ID

VAR-201611-0386

CVE

CVE-2016-5195

TITLE

Linux Implemented in the kernel memory subsystem copy-on-write Vulnerability that causes a race condition in the mechanism

DESCRIPTION

Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW.". Linux Implemented in the kernel memory subsystem copy-on-write The mechanism contains a vulnerability that causes a race condition. Race condition (CWE-362) - CVE-2016-5195 Linux The kernel memory subsystem copy-on-write Due to the implementation problem of the mechanism, A vulnerability exists that causes a race condition. Detailed information such as reproduction code Dirty COW Please refer to. Dirty COW https://dirtycow.ninja/ Attack activity using this vulnerability has been confirmed.Depending on who can log in, root You may get permission. Linux kernel is prone to a local privilege-escalation vulnerability. Local attackers may exploit this issue to gain elevated privileges. 7) - noarch, x86_64 3. Description: The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. (CVE-2016-5195, Important) * Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path; As an unlimited recursion could unfold in both VLAN and TEB modules, leading to a stack corruption in the kernel. ========================================================================== Ubuntu Security Notice USN-3106-2 October 20, 2016 linux-lts-xenial vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS Summary: The system could be made to run programs as an administrator. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: linux-image-4.4.0-45-generic 4.4.0-45.66~14.04.1 linux-image-4.4.0-45-generic-lpae 4.4.0-45.66~14.04.1 linux-image-4.4.0-45-lowlatency 4.4.0-45.66~14.04.1 linux-image-4.4.0-45-powerpc-e500mc 4.4.0-45.66~14.04.1 linux-image-4.4.0-45-powerpc-smp 4.4.0-45.66~14.04.1 linux-image-4.4.0-45-powerpc64-emb 4.4.0-45.66~14.04.1 linux-image-4.4.0-45-powerpc64-smp 4.4.0-45.66~14.04.1 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: kernel security update Advisory ID: RHSA-2016:2133-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2133.html Issue date: 2016-11-01 CVE Names: CVE-2016-4470 CVE-2016-5195 ===================================================================== 1. Summary: An update for kernel is now available for Red Hat Enterprise Linux 6.4 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server AUS (v. 6.4) - noarch, x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 6.4) - x86_64 3. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important) * A flaw was found in the Linux kernel's keyring handling code: the key_reject_and_link() function could be forced to free an arbitrary memory block. An attacker could use this flaw to trigger a use-after-free condition on the system, potentially allowing for privilege escalation. (CVE-2016-4470, Important) Red Hat would like to thank Phil Oester for reporting CVE-2016-5195. The CVE-2016-4470 issue was discovered by David Howells (Red Hat). 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 The system must be rebooted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1341716 - CVE-2016-4470 kernel: Uninitialized variable in request_key handling causes kernel crash in error handling path 1384344 - CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage 6. Package List: Red Hat Enterprise Linux Server AUS (v. 6.4): Source: kernel-2.6.32-358.75.1.el6.src.rpm noarch: kernel-doc-2.6.32-358.75.1.el6.noarch.rpm kernel-firmware-2.6.32-358.75.1.el6.noarch.rpm x86_64: kernel-2.6.32-358.75.1.el6.x86_64.rpm kernel-debug-2.6.32-358.75.1.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-358.75.1.el6.x86_64.rpm kernel-debug-devel-2.6.32-358.75.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-358.75.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-358.75.1.el6.x86_64.rpm kernel-devel-2.6.32-358.75.1.el6.x86_64.rpm kernel-headers-2.6.32-358.75.1.el6.x86_64.rpm perf-2.6.32-358.75.1.el6.x86_64.rpm perf-debuginfo-2.6.32-358.75.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-358.75.1.el6.x86_64.rpm Red Hat Enterprise Linux Server Optional AUS (v. 6.4): Source: kernel-2.6.32-358.75.1.el6.src.rpm x86_64: kernel-debug-debuginfo-2.6.32-358.75.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-358.75.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-358.75.1.el6.x86_64.rpm perf-debuginfo-2.6.32-358.75.1.el6.x86_64.rpm python-perf-2.6.32-358.75.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-358.75.1.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-4470 https://access.redhat.com/security/cve/CVE-2016-5195 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFYGJggXlSAg2UNWIIRAmjIAJ9Hv+CFW/7G9pWkwyCccCUjLGWYaQCgkVuO VBItM1/0m2DIAPJoL6l4Gkg= =mjf6 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03707en_us SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: hpesbgn03707en_us Version: 1 HPESBGN03707 rev.1 - HPE ConvergedSystem 700 2.0 VMware Kit, Remote Increase of Privilege NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2017-03-10 Last Updated: 2017-03-10 Potential Security Impact: Remote: Increase of Privilege Source: Hewlett Packard Enterprise, Product Security Response Team VULNERABILITY SUMMARY HPE has identified two VMware security advisories affecting the HPE ConvergedSystem 700 2.0 VMware Kit. The vulnerability could be exploited remotely to allow an increase of privilege. References: - CVE-2016-5195 - VMWare vROps, VMSA-2016-0018.3 - CVE-2016-7457 - VMWare vROps, VMSA-2016-0016.1 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. - HP ConvergedSystem 700 1.0 or 1.1 - Customers running the HPE ConvergedSystem 700 Firmware and Software Compatibility Matrix -June 2016 - HP ConvergedSystem 700 Virtualization 2.0 VMware Kit 2.0 - HPE ConvergedSystem 700 Firmware and Software Compatibility Matrix -June 2016 BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector CVE-2016-5195 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C) CVE-2016-7457 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 8.0 (AV:N/AC:L/Au:S/C:P/I:P/A:C) Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499 RESOLUTION HPE recommends applying the following vROps patches from VMWARE to HPE ConvergedSystem 700 Firmware and Software Compatibility Matrix - June 2016 on CS700 2.0 solutions: * VMSA-2016-0016.1 <http://www.vmware.com/security/advisories/VMSA-2016-0016.html> * VMSA-2016-0018.3 <http://www.vmware.com/security/advisories/VMSA-2016-0018.html> HISTORY Version:1 (rev.1) - 10 March 2017 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com. Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX Copyright 2016 Hewlett Packard Enterprise Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. 5.9 server) - i386, ia64, noarch, x86_64 3

AFFECTED PRODUCTS