Kernel security update: Virtuozzo ReadyKernel patch 49.1 for Virtuozzo 7.0.4 and 7.0.4 HF3¶

1. Overview¶

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo 7.0 kernels 3.10.0-514.16.1.vz7.30.10 (7.0.4) and 3.10.0-514.16.1.vz7.30.15 (7.0.4 HF3).

2. Security Fixes¶

• [Moderate] It was discovered that nfnl_cthelper_list structure was accessible to any user with CAP_NET_ADMIN capability in a network namespace. An unprivileged local user could exploit that to affect netfilter conntrack helpers on the host. (CVE-2017-17448)

• [Moderate] It was discovered that a nlmon link inside a child network namespace was not restricted to that namespace. An unprivileged local user could exploit that to monitor system-wide netlink activity. (CVE-2017-17449)

• [Low] It was discovered that xt_osf_fingers data structure was accessible from any network namespace. This allowed unprivileged local users to bypass intended access restrictions and modify the system-wide OS fingerprint list used by specific iptables rules. (CVE-2017-17450)

• [Moderate] The KEYS subsystem omitted an access-control check when writing a key to the default keyring of the current task, allowing a local user to bypass security checks for the keyring. This compromised the validity of the keyring for those who relied on it. (CVE-2017-17807)

• [Moderate] If ‘dccp_ipv6’ module was loaded on the host, a local unprivileged user could trigger a kernel crash in dccp_write_xmit() or inet_csk_get_port() using a specially crafted sequence of system calls. (PSBM-83692)

3. Bug Fixes¶

• If the kernel failed to create an IPv6 socket, for example, due to cgroup.memsw limit, it would crash in ip6mr_sk_done() when trying to clean up multicast routes. (PSBM-83474)

• It was discovered that clone_mnt() did not clear MNT_INTERNAL flag for the internal mounts. As a result, the kernel could crash due to a stack overflow if lots of bind mounts of /proc//ns/ were created in a new namespace. (PSBM-83874)

4. Installing the Update¶

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

5. References¶

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-49.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-49.1-1.vl7/

• https://access.redhat.com/security/cve/cve-2017-17448

• https://access.redhat.com/security/cve/cve-2017-17449

• https://access.redhat.com/security/cve/cve-2017-17450

• https://access.redhat.com/security/cve/cve-2017-17807

• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f93df79aeefc3add4e4b31a752600f834236e2

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-026.json.