VARIoT IoT vulnerabilities database

A Stack-based Buffer Overflow issue was discovered in Delta Electronics Delta Industrial Automation Screen Editor, Version 2.00.23.00 or prior. Stack-based buffer overflow vulnerabilities caused by processing specially crafted .dpb files may allow an attacker to remotely execute arbitrary code. Multiple stack-based buffer-overflow vulnerabilities 2. Multiple denial-of-service vulnerabilities 3

A Type Confusion issue was discovered in Delta Electronics Delta Industrial Automation Screen Editor, Version 2.00.23.00 or prior. An access of resource using incompatible type ('type confusion') vulnerability may allow an attacker to execute remote code when processing specially crafted .dpb files. Multiple stack-based buffer-overflow vulnerabilities 2. Multiple denial-of-service vulnerabilities 3

A Use-after-Free issue was discovered in Delta Electronics Delta Industrial Automation Screen Editor, Version 2.00.23.00 or prior. Specially crafted .dpb files could exploit a use-after-free vulnerability. Multiple stack-based buffer-overflow vulnerabilities 2. Multiple denial-of-service vulnerabilities 3

An Out-of-bounds Write issue was discovered in Delta Electronics Delta Industrial Automation Screen Editor, Version 2.00.23.00 or prior. Specially crafted .dpb files may cause the system to write outside the intended buffer area. An attacker could exploit this vulnerability to execute arbitrary code (over boundary writes) with a specially crafted .dpb file. Multiple stack-based buffer-overflow vulnerabilities 2. Multiple denial-of-service vulnerabilities 3

D-LinkDSL-6850U is a wireless router product of D-Link. D-LinkDSL-6850U Router Remote Command Execution Vulnerability. Since the router has the remote web management service enabled by default, the service has the default credentials support:support and cannot be disabled. The attacker can log in to the router's web management interface through the default credentials, and then manually open the Wan port telnet service that is turned off by default. After logging in to the telnet service, you can use the && or || command sandbox escape to get full shell permissions.

An Improper Input Validation issue was discovered in Advantech WebAccess versions prior to 8.3. WebAccess allows some inputs that may cause the program to crash. Advantech WebAccess Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. The vulnerability is caused by a failure to properly validate WebAccess input. Advantech WebAccess is prone to the following security vulnerabilities: 1. Multiple denial-of-service vulnerabilities 2. Multiple stack-based buffer-overflow vulnerabilities 3. A directory-traversal vulnerability 4. An SQL-injection vulnerability 5. Multiple denial-of-service vulnerabilities An attacker can exploit these issues to execute arbitrary code in the context of the application, or modify data, or exploit latent vulnerabilities in the underlying database,perform certain unauthorized actions, gain unauthorized access and obtain sensitive information

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. Two vulnerabilities are identified, known as "Variant 3a" and "Variant 4". CPUhardware is a set of firmware that runs in the CPU (Central Processing Unit) for managing and controlling the CPU. The Meltdown vulnerability exists in the CPU processor core, which \"melts\" the security boundary implemented by hardware, allowing low-privileged user-level applications to \"cross-border\" access to system-level memory, causing data leakage. The following products and versions are affected: ARM Cortex-R7; Cortex-R8; Cortex-A8; Cortex-A9; Cortex-A12; Xeon CPU E5-1650 v3, v2, v4; Xeon E3-1265l v2, v3, v4 ; Xeon E3-1245 v2, v3, v5, v6 versions; Xeon X7542, etc. X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Thu, 04 Jan 2018 01:01:25 +0000 (UTC) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: kernel security update Advisory ID: RHSA-2018:0007-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2018:0007 Issue date: 2018-01-03 ===================================================================== 1. Summary: An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Note: This issue is present in hardware and cannot be fully fixed via software update. The updated kernel packages provide software mitigation for this hardware issue at a cost of potential performance penalty. Please refer to References section for further information about this issue and the performance impact. In this update mitigations for x86-64 architecture are provided. Variant CVE-2017-5753 triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks. (CVE-2017-5753, Important) Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks. (CVE-2017-5715, Important) Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. (CVE-2017-5754, Important) Note: CVE-2017-5754 affects Intel x86-64 microprocessors. AMD x86-64 microprocessors are not affected by this issue. Red Hat would like to thank Google Project Zero for reporting these issues. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 The system must be rebooted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1519778 - CVE-2017-5753 hw: cpu: speculative execution bounds-check bypass 1519780 - CVE-2017-5715 hw: cpu: speculative execution branch target injection 1519781 - CVE-2017-5754 hw: cpu: speculative execution permission faults handling 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: kernel-3.10.0-693.11.6.el7.src.rpm noarch: kernel-abi-whitelists-3.10.0-693.11.6.el7.noarch.rpm kernel-doc-3.10.0-693.11.6.el7.noarch.rpm x86_64: kernel-3.10.0-693.11.6.el7.x86_64.rpm kernel-debug-3.10.0-693.11.6.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-debug-devel-3.10.0-693.11.6.el7.x86_64.rpm kernel-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-693.11.6.el7.x86_64.rpm kernel-devel-3.10.0-693.11.6.el7.x86_64.rpm kernel-headers-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-libs-3.10.0-693.11.6.el7.x86_64.rpm perf-3.10.0-693.11.6.el7.x86_64.rpm perf-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm python-perf-3.10.0-693.11.6.el7.x86_64.rpm python-perf-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: kernel-debug-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-693.11.6.el7.x86_64.rpm perf-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm python-perf-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: kernel-3.10.0-693.11.6.el7.src.rpm noarch: kernel-abi-whitelists-3.10.0-693.11.6.el7.noarch.rpm kernel-doc-3.10.0-693.11.6.el7.noarch.rpm x86_64: kernel-3.10.0-693.11.6.el7.x86_64.rpm kernel-debug-3.10.0-693.11.6.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-debug-devel-3.10.0-693.11.6.el7.x86_64.rpm kernel-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-693.11.6.el7.x86_64.rpm kernel-devel-3.10.0-693.11.6.el7.x86_64.rpm kernel-headers-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-libs-3.10.0-693.11.6.el7.x86_64.rpm perf-3.10.0-693.11.6.el7.x86_64.rpm perf-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm python-perf-3.10.0-693.11.6.el7.x86_64.rpm python-perf-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: kernel-debug-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-693.11.6.el7.x86_64.rpm perf-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm python-perf-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: kernel-3.10.0-693.11.6.el7.src.rpm noarch: kernel-abi-whitelists-3.10.0-693.11.6.el7.noarch.rpm kernel-doc-3.10.0-693.11.6.el7.noarch.rpm ppc64: kernel-3.10.0-693.11.6.el7.ppc64.rpm kernel-bootwrapper-3.10.0-693.11.6.el7.ppc64.rpm kernel-debug-3.10.0-693.11.6.el7.ppc64.rpm kernel-debug-debuginfo-3.10.0-693.11.6.el7.ppc64.rpm kernel-debug-devel-3.10.0-693.11.6.el7.ppc64.rpm kernel-debuginfo-3.10.0-693.11.6.el7.ppc64.rpm kernel-debuginfo-common-ppc64-3.10.0-693.11.6.el7.ppc64.rpm kernel-devel-3.10.0-693.11.6.el7.ppc64.rpm kernel-headers-3.10.0-693.11.6.el7.ppc64.rpm kernel-tools-3.10.0-693.11.6.el7.ppc64.rpm kernel-tools-debuginfo-3.10.0-693.11.6.el7.ppc64.rpm kernel-tools-libs-3.10.0-693.11.6.el7.ppc64.rpm perf-3.10.0-693.11.6.el7.ppc64.rpm perf-debuginfo-3.10.0-693.11.6.el7.ppc64.rpm python-perf-3.10.0-693.11.6.el7.ppc64.rpm python-perf-debuginfo-3.10.0-693.11.6.el7.ppc64.rpm ppc64le: kernel-3.10.0-693.11.6.el7.ppc64le.rpm kernel-bootwrapper-3.10.0-693.11.6.el7.ppc64le.rpm kernel-debug-3.10.0-693.11.6.el7.ppc64le.rpm kernel-debug-debuginfo-3.10.0-693.11.6.el7.ppc64le.rpm kernel-debuginfo-3.10.0-693.11.6.el7.ppc64le.rpm kernel-debuginfo-common-ppc64le-3.10.0-693.11.6.el7.ppc64le.rpm kernel-devel-3.10.0-693.11.6.el7.ppc64le.rpm kernel-headers-3.10.0-693.11.6.el7.ppc64le.rpm kernel-tools-3.10.0-693.11.6.el7.ppc64le.rpm kernel-tools-debuginfo-3.10.0-693.11.6.el7.ppc64le.rpm kernel-tools-libs-3.10.0-693.11.6.el7.ppc64le.rpm perf-3.10.0-693.11.6.el7.ppc64le.rpm perf-debuginfo-3.10.0-693.11.6.el7.ppc64le.rpm python-perf-3.10.0-693.11.6.el7.ppc64le.rpm python-perf-debuginfo-3.10.0-693.11.6.el7.ppc64le.rpm s390x: kernel-3.10.0-693.11.6.el7.s390x.rpm kernel-debug-3.10.0-693.11.6.el7.s390x.rpm kernel-debug-debuginfo-3.10.0-693.11.6.el7.s390x.rpm kernel-debug-devel-3.10.0-693.11.6.el7.s390x.rpm kernel-debuginfo-3.10.0-693.11.6.el7.s390x.rpm kernel-debuginfo-common-s390x-3.10.0-693.11.6.el7.s390x.rpm kernel-devel-3.10.0-693.11.6.el7.s390x.rpm kernel-headers-3.10.0-693.11.6.el7.s390x.rpm kernel-kdump-3.10.0-693.11.6.el7.s390x.rpm kernel-kdump-debuginfo-3.10.0-693.11.6.el7.s390x.rpm kernel-kdump-devel-3.10.0-693.11.6.el7.s390x.rpm perf-3.10.0-693.11.6.el7.s390x.rpm perf-debuginfo-3.10.0-693.11.6.el7.s390x.rpm python-perf-3.10.0-693.11.6.el7.s390x.rpm python-perf-debuginfo-3.10.0-693.11.6.el7.s390x.rpm x86_64: kernel-3.10.0-693.11.6.el7.x86_64.rpm kernel-debug-3.10.0-693.11.6.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-debug-devel-3.10.0-693.11.6.el7.x86_64.rpm kernel-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-693.11.6.el7.x86_64.rpm kernel-devel-3.10.0-693.11.6.el7.x86_64.rpm kernel-headers-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-libs-3.10.0-693.11.6.el7.x86_64.rpm perf-3.10.0-693.11.6.el7.x86_64.rpm perf-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm python-perf-3.10.0-693.11.6.el7.x86_64.rpm python-perf-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: kernel-debug-debuginfo-3.10.0-693.11.6.el7.ppc64.rpm kernel-debuginfo-3.10.0-693.11.6.el7.ppc64.rpm kernel-debuginfo-common-ppc64-3.10.0-693.11.6.el7.ppc64.rpm kernel-tools-debuginfo-3.10.0-693.11.6.el7.ppc64.rpm kernel-tools-libs-devel-3.10.0-693.11.6.el7.ppc64.rpm perf-debuginfo-3.10.0-693.11.6.el7.ppc64.rpm python-perf-debuginfo-3.10.0-693.11.6.el7.ppc64.rpm ppc64le: kernel-debug-debuginfo-3.10.0-693.11.6.el7.ppc64le.rpm kernel-debug-devel-3.10.0-693.11.6.el7.ppc64le.rpm kernel-debuginfo-3.10.0-693.11.6.el7.ppc64le.rpm kernel-debuginfo-common-ppc64le-3.10.0-693.11.6.el7.ppc64le.rpm kernel-tools-debuginfo-3.10.0-693.11.6.el7.ppc64le.rpm kernel-tools-libs-devel-3.10.0-693.11.6.el7.ppc64le.rpm perf-debuginfo-3.10.0-693.11.6.el7.ppc64le.rpm python-perf-debuginfo-3.10.0-693.11.6.el7.ppc64le.rpm x86_64: kernel-debug-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-693.11.6.el7.x86_64.rpm perf-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm python-perf-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: kernel-3.10.0-693.11.6.el7.src.rpm noarch: kernel-abi-whitelists-3.10.0-693.11.6.el7.noarch.rpm kernel-doc-3.10.0-693.11.6.el7.noarch.rpm x86_64: kernel-3.10.0-693.11.6.el7.x86_64.rpm kernel-debug-3.10.0-693.11.6.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-debug-devel-3.10.0-693.11.6.el7.x86_64.rpm kernel-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-693.11.6.el7.x86_64.rpm kernel-devel-3.10.0-693.11.6.el7.x86_64.rpm kernel-headers-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-libs-3.10.0-693.11.6.el7.x86_64.rpm perf-3.10.0-693.11.6.el7.x86_64.rpm perf-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm python-perf-3.10.0-693.11.6.el7.x86_64.rpm python-perf-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: kernel-debug-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-693.11.6.el7.x86_64.rpm perf-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm python-perf-debuginfo-3.10.0-693.11.6.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/vulnerabilities/speculativeexecution https://access.redhat.com/security/cve/CVE-2017-5753 https://access.redhat.com/security/cve/CVE-2017-5715 https://access.redhat.com/security/cve/CVE-2017-5754 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFaTXxVXlSAg2UNWIIRAnGZAKCCDXCEpNliyl378yhPHJ11vj74bwCdFc9+ 0mPrmOPm1+0ayOnwPiH6wmA= =fBN+ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . By now, we're sure most everyone have heard of the Meltdown and Spectre attacks. If not, head over to https://meltdownattack.com/ and get an overview. https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html The FreeBSD Security Team was notified of the issue in late December and received a briefing under NDA with the original embargo date of January 9th. Since we received relatively late notice of the issue, our ability to provide fixes is delayed. Meltdown (CVE-2017-5754) ~~~~~~~~~~~~~~~~~~~~~~~~ In terms of priority, the first step is to mitigate against the Meltdown attack (CVE-2017-5754, cited as variant 3 by Project Zero). Work for this is ongoing, but due to the relatively large changes needed, this is going to take a little while. We are currently targeting patches for amd64 being dev complete this week with testing probably running into next week. From there, we hope to give it a short bake time before pushing it into the 11.1-RELEASE branch. Additional work will be required to bring the mitigation to 10.3-RELEASE and 10.4-RELEASE. The code will be selectable via a tunable which will automatically turn on for modern Intel processors and off for AMD processors (since they are reportedly not vulnerable). Since the fix for Meltdown does incur a performance hit for any transition between user space and kernel space, this could be rather impactful depending on the workload. As such, the tunable can also be overridden by the end-user if they are willing to accept the risk. Initial work can be tracked at https://reviews.freebsd.org/D13797. Please note this is a work in progress and some stuff is likely to be broken. Spectre (CVE-2017-5753 and CVE-2017-5715) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ When it comes to the Spectre vulnerabilities, it is much harder to sort these out. Variant 1 (CVE-2017-5753) is going to require some static analysis to determine vulnerable use cases that will require barriers to stop speculation from disclosing information it shouldn't. While we haven't done the analysis to determine where we are vulnerable, the number of cases here are supposed to be pretty small. Apparently there have been some Coverity rules developed to help look for these, but we are still evaluating what can be done here. The other half of Spectre, variant 2 (CVE-2017-5715) is a bit trickier as it affects both normal processes and bhyve. There is a proposed patch for LLVM (https://reviews.llvm.org/D41723) that introduces a concept called 'retpoline' which mitigates this issue. We are likely to pull this into HEAD and 11-STABLE once it hits the LLVM tree. Unfortunately, the currently supported FreeBSD releases are using older versions of LLVM for which we are not sure the LLVM project will produce patches. We will be looking at the feasibility to backport these patches to these earlier versions. There are CPU microcode fixes coming out when in concert with OS changes would also help, but that's a bit down the road at the moment. Best regards, Gordon Tetlow with security-officer hat on . 7.3) - ppc64, ppc64le, x86_64 3. In this update initial mitigations for IBM Power (PowerPC) and IBM zSeries (S390) architectures are provided. Bug Fix(es): * When attempting to reread parent blocks in btree traversal, the xfs code which deletes extended attributes from an inode assumed that the parent blocks were still on the cache. Under memory pressure and memory reclaim, such parent blocks were sometimes removed from the cache. Consequently, attempts to reread previously cached parent blocks caused the file system to read invalid memory. This update fixes xfs to reinitialize the pointer to the parent block buffers after the block has been reread. As a result, pointers to btree blocks now point to valid memory, and the kernel no longer crashes due to an invalid memory access. (BZ#1512811) * The write access check for huge pages did not function correctly on IBM z Systems. Consequently, if asynchronous I/O reads were used, buffers sometimes contained zeroes rather than data from a file, even when the io_getevents() system call reported that the associated read had finished successfully. This update fixes the write access check in the gup_huge_pmd() function in memory management, and read data is stored in asynchronous I/O buffers properly. (BZ#1513315) * With this update, the rule for iptables reloading has been optimized to complete faster. (BZ#1514040) 4. 6.6) - noarch, x86_64 3. ========================================================================== Kernel Live Patch Security Notice 0046-1 December 20, 2018 linux vulnerability ========================================================================== A security issue affects these releases of Ubuntu: | Series | Base kernel | Arch | flavors | |------------------+--------------+----------+------------------| | Ubuntu 14.04 LTS | 4.4.0 | amd64 | generic | | Ubuntu 14.04 LTS | 4.4.0 | amd64 | lowlatency | | Ubuntu 16.04 LTS | 4.4.0 | amd64 | generic | | Ubuntu 16.04 LTS | 4.4.0 | amd64 | lowlatency | | Ubuntu 18.04 LTS | 4.15.0 | amd64 | generic | | Ubuntu 18.04 LTS | 4.15.0 | amd64 | lowlatency | Summary: Several security issues were fixed in the kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-18710) It was discovered that a race condition existed in the raw MIDI driver for the Linux kernel, leading to a double free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10902) It was discovered that the BPF verifier in the Linux kernel did not correctly compute numeric bounds in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-18445) Noam Rathaus discovered that a use-after-free vulnerability existed in the Infiniband implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2018-14734) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly ensure that xattr information remained in inode bodies. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10880) Kanda Motohiro discovered that writing extended attributes to an XFS file system in the Linux kernel in certain situations could cause an error condition to occur. A local attacker could use this to cause a denial of service. (CVE-2018-18690) It was discovered that an integer overflow existed in the HID Bluetooth implementation in the Linux kernel that could lead to a buffer overwrite. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2017-5753) It was discovered that the YUREX USB device driver for the Linux kernel did not properly restrict user space reads or writes. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16276) It was discovered that an integer overflow existed in the CD-ROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-16658) Update instructions: The problem can be corrected by updating your livepatches to the following versions: | Kernel | Version | flavors | |--------------------------+----------+--------------------------| | 4.4.0-133.159 | 46.3 | generic, lowlatency | | 4.4.0-133.159~14.04.1 | 46.3 | lowlatency, generic | | 4.4.0-134.160 | 46.3 | generic, lowlatency | | 4.4.0-134.160~14.04.1 | 46.3 | lowlatency, generic | | 4.4.0-135.161~14.04.1 | 46.3 | lowlatency, generic | | 4.4.0-137.163 | 46.3 | generic, lowlatency | | 4.4.0-137.163~14.04.1 | 46.3 | generic, lowlatency | | 4.4.0-138.164 | 46.3 | generic, lowlatency | | 4.4.0-138.164~14.04.1 | 46.3 | lowlatency, generic | | 4.4.0-139.165 | 46.3 | generic, lowlatency | | 4.4.0-139.165~14.04.1 | 46.3 | lowlatency, generic | | 4.4.0-140.166 | 46.3 | lowlatency, generic | | 4.4.0-140.166~14.04.1 | 46.3 | lowlatency, generic | | 4.15.0-32.35 | 46.3 | lowlatency, generic | | 4.15.0-33.36 | 46.3 | lowlatency, generic | | 4.15.0-34.37 | 46.3 | generic, lowlatency | | 4.15.0-36.39 | 46.3 | generic, lowlatency | | 4.15.0-38.41 | 46.3 | lowlatency, generic | | 4.15.0-39.42 | 46.3 | generic, lowlatency | | 4.15.0-42.45 | 46.3 | lowlatency, generic | References: CVE-2018-18710, CVE-2018-10902, CVE-2018-18445, CVE-2018-14734, CVE-2018-10880, CVE-2018-18690, CVE-2018-9363, CVE-2017-5753, CVE-2018-16276, CVE-2018-16658 -- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03805en_us SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: hpesbhf03805en_us Version: 7 HPESBHF03805 rev.7 - Certain HPE products using Microprocessors from Intel, AMD, and ARM, with Speculative Execution, Elevation of Privilege and Information Disclosure. NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2018-01-23 Last Updated: 2018-01-22 Potential Security Impact: Local: Disclosure of Information, Elevation of Privilege Source: Hewlett Packard Enterprise, Product Security Response Team VULNERABILITY SUMMARY On January 3 2018, side-channel security vulnerabilities involving speculative execution were publicly disclosed. These vulnerabilities may impact the listed HPE products, potentially leading to information disclosure and elevation of privilege. Mitigation and resolution of these vulnerabilities may call for both an operating system update, provided by the OS vendor, and a system ROM update from HPE. **Note:** * This issue takes advantage of techniques commonly used in many modern processor architectures. * For further information, microprocessor vendors have provided security advisories: - Intel: <https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00088&langu geid=en-fr> - AMD: <http://www.amd.com/en/corporate/speculative-execution> - ARM: <https://developer.arm.com/support/security-update> References: - CVE-2017-5715 - aka Spectre, branch target injection - CVE-2017-5753 - aka Spectre, bounds check bypass - CVE-2017-5754 - aka Meltdown, rogue data cache load, memory access permission check performed after kernel memory read SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. - HPE ProLiant DL380 Gen10 Server - To be delivered - HPE ProLiant DL180 Gen10 Server - To be delivered - HPE ProLiant DL160 Gen10 Server - To be delivered - HPE ProLiant DL360 Gen10 Server - To be delivered - HPE ProLiant ML110 Gen10 Server - To be delivered - HPE ProLiant DL580 Gen10 Server - To be delivered - HPE ProLiant DL560 Gen10 Server - To be delivered - HPE ProLiant DL120 Gen10 Server - To be delivered - HPE ProLiant ML350 Gen10 Server - To be delivered - HPE ProLiant XL450 Gen10 Server - To be delivered - HPE Synergy 660 Gen10 Compute Module - To be delivered - HPE ProLiant DL385 Gen10 Server - prior to v1.04 - HPE ProLiant XL170r Gen10 Server - To be delivered - HPE ProLiant BL460c Gen10 Server Blade - To be delivered - HPE ProLiant XL190r Gen10 Server - To be delivered - HPE ProLiant XL230k Gen10 Server - To be delivered - HPE Synergy 480 Gen10 Compute Module - To be delivered - HPE ProLiant XL730f Gen9 Server - To be delivered - HPE ProLiant XL230a Gen9 Server - To be delivered - HPE ProLiant XL740f Gen9 Server - To be delivered - HPE ProLiant XL750f Gen9 Server - To be delivered - HPE ProLiant XL170r Gen9 Server - To be delivered - HP ProLiant DL60 Gen9 Server - To be delivered - HP ProLiant DL160 Gen9 Server - To be delivered - HPE ProLiant DL360 Gen9 Server - To be delivered - HP ProLiant DL380 Gen9 Server - To be delivered - HPE ProLiant XL450 Gen9 Server - To be delivered - HPE Apollo 4200 Gen9 Server - To be delivered - HP ProLiant BL460c Gen9 Server Blade - To be delivered - HP ProLiant ML110 Gen9 Server - To be delivered - HP ProLiant ML150 Gen9 Server - To be delivered - HPE ProLiant ML350 Gen9 Server - To be delivered - HP ProLiant DL120 Gen9 Server - To be delivered - HPE ProLiant DL560 Gen9 Server - To be delivered - HP ProLiant BL660c Gen9 Server - To be delivered - HPE ProLiant ML30 Gen9 Server - To be delivered - HPE ProLiant XL170r Gen10 Server - To be delivered - HPE ProLiant DL20 Gen9 Server - To be delivered - HPE Synergy 660 Gen9 Compute Module - To be delivered - HPE Synergy 480 Gen9 Compute Module - To be delivered - HPE ProLiant XL250a Gen9 Server - To be delivered - HPE ProLiant XL190r Gen9 Server - To be delivered - HP ProLiant DL80 Gen9 Server - To be delivered - HPE ProLiant DL180 Gen9 Server - To be delivered - HPE ProLiant XL270d Gen9 Accelerator Tray 2U Configure-to-order Server - To be delivered - HPE ProLiant WS460c Gen9 Workstation - To be delivered - HPE ProLiant XL260a Gen9 Server - To be delivered - HPE Synergy 620 Gen9 Compute Module - To be delivered - HPE ProLiant DL580 Gen9 Server - To be delivered - HP ProLiant XL220a Gen8 v2 Server - To be delivered - HPE Synergy 680 Gen9 Compute Module - To be delivered - HPE ProLiant m510 Server Cartridge - To be delivered - HPE ProLiant m710p Server Cartridge - To be delivered - HPE ProLiant m710x Server Cartridge - To be delivered - HP ProLiant m710 Server Cartridge - To be delivered - HP ProLiant DL980 G7 Server - To be delivered - HPE Synergy Composer - To be delivered - HPE ProLiant Thin Micro TM200 Server - To be delivered - HPE ProLiant ML10 v2 Server - To be delivered - HPE ProLiant m350 Server Cartridge - To be delivered - HPE ProLiant m300 Server Cartridge - To be delivered - HPE ProLiant MicroServer Gen8 - To be delivered - HPE ProLiant ML310e Gen8 v2 Server - To be delivered - HPE Superdome Flex Server - To be delivered - HP 3PAR StoreServ File Controller - To be delivered - v3 impacted - HPE StoreVirtual 3000 File Controller - To be delivered - HPE StoreEasy 1450 Storage - To be delivered - HPE StoreEasy 1550 Storage - To be delivered - HPE StoreEasy 1650 Storage - To be delivered - HPE StoreEasy 3850 Gateway Storage - To be delivered - HPE StoreEasy 1850 Storage - To be delivered - HP ConvergedSystem 700 - To be delivered - HPE Converged Architecture 700 - To be delivered - HP ProLiant DL580 Gen8 Server - To be delivered - HPE Cloudline CL2100 Gen10 Server - To be delivered - HPE Cloudline CL2200 Gen10 Server - To be delivered - HPE Cloudline CL3150 G4 Server - To be delivered - HPE Cloudline CL5200 G3 Server - To be delivered - HPE Cloudline CL3100 G3 Server - To be delivered - HPE Cloudline CL2100 G3 807S 8 SFF Configure-to-order Server - To be delivered - HPE Cloudline CL2100 G3 407S 4 LFF Configure-to-order Server - To be delivered - HPE Cloudline CL2100 G3 806R 8SFF Configure-to-order Server - To be delivered - HPE Cloudline CL2200 G3 1211R 12 LFF Configure-to-order Server - To be delivered BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector CVE-2017-5715 8.2 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N 6.8 (AV:A/AC:L/Au:N/C:C/I:P/A:N) CVE-2017-5753 5.0 CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L 5.4 (AV:A/AC:M/Au:N/C:P/I:P/A:P) CVE-2017-5754 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N) Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499 RESOLUTION On January 11, Intel announced issues with an increased frequency of reboots when using the microcodes they released to address Variant 2 of the Spectre Vulnerability for numerous processors including Broadwell, Haswell, Skylake, Kaby Lake, Ivybridge, and Sandybridge processors. Intel has now identified the root cause of these issues and determined that these microcodes may introduce reboots and other unpredictable system behavior. Due to the severity of the potential issues that may occur when using these microcodes, Intel is now recommending that customers discontinue their use. Additional information is available from Intels Security Exploit Newsroom here: <https://newsroom.intel.com/press-kits/security-exploits-intel-products/> . HPE is in alignment with Intel in our recommendation that customers discontinue use of System ROMs including impacted microcodes and revert to earlier System ROM versions. All System ROMs including impacted microcodes have been removed from the HPE Support Site. This impacts HPE ProLiant and Synergy Gen10, Gen9, and Gen8 v2 servers as well as HPE Superdome servers for which updated System ROMs had previously been made available. Intel is working on updated microcodes to address these issues, and HPE will validate updated System ROMs including these microcodes and make them available to our customers in the coming weeks. Mitigations for Variant 1 (Spectre) and Variant 3 (Meltdown) vulnerabilities require only OS updates and are not impacted. * HPE has provided a customer bulletin <https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039267en_us> with specific instructions to obtain the udpated sytem ROM - Note: + CVE-2017-5715 (Variant 2) requires that the System ROM be updated and a vendor supplied operating system update be applied as well. + For CVE-2017-5753, CVE-2017-5754 (Variants 1 and 3) require only updates of a vendor supplied operating system. + HPE will continue to add additional products to the list. HISTORY Version:1 (rev.1) - 4 January 2018 Initial release Version:2 (rev.2) - 5 January 2018 Added additional impacted products Version:3 (rev.3) - 10 January 2018 Added more impacted products Version:4 (rev.4) - 9 January 2018 Fixed product ID Version:5 (rev.5) - 18 January 2018 Added additional impacted products Version:6 (rev.6) - 19 January 2018 updated impacted product list Version:7 (rev.7) - 23 January 2018 Marked impacted products with TBD for System ROM updates per Intel's guidance on microcode issues Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com. Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX Copyright 2016 Hewlett Packard Enterprise Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2018-1-8-2 macOS High Sierra 10.13.2 Supplemental Update macOS High Sierra 10.13.2 Supplemental Update is now available and addresses the following: Available for: macOS High Sierra 10.13.2 Description: macOS High Sierra 10.13.2 Supplemental Update includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715). We would like to acknowledge Jann Horn of Google Project Zero; and Paul Kocher in collaboration with Daniel Genkin of University of Pennsylvania and University of Maryland, Daniel Gruss of Graz University of Technology, Werner Haas of Cyberus Technology, Mike Hamburg of Rambus (Cryptography Research Division), Moritz Lipp of Graz University of Technology, Stefan Mangard of Graz University of Technology, Thomas Prescher of Cyberus Technology, Michael Schwarz of Graz University of Technology, and Yuval Yarom of University of Adelaide and Data61 for their assistance. Installation note: macOS High Sierra 10.13.2 Supplemental Update may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQJdBAEBCgBHFiEEcuX4rtoRe4X62yWlg6PvjDRstEYFAlpTsDUpHHByb2R1Y3Qt c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQg6PvjDRstEZMSg// WW0oSMlU0KgLL1Fe6z2fCSXF06I/QMdUTFV3tt7Rwb49BfnhLstNb0hE/XRcX/fy IMTurdMlRwOqamrOC7LdSiBvCCeJqyfudEq52uqbFpYDLDK6D/RxUKagTJip+M5P 3KCrTt8qpFA2Ip8KzEmBeS3Of9GnNoGdfI7ir38dFrqCADuWYtd6bVxurcM/Uhs0 yjH38JPGyvRXvxM9Qy5wAezQM9oFN1Jlly79n+RX1d9vDpjfExhUV7n1JS9zTOXw Dy+bjYsXcrlzrmcSlHaRa4E4FTPVYWyLSZmEokoQmTbsIABHiPSc9s92CEEzd2LQ FiOyHgT+QWA3zyySjQ+InhSf17QRpUUIYkgTsZJhbcdLSHXW/2etHq6vh5z5wD92 +HfmKYGozUk6QH7TEApYmS71lKaAFRQscP7D0EGhi81YIlu6shqxZr/HnK2Q1FXJ I7yWXtsZq7BSvYu31uSc/YAr76VBgplETE0hnsPZRdRNiaJyNg6ForfDA7kn7t8W GIdJvjkZzG55fUpW1b/GqPxv8wSb/DDzlrJjb7yAffDyCRr4KGVT0lk2f1aBVYSY NVxrdDtGOEWfd/P+6bU0s5v09mFefCbhIqGTFrqEjrDifYz7nW6BhoBAK+I0cyQf U1316sNsG/gmTuOx7wO6sqyOkYyPGZzDI882U8un+n8= =r0HS -----END PGP SIGNATURE----- . Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: linux-image-3.13.0-141-generic 3.13.0-141.190 linux-image-3.13.0-141-lowlatency 3.13.0-141.190 linux-image-generic 3.13.0.141.151 linux-image-lowlatency 3.13.0.141.151 Please note that fully mitigating CVE-2017-5715 (Spectre Variant 2) requires corresponding processor microcode/firmware updates or, in virtual environments, hypervisor updates. On i386 and amd64 architectures, the IBRS and IBPB features are required to enable the kernel mitigations. Ubuntu is working with Intel and AMD to provide future microcode updates that implement IBRS and IBPB as they are made available. Ubuntu users with a processor from a different vendor should contact the vendor to identify necessary firmware updates. Ubuntu will provide corresponding QEMU updates in the future for users of self-hosted virtual environments in coordination with upstream QEMU. Ubuntu users in cloud environments should contact the cloud provider to confirm that the hypervisor has been updated to expose the new CPU features to virtual machines. The vulnerability could be exploited to Local Disclosure of Information. References: - CVE-2017-5753 - CVE-2017-5715 - CVE-2017-5754 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. - HP Virtualization Performance Viewer Software - v2.20, v3.0, v3.01, v3.02, v3.03 - HPE Cloud Optimizer - v2.20, v3.0, v3.01, v3.02, v3.03 BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector RESOLUTION Micro Focus is actively working with its vendors to address any systems-level Spectre and Meltdown impacts.However, if you have immediate concerns or questions regarding CentOS and its approach to Spectre or Meltdown, please contact them directly. Please note that you will need to sign in using a Passport account. 3P = 3rd Party Software GN = Micro Focus General Software MU = Multi-Platform Software System management and security procedures must be reviewed frequently to maintain system integrity. Micro Focus is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "Micro Focus is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected Micro Focus products the important security information contained in this Bulletin. Micro Focus recommends that all users determine the applicability of this information to their individual situations and take appropriate action. Micro Focus does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, Micro Focus will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, Micro Focus disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2017 EntIT Software LLC Micro Focus shall not be liable for technical or editorial errors or omissions contained herein

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. CPU hardware utilizing speculative execution may be vulnerable to cache timing side-channel analysis. Two vulnerabilities are identified, known as "Variant 3a" and "Variant 4". CPUhardware is a set of firmware that runs in the CPU (Central Processing Unit) for managing and controlling the CPU. The Meltdown vulnerability exists in the CPU processor core, which \"melts\" the security boundary implemented by hardware, allowing low-privileged user-level applications to \"cross-border\" access to system-level memory, causing data leakage. The following products and versions are affected: ARM Cortex-R7; Cortex-R8; Cortex-A8; Cortex-A9; Cortex-A12; Intel Xeon CPU E5-1650 v3, v2, v4 versions; Xeon E3-1265l v2, v3, v4 Version; Xeon E3-1245 v2, v3, v5, v6 versions; Xeon X7542, etc. Summary VMware vSphere, Workstation and Fusion updates add Hypervisor- Assisted Guest remediation for speculative execution issue. Notes: Hypervisor remediation can be classified into the two following categories: - Hypervisor-Specific Remediation (documented in VMSA-2018-0002) - Hypervisor-Assisted Guest Remediation (documented in this advisory) The ESXi patches and new versions of Workstation and Fusion of this advisory include the Hypervisor-Specific Remediation documented in VMware Security Advisory VMSA-2018-0002. More information on the types of Hypervisor remediation may be found in VMware Knowledge Base article 52245. Relevant Products VMware vCenter Server (VC) VMware ESXi (ESXi) VMware Workstation Pro / Player (Workstation) VMware Fusion Pro / Fusion (Fusion) 3. Problem Description New speculative-execution control mechanism for Virtual Machines Updates of vCenter Server, ESXi, Workstation and Fusion virtualize the new speculative-execution control mechanism for Virtual Machines (VMs). As a result, a patched Guest Operating System (Guest OS) can remediate the Branch Target Injection issue (CVE-2017-5715). This issue may allow for information disclosure between processes within the VM. To remediate CVE-2017-5715 in the Guest OS the following VMware and third party requirements must be met: VMware Requirements ------------------- - Deploy the updated version of vCenter Server listed in the table (if vCenter Server is used). - Deploy the ESXi patches and/or the new versions for Workstation or Fusion listed in the table. - Ensure that your VMs are using Hardware Version 9 or higher. For best performance, Hardware Version 11 or higher is recommended. VMware Knowledge Base article 1010675 discusses Hardware Versions. Third party Requirements ------------------------ - Deploy the Guest OS patches for CVE-2017-5715. These patches are to be obtained from your OS vendor. - Update the CPU microcode. Additional microcode is needed for your CPU to be able to expose the new MSRs that are used by the patched Guest OS. This microcode should be available from your hardware platform vendor. VMware is providing several versions of the required microcode from INTEL and AMD through ESXi patches listed in the table. See VMware Knowledge Base 52085 for more details. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Mitigation Product Version on Severity Apply patch Workaround =========== ======= ======= ======== ============= ========== VC 6.5 Any Important 6.5 U1e * None VC 6.0 Any Important 6.0 U3d * None VC 5.5 Any Important 5.5 U3g * None ESXi 6.5 Any Important ESXi650-201801401-BG None ESXi650-201801402-BG ** ESXi 6.0 Any Important ESXi600-201801401-BG None ESXi600-201801402-BG ** ESXi 5.5 Any Important ESXi550-201801401-BG ** None Workstation 14.x Any Important 14.1.1 None Workstation 12.x Any Important 12.5.9 None Fusion 10.x OS X Important 10.1.1 None Fusion 8.x OS X Important 8.5.10 None * The new versions of vCenter Server set restrictions on ESXi hosts joining an Enhanced vMotion Cluster, see VMware Knowledge Base article 52085 for details. ** These ESXi patches install the microcodes if present for your CPU, see VMware Knowledge Base article 52085. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Server 6.5 U1e Downloads and Documentation: https://my.vmware.com/web/vmware/details?productId=614&rPId=20950 &downloadGroup=VC65U1E vCenter Server 6.0 U3d Downloads and Documentation: https://my.vmware.com/web/vmware/details?downloadGroup=VC60U3D &productId=491&rPId=20946 vCenter Server 5.5 U3g Downloads and Documentation: https://my.vmware.com/web/vmware/details?downloadGroup=VC55U3G &productId=353&rPId=20876 VMware ESXi 6.5 Downloads: https://my.vmware.com/group/vmware/patch Documentation: http://kb.vmware.com/kb/52198 http://kb.vmware.com/kb/52199 VMware ESXi 6.0 Downloads: https://my.vmware.com/group/vmware/patch Documentation: http://kb.vmware.com/kb/52205 http://kb.vmware.com/kb/52206 VMware ESXi 5.5 Downloads: https://my.vmware.com/group/vmware/patch Documentation: http://kb.vmware.com/kb/52127 VMware Workstation Pro, Player 14.1.1 Downloads and Documentation: https://www.vmware.com/go/downloadworkstation https://www.vmware.com/go/downloadplayer https://www.vmware.com/support/pubs/ws_pubs.html VMware Workstation Pro, Player 12.5.9 Downloads and Documentation: https://my.vmware.com/web/vmware/info/slug/desktop_ end_user_computing/vmware_workstation_pro/12_0 https://my.vmware.com/en/web/vmware/free#desktop_end _user_computing/vmware_workstation_player/12_0 https://www.vmware.com/support/pubs/ws_pubs.html VMware Fusion Pro / Fusion 8.5.10, 10.1.1 Downloads and Documentation: https://www.vmware.com/go/downloadfusion https://www.vmware.com/support/pubs/fusion_pubs.html 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 VMware Knowledge Base Article 52085 https://kb.vmware.com/s/article/52085 VMware Knowledge Base Article 1010675 https://kb.vmware.com/s/article/1010675 VMware Knowledge Base article 52245 https://kb.vmware.com/s/article/52245 - - --------------------------------------------------------------------- 6. Change log 2018-01-09 VMSA-2018-0004 Initial security advisory in conjunction with the release of VMware vCenter Server 5.5 U3g, 6.0 U3d and 6.5 U1e, ESXi 5.5, 6.0, and 6.5 patches, Workstation 14.1.1, and Fusion 10.1.1 and 8.5.10 on 2018-01-09. 2018-01-10 VMSA-2018-0004.1 Updated security advisory to add Workstation 12.x version i.e. 12.5.9 which addresses CVE-2017-5715. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce@lists.vmware.com bugtraq@securityfocus.com fulldisclosure@seclists.org E-mail: security@vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html VMware Security & Compliance Blog https://blogs.vmware.com/security Twitter https://twitter.com/VMwareSRC Copyright 2018 VMware Inc. All rights reserved. 7.2) - noarch 3. Description: The linux-firmware packages contain all of the firmware files that are required by various devices to operate. Relevant releases/architectures: Management Agent for RHEL 7 Hosts - ppc64le, x86_64 3. Issue date: 2018-01-03 Updated on: 2018-01-09 CVE number: CVE-2017-5753, CVE-2017-5715 1. Problem Description Bounds Check bypass and Branch Target Injection issues CPU data cache timing can be abused to efficiently leak information out of mis-speculated CPU execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. (Speculative execution is an automatic and inherent CPU performance optimization used in all modern processors.) ESXi, Workstation and Fusion are vulnerable to Bounds Check Bypass and Branch Target Injection issues resulting from this vulnerability. Result of exploitation may allow for information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host. The remediation listed in the table below is for the known variants of the Bounds Check Bypass and Branch Target Injection issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-5753 (Bounds Check bypass) and CVE-2017-5715 (Branch Target Injection) to these issues. ========================================================================== Ubuntu Security Notice USN-3540-1 January 23, 2018 linux, linux-aws, linux-euclid vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS Summary: Several security issues were addressed in the Linux kernel. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory. This update provides mitigations for the i386 (CVE-2017-5753 only), amd64, ppc64el, and s390x architectures. (CVE-2017-5715, CVE-2017-5753) USN-3522-1 mitigated CVE-2017-5754 (Meltdown) for the amd64 architecture in Ubuntu 16.04 LTS. This update provides the corresponding mitigations for the ppc64el architecture. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2017-5754) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: linux-image-4.4.0-1049-aws 4.4.0-1049.58 linux-image-4.4.0-112-generic 4.4.0-112.135 linux-image-4.4.0-112-generic-lpae 4.4.0-112.135 linux-image-4.4.0-112-lowlatency 4.4.0-112.135 linux-image-4.4.0-112-powerpc-e500mc 4.4.0-112.135 linux-image-4.4.0-112-powerpc-smp 4.4.0-112.135 linux-image-4.4.0-112-powerpc64-emb 4.4.0-112.135 linux-image-4.4.0-112-powerpc64-smp 4.4.0-112.135 linux-image-4.4.0-9023-euclid 4.4.0-9023.24 linux-image-aws 4.4.0.1049.51 linux-image-euclid 4.4.0.9023.24 linux-image-generic 4.4.0.112.118 linux-image-generic-lpae 4.4.0.112.118 linux-image-lowlatency 4.4.0.112.118 linux-image-powerpc-e500mc 4.4.0.112.118 linux-image-powerpc-smp 4.4.0.112.118 linux-image-powerpc64-emb 4.4.0.112.118 linux-image-powerpc64-smp 4.4.0.112.118 Please note that fully mitigating CVE-2017-5715 (Spectre Variant 2) requires corresponding processor microcode/firmware updates or, in virtual environments, hypervisor updates. On i386 and amd64 architectures, the IBRS and IBPB features are required to enable the kernel mitigations. Ubuntu users with a processor from a different vendor should contact the vendor to identify necessary firmware updates. Ubuntu will provide corresponding QEMU updates in the future for users of self-hosted virtual environments in coordination with upstream QEMU. Ubuntu users in cloud environments should contact the cloud provider to confirm that the hypervisor has been updated to expose the new CPU features to virtual machines. Description: The VDSM service is required by a Virtualization Manager to manage the Linux hosts. VDSM manages and monitors the host's storage, memory and networks as well as virtual machine creation, other host administration tasks, statistics gathering, and log collection. X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Thu, 04 Jan 2018 18:33:21 +0000 (UTC) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: libvirt security update Advisory ID: RHSA-2018:0030-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2018:0030 Issue date: 2018-01-04 ===================================================================== 1. Summary: An update for libvirt is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - x86_64 3. Description: The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix(es): * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks. (CVE-2017-5715) Note: This is the libvirt side of the CVE-2017-5715 mitigation. Red Hat would like to thank Google Project Zero for reporting this issue. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the updated packages, libvirtd will be restarted automatically. 5. Bugs fixed (https://bugzilla.redhat.com/): 1519780 - CVE-2017-5715 hw: cpu: speculative execution branch target injection 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: libvirt-0.10.2-62.el6_9.1.src.rpm i386: libvirt-0.10.2-62.el6_9.1.i686.rpm libvirt-client-0.10.2-62.el6_9.1.i686.rpm libvirt-debuginfo-0.10.2-62.el6_9.1.i686.rpm libvirt-python-0.10.2-62.el6_9.1.i686.rpm x86_64: libvirt-0.10.2-62.el6_9.1.x86_64.rpm libvirt-client-0.10.2-62.el6_9.1.i686.rpm libvirt-client-0.10.2-62.el6_9.1.x86_64.rpm libvirt-debuginfo-0.10.2-62.el6_9.1.i686.rpm libvirt-debuginfo-0.10.2-62.el6_9.1.x86_64.rpm libvirt-python-0.10.2-62.el6_9.1.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: libvirt-debuginfo-0.10.2-62.el6_9.1.i686.rpm libvirt-devel-0.10.2-62.el6_9.1.i686.rpm x86_64: libvirt-debuginfo-0.10.2-62.el6_9.1.i686.rpm libvirt-debuginfo-0.10.2-62.el6_9.1.x86_64.rpm libvirt-devel-0.10.2-62.el6_9.1.i686.rpm libvirt-devel-0.10.2-62.el6_9.1.x86_64.rpm libvirt-lock-sanlock-0.10.2-62.el6_9.1.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: libvirt-0.10.2-62.el6_9.1.src.rpm x86_64: libvirt-0.10.2-62.el6_9.1.x86_64.rpm libvirt-client-0.10.2-62.el6_9.1.i686.rpm libvirt-client-0.10.2-62.el6_9.1.x86_64.rpm libvirt-debuginfo-0.10.2-62.el6_9.1.i686.rpm libvirt-debuginfo-0.10.2-62.el6_9.1.x86_64.rpm libvirt-python-0.10.2-62.el6_9.1.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): x86_64: libvirt-debuginfo-0.10.2-62.el6_9.1.i686.rpm libvirt-debuginfo-0.10.2-62.el6_9.1.x86_64.rpm libvirt-devel-0.10.2-62.el6_9.1.i686.rpm libvirt-devel-0.10.2-62.el6_9.1.x86_64.rpm libvirt-lock-sanlock-0.10.2-62.el6_9.1.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: libvirt-0.10.2-62.el6_9.1.src.rpm i386: libvirt-0.10.2-62.el6_9.1.i686.rpm libvirt-client-0.10.2-62.el6_9.1.i686.rpm libvirt-debuginfo-0.10.2-62.el6_9.1.i686.rpm libvirt-devel-0.10.2-62.el6_9.1.i686.rpm libvirt-python-0.10.2-62.el6_9.1.i686.rpm ppc64: libvirt-0.10.2-62.el6_9.1.ppc64.rpm libvirt-client-0.10.2-62.el6_9.1.ppc.rpm libvirt-client-0.10.2-62.el6_9.1.ppc64.rpm libvirt-debuginfo-0.10.2-62.el6_9.1.ppc.rpm libvirt-debuginfo-0.10.2-62.el6_9.1.ppc64.rpm libvirt-devel-0.10.2-62.el6_9.1.ppc.rpm libvirt-devel-0.10.2-62.el6_9.1.ppc64.rpm libvirt-python-0.10.2-62.el6_9.1.ppc64.rpm s390x: libvirt-0.10.2-62.el6_9.1.s390x.rpm libvirt-client-0.10.2-62.el6_9.1.s390.rpm libvirt-client-0.10.2-62.el6_9.1.s390x.rpm libvirt-debuginfo-0.10.2-62.el6_9.1.s390.rpm libvirt-debuginfo-0.10.2-62.el6_9.1.s390x.rpm libvirt-devel-0.10.2-62.el6_9.1.s390.rpm libvirt-devel-0.10.2-62.el6_9.1.s390x.rpm libvirt-python-0.10.2-62.el6_9.1.s390x.rpm x86_64: libvirt-0.10.2-62.el6_9.1.x86_64.rpm libvirt-client-0.10.2-62.el6_9.1.i686.rpm libvirt-client-0.10.2-62.el6_9.1.x86_64.rpm libvirt-debuginfo-0.10.2-62.el6_9.1.i686.rpm libvirt-debuginfo-0.10.2-62.el6_9.1.x86_64.rpm libvirt-devel-0.10.2-62.el6_9.1.i686.rpm libvirt-devel-0.10.2-62.el6_9.1.x86_64.rpm libvirt-python-0.10.2-62.el6_9.1.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): x86_64: libvirt-debuginfo-0.10.2-62.el6_9.1.x86_64.rpm libvirt-lock-sanlock-0.10.2-62.el6_9.1.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: libvirt-0.10.2-62.el6_9.1.src.rpm i386: libvirt-0.10.2-62.el6_9.1.i686.rpm libvirt-client-0.10.2-62.el6_9.1.i686.rpm libvirt-debuginfo-0.10.2-62.el6_9.1.i686.rpm libvirt-devel-0.10.2-62.el6_9.1.i686.rpm libvirt-python-0.10.2-62.el6_9.1.i686.rpm x86_64: libvirt-0.10.2-62.el6_9.1.x86_64.rpm libvirt-client-0.10.2-62.el6_9.1.i686.rpm libvirt-client-0.10.2-62.el6_9.1.x86_64.rpm libvirt-debuginfo-0.10.2-62.el6_9.1.i686.rpm libvirt-debuginfo-0.10.2-62.el6_9.1.x86_64.rpm libvirt-devel-0.10.2-62.el6_9.1.i686.rpm libvirt-devel-0.10.2-62.el6_9.1.x86_64.rpm libvirt-python-0.10.2-62.el6_9.1.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): x86_64: libvirt-debuginfo-0.10.2-62.el6_9.1.x86_64.rpm libvirt-lock-sanlock-0.10.2-62.el6_9.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/vulnerabilities/speculativeexecution https://access.redhat.com/security/cve/CVE-2017-5715 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFaTnLjXlSAg2UNWIIRAqs1AKCpXcWqqiQyb39EK0GOMogSwsTEcgCeKqbW Ab/658VXT7Z12L6emcI3jyw= =51wc -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Description: Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Once all virtual machines have shut down, start them again for this update to take effect

A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature (JWS) standard for JSON Web Tokens (JWTs). This standard specifies that a JSON Web Key (JWK) representing a public key can be embedded within the header of a JWS. This public key is then trusted for verification. An attacker could exploit this by forging valid JWS objects by removing the original signature, adding a new public key to the header, and then signing the object using the (attacker-owned) private key associated with the public key embedded in that JWS header. Cisco Node-jose Library is prone to a remote security-bypass vulnerability. Attackers can exploit this issue to bypass certain security restrictions to gain unauthorized access. This may aid in further attacks

A vulnerability in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files could allow a remote attacker to execute arbitrary code on the system of a targeted user. The attacker could exploit this vulnerability by sending the user a link or email attachment with a malicious ARF file and persuading the user to follow the link or launch the file. Successful exploitation could allow the attacker to execute arbitrary code on the user's system. This vulnerability affects Cisco WebEx Business Suite meeting sites, Cisco WebEx Meetings sites, Cisco WebEx Meetings Server, and Cisco WebEx ARF players. Cisco Bug IDs: CSCvg78853, CSCvg78856, CSCvg78857. Vendors have confirmed this vulnerability Bug ID CSCvg78853 , CSCvg78856 ,and CSCvg78857 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. While opening an ARF file, WebEx Network Recording Player loads a DLL from an unqualified path

IBM WebSphere MQ 7.0, 7.1, 7.5, 8.0, and 9.0 service trace module could be used to execute untrusted code under 'mqm' user. IBM X-Force ID: 132953. Vendors have confirmed this vulnerability IBM X-Force ID: 132953 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. IBM WebSphere MQ is prone to a local privilege-escalation vulnerability. Successfully exploiting this issue may allow an attacker to execute arbitrary code with elevated privileges

EmbedThis GoAhead Webserver version 4.0.0 is vulnerable to a NULL pointer dereference in the CGI handler resulting in memory corruption or denial of service. Embedthis Goahead Webserver is a small and exquisite embedded Web server of American Embedthis Software Company, which supports embedding in various devices and applications. CGI handler is one of the CGI handlers

A Buffer Overflow vulnerability in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files could allow a local attacker to execute arbitrary code on the system of a user. The attacker could exploit this vulnerability by sending the user a link or email attachment with a malicious ARF file and persuading the user to follow the link or launch the file. Successful exploitation could allow the attacker to execute arbitrary code on the user's system. This vulnerability affects Cisco WebEx Business Suite meeting sites, Cisco WebEx Meetings sites, Cisco WebEx Meetings Server, and Cisco WebEx ARF players. Cisco Bug IDs: CSCvg78835, CSCvg78837, CSCvg78839. Vendors have confirmed this vulnerability Bug ID CSCvg78835 , CSCvg78837 ,and CSCvg78839 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Crafted data in an ARF file can trigger an overflow of a heap-based buffer. Attackers can exploit this issue to cause a denial-of-service condition. WebEx ARF player is one of the media players mainly used to play WebEx recording files in ARF format

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache. Two vulnerabilities are identified, known as "Variant 3a" and "Variant 4". CPUhardware is a set of firmware that runs in the CPU (Central Processing Unit) for managing and controlling the CPU. The Spectre vulnerability exists in the CPU processor core. Because Intel does not separate low-privileged applications from accessing kernel memory, an attacker can use a malicious application to obtain private data that should be quarantined. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks. Intel and ARM CPU chips have an information disclosure vulnerability, which originates from a flaw in the processor data boundary mechanism. The following products and versions are affected: ARM Cortex-A75; Intel Xeon E5-1650 v3, v2, v4; Xeon E3-1265l v2, v3, v4; Xeon E3-1245 v2, v3, v5, v6; Xeon X7542 wait. Relevant releases/architectures: Image Updates for RHV-H - noarch 3. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. Unfortunately, that update introduced a regression where a few systems failed to boot successfully. This update fixes the problem. We apologize for the inconvenience. X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Wed, 07 Mar 2018 15:25:00 +0000 (UTC) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: kernel security and bug fix update Advisory ID: RHSA-2018:0464-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2018:0464 Issue date: 2018-03-07 ===================================================================== 1. Summary: An update for kernel is now available for Red Hat Enterprise Linux 5.9 Long Life. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Relevant releases/architectures: Red Hat Enterprise Linux Long Life (v. 5.9 server) - i386, ia64, noarch, x86_64 3. Security Fix(es): An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Note: This issue is present in hardware and cannot be fully fixed via software update. The updated kernel packages provide software mitigation for this hardware issue at a cost of potential performance penalty. * Variant CVE-2017-5753 triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks. (CVE-2017-5753, Important) * Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. (CVE-2017-5754, Important) Red Hat would like to thank Google Project Zero for reporting these issues. Bug Fix(es): * Previously, the page table isolation feature was able to modify the kernel Page Global Directory (PGD) entries with the _NX bit even for CPUs without the capability to use the "no execute" (NX) bit technology. Consequently, the page tables got corrupted, and the kernel panicked at the first page-fault occurrence. This update adds the check of CPU capabilities before modifying kernel PGD entries with _NX. As a result, the operating system no longer panics on boot due to corrupted page tables under the described circumstances. (BZ#1538169) * When booting the operating system with the Kernel Page Table Isolation option enabled, the HPET VSYSCALL shadow mapping was not placed correctly. Consequently, the High Precision Event Timer (HPET) feature was not available early enough, and warnings on boot time occurred. This update fixes the placement of HPET VSYSCALL, and the warnings on boot time due to this behavior no longer occur. (BZ#1541281) * Previously, the routine preparing the kexec crashkernel area did not properly clear the page allocated to be kexec's Page Global Directory (PGD). Consequently, the page table isolation shadow mapping routines failed with a warning message when setting up page table entries. With this update, the underlying source code has been fixed to clear the kexec PGD allocated page before setting up its page table entries. As a result, warnings are no longer issued when setting up kexec. (BZ#1541285) * When changing a kernel page mapping from Read Only (RO) to Read Write (RW), the Translation Lookaside Buffer (TLB) entry was previously not updated. Consequently, a protection fault on a write operation occurred, which led to a kernel panic. With this update, the underlying source code has been fixed to handle such kind of fault properly, and the kernel no longer panics in the described situation. (BZ#1541892) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 The system must be rebooted for this update to take effect. Bugs fixed (https://bugzilla.redhat.com/): 1519778 - CVE-2017-5753 hw: cpu: speculative execution bounds-check bypass 1519781 - CVE-2017-5754 hw: cpu: speculative execution permission faults handling 6. Package List: Red Hat Enterprise Linux Long Life (v. 5.9 server): Source: kernel-2.6.18-348.35.1.el5.src.rpm i386: kernel-2.6.18-348.35.1.el5.i686.rpm kernel-PAE-2.6.18-348.35.1.el5.i686.rpm kernel-PAE-debuginfo-2.6.18-348.35.1.el5.i686.rpm kernel-PAE-devel-2.6.18-348.35.1.el5.i686.rpm kernel-debug-2.6.18-348.35.1.el5.i686.rpm kernel-debug-debuginfo-2.6.18-348.35.1.el5.i686.rpm kernel-debug-devel-2.6.18-348.35.1.el5.i686.rpm kernel-debuginfo-2.6.18-348.35.1.el5.i686.rpm kernel-debuginfo-common-2.6.18-348.35.1.el5.i686.rpm kernel-devel-2.6.18-348.35.1.el5.i686.rpm kernel-headers-2.6.18-348.35.1.el5.i386.rpm kernel-xen-2.6.18-348.35.1.el5.i686.rpm kernel-xen-debuginfo-2.6.18-348.35.1.el5.i686.rpm kernel-xen-devel-2.6.18-348.35.1.el5.i686.rpm ia64: kernel-2.6.18-348.35.1.el5.ia64.rpm kernel-debug-2.6.18-348.35.1.el5.ia64.rpm kernel-debug-debuginfo-2.6.18-348.35.1.el5.ia64.rpm kernel-debug-devel-2.6.18-348.35.1.el5.ia64.rpm kernel-debuginfo-2.6.18-348.35.1.el5.ia64.rpm kernel-debuginfo-common-2.6.18-348.35.1.el5.ia64.rpm kernel-devel-2.6.18-348.35.1.el5.ia64.rpm kernel-headers-2.6.18-348.35.1.el5.ia64.rpm kernel-xen-2.6.18-348.35.1.el5.ia64.rpm kernel-xen-debuginfo-2.6.18-348.35.1.el5.ia64.rpm kernel-xen-devel-2.6.18-348.35.1.el5.ia64.rpm noarch: kernel-doc-2.6.18-348.35.1.el5.noarch.rpm x86_64: kernel-2.6.18-348.35.1.el5.x86_64.rpm kernel-debug-2.6.18-348.35.1.el5.x86_64.rpm kernel-debug-debuginfo-2.6.18-348.35.1.el5.x86_64.rpm kernel-debug-devel-2.6.18-348.35.1.el5.x86_64.rpm kernel-debuginfo-2.6.18-348.35.1.el5.x86_64.rpm kernel-debuginfo-common-2.6.18-348.35.1.el5.x86_64.rpm kernel-devel-2.6.18-348.35.1.el5.x86_64.rpm kernel-headers-2.6.18-348.35.1.el5.x86_64.rpm kernel-xen-2.6.18-348.35.1.el5.x86_64.rpm kernel-xen-debuginfo-2.6.18-348.35.1.el5.x86_64.rpm kernel-xen-devel-2.6.18-348.35.1.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03805en_us SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: hpesbhf03805en_us Version: 4 HPESBHF03805 rev.4 - Certain HPE products using Microprocessors from Intel, AMD, and ARM, with Speculative Execution, Elevation of Privilege and Information Disclosure. NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2018-01-10 Last Updated: 2018-01-09 Potential Security Impact: Local: Disclosure of Information, Elevation of Privilege Source: Hewlett Packard Enterprise, Product Security Response Team VULNERABILITY SUMMARY On January 3 2018, side-channel security vulnerabilities involving speculative execution were publicly disclosed. These vulnerabilities may impact the listed HPE products, potentially leading to information disclosure and elevation of privilege. Mitigation and resolution of these vulnerabilities may call for both an operating system update, provided by the OS vendor, and a system ROM update from HPE. **Note:** * This issue takes advantage of techniques commonly used in many modern processor architectures. * For further information, microprocessor vendors have provided security advisories: - Intel: <https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00088&langu geid=en-fr> - AMD: <http://www.amd.com/en/corporate/speculative-execution> - ARM: <https://developer.arm.com/support/security-update> References: - PSRT110634 - PSRT110633 - PSRT110632 - CVE-2017-5715 - aka Spectre, branch target injection - CVE-2017-5753 - aka Spectre, bounds check bypass - CVE-2017-5754 - aka Meltdown, rogue data cache load, memory access permission check performed after kernel memory read SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. - HPE ProLiant DL380 Gen10 Server prior to v1.28 - HPE ProLiant DL180 Gen10 Server prior to v1.28 - HPE ProLiant DL160 Gen10 Server prior to v1.28 - HPE ProLiant DL360 Gen10 Server prior to v1.28 - HPE ProLiant ML110 Gen10 Server prior to v1.28 - HPE ProLiant DL580 Gen10 Server prior to v1.28 - HPE ProLiant DL560 Gen10 Server prior to v1.28 - HPE ProLiant DL120 Gen10 Server prior to v1.28 - HPE ProLiant ML350 Gen10 Server prior to v1.28 - HPE ProLiant XL450 Gen10 Server prior to v1.28 - HPE ProLiant XL170r Gen10 Server prior to v1.28 - HPE ProLiant BL460c Gen10 Server Blade prior to v1.28 - HPE ProLiant XL230a Gen9 Server prior to v2.54 - HPE ProLiant XL230k Gen10 Server prior to v1.28 - HPE ProLiant XL730f Gen9 Server prior to v2.54 - HPE ProLiant XL740f Gen9 Server prior to v2.54 - HPE ProLiant XL750f Gen9 Server prior to v2.54 - HPE ProLiant XL170r Gen9 Server prior to v2.54 - HP ProLiant DL60 Gen9 Server prior to v2.54 - HPE ProLiant XL450 Gen9 Server prior to v2.54 - HP ProLiant DL160 Gen9 Server prior to v2.54 - HPE Apollo 4200 Gen9 Server prior to v2.54 - HP ProLiant BL460c Gen9 Server Blade prior to v2.54 - HP ProLiant ML110 Gen9 Server prior to v2.54 - HP ProLiant ML150 Gen9 Server prior to v2.54 - HPE ProLiant ML350 Gen9 Server prior to v2.54 - HP ProLiant DL380 Gen9 Server prior to v2.54 - HP ProLiant DL120 Gen9 Server prior to v2.54 - HPE ProLiant DL560 Gen9 Server prior to v2.54 - HPE ProLiant XL270d Gen9 Special Server prior to v2.54 - HP ProLiant BL660c Gen9 Server prior to v2.54 - HPE ProLiant m710x Server Cartridge prior to v1.60 - HPE ProLiant DL20 Gen9 Server prior to v2.52 - HPE ProLiant DL385 Gen10 Server prior to v1.04 - HPE Synergy 660 Gen9 Compute Module prior to v2.54 - HPE Synergy 480 Gen10 Compute Module prior to v1.28 - HPE Synergy 480 Gen9 Compute Module prior to v2.54 - HPE ProLiant ML30 Gen9 Server prior to v2.52 - HPE ProLiant XL190r Gen10 Server prior to v1.28 - HPE ProLiant XL250a Gen9 Server prior to v2.54 - HPE ProLiant XL190r Gen9 Server prior to v2.54 - HP ProLiant DL80 Gen9 Server prior to v2.54 - HPE ProLiant DL180 Gen9 Server prior to v2.54 - HPE ProLiant XL270d Gen9 Accelerator Tray 2U Configure-to-order Server prior to v2.54 - HPE ProLiant WS460c Gen9 Workstation prior to v2.54 - HPE ProLiant DL580 Gen9 Special Server prior to v2.54 - HPE Synergy 680 Gen9 Compute Modules prior to v2.54 - HPE ProLiant XL260a Gen9 Server prior to 1/22/2018 - HPE ProLiant m510 Server Cartridge prior to 1/22/2018 - HPE ProLiant m710p Server Cartridge prior to 12/12/2017 - HP ProLiant m350 Server Cartridge prior to 12/12/2017 - HP ProLiant m300 Server Cartridge prior to 12/12/2017 - HP ProLiant ML350e Gen8 Server prior to 12/12/2017 - HPE ProLiant ML350e Gen8 v2 Server prior to 12/12/2017 - HP ProLiant BL460c Gen8 Server prior to 12/12/2017 - HP ProLiant BL660c Gen8 Server prior to 12/12/2017 - HPE ProLiant SL4540 Gen8 1 Node Server prior to 12/12/2017 - HP ProLiant DL380e Gen8 Server prior to 12/12/2017 - HP ProLiant DL360e Gen8 Server prior to 12/12/2017 - HP ProLiant ML350p Gen8 Server prior to 12/12/2017 - HP ProLiant DL360p Gen8 Server prior to 12/12/2017 - HP ProLiant DL380p Gen8 Server prior to 12/12/2017 - HP ProLiant DL320e Gen8 Server prior to 12/12/2017 - HPE ProLiant DL320e Gen8 v2 Server prior to 12/12/2017 - HP ProLiant ML310e Gen8 Server prior to 12/12/2017 - HPE ProLiant ML310e Gen8 v2 Server prior to 12/12/2017 - HP ProLiant DL160 Gen8 Server prior to 12/12/2017 - HP ProLiant SL270s Gen8 Server prior to 12/12/2017 - HP ProLiant SL250s Gen8 Server prior to 12/12/2017 - HP ProLiant SL230s Gen8 Server prior to 12/12/2017 - HP ProLiant DL560 Gen8 Server prior to 12/12/2017 - HPE ProLiant SL210t Gen8 Server prior to 12/12/2017 - HP ProLiant DL580 Gen8 Server prior to 12/12/2017 (v1.98) - HP ProLiant ML10 Server prior to 12/12/2017 - HP ProLiant m710 Server Cartridge prior to 12/12/2017 (v1.60) - HPE Synergy Composer prior to 12/12/2017 - HPE Integrity Superdome X with BL920s Blades prior to 8.8.6 - HPE Superdome Flex Server prior to 2.3.110 - HP ProLiant DL360 Gen9 Server prior to v2.54 - HPE Synergy 620 Gen9 Compute Module prior to v2.54 - HPE ProLiant Thin Micro TM200 Server prior to 1/16/2017 - HPE ProLiant ML350 Gen10 Server prior to v1.28 - HP ProLiant BL420c Gen8 Server prior to 12/12/2017 - HPE ProLiant ML10 v2 Server prior to 12/12/2017 - HPE ProLiant MicroServer Gen8 prior to 12/12/2017 - HPE Synergy 660 Gen10 Compute Module prior to v1.28 BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector CVE-2017-5715 8.2 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N 6.8 (AV:A/AC:L/Au:N/C:C/I:P/A:N) CVE-2017-5753 5.0 CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L 5.4 (AV:A/AC:M/Au:N/C:P/I:P/A:P) CVE-2017-5754 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N) Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499 RESOLUTION HPE has made the following system ROM updates which include an updated microcode to resolve the vulnerability: * HPE has provided a customer bulletin <https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039267en_us> with specific instructions to obtain the udpated sytem ROM - Note: + CVE-2017-5715 requires that the System ROM be updated and a vendor supplied operating system update be applied as well. + For CVE-2017-5753, CVE-2017-5754 require only updates of a vendor supplied operating system. + HPE will continue to add additional products to the list. Not all listed products have updated system ROMs yet. Impacted products awaiting system ROM updates are marked TBS (to be supplied). HISTORY Version:1 (rev.1) - 4 January 2018 Initial release Version:2 (rev.2) - 5 January 2018 Added additional impacted products Version:3 (rev.3) - 10 January 2018 Added more impacted products Version:4 (rev.4) - 9 January 2018 Fixed product ID Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com. Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX Copyright 2016 Hewlett Packard Enterprise Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-18:03.speculative_execution Security Advisory The FreeBSD Project Topic: Speculative Execution Vulnerabilities Category: core Module: kernel Announced: 2018-03-14 Credits: Jann Horn (Google Project Zero); Werner Haas, Thomas Prescher (Cyberus Technology); Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology); Paul Kocher; Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus); Yuval Yarom (University of Adelaide and Data6) Affects: All supported versions of FreeBSD. Corrected: 2018-02-17 18:00:01 UTC (stable/11, 11.1-STABLE) 2018-03-14 04:00:00 UTC (releng/11.1, 11.1-RELEASE-p8) CVE Name: CVE-2017-5715, CVE-2017-5754 Special Note: Speculative execution vulnerability mitigation is a work in progress. This advisory addresses the most significant issues for FreeBSD 11.1 on amd64 CPUs. We expect to update this advisory to include 10.x for amd64 CPUs. Future FreeBSD releases will address this issue on i386 and other CPUs. freebsd-update will include changes on i386 as part of this update due to common code changes shared between amd64 and i386, however it contains no functional changes for i386 (in particular, it does not mitigate the issue on i386). For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. II. Problem Description A number of issues relating to speculative execution were found last year and publicly announced January 3rd. Two of these, known as Meltdown and Spectre V2, are addressed here. CVE-2017-5754 (Meltdown) - ------------------------ This issue relies on an affected CPU speculatively executing instructions beyond a faulting instruction. When this happens, changes to architectural state are not committed, but observable changes may be left in micro- architectural state (for example, cache). This may be used to infer privileged data. CVE-2017-5715 (Spectre V2) - -------------------------- Spectre V2 uses branch target injection to speculatively execute kernel code at an address under the control of an attacker. III. Impact An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser). IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility, followed by a reboot into the new kernel: # freebsd-update fetch # freebsd-update install # shutdown -r now 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 11.1] # fetch https://security.FreeBSD.org/patches/SA-18:03/speculative_execution-amd64-11.patch # fetch https://security.FreeBSD.org/patches/SA-18:03/speculative_execution-amd64-11.patch.asc # gpg --verify speculative_execution-amd64-11.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details CVE-2017-5754 (Meltdown) - ------------------------ The mitigation is known as Page Table Isolation (PTI). PTI largely separates kernel and user mode page tables, so that even during speculative execution most of the kernel's data is unmapped and not accessible. A positive result is definitive (that is, the vulnerability exists with certainty). A negative result indicates either that the CPU is not affected, or that the test is not capable of demonstrating the issue on the CPU (and may need to be modified). A patched kernel will automatically enable PTI on Intel CPUs. The status can be checked via the vm.pmap.pti sysctl: # sysctl vm.pmap.pti vm.pmap.pti: 1 The default setting can be overridden by setting the loader tunable vm.pmap.pti to 1 or 0 in /boot/loader.conf. This setting takes effect only at boot. PTI introduces a performance regression. The observed performance loss is significant in microbenchmarks of system call overhead, but is much smaller for many real workloads. CVE-2017-5715 (Spectre V2) - -------------------------- There are two common mitigations for Spectre V2. This patch includes a mitigation using Indirect Branch Restricted Speculation, a feature available via a microcode update from processor manufacturers. The alternate mitigation, Retpoline, is a feature available in newer compilers. The feasibility of applying Retpoline to stable branches and/or releases is under investigation. The patch includes the IBRS mitigation for Spectre V2. To use the mitigation the system must have an updated microcode; with older microcode a patched kernel will function without the mitigation. IBRS can be disabled via the hw.ibrs_disable sysctl (and tunable), and the status can be checked via the hw.ibrs_active sysctl. IBRS may be enabled or disabled at runtime. Additional detail on microcode updates will follow. The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/11/ r329462 releng/11.1/ r330908 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:03.speculative_execution.asc> -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqon0RfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cKORw/+Lc5lxLhDgU1rQ0JF6sb2b80Ly5k+rJLXFWBvmEQt0uVyVkF4TMJ99M04 bcmrLbT4Pl0Csh/iEYvZQ4el12KvPDApHszsLTBgChD+KfCLvCZvBZzasgDWGD0E JhL4eIX0wjJ4oGGsT+TAqkmwXyAMJgWW/ZgZPFVXocylZTL3fV4g52VdG1Jnd2yu hnkViH2kVlVJqXX9AHlenIUfEmUiRUGrMh5oPPpFYDDmfJ+enZ8QLxfZtOKIliD7 u+2GP8V/bvaErkxqF5wwobybrBOMXpq9Y/fWw0EH/om7myevj/oORqK+ZmGZ17bl IRbdWxgjc1hN2TIMVn9q9xX6i0I0wSPwbpLYagKnSnE8WNVUTZUteaj1GKGTG1rj DFH2zOLlbRr/IXUFldM9b6VbZX6G5Ijxwy1DJzB/0KL5ZTbAReUR0pqHR7xpulbJ eDv8SKCwYiUpMuwPOXNdVlVLZSsH5/9A0cyjH3+E+eIhM8qyxw7iRFwA0DxnGVkr tkMo51Vl3Gl7JFFimGKljsE9mBh00m8B0WYJwknvfhdehO4WripcwI7/V5zL6cwj s018kaW4Xm77LOz6P1iN8nbcjZ9gN2AsPYUYYZqJxjCcZ7r489Hg9BhbDf0QtC0R gnwZWiZ/KuAy0C6vaHljsm0xPEM5nBz/yScFXDbuhEdmEgBBD6w= =fqrI -----END PGP SIGNATURE----- . Security Fix(es): * hw: cpu: speculative execution permission faults handling (CVE-2017-5754) * Kernel: error in exception handling leads to DoS (CVE-2018-8897) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * The kernel build requirements have been updated to the GNU Compiler Collection (GCC) compiler version that has the support for Retpolines. The Retpolines mechanism is a software construct that leverages specific knowledge of the underlying hardware to mitigate the branch target injection, also known as Spectre variant 2 vulnerability described in CVE-2017-5715. (BZ#1554253) 4. 6.2) - x86_64 3. (CVE-2017-5754, Important) Note: CVE-2017-5754 affects Intel x86-64 microprocessors. AMD x86-64 microprocessors are not affected by this issue. ========================================================================== Ubuntu Security Notice USN-3583-1 February 23, 2018 linux vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux: Linux kernel Details: It was discovered that an out-of-bounds write vulnerability existed in the Flash-Friendly File System (f2fs) in the Linux kernel. An attacker could construct a malicious file system that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0750) It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) Bo Zhang discovered that the netlink wireless configuration interface in the Linux kernel did not properly validate attributes when handling certain requests. A local attacker with the CAP_NET_ADMIN could use this to cause a denial of service (system crash). (CVE-2017-12153) Vitaly Mayatskikh discovered that the SCSI subsystem in the Linux kernel did not properly track reference counts when merging buffers. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2017-12190) It was discovered that the key management subsystem in the Linux kernel did not properly restrict key reads on negatively instantiated keys. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12192) It was discovered that an integer overflow existed in the sysfs interface for the QLogic 24xx+ series SCSI driver in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2017-14051) Otto Ebeling discovered that the memory manager in the Linux kernel did not properly check the effective UID in some situations. (CVE-2017-14140) It was discovered that the ATI Radeon framebuffer driver in the Linux kernel did not properly initialize a data structure returned to user space. (CVE-2017-14156) ChunYu Wang discovered that the iSCSI transport implementation in the Linux kernel did not properly validate data structures. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14489) James Patrick-Evans discovered a race condition in the LEGO USB Infrared Tower driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15102) ChunYu Wang discovered that a use-after-free vulnerability existed in the SCTP protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code, (CVE-2017-15115) It was discovered that the key management subsystem in the Linux kernel did not properly handle NULL payloads with non-zero length values. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-15274) It was discovered that the Bluebooth Network Encapsulation Protocol (BNEP) implementation in the Linux kernel did not validate the type of socket passed in the BNEPCONNADD ioctl(). A local attacker with the CAP_NET_ADMIN privilege could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15868) Andrey Konovalov discovered a use-after-free vulnerability in the USB serial console driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16525) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the systemwide OS fingerprint list. (CVE-2017-17450) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) Denys Fedoryshchenko discovered a use-after-free vulnerability in the netfilter xt_TCPMSS filter of the Linux kernel. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-18017) Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669) It was discovered that an integer overflow vulnerability existing in the IPv6 implementation in the Linux kernel. A local attacker could use this to cause a denial of service (infinite loop). (CVE-2017-7542) Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889) Mohamed Ghannam discovered a use-after-free vulnerability in the DCCP protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-8824) Mohamed Ghannam discovered a null pointer dereference in the RDS (Reliable Datagram Sockets) protocol implementation of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5333) ee3/4ePS discovered that a race condition existed in loop block device implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5344) USN-3524-1 mitigated CVE-2017-5754 (Meltdown) for the amd64 architecture in Ubuntu 14.04 LTS. This update provides the corresponding mitigations for the ppc64el architecture. This flaw is known as Meltdown. (CVE-2017-5754) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: linux-image-3.13.0-142-generic 3.13.0-142.191 linux-image-3.13.0-142-generic-lpae 3.13.0-142.191 linux-image-3.13.0-142-lowlatency 3.13.0-142.191 linux-image-3.13.0-142-powerpc-e500 3.13.0-142.191 linux-image-3.13.0-142-powerpc-e500mc 3.13.0-142.191 linux-image-3.13.0-142-powerpc-smp 3.13.0-142.191 linux-image-3.13.0-142-powerpc64-emb 3.13.0-142.191 linux-image-3.13.0-142-powerpc64-smp 3.13.0-142.191 linux-image-generic 3.13.0.142.152 linux-image-generic-lpae 3.13.0.142.152 linux-image-lowlatency 3.13.0.142.152 linux-image-powerpc-e500 3.13.0.142.152 linux-image-powerpc-e500mc 3.13.0.142.152 linux-image-powerpc-smp 3.13.0.142.152 linux-image-powerpc64-emb 3.13.0.142.152 linux-image-powerpc64-smp 3.13.0.142.152 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://usn.ubuntu.com/usn/usn-3583-1 CVE-2017-0750, CVE-2017-0861, CVE-2017-1000407, CVE-2017-12153, CVE-2017-12190, CVE-2017-12192, CVE-2017-14051, CVE-2017-14140, CVE-2017-14156, CVE-2017-14489, CVE-2017-15102, CVE-2017-15115, CVE-2017-15274, CVE-2017-15868, CVE-2017-16525, CVE-2017-17450, CVE-2017-17806, CVE-2017-18017, CVE-2017-5669, CVE-2017-5754, CVE-2017-7542, CVE-2017-7889, CVE-2017-8824, CVE-2018-5333, CVE-2018-5344 Package Information: https://launchpad.net/ubuntu/+source/linux/3.13.0-142.191 . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201810-06 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Xen: Multiple vulnerabilities Date: October 30, 2018 Bugs: #643350, #655188, #655544, #659442 ID: 201810-06 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Xen, the worst of which could cause a Denial of Service condition. Background ========== Xen is a bare-metal hypervisor. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-emulation/xen < 4.10.1-r2 >= 4.10.1-r2 2 app-emulation/xen-tools < 4.10.1-r2 >= 4.10.1-r2 ------------------------------------------------------------------- 2 affected packages Description =========== Multiple vulnerabilities have been discovered in Xen. Please review the referenced CVE identifiers for details. Resolution ========== All Xen users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.10.1-r2" All Xen tools users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=app-emulation/xen-tools-4.10.1-r2" References ========== [ 1 ] CVE-2017-5715 https://nvd.nist.gov/vuln/detail/CVE-2017-5715 [ 2 ] CVE-2017-5753 https://nvd.nist.gov/vuln/detail/CVE-2017-5753 [ 3 ] CVE-2017-5754 https://nvd.nist.gov/vuln/detail/CVE-2017-5754 [ 4 ] CVE-2018-10471 https://nvd.nist.gov/vuln/detail/CVE-2018-10471 [ 5 ] CVE-2018-10472 https://nvd.nist.gov/vuln/detail/CVE-2018-10472 [ 6 ] CVE-2018-10981 https://nvd.nist.gov/vuln/detail/CVE-2018-10981 [ 7 ] CVE-2018-10982 https://nvd.nist.gov/vuln/detail/CVE-2018-10982 [ 8 ] CVE-2018-12891 https://nvd.nist.gov/vuln/detail/CVE-2018-12891 [ 9 ] CVE-2018-12892 https://nvd.nist.gov/vuln/detail/CVE-2018-12892 [ 10 ] CVE-2018-12893 https://nvd.nist.gov/vuln/detail/CVE-2018-12893 [ 11 ] CVE-2018-15468 https://nvd.nist.gov/vuln/detail/CVE-2018-15468 [ 12 ] CVE-2018-15469 https://nvd.nist.gov/vuln/detail/CVE-2018-15469 [ 13 ] CVE-2018-15470 https://nvd.nist.gov/vuln/detail/CVE-2018-15470 [ 14 ] CVE-2018-3620 https://nvd.nist.gov/vuln/detail/CVE-2018-3620 [ 15 ] CVE-2018-3646 https://nvd.nist.gov/vuln/detail/CVE-2018-3646 [ 16 ] CVE-2018-5244 https://nvd.nist.gov/vuln/detail/CVE-2018-5244 [ 17 ] CVE-2018-7540 https://nvd.nist.gov/vuln/detail/CVE-2018-7540 [ 18 ] CVE-2018-7541 https://nvd.nist.gov/vuln/detail/CVE-2018-7541 [ 19 ] CVE-2018-7542 https://nvd.nist.gov/vuln/detail/CVE-2018-7542 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201810-06 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2018 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action. Linux Kernel is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause a denial-of-service condition. Linux kernel versions prior to 4.11, and 4.9.x prior to 4.9.36 are vulnerable. (BZ#1549731) * Intel Core X-Series (Skylake) processors use a hardcoded Time Stamp Counter (TSC) frequency of 25 MHz. In some cases this can be imprecise and lead to timing-related problems such as time drift, timers being triggered early, or TSC clock instability. This update mitigates these problems by no longer using the "native_calibrate_tsc()" function to define the TSC frequency. Refined calibration is now used to update the clock rate accordingly in these cases. (BZ#1547854) 4. 7) - noarch, x86_64 3. Description: The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4187-1 security@debian.org https://www.debian.org/security/ Ben Hutchings May 01, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : linux CVE ID : CVE-2015-9016 CVE-2017-0861 CVE-2017-5715 CVE-2017-5753 CVE-2017-13166 CVE-2017-13220 CVE-2017-16526 CVE-2017-16911 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-18017 CVE-2017-18203 CVE-2017-18216 CVE-2017-18232 CVE-2017-18241 CVE-2018-1066 CVE-2018-1068 CVE-2018-1092 CVE-2018-5332 CVE-2018-5333 CVE-2018-5750 CVE-2018-5803 CVE-2018-6927 CVE-2018-7492 CVE-2018-7566 CVE-2018-7740 CVE-2018-7757 CVE-2018-7995 CVE-2018-8781 CVE-2018-8822 CVE-2018-1000004 CVE-2018-1000199 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2015-9016 Ming Lei reported a race condition in the multiqueue block layer (blk-mq). On a system with a driver using blk-mq (mtip32xx, null_blk, or virtio_blk), a local user might be able to use this for denial of service or possibly for privilege escalation. CVE-2017-0861 Robb Glasser reported a potential use-after-free in the ALSA (sound) PCM core. We believe this was not possible in practice. CVE-2017-5715 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Spectre variant 2 (branch target injection) and is mitigated for the x86 architecture (amd64 and i386) by using the "retpoline" compiler feature which allows indirect branches to be isolated from speculative execution. CVE-2017-5753 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Spectre variant 1 (bounds-check bypass) and is mitigated by identifying vulnerable code sections (array bounds checking followed by array access) and replacing the array access with the speculation-safe array_index_nospec() function. More use sites will be added over time. CVE-2017-13166 A bug in the 32-bit compatibility layer of the v4l2 ioctl handling code has been found. Memory protections ensuring user-provided buffers always point to userland memory were disabled, allowing destination addresses to be in kernel space. On a 64-bit kernel a local user with access to a suitable video device can exploit this to overwrite kernel memory, leading to privilege escalation. CVE-2017-13220 Al Viro reported that the Bluetooth HIDP implementation could dereference a pointer before performing the necessary type check. A local user could use this to cause a denial of service. CVE-2017-16526 Andrey Konovalov reported that the UWB subsystem may dereference an invalid pointer in an error case. A local user might be able to use this for denial of service. CVE-2017-16911 Secunia Research reported that the USB/IP vhci_hcd driver exposed kernel heap addresses to local users. This information could aid the exploitation of other vulnerabilities. CVE-2017-16912 Secunia Research reported that the USB/IP stub driver failed to perform a range check on a received packet header field, leading to an out-of-bounds read. A remote user able to connect to the USB/IP server could use this for denial of service. CVE-2017-16913 Secunia Research reported that the USB/IP stub driver failed to perform a range check on a received packet header field, leading to excessive memory allocation. A remote user able to connect to the USB/IP server could use this for denial of service. CVE-2017-16914 Secunia Research reported that the USB/IP stub driver failed to check for an invalid combination of fields in a received packet, leading to a null pointer dereference. A remote user able to connect to the USB/IP server could use this for denial of service. CVE-2017-18017 Denys Fedoryshchenko reported that the netfilter xt_TCPMSS module failed to validate TCP header lengths, potentially leading to a use-after-free. If this module is loaded, it could be used by a remote attacker for denial of service or possibly for code execution. CVE-2017-18203 Hou Tao reported that there was a race condition in creation and deletion of device-mapper (DM) devices. A local user could potentially use this for denial of service. CVE-2017-18216 Alex Chen reported that the OCFS2 filesystem failed to hold a necessary lock during nodemanager sysfs file operations, potentially leading to a null pointer dereference. A local user could use this for denial of service. CVE-2017-18232 Jason Yan reported a race condition in the SAS (Serial-Attached SCSI) subsystem, between probing and destroying a port. This could lead to a deadlock. CVE-2017-18241 Yunlei He reported that the f2fs implementation does not properly initialise its state if the "noflush_merge" mount option is used. A local user with access to a filesystem mounted with this option could use this to cause a denial of service. CVE-2018-1066 Dan Aloni reported to Red Hat that the CIFS client implementation would dereference a null pointer if the server sent an invalid response during NTLMSSP setup negotiation. This could be used by a malicious server for denial of service. CVE-2018-1068 The syzkaller tool found that the 32-bit compatibility layer of ebtables did not sufficiently validate offset values. On a 64-bit kernel, a local user with the CAP_NET_ADMIN capability (in any user namespace) could use this to overwrite kernel memory, possibly leading to privilege escalation. Debian disables unprivileged user namespaces by default. CVE-2018-1092 Wen Xu reported that a crafted ext4 filesystem image would trigger a null dereference when mounted. A local user able to mount arbitrary filesystems could use this for denial of service. CVE-2018-5332 Mohamed Ghannam reported that the RDS protocol did not sufficiently validate RDMA requests, leading to an out-of-bounds write. A local attacker on a system with the rds module loaded could use this for denial of service or possibly for privilege escalation. CVE-2018-5333 Mohamed Ghannam reported that the RDS protocol did not properly handle an error case, leading to a null pointer dereference. A local attacker on a system with the rds module loaded could possibly use this for denial of service. CVE-2018-5750 Wang Qize reported that the ACPI sbshc driver logged a kernel heap address. This information could aid the exploitation of other vulnerabilities. CVE-2018-5803 Alexey Kodanev reported that the SCTP protocol did not range-check the length of chunks to be created. A local or remote user could use this to cause a denial of service. CVE-2018-6927 Li Jinyue reported that the FUTEX_REQUEUE operation on futexes did not check for negative parameter values, which might lead to a denial of service or other security impact. CVE-2018-7492 The syzkaller tool found that the RDS protocol was lacking a null pointer check. A local attacker on a system with the rds module loaded could use this for denial of service. CVE-2018-7566 Fan LongFei reported a race condition in the ALSA (sound) sequencer core, between write and ioctl operations. This could lead to an out-of-bounds access or use-after-free. A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation. CVE-2018-7740 Nic Losby reported that the hugetlbfs filesystem's mmap operation did not properly range-check the file offset. A local user with access to files on a hugetlbfs filesystem could use this to cause a denial of service. CVE-2018-7757 Jason Yan reported a memory leak in the SAS (Serial-Attached SCSI) subsystem. A local user on a system with SAS devices could use this to cause a denial of service. CVE-2018-7995 Seunghun Han reported a race condition in the x86 MCE (Machine Check Exception) driver. This is unlikely to have any security impact. CVE-2018-8781 Eyal Itkin reported that the udl (DisplayLink) driver's mmap operation did not properly range-check the file offset. A local user with access to a udl framebuffer device could exploit this to overwrite kernel memory, leading to privilege escalation. CVE-2018-8822 Dr Silvio Cesare of InfoSect reported that the ncpfs client implementation did not validate reply lengths from the server. An ncpfs server could use this to cause a denial of service or remote code execution in the client. CVE-2018-1000004 Luo Quan reported a race condition in the ALSA (sound) sequencer core, between multiple ioctl operations. This could lead to a deadlock or use-after-free. A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation. CVE-2018-1000199 Andy Lutomirski discovered that the ptrace subsystem did not sufficiently validate hardware breakpoint settings. Local users can use this to cause a denial of service, or possibly for privilege escalation, on x86 (amd64 and i386) and possibly other architectures. For the oldstable distribution (jessie), these problems have been fixed in version 3.16.56-1. We recommend that you upgrade your linux packages. For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlron61fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0Rtqw//Xf/L4bP65wU9M59Ef6xBt+Eph+yxeMsioGhu80ODdMemlmHzASMtfZjY AXxyt9l8lbHn8MmwDA4aLhhwHYXwvKATdpHSy1SILrRfb4s9P9uV1vsHaIeZ649E hDyNon9hP2tPso6BwqiYHZZy9Xxtd+T8vTBeBZwUKOLBkBRvV/gyNSUdJWp6L8WH aF4D1hHl9ZotDkyIvkubbx77aqbJ88I4R0n69x7L9udFbuXa+U7hV6dJdnpzyl/7 OukJfEtnkaUgWu0MdOfFss6iH5OQISn/y/ricRi29oKQiEp3YwnT5J9pFwSQeJJS H8ABVt251UoS0J+of3QWw0muOT/6UAF8SNpPKMJXC7Euq8pTmYVPSIeUYf4eqn65 UHZSCKXaszItq+uzVNYdkj504BJ4cG1lFxZtlrFWwKE8p7QOETN0GKvTRdu/SvDd Hl2nb4HouLpBYS518Th2/MGgzhXXAuO12MH3smenptZbqxKn9Z0XSTJYzFupgJk/ kKF2xkDFBE4toTLVE+6XdUKwYk4vkeDZyOGOwRYThSkKAzrUh5zThgal4HnknD2A 5ye4XLhjgSIT47/nmor6lhxd7WGXGkV33GF0azYlHr/sclfzxcU2Ev3NUBWQ8M3s CxfIO0FNCzO0WIUf40md7MlIAnDBIRGyYgNIIe7AnSRKKPykEx8= =wNQS -----END PGP SIGNATURE----- . Summary: An update for kernel is now available for Red Hat Enterprise Linux 7.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux ComputeNode EUS (v. 7.4) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.4) - x86_64 Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 7.4) - noarch, ppc64, ppc64le, x86_64 3. Security Fix(es): * kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important) * kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important) * kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate) * kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate) * kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate) * kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate) * kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate) * kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Mohamed Ghannam for reporting CVE-2017-8824; Jan H. SchAPnherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. Bug Fix(es): These updated kernel packages include also numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. See the bug fix descriptions in the related Knowledge Article: https://access.redhat.com/articles/3411331 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 The system must be rebooted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1489088 - CVE-2017-9725 kernel: Incorrect type conversion for size during dma allocation 1490781 - CVE-2017-1000252 kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ 1501878 - CVE-2017-15265 kernel: Use-after-free in snd_seq_ioctl_create_port() 1519160 - CVE-2017-1000410 kernel: Stack information leak in the EFS element 1519591 - CVE-2017-8824 kernel: Use-after-free vulnerability in DCCP socket 1525762 - CVE-2017-17449 kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity 1531135 - CVE-2017-18017 kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c 1548412 - CVE-2017-13166 kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation 6. Package List: Red Hat Enterprise Linux ComputeNode EUS (v. 7.4): Source: kernel-3.10.0-693.25.2.el7.src.rpm noarch: kernel-abi-whitelists-3.10.0-693.25.2.el7.noarch.rpm kernel-doc-3.10.0-693.25.2.el7.noarch.rpm x86_64: kernel-3.10.0-693.25.2.el7.x86_64.rpm kernel-debug-3.10.0-693.25.2.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm kernel-debug-devel-3.10.0-693.25.2.el7.x86_64.rpm kernel-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-693.25.2.el7.x86_64.rpm kernel-devel-3.10.0-693.25.2.el7.x86_64.rpm kernel-headers-3.10.0-693.25.2.el7.x86_64.rpm kernel-tools-3.10.0-693.25.2.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm kernel-tools-libs-3.10.0-693.25.2.el7.x86_64.rpm perf-3.10.0-693.25.2.el7.x86_64.rpm perf-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm python-perf-3.10.0-693.25.2.el7.x86_64.rpm python-perf-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.4): x86_64: kernel-debug-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm kernel-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-693.25.2.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-693.25.2.el7.x86_64.rpm perf-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm python-perf-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm Red Hat Enterprise Linux Server EUS (v. 7.4): Source: kernel-3.10.0-693.25.2.el7.src.rpm noarch: kernel-abi-whitelists-3.10.0-693.25.2.el7.noarch.rpm kernel-doc-3.10.0-693.25.2.el7.noarch.rpm ppc64: kernel-3.10.0-693.25.2.el7.ppc64.rpm kernel-bootwrapper-3.10.0-693.25.2.el7.ppc64.rpm kernel-debug-3.10.0-693.25.2.el7.ppc64.rpm kernel-debug-debuginfo-3.10.0-693.25.2.el7.ppc64.rpm kernel-debug-devel-3.10.0-693.25.2.el7.ppc64.rpm kernel-debuginfo-3.10.0-693.25.2.el7.ppc64.rpm kernel-debuginfo-common-ppc64-3.10.0-693.25.2.el7.ppc64.rpm kernel-devel-3.10.0-693.25.2.el7.ppc64.rpm kernel-headers-3.10.0-693.25.2.el7.ppc64.rpm kernel-tools-3.10.0-693.25.2.el7.ppc64.rpm kernel-tools-debuginfo-3.10.0-693.25.2.el7.ppc64.rpm kernel-tools-libs-3.10.0-693.25.2.el7.ppc64.rpm perf-3.10.0-693.25.2.el7.ppc64.rpm perf-debuginfo-3.10.0-693.25.2.el7.ppc64.rpm python-perf-3.10.0-693.25.2.el7.ppc64.rpm python-perf-debuginfo-3.10.0-693.25.2.el7.ppc64.rpm ppc64le: kernel-3.10.0-693.25.2.el7.ppc64le.rpm kernel-bootwrapper-3.10.0-693.25.2.el7.ppc64le.rpm kernel-debug-3.10.0-693.25.2.el7.ppc64le.rpm kernel-debug-debuginfo-3.10.0-693.25.2.el7.ppc64le.rpm kernel-debuginfo-3.10.0-693.25.2.el7.ppc64le.rpm kernel-debuginfo-common-ppc64le-3.10.0-693.25.2.el7.ppc64le.rpm kernel-devel-3.10.0-693.25.2.el7.ppc64le.rpm kernel-headers-3.10.0-693.25.2.el7.ppc64le.rpm kernel-tools-3.10.0-693.25.2.el7.ppc64le.rpm kernel-tools-debuginfo-3.10.0-693.25.2.el7.ppc64le.rpm kernel-tools-libs-3.10.0-693.25.2.el7.ppc64le.rpm perf-3.10.0-693.25.2.el7.ppc64le.rpm perf-debuginfo-3.10.0-693.25.2.el7.ppc64le.rpm python-perf-3.10.0-693.25.2.el7.ppc64le.rpm python-perf-debuginfo-3.10.0-693.25.2.el7.ppc64le.rpm s390x: kernel-3.10.0-693.25.2.el7.s390x.rpm kernel-debug-3.10.0-693.25.2.el7.s390x.rpm kernel-debug-debuginfo-3.10.0-693.25.2.el7.s390x.rpm kernel-debug-devel-3.10.0-693.25.2.el7.s390x.rpm kernel-debuginfo-3.10.0-693.25.2.el7.s390x.rpm kernel-debuginfo-common-s390x-3.10.0-693.25.2.el7.s390x.rpm kernel-devel-3.10.0-693.25.2.el7.s390x.rpm kernel-headers-3.10.0-693.25.2.el7.s390x.rpm kernel-kdump-3.10.0-693.25.2.el7.s390x.rpm kernel-kdump-debuginfo-3.10.0-693.25.2.el7.s390x.rpm kernel-kdump-devel-3.10.0-693.25.2.el7.s390x.rpm perf-3.10.0-693.25.2.el7.s390x.rpm perf-debuginfo-3.10.0-693.25.2.el7.s390x.rpm python-perf-3.10.0-693.25.2.el7.s390x.rpm python-perf-debuginfo-3.10.0-693.25.2.el7.s390x.rpm x86_64: kernel-3.10.0-693.25.2.el7.x86_64.rpm kernel-debug-3.10.0-693.25.2.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm kernel-debug-devel-3.10.0-693.25.2.el7.x86_64.rpm kernel-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-693.25.2.el7.x86_64.rpm kernel-devel-3.10.0-693.25.2.el7.x86_64.rpm kernel-headers-3.10.0-693.25.2.el7.x86_64.rpm kernel-tools-3.10.0-693.25.2.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm kernel-tools-libs-3.10.0-693.25.2.el7.x86_64.rpm perf-3.10.0-693.25.2.el7.x86_64.rpm perf-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm python-perf-3.10.0-693.25.2.el7.x86_64.rpm python-perf-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional EUS (v. 7.4): noarch: kernel-doc-3.10.0-693.25.2.el7.noarch.rpm ppc64: kernel-debug-debuginfo-3.10.0-693.25.2.el7.ppc64.rpm kernel-debuginfo-3.10.0-693.25.2.el7.ppc64.rpm kernel-debuginfo-common-ppc64-3.10.0-693.25.2.el7.ppc64.rpm kernel-tools-debuginfo-3.10.0-693.25.2.el7.ppc64.rpm kernel-tools-libs-devel-3.10.0-693.25.2.el7.ppc64.rpm perf-debuginfo-3.10.0-693.25.2.el7.ppc64.rpm python-perf-debuginfo-3.10.0-693.25.2.el7.ppc64.rpm ppc64le: kernel-debug-debuginfo-3.10.0-693.25.2.el7.ppc64le.rpm kernel-debug-devel-3.10.0-693.25.2.el7.ppc64le.rpm kernel-debuginfo-3.10.0-693.25.2.el7.ppc64le.rpm kernel-debuginfo-common-ppc64le-3.10.0-693.25.2.el7.ppc64le.rpm kernel-tools-debuginfo-3.10.0-693.25.2.el7.ppc64le.rpm kernel-tools-libs-devel-3.10.0-693.25.2.el7.ppc64le.rpm perf-debuginfo-3.10.0-693.25.2.el7.ppc64le.rpm python-perf-debuginfo-3.10.0-693.25.2.el7.ppc64le.rpm x86_64: kernel-debug-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm kernel-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-693.25.2.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-693.25.2.el7.x86_64.rpm perf-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm python-perf-debuginfo-3.10.0-693.25.2.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFa1h9vXlSAg2UNWIIRAgQYAJ9SYf3YVGwDtvYuYkVuDVmdm9DiPgCfW2Kv cMaOuMHITklMFw/e0S86gxs= =83T9 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ========================================================================== Ubuntu Security Notice USN-3583-1 February 23, 2018 linux vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS Summary: Several security issues were fixed in the Linux kernel. (CVE-2017-0750) It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. (CVE-2017-1000407) Bo Zhang discovered that the netlink wireless configuration interface in the Linux kernel did not properly validate attributes when handling certain requests. (CVE-2017-12153) Vitaly Mayatskikh discovered that the SCSI subsystem in the Linux kernel did not properly track reference counts when merging buffers. (CVE-2017-12190) It was discovered that the key management subsystem in the Linux kernel did not properly restrict key reads on negatively instantiated keys. (CVE-2017-12192) It was discovered that an integer overflow existed in the sysfs interface for the QLogic 24xx+ series SCSI driver in the Linux kernel. (CVE-2017-14051) Otto Ebeling discovered that the memory manager in the Linux kernel did not properly check the effective UID in some situations. (CVE-2017-14140) It was discovered that the ATI Radeon framebuffer driver in the Linux kernel did not properly initialize a data structure returned to user space. (CVE-2017-14156) ChunYu Wang discovered that the iSCSI transport implementation in the Linux kernel did not properly validate data structures. (CVE-2017-14489) James Patrick-Evans discovered a race condition in the LEGO USB Infrared Tower driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code, (CVE-2017-15115) It was discovered that the key management subsystem in the Linux kernel did not properly handle NULL payloads with non-zero length values. (CVE-2017-15274) It was discovered that the Bluebooth Network Encapsulation Protocol (BNEP) implementation in the Linux kernel did not validate the type of socket passed in the BNEPCONNADD ioctl(). (CVE-2017-16525) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the systemwide OS fingerprint list. (CVE-2017-17450) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. (CVE-2017-18017) Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. (CVE-2017-5669) It was discovered that an integer overflow vulnerability existing in the IPv6 implementation in the Linux kernel. (CVE-2017-7542) Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. (CVE-2018-5333) ee3/4ePS discovered that a race condition existed in loop block device implementation in the Linux kernel. (CVE-2018-5344) USN-3524-1 mitigated CVE-2017-5754 (Meltdown) for the amd64 architecture in Ubuntu 14.04 LTS. This update provides the corresponding mitigations for the ppc64el architecture. Original advisory details: Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Meltdown. (CVE-2017-5754) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: linux-image-3.13.0-142-generic 3.13.0-142.191 linux-image-3.13.0-142-generic-lpae 3.13.0-142.191 linux-image-3.13.0-142-lowlatency 3.13.0-142.191 linux-image-3.13.0-142-powerpc-e500 3.13.0-142.191 linux-image-3.13.0-142-powerpc-e500mc 3.13.0-142.191 linux-image-3.13.0-142-powerpc-smp 3.13.0-142.191 linux-image-3.13.0-142-powerpc64-emb 3.13.0-142.191 linux-image-3.13.0-142-powerpc64-smp 3.13.0-142.191 linux-image-generic 3.13.0.142.152 linux-image-generic-lpae 3.13.0.142.152 linux-image-lowlatency 3.13.0.142.152 linux-image-powerpc-e500 3.13.0.142.152 linux-image-powerpc-e500mc 3.13.0.142.152 linux-image-powerpc-smp 3.13.0.142.152 linux-image-powerpc64-emb 3.13.0.142.152 linux-image-powerpc64-smp 3.13.0.142.152 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://usn.ubuntu.com/usn/usn-3583-1 CVE-2017-0750, CVE-2017-0861, CVE-2017-1000407, CVE-2017-12153, CVE-2017-12190, CVE-2017-12192, CVE-2017-14051, CVE-2017-14140, CVE-2017-14156, CVE-2017-14489, CVE-2017-15102, CVE-2017-15115, CVE-2017-15274, CVE-2017-15868, CVE-2017-16525, CVE-2017-17450, CVE-2017-17806, CVE-2017-18017, CVE-2017-5669, CVE-2017-5754, CVE-2017-7542, CVE-2017-7889, CVE-2017-8824, CVE-2018-5333, CVE-2018-5344 Package Information: https://launchpad.net/ubuntu/+source/linux/3.13.0-142.191

IBM WebSphere MQ 8.0 and 9.0 could allow an authenticated user with authority to send a specially crafted request that could cause a channel process to cease processing further requests. IBM X-Force ID: 131547. IBM WebSphere MQ Contains an access control vulnerability. Vendors have confirmed this vulnerability IBM X-Force ID: 131547 It is released as.Service operation interruption (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to cause a denial-of-service condition

getConfigExportFile.cgi on FLIR Brickstream 2300 devices 2.0 4.1.53.166 has Incorrect Access Control, as demonstrated by reading the AVI_USER_ID and AVI_USER_PASSWORD fields via a direct request. FLIR Brickstream 2300 The device contains an information disclosure vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. FLIR Brickstream 2300 is a customer flow analysis and statistics equipment of Canada FLIR company. An access control error vulnerability exists in the getConfigExportFile.cgi file in FLIR Brickstream 2300 version 2.0 4.1.53.166. An attacker could exploit this vulnerability to obtain information

Trustwave Secure Web Gateway (SWG) through 11.8.0.27 allows remote attackers to append an arbitrary public key to the device's SSH Authorized Keys data, and consequently obtain remote root access, via the publicKey parameter to the /sendKey URI. Trustwave Secure Web Gateway (SWG) Contains a vulnerability related to key management errors.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. TrustwaveSecureWebGateway (SWG) is a Web security gateway product from Trustwave Corporation of the United States. Security vulnerabilities existed in TrustwaveSWG 11.8.0.27 and earlier

BA SYSTEMS BAS Web on BAS920 devices (with Firmware 01.01.00*, HTTPserv 00002, and Script 02.*) and ISC2000 devices allows remote attackers to obtain sensitive information via a request for isc/get_sid_js.aspx or isc/get_sid.aspx, as demonstrated by obtaining administrative access by subsequently using the credential information for the Supervisor/Administrator account. BA SYSTEMS BAS920 Device and ISC2000 The device contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The BAS920 and ISC2000 devices are programmable intelligent controller products from BA SYSTEMS, Denmark. BA SYSTEMS BAS Web is a building automation system running in it. A remote attacker can exploit this vulnerability to obtain sensitive information by sending a request to the isc/get_sid_js.aspx or isc/get_sid.aspx file

On Hoermann BiSecur devices before 2018, a vulnerability can be exploited by recording a single radio transmission. An attacker can intercept an arbitrary radio frame exchanged between a BiSecur transmitter and a receiver to obtain the encrypted packet and the 32-bit serial number. The interception of the one-time pairing process is specifically not required. Due to use of AES-128 with an initial static random value and static data vector (all of this static information is the same across different customers' installations), the attacker can easily derive the utilized encryption key and decrypt the intercepted packet. The key can be verified by decrypting the intercepted packet and checking for known plaintext. Subsequently, an attacker can create arbitrary radio frames with the correct encryption key to control BiSecur garage and entrance gate operators and possibly other BiSecur systems as well ("wireless cloning"). To conduct the attack, a low cost Software Defined Radio (SDR) is sufficient. This affects Hoermann Hand Transmitter HS5-868-BS, HSE1-868-BS, and HSE2-868-BS devices. Hoermann BiSecur The device contains a cryptographic vulnerability.Denial of service (DoS) May be in a state. HoermannBiSecurdevices is a security door remote control device from Hoermann, Germany. A security vulnerability exists in previous versions of HoermannBiSecur device 2018