The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of the Linux kernel

vulnerability alert CVE-2015-5156

Linux kernel: buffer overflow of virtnet_probe

Synthesis of the vulnerability

An attacker can generate a buffer overflow in the virtnet_probe() function of the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Fedora, NSM Central Manager, NSMXpress, Linux, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Creation date: 06/08/2015.
Identifiers: CERTFR-2015-AVI-435, CERTFR-2015-AVI-436, CERTFR-2018-AVI-206, CERTFR-2018-AVI-224, CERTFR-2018-AVI-241, CVE-2015-5156, DSA-3364-1, FEDORA-2015-0253d1f070, FEDORA-2015-c15f00eb95, JSA10853, RHSA-2015:1977-01, RHSA-2015:1978-01, RHSA-2016:0855-01, SUSE-SU-2015:1727-1, SUSE-SU-2015:2292-1, SUSE-SU-2018:1080-1, SUSE-SU-2018:1172-1, SUSE-SU-2018:1309-1, USN-2773-1, USN-2774-1, USN-2775-1, USN-2776-1, USN-2777-1, USN-2778-1, USN-2779-1, VIGILANCE-VUL-17601.

Description of the vulnerability

A KVM guest system uses the drivers/net/virtio_net.c network driver of the Linux kernel.

However, when the NETIF_F_FRAGLIST feature is enabled, the number of fragments can exceed the size of the storage array, and an overflow occurs.

An attacker can therefore generate a buffer overflow in the virtnet_probe() function of the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2015-3290 CVE-2015-3291 CVE-2015-5157

Linux kernel: four vulnerabilities of NMI

Synthesis of the vulnerability

Several vulnerabilities were announced in the NMI (Non-maskable interrupt) processing by the Linux kernel.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, NSM Central Manager, NSMXpress, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 4.
Creation date: 23/07/2015.
Revision date: 05/08/2015.
Identifiers: CERTFR-2015-AVI-321, CERTFR-2015-AVI-324, CERTFR-2015-AVI-357, CERTFR-2015-AVI-508, CERTFR-2015-AVI-563, CERTFR-2016-AVI-050, CERTFR-2017-AVI-012, CERTFR-2017-AVI-022, CVE-2015-3290, CVE-2015-3291, CVE-2015-5157, DSA-3313-1, FEDORA-2015-12437, JSA10774, JSA10853, openSUSE-SU-2015:1382-1, openSUSE-SU-2015:1842-1, openSUSE-SU-2016:0301-1, openSUSE-SU-2016:0318-1, RHSA-2016:0185-01, RHSA-2016:0212-01, RHSA-2016:0224-01, RHSA-2016:0715-01, SOL17326, SUSE-SU-2015:1727-1, SUSE-SU-2015:2108-1, SUSE-SU-2015:2339-1, SUSE-SU-2015:2350-1, SUSE-SU-2016:0354-1, USN-2687-1, USN-2688-1, USN-2689-1, USN-2690-1, USN-2691-1, USN-2700-1, USN-2701-1, VIGILANCE-VUL-17495.

Description of the vulnerability

Several vulnerabilities were announced in the NMI (Non-maskable interrupt) processing by the Linux kernel.

An attacker can change the execution path of SYSCALL/SYSRET instructions, in order to run code with kernel privileges. [severity:2/4; CVE-2015-3291]

An attacker can generate a memory corruption after an IRET instruction fault, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2015-5157]

An attacker can generate a log filling, in order to trigger a denial of service. [severity:2/4]

An attacker can generate a memory corruption by nesting NMIs on a 64-bit processor, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2015-3290]

computer vulnerability alert CVE-2015-5707

Linux kernel: integer overflow of SCSI sg_start_req

Synthesis of the vulnerability

A local attacker can generate an integer overflow in the SCSI driver of the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, BIG-IP Hardware, TMOS, Android OS, Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server.
Provenance: user shell.
Creation date: 03/08/2015.
Identifiers: CERTFR-2015-AVI-331, CERTFR-2015-AVI-369, CERTFR-2015-AVI-372, CERTFR-2015-AVI-411, CERTFR-2015-AVI-417, CERTFR-2016-AVI-073, CERTFR-2016-AVI-103, CVE-2015-5707, DSA-3329-1, openSUSE-SU-2015:1842-1, openSUSE-SU-2016:0301-1, SOL17475, SUSE-SU-2015:1478-1, SUSE-SU-2015:1592-1, SUSE-SU-2015:1611-1, SUSE-SU-2015:2084-1, SUSE-SU-2015:2085-1, SUSE-SU-2015:2086-1, SUSE-SU-2015:2087-1, SUSE-SU-2015:2089-1, SUSE-SU-2015:2090-1, SUSE-SU-2015:2091-1, SUSE-SU-2016:0585-1, SUSE-SU-2016:0785-1, USN-2733-1, USN-2734-1, USN-2737-1, USN-2738-1, USN-2750-1, USN-2759-1, USN-2760-1, VIGILANCE-VUL-17576.

Description of the vulnerability

The drivers/scsi/sg.c file of the Linux kernel implements the generic driver for SCSI.

However, if iov_count is too large, a multiplication in the sg_start_req() function overflows, so the allocated memory area is too small.

A local attacker can therefore generate an integer overflow in the SCSI driver of the Linux kernel, in order to trigger a denial of service, and possibly to run code.

computer vulnerability CVE-2015-5706

Linux kernel: use after free via path_openat

Synthesis of the vulnerability

A local attacker can force the usage of a freed memory area in the path_openat() function of the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Android OS, Linux.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server.
Provenance: user shell.
Creation date: 03/08/2015.
Identifiers: 940339, CERTFR-2015-AVI-331, CVE-2015-5706, DSA-3329-1, VIGILANCE-VUL-17575.

Description of the vulnerability

The openat() system call opens a file, with a path relative to a directory descriptor:
  int openat(int dirfd, const char *pathname, int flags);

The path_openat() function of the fs/namei.c file implements openat(). However, if the file is opened with the __O_TMPFILE flag, the path_cleanup() function is called twice.

A local attacker can therefore force the usage of a freed memory area in the path_openat() function of the Linux kernel, in order to trigger a denial of service, and possibly to run code.

vulnerability note CVE-2015-3212

Linux kernel: denial of service via SCTP ASCONF

Synthesis of the vulnerability

An attacker can send several SCTP ASCONF packets to the Linux kernel, in order to trigger a denial of service.
Impacted products: Debian, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: intranet client.
Creation date: 31/07/2015.
Identifiers: CERTFR-2015-AVI-331, CERTFR-2015-AVI-357, CERTFR-2015-AVI-391, CVE-2015-3212, DSA-3329-1, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, RHSA-2015:1778-01, RHSA-2015:1787-01, RHSA-2015:1788-01, SUSE-SU-2015:1324-1, USN-2713-1, USN-2714-1, USN-2715-1, USN-2716-1, USN-2717-1, USN-2718-1, USN-2719-1, VIGILANCE-VUL-17544.

Description of the vulnerability

The SCTP protocol is used to transport several message streams, multiplexed over one connection.

The ASCONF (Address Configuration Change) message is used when an IP address changes. The kernel stores it in a list. However, a synchronization error on this list in net/sctp/socket.c generates a fatal error.

An attacker can therefore send several SCTP ASCONF packets to the Linux kernel, in order to trigger a denial of service.

computer vulnerability alert CVE-2015-5697

Linux kernel: information disclosure via MD get_bitmap_file

Synthesis of the vulnerability

A local attacker can read a memory fragment of the Linux kernel via the get_bitmap_file() function, in order to obtain sensitive information.
Impacted products: Debian, Fedora, Linux, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 28/07/2015.
Identifiers: CERTFR-2015-AVI-331, CERTFR-2015-AVI-359, CERTFR-2015-AVI-369, CERTFR-2015-AVI-411, CERTFR-2015-AVI-435, CVE-2015-5697, DSA-3329-1, FEDORA-2015-12908, FEDORA-2015-12917, FEDORA-2015-13391, FEDORA-2015-13396, SUSE-SU-2015:1727-1, USN-2731-1, USN-2732-1, USN-2748-1, USN-2749-1, USN-2751-1, USN-2752-1, USN-2777-1, VIGILANCE-VUL-17516.

Description of the vulnerability

The drivers/md/md.c file implements the support of Multiple Devices (RAID) for the Linux kernel.

A local user can request a file containing the RAID bitmap, which is generated by the get_bitmap_file() function. However, if the bitmap feature is disabled (mdadm --bitmap=none), the get_bitmap_file() function does not initialize a memory area before returning it to the user.

A local attacker can therefore read a memory fragment of the Linux kernel via the get_bitmap_file() function, in order to obtain sensitive information.

vulnerability CVE-2015-1333

Linux kernel: memory leak via Keyring

Synthesis of the vulnerability

A local attacker can create a memory leak, by adding the same key to their keyring many times, in order to trigger a denial of service on the Linux kernel.
Impacted products: Debian, Fedora, Linux, openSUSE, RHEL, Ubuntu.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: user shell.
Creation date: 27/07/2015.
Identifiers: CERTFR-2015-AVI-321, CERTFR-2015-AVI-331, CERTFR-2015-AVI-391, CVE-2015-1333, DSA-3329-1, FEDORA-2015-12437, openSUSE-SU-2015:1842-1, RHSA-2015:1778-01, RHSA-2015:1787-01, RHSA-2015:1788-01, USN-2687-1, USN-2688-1, USN-2689-1, USN-2690-1, USN-2691-1, VIGILANCE-VUL-17510.

Description of the vulnerability

The Linux kernel can store cryptographic keys, which are managed using add_key(), request_key() and keyctl() functions.

However, when the same key is added twice, the __key_link_end() function does not free 512 bytes of memory.

A local attacker can therefore create a memory leak, by adding the same key to their keyring many times, in order to trigger a denial of service on the Linux kernel.

vulnerability note CVE-2015-5364 CVE-2015-5366

Linux kernel: denial of service via UDP

Synthesis of the vulnerability

An attacker can flood a Linux host with UDP packets with wrong checksums, in order to trigger a denial of service.
Impacted products: Debian, BIG-IP Hardware, TMOS, Android OS, Junos Space, Linux, openSUSE, Palo Alto Firewall PA***, PAN-OS, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 01/07/2015.
Identifiers: CERTFR-2015-AVI-311, CERTFR-2015-AVI-318, CERTFR-2015-AVI-331, CERTFR-2015-AVI-352, CERTFR-2015-AVI-357, CERTFR-2015-AVI-391, CERTFR-2017-AVI-012, CVE-2015-5364, CVE-2015-5366, DSA-3313-1, DSA-3329-1, JSA10770, K17307, K17309, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, PAN-SA-2016-0025, RHSA-2015:1623-01, RHSA-2015:1778-01, RHSA-2015:1787-01, RHSA-2015:1788-01, RHSA-2016:0045-01, RHSA-2016:1096-01, RHSA-2016:1100-01, RHSA-2016:1225-01, SOL17307, SOL17309, SUSE-SU-2015:1224-1, SUSE-SU-2015:1324-1, SUSE-SU-2015:1478-1, SUSE-SU-2015:1592-1, SUSE-SU-2015:1611-1, USN-2678-1, USN-2680-1, USN-2681-1, USN-2682-1, USN-2683-1, USN-2684-1, USN-2685-1, USN-2713-1, USN-2714-1, VIGILANCE-VUL-17284.

Description of the vulnerability

UDP packets carry a checksum to check whether the packet has been corrupted in transit.

However, the check occurs quite late in the packet processing path. So, when the incoming packet rate is high, the kernel spends too much time handling the packet queue and other internal data structures, which prevents user processes from resuming.

An attacker can therefore flood a Linux host with UDP packets with wrong checksums, in order to trigger a denial of service.

vulnerability note CVE-2015-4692

Linux kernel: NULL pointer dereference via kvm_apic_has_events

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced in "kvm_apic_has_events()" of the Linux kernel, in order to trigger a denial of service.
Impacted products: Debian, Fedora, Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: user shell.
Creation date: 29/06/2015.
Identifiers: CERTFR-2015-AVI-269, CERTFR-2015-AVI-318, CERTFR-2015-AVI-331, CERTFR-2015-AVI-357, CVE-2015-4692, DSA-3329-1, FEDORA-2015-10677, FEDORA-2015-10678, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, SUSE-SU-2015:1324-1, USN-2678-1, USN-2680-1, USN-2681-1, USN-2682-1, USN-2683-1, USN-2684-1, USN-2685-1, VIGILANCE-VUL-17254.

Description of the vulnerability

The Linux kernel offers a virtualization layer: KVM.

A KVM virtual machine may have an interrupt controller, whose emulation is partially implemented in the source file "arch/x86/kvm/lapic.h". However, the function "kvm_apic_has_events", defined in this file, does not check whether a pointer is NULL before using it.

An attacker can therefore force a NULL pointer to be dereferenced in "kvm_apic_has_events()" of the Linux kernel, in order to trigger a denial of service.

computer vulnerability announce CVE-2015-4700

Linux kernel: denial of service via BPF JIT

Synthesis of the vulnerability

An attacker can define a malicious BPF filter to be compiled to native code, in order to raise a fatal exception in the Linux kernel and so trigger a denial of service.
Impacted products: Debian, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: user shell.
Creation date: 23/06/2015.
Identifiers: 1233615, CERTFR-2015-AVI-283, CERTFR-2015-AVI-318, CERTFR-2015-AVI-331, CERTFR-2015-AVI-357, CERTFR-2015-AVI-391, CVE-2015-4700, DSA-3329-1, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, RHSA-2015:1778-01, RHSA-2015:1788-01, SUSE-SU-2015:1224-1, SUSE-SU-2015:1478-1, SUSE-SU-2015:1592-1, SUSE-SU-2015:1611-1, USN-2664-1, USN-2666-1, USN-2678-1, USN-2679-1, USN-2680-1, USN-2681-1, USN-2683-1, USN-2684-1, VIGILANCE-VUL-17207.

Description of the vulnerability

The Linux kernel includes a packet filter from BSD. A rule set for this filter may be compiled to native machine code just before it runs.

There is more than one way to translate a BPF instruction to x86 code, and these instructions have different lengths. So, the compiler does several passes over the code to adjust jump instructions. However, some filters require more passes than the allowed maximum. In this case, the produced code includes INT 3 instructions, used to call the debugger. This instruction is not allowed in the kernel.

An attacker can therefore define a malicious BPF filter to be compiled to native code, in order to raise a fatal exception in the Linux kernel and so trigger a denial of service.