[manjaro-security] [ASA-201801-3] linux-zen: multiple issues

Levente Polyak anthraxx at archlinux.org
Fri Jan 5 18:53:55 CET 2018


Arch Linux Security Advisory ASA-201801-3
=========================================

Severity: High
Date    : 2018-01-05
CVE-ID  : CVE-2017-16995 CVE-2017-16996 CVE-2017-17449 CVE-2017-17558
          CVE-2017-17712 CVE-2017-17805 CVE-2017-17806 CVE-2017-17852
          CVE-2017-17853 CVE-2017-17854 CVE-2017-17855 CVE-2017-17856
          CVE-2017-17857 CVE-2017-17862 CVE-2017-17863 CVE-2017-17864
          CVE-2017-5754 CVE-2017-8824
Package : linux-zen
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-571

Summary
=======

The package linux-zen before version 4.14.11-1 is vulnerable to
multiple issues including access restriction bypass, denial of service,
privilege escalation and information disclosure.

Resolution
==========

Upgrade to 4.14.11-1.

# pacman -Syu "linux-zen>=4.14.11-1"

The problems have been fixed upstream in version 4.14.11.

Workaround
==========

BPF related issues can be circumvented by disabling unprivileged BPF:

    sysctl -w kernel.unprivileged_bpf_disabled=1

On systems that do not already have the dccp module loaded,
CVE-2017-8824 can be mitigated by disabling it:

    echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

Description
===========

- CVE-2017-16995 (privilege escalation)

An arbitrary memory r/w access issue was found in the Linux kernel
before 4.14.9, 4.9.72 compiled with the eBPF bpf(2) system call
(CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation
errors in the eBPF verifier module, triggered by user supplied
malicious BPF program. An unprivileged user could use this flaw to
escalate their privileges on a system. Setting parameter
"kernel.unprivileged_bpf_disabled=1" prevents such privilege escalation
by restricting access to bpf(2) call.

- CVE-2017-16996 (privilege escalation)

An arbitrary memory r/w access issue was found in the Linux kernel
before 4.14.9 compiled with the eBPF bpf(2) system call
(CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation
errors in the eBPF verifier module, triggered by user supplied
malicious BPF program. An unprivileged user could use this flaw to
escalate their privileges on a system. Setting parameter
"kernel.unprivileged_bpf_disabled=1" prevents such privilege escalation
by restricting access to bpf(2) call.

- CVE-2017-17449 (information disclosure)

The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in
the Linux kernel before 4.14.11, 4.9.74, 4.4.109, 3.18.91 and 3.16.52
when CONFIG_NLMON is enabled, does not restrict observations of Netlink
messages to a single net namespace, which allows local users to obtain
sensitive information by leveraging the CAP_NET_ADMIN capability to
sniff an nlmon interface for all Netlink activity on the system.

- CVE-2017-17558 (denial of service)

The usb_destroy_configuration function in drivers/usb/core/config.c in
the USB core subsystem in the Linux kernel before 4.14.8, 4.9.71,
4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not consider the maximum
number of configurations and interfaces before attempting to release
resources, which allows local users to cause a denial of service (out-
of-bounds write access) or possibly have unspecified other impact via a
crafted USB device.

- CVE-2017-17712 (privilege escalation)

A flaw was found in the Linux kernel's implementation of raw_sendmsg
before 4.14.11, 4.4.109 and 4.9.74 allowing a local attacker to panic
the kernel or possibly leak kernel addresses. A local attacker, with
the privilege of creating raw sockets, can abuse a possible race
condition when setting the socket option to allow the kernel to
automatically create ip header values and thus potentially escalate
their privileges.

- CVE-2017-17805 (denial of service)

The Salsa20 encryption algorithm in the Linux kernel before 4.14.8,
4.9.71, 4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not correctly handle
zero-length inputs, allowing a local attacker able to use the AF_ALG-
based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a
denial of service (uninitialized-memory free and kernel crash) or have
unspecified other impact by executing a crafted sequence of system
calls that use the blkcipher_walk API. Both the generic implementation
(crypto/salsa20_generic.c) and x86 implementation
(arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.

- CVE-2017-17806 (denial of service)

The HMAC implementation (crypto/hmac.c) in the Linux kernel before
4.14.8, 4.9.71, 4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not validate
that the underlying cryptographic hash algorithm is unkeyed, allowing a
local attacker able to use the AF_ALG-based hash interface
(CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm
(CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by
executing a crafted sequence of system calls that encounter a missing
SHA-3 initialization.

- CVE-2017-17852 (denial of service)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 allows local users to cause a denial of service (memory
corruption) or possibly have unspecified other impact by leveraging
mishandling of 32-bit ALU ops.

- CVE-2017-17853 (denial of service)

It has been discovered kernel/bpf/verifier.c in the Linux kernel before
4.14.9 allows local users to cause a denial of service (memory
corruption) or possibly have unspecified other impact by leveraging
incorrect BPF_RSH signed bounds calculations.

- CVE-2017-17854 (denial of service)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 allows local users to cause a denial of service (integer
overflow and memory corruption) or possibly have unspecified other
impact by leveraging unrestricted integer values for pointer
arithmetic.

- CVE-2017-17855 (denial of service)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 allows local users to cause a denial of service (memory
corruption) or possibly have unspecified other impact by leveraging
improper use of pointers in place of scalars.

- CVE-2017-17856 (denial of service)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 allows local users to cause a denial of service (memory
corruption) or possibly have unspecified other impact by leveraging the
lack of stack-pointer alignment enforcement.

- CVE-2017-17857 (denial of service)

The check_stack_boundary function in kernel/bpf/verifier.c in the Linux
kernel before 4.14.9 allows local users to cause a denial of service
(memory corruption) or possibly have unspecified other impact by
leveraging mishandling of invalid variable stack read operations.

- CVE-2017-17862 (denial of service)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 and 4.9.72 ignore unreachable code, even though it would
still be processed by JIT compilers. This behavior, also considered an
improper branch-pruning logic issue, could possibly be used by local
users for denial of service.

- CVE-2017-17863 (denial of service)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 and 4.9.72 does not check the relationship between
pointer values and the BPF stack, which allows local users to cause a
denial of service (integer overflow or invalid memory access) or
possibly have unspecified other impact.

- CVE-2017-17864 (information disclosure)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 and 4.9.73 mishandles states_equal comparisons between
the pointer data type and the UNKNOWN_VALUE data type, which allows
local users to obtain potentially sensitive address information, aka a
"pointer leak."

- CVE-2017-5754 (access restriction bypass)

An industry-wide issue was found in the way many modern microprocessor
designs have implemented speculative execution of instructions (a
commonly used performance optimization).
This variant ("Rogue Data Load") relies on the fact that, on impacted
microprocessors, during speculative execution of instruction permission
faults, exception generation triggered by a faulting access is
suppressed until the retirement of the whole instruction block. In a
combination with the fact that memory accesses may populate the cache
even when the block is being dropped and never committed (executed), an
unprivileged local attacker could use this flaw to read memory from
arbitrary addresses, including privileged (kernel space) and all other
processes running on the system by conducting targeted cache side-
channel attacks.

- CVE-2017-8824 (privilege escalation)

A use-after-free vulnerability was found in DCCP socket code affecting
the Linux kernel since 2.6.16. The dccp_disconnect function in
net/dccp/proto.c allows local users to gain privileges or cause a
denial of service via an AF_UNSPEC connect system call during the
DCCP_LISTEN state.

Impact
======

A local unprivileged attacker is able to escalate privileges, crash the
system, read memory from arbitrary addresses including from the kernel
and all other processes running on the system or obtain sensitive
information by sniffing an nlmon interface for all Netlink activity on
the system.

References
==========

https://bugs.archlinux.org/task/56832
https://bugs.chromium.org/p/project-zero/issues/detail?id=1454
http://www.openwall.com/lists/oss-security/2017/12/21/2
https://git.kernel.org/linus/95a762e2c8c942780948091f8f2a4f32fce1ac6f
https://git.kernel.org/linus/0c17d1d2c61936401f4702e1846e2c19b200f958
https://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291
https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md
https://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
http://openwall.com/lists/oss-security/2017/12/12/7
https://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
https://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e
https://git.kernel.org/linus/af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1
https://git.kernel.org/linus/468f6eafa6c44cb2c5d8aad35e12f06c240a812a
https://git.kernel.org/linus/4374f256ce8182019353c0c639bb8d0695b4c941
https://git.kernel.org/linus/bb7f0f989ca7de1153bd128a40a71709e339fa03
https://git.kernel.org/linus/179d1c5602997fef5a940c6ddcf31212cbfebd14
https://git.kernel.org/linus/a5ec6ae161d72f01411169a938fa5f8baea16e8f
https://git.kernel.org/linus/ea25f914dc164c8d56b36147ecc86bc65f83c469
https://git.kernel.org/linus/c131187db2d3fa2f8bf32fdf4e9a4ef805168467
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=d75d3ee237cee9068022117e059b64bbab617f3d
https://git.kernel.org/linus/de31796c052e47c99b1bb342bc70aa826733e862
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=37435f7e80ef9adc32a69013c18f135e3f434244
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
https://meltdownattack.com
https://xenbits.xen.org/xsa/advisory-254.html
http://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html
https://git.kernel.org/linus/5aa90a84589282b87666f92b6c3c917c8080a9bf
https://git.kernel.org/linus/00a5ae218d57741088068799b810416ac249a9ce
https://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76
https://security.archlinux.org/CVE-2017-16995
https://security.archlinux.org/CVE-2017-16996
https://security.archlinux.org/CVE-2017-17449
https://security.archlinux.org/CVE-2017-17558
https://security.archlinux.org/CVE-2017-17712
https://security.archlinux.org/CVE-2017-17805
https://security.archlinux.org/CVE-2017-17806
https://security.archlinux.org/CVE-2017-17852
https://security.archlinux.org/CVE-2017-17853
https://security.archlinux.org/CVE-2017-17854
https://security.archlinux.org/CVE-2017-17855
https://security.archlinux.org/CVE-2017-17856
https://security.archlinux.org/CVE-2017-17857
https://security.archlinux.org/CVE-2017-17862
https://security.archlinux.org/CVE-2017-17863
https://security.archlinux.org/CVE-2017-17864
https://security.archlinux.org/CVE-2017-5754
https://security.archlinux.org/CVE-2017-8824

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 866 bytes
Desc: OpenPGP digital signature
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20180105/222a0a61/attachment-0001.sig>


More information about the manjaro-security mailing list