Arch Linux Security Advisory ASA-201801-4
=========================================

Severity: High
Date    : 2018-01-05
CVE-ID  : CVE-2017-16995 CVE-2017-16996 CVE-2017-17448 CVE-2017-17449
          CVE-2017-17450 CVE-2017-17558 CVE-2017-17712 CVE-2017-17741
          CVE-2017-17805 CVE-2017-17806 CVE-2017-17852 CVE-2017-17853
          CVE-2017-17854 CVE-2017-17855 CVE-2017-17856 CVE-2017-17857
          CVE-2017-17862 CVE-2017-17863 CVE-2017-17864 CVE-2017-5754
          CVE-2017-8824
Package : linux-hardened
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-574

Summary
=======

The package linux-hardened before version 4.14.11.a-1 is vulnerable to
multiple issues including access restriction bypass, denial of service,
privilege escalation and information disclosure.

Resolution
==========

Upgrade to 4.14.11.a-1.

# pacman -Syu "linux-hardened>=4.14.11.a-1"

The problems have been fixed upstream in version 4.14.11.a. The upgraded
kernel is only used after a reboot; until then the running kernel (see
uname -r) is still the vulnerable one.

Workaround
==========

BPF related issues can be circumvented by disabling unprivileged BPF:

sysctl -w kernel.unprivileged_bpf_disabled=1

This setting does not survive a reboot unless it is also placed under
/etc/sysctl.d, and once set to 1 it cannot be reset to 0 without rebooting.

On systems that do not already have the dccp module loaded, CVE-2017-8824
can be mitigated by disabling it:

echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

This prevents the module from being loaded on demand; it does not unload a
module that is already resident (check lsmod).

Description
===========

- CVE-2017-16995 (privilege escalation)

An arbitrary memory r/w access issue was found in the Linux kernel before
4.14.9 and 4.9.72 compiled with eBPF bpf(2) system call (CONFIG_BPF_SYSCALL)
support. The issue could occur due to calculation errors in the eBPF verifier
module, triggered by a user supplied malicious BPF program. An unprivileged
user could use this flaw to escalate their privileges on a system. Setting
the parameter "kernel.unprivileged_bpf_disabled=1" prevents such privilege
escalation by restricting access to the bpf(2) call.

- CVE-2017-16996 (privilege escalation)

An arbitrary memory r/w access issue was found in the Linux kernel before
4.14.9 compiled with eBPF bpf(2) system call (CONFIG_BPF_SYSCALL) support.
The issue could occur due to calculation errors in the eBPF verifier module,
triggered by a user supplied malicious BPF program. An unprivileged user
could use this flaw to escalate their privileges on a system. Setting the
parameter "kernel.unprivileged_bpf_disabled=1" prevents such privilege
escalation by restricting access to the bpf(2) call.

- CVE-2017-17448 (access restriction bypass)

It has been discovered that net/netfilter/nfnetlink_cthelper.c in the Linux
kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new,
get, and del operations, which allows local users to bypass intended access
restrictions because the nfnl_cthelper_list data structure is shared across
all net namespaces.

- CVE-2017-17449 (information disclosure)

The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the
Linux kernel before 4.14.11, 4.9.74, 4.4.109, 3.18.91 and 3.16.52, when
CONFIG_NLMON is enabled, does not restrict observation of Netlink messages
to a single net namespace, which allows local users to obtain sensitive
information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon
interface for all Netlink activity on the system.

- CVE-2017-17450 (access restriction bypass)

It has been discovered that net/netfilter/xt_osf.c in the Linux kernel
through 4.14.4 does not require the CAP_NET_ADMIN capability for
add_callback and remove_callback operations, which allows local users to
bypass intended access restrictions because the xt_osf_fingers data
structure is shared across all net namespaces.
- CVE-2017-17558 (denial of service)

The usb_destroy_configuration function in drivers/usb/core/config.c in the
USB core subsystem in the Linux kernel before 4.14.8, 4.9.71, 4.4.107,
3.18.89, 3.16.52 and 3.2.97 does not consider the maximum number of
configurations and interfaces before attempting to release resources, which
allows local users to cause a denial of service (out-of-bounds write access)
or possibly have unspecified other impact via a crafted USB device.

- CVE-2017-17712 (privilege escalation)

A flaw was found in the Linux kernel's implementation of raw_sendmsg before
4.14.11, 4.4.109 and 4.9.74, allowing a local attacker to panic the kernel
or possibly leak kernel addresses. A local attacker with the privilege of
creating raw sockets can abuse a possible race condition when setting the
socket option that lets the kernel automatically create IP header values,
and thus potentially escalate their privileges.

- CVE-2017-17741 (information disclosure)

The KVM implementation in the Linux kernel through 4.14.7 allows attackers
to obtain potentially sensitive information from kernel memory, aka a
write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and
include/trace/events/kvm.h.

- CVE-2017-17805 (denial of service)

The Salsa20 encryption algorithm in the Linux kernel before 4.14.8, 4.9.71,
4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not correctly handle zero-length
inputs, allowing a local attacker able to use the AF_ALG-based skcipher
interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service
(uninitialized-memory free and kernel crash) or have unspecified other
impact by executing a crafted sequence of system calls that use the
blkcipher_walk API. Both the generic implementation
(crypto/salsa20_generic.c) and the x86 implementation
(arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.
- CVE-2017-17806 (denial of service)

The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8,
4.9.71, 4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not validate that the
underlying cryptographic hash algorithm is unkeyed, allowing a local attacker
able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH)
and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack
buffer overflow by executing a crafted sequence of system calls that
encounter a missing SHA-3 initialization.

- CVE-2017-17852 (denial of service)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel before
4.14.9 allows local users to cause a denial of service (memory corruption)
or possibly have unspecified other impact by leveraging mishandling of
32-bit ALU ops.

- CVE-2017-17853 (denial of service)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel before
4.14.9 allows local users to cause a denial of service (memory corruption)
or possibly have unspecified other impact by leveraging incorrect BPF_RSH
signed bounds calculations.

- CVE-2017-17854 (denial of service)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel before
4.14.9 allows local users to cause a denial of service (integer overflow and
memory corruption) or possibly have unspecified other impact by leveraging
unrestricted integer values for pointer arithmetic.

- CVE-2017-17855 (denial of service)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel before
4.14.9 allows local users to cause a denial of service (memory corruption)
or possibly have unspecified other impact by leveraging improper use of
pointers in place of scalars.

- CVE-2017-17856 (denial of service)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel before
4.14.9 allows local users to cause a denial of service (memory corruption)
or possibly have unspecified other impact by leveraging the lack of
stack-pointer alignment enforcement.
- CVE-2017-17857 (denial of service)

The check_stack_boundary function in kernel/bpf/verifier.c in the Linux
kernel before 4.14.9 allows local users to cause a denial of service (memory
corruption) or possibly have unspecified other impact by leveraging
mishandling of invalid variable stack read operations.

- CVE-2017-17862 (denial of service)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel before
4.14.9 and 4.9.72 ignores unreachable code, even though it would still be
processed by JIT compilers. This behavior, also considered an improper
branch-pruning logic issue, could possibly be used by local users for denial
of service.

- CVE-2017-17863 (denial of service)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel before
4.14.9 and 4.9.72 does not check the relationship between pointer values and
the BPF stack, which allows local users to cause a denial of service
(integer overflow or invalid memory access) or possibly have unspecified
other impact.

- CVE-2017-17864 (information disclosure)

It has been discovered that kernel/bpf/verifier.c in the Linux kernel before
4.14.9 and 4.9.73 mishandles states_equal comparisons between the pointer
data type and the UNKNOWN_VALUE data type, which allows local users to
obtain potentially sensitive address information, aka a "pointer leak."

- CVE-2017-5754 (access restriction bypass)

An industry-wide issue was found in the way many modern microprocessor
designs have implemented speculative execution of instructions (a commonly
used performance optimization). This variant ("Rogue Data Cache Load")
relies on the fact that, on impacted microprocessors, during speculative
execution of instructions that raise permission faults, the exception
triggered by the faulting access is suppressed until the retirement of the
whole instruction block.
In combination with the fact that memory accesses may populate the cache
even when the block is being dropped and never committed (executed), an
unprivileged local attacker could use this flaw to read memory from
arbitrary addresses, including privileged (kernel space) memory and that of
all other processes running on the system, by conducting targeted cache
side-channel attacks.

- CVE-2017-8824 (privilege escalation)

A use-after-free vulnerability was found in the DCCP socket code affecting
the Linux kernel since 2.6.16. The dccp_disconnect function in
net/dccp/proto.c allows local users to gain privileges or cause a denial of
service via an AF_UNSPEC connect system call during the DCCP_LISTEN state.

Impact
======

A local unprivileged attacker is able to escalate privileges, crash the
system, read memory from arbitrary addresses including from the kernel and
all other processes running on the system, or obtain sensitive information
by sniffing an nlmon interface for all Netlink activity on the system.

References
==========

https://bugs.archlinux.org/task/56832
https://bugs.chromium.org/p/project-zero/issues/detail?id=1454
http://www.openwall.com/lists/oss-security/2017/12/21/2
https://git.kernel.org/linus/95a762e2c8c942780948091f8f2a4f32fce1ac6f
https://git.kernel.org/linus/0c17d1d2c61936401f4702e1846e2c19b200f958
https://git.kernel.org/linus/4b380c42f7d00a395feede754f0bc2292eebe6e5
https://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291
https://git.kernel.org/linus/916a27901de01446bcf57ecca4783f6cff493309
https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md
https://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
http://openwall.com/lists/oss-security/2017/12/12/7
https://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
https://git.kernel.org/linus/e39d200fa5bf5b94a0948db0dae44c1b73b84a56
https://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e
https://git.kernel.org/linus/af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1
https://git.kernel.org/linus/468f6eafa6c44cb2c5d8aad35e12f06c240a812a
https://git.kernel.org/linus/4374f256ce8182019353c0c639bb8d0695b4c941
https://git.kernel.org/linus/bb7f0f989ca7de1153bd128a40a71709e339fa03
https://git.kernel.org/linus/179d1c5602997fef5a940c6ddcf31212cbfebd14
https://git.kernel.org/linus/a5ec6ae161d72f01411169a938fa5f8baea16e8f
https://git.kernel.org/linus/ea25f914dc164c8d56b36147ecc86bc65f83c469
https://git.kernel.org/linus/c131187db2d3fa2f8bf32fdf4e9a4ef805168467
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=d75d3ee237cee9068022117e059b64bbab617f3d
https://git.kernel.org/linus/de31796c052e47c99b1bb342bc70aa826733e862
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=37435f7e80ef9adc32a69013c18f135e3f434244
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
https://meltdownattack.com
https://xenbits.xen.org/xsa/advisory-254.html
http://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html
https://git.kernel.org/linus/5aa90a84589282b87666f92b6c3c917c8080a9bf
https://git.kernel.org/linus/00a5ae218d57741088068799b810416ac249a9ce
https://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76
https://security.archlinux.org/CVE-2017-16995
https://security.archlinux.org/CVE-2017-16996
https://security.archlinux.org/CVE-2017-17448
https://security.archlinux.org/CVE-2017-17449
https://security.archlinux.org/CVE-2017-17450
https://security.archlinux.org/CVE-2017-17558
https://security.archlinux.org/CVE-2017-17712
https://security.archlinux.org/CVE-2017-17741
https://security.archlinux.org/CVE-2017-17805
https://security.archlinux.org/CVE-2017-17806
https://security.archlinux.org/CVE-2017-17852
https://security.archlinux.org/CVE-2017-17853
https://security.archlinux.org/CVE-2017-17854
https://security.archlinux.org/CVE-2017-17855
https://security.archlinux.org/CVE-2017-17856
https://security.archlinux.org/CVE-2017-17857
https://security.archlinux.org/CVE-2017-17862
https://security.archlinux.org/CVE-2017-17863
https://security.archlinux.org/CVE-2017-17864
https://security.archlinux.org/CVE-2017-5754
https://security.archlinux.org/CVE-2017-8824
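Worked example (added here; it is not part of the advisory and not Arch's own tooling): a script that carries out the Resolution and Workaround steps above in a checkable form. It persists the BPF sysctl, installs the dccp modprobe rule, warns if dccp is already resident, reports whether the installed linux-hardened package is at or above 4.14.11.a-1, and reminds that the running kernel is only replaced by a reboot. The function names, the file names 99-disable-unpriv-bpf.conf and disable-dccp.conf, the optional ROOT prefix (so the file writes can be tried against a scratch directory), and the use of the "pti" flag in /proc/cpuinfo as an indicator that page-table isolation is active are assumptions of this example; pacman and vercmp are used only when present.

```sh
#!/bin/sh
# Added example (not from the advisory or from Arch's tooling): apply the
# interim workarounds and check whether the fixed linux-hardened build is
# installed and actually running.
# Assumptions: ROOT is an optional prefix so the file writes can be tried
# against a scratch directory; pacman and vercmp are used only if present.
set -u

FIXED_VERSION="4.14.11.a-1"   # first fixed build named in the advisory
ROOT="${ROOT:-}"              # empty means the live system

# version_lt A B: succeed if A is older than B. Use Arch's vercmp (pacman's
# own ordering) when available; otherwise compare the dot/dash separated
# fields of "4.14.11.a-1" left to right, numerically where both are numbers.
version_lt() {
    if command -v vercmp >/dev/null 2>&1; then
        case $(vercmp "$1" "$2") in -*) return 0 ;; *) return 1 ;; esac
    fi
    a=$(printf '%s' "$1" | tr '.-' '  ')
    b=$(printf '%s' "$2" | tr '.-' '  ')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; a=${a#"$x"}; a=${a# }
        y=${b%% *}; b=${b#"$y"}; b=${b# }
        case "$x$y" in
            *[!0-9]*)
                if [ "$x" \< "$y" ]; then return 0
                elif [ "$x" != "$y" ]; then return 1; fi ;;
            *)
                if [ "${x:-0}" -lt "${y:-0}" ]; then return 0
                elif [ "${x:-0}" -ne "${y:-0}" ]; then return 1; fi ;;
        esac
    done
    return 1
}

# installed_is_fixed PKGVER: succeed if that linux-hardened build has the fixes.
installed_is_fixed() {
    ! version_lt "$1" "$FIXED_VERSION"
}

# Persist the BPF sysctl: a bare "sysctl -w" does not survive a reboot. The
# value 1 is one-way on these kernels (it cannot be reset without rebooting),
# so confirm first that no unprivileged tooling on the host needs bpf(2).
write_bpf_sysctl() {
    mkdir -p "$ROOT/etc/sysctl.d"
    printf 'kernel.unprivileged_bpf_disabled = 1\n' \
        > "$ROOT/etc/sysctl.d/99-disable-unpriv-bpf.conf"
}

# The advisory's modprobe rule: stops dccp from being autoloaded on first use
# (e.g. by an unprivileged socket(AF_INET, SOCK_DCCP, 0) call). It does not
# unload a module that is already resident, hence the dccp_loaded check.
write_dccp_blacklist() {
    mkdir -p "$ROOT/etc/modprobe.d"
    printf 'install dccp false\n' > "$ROOT/etc/modprobe.d/disable-dccp.conf"
}

dccp_loaded() {
    [ -r /proc/modules ] && grep -q '^dccp ' /proc/modules
}

# Live sysctl value, or "unknown" when /proc is not available.
unpriv_bpf_state() {
    if [ -r /proc/sys/kernel/unprivileged_bpf_disabled ]; then
        cat /proc/sys/kernel/unprivileged_bpf_disabled
    else
        echo unknown
    fi
}

# Assumption: on x86, kernels carrying the KPTI backport list "pti" in
# /proc/cpuinfo when page-table isolation (the CVE-2017-5754 fix) is active.
pti_active() {
    [ -r /proc/cpuinfo ] && grep -qw pti /proc/cpuinfo
}

apply_and_report() {
    write_bpf_sysctl
    write_dccp_blacklist
    [ -n "$ROOT" ] || sysctl -w kernel.unprivileged_bpf_disabled=1 >/dev/null
    echo "kernel.unprivileged_bpf_disabled = $(unpriv_bpf_state)"
    if dccp_loaded; then
        echo "WARNING: dccp is already loaded; the modprobe rule does not help (try: rmmod dccp)"
    fi
    pkgver=$(pacman -Q linux-hardened 2>/dev/null | awk '{ print $2 }')
    if [ -n "$pkgver" ]; then
        if installed_is_fixed "$pkgver"; then
            echo "installed linux-hardened $pkgver contains the fixes"
        else
            echo "installed linux-hardened $pkgver is vulnerable; run:" \
                 "pacman -Syu \"linux-hardened>=$FIXED_VERSION\""
        fi
    fi
    # Upgrading the package does not replace the running kernel: the fixes
    # (KPTI included) only apply after rebooting into the new build.
    echo "running kernel: $(uname -r)"
    if pti_active; then echo "page-table isolation: active"
    else echo "page-table isolation: not reported"; fi
}

# Only act when asked, so the file can also be sourced just for its functions.
if [ "${1:-}" = "apply" ]; then
    apply_and_report
fi
```

Run as root with `sh mitigate.sh apply` on the live system, or with `ROOT=/tmp/scratch sh mitigate.sh apply` to inspect the generated sysctl.d and modprobe.d files first. The version comparison is kept separate from the reporting so the package check can be exercised without pacman; where vercmp is installed it is preferred, since it implements the exact ordering pacman uses for the `>=` constraint in the Resolution section.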