Important kernel security update: CVE-2017-1000253; Virtuozzo ReadyKernel patch 32.1 for Virtuozzo 7.0.x

Issue date: 2017-09-28

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-086

1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3), 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3), and 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).

2. Security Fixes

  • [Important] A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application’s data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253)

  • [Important] A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-1000251)

  • [Important] The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the ‘CR8-load exiting’ and ‘CR8-store exiting’ L0 vmcs02 controls exist in cases where L1 omits the ‘use TPR shadow’ vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the hardware CR8 register. (CVE-2017-12154)

3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.