ID RHSA-2017:2799 Type redhat Reporter RedHat Modified 2017-09-26T19:23:27
Description
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security Fix(es):
A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253, Important)
Red Hat would like to thank Qualys Research Labs for reporting this issue.
{"cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "viewCount": 1, "reporter": "RedHat", "references": [], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "href": "https://access.redhat.com/errata/RHSA-2017:2799", "modified": "2017-09-26T19:23:27", "objectVersion": "1.4", "_object_types": ["robots.models.redhat.RedHatBulletin", "robots.models.base.Bulletin"], "enchantments": {"vulnersScore": 7.2}, "id": "RHSA-2017:2799", "title": "(RHSA-2017:2799) Important: kernel security update", "bulletinFamily": "unix", "published": "2017-09-26T19:03:48", "enchantments_done": [], "type": "redhat", "_object_type": "robots.models.redhat.RedHatBulletin", "history": [{"differentElements": ["cvss"], "bulletin": {"published": "2017-09-26T19:03:48", "enchantments": {}, "id": "RHSA-2017:2799", "objectVersion": "1.4", "title": "(RHSA-2017:2799) Important: kernel security update", "affectedPackage": [{"packageFilename": "kernel-2.6.32-358.84.1.el6.src.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "src"}, {"packageFilename": "kernel-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "kernel-debug-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-debug", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "kernel-debug-debuginfo-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-debug-debuginfo", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "kernel-debug-devel-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-debug-devel", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "kernel-debuginfo-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-debuginfo", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "kernel-debuginfo-common-x86_64-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-debuginfo-common-x86_64", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "kernel-devel-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-devel", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "kernel-doc-2.6.32-358.84.1.el6.noarch.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-doc", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "noarch"}, {"packageFilename": "kernel-firmware-2.6.32-358.84.1.el6.noarch.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-firmware", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "noarch"}, {"packageFilename": "kernel-headers-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-headers", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "perf-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "perf", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "perf-debuginfo-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "perf-debuginfo", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "python-perf-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "python-perf", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "python-perf-debuginfo-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "python-perf-debuginfo", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}], "bulletinFamily": "unix", "viewCount": 0, "reporter": "RedHat", "references": [], "type": "redhat", "history": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "cvelist": ["CVE-2017-1000253"], "href": "https://access.redhat.com/errata/RHSA-2017:2799", "modified": "2017-09-26T19:23:27", "lastseen": "2017-09-29T11:22:12"}, "lastseen": "2017-09-29T11:22:12", "edition": 1}], "affectedPackage": [{"packageFilename": "kernel-2.6.32-358.84.1.el6.src.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "src"}, {"packageFilename": "kernel-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "kernel-debug-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-debug", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "kernel-debug-debuginfo-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-debug-debuginfo", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "kernel-debug-devel-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-debug-devel", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "kernel-debuginfo-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-debuginfo", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "kernel-debuginfo-common-x86_64-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-debuginfo-common-x86_64", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "kernel-devel-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-devel", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "kernel-doc-2.6.32-358.84.1.el6.noarch.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-doc", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "noarch"}, {"packageFilename": "kernel-firmware-2.6.32-358.84.1.el6.noarch.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-firmware", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "noarch"}, {"packageFilename": "kernel-headers-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "kernel-headers", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "perf-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "perf", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "perf-debuginfo-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "perf-debuginfo", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "python-perf-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "python-perf", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}, {"packageFilename": "python-perf-debuginfo-2.6.32-358.84.1.el6.x86_64.rpm", "OS": "RedHat", "OSVersion": "6", "packageName": "python-perf-debuginfo", "operator": "lt", "packageVersion": "2.6.32-358.84.1.el6", "arch": "x86_64"}], "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-10-22T19:33:54"}
{"result": {"cve": [{"id": "CVE-2017-1000253", "type": "cve", "title": "CVE-2017-1000253", "description": "Linux distributions that have not patched their long-term kernels with https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (committed on April 14, 2015). This kernel vulnerability was fixed in April 2015 by commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to Linux 3.10.77 in May 2015), but it was not recognized as a security threat. With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down address allocation strategy, load_elf_binary() will attempt to map a PIE binary into an address range immediately below mm->mmap_base. Unfortunately, load_elf_ binary() does not take account of the need to allocate sufficient space for the entire binary which means that, while the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base into the are that is supposed to be the \"gap\" between the stack and the binary.", "published": "2017-10-04T21:29:04", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000253", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-12-09T12:13:14"}], "f5": [{"id": "F5:K22340570", "type": "f5", "title": "Linux kernel vulnerability CVE-2017-1000253", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | CVSSv3 score | Vulnerable component or feature \n---|---|---|---|---|--- \nBIG-IP LTM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP AAM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 | Not vulnerable | None | None \nBIG-IP AFM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 | Not vulnerable | None | None \nBIG-IP Analytics | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP APM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP ASM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP DNS | None | 13.0.0 \n12.0.0 - 12.1.2 | Not vulnerable | None | None \nBIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable | None | None \nBIG-IP GTM | None | 11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP Link Controller | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP PEM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 | Not vulnerable | None | None \nBIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable | None | None \nF5 WebSafe | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.2 | Not vulnerable | None | None \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None | None \nBIG-IQ Cloud | None | 4.4.0 - 4.5.0 | Not vulnerable | None | None \nBIG-IQ Device | None | 4.4.0 - 4.5.0 | Not vulnerable | None | None \nBIG-IQ Security | None | 4.4.0 - 4.5.0 | Not vulnerable | None | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.3.0 \n4.6.0 | Not vulnerable | None | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None | None \nF5 iWorkflow | None | 2.0.0 - 2.3.0 | Not vulnerable | None | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None | None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "published": "2017-10-27T19:46:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://support.f5.com/csp/article/K22340570", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-10-27T20:33:13"}], "myhack58": [{"id": "MYHACK58:62201789498", "type": "myhack58", "title": "Linux PIE/stack memory corruption vulnerability flaws bug alert(CVE\u20132017\u20131000253)number-vulnerability warning-the black bar safety net", "description": "2015 4 on 14 September, Michael Davidson found PIE\uff08Position Independent Executable mechanism to allow the part of the application of the French data segment is placed across the reserved memory area to form memory bounds, and thus incur the mention of the right to, and in the Linux Source Tree on the submitted patch a87938b2e246b81b4fb713edb371a9fa3c5c3c86 it. \nThe same year, 5 months, Linux 3.10.77 updated version of the patch, what, then and no to the question of the importance of making a precise evaluation, it is a lot of published version for a long time did not update the patch, leading to flaws vulnerability bug kept there. \n2017 9 May 26, OSS-SEC mailing list announced with the flaws vulnerability bug coherent information, and the performance of the flaws the vulnerability bug number CVE-2017-1000253 it. At the same time, the coherence of the affected Linux published version is also announced the flaws vulnerability bug coherent Update Patch the. \nBritain at the end 360CERT evaluation, the flaws vulnerability bug can be the use of dangerous high-level, can be used for the Linux operating system vicious thoughts its mention of the right root, the initiative of the affected user, as soon as possible to achieve response update. \n0x01 confound the impact \nImpact grade \nFlaws vulnerability bug dangerous goods was high, affecting a wide range. \nImpact version \n2017 09 month 13 days before the publication of CentOS 7 full version version 1708. \n2017 08 months 01 days before the publication of the Red Hat Enterprise Linux 7 full version for version 7. 4 before \nAll version of CentOS 6 and Red Hat Enterprise Linux 6 \nFix version \nKernel 3.10.0-693 and later \nDetail of the printed edition: \nDebian wheezy 3.2.71-1 \nDebian jessie 3.16.7-ckt11-1 \nDebian (unstable) 4.0.2-1 \nSUSE Linux Enterprise Desktop 12 SP2 \nSUSE Linux Enterprise Desktop 12 SP3 \nSUSE Linux Enterprise Server 12 GA \nSUSE Linux Enterprise Server 12 SP1 \nSUSE Linux Enterprise Server 12 SP2 \nSUSE Linux Enterprise Server 12 SP3 \nRed Hat Enterprise MRG 2 3.10.0-693.2.1. rt56. 585. el6rt \nRed Hat Enteprise Linux for Realtime 3.10.0-693. rt56. 617 \n0x02 flaws vulnerability bug information \nLinux case, if the application of French when compiling with\u201c-pie\u201dcompile option, the load_elf_binary()will assign a segment of memory space, but load_elf_ binary()is not considered to apply to all French dispatch plenty of space, incurring a PT_LOAD segment across a mm->mmap_base it. In x86_64, if the cross-border across the 128MB, you will be enveloped into French of the stack, and then be able to incur permission to promotion. Civil supply of the memory bounds of the outcomes map: \n! [](/Article/UploadPic/2017-9/201792843129772. jpg? www. myhack58. com) \nCivil patch supplied way is figuring out and supplied to the application of the French space needed size to avoid memory bounds. \n0x03 repair plan \nIntense initiatives to all affected users, in real-time to stop the network security updates, optional method, the following: \nCoherent Linux published version once the supply of the network security updates, via the process yum or apt-get in the situation to stop the network security update. \nCustom kernel users, please download the corresponding source code patch to stop the network security update. \nPatch location: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a87938b2e246b81b4fb713edb371a9fa3c5c3c86 \n0x04 time line \n2015-04-14 Michael Davidson submitted to the flaws vulnerability bug patch, and is received \n2017-09-26 OSS-SEC mailing list promulgated flaws vulnerability bug information \n2017-09-27 360CERT announced warning notices \n0x05 references \nhttps://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-1000253.txt \nhttps://access.redhat.com/security/vulnerabilities/3189592 \nhttps://security-tracker.debian.org/tracker/CVE-2017-1000253 \nhttps://www.suse.com/security/cve/CVE-2017-1000253/ \nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a87938b2e246b81b4fb713edb371a9fa3c5c3c86\n", "published": "2017-09-28T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://www.myhack58.com/Article/html/3/62/2017/89498.htm", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-09-29T14:08:51"}], "redhat": [{"id": "RHSA-2017:2794", "type": "redhat", "title": "(RHSA-2017:2794) Important: kernel security update", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "published": "2017-09-26T19:03:20", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2017:2794", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-10-22T19:34:57"}, {"id": "RHSA-2017:2796", "type": "redhat", "title": "(RHSA-2017:2796) Important: kernel security update", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "published": "2017-09-26T19:03:41", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2017:2796", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-10-22T19:34:01"}, {"id": "RHSA-2017:2795", "type": "redhat", "title": "(RHSA-2017:2795) Important: kernel security update", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "published": "2017-09-26T19:03:23", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2017:2795", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-10-22T19:34:17"}, {"id": "RHSA-2017:2801", "type": "redhat", "title": "(RHSA-2017:2801) Important: kernel security update", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "published": "2017-09-26T19:04:39", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2017:2801", "cvelist": ["CVE-2017-1000253"], "lastseen": "2018-02-09T16:09:35"}, {"id": "RHSA-2017:2798", "type": "redhat", "title": "(RHSA-2017:2798) Important: kernel security update", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "published": "2017-09-26T19:03:15", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2017:2798", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-10-22T19:34:17"}, {"id": "RHSA-2017:2797", "type": "redhat", "title": "(RHSA-2017:2797) Important: kernel security update", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "published": "2017-09-26T19:03:43", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2017:2797", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-10-22T19:34:07"}, {"id": "RHSA-2017:2793", "type": "redhat", "title": "(RHSA-2017:2793) Important: kernel security update", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "published": "2017-09-26T19:03:17", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2017:2793", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-10-22T19:34:21"}, {"id": "RHSA-2017:2802", "type": "redhat", "title": "(RHSA-2017:2802) Important: kernel security update", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "published": "2017-09-26T19:04:56", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2017:2802", "cvelist": ["CVE-2017-1000253"], "lastseen": "2018-02-09T16:10:05"}, {"id": "RHSA-2017:2800", "type": "redhat", "title": "(RHSA-2017:2800) Important: kernel security update", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "published": "2017-09-26T19:04:23", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2017:2800", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-10-22T19:34:37"}], "suse": [{"id": "SUSE-SU-2017:2723-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "description": "The SUSE Linux Enterprise 11 SP4 kernel was updated to fix the following\n issues:\n\n - Stack corruption could have lead to local privilege escalation\n (bsc#1059525, CVE-2017-1000253).\n\n", "published": "2017-10-13T15:10:01", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00016.html", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-10-13T17:55:29"}, {"id": "SUSE-SU-2017:2725-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "description": "The SUSE Linux Enterprise 11 SP3 kernel was updated to fix the following\n issues:\n\n - Stack corruption could have lead to local privilege escalation\n (bsc#1059525, CVE-2017-1000253).\n\n", "published": "2017-10-14T21:09:20", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00017.html", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-10-14T23:54:50"}, {"id": "SUSE-SU-2017:3165-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "description": "The SUSE Linux Enterprise 11 SP4 Realtime kernel was updated to receive\n various security and bugfixes.\n\n\n The following security bugs were fixed:\n\n - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed\n reinstallation of the Group Temporal Key (GTK) during the group key\n handshake, allowing an attacker within radio range to replay frames from\n access points to clients (bnc#1063667).\n - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not\n consider the case of a NULL payload in conjunction with a nonzero length\n value, which allowed local users to cause a denial of service (NULL\n pointer dereference and OOPS) via a crafted add_key or keyctl system\n call, a different vulnerability than CVE-2017-12192 (bnc#1045327).\n - CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel\n allowed local users to cause a denial of service (use-after-free) or\n possibly have unspecified other impact via crafted /dev/snd/seq ioctl\n calls, related to sound/core/seq/seq_clientmgr.c and\n sound/core/seq/seq_ports.c (bnc#1062520).\n - CVE-2017-14489: The iscsi_if_rx function in\n drivers/scsi/scsi_transport_iscsi.c in the Linux kernel allowed local\n users to cause a denial of service (panic) by leveraging incorrect\n length validation (bnc#1059051).\n - CVE-2017-1000253: Setuid root PIE binaries could still be exploited to\n gain local root access due missing overlapping memory checking in the\n ELF loader in the Linux Kernel. (bnc#1059525).\n\n The following non-security bugs were fixed:\n\n - blacklist.conf: blacklist bfedb589252c ("mm: Add a user_ns owner to\n mm_struct and fix ptrace permission checks") (bnc#1044228)\n - bnx2x: prevent crash when accessing PTP with interface down\n (bsc#1060665).\n - drm/mgag200: Fixes for G200eH3. (bnc#1062842)\n - fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length\n mappings (bnc#1059525).\n - getcwd: Close race with d_move called by lustre (bsc#1052593).\n - hid: usbhid: Add HID_QUIRK_NOGET for Aten CS-1758 KVM switch\n (bnc#1022967).\n - i40e: Initialize 64-bit statistics TX ring seqcount (bsc#909484\n FATE#317397).\n - kvm: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready"\n exceptions simultaneously (bsc#1061017).\n - kvm: SVM: Add a missing 'break' statement (bsc#1061017).\n - lustre: Fix "getcwd: Close race with d_move called by lustre" for -rt\n Convert added spin_lock/unlock() of ->d_lock to seqlock variants.\n - md/bitmap: disable bitmap_resize for file-backed bitmaps (bsc#1061180).\n - netback: coalesce (guest) RX SKBs as needed (bsc#1056504).\n - nfs: Remove asserts from the NFS XDR code (bsc#1063544).\n - powerpc: Fix the corrupt r3 error during MCE handling (bnc#1056230).\n - powerpc: Make sure IPI handlers see data written by IPI senders\n (bnc#1056230).\n - powerpc/xics: Harden xics hypervisor backend (bnc#1056230).\n - s390/cpcmd,vmcp: avoid GFP_DMA allocations (bnc#1060245, LTC#159112).\n - s390/qdio: avoid reschedule of outbound tasklet once killed\n (bnc#1063301, LTC#159885).\n - s390/topology: alternative topology for topology-less machines\n (bnc#1060245, LTC#159177).\n - s390/topology: enable / disable topology dynamically (bnc#1060245,\n LTC#159177).\n - scsi: qla2xxx: Get mutex lock before checking optrom_state (bsc#1053317).\n - scsi: reset wait for IO completion (bsc#996376).\n - scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace\n records (bnc#1060245, LTC#158494).\n - scsi: zfcp: fix missing trace records for early returns in TMF eh\n handlers (bnc#1060245, LTC#158494).\n - scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with\n HBA (bnc#1060245, LTC#158494).\n - scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records\n (bnc#1060245, LTC#158494).\n - scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled\n (bnc#1060245, LTC#158493).\n - scsi: zfcp: trace HBA FSF response by default on dismiss or timedout\n late response (bnc#1060245, LTC#158494).\n - Update config files. (bsc#1057796) The CONFIG_MODULE_SIG_UEFI should be\n enabled on x86_64/xen architecture because xen can work with shim on\n x86_64. Enabling the following kernel config to load certificate from\n db/mok: +CONFIG_MODULE_SIG_BLACKLIST=y +CONFIG_MODULE_SIG_UEFI=y\n - virtio_scsi: do not call virtqueue_add_sgs(... GFP_NOIO) holding\n spinlock (bsc#1036286).\n\n", "published": "2017-11-30T21:08:12", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2017-11/msg00082.html", "cvelist": ["CVE-2017-13080", "CVE-2017-14489", "CVE-2017-15274", "CVE-2017-15265", "CVE-2017-1000253", "CVE-2017-12192"], "lastseen": "2017-12-01T01:22:40"}], "nessus": [{"id": "REDHAT-RHSA-2017-2795.NASL", "type": "nessus", "title": "RHEL 6 : kernel (RHSA-2017:2795)", "description": "An update for kernel is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es) :\n\n* A flaw was found in the way the Linux kernel loaded ELF executables.\nProvided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.\n(CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "published": "2017-09-27T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=103494", "cvelist": ["CVE-2017-1000253"], "lastseen": "2018-01-30T01:12:10"}, {"id": "VIRTUOZZO_VZA-2017-090.NASL", "type": "nessus", "title": "Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2017-090)", "description": "According to the version of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerability :\n\n - A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2017-10-02T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=103571", "cvelist": ["CVE-2017-1000253"], "lastseen": "2018-02-01T01:16:17"}, {"id": "ORACLELINUX_ELSA-2017-3626.NASL", "type": "nessus", "title": "Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3626)", "description": "Description of changes:\n\n[2.6.39-400.297.9.el6uek]\n- fs/binfmt_elf.c: fix bug in loading of PIE binaries (Michael Davidson) [Orabug: 26870958] {CVE-2017-1000253}", "published": "2017-09-29T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=103560", "cvelist": ["CVE-2017-1000253"], "lastseen": "2018-02-04T10:56:32"}, {"id": "REDHAT-RHSA-2017-2800.NASL", "type": "nessus", "title": "RHEL 6 : kernel (RHSA-2017:2800)", "description": "An update for kernel is now available for Red Hat Enterprise Linux 6.2 Advanced Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es) :\n\n* A flaw was found in the way the Linux kernel loaded ELF executables.\nProvided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.\n(CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "published": "2017-09-27T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=103499", "cvelist": ["CVE-2017-1000253"], "lastseen": "2018-01-30T00:59:20"}, {"id": "REDHAT-RHSA-2017-2799.NASL", "type": "nessus", "title": "RHEL 6 : kernel (RHSA-2017:2799)", "description": "An update for kernel is now available for Red Hat Enterprise Linux 6.4 Advanced Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es) :\n\n* A flaw was found in the way the Linux kernel loaded ELF executables.\nProvided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.\n(CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "published": "2017-09-27T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=103498", "cvelist": ["CVE-2017-1000253"], "lastseen": "2018-01-30T01:04:28"}, {"id": "CENTOS_RHSA-2017-2795.NASL", "type": "nessus", "title": "CentOS 6 : kernel (CESA-2017:2795)", "description": "An update for kernel is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es) :\n\n* A flaw was found in the way the Linux kernel loaded ELF executables.\nProvided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.\n(CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "published": "2017-09-28T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=103517", "cvelist": ["CVE-2017-1000253"], "lastseen": "2018-01-30T01:05:20"}, {"id": "REDHAT-RHSA-2017-2793.NASL", "type": "nessus", "title": "RHEL 7 : kernel (RHSA-2017:2793)", "description": "An update for kernel is now available for Red Hat Enterprise Linux 7.3 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es) :\n\n* A flaw was found in the way the Linux kernel loaded ELF executables.\nProvided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.\n(CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "published": "2017-09-27T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=103492", "cvelist": ["CVE-2017-1000253"], "lastseen": "2018-01-30T01:08:00"}, {"id": "REDHAT-RHSA-2017-2796.NASL", "type": "nessus", "title": "RHEL 6 : kernel (RHSA-2017:2796)", "description": "An update for kernel is now available for Red Hat Enterprise Linux 6.7 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es) :\n\n* A flaw was found in the way the Linux kernel loaded ELF executables.\nProvided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.\n(CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "published": "2017-09-27T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=103495", "cvelist": ["CVE-2017-1000253"], "lastseen": "2018-01-30T01:12:41"}, {"id": "REDHAT-RHSA-2017-2797.NASL", "type": "nessus", "title": "RHEL 6 : kernel (RHSA-2017:2797)", "description": "An update for kernel is now available for Red Hat Enterprise Linux 6.6 Advanced Update Support and Red Hat Enterprise Linux 6.6 Telco Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es) :\n\n* A flaw was found in the way the Linux kernel loaded ELF executables.\nProvided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.\n(CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "published": "2017-09-27T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=103496", "cvelist": ["CVE-2017-1000253"], "lastseen": "2018-01-30T01:11:17"}, {"id": "SUSE_SU-2017-2725-1.NASL", "type": "nessus", "title": "SUSE SLES11 Security Update : kernel (SUSE-SU-2017:2725-1)", "description": "The SUSE Linux Enterprise 11 SP3 kernel was updated to fix the following issues :\n\n - Stack corruption could have lead to local privilege escalation (bsc#1059525, CVE-2017-1000253).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2017-10-16T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=103853", "cvelist": ["CVE-2017-1000253"], "lastseen": "2018-02-02T07:10:51"}], "openvas": [{"id": "OPENVAS:1361412562310882775", "type": "openvas", "title": "CentOS Update for kernel CESA-2017:2795 centos6 ", "description": "Check the version of kernel", "published": "2017-10-05T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882775", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-10-25T14:48:01"}, {"id": "OPENVAS:1361412562310812001", "type": "openvas", "title": "RedHat Update for kernel RHSA-2017:2795-01", "description": "Check the version of kernel", "published": "2017-10-05T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812001", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-10-25T14:47:53"}], "oraclelinux": [{"id": "ELSA-2017-2795", "type": "oraclelinux", "title": "kernel security update", "description": "[2.6.32-696.10.3.OL6]\n- Update genkey [bug 25599697]\n[2.6.32-696.10.3]\n- [fs] binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings (Petr Matousek) [1492959 1492961] {CVE-2017-1000253}\n- [fs] binfmt_elf.c: fix bug in loading of PIE binaries (Petr Matousek) [1492959 1492961] {CVE-2017-1000253}", "published": "2017-09-27T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2017-2795.html", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-10-22T22:41:22"}, {"id": "ELSA-2017-3626", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "description": "[2.6.39-400.297.9]\n- fs/binfmt_elf.c: fix bug in loading of PIE binaries (Michael Davidson) [Orabug: 26870958] {CVE-2017-1000253}", "published": "2017-09-28T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2017-3626.html", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-10-22T22:34:28"}, {"id": "ELSA-2018-4036", "type": "oraclelinux", "title": "kernel security update", "description": "kernel\n[2.6.18-419.0.0.0.5]\n- [fs] fix kernel panic on boot on ia64 guests (Honglei Wang) [orabug 26934100]\n[2.6.18-419.0.0.0.4]\n- [fs] fix bug in loading of PIE binaries (Michael Davidson) [orabug 26916951] {CVE-2017-1000253}", "published": "2018-02-21T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2018-4036.html", "cvelist": ["CVE-2017-1000253"], "lastseen": "2018-02-21T21:30:42"}, {"id": "ELSA-2017-2801", "type": "oraclelinux", "title": "kernel security update", "description": "kernel\n- 2.6.18-419.0.0.0.4\n- [fs] fix bug in loading of PIE binaries (Michael Davidson) [orabug 26916951] {CVE-2017-1000253}\n- 2.6.18-419.0.0.0.3\n- nfsd: stricter decoding of write-like NFSv2/v3 ops (J. Bruce Fields) [orabug 26586706] {CVE-2017-7895}", "published": "2017-10-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2017-2801.html", "cvelist": ["CVE-2017-7895", "CVE-2017-1000253"], "lastseen": "2017-10-07T00:03:19"}, {"id": "ELSA-2017-2863", "type": "oraclelinux", "title": "kernel security and bug fix update", "description": "[2.6.32-696.13.2.OL6]\n- Update genkey [bug 25599697]\n[2.6.32-696.13.2]\n- [net] l2cap: prevent stack overflow on incoming bluetooth packet (Neil Horman) [1490060 1490062] {CVE-2017-1000251}\n- [fs] binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings (Petr Matousek) [1492959 1492961] {CVE-2017-1000253}\n- [fs] binfmt_elf.c: fix bug in loading of PIE binaries (Petr Matousek) [1492959 1492961] {CVE-2017-1000253}\n[2.6.32-696.13.1]\n- [netdv] brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (Stanislaw Gruszka) [1474783 1474782] {CVE-2017-7541}\n- [x86] fix /proc/mtrr with base/size more than 44bits (Jerome Marchand) [1482855 1466530]\n[2.6.32-696.12.1]\n- [fs] gfs2: clear gl_object when deleting an inode in gfs2_delete_inode (Robert S Peterson) [1479397 1464541]\n- [fs] gfs2: clear gl_object if gfs2_create_inode fails (Robert S Peterson) [1479397 1464541]\n- [fs] gfs2: set gl_object in inode lookup only after block type check (Robert S Peterson) [1479397 1464541]\n- [fs] gfs2: introduce helpers for setting and clearing gl_object (Robert S Peterson) [1479397 1464541]\n[2.6.32-696.11.1]\n- [scsi] Add STARGET_CREATED_REMOVE state to scsi_target_state (Ewan Milne) [1472127 1452358]", "published": "2017-10-06T00:00:00", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2017-2863.html", "cvelist": ["CVE-2017-1000251", "CVE-2017-1000253", "CVE-2017-7541"], "lastseen": "2017-10-06T09:56:21"}, {"id": "ELSA-2017-3200", "type": "oraclelinux", "title": "kernel security and bug fix update", "description": "[2.6.32-696.16.1.OL6]\n- Update genkey [bug 25599697]\n[2.6.32-696.16.1]\n- [net] packet: fix tp_reserve race in packet_set_ring (Stefano Brivio) [1481941 1481943] {CVE-2017-1000111}\n- [net] packet: fix overflow in check for tp_frame_nr (Stefano Brivio) [1481941 1481943] {CVE-2017-1000111}\n- [net] packet: fix overflow in check for tp_reserve (Stefano Brivio) [1481941 1481943] {CVE-2017-1000111}\n- [netdrv] sfc: tx ring can only have 2048 entries for all EF10 NICs (Jarod Wilson) [1498019 1441773]\n- [fs] sunrpc: always treat the invalid cache as unexpired (Thiago Becker) [1497976 1477288]\n- [fs] sunrpc: xpt_auth_cache should be ignored when expired (Thiago Becker) [1497976 1477288]\n- [net] tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Davide Caratti) [1488344 1488340] {CVE-2017-14106}\n- [net] tcp: fix 0 divide in __tcp_select_window() (Davide Caratti) [1488344 1488340] {CVE-2017-14106}\n- [scsi] lpfc: fix 'integer constant too large' error on 32bit archs (Maurizio Lombardi) [1487220 1441169]\n- [scsi] lpfc: version 11.0.1.6 is 11.0.0.6 with no_hba_reset patches (Maurizio Lombardi) [1487220 1441169]\n- [scsi] lpfc: Vport creation is failing with 'Link Down' error (Maurizio Lombardi) [1487220 1441169]\n- [scsi] lpfc: Fix panic on BFS configuration (Maurizio Lombardi) [1487220 1441169]\n- [scsi] lpfc: Fix eh_deadline setting for sli3 adapters (Maurizio Lombardi) [1487220 1441169]\n- [scsi] lpfc: Correct panics with eh_timeout and eh_deadline (Maurizio Lombardi) [1487220 1441169]\n- [net] udp: consistently apply ufo or fragmentation (Davide Caratti) [1481532 1481529] {CVE-2017-1000112}\n- [net] ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output (Davide Caratti) [1481532 1481529] {CVE-2017-1000112}\n- [net] ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output (Davide Caratti) [1481532 1481529] {CVE-2017-1000112}\n[2.6.32-696.15.1]\n- [fs] binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings (Petr Matousek) [1492959 1492961] {CVE-2017-1000253}\n- [fs] binfmt_elf.c: fix bug in loading of PIE binaries (Petr Matousek) [1492959 1492961] {CVE-2017-1000253}\n[2.6.32-696.14.1]\n- [fs] nfs: don't disconnect open-owner on NFS4ERR_BAD_SEQID (Dave Wysochanski) [1491123 1459636]\n- [net] l2cap: prevent stack overflow on incoming bluetooth packet (Neil Horman) [1490060 1490062] {CVE-2017-1000251}", "published": "2017-11-15T00:00:00", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2017-3200.html", "cvelist": ["CVE-2017-1000111", "CVE-2017-14106", "CVE-2017-1000251", "CVE-2017-1000253", "CVE-2017-1000112"], "lastseen": "2017-11-16T06:42:03"}, {"id": "ELSA-2017-3658", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "description": "[2.6.39-400.298.1]\n- ocfs2/dlm: ignore cleaning the migration mle that is inuse (xuejiufei) [Orabug: 23320090] \n- tty: Fix race in pty_write() leading to NULL deref (Todd Vierling) [Orabug: 24337879] \n- xen-netfront: cast grant table reference first to type int (Dongli Zhang) [Orabug: 25102637] \n- xen-netfront: do not cast grant table reference to signed short (Dongli Zhang) [Orabug: 25102637] \n- RDS: Print failed rdma op details if failure is remote access error (Rama Nichanamatlu) [Orabug: 25440316] \n- ping: implement proper locking (Eric Dumazet) [Orabug: 26540288] {CVE-2017-2671}\n- KEYS: fix dereferencing NULL payload with nonzero length (Eric Biggers) [Orabug: 26592013] \n- oracleasm: Copy the integrity descriptor (Martin K. Petersen) [Orabug: 26650039] \n- mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook) [Orabug: 26675934] {CVE-2017-7889}\n- fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE (Abhi Das) [Orabug: 26797307] \n- xscore: add dma address check (Zhu Yanjun) [Orabug: 27058559] \n- more bio_map_user_iov() leak fixes (Al Viro) [Orabug: 27069045] {CVE-2017-12190}\n- fix unbalanced page refcounting in bio_map_user_iov (Vitaly Mayatskikh) [Orabug: 27069045] {CVE-2017-12190}\n- xsigo: [backport] Fix race in freeing aged Forwarding tables (Pradeep Gopanapalli) [Orabug: 24823234] \n- ocfs2: fix deadlock issue when taking inode lock at vfs entry points (Eric Ren) [Orabug: 25671723] \n- ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock (Eric Ren) [Orabug: 25671723] \n- net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) [Orabug: 26143563] {CVE-2017-7308}\n- net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) [Orabug: 26143563] {CVE-2017-7308}\n- char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau) [Orabug: 26403941] {CVE-2017-1000363}\n- ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380}\n- ALSA: timer: Fix race between read and ioctl (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380}\n- ALSA: timer: fix NULL pointer dereference in read()/ioctl() race (Vegard Nossum) [Orabug: 26403958] {CVE-2017-1000380}\n- ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380}\n- ALSA: timer: Fix race at concurrent reads (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380}\n- ALSA: timer: Fix race among timer ioctls (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380}\n- ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben Hutchings) [Orabug: 26403974] {CVE-2017-9074}\n- ipv6: Check ip6_find_1stfragopt() return value properly. (David S. Miller) [Orabug: 26403974] {CVE-2017-9074}\n- ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) [Orabug: 26403974] {CVE-2017-9074}\n- ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) [Orabug: 26404007] {CVE-2017-9077}\n- aio: mark AIO pseudo-fs noexec (Jann Horn) [Orabug: 26643601] {CVE-2016-10044}\n- vfs: Commit to never having exectuables on proc and sysfs. (Eric W. Biederman) [Orabug: 26643601] {CVE-2016-10044}\n- vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun Heo) [Orabug: 26643601] {CVE-2016-10044}\n- x86/acpi: Prevent out of bound access caused by broken ACPI tables (Seunghun Han) [Orabug: 26643652] {CVE-2017-11473}\n- sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) [Orabug: 26650889] {CVE-2017-9075}\n- saa7164: fix double fetch PCIe access condition (Steven Toth) [Orabug: 26675148] {CVE-2017-8831}\n- saa7164: fix sparse warnings (Hans Verkuil) [Orabug: 26675148] {CVE-2017-8831}\n- saa7164: get rid of warning: no previous prototype (Mauro Carvalho Chehab) [Orabug: 26675148] {CVE-2017-8831}\n- [scsi] lpfc 8.3.44: Fix kernel panics from corrupted ndlp (James Smart) [Orabug: 26765341] \n- timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899791] {CVE-2017-10661}\n- scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (Xin Long) [Orabug: 26988628] {CVE-2017-14489}\n- mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang) [Orabug: 26643562] {CVE-2017-11176}\n- ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27011278] {CVE-2017-7542}\n- packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn) [Orabug: 27002453] {CVE-2017-1000111}\n- mlx4_core: calculate log_mtt based on total system memory (Wei Lin Guay) [Orabug: 26867355] \n- xen/x86: Add interface for querying amount of host memory (Boris Ostrovsky) [Orabug: 26867355] \n- fs/binfmt_elf.c: fix bug in loading of PIE binaries (Michael Davidson) [Orabug: 26870958] {CVE-2017-1000253}\n- Bluetooth: Properly check L2CAP config option output buffer length (Ben Seri) [Orabug: 26796428] {CVE-2017-1000251}\n- xen: fix bio vec merging (Roger Pau Monne) [Orabug: 26645562] {CVE-2017-12134}\n- fs/exec.c: account for argv/envp pointers (Kees Cook) [Orabug: 26638926] {CVE-2017-1000365} {CVE-2017-1000365}\n- l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume Nault) [Orabug: 26586050] {CVE-2016-10200}\n- xfs: fix two memory leaks in xfs_attr_list.c error paths (Mateusz Guzik) [Orabug: 26586024] {CVE-2016-9685}\n- KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings (David Howells) [Orabug: 26586002] {CVE-2016-9604}\n- ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet) [Orabug: 26578202] {CVE-2017-9242}\n- selinux: quiet the filesystem labeling behavior message (Paul Moore) [Orabug: 25721485] \n- RDS/IB: active bonding port state fix for intfs added late (Mukesh Kacker) [Orabug: 25875426] \n- HID: hid-cypress: validate length of report (Greg Kroah-Hartman) [Orabug: 25891914] {CVE-2017-7273}\n- udf: Remove repeated loads blocksize (Jan Kara) [Orabug: 25905722] {CVE-2015-4167}\n- udf: Check length of extended attributes and allocation descriptors (Jan Kara) [Orabug: 25905722] {CVE-2015-4167}\n- udf: Verify i_size when loading inode (Jan Kara) [Orabug: 25905722] {CVE-2015-4167}\n- btrfs: drop unused parameter from btrfs_item_nr (Ross Kirk) [Orabug: 25948102] {CVE-2014-9710}\n- Btrfs: cleanup of function where fixup_low_keys() is called (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710}\n- Btrfs: remove unused argument of fixup_low_keys() (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710}\n- Btrfs: remove unused argument of btrfs_extend_item() (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710}\n- Btrfs: add support for asserts (Josef Bacik) [Orabug: 25948102] {CVE-2014-9710}\n- Btrfs: make xattr replace operations atomic (Filipe Manana) [Orabug: 25948102] {CVE-2014-9710}\n- net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom (Al Viro) [Orabug: 25948149] {CVE-2015-2686}\n- xsigo: Compute node crash on FC failover (Joe Jin) [Orabug: 25965445] \n- PCI: Prevent VPD access for QLogic ISP2722 (Ethan Zhao) [Orabug: 25975513] \n- PCI: Prevent VPD access for buggy devices (Babu Moger) [Orabug: 25975513] \n- ipv4: try to cache dst_entries which would cause a redirect (Hannes Frederic Sowa) [Orabug: 26032377] {CVE-2015-1465}\n- mm: larger stack guard gap, between vmas (Hugh Dickins) [Orabug: 26326145] {CVE-2017-1000364}\n- nfsd: check for oversized NFSv2/v3 arguments (J. Bruce Fields) [Orabug: 26366024] {CVE-2017-7645}\n- dm mpath: allow ioctls to trigger pg init (Mikulas Patocka) [Orabug: 25645229] \n- xen/manage: Always freeze/thaw processes when suspend/resuming (Ross Lagerwall) [Orabug: 25795530] \n- lpfc cannot establish connection with targets that send PRLI under P2P mode (Joe Jin) [Orabug: 25955028]", "published": "2017-12-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2017-3658.html", "cvelist": ["CVE-2016-9604", "CVE-2017-11176", "CVE-2017-1000380", "CVE-2017-1000111", "CVE-2017-14489", "CVE-2017-7889", "CVE-2017-9074", "CVE-2017-7645", "CVE-2017-9242", "CVE-2017-7273", "CVE-2016-10200", "CVE-2017-8831", "CVE-2017-2671", "CVE-2015-1465", "CVE-2017-11473", "CVE-2017-9075", "CVE-2017-10661", "CVE-2016-9685", "CVE-2017-1000251", "CVE-2017-1000253", "CVE-2017-1000364", "CVE-2017-7308", "CVE-2017-12134", "CVE-2015-2686", "CVE-2017-1000363", "CVE-2014-9710", "CVE-2015-4167", "CVE-2017-9077", "CVE-2017-7542", "CVE-2017-1000365", "CVE-2016-10044", "CVE-2017-12190"], "lastseen": "2017-12-08T19:47:34"}], "centos": [{"id": "CESA-2017:2795", "type": "centos", "title": "kernel, perf, python security update", "description": "**CentOS Errata and Security Advisory** CESA-2017:2795\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253, Important)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-September/022548.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-firmware\nkernel-headers\nperf\npython-perf\n\n**Upstream details at:**\n", "published": "2017-09-27T16:35:50", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2017-September/022548.html", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-10-22T22:41:56"}], "thn": [{"id": "THN:6C4ABDA8F3CFB01CC2944D8B8B3D0B72", "type": "thn", "title": "2-Year-Old Linux Kernel Issue Resurfaces As High-Risk Flaw", "description": "[](<https://2.bp.blogspot.com/-_qjuUEOHSN0/Wcylifgam_I/AAAAAAAAARU/FuaqLZglwpY_NCrT7jegFjTx6xO9g41ngCLcBGAs/s1600/linux-kernel-hacking.png>)\n\nA bug in Linux kernel that was discovered two years ago, but was not considered a security threat at that time, has now been recognised as a potential local privilege escalation flaw. \n \nIdentified as CVE-2017-1000253, the bug was initially [discovered](<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a87938b2e246b81b4fb713edb371a9fa3c5c3c86>) by Google researcher Michael Davidson in April 2015. \n \nSince it was not recognised as a serious bug at that time, the patch for this kernel flaw was not backported to long-term Linux distributions in kernel 3.10.77. \n \nHowever, researchers at Qualys Research Labs has now found that this vulnerability could be exploited to escalate privileges and it affects all major Linux distributions, including Red Hat, Debian, and CentOS. \n \nThe vulnerability left \"all versions of CentOS 7 before 1708 (released on September 13, 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable,\" Qualys said in an [advisory](<https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-1000253.txt>) published yesterday. \n \nThe vulnerability, which has been given a CVSS3 Base Score of 7.8 out of 10, resides in the way Linux kernel loads ELF executables, which potentially results in memory corruption. \n \nResearchers find that an unprivileged local user with access to SUID (or otherwise privileged) Position Independent Executable (PIE) binary could use this vulnerability to escalate their privileges on the affected system. \n \nIn order to mitigate this issue, users can switch to the legacy mmap layout by setting vm.legacy_va_layout to 1, which will effectively disable the exploitation of this security flaw. \n \nSince the mmap allocations start much lower in the process address space and follow the bottom-up allocation model, \"the initial PIE executable mapping is far from the reserved stack area and cannot interfere with the stack.\" \n \nQualys says this flaw is not limited to the PIEs whose read-write segment is larger than 128MB, which is the minimum distance between the mmap_base and the highest address of the stack, not the lowest address of the stack. \n \nSo, when passing 1.5GB of argument strings to execve(), any PIE can be mapped directly below the stack and trigger the vulnerability. \n \nLinux distributions, including [Red Hat](<https://access.redhat.com/security/cve/CVE-2017-1000253>), [Debian](<https://security-tracker.debian.org/tracker/CVE-2017-1000253>), and [CentOS](<https://lists.centos.org/pipermail/centos-announce/2017-September/022532.html>), have released security updates to address the vulnerability. \n \nThe Qualys team has promised to publish a proof-of-concept soon exploit that works on CentOS-7 kernel versions \"3.10.0-514.21.2.el7.x86_64\" and \"3.10.0-514.26.1.el7.x86_64,\" once a maximum number of users have had time to patch their systems against the flaw. \n\n\n \n\n\n \nStay Tuned!\n", "published": "2017-09-27T20:52:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://thehackernews.com/2017/09/linux-kernel-hacking.html", "cvelist": ["CVE-2017-1000253"], "lastseen": "2017-09-29T13:59:16"}, {"id": "THN:004E66289E140230A54AEB25D3223C13", "type": "thn", "title": "2-Year-Old Linux Kernel Issue Resurfaces As High-Risk Flaw", "description": "[](<https://2.bp.blogspot.com/-_qjuUEOHSN0/Wcylifgam_I/AAAAAAAAARU/FuaqLZglwpY_NCrT7jegFjTx6xO9g41ngCLcBGAs/s1600/linux-kernel-hacking.png>)\n\nA bug in Linux kernel that was discovered two years ago, but was not considered a security threat at that time, has now been recognised as a potential local privilege escalation flaw. \n \nIdentified as CVE-2017-1000253, the bug was initially [discovered](<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a87938b2e246b81b4fb713edb371a9fa3c5c3c86>) by Google researcher Michael Davidson in April 2015. \n \nSince it was not recognised as a serious bug at that time, the patch for this kernel flaw was not backported to long-term Linux distributions in kernel 3.10.77. \n \nHowever, researchers at Qualys Research Labs has now found that this vulnerability could be exploited to escalate privileges and it affects all major Linux distributions, including Red Hat, Debian, and CentOS. \n \nThe vulnerability left \"all versions of CentOS 7 before 1708 (released on September 13, 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable,\" Qualys said in an [advisory](<https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-1000253.txt>) published yesterday. \n \nThe vulnerability, which has been given a CVSS3 Base Score of 7.8 out of 10, resides in the way Linux kernel loads ELF executables, which potentially results in memory corruption. \n \nResearchers find that an unprivileged local user with access to SUID (or otherwise privileged) Position Independent Executable (PIE) binary could use this vulnerability to escalate their privileges on the affected system. \n \nIn order to mitigate this issue, users can switch to the legacy mmap layout by setting vm.legacy_va_layout to 1, which will effectively disable the exploitation of this security flaw. \n \nSince the mmap allocations start much lower in the process address space and follow the bottom-up allocation model, \"the initial PIE executable mapping is far from the reserved stack area and cannot interfere with the stack.\" \n \nQualys says this flaw is not limited to the PIEs whose read-write segment is larger than 128MB, which is the minimum distance between the mmap_base and the highest address of the stack, not the lowest address of the stack. \n \nSo, when passing 1.5GB of argument strings to execve(), any PIE can be mapped directly below the stack and trigger the vulnerability. \n \nLinux distributions, including [Red Hat](<https://access.redhat.com/security/cve/CVE-2017-1000253>), [Debian](<https://security-tracker.debian.org/tracker/CVE-2017-1000253>), and [CentOS](<https://lists.centos.org/pipermail/centos-announce/2017-September/022532.html>), have released security updates to address the vulnerability. \n \nThe Qualys team has promised to publish a proof-of-concept soon exploit that works on CentOS-7 kernel versions \"3.10.0-514.21.2.el7.x86_64\" and \"3.10.0-514.26.1.el7.x86_64,\" once a maximum number of users have had time to patch their systems against the flaw. \n\n\n \n\n\n \nStay Tuned!\n", "published": "2017-09-27T20:52:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://thehackernews.com/2017/09/linux-kernel-hacking.html", "cvelist": ["CVE-2017-1000253"], "lastseen": "2018-01-27T09:17:54"}]}}
