Security Alert (A17-06-05): Multiple Vulnerabilities in Linux/Unix Operating Systems


 

Published on: 23 June 2017

  
  

Description:

Multiple vulnerabilities were found in the memory management of the affected operating systems. These vulnerabilities can lead to privilege escalation on these systems by corrupting memory and executing arbitrary code. A local attacker may leverage these vulnerabilities in the affected systems to gain root privileges.

 

Affected Systems:

  • Linux operating systems (on 32-bit and 64-bit) based on kernel 4.11.5 and earlier versions
  • OpenBSD, NetBSD, FreeBSD, and Solaris operating systems (on 32-bit and 64-bit)

 

Impact:

Successful exploitation could lead to elevation of privilege or compromise of a vulnerable system.

 

Recommendation:

The vulnerabilities were mitigated in some of the affected systems, such as CentOS, Debian, Oracle Linux, RedHat, SUSE and Ubuntu. System administrators should check with their product vendors to confirm if their Linux/Unix systems are affected and the availability of patches, and if so, apply the patches or follow the recommendations provided by the product vendors to mitigate the risk.

  • CentOS 6
    https://lists.centos.org/pipermail/centos-announce/2017-June/022461.html
    https://lists.centos.org/pipermail/centos-announce/2017-June/022462.html

  • CentOS 7
    https://lists.centos.org/pipermail/centos-announce/2017-June/022463.html
    https://lists.centos.org/pipermail/centos-announce/2017-June/022464.html

  • Debian
    https://security-tracker.debian.org/tracker/CVE-2017-1000364
    https://security-tracker.debian.org/tracker/CVE-2017-1000366

  • Oracle Linux
    https://linux.oracle.com/cve/CVE-2017-1000364.html
    https://linux.oracle.com/cve/CVE-2017-1000366.html

  • RedHat
    https://access.redhat.com/security/cve/CVE-2017-1000364
    https://access.redhat.com/security/cve/CVE-2017-1000366

  • SUSE
    https://www.suse.com/security/cve/CVE-2017-1000364
    https://www.suse.com/security/cve/CVE-2017-1000366

  • Ubuntu
    https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000364.html
    https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000366.html

 

More Information:

https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
https://www.cyberciti.biz/faq/howto-patch-linux-kernel-stack-clash-vulnerability-cve-2017-1000364/
http://cert.europa.eu/static/SecurityAdvisories/2017/CERT-EU-SA2017-013.pdf
https://access.redhat.com/security/vulnerabilities/stackguard
https://bugs.centos.org/view.php?id=13453
https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/008_exec_subr.patch.sig
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366 



Tag: Linux , Unix , OpenBSD , NetBSD , FreeBSD , Solaris
Tags