kernel-2.6.32-696.28.1.el6
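Errata ID: AXSA:2018-3099:04
The following issues have been addressed.
[Security Fix]
- The receive processing for Bluetooth L2CAP commands can pick up the contents of uninitialized stack variables, and a vulnerability exists that allows an attacker to use this to obtain kernel-space information. (CVE-2017-1000410)
- In the 32-bit compatibility layer of the ioctl handling code in the v4l2 video driver, the memory protection mechanism that guarantees a user's buffer always points to user-space memory is disabled, which allows the destination address to lie in kernel space. A vulnerability therefore exists that allows an attacker to overwrite kernel memory from an unprivileged user-space process and escalate privileges. (CVE-2017-13166)
- A vulnerability exists in the tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c that allows a remote attacker to cause a denial of service (use-after-free and memory corruption) or have other impact when xt_TCPMSS is used in an iptables action. (CVE-2017-18017)
- The NFSv2/NFSv3 server in the nfsd subsystem has flaws in processing related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c, and a vulnerability exists that allows a remote attacker to cause a denial of service (system crash) via an excessively long RPC reply. (CVE-2017-7645)
- A vulnerability exists in the dccp_disconnect function in net/dccp/proto.c that allows a local user to escalate privileges and cause a denial of service (use-after-free) by using a connect system call that specifies AF_UNSPEC during the DCCP_LISTEN state. (CVE-2017-8824)
- An exception raised during execution of a MOV SS or POP SS instruction is handled only after the instruction following the stack switch has finished executing, and a vulnerability exists that allows an unprivileged user to use this to cause a denial of service (system crash). (CVE-2018-8897)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Update the packages.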
The Linux kernel version 3.3-rc1 and later is affected by a vulnerability that lies in the processing of incoming L2CAP commands - ConfigRequest and ConfigResponse messages. This info leak is a result of uninitialized stack variables that may be returned to an attacker in their uninitialized state. By manipulating the code flows that precede the handling of these configuration messages, an attacker can also gain some control over which data will be held in the uninitialized stack variables. This can allow him to bypass KASLR and stack canary protection, as both pointers and stack canaries may be leaked in this manner. Combining this vulnerability (for example) with the previously disclosed RCE vulnerability in L2CAP configuration parsing (CVE-2017-1000251) may allow an attacker to exploit the RCE against kernels which were built with the above mitigations.

These are the specifics of this vulnerability:

In the function l2cap_parse_conf_rsp and in the function l2cap_parse_conf_req the following variable is declared without initialization:

    struct l2cap_conf_efs efs;

In addition, when parsing input configuration parameters in both of these functions, the switch case for handling EFS elements may skip the memcpy call that will write to the efs variable:

    ...
    case L2CAP_CONF_EFS:
        if (olen == sizeof(efs))
            memcpy(&efs, (void *)val, olen);
    ...

The olen in the above if is attacker controlled, and regardless of that if, in both of these functions the efs variable would eventually be added to the outgoing configuration request that is being built:

    l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs);

So by sending a configuration request, or response, that contains an L2CAP_CONF_EFS element, but with an element length that is not sizeof(efs), the memcpy to the uninitialized efs variable can be avoided, and the uninitialized variable would be returned to the attacker (16 bytes).
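The pattern described above, reduced to a user-space model with the vulnerable flow beside a hardened one (an added example, not kernel code and not part of the advisory). The `stale` argument stands in for whatever the stack slot held on entry; the function names, the option walker and the "echo only a validated element" gate are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CONF_EFS 0x06 /* option type of the EFS element (model constant) */
#define EFS_LEN  16   /* sizeof(struct l2cap_conf_efs): the 16 bytes named above */

/* Append one type/length/value option to the outgoing buffer. */
static size_t add_opt(uint8_t *out, uint8_t type, const uint8_t *val, uint8_t len)
{
    out[0] = type;
    out[1] = len;
    memcpy(out + 2, val, len);
    return (size_t)len + 2;
}

/* Shared option walker. `stale` models the bytes left in the stack slot;
 * the hardened path passes NULL: zeroed slot plus a "valid EFS seen" gate. */
static size_t parse_conf(const uint8_t *in, size_t in_len, uint8_t *out,
                         const uint8_t *stale)
{
    uint8_t efs[EFS_LEN] = {0};
    int hardened = (stale == NULL), have_efs = 0;
    size_t off = 0;

    if (!hardened)
        memcpy(efs, stale, EFS_LEN);      /* emulate the uninitialized variable */
    while (in_len - off >= 2) {
        uint8_t type = in[off], olen = in[off + 1];
        if (olen > in_len - off - 2)
            break;                        /* truncated option: stop parsing */
        if (type == CONF_EFS && olen == EFS_LEN) {
            memcpy(efs, in + off + 2, olen);
            have_efs = 1;                 /* only a correctly sized element counts */
        }
        off += 2 + (size_t)olen;
    }
    if (hardened && !have_efs)
        return 0;                         /* nothing validated: echo nothing */
    return add_opt(out, CONF_EFS, efs, EFS_LEN); /* vulnerable flow always echoes */
}

/* Vulnerable flow: the slot keeps its old contents when memcpy is skipped. */
size_t parse_conf_vulnerable(const uint8_t *in, size_t n, uint8_t *out,
                             const uint8_t *stale)
{ return parse_conf(in, n, out, stale); }

/* Hardened flow: initialized slot, reply built only from validated input. */
size_t parse_conf_hardened(const uint8_t *in, size_t n, uint8_t *out)
{ return parse_conf(in, n, out, NULL); }
```

With a 4-byte EFS element as input, the vulnerable flow returns an 18-byte option whose value is the stale slot contents, while the hardened flow returns nothing.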
An elevation of privilege vulnerability in the kernel v4l2 video driver. Product: Android. Versions: Android kernel. Android ID A-34624167.
The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action.
The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c.
The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state.
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.
SRPMS
- kernel-2.6.32-696.28.1.el6.src.rpm
MD5: 283c76d94fe2c13429663f011192ba86
SHA-256: 3310f1c54842299bdbc8eff31a76bd64b6227a47ba876b40c74dc0bf591d6bc8
Size: 128.73 MB
Asianux Server 4 for x86
- kernel-2.6.32-696.28.1.el6.i686.rpm
MD5: 2301df62eb87e3c67f82a62079ef0a81
SHA-256: 55762be1da93f14c954151f908f1c4a3b83207f7ead18f531b1322a0f817b349
Size: 29.99 MB
- kernel-abi-whitelists-2.6.32-696.28.1.el6.noarch.rpm
MD5: 8268c1bef33195da3e82e056e13d7027
SHA-256: 4dd7e4f9b048b4f3a1e7d7128a1ec45cca1ed9f0dc2541c96d57a335161bcf08
Size: 3.77 MB
- kernel-debug-2.6.32-696.28.1.el6.i686.rpm
MD5: 80280c6605a10c6f4e2ff136774bd3b9
SHA-256: c1d4eaf4499f90681618142ce979e6dd3fe44919b9b40bfd386e745d1a021718
Size: 30.78 MB
- kernel-debug-devel-2.6.32-696.28.1.el6.i686.rpm
MD5: e6d1e4093e409caba04f733e8d589301
SHA-256: bcb35c23b4a509545d69cfeca8b1abae723551dc897eaf2e2b5724b94dc32ac0
Size: 10.75 MB
- kernel-devel-2.6.32-696.28.1.el6.i686.rpm
MD5: 9eb5d122ccea80656f4d7d642d8a3cb0
SHA-256: 64bb1e8dea806899286f9b5862ead9a4f2fab60c1734870a988b3176c8301bbd
Size: 10.71 MB
- kernel-doc-2.6.32-696.28.1.el6.noarch.rpm
MD5: d8e8f3e71d6201a38f35b397205b407b
SHA-256: 61eff246b80b63b11eafe98f111a044791fb1995d35f6334de5c9df80c4a93e8
Size: 12.35 MB
- kernel-firmware-2.6.32-696.28.1.el6.noarch.rpm
MD5: 837e7336fc406f26822cab5ba852a827
SHA-256: 425828a2b3a41fc3074fc46b61853bb04d635e3cb46467dad0881fb81fd939a6
Size: 28.84 MB
- kernel-headers-2.6.32-696.28.1.el6.i686.rpm
MD5: 69891b35b18f1c8e058084b0c52b3548
SHA-256: 1e23ae7b461d49d8e6cb2b481a29c9c9dde974ccec13ddfc53f2a1f76bd84d29
Size: 4.50 MB
- perf-2.6.32-696.28.1.el6.i686.rpm
MD5: a0b594422ef3a6cdfe8c6e5f913fa484
SHA-256: c23ab91427a99521942c947ef3c30abe84ab5187e7b9f6a68d1c85247641b817
Size: 4.73 MB
Asianux Server 4 for x86_64
- kernel-2.6.32-696.28.1.el6.x86_64.rpm
MD5: 54fbcb80cc46c968b18e5a92a05f6352
SHA-256: 80e8319dabc14b2403887916658b73781c39c3dda77b99c67afa66a1e69a8550
Size: 32.30 MB
- kernel-abi-whitelists-2.6.32-696.28.1.el6.noarch.rpm
MD5: 2f4770613cb92e5d114af850cbd9a476
SHA-256: 839680dc8318c162b91bd12ddb29540d0614d1e850a56d3bb337c3c02cfdcc72
Size: 3.77 MB
- kernel-debug-2.6.32-696.28.1.el6.x86_64.rpm
MD5: 9109a104cc324b951756363f9c1db2d9
SHA-256: 52efca96d107795488d06a2a046279d9c2de2969bf619f400eb9c9e0a7307405
Size: 33.18 MB
- kernel-debug-devel-2.6.32-696.28.1.el6.x86_64.rpm
MD5: a5cf6535f0922e653f99040b74ae9f40
SHA-256: a7047939528e49408d26bd503ccc30d00560da99ad77a214fa266e6b1db0b15c
Size: 10.80 MB
- kernel-devel-2.6.32-696.28.1.el6.x86_64.rpm
MD5: 05e5a0543d7ea39295c024a46f735577
SHA-256: 07f7077da88c0ee6357304260dba76ac02942f1855aae8b9304d321ef688e2d5
Size: 10.76 MB
- kernel-doc-2.6.32-696.28.1.el6.noarch.rpm
MD5: ce86915b8841be494ad84d0589c0b4c6
SHA-256: 326f7b09b8c7b61093eb0802cfb339bc5eb56988152976475212eede8819d956
Size: 12.35 MB
- kernel-firmware-2.6.32-696.28.1.el6.noarch.rpm
MD5: 70e8edc81e25fa7be84bcd6a7196340a
SHA-256: 324971241793215d02cfe0e48e03fba771c125dddfb0348f87ed17187ee281e7
Size: 28.84 MB
- kernel-headers-2.6.32-696.28.1.el6.x86_64.rpm
MD5: 4ed1aa31599aaf6493b7ca84b4156fac
SHA-256: a2cec1a70cf911739465085c1c7c368882b16a39d5128dd3d4ffba5106bbee2c
Size: 4.50 MB
- perf-2.6.32-696.28.1.el6.x86_64.rpm
MD5: 1b4e5cd3f606fa36f2f99321ae98e60c
SHA-256: ea9ef16726a04beb1296d803abcc1eb4774803c57e2c248d517b623e0d2510b8
Size: 4.70 MB