Important kernel security update: CVE-2017-7542 and other; new kernel 2.6.32-042stab124.2, Virtuozzo 6.0 Update 12 Hotfix 14 (6.0.12-3683)

Issue date: 2017-09-04

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-076

1. Overview

This update provides a new kernel 2.6.32-042stab124.2 for Virtuozzo 6.0 and is a rebase to the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.10.1.el6. It inherits fixes from the original RHEL kernel and provides internal security and stability fixes.

2. Security Fixes

  • [Important] An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542)

  • [Important] Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing. (CVE-2017-10661)

  • [Important] A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111)

  • [Important] Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. (CVE-2017-1000112)

  • [Moderate] Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-7541)

  • [Moderate] The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use after free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176)

  • [Moderate] The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path. (CVE-2017-14106)

3. Bug Fixes

  • Stopping a container with NFS server inside could crash the host with BUG at kernel/bc/dcache.c:370. (PSBM-34802, PSBM-43499, PSBM-68560, OVZ-5610)

  • Under certain circumstances container could crash the host after the skb_under_panic error message. (OVZ-6908)

  • cpt: support for inotify watches on Unix sockets. (OVZ-6918)

  • Ploop improvements ()

4. Installing the Update

Install the update by running ‘yum update’.