Oracle Linux 6 : kernel (ELSA-2018-1319)

critical Nessus Plugin ID 109629

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2018-1319 advisory.

- [x86] entry/64: Don't use IST entry for #BP stack (Waiman Long) [1567078 1567079] {CVE-2018-8897}
- [x86] pti: Disable kaiser_add_mapping if X86_FEATURE_NOPTI (Waiman Long) [1561441 1557562] {CVE-2017-5754}
- [x86] irq/ioapic: Check for valid irq_cfg pointer in smp_irq_move_cleanup_interrupt (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] kexec/64: Clear control page after PGD init (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] efi/64: Fix potential PTI data corruption problem (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pti/mm: Fix machine check with PTI on old AMD CPUs (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pti/mm: Enable PAGE_GLOBAL if not affected by Meltdown (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] retpoline: Avoid retpolines for built-in __init functions (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] kexec/32: Allocate 8k PGD for PTI (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] spec_ctrl: Patch out lfence on old 32-bit CPUs (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] spec_ctrl/32: Enable IBRS processing on kernel entries & exits (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] spec_ctrl/32: Stuff RSB on kernel entry (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pti: Allow CONFIG_PAGE_TABLE_ISOLATION for x86_32 (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pti/32: Add a PAE specific version of __pti_set_user_pgd (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] mm/dump_pagetables: Support PAE page table dumping (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pgtable/pae: Use separate kernel PMDs for user page-table (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] mm/pae: Populate valid user PGD entries (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pti: Enable x86-32 for kaiser.c (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pti: Disable PCID handling in x86-32 TLB flushing code (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pgtable: Disable user PGD poisoning for PAE (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pgtable: Move more PTI functions out of pgtable_64.h (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pgtable: Move pgdp kernel/user conversion functions to pgtable.h (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pgtable/32: Allocate 8k page-tables when PTI is enabled (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pgtable/pae: Unshare kernel PMDs when PTI is enabled (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Handle debug exception similar to NMI (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Add PTI cr3 switch to non-NMI entry/exit points (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Add PTI cr3 switches to NMI handler code (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Introduce SAVE_ALL_NMI and RESTORE_ALL_NMI (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Enable the use of trampoline stack (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Change INT80 to be an interrupt gate (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Handle Entry from Kernel-Mode on Entry-Stack (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Leave the kernel via trampoline stack (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Enter the kernel via trampoline stack (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Restore segments before int registers (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Split off return-to-kernel path (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Unshare NMI return path (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Put ESPFIX code into a macro (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Load task stack from x86_tss.sp1 in SYSENTER handler (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Rename TSS_sysenter_sp0 to TSS_entry_stack (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pti: Add X86_FEATURE_NOPTI to permanently disable PTI (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Simplify and fix up the SYSENTER stack #DB/NMI fixup (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] doublefault: Set the right gs register for doublefault (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] syscall: int80 must not clobber r12-15 (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] syscall: change ia32_syscall() to create the full register frame in ia32_do_call() (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] cve: Make all Meltdown/Spectre percpu variables available to x86-32 (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [net] dccp: use-after-free in DCCP code (Stefano Brivio) [1520818 1520817] {CVE-2017-8824}
- [fs] nfsd: check for oversized NFSv2/v3 arguments (J. Bruce Fields) [1447640 1447641] {CVE-2017-7645}
- [v4l] media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic fixup (Jarod Wilson) [1548429 1548432] {CVE-2017-13166}
- [v4l] media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic (Jarod Wilson) [1548429 1548432] {CVE-2017-13166}
- [net] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff (Florian Westphal) [1543089 1543091] {CVE-2017-18017}
- [net] netfilter: xt_TCPMSS: fix handling of malformed TCP header and options (Florian Westphal) [1543089 1543091] {CVE-2017-18017}
- [net] netfilter: xt_TCPMSS: SYN packets are allowed to contain data (Florian Westphal) [1543089 1543091] {CVE-2017-18017}
- [net] bluetooth: Prevent uninitialized data (Gopal Tiwari) [1519627 1519626] {CVE-2017-1000410}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.
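The three xt_TCPMSS entries for CVE-2017-18017 above concern a target that rewrote the TCP MSS option while trusting the packet's own data offset and option length bytes. What follows is an added example, not kernel code and not the Oracle patch itself: a user-space scanner that applies the two checks those entries name, a data offset (doff) that is at least the 20-byte minimum and no larger than the bytes actually received, and option lengths that can be neither 0 nor 1 nor run past the header. The five demo_* cases build constructed TCP headers (no real traffic; the option bytes are illustrative) and show which check each malformed layout trips; the constants, function names and the 24-byte packet sizes are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_MIN_HDR 20              /* fixed header, doff == 5 */
#define TCP_MAX_HDR 60              /* doff == 15 */
#define TCPOPT_EOL  0
#define TCPOPT_NOP  1
#define TCPOPT_MSS  2
#define TCPOLEN_MSS 4

enum tcp_check {
    TCP_OK = 0,
    TCP_ERR_TRUNCATED,  /* fewer than 20 bytes of TCP header were received */
    TCP_ERR_BAD_DOFF,   /* doff < 5, or the header claims more bytes than exist */
    TCP_ERR_BAD_OPTLEN  /* option length 0/1, or an option runs past the header */
};

/* Walk the TCP header in tcp[0..tcplen). On TCP_OK, *mss holds the MSS option
 * value if one was present, else 0. Every index is bounded by the header length
 * derived from doff, and doff itself is checked against tcplen before use. */
static enum tcp_check tcp_scan_options(const uint8_t *tcp, size_t tcplen, uint16_t *mss)
{
    size_t hdrlen, i;
    *mss = 0;
    if (tcplen < TCP_MIN_HDR)
        return TCP_ERR_TRUNCATED;
    hdrlen = (size_t)(tcp[12] >> 4) * 4;      /* data offset, in 32-bit words */
    if (hdrlen < TCP_MIN_HDR || hdrlen > tcplen)
        return TCP_ERR_BAD_DOFF;
    for (i = TCP_MIN_HDR; i < hdrlen; ) {
        uint8_t kind = tcp[i];
        size_t len;
        if (kind == TCPOPT_EOL)
            break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= hdrlen)                  /* no room for the length byte */
            return TCP_ERR_BAD_OPTLEN;
        len = tcp[i + 1];
        if (len < 2 || i + len > hdrlen)      /* 0/1 never advances; too long walks off */
            return TCP_ERR_BAD_OPTLEN;
        if (kind == TCPOPT_MSS) {
            if (len != TCPOLEN_MSS)
                return TCP_ERR_BAD_OPTLEN;
            *mss = (uint16_t)((tcp[i + 2] << 8) | tcp[i + 3]);
        }
        i += len;
    }
    return TCP_OK;
}

/* Build a constructed SYN header (zeroed ports/seq/ack, the given doff, option
 * bytes after the fixed 20 bytes) and scan its first tcplen bytes. */
static enum tcp_check scan_constructed(unsigned doff, const uint8_t *opts, size_t optlen,
                                       size_t tcplen, uint16_t *mss)
{
    uint8_t buf[TCP_MAX_HDR];
    memset(buf, 0, sizeof buf);
    buf[12] = (uint8_t)(doff << 4);
    buf[13] = 0x02;                            /* SYN flag */
    if (opts)
        memcpy(buf + TCP_MIN_HDR, opts, optlen);
    return tcp_scan_options(buf, tcplen, mss);
}

/* Well-formed SYN, doff 6, carrying MSS 1460: returns the MSS, or -1 on error. */
int demo_mss_of_valid_syn(void)
{
    static const uint8_t opts[] = { TCPOPT_MSS, TCPOLEN_MSS, 0x05, 0xb4 };
    uint16_t mss;
    return scan_constructed(6, opts, sizeof opts, 24, &mss) == TCP_OK ? (int)mss : -1;
}

/* doff 4 describes a 16-byte header, below the 20-byte minimum. */
int demo_doff_too_small(void) { uint16_t m; return scan_constructed(4, NULL, 0, 20, &m); }

/* doff 15 claims a 60-byte header, but only 24 bytes were received. */
int demo_doff_past_packet(void) { uint16_t m; return scan_constructed(15, NULL, 0, 24, &m); }

/* MSS option with length 0: a loop that trusts the length byte never advances. */
int demo_zero_option_length(void)
{
    static const uint8_t opts[] = { TCPOPT_MSS, 0, 0, 0 };
    uint16_t mss;
    return scan_constructed(6, opts, sizeof opts, 24, &mss);
}

/* MSS option claiming 8 bytes when only 4 remain inside the header. */
int demo_option_past_header(void)
{
    static const uint8_t opts[] = { TCPOPT_MSS, 8, 0, 0 };
    uint16_t mss;
    return scan_constructed(6, opts, sizeof opts, 24, &mss);
}

int main(void)
{
    printf("valid mss=%d doff<5=%d doff>len=%d optlen0=%d opt-past-hdr=%d\n",
           demo_mss_of_valid_syn(), demo_doff_too_small(), demo_doff_past_packet(),
           demo_zero_option_length(), demo_option_past_header());
    return 0;
}
```

Any C99 compiler builds it (for instance gcc -std=c99 -Wall). The order of the checks is the point: doff is validated against the received length before it is used to bound the option walk, and the `len < 2` test is the one most often missing from hand-written option walkers, since a zero length byte turns the loop into a spin and a TCPOPT_MSS with a length other than 4 has to be rejected rather than read.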

Note that Nessus has not tested for these issues but has instead relied only on the installed package versions reported by rpm. Because that check looks at installed packages rather than the running kernel, a host that has installed the updated kernel packages but has not yet rebooted into them is still running the vulnerable kernel.
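As an added illustration of that caveat (example code, not Tenable's plugin and not part of this advisory): a small POSIX shell check that compares the newest installed kernel package with the kernel the host is actually running. The RPM list and uname string at the bottom are constructed samples with illustrative version numbers, and the function names are mine; it assumes GNU coreutils sort with -V.

```shell
#!/bin/sh
# Added example, not Tenable's plugin code. A package-version check is
# satisfied as soon as the updated kernel-* RPMs are on disk, which says
# nothing about the kernel in memory until the host reboots into it. These
# helpers compare the two. Assumes GNU coreutils `sort -V` for version order.

# Highest version among newline-separated "kernel-<ver>" package names in the
# shape `rpm -q kernel` prints them (kernel-2.6.32-<build>.el6.x86_64).
newest_installed_kernel() {
    printf '%s\n' "$1" | sed -n 's/^kernel-//p' | sort -V | tail -n 1
}

# Exit 0 when the running kernel version (the string `uname -r` prints)
# equals the newest installed kernel package version, else exit 1.
running_is_newest() {
    [ "$2" = "$(newest_installed_kernel "$1")" ]
}

# On a live host: report whether a reboot is still pending after the update.
# Usage: check_live_host && echo ok   (not called here so the file runs offline).
check_live_host() {
    installed=$(rpm -q kernel) || return 2
    running=$(uname -r)
    if running_is_newest "$installed" "$running"; then
        echo "running kernel $running is the newest installed"
    else
        echo "reboot pending: running $running, newest installed $(newest_installed_kernel "$installed")"
        return 1
    fi
}

# Constructed sample, shaped like `rpm -q kernel` and `uname -r` on an OL6 host
# that has installed a newer kernel but not yet rebooted. The version strings
# are illustrative and are not the ELSA-2018-1319 fixed version.
SAMPLE_RPM_LIST='kernel-2.6.32-696.9.2.el6.x86_64
kernel-2.6.32-696.10.1.el6.x86_64
kernel-2.6.32-696.30.1.el6.x86_64'
SAMPLE_RUNNING='2.6.32-696.10.1.el6.x86_64'
```

The version sort matters: a plain lexical sort ranks 696.9.2 above 696.10.1 (because '9' sorts after '1'), so a naive `sort | tail -n 1` would report the wrong package as newest and could hide a pending reboot.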

Solution

Update the affected packages and reboot into the updated kernel.

See Also

https://linux.oracle.com/errata/ELSA-2018-1319.html

Plugin Details

Severity: Critical

ID: 109629

File Name: oraclelinux_ELSA-2018-1319.nasl

Version: 1.13

Type: local

Agent: unix

Published: 5/9/2018

Updated: 10/24/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.5

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2017-18017

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:kernel-abi-whitelists, p-cpe:/a:oracle:linux:kernel-devel, p-cpe:/a:oracle:linux:perf, p-cpe:/a:oracle:linux:kernel-firmware, p-cpe:/a:oracle:linux:python-perf, p-cpe:/a:oracle:linux:kernel-debug-devel, p-cpe:/a:oracle:linux:kernel-debug, p-cpe:/a:oracle:linux:kernel-headers, p-cpe:/a:oracle:linux:kernel, cpe:/o:oracle:linux:6

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/8/2018

Vulnerability Publication Date: 4/14/2017

Exploitable With

Metasploit (Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability)

Note that this module targets the Windows side of CVE-2018-8897. The same MOV SS/POP SS exception-deferral flaw affects the Linux x86-64 entry code, and the first entry in the description above, "entry/64: Don't use IST entry for #BP stack", is the Linux fix for it.

Reference Information

CVE: CVE-2017-1000410, CVE-2017-13166, CVE-2017-18017, CVE-2017-7645, CVE-2017-8824, CVE-2018-8897

RHSA: 2018:1319