MGASA-2018-0418 - Updated kernel-tmb packages fix security vulnerabilities

Publication date: 27 Oct 2018
URL: https://advisories.mageia.org/MGASA-2018-0418.html
Type: security
Affected Mageia releases: 6
CVE: CVE-2018-5391,
     CVE-2018-7755,
     CVE-2018-14633,
     CVE-2018-14641,
     CVE-2018-15471,
     CVE-2018-17182,
     CVE-2018-18445

This kernel-tmb update is based on the upstream 4.14.78 and adds additional
fixes for the L1TF security issues. It also fixes atleast the following
security issues:

Linux kernel from versions 3.9 and up, is vulnerable to a denial of
service attack with low rates of specially modified packets targeting IP
fragment re-assembly. An attacker may cause a denial of service condition
by sending specially crafted IP fragments (CVE-2018-5391, FragmentSmack).

An issue was discovered in the fd_locked_ioctl function in
drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy
driver will copy a kernel pointer to user memory in response to the
FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the
obtained kernel pointer to discover the location of kernel code and data
and bypass kernel security protections such as KASLR (CVE-2018-7755).

A security flaw was found in the chap_server_compute_md5() function in the
ISCSI target code in the Linux kernel in a way an authentication request
from an ISCSI initiator is processed. An unauthenticated remote attacker
can cause a stack buffer overflow and smash up to 17 bytes of the stack.
The attack requires the iSCSI target to be enabled on the victim host.
Depending on how the target's code was built (i.e. depending on a compiler,
compile flags and hardware architecture) an attack may lead to a system
crash and thus to a denial-of-service or possibly to a non-authorized
access to data exported by an iSCSI target. Due to the nature of the flaw,
privilege escalation cannot be fully ruled out, although we believe it is
highly unlikely (CVE-2018-14633).

A security flaw was found in the ip_frag_reasm() function in
net/ipv4/ip_fragment.c in the Linux kernel caused by fixes for
CVE-2018-5391, which can cause a later system crash in ip_do_fragment().
With certain non-default, but non-rare, configuration of a victim host,
an attacker can trigger this crash remotely, thus leading to a remote
denial-of-service (CVE-2018-14641).

An issue was discovered in xenvif_set_hash_mapping in
drivers/net/xen-netback/hash.c in the Linux kernel through 4.18.1, as used
in Xen through 4.11.x and other products. The Linux netback driver allows
frontends to control mapping of requests to request queues. When processing
a request to set or change this mapping, some input validation (e.g., for
an integer overflow) was missing or flawed, leading to OOB access in hash
handling. A malicious or buggy frontend may cause the (usually privileged)
backend to make out of bounds memory accesses, potentially resulting in
one or more of privilege escalation, Denial of Service (DoS), or
information leaks (CVE-2018-15471).

An issue was discovered in the Linux kernel through 4.18.8. The
vmacache_flush_all function in mm/vmacache.c mishandles sequence number
overflows. An attacker can trigger a use-after-free (and possibly gain
privileges) via certain thread creation, map, unmap, invalidation, and
dereference operations (CVE-2018-17182).

In the Linux kernel 4.14.x, 4.15.x, 4.16.x, 4.17.x, and 4.18.x before
4.18.13, faulty computation of numeric bounds in the BPF verifier permits
out-of-bounds memory accesses because adjust_scalar_min_max_vals in
kernel/bpf/verifier.c mishandles 32-bit right shifts (CVE-2018-18445).

Other fixes in this update:
* WireGuard has been updated 0.0.20181018

For other uptstream fixes in this update, see the referenced changelogs.

References:
- https://bugs.mageia.org/show_bug.cgi?id=23688
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.70
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.71
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.72
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.73
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.74
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.75
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.76
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.77
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5391
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7755
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14633
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14641
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15471
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17182
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18445

SRPMS:
- 6/core/kernel-tmb-4.14.78-1.mga6

Mageia 2018-0418: kernel-tmb security update

This kernel-tmb update is based on the upstream 4.14.78 and adds additional fixes for the L1TF security issues

Summary

This kernel-tmb update is based on the upstream 4.14.78 and adds additional fixes for the L1TF security issues. It also fixes atleast the following security issues:
Linux kernel from versions 3.9 and up, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments (CVE-2018-5391, FragmentSmack).
An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR (CVE-2018-7755).
A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely (CVE-2018-14633).
A security flaw was found in the ip_frag_reasm() function in net/ipv4/ip_fragment.c in the Linux kernel caused by fixes for CVE-2018-5391, which can cause a later system crash in ip_do_fragment(). With certain non-default, but non-rare, configuration of a victim host, an attacker can trigger this crash remotely, thus leading to a remote denial-of-service (CVE-2018-14641).
An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c in the Linux kernel through 4.18.1, as used in Xen through 4.11.x and other products. The Linux netback driver allows frontends to control mapping of requests to request queues. When processing a request to set or change this mapping, some input validation (e.g., for an integer overflow) was missing or flawed, leading to OOB access in hash handling. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in one or more of privilege escalation, Denial of Service (DoS), or information leaks (CVE-2018-15471).
An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations (CVE-2018-17182).
In the Linux kernel 4.14.x, 4.15.x, 4.16.x, 4.17.x, and 4.18.x before 4.18.13, faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandles 32-bit right shifts (CVE-2018-18445).
Other fixes in this update: * WireGuard has been updated 0.0.20181018
For other uptstream fixes in this update, see the referenced changelogs.

References

- https://bugs.mageia.org/show_bug.cgi?id=23688

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.70

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.71

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.72

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.73

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.74

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.75

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.76

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.77

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5391

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7755

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14633

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14641

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15471

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17182

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18445

Resolution

MGASA-2018-0418 - Updated kernel-tmb packages fix security vulnerabilities

SRPMS

- 6/core/kernel-tmb-4.14.78-1.mga6

Severity
Publication date: 27 Oct 2018
URL: https://advisories.mageia.org/MGASA-2018-0418.html
Type: security
CVE: CVE-2018-5391, CVE-2018-7755, CVE-2018-14633, CVE-2018-14641, CVE-2018-15471, CVE-2018-17182, CVE-2018-18445

Related News

Defending Against Remote Code Execution in Google Chrome: A Critical Update
2 - 3 min read
Google Chrome, a widely used web browser, serves millions of internet users by connecting them to the online world. Unfortunately, severe
Navigating the Linux Kernel
2 - 4 min read
The Linux operating system, widely acclaimed for its robustness and security , recently received widespread media attention due to a significant
Staying a Step Ahead of Adversaries: Mitigating Chromium
2 - 4 min read
Google Chrome, one of the world's most widely used web browsers, has recently been scrutinized due to the discovery of multiple Chromium
Unmasking Cicada3301: Examining the Threat of the New Rust-Based Ransomware
2 - 4 min read
Ransomware has long been a severe threat to organizations and admins alike. Recently, cybersecurity researchers discovered a new variant called
Buffer Overflow Exploits in Linux: Origins, Impact, and Countermeasures
3 - 6 min read
Buffer overflow vulnerabilities have long been one of the biggest headaches in computer security, especially on Linux operating systems that power
8 Expert-Recommended Security Practices to Fortify Your Linux Systems
4 - 8 min read
As a Linux admin or an infosec professional, you understand how the security landscape changes due to evolving threats, newly discovered
Open Source Strategies for Enhancing Security in Digital Business Operations
5 - 9 min read
Digital transformation, powered by the principles of open-source security , is vital for businesses looking to excel in today's technology-driven
Microsoft Update Mayhem: Rescuing Linux Dual-Boot Systems from Secure Boot Woes
2 - 4 min read
Microsoft's recent patch, intended to strengthen Secure Boot defenses, has resulted in an unexpected setback for Linux-Windows dual-boot setups

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved