[arch-security] [ASA-201709-8] linux-lts: arbitrary code execution
Levente Polyak
anthraxx at archlinux.org
Thu Sep 14 15:43:29 UTC 2017

Arch Linux Security Advisory ASA-201709-8
=========================================

Severity: High
Date    : 2017-09-14
CVE-ID  : CVE-2017-1000251
Package : linux-lts
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-393

Summary
=======

The package linux-lts before version 4.9.49-2 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 4.9.49-2.

# pacman -Syu "linux-lts>=4.9.49-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

A stack buffer overflow flaw was found in the way the Bluetooth
subsystem of the Linux kernel processed pending L2CAP configuration
responses from a client. On systems with the stack protection feature
enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on
all architectures), an unauthenticated attacker able to initiate a
connection to a system via Bluetooth could use this flaw to crash the
system. Due to the nature of the stack protection feature, code
execution cannot be fully ruled out, although it is unlikely. On
systems without the stack protection feature, an unauthenticated
attacker able to initiate a connection to a system via Bluetooth could
use this flaw to remotely execute arbitrary code on the system with
ring 0 (kernel) privileges.

Impact
======

An unauthenticated attacker able to initiate a connection via Bluetooth
is able to crash the system or possibly execute arbitrary code.

References
==========

https://bugs.archlinux.org/task/55601
https://git.kernel.org/linus/e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3
https://www.armis.com/blueborne/
https://security.archlinux.org/CVE-2017-1000251
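
A host triage check for the Resolution and Description sections above, as an added example that is not part of the original advisory. It assumes `uname -r` for this package ends in `-lts`, that the kernel exposes /proc/config.gz, and that GNU `sort -V` is an acceptable stand-in when pacman's `vercmp` is missing; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: triage a host against ASA-201709-8 (CVE-2017-1000251).
FIXED="4.9.49-2"   # first fixed linux-lts version, taken from the advisory

# ver_lt A B: succeed if version A sorts before B. Uses pacman's vercmp when
# present; otherwise falls back to GNU `sort -V` (an approximation).
ver_lt() {
    [ "$1" = "$2" ] && return 1
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -lt 0 ]
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# asa_status INSTALLED RUNNING: print one status word.
#   INSTALLED  linux-lts package version ("" if the package is absent)
#   RUNNING    `uname -r` output; assumed to look like "4.9.49-2-lts"
asa_status() {
    installed=$1
    running=$2
    if [ -z "$installed" ]; then echo not-installed; return 0; fi
    if ver_lt "$installed" "$FIXED"; then echo vulnerable; return 0; fi
    case $running in
        *-lts)  # package is fixed, but the booted LTS kernel may predate it
            if ver_lt "${running%-lts}" "$FIXED"; then
                echo reboot-needed; return 0
            fi ;;
    esac
    echo patched
}

# stack_protector: read kernel config text on stdin, print on/off.
stack_protector() {
    if grep -q '^CONFIG_CC_STACKPROTECTOR=y'; then echo on; else echo off; fi
}

# Live check; skipped on hosts without pacman.
if command -v pacman >/dev/null 2>&1; then
    inst=$(pacman -Q linux-lts 2>/dev/null | awk '{print $2}')
    echo "linux-lts: $(asa_status "$inst" "$(uname -r)")"
    if [ -r /proc/config.gz ]; then   # assumes CONFIG_IKCONFIG_PROC
        echo "stack protector: $(zcat /proc/config.gz | stack_protector)"
    fi
fi
```

A `reboot-needed` result means the fixed package is installed but the booted LTS kernel is still an older build, so the host stays exposed until it restarts into the new kernel.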