Arch Linux Security Advisory ASA-201801-2
=========================================
Severity: High
Date : 2018-01-05
CVE-ID : CVE-2017-16995 CVE-2017-17449 CVE-2017-17558 CVE-2017-17712
CVE-2017-17805 CVE-2017-17806 CVE-2017-17862 CVE-2017-17863
CVE-2017-17864
Package : linux-lts
Type : multiple issues
Remote : No
Link : https://security.archlinux.org/AVG-561
Summary
=======
The package linux-lts before version 4.9.74-1 is vulnerable to multiple
issues including denial of service, privilege escalation and
information disclosure.
Resolution
==========
Upgrade to 4.9.74-1.
# pacman -Syu "linux-lts>=4.9.74-1"
The problems have been fixed upstream in version 4.9.74.
Workaround
==========
BPF related issues can be circumvented by disabling unprivileged BPF:
sysctl -w kernel.unprivileged_bpf_disabled=1
Description
===========
- CVE-2017-16995 (privilege escalation)
An arbitrary memory r/w access issue was found in the Linux kernel
before 4.14.9, 4.9.72 compiled with the eBPF bpf(2) system call
(CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation
errors in the eBPF verifier module, triggered by a user-supplied
malicious BPF program. An unprivileged user could use this flaw to
escalate their privileges on a system. Setting the parameter
"kernel.unprivileged_bpf_disabled=1" prevents such privilege escalation
by restricting access to the bpf(2) call.
- CVE-2017-17449 (information disclosure)
The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in
the Linux kernel before 4.14.11, 4.9.74, 4.4.109, 3.18.91 and 3.16.52
when CONFIG_NLMON is enabled, does not restrict observations of Netlink
messages to a single net namespace, which allows local users to obtain
sensitive information by leveraging the CAP_NET_ADMIN capability to
sniff an nlmon interface for all Netlink activity on the system.
- CVE-2017-17558 (denial of service)
The usb_destroy_configuration function in drivers/usb/core/config.c in
the USB core subsystem in the Linux kernel before 4.14.8, 4.9.71,
4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not consider the maximum
number of configurations and interfaces before attempting to release
resources, which allows local users to cause a denial of service (out-
of-bounds write access) or possibly have unspecified other impact via a
crafted USB device.
- CVE-2017-17712 (privilege escalation)
A flaw was found in the Linux kernel's implementation of raw_sendmsg
before 4.14.11, 4.4.109 and 4.9.74 allowing a local attacker to panic
the kernel or possibly leak kernel addresses. A local attacker, with
the privilege of creating raw sockets, can abuse a possible race
condition when setting the socket option to allow the kernel to
automatically create IP header values and thus potentially escalate
their privileges.
- CVE-2017-17805 (denial of service)
The Salsa20 encryption algorithm in the Linux kernel before 4.14.8,
4.9.71, 4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not correctly handle
zero-length inputs, allowing a local attacker able to use the AF_ALG-
based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a
denial of service (uninitialized-memory free and kernel crash) or have
unspecified other impact by executing a crafted sequence of system
calls that use the blkcipher_walk API. Both the generic implementation
(crypto/salsa20_generic.c) and x86 implementation
(arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.
- CVE-2017-17806 (denial of service)
The HMAC implementation (crypto/hmac.c) in the Linux kernel before
4.14.8, 4.9.71, 4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not validate
that the underlying cryptographic hash algorithm is unkeyed, allowing a
local attacker able to use the AF_ALG-based hash interface
(CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm
(CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by
executing a crafted sequence of system calls that encounter a missing
SHA-3 initialization.
- CVE-2017-17862 (denial of service)
It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 and 4.9.72 ignores unreachable code, even though it would
still be processed by JIT compilers. This behavior, also considered an
improper branch-pruning logic issue, could possibly be used by local
users for denial of service.
- CVE-2017-17863 (denial of service)
It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 and 4.9.72 does not check the relationship between
pointer values and the BPF stack, which allows local users to cause a
denial of service (integer overflow or invalid memory access) or
possibly have unspecified other impact.
- CVE-2017-17864 (information disclosure)
It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 and 4.9.73 mishandles states_equal comparisons between
the pointer data type and the UNKNOWN_VALUE data type, which allows
local users to obtain potentially sensitive address information, aka a
"pointer leak."
Impact
======
A local unprivileged attacker is able to escalate privileges, crash the
system or obtain sensitive information by sniffing an nlmon interface
for all Netlink activity on the system.
References
==========
https://bugs.chromium.org/p/project-zero/issues/detail?id=1454
http://www.openwall.com/lists/oss-security/2017/12/21/2
https://git.kernel.org/linus/95a762e2c8c942780948091f8f2a4f32fce1ac6f
https://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291
https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md
https://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
http://openwall.com/lists/oss-security/2017/12/12/7
https://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
https://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e
https://git.kernel.org/linus/af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1
https://git.kernel.org/linus/c131187db2d3fa2f8bf32fdf4e9a4ef805168467
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/com…
https://git.kernel.org/linus/de31796c052e47c99b1bb342bc70aa826733e862
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/com…
https://security.archlinux.org/CVE-2017-16995
https://security.archlinux.org/CVE-2017-17449
https://security.archlinux.org/CVE-2017-17558
https://security.archlinux.org/CVE-2017-17712
https://security.archlinux.org/CVE-2017-17805
https://security.archlinux.org/CVE-2017-17806
https://security.archlinux.org/CVE-2017-17862
https://security.archlinux.org/CVE-2017-17863
https://security.archlinux.org/CVE-2017-17864
Arch Linux Security Advisory ASA-201801-1
=========================================
Severity: High
Date : 2018-01-05
CVE-ID : CVE-2017-16995 CVE-2017-16996 CVE-2017-17449 CVE-2017-17558
CVE-2017-17712 CVE-2017-17805 CVE-2017-17806 CVE-2017-17852
CVE-2017-17853 CVE-2017-17854 CVE-2017-17855 CVE-2017-17856
CVE-2017-17857 CVE-2017-17862 CVE-2017-17863 CVE-2017-17864
CVE-2017-5754 CVE-2017-8824
Package : linux
Type : multiple issues
Remote : No
Link : https://security.archlinux.org/AVG-552
Summary
=======
The package linux before version 4.14.11-1 is vulnerable to multiple
issues including access restriction bypass, denial of service,
privilege escalation and information disclosure.
Resolution
==========
Upgrade to 4.14.11-1.
# pacman -Syu "linux>=4.14.11-1"
The problems have been fixed upstream in version 4.14.11.
Workaround
==========
BPF related issues can be circumvented by disabling unprivileged BPF:
sysctl -w kernel.unprivileged_bpf_disabled=1
On systems that do not already have the dccp module loaded,
CVE-2017-8824 can be mitigated by disabling it:
echo >> /etc/modprobe.d/disable-dccp.conf install dccp false
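The following script is an added example and is not part of either Arch advisory above. It turns the two workarounds (disabling unprivileged BPF, blocking the dccp module) and the "Upgrade to" resolutions of ASA-201801-1 and ASA-201801-2 into checks an administrator can run. The fixed versions 4.14.11-1 and 4.9.74-1 come from the advisories; the function names, the --audit flag, the assumption that uname -r has the form "4.14.11-1-ARCH" or "4.9.74-1-lts", and the constructed lsmod and modprobe.d snippets in the comments are this example's own. Each check takes its input as an argument so it can be exercised with constructed values; only audit() touches the live system.

```shell
#!/bin/sh
# Added example (not from the Arch advisory): audit helpers for the
# ASA-201801-1 / ASA-201801-2 resolutions and workarounds.

# version_ge A B: succeed when dotted numeric version A is >= B.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0};  bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    return 0
}

# kernel_fixed RUNNING FIXED: RUNNING is a `uname -r` string such as
# "4.14.11-1-ARCH" or "4.9.74-1-lts" (assumed layout: upstream-pkgrel-flavour);
# FIXED is the package version named in the advisory, e.g. "4.14.11-1".
# Note that uname -r reports the *running* kernel: after `pacman -Syu` the
# package is fixed but this check stays red until the machine is rebooted.
kernel_fixed() {
    running=$1; fixed=$2
    run_up=${running%%-*}; fix_up=${fixed%%-*}
    run_rel=0; fix_rel=0
    case $running in *-*) run_rel=${running#*-}; run_rel=${run_rel%%-*};; esac
    case $fixed   in *-*) fix_rel=${fixed#*-};   fix_rel=${fix_rel%%-*};; esac
    case $run_rel in *[!0-9]*|'') run_rel=0;; esac
    case $fix_rel in *[!0-9]*|'') fix_rel=0;; esac
    if ! version_ge "$run_up" "$fix_up"; then
        return 1                        # upstream version older than the fix
    elif version_ge "$fix_up" "$run_up"; then
        [ "$run_rel" -ge "$fix_rel" ]   # same upstream version: compare pkgrel
    else
        return 0                        # strictly newer upstream version
    fi
}

# bpf_unprivileged_disabled VALUE: VALUE is the content of
# /proc/sys/kernel/unprivileged_bpf_disabled. Non-zero means bpf(2) is
# refused for unprivileged users, i.e. the advisory's BPF workaround is active.
bpf_unprivileged_disabled() {
    case $1 in
        0|'') return 1;;
        *)    return 0;;
    esac
}

# dccp_blacklisted CONF: CONF is the concatenated text of /etc/modprobe.d/*.conf.
# Succeeds when the "install dccp false" override written by the advisory's
# workaround (or the /bin/false spelling) is present.
dccp_blacklisted() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*install[[:space:]]+dccp[[:space:]]+(/bin/)?false[[:space:]]*$'
}

# module_loaded NAME LSMOD: LSMOD is the output of lsmod(8); succeed when NAME
# appears in its first column. The install override only blocks future loads,
# so an already-loaded dccp module is still exposed.
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# audit: feed the checks from the live system (run as: sh audit.sh --audit).
audit() {
    running=$(uname -r)
    case $running in *-lts*) fixed=4.9.74-1;; *) fixed=4.14.11-1;; esac
    if kernel_fixed "$running" "$fixed"; then
        echo "kernel $running: fixed (>= $fixed)"
    else
        echo "kernel $running: NOT fixed, upgrade to $fixed and reboot"
    fi
    if bpf_unprivileged_disabled "$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null)"; then
        echo "unprivileged BPF: disabled (workaround active)"
    else
        echo "unprivileged BPF: enabled (set kernel.unprivileged_bpf_disabled=1 if not yet fixed)"
    fi
    if module_loaded dccp "$(lsmod)"; then
        echo "dccp: module already loaded; the modprobe install override does not unload it"
    elif dccp_blacklisted "$(cat /etc/modprobe.d/*.conf 2>/dev/null)"; then
        echo "dccp: install override present (workaround active)"
    else
        echo "dccp: not loaded and not blocked"
    fi
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

The version comparison deliberately splits the pkgrel off the upstream version so that 4.14.11-1 is accepted while 4.14.11-0 is not, mirroring the `linux>=4.14.11-1` constraint given to pacman. The dccp check only accepts the install-to-false form the advisory writes, because an `install` line that re-invokes modprobe would still load the module.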
Description
===========
- CVE-2017-16995 (privilege escalation)
An arbitrary memory r/w access issue was found in the Linux kernel
before 4.14.9, 4.9.72 compiled with the eBPF bpf(2) system call
(CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation
errors in the eBPF verifier module, triggered by a user-supplied
malicious BPF program. An unprivileged user could use this flaw to
escalate their privileges on a system. Setting the parameter
"kernel.unprivileged_bpf_disabled=1" prevents such privilege escalation
by restricting access to the bpf(2) call.
- CVE-2017-16996 (privilege escalation)
An arbitrary memory r/w access issue was found in the Linux kernel
before 4.14.9 compiled with the eBPF bpf(2) system call
(CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation
errors in the eBPF verifier module, triggered by a user-supplied
malicious BPF program. An unprivileged user could use this flaw to
escalate their privileges on a system. Setting the parameter
"kernel.unprivileged_bpf_disabled=1" prevents such privilege escalation
by restricting access to the bpf(2) call.
- CVE-2017-17449 (information disclosure)
The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in
the Linux kernel before 4.14.11, 4.9.74, 4.4.109, 3.18.91 and 3.16.52
when CONFIG_NLMON is enabled, does not restrict observations of Netlink
messages to a single net namespace, which allows local users to obtain
sensitive information by leveraging the CAP_NET_ADMIN capability to
sniff an nlmon interface for all Netlink activity on the system.
- CVE-2017-17558 (denial of service)
The usb_destroy_configuration function in drivers/usb/core/config.c in
the USB core subsystem in the Linux kernel before 4.14.8, 4.9.71,
4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not consider the maximum
number of configurations and interfaces before attempting to release
resources, which allows local users to cause a denial of service (out-
of-bounds write access) or possibly have unspecified other impact via a
crafted USB device.
- CVE-2017-17712 (privilege escalation)
A flaw was found in the Linux kernel's implementation of raw_sendmsg
before 4.14.11, 4.4.109 and 4.9.74 allowing a local attacker to panic
the kernel or possibly leak kernel addresses. A local attacker, with
the privilege of creating raw sockets, can abuse a possible race
condition when setting the socket option to allow the kernel to
automatically create IP header values and thus potentially escalate
their privileges.
- CVE-2017-17805 (denial of service)
The Salsa20 encryption algorithm in the Linux kernel before 4.14.8,
4.9.71, 4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not correctly handle
zero-length inputs, allowing a local attacker able to use the AF_ALG-
based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a
denial of service (uninitialized-memory free and kernel crash) or have
unspecified other impact by executing a crafted sequence of system
calls that use the blkcipher_walk API. Both the generic implementation
(crypto/salsa20_generic.c) and x86 implementation
(arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.
- CVE-2017-17806 (denial of service)
The HMAC implementation (crypto/hmac.c) in the Linux kernel before
4.14.8, 4.9.71, 4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not validate
that the underlying cryptographic hash algorithm is unkeyed, allowing a
local attacker able to use the AF_ALG-based hash interface
(CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm
(CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by
executing a crafted sequence of system calls that encounter a missing
SHA-3 initialization.
- CVE-2017-17852 (denial of service)
It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 allows local users to cause a denial of service (memory
corruption) or possibly have unspecified other impact by leveraging
mishandling of 32-bit ALU ops.
- CVE-2017-17853 (denial of service)
It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 allows local users to cause a denial of service (memory
corruption) or possibly have unspecified other impact by leveraging
incorrect BPF_RSH signed bounds calculations.
- CVE-2017-17854 (denial of service)
It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 allows local users to cause a denial of service (integer
overflow and memory corruption) or possibly have unspecified other
impact by leveraging unrestricted integer values for pointer
arithmetic.
- CVE-2017-17855 (denial of service)
It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 allows local users to cause a denial of service (memory
corruption) or possibly have unspecified other impact by leveraging
improper use of pointers in place of scalars.
- CVE-2017-17856 (denial of service)
It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 allows local users to cause a denial of service (memory
corruption) or possibly have unspecified other impact by leveraging the
lack of stack-pointer alignment enforcement.
- CVE-2017-17857 (denial of service)
The check_stack_boundary function in kernel/bpf/verifier.c in the Linux
kernel before 4.14.9 allows local users to cause a denial of service
(memory corruption) or possibly have unspecified other impact by
leveraging mishandling of invalid variable stack read operations.
- CVE-2017-17862 (denial of service)
It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 and 4.9.72 ignores unreachable code, even though it would
still be processed by JIT compilers. This behavior, also considered an
improper branch-pruning logic issue, could possibly be used by local
users for denial of service.
- CVE-2017-17863 (denial of service)
It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 and 4.9.72 does not check the relationship between
pointer values and the BPF stack, which allows local users to cause a
denial of service (integer overflow or invalid memory access) or
possibly have unspecified other impact.
- CVE-2017-17864 (information disclosure)
It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 and 4.9.73 mishandles states_equal comparisons between
the pointer data type and the UNKNOWN_VALUE data type, which allows
local users to obtain potentially sensitive address information, aka a
"pointer leak."
- CVE-2017-5754 (access restriction bypass)
An industry-wide issue was found in the way many modern microprocessor
designs have implemented speculative execution of instructions (a
commonly used performance optimization).
This variant ("Rogue Data Load") relies on the fact that, on impacted
microprocessors, during speculative execution of instruction permission
faults, exception generation triggered by a faulting access is
suppressed until the retirement of the whole instruction block. In a
combination with the fact that memory accesses may populate the cache
even when the block is being dropped and never committed (executed), an
unprivileged local attacker could use this flaw to read memory from
arbitrary addresses, including privileged (kernel space) and all other
processes running on the system by conducting targeted cache side-
channel attacks.
- CVE-2017-8824 (privilege escalation)
A use-after-free vulnerability was found in DCCP socket code affecting
the Linux kernel since 2.6.16. The dccp_disconnect function in
net/dccp/proto.c allows local users to gain privileges or cause a
denial of service via an AF_UNSPEC connect system call during the
DCCP_LISTEN state.
Impact
======
A local unprivileged attacker is able to escalate privileges, crash the
system, read memory from arbitrary addresses including from the kernel
and all other processes running on the system or obtain sensitive
information by sniffing an nlmon interface for all Netlink activity on
the system.
References
==========
https://bugs.archlinux.org/task/56832
https://bugs.chromium.org/p/project-zero/issues/detail?id=1454
http://www.openwall.com/lists/oss-security/2017/12/21/2
https://git.kernel.org/linus/95a762e2c8c942780948091f8f2a4f32fce1ac6f
https://git.kernel.org/linus/0c17d1d2c61936401f4702e1846e2c19b200f958
https://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291
https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md
https://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
http://openwall.com/lists/oss-security/2017/12/12/7
https://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
https://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e
https://git.kernel.org/linus/af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1
https://git.kernel.org/linus/468f6eafa6c44cb2c5d8aad35e12f06c240a812a
https://git.kernel.org/linus/4374f256ce8182019353c0c639bb8d0695b4c941
https://git.kernel.org/linus/bb7f0f989ca7de1153bd128a40a71709e339fa03
https://git.kernel.org/linus/179d1c5602997fef5a940c6ddcf31212cbfebd14
https://git.kernel.org/linus/a5ec6ae161d72f01411169a938fa5f8baea16e8f
https://git.kernel.org/linus/ea25f914dc164c8d56b36147ecc86bc65f83c469
https://git.kernel.org/linus/c131187db2d3fa2f8bf32fdf4e9a4ef805168467
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/com…
https://git.kernel.org/linus/de31796c052e47c99b1bb342bc70aa826733e862
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/com…
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-wi…
https://meltdownattack.com
https://xenbits.xen.org/xsa/advisory-254.html
http://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html
https://git.kernel.org/linus/5aa90a84589282b87666f92b6c3c917c8080a9bf
https://git.kernel.org/linus/00a5ae218d57741088068799b810416ac249a9ce
https://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76
https://security.archlinux.org/CVE-2017-16995
https://security.archlinux.org/CVE-2017-16996
https://security.archlinux.org/CVE-2017-17449
https://security.archlinux.org/CVE-2017-17558
https://security.archlinux.org/CVE-2017-17712
https://security.archlinux.org/CVE-2017-17805
https://security.archlinux.org/CVE-2017-17806
https://security.archlinux.org/CVE-2017-17852
https://security.archlinux.org/CVE-2017-17853
https://security.archlinux.org/CVE-2017-17854
https://security.archlinux.org/CVE-2017-17855
https://security.archlinux.org/CVE-2017-17856
https://security.archlinux.org/CVE-2017-17857
https://security.archlinux.org/CVE-2017-17862
https://security.archlinux.org/CVE-2017-17863
https://security.archlinux.org/CVE-2017-17864
https://security.archlinux.org/CVE-2017-5754
https://security.archlinux.org/CVE-2017-8824