SB2017091523 - Multiple vulnerabilities in Linux Kernel
Published: September 15, 2017 Updated: May 23, 2018
Security Bulletin ID: SB2017091523
Severity: Low
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Adjacent network
Highest impact: Code execution
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2018-11232)
The vulnerability allows a local unauthenticated attacker to cause a DoS condition on the target system. The weakness exists in the etm_setup_aux function due to improper validation of parameters. A local attacker can send specially crafted requests and cause the service to crash.
2) Denial of service (CVE-ID: CVE-2017-18270)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists due to improper security restrictions during the creation of user keyrings. A local attacker can submit keyctl commands, create keyrings of other users on the system and cause the service to crash.
3) Resource exhaustion (CVE-ID: CVE-2017-7472)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists in the KEYS subsystem due to memory consumption. A local attacker can cause the service to crash via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.
4) Heap-based buffer overflow (CVE-ID: CVE-2017-0786)
The vulnerability allows an adjacent attacker to gain elevated privileges on the target system. The weakness exists due to heap memory corruption caused by buffer overruns. An adjacent attacker can gain root privileges.
Remediation
Install the update from the vendor's website.
References
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f09444639099584bc4784d...
- https://github.com/torvalds/linux/commit/237bbd29f7a049d310d907f4b2716a7feef9abf3
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c9f838d104fed6f2f61d681647...
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=17df6453d4be17910456e9...