Kernel security update: CVE-2018-1130 and others; Virtuozzo ReadyKernel patch 52.0 for Virtuozzo 7.0.7 HF3
Issue date: 2018-06-01
Applies to: Virtuozzo 7.0
Virtuozzo Advisory ID: VZA-2018-038
1. Overview
The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the Virtuozzo 7.0 kernel 3.10.0-693.21.1.vz7.48.2 (7.0.7 HF3).
2. Security Fixes
[Moderate] The Linux kernel before version 4.16-rc7 is vulnerable to a NULL pointer dereference in the dccp_write_xmit() function in net/dccp/output.c. A local user could trigger it with a sequence of crafted system calls to cause a denial of service. (CVE-2018-1130)
[Moderate] It was found that the _sctp_make_chunk() function did not check whether the chunk length for INIT and INIT_ACK packets was within the allowed limits. A local attacker could exploit this to trigger a kernel crash. (CVE-2018-5803)
[Moderate] It was discovered that the nfnl_cthelper_list structure was accessible to any user holding the CAP_NET_ADMIN capability in a network namespace. An unprivileged local user could exploit this to affect netfilter conntrack helpers on the host. (CVE-2017-17448)
[Moderate] It was discovered that a nlmon link inside a child network namespace was not restricted to that namespace. An unprivileged local user could exploit that to monitor system-wide netlink activity. (CVE-2017-17449)
[Moderate] The KEYS subsystem in the Linux kernel omitted an access-control check when writing a key to the current task’s default keyring, allowing a local user to bypass security checks to the keyring. This compromises the validity of the keyring for those who rely on it. (CVE-2017-17807)
[Low] net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations. This allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all network namespaces. (CVE-2017-17450)
3. Bug Fixes
Potential kernel crash in tcache_detach_page(). (PSBM-81731)
If the kernel failed to create an IPv6 socket, for example because the cgroup memory+swap (memsw) limit was exceeded, it would crash in ip6mr_sk_done() when trying to clean up multicast routes. (PSBM-83474)
It was found that offlined memory cgroups were not destroyed for a long time in some cases. As a result, the system could hit the limit on cgroups (65535) and would be unable to create new ones. (PSBM-83628)
Kernel crash in shrink_slab() when trying to mount an image with a broken ext4 file system. (PSBM-83691)
It was discovered that the BUG_ON() check in move_freepages() did not verify that the relevant memory pages were valid. The kernel could crash as a result. (PSBM-83746)
It was discovered that clone_mnt() did not clear the MNT_INTERNAL flag for internal mounts. As a result, the kernel could crash due to a stack overflow if many bind mounts of /proc//ns/ were created in a new namespace. (PSBM-83874)
4. Installing the Update
Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.
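ReadyKernel patches are built for one specific kernel build, so it is worth confirming that the running kernel is the 3.10.0-693.21.1.vz7.48.2 named in this advisory before applying it. The following pre-flight script is an added example, not Virtuozzo's own tooling; the only Virtuozzo command it runs is 'readykernel update' from the step above. The function names, the RUN_PREFLIGHT variable, and the sample release strings are assumptions made for illustration.

```shell
#!/bin/sh
# Pre-flight check before applying ReadyKernel patch 52.0 (VZA-2018-038).
# Added example; not part of Virtuozzo's tooling.
set -u

# Kernel this advisory names as the one the patch applies to.
TARGET_KERNEL="3.10.0-693.21.1.vz7.48.2"

# kernel_matches <release-string>
# Returns 0 only when the given 'uname -r' value is exactly the target kernel.
# ReadyKernel patches are per kernel build, so anything else (an older vz7
# build, a non-Virtuozzo kernel) is rejected rather than guessed at.
kernel_matches() {
    [ "$1" = "$TARGET_KERNEL" ]
}

# vz_build <release-string>
# Prints the vz7 build number (e.g. 48.2) from a Virtuozzo 7 kernel release
# string, or nothing if the string is not a vz7 kernel. Used only to make the
# failure message more helpful.
vz_build() {
    printf '%s\n' "$1" | sed -n 's/^.*\.vz7\.\([0-9][0-9.]*\)$/\1/p'
}

# apply_patch
# Checks the running kernel and privileges, then runs 'readykernel update',
# which downloads, installs, and applies the cumulative patch for the running
# kernel as described in step 4 of the advisory.
apply_patch() {
    running=$(uname -r)
    if ! kernel_matches "$running"; then
        echo "Running kernel $running is not $TARGET_KERNEL (vz7 build: '$(vz_build "$running")')." >&2
        echo "This ReadyKernel patch does not apply to it; use the advisory for your kernel." >&2
        return 1
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "readykernel update must be run as root." >&2
        return 1
    fi
    readykernel update
}

# The update itself runs only when explicitly requested, so the file can be
# sourced to reuse the check functions without side effects. (RUN_PREFLIGHT is
# an assumed name for this example.)
if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then
    apply_patch
fi
```

On a host that is on the right kernel, run it as root with `RUN_PREFLIGHT=1 sh readykernel-preflight.sh`; on any other kernel it refuses and reports the vz7 build it found, which points you to the advisory that does match.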
5. References
The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-038.json.