Arch Linux Security Advisory ASA-201801-2
=========================================

Severity: High
Date    : 2018-01-05
CVE-ID  : CVE-2017-16995 CVE-2017-17449 CVE-2017-17558 CVE-2017-17712
          CVE-2017-17805 CVE-2017-17806 CVE-2017-17862 CVE-2017-17863
          CVE-2017-17864
Package : linux-lts
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-561

Summary
=======

The package linux-lts before version 4.9.74-1 is vulnerable to multiple
issues including denial of service, privilege escalation and information
disclosure.

Resolution
==========

Upgrade to 4.9.74-1.

# pacman -Syu "linux-lts>=4.9.74-1"

The problems have been fixed upstream in version 4.9.74.

Workaround
==========

BPF related issues can be circumvented by disabling unprivileged BPF:

sysctl -w kernel.unprivileged_bpf_disabled=1

Description
===========

- CVE-2017-16995 (privilege escalation)

An arbitrary memory r/w access issue was found in the Linux kernel before
4.14.9, 4.9.72 compiled with the eBPF bpf(2) system call
(CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation
errors in the eBPF verifier module, triggered by user supplied malicious
BPF program. An unprivileged user could use this flaw to escalate their
privileges on a system. Setting parameter
"kernel.unprivileged_bpf_disabled=1" prevents such privilege escalation by
restricting access to bpf(2) call.

- CVE-2017-17449 (information disclosure)

The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the
Linux kernel before 4.14.11, 4.9.74, 4.4.109, 3.18.91 and 3.16.52 when
CONFIG_NLMON is enabled, does not restrict observations of Netlink
messages to a single net namespace, which allows local users to obtain
sensitive information by leveraging the CAP_NET_ADMIN capability to sniff
an nlmon interface for all Netlink activity on the system.
- CVE-2017-17558 (denial of service)

The usb_destroy_configuration function in drivers/usb/core/config.c in the
USB core subsystem in the Linux kernel before 4.14.8, 4.9.71, 4.4.107,
3.18.89, 3.16.52 and 3.2.97 does not consider the maximum number of
configurations and interfaces before attempting to release resources,
which allows local users to cause a denial of service (out-of-bounds write
access) or possibly have unspecified other impact via a crafted USB
device.

- CVE-2017-17712 (privilege escalation)

A flaw was found in the Linux kernel's implementation of raw_sendmsg
before 4.14.11, 4.4.109 and 4.9.74 allowing a local attacker to panic the
kernel or possibly leak kernel addresses. A local attacker, with the
privilege of creating raw sockets, can abuse a possible race condition
when setting the socket option to allow the kernel to automatically create
ip header values and thus potentially escalate their privileges.

- CVE-2017-17805 (denial of service)

The Salsa20 encryption algorithm in the Linux kernel before 4.14.8, 4.9.71,
4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not correctly handle zero-length
inputs, allowing a local attacker able to use the AF_ALG-based skcipher
interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service
(uninitialized-memory free and kernel crash) or have unspecified other
impact by executing a crafted sequence of system calls that use the
blkcipher_walk API. Both the generic implementation
(crypto/salsa20_generic.c) and x86 implementation
(arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.
- CVE-2017-17806 (denial of service)

The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8,
4.9.71, 4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not validate that the
underlying cryptographic hash algorithm is unkeyed, allowing a local
attacker able to use the AF_ALG-based hash interface
(CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm
(CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing
a crafted sequence of system calls that encounter a missing SHA-3
initialization.

- CVE-2017-17862 (denial of service)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 and 4.9.72 ignores unreachable code, even though it would
still be processed by JIT compilers. This behavior, also considered an
improper branch-pruning logic issue, could possibly be used by local users
for denial of service.

- CVE-2017-17863 (denial of service)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 and 4.9.72 does not check the relationship between pointer
values and the BPF stack, which allows local users to cause a denial of
service (integer overflow or invalid memory access) or possibly have
unspecified other impact.

- CVE-2017-17864 (information disclosure)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 and 4.9.73 mishandles states_equal comparisons between the
pointer data type and the UNKNOWN_VALUE data type, which allows local
users to obtain potentially sensitive address information, aka a "pointer
leak."

Impact
======

A local unprivileged attacker is able to escalate privileges, crash the
system or obtain sensitive information by sniffing an nlmon interface for
all Netlink activity on the system.
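As an added example (not part of the advisory), a small POSIX shell check that ties the Resolution and Workaround sections together: it decides from an installed linux-lts version whether the 4.9.74-1 fix is present and, if not, whether the kernel.unprivileged_bpf_disabled workaround is in place. The optional live check at the end assumes an Arch host with pacman; the rest is self-contained.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify a host against
# ASA-201801-2 from its linux-lts package version and the value of
# kernel.unprivileged_bpf_disabled. Assumes Arch-style numeric versions.

FIXED_VERSION="4.9.74-1"   # fixed version from the Resolution section

# vercmp_lt A B: succeed (exit 0) if A is older than B. The pkgrel after
# '-' is compared last; all components are assumed numeric.
vercmp_lt() {
    a=$(printf '%s' "$1" | sed 's/-/./g')
    b=$(printf '%s' "$2" | sed 's/-/./g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$a" = "$ai" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=""; else b=${b#*.}; fi
        : "${ai:=0}" "${bi:=0}"      # missing component counts as 0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1                         # equal versions are not "older"
}

# assess VERSION SYSCTL_VALUE: print one of
#   patched                  - version >= 4.9.74-1
#   vulnerable-bpf-mitigated - older kernel, unprivileged bpf(2) disabled;
#                              this covers only the four BPF verifier CVEs
#   vulnerable-unmitigated   - older kernel, bpf(2) open to unprivileged users
assess() {
    if ! vercmp_lt "$1" "$FIXED_VERSION"; then
        echo "patched"
    elif [ "${2:-0}" -ne 0 ]; then
        echo "vulnerable-bpf-mitigated"
    else
        echo "vulnerable-unmitigated"
    fi
}

# Live check on an Arch host; skipped where pacman or the sysctl is absent.
if command -v pacman >/dev/null 2>&1 &&
   [ -r /proc/sys/kernel/unprivileged_bpf_disabled ]; then
    installed=$(pacman -Q linux-lts 2>/dev/null | awk '{print $2}')
    if [ -n "$installed" ]; then
        bpf=$(cat /proc/sys/kernel/unprivileged_bpf_disabled)
        echo "linux-lts $installed (unprivileged_bpf_disabled=$bpf): $(assess "$installed" "$bpf")"
    fi
fi
```

The sysctl only closes the bpf(2) attack surface; the netlink, USB, raw_sendmsg and crypto issues listed above are fixed only by the kernel update.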
References
==========

https://bugs.chromium.org/p/project-zero/issues/detail?id=1454
http://www.openwall.com/lists/oss-security/2017/12/21/2
https://git.kernel.org/linus/95a762e2c8c942780948091f8f2a4f32fce1ac6f
https://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291
https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md
https://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
http://openwall.com/lists/oss-security/2017/12/12/7
https://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
https://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e
https://git.kernel.org/linus/af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1
https://git.kernel.org/linus/c131187db2d3fa2f8bf32fdf4e9a4ef805168467
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/comm...
https://git.kernel.org/linus/de31796c052e47c99b1bb342bc70aa826733e862
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/comm...
https://security.archlinux.org/CVE-2017-16995
https://security.archlinux.org/CVE-2017-17449
https://security.archlinux.org/CVE-2017-17558
https://security.archlinux.org/CVE-2017-17712
https://security.archlinux.org/CVE-2017-17805
https://security.archlinux.org/CVE-2017-17806
https://security.archlinux.org/CVE-2017-17862
https://security.archlinux.org/CVE-2017-17863
https://security.archlinux.org/CVE-2017-17864