Amazon Linux AMI update for kernel

Published: 2017-08-17

Risk	Medium
Patch available	YES
Number of vulnerabilities	3
CVE-ID	CVE-2017-11473 CVE-2017-7533 CVE-2017-7542
CWE-ID	CWE-120 CWE-362 CWE-835 CWE-190
Exploitation vector	Local
Public exploit	Vulnerability #2 is being exploited in the wild.
Vulnerable software	Amazon Linux AMI Operating systems & Components / Operating system
Vendor	Amazon Web Services

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU12137

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-11473

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c due to buffer overflow. A local attacker can submit a specially crafted ACPI table, trigger memory corruption and gain root privileges.

Mitigation

Update the affected packages.

i686:
    perf-4.9.43-17.38.amzn1.i686
    kernel-tools-devel-4.9.43-17.38.amzn1.i686
    kernel-tools-4.9.43-17.38.amzn1.i686
    kernel-tools-debuginfo-4.9.43-17.38.amzn1.i686
    kernel-headers-4.9.43-17.38.amzn1.i686
    kernel-debuginfo-common-i686-4.9.43-17.38.amzn1.i686
    kernel-debuginfo-4.9.43-17.38.amzn1.i686
    kernel-devel-4.9.43-17.38.amzn1.i686
    perf-debuginfo-4.9.43-17.38.amzn1.i686
    kernel-4.9.43-17.38.amzn1.i686

noarch:
    kernel-doc-4.9.43-17.38.amzn1.noarch

src:
    kernel-4.9.43-17.38.amzn1.src

x86_64:
    kernel-headers-4.9.43-17.38.amzn1.x86_64
    perf-4.9.43-17.38.amzn1.x86_64
    kernel-4.9.43-17.38.amzn1.x86_64
    kernel-debuginfo-4.9.43-17.38.amzn1.x86_64
    kernel-tools-debuginfo-4.9.43-17.38.amzn1.x86_64
    kernel-debuginfo-common-x86_64-4.9.43-17.38.amzn1.x86_64
    kernel-tools-4.9.43-17.38.amzn1.x86_64
    perf-debuginfo-4.9.43-17.38.amzn1.x86_64
    kernel-devel-4.9.43-17.38.amzn1.x86_64
    kernel-tools-devel-4.9.43-17.38.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2017-870.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Race condition

EUVDB-ID: #VU7694

Risk: Medium

CVSSv4.0: 8.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Green]

CVE-ID: CVE-2017-7533

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: Yes

Description

The vulnerability allows a local user to execute arbitrary code with escalated privileges.

The vulnerability exists due to a race condition in the fsnotify implementation in the Linux kernel through 4.12.4. A local user can create an application, which leverages simultaneous execution of the inotify_handle_event and vfs_rename functions and trigger memory corruption and denials of service attack or execute arbitrary code on the target system with root privileges.

Successful exploitation of this vulnerability may allow a local user to obtain elevated privileges on the system.

Note: this vulnerability is being active exploited in the wild for 32-bit systems in August 2017.

Mitigation

Update the affected packages.

i686:
    perf-4.9.43-17.38.amzn1.i686
    kernel-tools-devel-4.9.43-17.38.amzn1.i686
    kernel-tools-4.9.43-17.38.amzn1.i686
    kernel-tools-debuginfo-4.9.43-17.38.amzn1.i686
    kernel-headers-4.9.43-17.38.amzn1.i686
    kernel-debuginfo-common-i686-4.9.43-17.38.amzn1.i686
    kernel-debuginfo-4.9.43-17.38.amzn1.i686
    kernel-devel-4.9.43-17.38.amzn1.i686
    perf-debuginfo-4.9.43-17.38.amzn1.i686
    kernel-4.9.43-17.38.amzn1.i686

noarch:
    kernel-doc-4.9.43-17.38.amzn1.noarch

src:
    kernel-4.9.43-17.38.amzn1.src

x86_64:
    kernel-headers-4.9.43-17.38.amzn1.x86_64
    perf-4.9.43-17.38.amzn1.x86_64
    kernel-4.9.43-17.38.amzn1.x86_64
    kernel-debuginfo-4.9.43-17.38.amzn1.x86_64
    kernel-tools-debuginfo-4.9.43-17.38.amzn1.x86_64
    kernel-debuginfo-common-x86_64-4.9.43-17.38.amzn1.x86_64
    kernel-tools-4.9.43-17.38.amzn1.x86_64
    perf-debuginfo-4.9.43-17.38.amzn1.x86_64
    kernel-devel-4.9.43-17.38.amzn1.x86_64
    kernel-tools-devel-4.9.43-17.38.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2017-870.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

3) Denial of service

EUVDB-ID: #VU10722

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-7542

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a local attacker to cause DoS condition on the target system.

The weakness exists in the ip6_find_1stfragopt function in net/ipv6/output_core.c due to leveraging the ability to open a raw socket. A local attacker can trigger integer overflow and infinite loop and cause a denial of service.

Mitigation

Update the affected packages.

i686:
    perf-4.9.43-17.38.amzn1.i686
    kernel-tools-devel-4.9.43-17.38.amzn1.i686
    kernel-tools-4.9.43-17.38.amzn1.i686
    kernel-tools-debuginfo-4.9.43-17.38.amzn1.i686
    kernel-headers-4.9.43-17.38.amzn1.i686
    kernel-debuginfo-common-i686-4.9.43-17.38.amzn1.i686
    kernel-debuginfo-4.9.43-17.38.amzn1.i686
    kernel-devel-4.9.43-17.38.amzn1.i686
    perf-debuginfo-4.9.43-17.38.amzn1.i686
    kernel-4.9.43-17.38.amzn1.i686

noarch:
    kernel-doc-4.9.43-17.38.amzn1.noarch

src:
    kernel-4.9.43-17.38.amzn1.src

x86_64:
    kernel-headers-4.9.43-17.38.amzn1.x86_64
    perf-4.9.43-17.38.amzn1.x86_64
    kernel-4.9.43-17.38.amzn1.x86_64
    kernel-debuginfo-4.9.43-17.38.amzn1.x86_64
    kernel-tools-debuginfo-4.9.43-17.38.amzn1.x86_64
    kernel-debuginfo-common-x86_64-4.9.43-17.38.amzn1.x86_64
    kernel-tools-4.9.43-17.38.amzn1.x86_64
    perf-debuginfo-4.9.43-17.38.amzn1.x86_64
    kernel-devel-4.9.43-17.38.amzn1.x86_64
    kernel-tools-devel-4.9.43-17.38.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2017-870.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.