
[QSA-1124151] Linux kernel vulnerabilities

Qlustar Security Advisory 1124151

November 24, 2015


Summary:

The system could crash or be made to run programs as an administrator.


    Package(s)       : linux-image-ql-generic,
    qlustar-module-core-trusty-amd64-9.0.1,
    qlustar-module-core-wheezy-amd64-9.0.1
    Qlustar releases : 9.0
    Affected versions: All versions prior to this update
    Vulnerability    : privilege escalation/denial of service
    Problem type     : local
    Qlustar-specific : no
    CVE Id(s)        : CVE-2015-7613, CVE-2015-6252, CVE-2015-5707,
        CVE-2015-5706, CVE-2015-5366, CVE-2015-5364, CVE-2015-5157,
        CVE-2015-4700, CVE-2015-4692, CVE-2015-3291, CVE-2015-1805
  

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2015-7613

Dmitry Vyukov discovered that the Linux kernel did not properly initialize IPC object state in certain situations. A local attacker could use this to escalate their privileges, expose confidential information, or cause a denial of service (system crash).

CVE-2015-6252

Michael S. Tsirkin of Red Hat Engineering found that the vhost driver leaked file descriptors passed to it with the VHOST_SET_LOG_FD ioctl command. A privileged local user with access to the /dev/vhost-net file, either directly or via libvirt, could use this to cause a denial of service (hang or crash).

CVE-2015-5707

Integer overflow in the sg_start_req function in drivers/scsi/sg.c allows local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request.

CVE-2015-5706

Use-after-free vulnerability in the path_openat function in fs/namei.c allows local users to cause a denial of service or possibly have unspecified other impact via O_TMPFILE filesystem operations that leverage a duplicate cleanup operation.

CVE-2015-5366

A flaw was discovered in how the Linux kernel handles invalid UDP checksums. A remote attacker can cause a denial of service against applications that use epoll by injecting a single packet with an invalid checksum.

CVE-2015-5364

A flaw was discovered in how the Linux kernel handles invalid UDP checksums. A remote attacker could exploit this flaw to cause a denial of service using a flood of UDP packets with invalid checksums.

CVE-2015-5157

Andy Lutomirski and Petr Matousek discovered that an NMI (non-maskable interrupt) that interrupts userspace and encounters an IRET fault is incorrectly handled by the Linux kernel. An unprivileged local user could exploit this flaw to cause a denial of service (kernel OOPs), corruption, or potentially escalate privileges on the system.

CVE-2015-4700

Daniel Borkmann reported a kernel crash in the Linux kernel's BPF filter JIT optimization. A local attacker could exploit this flaw to cause a denial of service (system crash).

CVE-2015-4692

A flaw was discovered in the kvm (kernel virtual machine) subsystem's kvm_apic_has_events function. An unprivileged local user could exploit this flaw to cause a denial of service (system crash).

CVE-2015-3291

Andy Lutomirski discovered a flaw that allows a user to cause the Linux kernel to ignore some NMIs (non-maskable interrupts). A local unprivileged user could exploit this flaw to potentially cause the system to miss important NMIs, resulting in unspecified effects.

CVE-2015-1805

A flaw was discovered in the user space memory copying for the pipe iovecs in the Linux kernel. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges.

CVE-2015-3636

Wen Xu discovered a use-after-free flaw in the Linux kernel's ipv4 ping support. A local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges on the system.

CVE-2015-3339

A race condition between chown() and execve() was discovered in the Linux kernel. A local attacker could exploit this race by using chown on a setuid user binary to gain administrative privileges.

CVE-2015-1420

It was discovered that the open_by_handle_at() system call reads the handle size from user memory a second time after validating it. A local user with the CAP_DAC_READ_SEARCH capability could use this flaw for privilege escalation.

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions (follow the Qlustar Update Guide):

    linux-image-ql-generic                     3.12.50-ql-generic-9.0-59
    qlustar-module-core-trusty-amd64-9.0.1     9.0.1.6-b451f984
    qlustar-module-core-wheezy-amd64-9.0.1     9.0.1.6-b451f984
  