SB2017021601 - Multiple vulnerabilities in Linux kernel

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Integer overflow (CVE-ID: CVE-2016-8636)

The vulnerability allows a local user to cause denial of service and escalate privileges on the system.

The vulnerability exists due to integer overflow in mem_check_range(). A local user can trigger memory corruption and cause denial of service or elevate privileges on vulnerable system

Successful exploitation of this vulnerability may lead to kernel panic or privilege escalation.

2) Off-by-one error (CVE-ID: CVE-2017-2618)

The vulnerability allows a local user to cause denial of service.

The vulnerability exists due to off-by-one error in setprocattr. A local process with the process:setfscreate permission can cause a kernel panic.

Successful exploitation of this vulnerability may lead to denial of service conditions.

Remediation

Install update from vendor's website.

References

• https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.10
• https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.49