[ASA-201801-2] linux-lts: multiple issues

Levente Polyak anthraxx at archlinux.org
Fri Jan 5 17:27:15 UTC 2018


Arch Linux Security Advisory ASA-201801-2
=========================================

Severity: High
Date    : 2018-01-05
CVE-ID  : CVE-2017-16995 CVE-2017-17449 CVE-2017-17558 CVE-2017-17712
          CVE-2017-17805 CVE-2017-17806 CVE-2017-17862 CVE-2017-17863
          CVE-2017-17864
Package : linux-lts
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-561

Summary
=======

The package linux-lts before version 4.9.74-1 is vulnerable to multiple
issues including denial of service, privilege escalation and
information disclosure.

Resolution
==========

Upgrade to 4.9.74-1.

# pacman -Syu "linux-lts>=4.9.74-1"

The problems have been fixed upstream in version 4.9.74.

Workaround
==========

BPF related issues can be circumvented by disabling unprivileged BPF:

    sysctl -w kernel.unprivileged_bpf_disabled=1
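
The following POSIX shell script is an added example, not part of the
advisory or the Arch Linux packaging. It checks a host against this
advisory: whether the running kernel release is at or above the fixed
upstream version 4.9.74, and whether the workaround above
(kernel.unprivileged_bpf_disabled set to a non-zero value) is in effect.
It assumes `uname -r` reports a release such as "4.9.74-1-lts" and that
the sysctl is exposed at /proc/sys/kernel/unprivileged_bpf_disabled;
the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the advisory): host check for ASA-201801-2.

FIXED_VERSION="4.9.74"   # fixed upstream release named in the advisory
SYSCTL_FILE="/proc/sys/kernel/unprivileged_bpf_disabled"   # assumed path

# version_ge A B: exit 0 when the numeric x.y.z part of A is >= that of B.
# A package suffix such as "-1-lts" is stripped before comparing.
version_ge() {
    a=${1%%[!0-9.]*}
    b=${2%%[!0-9.]*}
    oldifs=$IFS; IFS=.
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        if [ "$1" -gt "$2" ]; then return 0; fi
        if [ "$1" -lt "$2" ]; then return 1; fi
    done
    return 0   # all three components equal
}

# bpf_workaround_active [FILE]: exit 0 when the sysctl holds a non-zero
# value (unprivileged bpf(2) disabled), 1 when it is 0, 2 when the file
# is absent, unreadable or holds something unexpected.
bpf_workaround_active() {
    f=${1:-$SYSCTL_FILE}
    [ -r "$f" ] || return 2
    read -r v < "$f" || return 2
    case $v in
        0)      return 1 ;;
        [1-9]*) return 0 ;;
        *)      return 2 ;;
    esac
}

# host_report: print the result for the running kernel.
# Exit 0 when patched, 1 when only the BPF workaround is active
# (the non-BPF issues in the advisory remain), 2 when neither holds.
host_report() {
    rel=$(uname -r)
    if version_ge "$rel" "$FIXED_VERSION"; then
        echo "kernel $rel: at or above fixed release $FIXED_VERSION"
        return 0
    fi
    echo "kernel $rel: below fixed release $FIXED_VERSION; upgrade linux-lts"
    if bpf_workaround_active; then
        echo "workaround active: kernel.unprivileged_bpf_disabled is non-zero"
        echo "note: this mitigates only the BPF issues in the advisory"
        return 1
    fi
    echo "workaround not active: sysctl -w kernel.unprivileged_bpf_disabled=1"
    echo "(persist it under /etc/sysctl.d/ so it survives a reboot)"
    return 2
}

# Run the report only when asked, so the functions can be sourced/tested.
case "${1:-}" in
    --check) host_report ;;
esac
```

Run it as `sh check_asa.sh --check`; the exit status makes it usable from
a configuration-management or monitoring job.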

Description
===========

- CVE-2017-16995 (privilege escalation)

An arbitrary memory read/write issue was found in the Linux kernel
before 4.14.9 and 4.9.72 when compiled with support for the eBPF bpf(2)
system call (CONFIG_BPF_SYSCALL). The issue is caused by calculation
errors in the eBPF verifier module, triggered by a user-supplied
malicious BPF program. An unprivileged user could use this flaw to
escalate their privileges on the system. Setting the parameter
"kernel.unprivileged_bpf_disabled=1" prevents such privilege escalation
by restricting access to the bpf(2) call.

- CVE-2017-17449 (information disclosure)

The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in
the Linux kernel before 4.14.11, 4.9.74, 4.4.109, 3.18.91 and 3.16.52,
when CONFIG_NLMON is enabled, does not restrict observation of Netlink
messages to a single net namespace, which allows local users to obtain
sensitive information by leveraging the CAP_NET_ADMIN capability to
sniff an nlmon interface for all Netlink activity on the system.

- CVE-2017-17558 (denial of service)

The usb_destroy_configuration function in drivers/usb/core/config.c in
the USB core subsystem in the Linux kernel before 4.14.8, 4.9.71,
4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not consider the maximum
number of configurations and interfaces before attempting to release
resources, which allows local users to cause a denial of service
(out-of-bounds write access) or possibly have unspecified other impact
via a crafted USB device.

- CVE-2017-17712 (privilege escalation)

A flaw was found in the Linux kernel's implementation of raw_sendmsg
before 4.14.11, 4.4.109 and 4.9.74, allowing a local attacker to panic
the kernel or possibly leak kernel addresses. A local attacker with the
privilege of creating raw sockets can abuse a possible race condition
when setting the socket option that lets the kernel automatically
create IP header values, and thus potentially escalate their
privileges.

- CVE-2017-17805 (denial of service)

The Salsa20 encryption algorithm in the Linux kernel before 4.14.8,
4.9.71, 4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not correctly handle
zero-length inputs, allowing a local attacker able to use the
AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to
cause a denial of service (uninitialized-memory free and kernel crash)
or have unspecified other impact by executing a crafted sequence of
system calls that use the blkcipher_walk API. Both the generic
implementation (crypto/salsa20_generic.c) and the x86 implementation
(arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.

- CVE-2017-17806 (denial of service)

The HMAC implementation (crypto/hmac.c) in the Linux kernel before
4.14.8, 4.9.71, 4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not validate
that the underlying cryptographic hash algorithm is unkeyed, allowing a
local attacker able to use the AF_ALG-based hash interface
(CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm
(CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by
executing a crafted sequence of system calls that encounter a missing
SHA-3 initialization.

- CVE-2017-17862 (denial of service)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 and 4.9.72 ignores unreachable code, even though it would
still be processed by JIT compilers. This behavior, also considered an
improper branch-pruning logic issue, could possibly be used by local
users to cause a denial of service.

- CVE-2017-17863 (denial of service)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 and 4.9.72 does not check the relationship between
pointer values and the BPF stack, which allows local users to cause a
denial of service (integer overflow or invalid memory access) or
possibly have unspecified other impact.

- CVE-2017-17864 (information disclosure)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel
before 4.14.9 and 4.9.73 mishandles states_equal comparisons between
the pointer data type and the UNKNOWN_VALUE data type, which allows
local users to obtain potentially sensitive address information, aka a
"pointer leak."

Impact
======

A local unprivileged attacker is able to escalate privileges, crash the
system or obtain sensitive information by sniffing an nlmon interface
for all Netlink activity on the system.

References
==========

https://bugs.chromium.org/p/project-zero/issues/detail?id=1454
http://www.openwall.com/lists/oss-security/2017/12/21/2
https://git.kernel.org/linus/95a762e2c8c942780948091f8f2a4f32fce1ac6f
https://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291
https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md
https://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
http://openwall.com/lists/oss-security/2017/12/12/7
https://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
https://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e
https://git.kernel.org/linus/af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1
https://git.kernel.org/linus/c131187db2d3fa2f8bf32fdf4e9a4ef805168467
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=d75d3ee237cee9068022117e059b64bbab617f3d
https://git.kernel.org/linus/de31796c052e47c99b1bb342bc70aa826733e862
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=37435f7e80ef9adc32a69013c18f135e3f434244
https://security.archlinux.org/CVE-2017-16995
https://security.archlinux.org/CVE-2017-17449
https://security.archlinux.org/CVE-2017-17558
https://security.archlinux.org/CVE-2017-17712
https://security.archlinux.org/CVE-2017-17805
https://security.archlinux.org/CVE-2017-17806
https://security.archlinux.org/CVE-2017-17862
https://security.archlinux.org/CVE-2017-17863
https://security.archlinux.org/CVE-2017-17864
