\n- [net] dccp: fix freeing skb too early for IPV6_RECVPKTINFO (Hannes Frederic Sowa) [1423462 1423463]\n[3.10.0-514.10.1]\n- [block] blk-mq: Fix NULL pointer updating nr_requests (David Milburn) [1416133 1384066]\n- [scsi] cxlflash: Fix crash in cxlflash_restore_luntable() (Gustavo Duarte) [1415146 1400524]\n- [scsi] cxlflash: Improve context_reset() logic (Gustavo Duarte) [1415146 1400524]\n- [scsi] cxlflash: Avoid command room violation (Gustavo Duarte) [1415146 1400524]\n- [x86] Mark Kaby Lake with Kaby Lake PCH as supported (David Arcari) [1415094 1391219]\n- [scsi] be2iscsi: Add checks to validate completions (Maurizio Lombardi) [1414687 1324918]\n- [scsi] be2iscsi: Fix bad WRB index error (Maurizio Lombardi) [1414687 1324918]\n- [scsi] be2iscsi: Add lock to protect WRB alloc and free (Maurizio Lombardi) [1414687 1324918]\n- [mm] meminit: initialise more memory for inode/dentry hash tables in early boot (Yasuaki Ishimatsu) [1413623 1404584]\n- [s390] mem_detect: Revert 'add DAT sanity check' (Hendrik Brueckner) [1413600 1391540]\n- [cpufreq] intel_pstate: Fix code ordering in intel_pstate_set_policy() (Prarit Bhargava) [1411818 1398072]\n- [scsi] cxlflash: Improve EEH recovery time (Steve Best) [1402442 1397588]\n- [scsi] cxlflash: Fix to avoid EEH and host reset collisions (Steve Best) [1402442 1397588]\n- [scsi] cxlflash: Remove the device cleanly in the system shutdown path (Steve Best) [1402442 1397588]\n- [scsi] cxlflash: Scan host only after the port is ready for I/O (Steve Best) [1402442 1397588]\n- [x86] kvm: x86: Check memopp before dereference (Mateusz Guzik) [1395805 1395806] {CVE-2016-8630}\n- [vfio] pci: Fix integer overflows, bitmask check (Mateusz Guzik) [1394627 1394991 1394628 1394992] {CVE-2016-9083 CVE-2016-9084}\n- [acpi] acpi / scan: use platform bus type by default for _HID enumeration (Tony Camuso) [1393727 1383505]\n- [acpi] acpi / scan: introduce platform_id device PNP type flag (Tony Camuso) [1393727 1383505]\n- [char] ipmi: Convert the IPMI SI ACPI handling to a platform device (Tony Camuso) [1393727 1383505]\n- [acpi] acpi / ipmi: Cleanup coding styles (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Cleanup some inclusion codes (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Cleanup some initialization codes (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Cleanup several acpi_ipmi_device members (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Add reference counting for ACPI IPMI transfers (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Use global IPMI operation region handler (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Fix race caused by the unprotected ACPI IPMI user (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Fix race caused by the timed out ACPI IPMI transfers (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Fix race caused by the unprotected ACPI IPMI transfers (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Fix potential response buffer overflow (David Arcari) [1393725 1373703]\n[3.10.0-514.9.1]\n- [drm] i915/kbl: Remove preliminary_hw_support protection from KBL. (Rob Clark) [1413092 1305702]\n- [netdrv] slip: Fix deadlock in write_wakeup (Steve Best) [1412225 1403497]\n- [netdrv] slip: fix spinlock variant (Steve Best) [1412225 1403497]\n- [kernel] kmod: use system_unbound_wq instead of khelper (Luiz Capitulino) [1411816 1395860]\n- [nvme] switch abort to blk_execute_rq_nowait (David Milburn) [1411669 1392923]\n- [netdrv] ibmveth: calculate gso_segs for large packets (Gustavo Duarte) [1411382 1361958]\n- [netdrv] ibmveth: set correct gso_size and gso_type (Gustavo Duarte) [1411382 1361958]\n- [netdrv] allow macvlans to move to net namespace (Jarod Wilson) [1409829 1368830]\n- [pci] Set Read Completion Boundary to 128 iff Root Port supports it (_HPX) (Myron Stowe) [1406290 1387674]\n- [pci] Export pcie_find_root_port() (Myron Stowe) [1406290 1387674]\n- [rtc] cmos: Initialize hpet timer before irq is registered (Pratyush Anand) [1404184 1299001]\n- [x86] amd: Fix cpu_llc_id for AMD Fam17h systems (Suravee Suthikulpanit) [1402444 1395399]\n- [powerpc] powernv: Fix stale PE primary bus (Steve Best) [1402440 1395275]\n- [misc] cxl: Fix coredump generation when cxl_get_fd() is used (Gustavo Duarte) [1402439 1397943]\n- [pci] cxl: use pcibios_free_controller_deferred() when removing vPHBs (Gustavo Duarte) [1402438 1395323]\n- [scsi] qla2xxx: do not abort all commands in the adapter during EEH recovery (Gustavo Duarte) [1402436 1393254]\n- [scsi] qla2xxx: fix invalid DMA access after command aborts in PCI device remove (Gustavo Duarte) [1402436 1393254]\n- [scsi] qla2xxx: do not queue commands when unloading (Gustavo Duarte) [1402436 1393254]\n- [net] packet: fix race condition in packet_set_ring (Hangbin Liu) [1401852 1401853] {CVE-2016-8655}\n[3.10.0-514.8.1]\n- [netdrv] i40e: Fix corruption when transferring large files (Stefan Assmann) [1413101 1404060]\n[3.10.0-514.7.1]\n- [kernel] printk: avoid livelock if another CPU printks continuously (Denys Vlasenko) [1402314 1294066]", "published": "2017-03-02T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2017-0386.html", "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083"], "lastseen": "2017-03-03T01:23:40"}, {"id": "ELSA-2017-0386-1", "type": "oraclelinux", "title": "1 ", "description": "- [3.10.0-514.6.10.0.1.el7]\n- [ipc] ipc/sem.c: bugfix for semctl(,,GETZCNT) (Manfred Spraul) [orabug 22552377]\n- Oracle Linux certificates (Alexey Petrenko)\n- Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(alexey.petrenko@oracle.com)\n- Update x509.genkey [bug 24817676]", "published": "2017-03-03T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2017-0386-1.html", "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083"], "lastseen": "2017-08-22T10:02:27"}, {"id": "ELSA-2017-3509", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "description": "kernel-uek\n[3.8.13-118.16.2]\n- net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (Eric Dumazet) [Orabug: 25203623] {CVE-2016-9793}\n[3.8.13-118.16.1]\n- nvme: Limit command retries (Ashok Vairavan) [Orabug: 25374794] \n- tcp: fix use after free in tcp_xmit_retransmit_queue() (Eric Dumazet) [Orabug: 25374371] {CVE-2016-6828}\n- logging errors that get masked to EIO inside drivers/block/loop.c (Manjunath Patil) [Orabug: 22505535] \n- ALSA: pcm : Call kill_fasync() in stream lock (Takashi Iwai) [Orabug: 25203963] {CVE-2016-9794}\n- packet: fix race condition in packet_set_ring (Philip Pettersson) [Orabug: 25217756] {CVE-2016-8655}\n- x86: kvmclock: zero initialize pvclock shared memory area (Igor Mammedov) [Orabug: 25218431] \n- KEYS: Fix short sprintf buffer in /proc/keys show function (David Howells) [Orabug: 25306373] {CVE-2016-7042}", "published": "2017-01-12T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2017-3509.html", "cvelist": ["CVE-2016-9794", "CVE-2016-8655", "CVE-2016-9793", "CVE-2016-6828", "CVE-2016-7042"], "lastseen": "2017-01-13T01:33:50"}, {"id": "ELSA-2017-3508", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "description": "kernel-uek\n[4.1.12-61.1.25]\n- KEYS: Fix short sprintf buffer in /proc/keys show function (David Howells) [Orabug: 25306361] {CVE-2016-7042}\n- nvme: Limit command retries (Keith Busch) [Orabug: 25374751] \n- fs/proc/task_mmu.c: fix mm_access() mode parameter in pagemap_read() (Kenny Keslar) [Orabug: 25374977] \n- tcp: fix use after free in tcp_xmit_retransmit_queue() (Eric Dumazet) [Orabug: 25374364] {CVE-2016-6828}\n- tunnels: Don't apply GRO to multiple layers of encapsulation. (Jesse Gross) [Orabug: 25036352] {CVE-2016-8666}\n- i40e: Don't notify client(s) for DCB changes on all VSIs (Neerav Parikh) [Orabug: 25046290] \n- packet: fix race condition in packet_set_ring (Philip Pettersson) [Orabug: 25231617] {CVE-2016-8655}\n- netlink: Fix dump skb leak/double free (Herbert Xu) [Orabug: 25231692] {CVE-2016-9806}\n- ALSA: pcm : Call kill_fasync() in stream lock (Takashi Iwai) [Orabug: 25231720] {CVE-2016-9794}\n- net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (Eric Dumazet) [Orabug: 25231751] {CVE-2016-9793}\n[4.1.12-61.1.24]\n- rebuild bumping release", "published": "2017-01-12T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2017-3508.html", "cvelist": ["CVE-2016-9806", "CVE-2016-9794", "CVE-2016-8655", "CVE-2016-9793", "CVE-2016-8666", "CVE-2016-6828", "CVE-2016-7042"], "lastseen": "2017-01-13T01:33:23"}, {"id": "ELSA-2017-3514", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "description": "kernel-uek\n[4.1.12-61.1.27]\n- vfio/pci: Fix integer overflows, bitmask check (Vlad Tsyrklevich) [Orabug: 25164094] {CVE-2016-9083} {CVE-2016-9084}\n- Don't feed anything but regular iovec's to blk_rq_map_user_iov (Linus Torvalds) [Orabug: 25231931] {CVE-2016-9576}\n- kvm: x86: Check memopp before dereference (CVE-2016-8630) (Owen Hofmann) [Orabug: 25417387] {CVE-2016-8630}\n- crypto: algif_hash - Only export and import on sockets with data (Herbert Xu) [Orabug: 25417799] {CVE-2016-8646}\n- USB: usbfs: fix potential infoleak in devio (Kangjie Lu) [Orabug: 25462755] {CVE-2016-4482}\n- net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462799] {CVE-2016-4485}\n[4.1.12-61.1.26]\n- xen-netback: fix extra_info handling in xenvif_tx_err() (Paul Durrant) [Orabug: 25445336] \n- net: Documentation: Fix default value tcp_limit_output_bytes (Niklas Cassel) [Orabug: 25458076] \n- tcp: double default TSQ output bytes limit (Wei Liu) [Orabug: 25458076] \n- xenbus: fix deadlock on writes to /proc/xen/xenbus (David Vrabel) [Orabug: 25430143]", "published": "2017-02-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2017-3514.html", "cvelist": ["CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083", "CVE-2016-4485", "CVE-2016-4482", "CVE-2016-9576", "CVE-2016-8646"], "lastseen": "2017-02-07T05:00:46"}], "centos": [{"id": "CESA-2017:0386", "type": "centos", "title": "kernel, perf, python security update", "description": "**CentOS Errata and Security Advisory** CESA-2017:0386\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to a null pointer dereference flaw. It could occur on x86 platform, when emulating an undefined instruction. An attacker could use this flaw to crash the host kernel resulting in DoS. (CVE-2016-8630, Important)\n\n* A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO. An attacker issuing an ioctl can create a situation where memory is corrupted and modify memory outside of the expected area. This may overwrite kernel memory and subvert kernel execution. (CVE-2016-9083, Important)\n\n* The use of a kzalloc with an integer multiplication allowed an integer overflow condition to be reached in vfio_pci_intrs.c. This combined with CVE-2016-9083 may allow an attacker to craft an attack and use unallocated memory, potentially crashing the machine. (CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting CVE-2016-8655.\n\nAdditional Changes:\n\nSpace precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/articles/2940041.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-March/022324.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-tools\nkernel-tools-libs\nkernel-tools-libs-devel\nperf\npython-perf\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2017-0386.html", "published": "2017-03-06T15:04:15", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2017-March/022324.html", "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083"], "lastseen": "2017-10-03T18:25:56"}], "amazon": [{"id": "ALAS-2016-772", "type": "amazon", "title": "Important: kernel", "description": "**Issue Overview:**\n\n[CVE-2016-8645 __](<https://access.redhat.com/security/cve/CVE-2016-8645>) kernel: a BUG() statement can be hit in net/ipv4/tcp_input.c \nIt was discovered that the Linux kernel since 3.6-rc1 with net.ipv4.tcp_fastopen; set to 1 can hit BUG() statement in tcp_collapse() function after making a number of certain syscalls leading to a possible system crash.\n\n[CVE-2016-8655 __](<https://access.redhat.com/security/cve/CVE-2016-8655>) kernel: Race condition in packet_set_ring leads to use after free \nA race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.\n\n[CVE-2016-9083 __](<https://access.redhat.com/security/cve/CVE-2016-9083>) kernel: State machine confusion bug in vfio driver leading to memory corruption \nA flaw was discovered in the Linux kernel's implementation of VFIO. An attacker issuing an ioctl can create a situation where memory is corrupted and modify memory outside of the expected area. This may overwrite kernel memory and subvert kernel execution.\n\n[CVE-2016-9084 __](<https://access.redhat.com/security/cve/CVE-2016-9084>) kernel: Integer overflow when using kzalloc in vfio driver \nThe use of a kzalloc with an integer multiplication allowed an integer overflow condition to be reached in vfio_pci_intrs.c. This combined with [CVE-2016-9083 __](<https://access.redhat.com/security/cve/CVE-2016-9083>) may allow an attacker to craft an attack and use unallocated memory, potentially crashing the machine.\n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. \n\n\n \n**New Packages:**\n \n \n i686: \n kernel-debuginfo-common-i686-4.4.35-33.55.amzn1.i686 \n perf-debuginfo-4.4.35-33.55.amzn1.i686 \n kernel-tools-4.4.35-33.55.amzn1.i686 \n perf-4.4.35-33.55.amzn1.i686 \n kernel-4.4.35-33.55.amzn1.i686 \n kernel-tools-debuginfo-4.4.35-33.55.amzn1.i686 \n kernel-headers-4.4.35-33.55.amzn1.i686 \n kernel-debuginfo-4.4.35-33.55.amzn1.i686 \n kernel-tools-devel-4.4.35-33.55.amzn1.i686 \n kernel-devel-4.4.35-33.55.amzn1.i686 \n \n noarch: \n kernel-doc-4.4.35-33.55.amzn1.noarch \n \n src: \n kernel-4.4.35-33.55.amzn1.src \n \n x86_64: \n kernel-tools-4.4.35-33.55.amzn1.x86_64 \n perf-debuginfo-4.4.35-33.55.amzn1.x86_64 \n kernel-headers-4.4.35-33.55.amzn1.x86_64 \n kernel-tools-devel-4.4.35-33.55.amzn1.x86_64 \n perf-4.4.35-33.55.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-4.4.35-33.55.amzn1.x86_64 \n kernel-4.4.35-33.55.amzn1.x86_64 \n kernel-devel-4.4.35-33.55.amzn1.x86_64 \n kernel-debuginfo-4.4.35-33.55.amzn1.x86_64 \n kernel-tools-debuginfo-4.4.35-33.55.amzn1.x86_64 \n \n \n", "published": "2016-12-06T23:44:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2016-772.html", "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-9083", "CVE-2016-8645"], "lastseen": "2016-12-07T20:42:49"}], "cloudfoundry": [{"id": "CFOUNDRY:357A3D675E310E16A6C343FB03145CD4", "type": "cloudfoundry", "title": "USN-3312-2: Linux kernel (Xenial HWE) vulnerabilities - Cloud Foundry", "description": "# \n\n# Severity\n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nUSN-3312-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nIt was discovered that the netfilter netlink implementation in the Linux kernel did not properly validate batch messages. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information or cause a denial of service. ([CVE-2016-7917](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7917>))\n\nQian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() function in the Linux kernel. A local attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. ([CVE-2016-8632](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8632>))\n\nIt was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. ([CVE-2016-9604](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9604>))\n\nIt was discovered that a buffer overflow existed in the trace subsystem in the Linux kernel. A privileged local attacker could use this to execute arbitrary code. ([CVE-2017-0605](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-0605>))\n\nDmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. ([CVE-2017-2596](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-2596>))\n\nDaniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). ([CVE-2017-2671](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-2671>))\n\nDi Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. ([CVE-2017-6001](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6001>))\n\nEric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). ([CVE-2017-7472](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7472>))\n\nSabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). ([CVE-2017-7618](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7618>))\n\nTuomas Haanp\u00e4\u00e4 and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). ([CVE-2017-7645](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7645>))\n\nTommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. ([CVE-2017-7889](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7889>))\n\nTuomas Haanp\u00e4\u00e4 and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. ([CVE-2017-7895](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7895>))\n\nIt was discovered that a use-after-free vulnerability existed in the device driver for XCeive xc2028/xc3028 tuners in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. ([CVE-2016-7913](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7913>))\n\nVlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. ([CVE-2016-9083](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9083>), [CVE-2016-9084](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9084>))\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells are vulnerable, including: \n * 3263.x versions prior to 3263.28\n * 3312.x versions prior to 3312.29\n * 3363.x versions prior to 3363.26\n * 3421.x versions prior to 3421.9\n * All other stemcells not listed.\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH stemcells: \n * Upgrade 3263.x versions prior to 3263.28\n * Upgrade 3312.x versions prior to 3312.29\n * Upgrade 3363.x versions prior to 3363.26\n * Upgrade 3421.x versions prior to 3421.9\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io>).\n\n# References\n\n * [USN-3312-2](<http://www.ubuntu.com/usn/usn-3312-2/>)\n * [CVE-2016-7917](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7917>)\n * [CVE-2016-8632](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8632>)\n * [CVE-2016-9604](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9604>)\n * [CVE-2017-0605](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-0605>)\n * [CVE-2017-2596](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-2596>)\n * [CVE-2017-2671](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-2671>)\n * [CVE-2017-6001](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6001>)\n * [CVE-2017-7472](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7472>)\n * [CVE-2017-7618](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7618>)\n * [CVE-2017-7645](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7645>)\n * [CVE-2017-7889](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7889>)\n * [CVE-2017-7895](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7895>)\n * [CVE-2016-7913](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7913>)\n * [CVE-2016-9083](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9083>)\n * [CVE-2016-9084](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9084>)\n", "published": "2017-06-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.cloudfoundry.org/blog/usn-3312-2/", "cvelist": ["CVE-2017-7472", "CVE-2016-9604", "CVE-2017-7895", "CVE-2016-9084", "CVE-2016-7917", "CVE-2017-7889", "CVE-2017-6001", "CVE-2017-7618", "CVE-2017-7645", "CVE-2016-8632", "CVE-2017-0605", "CVE-2017-2671", "CVE-2016-9083", "CVE-2016-7913", "CVE-2017-2596"], "lastseen": "2018-01-12T14:52:53"}, {"id": "CFOUNDRY:43A3634884E6DDA3AD9EFD6221BBEE90", "type": "cloudfoundry", "title": "USN-3161-2: Linux kernel (Xenial HWE) vulnerabilities - Cloud Foundry", "description": "# \n\n# **Severity**\n\nMedium\n\n# **Vendor**\n\nUbuntu\n\n# **Versions Affected**\n\n * Ubuntu 14.04 LTS\n\n# **Description**\n\nTilman Schmidt and Sasha Levin discovered a use-after-free condition in the TTY implementation in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). ([CVE-2015-8964](<https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8964.html>)) \n \nIt was discovered that the Video For Linux Two (v4l2) implementation in the Linux kernel did not properly handle multiple planes when processing aVIDIOC_DQBUF ioctl(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. ([CVE-2016-4568](<https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4568.html>)) \n \nCAI Qian discovered that shared bind mounts in a mount name space exponentially added entries without restriction to the Linux kernel\u2019s mount table. A local attacker could use this to cause a denial of service (system crash). ([CVE-2016-6213](<https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6213.html>)) \n \nIt was discovered that the KVM implementation for x86/x86_64 in the Linux kernel could dereference a null pointer. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the KVM host. ([CVE-2016-8630](<https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8630.html>)) \n \nEyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation in the Linux kernel contained a buffer overflow when handling fragmented packets. A remote attacker could use this to possibly execute arbitrary code with administrative privileges. ([CVE-2016-8633](<https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8633.html>)) \n \nMarco Grassi discovered that the TCP implementation in the Linux kernel mishandles socket buffer (skb) truncation. A local attacker could use this to cause a denial of service (system crash). ([CVE-2016-8645](<https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8645.html>)) \n \nAndrey Konovalov discovered that the SCTP implementation in the Linux kernel improperly handled validation of incoming data. A remote attacker could use this to cause a denial of service (system crash). ([CVE-2016-9555](<https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9555.html>))\n\n# **Affected Products and Versions**\n\nSeverity is medium unless otherwise noted.\n\n * Cloud Foundry BOSH stemcells are vulnerable, including:\n * 3151.x versions prior to 3151.7\n * 3233.x versions prior to 3233.10\n * 3263.x versions prior to 3263.15\n * 3312.x versions prior to 3312.17\n\n# **Mitigation**\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry team recommends upgrading to the following BOSH stemcells:\n * Upgrade all lower versions of 3151.x to version 3151.7\n * Upgrade all lower versions of 3233.x to version 3233.10\n * Upgrade all lower versions of 3263.x to version 3263.15\n * Upgrade all lower versions of 3312.x to 3312.17\n\n# **Credit**\n\nTilman Schmidt, Sasha Levin, CAI Qian, Eyal Itkin, Marco Grassi, Andrey Konovalov\n\n# **References**\n\n * [https://www.ubuntu.com/usn/usn-3161-2/](<https://www.ubuntu.com/usn/usn-3161-2/>)\n * [https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8964.html](<https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8964.html>)\n * [https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4568.html](<https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4568.html>)\n * [https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6213.html](<https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6213.html>)\n * [https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8630.html](<https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8630.html>)\n * [https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8633.html](<https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8633.html>)\n * [https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8645.html](<https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8645.html>)\n * [https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9555.html](<https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9555.html>)\n\n# **History**\n\n2016-12-20: Initial vulnerability report published\n", "published": "2017-01-31T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.cloudfoundry.org/blog/usn-3161-2/", "cvelist": ["CVE-2016-8633", "CVE-2016-6213", "CVE-2016-4568", "CVE-2015-8964", "CVE-2016-9555", "CVE-2016-8630", "CVE-2016-8645"], "lastseen": "2018-01-12T14:52:52"}]}}