The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Linux kernel

vulnerability announcement 19472

Linux kernel: information disclosure via TIOCSETD

Synthesis of the vulnerability

A local attacker can read a memory fragment via TIOCSETD of the Linux kernel, in order to obtain sensitive information.
Impacted products: Linux.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Confidence: confirmed by the editor (5/5).
Creation date: 27/04/2016.
Identifiers: VIGILANCE-VUL-19472.

Description of the vulnerability

The Linux kernel implements the TIOCGETD ioctl which obtains the Line Discipline of a tty.

However, when a change is performed with a TIOCSETD, the value obtained by TIOCGETD is not always initialized.

A local attacker can therefore read a memory fragment via TIOCSETD of the Linux kernel, in order to obtain sensitive information.

vulnerability bulletin CVE-2015-8839

Linux kernel: file corruption via ext4 Punch Hole

Synthesis of the vulnerability

A local attacker can manipulate data on ext4 on the Linux kernel, in order to alter a file.
Impacted products: Fedora, Android OS, QRadar SIEM, Linux, RHEL, Ubuntu.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: user shell.
Confidence: confirmed by the editor (5/5).
Creation date: 20/04/2016.
Identifiers: 2011746, CERTFR-2016-AVI-199, CERTFR-2017-AVI-287, CVE-2015-8839, FEDORA-2016-373c063e79, FEDORA-2016-8e858f96b8, RHSA-2017:1842-01, RHSA-2017:2077-01, RHSA-2017:2669-01, USN-3005-1, USN-3006-1, USN-3007-1, VIGILANCE-VUL-19413.

Description of the vulnerability

The Linux kernel uses the ext4 filesystem.

However, when it reassembles file fragments, a computation error leads to file corruption.

A local attacker can therefore manipulate data on ext4 on the Linux kernel, in order to alter a file.

vulnerability note CVE-2016-3955

Linux kernel: buffer overflow of usbip_recv_xbuff

Synthesis of the vulnerability

An attacker can generate a buffer overflow in usbip_recv_xbuff() of the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Fedora, Linux, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server, denial of service on service.
Provenance: intranet client.
Confidence: confirmed by the editor (5/5).
Creation date: 19/04/2016.
Identifiers: CERTFR-2016-AVI-156, CERTFR-2016-AVI-186, CERTFR-2016-AVI-199, CVE-2016-3955, DLA-516-1, DSA-3607-1, FEDORA-2016-373c063e79, FEDORA-2016-8a1f49149e, openSUSE-SU-2016:1641-1, SUSE-SU-2016:1203-1, SUSE-SU-2016:2245-1, USN-2965-1, USN-2965-2, USN-2965-3, USN-2965-4, USN-2989-1, USN-2996-1, USN-2997-1, USN-2998-1, USN-3000-1, USN-3001-1, USN-3002-1, USN-3003-1, USN-3004-1, VIGILANCE-VUL-19404.

Description of the vulnerability

The Linux kernel uses the usbip driver to share a USB device over IP.

However, if the size of data is greater than the size of the storage array, an overflow occurs in the usbip_recv_xbuff() function.

An attacker can therefore generate a buffer overflow in usbip_recv_xbuff() of the Linux kernel, in order to trigger a denial of service, and possibly to run code.

vulnerability note CVE-2016-3961

Xen: infinite loop of hugetlbfs

Synthesis of the vulnerability

An attacker in a PV guest system can generate an infinite loop via hugetlbfs of Xen, in order to trigger a denial of service on the host system.
Impacted products: Brocade vTM, Debian, Fedora, Linux, Ubuntu, Xen.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: user shell.
Confidence: confirmed by the editor (5/5).
Creation date: 14/04/2016.
Identifiers: BSA-2016-204, BSA-2016-207, BSA-2016-211, BSA-2016-212, BSA-2016-213, BSA-2016-216, BSA-2016-234, CERTFR-2016-AVI-199, CERTFR-2016-AVI-278, CERTFR-2016-AVI-378, CVE-2016-3961, DLA-516-1, FEDORA-2016-373c063e79, FEDORA-2016-8a1f49149e, USN-3002-1, USN-3004-1, USN-3005-1, USN-3006-1, USN-3007-1, USN-3049-1, USN-3050-1, USN-3051-1, USN-3052-1, USN-3053-1, USN-3054-1, USN-3055-1, USN-3056-1, USN-3057-1, USN-3127-1, USN-3127-2, VIGILANCE-VUL-19384, XSA-174.

Description of the vulnerability

The Xen product can be installed on the Linux kernel with the support of hugetlbfs (large pages) enabled.

However, a PV guest can use these large pages, and trigger an infinite error loop on the host system.

An attacker in a PV guest system can therefore generate an infinite loop via hugetlbfs of Xen, in order to trigger a denial of service on the host system.

vulnerability CVE-2015-8844 CVE-2015-8845

Linux kernel: denial of service via PPC State

Synthesis of the vulnerability

A local attacker can generate an error in PowerPC states on the Linux kernel, in order to trigger a denial of service.
Impacted products: Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: user shell.
Confidence: confirmed by the editor (5/5).
Creation date: 13/04/2016.
Identifiers: CVE-2015-8844, CVE-2015-8845, openSUSE-SU-2016:2184-1, RHSA-2016:2574-02, RHSA-2016:2584-02, SUSE-SU-2016:1690-1, SUSE-SU-2016:1937-1, SUSE-SU-2016:2105-1, VIGILANCE-VUL-19370.

Description of the vulnerability

The Linux kernel restores registers after processing a signal.

However, some PowerPC state registers are not restored, which leads to a BUG_ON().

A local attacker can therefore generate an error in PowerPC states on the Linux kernel, in order to trigger a denial of service.

vulnerability alert CVE-2016-2184 CVE-2016-2185 CVE-2016-2186

Linux kernel: five vulnerabilities of USB Device Descriptor

Synthesis of the vulnerability

Several vulnerabilities were announced in the Linux kernel.
Impacted products: Debian, Fedora, Android OS, Linux, openSUSE, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: physical access.
Confidence: confirmed by the editor (5/5).
Creation date: 11/04/2016.
Identifiers: CERTFR-2016-AVI-156, CERTFR-2016-AVI-159, CERTFR-2016-AVI-186, CERTFR-2016-AVI-199, CERTFR-2016-AVI-267, CERTFR-2017-AVI-034, CERTFR-2017-AVI-282, CVE-2016-2184, CVE-2016-2185, CVE-2016-2186, CVE-2016-2187, CVE-2016-2188, DLA-516-1, DLA-922-1, DSA-3607-1, FEDORA-2016-7e602c0e5e, FEDORA-2016-ed5110c4bb, openSUSE-SU-2016:1008-1, openSUSE-SU-2016:1382-1, openSUSE-SU-2016:2144-1, openSUSE-SU-2016:2649-1, SUSE-SU-2016:1019-1, SUSE-SU-2016:1203-1, SUSE-SU-2016:1672-1, SUSE-SU-2016:1690-1, SUSE-SU-2016:1696-1, SUSE-SU-2016:1707-1, SUSE-SU-2016:1764-1, SUSE-SU-2016:1985-1, SUSE-SU-2016:2074-1, SUSE-SU-2016:2245-1, SUSE-SU-2017:0333-1, SUSE-SU-2017:2342-1, USN-2965-1, USN-2965-2, USN-2965-3, USN-2965-4, USN-2968-1, USN-2968-2, USN-2969-1, USN-2970-1, USN-2971-1, USN-2971-2, USN-2971-3, USN-2989-1, USN-2996-1, USN-2997-1, USN-2998-1, USN-3000-1, USN-3001-1, USN-3002-1, USN-3003-1, USN-3004-1, USN-3005-1, USN-3006-1, USN-3007-1, VIGILANCE-VUL-19331.

Description of the vulnerability

Several vulnerabilities were announced in the Linux kernel.

An attacker can force a NULL pointer to be dereferenced in powermate, in order to trigger a denial of service. [severity:1/4; CVE-2016-2186]

An attacker can force a NULL pointer to be dereferenced in gtco, in order to trigger a denial of service. [severity:1/4; CVE-2016-2187]

An attacker can force a NULL pointer to be dereferenced in iowarrior, in order to trigger a denial of service. [severity:1/4; CVE-2016-2188]

An attacker can force a NULL pointer to be dereferenced in snd_usb_audio, in order to trigger a denial of service. [severity:1/4; CVE-2016-2184]

An attacker can force a NULL pointer to be dereferenced in ati_remote2, in order to trigger a denial of service. [severity:1/4; CVE-2016-2185]

computer vulnerability bulletin CVE-2016-3951

Linux kernel: NULL pointer dereference via usbnet

Synthesis of the vulnerability

An attacker can plug in a malicious USB device, to force a NULL pointer to be dereferenced in usbnet of the Linux kernel, in order to trigger a denial of service.
Impacted products: Debian, Fedora, Android OS, Linux, openSUSE, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: physical access.
Confidence: confirmed by the editor (5/5).
Creation date: 07/04/2016.
Identifiers: CERTFR-2016-AVI-156, CERTFR-2016-AVI-186, CERTFR-2016-AVI-199, CERTFR-2016-AVI-220, CVE-2016-3951, DLA-516-1, DSA-3607-1, FEDORA-2016-373c063e79, FEDORA-2016-8e858f96b8, openSUSE-SU-2016:1382-1, openSUSE-SU-2016:2144-1, SUSE-SU-2016:1690-1, SUSE-SU-2016:1696-1, SUSE-SU-2016:1764-1, USN-2965-1, USN-2965-2, USN-2965-3, USN-2965-4, USN-2989-1, USN-2998-1, USN-3000-1, USN-3001-1, USN-3002-1, USN-3003-1, USN-3004-1, USN-3021-1, USN-3021-2, VIGILANCE-VUL-19318.

Description of the vulnerability

The Linux kernel implements the support of network devices on USB.

However, if a USB device uses a malformed descriptor, the drivers/net/usb/usbnet.c file does not check if a pointer is NULL, before using it.

An attacker can therefore plug in a malicious USB device, to force a NULL pointer to be dereferenced in usbnet of the Linux kernel, in order to trigger a denial of service.

vulnerability announcement CVE-2016-3672

Linux kernel: bypassing ASLR via Unlimited Stack

Synthesis of the vulnerability

An attacker can remove the stack limit for a 32-bit application, in order to bypass ASLR.
Impacted products: Debian, Fedora, Linux, openSUSE, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Confidence: confirmed by the editor (5/5).
Creation date: 06/04/2016.
Identifiers: CERTFR-2016-AVI-156, CERTFR-2016-AVI-186, CERTFR-2016-AVI-199, CVE-2016-3672, DLA-516-1, DSA-3607-1, FEDORA-2016-373c063e79, FEDORA-2016-8e858f96b8, openSUSE-SU-2016:1641-1, openSUSE-SU-2016:2144-1, openSUSE-SU-2016:2184-1, RHSA-2018:0676-01, RHSA-2018:1062-01, SUSE-SU-2016:1690-1, SUSE-SU-2016:1937-1, SUSE-SU-2016:2105-1, USN-2965-1, USN-2965-2, USN-2965-3, USN-2965-4, USN-2989-1, USN-2996-1, USN-2997-1, USN-2998-1, USN-3000-1, USN-3001-1, USN-3002-1, USN-3003-1, USN-3004-1, VIGILANCE-VUL-19312.

Description of the vulnerability

The Linux kernel uses ASLR to randomize the memory space, so attacks on processes are more difficult.

However, for historical reasons, the mmap_legacy_base() function did not add randomization for 32-bit applications with an unlimited stack.

An attacker can therefore remove the stack limit for a 32-bit application, in order to bypass ASLR.

computer vulnerability bulletin CVE-2016-3689

Linux kernel: NULL pointer dereference via ims_pcu_parse_cdc_data

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced in the ims_pcu_parse_cdc_data() function of the Linux kernel, in order to trigger a denial of service.
Impacted products: Linux, openSUSE, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: physical access.
Confidence: confirmed by the editor (5/5).
Creation date: 30/03/2016.
Identifiers: CERTFR-2016-AVI-156, CERTFR-2016-AVI-159, CERTFR-2016-AVI-199, CVE-2016-3689, openSUSE-SU-2016:1382-1, openSUSE-SU-2016:2144-1, SUSE-SU-2016:1690-1, SUSE-SU-2016:1696-1, SUSE-SU-2016:1764-1, USN-2965-1, USN-2965-2, USN-2965-3, USN-2965-4, USN-2968-1, USN-2968-2, USN-2970-1, USN-2971-1, USN-2971-2, USN-2971-3, USN-3000-1, VIGILANCE-VUL-19268.

Description of the vulnerability

The Linux kernel supports USB devices of type IMS Passenger Control Unit.

However, when the ctrl_intf or data_intf interfaces do not exist, the ims_pcu_parse_cdc_data() function does not check if a pointer is NULL, before using it.

An attacker can therefore force a NULL pointer to be dereferenced in the ims_pcu_parse_cdc_data() function of the Linux kernel, in order to trigger a denial of service.

vulnerability CVE-2016-2143

Linux kernel: memory corruption via S390 Four Page Table Levels

Synthesis of the vulnerability

A local attacker can generate a memory corruption on S390 in the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, NSM Central Manager, NSMXpress, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, denial of service on server.
Provenance: user shell.
Confidence: confirmed by the editor (5/5).
Creation date: 17/03/2016.
Identifiers: 970504, CVE-2016-2143, DSA-3607-1, JSA10853, openSUSE-SU-2016:2649-1, RHSA-2016:1539-01, RHSA-2016:2766-01, SUSE-SU-2016:1019-1, SUSE-SU-2016:1203-1, SUSE-SU-2016:1672-1, SUSE-SU-2016:1690-1, SUSE-SU-2016:1707-1, SUSE-SU-2016:1764-1, SUSE-SU-2016:2074-1, VIGILANCE-VUL-19190.

Description of the vulnerability

The fork() function clones the memory of a process.

However, on S390, if a process has four levels of memory pages (> 4TB), the init_new_context() function does not correctly clone the memory.

A local attacker can therefore generate a memory corruption on S390 in the Linux kernel, in order to trigger a denial of service, and possibly to run code.