The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Linux kernel

computer vulnerability bulletin CVE-2013-7446

Linux kernel: use after free via peer_wait_queue

Synthesis of the vulnerability

A local attacker can force the usage of a freed memory area in the peer_wait_queue() function of the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Android OS, Linux, openSUSE, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 18/11/2015.
Identifiers: CERTFR-2015-AVI-554, CERTFR-2015-AVI-561, CERTFR-2016-AVI-044, CERTFR-2016-AVI-073, CERTFR-2016-AVI-103, CERTFR-2016-AVI-110, CVE-2013-7446, DSA-3426-1, DSA-3426-2, FEDORA-2015-c1c2f5e168, FEDORA-2015-c59710b05d, openSUSE-SU-2016:1641-1, openSUSE-SU-2016:2144-1, openSUSE-SU-2016:2649-1, SOL20022580, SUSE-SU-2016:0585-1, SUSE-SU-2016:0785-1, SUSE-SU-2016:0911-1, SUSE-SU-2016:1102-1, SUSE-SU-2016:1203-1, SUSE-SU-2016:2074-1, USN-2886-1, USN-2886-2, USN-2887-1, USN-2887-2, USN-2888-1, USN-2889-1, USN-2889-2, USN-2890-1, USN-2890-2, USN-2890-3, VIGILANCE-VUL-18328.

Description of the vulnerability

The Linux kernel implements an epoll wait mechanism which can monitor Unix sockets (AF_UNIX) stored in a linked list.

However, if the socket is closed, the reference in this list is still used.

A local attacker can therefore force the usage of a freed memory area in the peer_wait_queue() function of the Linux kernel, in order to trigger a denial of service, and possibly to run code.

computer vulnerability alert CVE-2015-0272 CVE-2015-8215

Linux kernel, NetworkManager: denial of service via IPv6 RA MTU

Synthesis of the vulnerability

An attacker can send an IPv6 RA packet with a malicious MTU, which is accepted by NetworkManager and by the Linux kernel, in order to trigger a denial of service.
Impacted products: Debian, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 22/09/2015.
Revision date: 17/11/2015.
Identifiers: 1192132, CERTFR-2015-AVI-435, CERTFR-2015-AVI-436, CERTFR-2015-AVI-508, CERTFR-2015-AVI-563, CERTFR-2016-AVI-050, CERTFR-2016-AVI-073, CVE-2015-0272, CVE-2015-8215, DSA-3364-1, openSUSE-SU-2015:1842-1, openSUSE-SU-2016:0301-1, openSUSE-SU-2016:0318-1, openSUSE-SU-2016:2649-1, RHSA-2015:2315-01, RHSA-2016:0855-01, SUSE-SU-2015:2108-1, SUSE-SU-2015:2194-1, SUSE-SU-2015:2292-1, SUSE-SU-2015:2339-1, SUSE-SU-2015:2350-1, SUSE-SU-2016:0354-1, SUSE-SU-2016:0585-1, SUSE-SU-2016:2074-1, USN-2775-1, USN-2776-1, USN-2778-1, USN-2779-1, USN-2792-1, USN-2796-1, USN-2797-1, VIGILANCE-VUL-17946.

Description of the vulnerability

On a local network, IPv6 routers send the ICMPv6 Router Advertisement message to announce their presence and propose an MTU.

However, neither NetworkManager (CVE-2015-0272) nor the Linux kernel (CVE-2015-8215) checks whether the offered MTU is in the range IPV6_MIN_MTU to InterfaceMTU.

An attacker can therefore send an IPv6 RA packet with a malicious MTU, which is accepted by NetworkManager and by the Linux kernel, in order to trigger a denial of service.

computer vulnerability note CVE-2015-8104

Xen, Linux KVM: infinite loop of x86 Debug Exception

Synthesis of the vulnerability

An attacker, who is administrator in a guest system, can generate an infinite loop with a Debug Exception on Xen, in order to trigger a denial of service on the host system.
Impacted products: XenServer, Debian, BIG-IP Hardware, TMOS, Fedora, Junos Space, NSM Central Manager, NSMXpress, Linux, openSUSE, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Xen.
Severity: 1/4.
Creation date: 10/11/2015.
Identifiers: CERTFR-2015-AVI-466, CERTFR-2015-AVI-508, CERTFR-2015-AVI-549, CERTFR-2015-AVI-554, CERTFR-2015-AVI-556, CERTFR-2015-AVI-563, CERTFR-2016-AVI-050, CERTFR-2017-AVI-012, CTX202583, CTX203879, CVE-2015-8104, DLA-479-1, DSA-3414-1, DSA-3426-1, DSA-3426-2, DSA-3454-1, FEDORA-2015-115c302856, FEDORA-2015-394835a3f6, FEDORA-2015-668d213dc3, FEDORA-2015-cd94ad8d7c, FEDORA-2015-f150b2a8c8, FEDORA-2015-f2c534bc12, JSA10770, JSA10853, K31026324, openSUSE-SU-2015:2232-1, openSUSE-SU-2015:2249-1, openSUSE-SU-2015:2250-1, openSUSE-SU-2016:0124-1, openSUSE-SU-2016:0301-1, openSUSE-SU-2016:0318-1, openSUSE-SU-2016:1008-1, openSUSE-SU-2016:2649-1, RHSA-2015:2552-01, RHSA-2015:2636-01, RHSA-2015:2645-01, RHSA-2016:0004-01, RHSA-2016:0024-01, RHSA-2016:0046-01, RHSA-2016:0103-01, SOL31026324, SUSE-SU-2015:2108-1, SUSE-SU-2015:2194-1, SUSE-SU-2015:2339-1, SUSE-SU-2015:2350-1, SUSE-SU-2016:0354-1, SUSE-SU-2016:0658-1, SUSE-SU-2016:2074-1, USN-2840-1, USN-2841-1, USN-2841-2, USN-2842-1, USN-2842-2, USN-2843-1, USN-2843-2, USN-2844-1, VIGILANCE-VUL-18269, XSA-156.

Description of the vulnerability

On an x86 processor, when an exception occurs while another exception is in progress, the second one has to be handled sequentially. The Xen product implements workarounds to prevent infinite loops in this case.

However, the case where a DB (Debug) exception occurs with a hardware breakpoint is not handled.

An attacker, who is administrator in a guest system, can therefore generate an infinite loop with a Debug Exception on Xen, in order to trigger a denial of service on the host system.

computer vulnerability bulletin CVE-2015-5307

Xen, KVM: infinite loop of x86 Alignment Check Exception

Synthesis of the vulnerability

An attacker, who is administrator in a guest system, can generate an infinite loop with an Alignment Check Exception on Xen/KVM, in order to trigger a denial of service on the host system.
Impacted products: XenServer, Debian, BIG-IP Hardware, TMOS, Fedora, Junos Space, NSM Central Manager, NSMXpress, Linux, openSUSE, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Xen.
Severity: 1/4.
Creation date: 10/11/2015.
Identifiers: CERTFR-2015-AVI-466, CERTFR-2015-AVI-467, CERTFR-2015-AVI-508, CERTFR-2015-AVI-563, CERTFR-2016-AVI-050, CERTFR-2017-AVI-012, CTX202583, CVE-2015-5307, DLA-479-1, DSA-3396-1, DSA-3414-1, DSA-3454-1, FEDORA-2015-115c302856, FEDORA-2015-394835a3f6, FEDORA-2015-668d213dc3, FEDORA-2015-cd94ad8d7c, FEDORA-2015-f150b2a8c8, FEDORA-2015-f2c534bc12, JSA10770, JSA10853, K31026324, openSUSE-SU-2015:2232-1, openSUSE-SU-2015:2249-1, openSUSE-SU-2015:2250-1, openSUSE-SU-2016:0123-1, openSUSE-SU-2016:0124-1, openSUSE-SU-2016:0126-1, openSUSE-SU-2016:0301-1, openSUSE-SU-2016:0318-1, openSUSE-SU-2016:2649-1, RHSA-2015:2552-01, RHSA-2015:2587-01, RHSA-2015:2636-01, RHSA-2015:2645-01, RHSA-2016:0004-01, RHSA-2016:0024-01, RHSA-2016:0046-01, SOL31026324, SUSE-SU-2015:2108-1, SUSE-SU-2015:2194-1, SUSE-SU-2015:2339-1, SUSE-SU-2015:2350-1, SUSE-SU-2016:0354-1, SUSE-SU-2016:0658-1, SUSE-SU-2016:2074-1, USN-2800-1, USN-2801-1, USN-2802-1, USN-2803-1, USN-2804-1, USN-2805-1, USN-2806-1, USN-2807-1, VIGILANCE-VUL-18268, XSA-156.

Description of the vulnerability

On an x86 processor, when an exception occurs while another exception is in progress, the second one has to be handled sequentially. The Xen/KVM product implements workarounds to prevent infinite loops in this case.

However, the case where an AC (Alignment Check) exception occurs with a Ring-3 Handler and an unaligned stack pointer is not handled.

An attacker, who is administrator in a guest system, can therefore generate an infinite loop with an Alignment Check Exception on Xen/KVM, in order to trigger a denial of service on the host system.

vulnerability announce 18252

Linux kernel: denial of service via selinux_nlmsg_perm

Synthesis of the vulnerability

A local attacker can use malicious Netlink messages on the Linux kernel, in order to trigger a denial of service.
Impacted products: Linux.
Severity: 1/4.
Creation date: 05/11/2015.
Identifiers: VIGILANCE-VUL-18252.

Description of the vulnerability

The Linux kernel uses Netlink sockets to exchange information about the network.

The selinux_nlmsg_perm() function of the security/selinux/hooks.c file displays an error message if the Netlink message is unknown. However, there is no rate limitation on the number of messages which can be displayed.

A local attacker can therefore use malicious Netlink messages on the Linux kernel, in order to trigger a denial of service.

vulnerability note CVE-2015-8019

Linux kernel: memory corruption via skb_copy_and_csum_datagram_iovec

Synthesis of the vulnerability

A local attacker can generate a memory corruption in the skb_copy_and_csum_datagram_iovec() function of the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Impacted products: Linux.
Severity: 2/4.
Creation date: 27/10/2015.
Identifiers: CVE-2015-8019, VIGILANCE-VUL-18194.

Description of the vulnerability

The Linux kernel uses the skb_copy_and_csum_datagram_iovec() function of the net/core/datagram.c file to copy a network buffer.

However, this function does not check the size copied by memcpy_toiovec() from the skb to the iov.

A local attacker can therefore generate a memory corruption in the skb_copy_and_csum_datagram_iovec() function of the Linux kernel, in order to trigger a denial of service, and possibly to run code.

vulnerability alert CVE-2015-7990

Linux kernel: NULL pointer dereference via net/rds/send.c

Synthesis of the vulnerability

A local attacker can force a NULL pointer to be dereferenced in net/rds/connection.c of the Linux kernel, in order to trigger a denial of service.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Linux, openSUSE, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 27/10/2015.
Identifiers: CERTFR-2015-AVI-508, CERTFR-2015-AVI-563, CERTFR-2016-AVI-044, CERTFR-2016-AVI-050, CVE-2015-7990, DSA-3396-1, FEDORA-2015-115c302856, FEDORA-2015-cd94ad8d7c, FEDORA-2015-f2c534bc12, openSUSE-SU-2015:2232-1, openSUSE-SU-2016:0301-1, openSUSE-SU-2016:0318-1, openSUSE-SU-2016:2649-1, SOL98102572, SUSE-SU-2015:2108-1, SUSE-SU-2015:2194-1, SUSE-SU-2015:2292-1, SUSE-SU-2015:2339-1, SUSE-SU-2015:2350-1, SUSE-SU-2016:0354-1, SUSE-SU-2016:2074-1, USN-2886-1, USN-2886-2, USN-2887-1, USN-2887-2, USN-2888-1, USN-2889-1, USN-2889-2, USN-2890-1, USN-2890-2, USN-2890-3, VIGILANCE-VUL-18191.

Description of the vulnerability

The Linux kernel implements RDS (Reliable Datagram Sockets).

However, if the socket is not bound before sending a message, the rds_sendmsg() function of the net/rds/send.c file does not use a lock, which triggers the vulnerability VIGILANCE-VUL-17886.

A local attacker can therefore force a NULL pointer to be dereferenced in net/rds/connection.c of the Linux kernel, via an error in net/rds/send.c, in order to trigger a denial of service.

computer vulnerability announce CVE-2015-7885

Linux kernel: information disclosure via dgnc_mgmt_ioctl

Synthesis of the vulnerability

A local attacker can read a memory fragment via dgnc_mgmt_ioctl() of the Linux kernel, in order to obtain sensitive information.
Impacted products: Linux, openSUSE, Ubuntu.
Severity: 1/4.
Creation date: 22/10/2015.
Identifiers: CERTFR-2015-AVI-549, CVE-2015-7885, openSUSE-SU-2016:0301-1, openSUSE-SU-2016:0318-1, USN-2841-1, USN-2841-2, USN-2842-1, USN-2842-2, USN-2843-1, USN-2843-2, USN-2843-3, USN-2844-1, VIGILANCE-VUL-18157.

Description of the vulnerability

The Linux kernel implements a dgnc (Digi Neo and Digi ClassicBoard) driver.

However, the dgnc_mgmt_ioctl() function of the drivers/staging/dgnc/dgnc_mgmt.c file does not initialize a memory area before returning it to the user.

A local attacker can therefore read a memory fragment via dgnc_mgmt_ioctl() of the Linux kernel, in order to obtain sensitive information.

computer vulnerability alert CVE-2015-7884

Linux kernel: information disclosure via vivid_fb_ioctl

Synthesis of the vulnerability

A local attacker can read a memory fragment via vivid_fb_ioctl() of the Linux kernel, in order to obtain sensitive information.
Impacted products: Linux, openSUSE Leap, Ubuntu.
Severity: 1/4.
Creation date: 22/10/2015.
Identifiers: CERTFR-2015-AVI-549, CVE-2015-7884, openSUSE-SU-2016:1008-1, USN-2842-1, USN-2842-2, USN-2843-1, USN-2843-2, USN-2843-3, VIGILANCE-VUL-18156.

Description of the vulnerability

The Linux kernel implements a vivid (Virtual Video) driver.

However, the vivid_fb_ioctl() function of the drivers/media/platform/vivid/vivid-osd.c file does not initialize a memory area before returning it to the user.

A local attacker can therefore read a memory fragment via vivid_fb_ioctl() of the Linux kernel, in order to obtain sensitive information.

vulnerability announce CVE-2015-7872

Linux kernel: use after free via key_garbage_collector

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area in key_garbage_collector() of the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, BIG-IP Hardware, TMOS, Android OS, NSM Central Manager, NSMXpress, Linux, openSUSE, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 20/10/2015.
Identifiers: CERTFR-2015-AVI-508, CERTFR-2015-AVI-512, CERTFR-2015-AVI-518, CERTFR-2015-AVI-549, CERTFR-2015-AVI-563, CERTFR-2016-AVI-050, CVE-2015-7872, DSA-3396-1, JSA10853, openSUSE-SU-2015:1842-1, openSUSE-SU-2016:0301-1, openSUSE-SU-2016:1008-1, openSUSE-SU-2016:2649-1, RHSA-2015:2636-01, RHSA-2016:0185-01, RHSA-2016:0212-01, RHSA-2016:0224-01, SOL94105604, SUSE-SU-2015:2108-1, SUSE-SU-2015:2194-1, SUSE-SU-2015:2292-1, SUSE-SU-2015:2339-1, SUSE-SU-2015:2350-1, SUSE-SU-2016:0354-1, SUSE-SU-2016:2074-1, USN-2823-1, USN-2824-1, USN-2826-1, USN-2829-1, USN-2829-2, USN-2840-1, USN-2840-2, USN-2843-1, USN-2843-2, USN-2843-3, VIGILANCE-VUL-18142.

Description of the vulnerability

The Linux kernel can store cryptographic keys, which are managed using keyctl.

However, if an error occurs during the creation of the keyring, the garbage collector (function key_garbage_collector) calls keyring_destroy() on a non-existent keyring.

An attacker can therefore force the usage of a freed memory area in key_garbage_collector() of the Linux kernel, in order to trigger a denial of service, and possibly to run code.