ID

VAR-201611-0386

CVE

CVE-2016-5195

TITLE

Linux kernel memory subsystem copy on write mechanism contains a race condition vulnerability

DESCRIPTION

Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW.". Linux kernel is prone to a local privilege-escalation vulnerability. Local attackers may exploit this issue to gain elevated privileges. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: kernel-rt security update Advisory ID: RHSA-2016:2110-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2110.html Issue date: 2016-10-26 CVE Names: CVE-2016-5195 CVE-2016-7039 ===================================================================== 1. Summary: An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Realtime (v. 7) - noarch, x86_64 Red Hat Enterprise Linux for Real Time for NFV (v. 7) - noarch, x86_64 3. Description: The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important) * Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path; As an unlimited recursion could unfold in both VLAN and TEB modules, leading to a stack corruption in the kernel. (CVE-2016-7039, Important) Red Hat would like to thank Phil Oester for reporting CVE-2016-5195. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 The system must be rebooted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1375944 - CVE-2016-7039 kernel: remotely triggerable unbounded recursion in the vlan gro code leading to a kernel crash 1384344 - CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage 6. Package List: Red Hat Enterprise Linux for Real Time for NFV (v. 7): Source: kernel-rt-3.10.0-327.36.3.rt56.238.el7.src.rpm noarch: kernel-rt-doc-3.10.0-327.36.3.rt56.238.el7.noarch.rpm x86_64: kernel-rt-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-debug-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-debug-debuginfo-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-debug-devel-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-debug-kvm-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-debug-kvm-debuginfo-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-debuginfo-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-debuginfo-common-x86_64-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-devel-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-kvm-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-kvm-debuginfo-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-trace-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-trace-debuginfo-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-trace-devel-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-trace-kvm-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-trace-kvm-debuginfo-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm Red Hat Enterprise Linux Realtime (v. 7): Source: kernel-rt-3.10.0-327.36.3.rt56.238.el7.src.rpm noarch: kernel-rt-doc-3.10.0-327.36.3.rt56.238.el7.noarch.rpm x86_64: kernel-rt-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-debug-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-debug-debuginfo-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-debug-devel-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-debuginfo-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-debuginfo-common-x86_64-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-devel-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-trace-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-trace-debuginfo-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm kernel-rt-trace-devel-3.10.0-327.36.3.rt56.238.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-5195 https://access.redhat.com/security/cve/CVE-2016-7039 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/vulnerabilities/2706661 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFYEKKsXlSAg2UNWIIRAmI+AJkB5tkOU2r9pjWJ4cYCSD9mtyJFBwCgt+er yvfTfHwrbVXZfa/y1n2XeMs= =LaOt -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Stop ovc processes: ovc stop 3. Stop vertica db: su pv_vertica -c "/opt/vertica/bin/adminTools -t stop_db - -d pv -i -F" 4. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03722en_us SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: hpesbgn03722en_us Version: 1 HPESBGN03722 rev.1 - HPE Operations Agent, Local Escalation of Privilege NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2017-03-30 Last Updated: 2017-03-30 Potential Security Impact: Local: Escalation of Privilege Source: Hewlett Packard Enterprise, Product Security Response Team VULNERABILITY SUMMARY A security vulnerability in Linux kernel, also known as "Dirty COW", has been addressed in HPE Operations Agent. This vulnerability could be exploited locally to allow escalation of privilege. References: - CVE-2016-5195 - Linux kernel vulnerability, Dirty "COW" SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. - HPE Operations agent software - v11.11, v11.12, v11.13, v11.14 BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector CVE-2016-5195 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C) Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499 RESOLUTION HPE has made the following mitigation steps available to resolve the vulnerability in the impacted versions of HPE Operations Agent. Login to the Operations Agent system with root privileges 2. Update the system using 'yum update kernel' command 3. Reboot the server using '/sbin/shutdown -r now' command Please contact HPE Technical Support if any assistance is needed regarding the mitigation steps. HISTORY Version:1 (rev.1) - 30 March 2017 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com. Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX Copyright 2016 Hewlett Packard Enterprise Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. ========================================================================== Ubuntu Security Notice USN-3105-2 October 20, 2016 linux-lts-trusty vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.04 LTS Summary: The system could be made to run programs as an administrator. Software Description: - linux-lts-trusty: Linux hardware enablement kernel from Trusty for Precise Details: USN-3105-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.04 LTS: linux-image-3.13.0-100-generic 3.13.0-100.147~precise1 linux-image-3.13.0-100-generic-lpae 3.13.0-100.147~precise1 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-041 Product: DiCal-RED Manufacturer: Swissphone Wireless AG Affected Version(s): Unknown Tested Version(s): 4009 Vulnerability Type: Use of Unmaintained Third Party Components (CWE-1104) Risk Level: High Solution Status: Open Manufacturer Notification: 2024-04-16 Solution Date: None Public Disclosure: 2024-08-20 CVE Reference: CVE-2016-5195, CVE-2016-7406, CVE-2019-12815 and others Author of Advisory: Sebastian Hamann, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: DiCal-RED is a radio module for communication between emergency vehicles and control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity and runs a Linux- and BusyBox-based operating system. The manufacturer describes the product as follows (see [1]): "The DiCal-Red radio data module reliably guides you to your destination. This is ensured by the linking of navigation (also for the transmission of position data) and various radio modules." Due to the use of unmaintained third-party software components, the device is vulnerable to numerous known security issues. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The device's operating system is based on several well-known open-source products, such as the Linux kernel, the Dropbear SSH server and the ProFTPD FTP server. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): None ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer recommends not running the device in an untrusted network. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-02-29: Vulnerability discovered 2024-04-16: Vulnerability reported to manufacturer 2024-05-10: Manufacturer states that the vulnerability will not be fixed 2024-05-14: Vulnerability reported to CERT-Bund 2024-08-13: CERT-Bund informs us that the vendor declared the product EOL 2024-08-20: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for DiCal-RED https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/ [2] SySS Security Advisory SYSS-2024-041 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-041.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Sebastian Hamann of SySS GmbH. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website

AFFECTED PRODUCTS