Debian DSA-3945-1 : linux - security update (Stack Clash)

high Nessus Plugin ID 102550

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

- CVE-2014-9940 A use-after-free flaw in the voltage and current regulator driver could allow a local user to cause a denial of service or potentially escalate privileges.

- CVE-2017-7346 Li Qiang discovered that the DRM driver for VMware virtual GPUs does not properly check user-controlled values in the vmw_surface_define_ioctl() functions for upper limits. A local user can take advantage of this flaw to cause a denial of service.

- CVE-2017-7482 Shi Lei discovered that RxRPC Kerberos 5 ticket handling code does not properly verify metadata, leading to information disclosure, denial of service or potentially execution of arbitrary code.

- CVE-2017-7533 Fan Wu and Shixiong Zhao discovered a race condition between inotify events and VFS rename operations allowing an unprivileged local attacker to cause a denial of service or escalate privileges.

- CVE-2017-7541 A buffer overflow flaw in the Broadcom IEEE802.11n PCIe SoftMAC WLAN driver could allow a local user to cause kernel memory corruption, leading to a denial of service or potentially privilege escalation.

- CVE-2017-7542 An integer overflow vulnerability in the ip6_find_1stfragopt() function was found allowing a local attacker with privileges to open raw sockets to cause a denial of service.

- CVE-2017-7889 Tommi Rantala and Brad Spengler reported that the mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, allowing a local attacker with access to /dev/mem to obtain sensitive information or potentially execute arbitrary code.

- CVE-2017-9605 Murray McAllister discovered that the DRM driver for VMware virtual GPUs does not properly initialize memory, potentially allowing a local attacker to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call.

- CVE-2017-10911 / XSA-216

Anthony Perard of Citrix discovered an information leak flaw in Xen blkif response handling, allowing a malicious unprivileged guest to obtain sensitive information from the host or other guests.

- CVE-2017-11176 It was discovered that the mq_notify() function does not set the sock pointer to NULL upon entry into the retry logic. An attacker can take advantage of this flaw during a userspace close of a Netlink socket to cause a denial of service or potentially cause other impact.

- CVE-2017-1000363 Roee Hay reported that the lp driver does not properly bounds-check passed arguments, allowing a local attacker with write access to the kernel command line arguments to execute arbitrary code.

- CVE-2017-1000365 It was discovered that argument and environment pointers are not taken properly into account to the imposed size restrictions on arguments and environmental strings passed through RLIMIT_STACK/RLIMIT_INFINITY. A local attacker can take advantage of this flaw in conjunction with other flaws to execute arbitrary code.

Solution

Upgrade the linux packages.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.43-2+deb8u3.

See Also

https://security-tracker.debian.org/tracker/CVE-2014-9940

https://security-tracker.debian.org/tracker/CVE-2017-7346

https://security-tracker.debian.org/tracker/CVE-2017-7482

https://security-tracker.debian.org/tracker/CVE-2017-7533

https://security-tracker.debian.org/tracker/CVE-2017-7541

https://security-tracker.debian.org/tracker/CVE-2017-7542

https://security-tracker.debian.org/tracker/CVE-2017-7889

https://security-tracker.debian.org/tracker/CVE-2017-9605

https://security-tracker.debian.org/tracker/CVE-2017-10911

https://security-tracker.debian.org/tracker/CVE-2017-11176

https://security-tracker.debian.org/tracker/CVE-2017-1000363

https://security-tracker.debian.org/tracker/CVE-2017-1000365

https://packages.debian.org/source/jessie/linux

https://www.debian.org/security/2017/dsa-3945

Plugin Details

Severity: High

ID: 102550

File Name: debian_DSA-3945.nasl

Version: 3.7

Type: local

Agent: unix

Published: 8/18/2017

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.9

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:linux, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/17/2017

Vulnerability Publication Date: 3/30/2017

Reference Information

CVE: CVE-2014-9940, CVE-2017-1000363, CVE-2017-1000365, CVE-2017-10911, CVE-2017-11176, CVE-2017-7346, CVE-2017-7482, CVE-2017-7533, CVE-2017-7541, CVE-2017-7542, CVE-2017-7889, CVE-2017-9605

DSA: 3945