http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=36e4ad0316c017d5b271378ed9a1c9a4b77fab5f

[debian-lts-announce] 20190925 [SECURITY] [DLA 1930-1] linux security update

https://support.f5.com/csp/article/K31332013

https://support.f5.com/csp/article/K31332013?utm_source=f5support&amp;utm_medium=RSS

USN-4145-1

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2020-0044 for details.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5879 advisory.

  - An issue was discovered in fs/gfs2/rgrp.c in the Linux kernel before 4.8. A use-after-free is caused by     the functions gfs2_clear_rgrpd and read_rindex_entry. (CVE-2016-10905)

  - The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel before 4.10.4 allows     local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer     underflow. (CVE-2017-8924)

  - The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel before 4.10.4 allows local     users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling.
    (CVE-2017-8925)

  - Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow     attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout()     failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the     htc_connect_service() function, aka CID-853acf7caf10. (CVE-2019-19073)

  - In the Linux kernel through 5.4.6, there is a NULL pointer dereference in     drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related     to a PHY down race condition, aka CID-f70267f379b5. (CVE-2019-19965)

  - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in     fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. (CVE-2019-20054)

  - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file     system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash     the system if the directory exists. The highest threat from this vulnerability is to system availability.
    (CVE-2020-14314)

  - A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified     other impact, aka CID-17743798d812. (CVE-2020-25285)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5866 advisory.

  - An issue was discovered in fs/gfs2/rgrp.c in the Linux kernel before 4.8. A use-after-free is caused by     the functions gfs2_clear_rgrpd and read_rindex_entry. (CVE-2016-10905)

  - An issue was discovered in drivers/net/ethernet/arc/emac_main.c in the Linux kernel before 4.5. A use-     after-free is caused by a race condition between the functions arc_emac_tx and arc_emac_tx_clean.
    (CVE-2016-10906)

  - The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel before 4.10.4 allows     local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer     underflow. (CVE-2017-8924)

  - The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel before 4.10.4 allows local     users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling.
    (CVE-2017-8925)

  - sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local users to cause a denial of service     (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a     crafted USB device. (CVE-2017-16528)

  - In driver_override_store and driver_override_show of bus.c, there is a possible double free due to     improper locking. This could lead to local escalation of privilege with System execution privileges     needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android     ID: A-69129004 References: Upstream kernel. (CVE-2018-9415)

  - A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network     namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-     free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system     panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2018-16884)

  - An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an
    __blk_drain_queue() use-after-free because a certain error case is mishandled. (CVE-2018-20856)

  - A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the     mwifiex kernel module while connecting to a malicious wireless network. (CVE-2019-3846)

  - The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An     attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are     believed to be vulnerable. (CVE-2019-3874)

  - An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An     attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations     before the required authentication process has completed. This could lead to different denial-of-service     scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already     existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge     Authentication and Association Request packets to trigger this vulnerability. (CVE-2019-5108)

  - In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference     counting because of a race condition, leading to a use-after-free. (CVE-2019-6974)

  - The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free. (CVE-2019-7221)

  - The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak. (CVE-2019-7222)

  - The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-     free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could     use this flaw to obtain sensitive information, cause a denial of service, or possibly have other     unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.
    (CVE-2019-14898)

  - An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a     malicious USB device in the drivers/media/usb/siano/smsusb.c driver. (CVE-2019-15218)

  - drivers/media/usb/dvb-usb/technisat-usb2.c in the Linux kernel through 5.2.9 has an out-of-bounds read via     crafted USB device traffic (which may be remote via usbip or usbredir). (CVE-2019-15505)

  - An issue was discovered in the Linux kernel before 4.20.2. An out-of-bounds access exists in the function     build_audio_procunit in the file sound/usb/mixer.c. (CVE-2019-15927)

  - An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check     the length of variable elements in a beacon head, leading to a buffer overflow. (CVE-2019-16746)

  - An issue was discovered in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has security relevance. (CVE-2019-17075)

  - fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer     dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka     CID-09ba3bc9dd15. (CVE-2019-18885)

  - A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel before     5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb()     failures, aka CID-fb5be6a7b486. (CVE-2019-19052)

  - Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow     attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout()     failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the     htc_connect_service() function, aka CID-853acf7caf10. (CVE-2019-19073)

  - In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in     kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-     buffer). (CVE-2019-19768)

  - In the Linux kernel through 5.4.6, there is a NULL pointer dereference in     drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related     to a PHY down race condition, aka CID-f70267f379b5. (CVE-2019-19965)

  - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in     fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. (CVE-2019-20054)

  - In the Linux kernel before 5.1, there is a memory leak in __feat_register_sp() in net/dccp/feat.c, which     may cause denial of service, aka CID-1d3ff0950e2b. (CVE-2019-20096)

  - An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in     net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain     failure case involving TPACKET_V3, aka CID-b43d1f9f7067. (CVE-2019-20812)

  - A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN     and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't     correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would     allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this     vulnerability is to data confidentiality. (CVE-2020-1749)

  - A flaw was found in the Linux kernel's implementation of GRO in versions before 5.2. This flaw allows an     attacker with local access to crash the system. (CVE-2020-10720)

  - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it     incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly     only validate the first netlink message in the skb and allow or deny the rest of the messages within the     skb with the granted permission without further processing. (CVE-2020-10751)

  - A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in     crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4     bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat,     leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of     service. (CVE-2020-10769)

  - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file     system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash     the system if the directory exists. The highest threat from this vulnerability is to system availability.
    (CVE-2020-14314)

  - A flaw was found in the Linux kernels implementation of the invert video code on VGA consoles when a     local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds     write to occur. This flaw allows a local user with access to the VGA console to crash the system,     potentially escalating their privileges on the system. The highest threat from this vulnerability is to     data confidentiality and integrity as well as system availability. (CVE-2020-14331)

  - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers     to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)

  - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap     rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)

  - A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified     other impact, aka CID-17743798d812. (CVE-2020-25285)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected by multiple vulnerabilities:

  - The bnep_sock_ioctl function in     net/bluetooth/bnep/sock.c in the Linux kernel before     2.6.39 does not ensure that a certain device field ends     with a '\0' character, which allows local users to     obtain potentially sensitive information from kernel     stack memory, or cause a denial of service (BUG and     system crash), via a BNEPCONNADD command.
    (CVE-2011-1079)

  - An issue was discovered in fs/gfs2/rgrp.c in the Linux     kernel before 4.8. A use-after-free is caused by the     functions gfs2_clear_rgrpd and read_rindex_entry.
    (CVE-2016-10905)

  - An issue was discovered in     drivers/scsi/aacraid/commctrl.c in the Linux kernel     before 4.13. There is potential exposure of kernel stack     memory because aac_get_hba_info does not initialize the     hbainfo structure. (CVE-2017-18550)

  - An issue was discovered in the Linux kernel before     4.14.11. A double free may be caused by the function     allocate_trace_buffer in the file kernel/trace/trace.c.
    (CVE-2017-18595)

  - Improper invalidation for page table updates by a     virtual guest operating system for multiple Intel(R)     Processors may allow an authenticated user to     potentially enable denial of service of the host system     via local access. (CVE-2018-12207)

  - An issue was discovered in the Linux kernel before 4.20.
    There is a race condition in smp_task_timedout() and     smp_task_done() in drivers/scsi/libsas/sas_expander.c,     leading to a use-after-free. (CVE-2018-20836)

  - An issue was discovered in the Linux kernel before     4.18.7. In create_qp_common in     drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp     was never initialized, resulting in a leak of stack     memory to userspace. (CVE-2018-20855)

  - An issue was discovered in fs/xfs/xfs_super.c in the     Linux kernel before 4.18. A use after free exists,     related to xfs_fs_fill_super failure. (CVE-2018-20976)

  - In the tun subsystem in the Linux kernel before 4.13.14,     dev_get_valid_name is not called before     register_netdevice. This allows local users to cause a     denial of service (NULL pointer dereference and panic)     via an ioctl(TUNSETIFF) call with a dev name containing     a / character. This is similar to CVE-2013-4343.
    (CVE-2018-7191)

  - Insufficient access control in subsystem for Intel (R)     processor graphics in 6th, 7th, 8th and 9th Generation     Intel(R) Core(TM) Processor Families; Intel(R)     Pentium(R) Processor J, N, Silver and Gold Series;
    Intel(R) Celeron(R) Processor J, N, G3900 and G4900     Series; Intel(R) Atom(R) Processor A and E3900 Series;
    Intel(R) Xeon(R) Processor E3-1500 v5 and v6 and E-2100     Processor Families may allow an authenticated user to     potentially enable denial of service via local access.
    (CVE-2019-0154)

  - Insufficient access control in a subsystem for Intel (R)     processor graphics in 6th, 7th, 8th and 9th Generation     Intel(R) Core(TM) Processor Families; Intel(R)     Pentium(R) Processor J, N, Silver and Gold Series;
    Intel(R) Celeron(R) Processor J, N, G3900 and G4900     Series; Intel(R) Atom(R) Processor A and E3900 Series;
    Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and     E-2200 Processor Families; Intel(R) Graphics Driver for     Windows before 26.20.100.6813 (DCH) or 26.20.100.6812     and before 21.20.x.5077 (aka15.45.5077), i915 Linux     Driver for Intel(R) Processor Graphics before versions     5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201 may     allow an authenticated user to potentially enable     escalation of privilege via local access.
    (CVE-2019-0155)

  - TSX Asynchronous Abort condition on some CPUs utilizing     speculative execution may allow an authenticated user to     potentially enable information disclosure via a side     channel with local access. (CVE-2019-11135)

  - The Linux kernel before 5.1-rc5 allows page->_refcount     reference count overflow, with resultant use-after-free     issues, if about 140 GiB of RAM exists. This is related     to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h,     kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - The do_hidp_sock_ioctl function in     net/bluetooth/hidp/sock.c in the Linux kernel before     5.0.15 allows a local user to obtain potentially     sensitive information from kernel stack memory via a     HIDPCONNADD command, because a name field may not end     with a '\0' character. (CVE-2019-11884)

  - ** DISPUTED ** An issue was discovered in     drm_load_edid_firmware in     drivers/gpu/drm/drm_edid_load.c in the Linux kernel     through 5.1.5. There is an unchecked kstrdup of fwstr,     which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash).
    NOTE: The vendor disputes this issues as not being a     vulnerability because kstrdup() returning NULL is     handled sufficiently and there is no chance for a NULL     pointer dereference. (CVE-2019-12382)

  - An issue was discovered in the Linux kernel before     5.2.3. There is a use-after-free caused by a malicious     USB device in the drivers/media/usb/dvb-usb/dvb-usb-     init.c driver. (CVE-2019-15213)

  - An issue was discovered in xfs_setattr_nonsize in     fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS     partially wedges when a chgrp fails on account of being     out of disk quota. xfs_setattr_nonsize is failing to     unlock the ILOCK after the xfs_qm_vop_chown_reserve call     fails. This is primarily a local DoS attack vector, but     it might result as well in remote DoS if the XFS     filesystem is exported for instance via NFS.
    (CVE-2019-15538)

  - In the Linux kernel before 5.1.13, there is a memory     leak in drivers/scsi/libsas/sas_expander.c when SAS     expander discovery fails. This will cause a BUG and     denial of service. (CVE-2019-15807)

  - An issue was discovered in the Linux kernel before     5.0.1. There is a memory leak in     register_queue_kobjects() in net/core/net-sysfs.c, which     will cause denial of service. (CVE-2019-15916)

  - An issue was discovered in the Linux kernel before     5.0.4. The 9p filesystem did not protect i_size_write()     properly, which causes an i_size_read() infinite loop     and denial of service on SMP systems. (CVE-2019-16413)

  - An issue was discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance. (CVE-2019-17075)

  - The SCTP socket buffer used by a userspace application     is not accounted by the cgroups subsystem. An attacker     can use this flaw to cause a denial of service attack.
    Kernel 3.10.x and 4.18.x branches are believed to be     vulnerable. (CVE-2019-3874)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities:

  - The bnep_sock_ioctl function in     net/bluetooth/bnep/sock.c in the Linux kernel before     2.6.39 does not ensure that a certain device field ends     with a '\0' character, which allows local users to     obtain potentially sensitive information from kernel     stack memory, or cause a denial of service (BUG and     system crash), via a BNEPCONNADD command.
    (CVE-2011-1079)

  - An issue was discovered in fs/gfs2/rgrp.c in the Linux     kernel before 4.8. A use-after-free is caused by the     functions gfs2_clear_rgrpd and read_rindex_entry.
    (CVE-2016-10905)

  - An issue was discovered in     drivers/scsi/aacraid/commctrl.c in the Linux kernel     before 4.13. There is potential exposure of kernel stack     memory because aac_get_hba_info does not initialize the     hbainfo structure. (CVE-2017-18550)

  - An issue was discovered in the Linux kernel before     4.14.11. A double free may be caused by the function     allocate_trace_buffer in the file kernel/trace/trace.c.
    (CVE-2017-18595)

  - Improper invalidation for page table updates by a     virtual guest operating system for multiple Intel(R)     Processors may allow an authenticated user to     potentially enable denial of service of the host system     via local access. (CVE-2018-12207)

  - An issue was discovered in the Linux kernel before 4.20.
    There is a race condition in smp_task_timedout() and     smp_task_done() in drivers/scsi/libsas/sas_expander.c,     leading to a use-after-free. (CVE-2018-20836)

  - An issue was discovered in the Linux kernel before     4.18.7. In create_qp_common in     drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp     was never initialized, resulting in a leak of stack     memory to userspace. (CVE-2018-20855)

  - An issue was discovered in fs/xfs/xfs_super.c in the     Linux kernel before 4.18. A use after free exists,     related to xfs_fs_fill_super failure. (CVE-2018-20976)

  - In the tun subsystem in the Linux kernel before 4.13.14,     dev_get_valid_name is not called before     register_netdevice. This allows local users to cause a     denial of service (NULL pointer dereference and panic)     via an ioctl(TUNSETIFF) call with a dev name containing     a / character. This is similar to CVE-2013-4343.
    (CVE-2018-7191)

  - Insufficient access control in subsystem for Intel (R)     processor graphics in 6th, 7th, 8th and 9th Generation     Intel(R) Core(TM) Processor Families; Intel(R)     Pentium(R) Processor J, N, Silver and Gold Series;
    Intel(R) Celeron(R) Processor J, N, G3900 and G4900     Series; Intel(R) Atom(R) Processor A and E3900 Series;
    Intel(R) Xeon(R) Processor E3-1500 v5 and v6 and E-2100     Processor Families may allow an authenticated user to     potentially enable denial of service via local access.
    (CVE-2019-0154)

  - Insufficient access control in a subsystem for Intel (R)     processor graphics in 6th, 7th, 8th and 9th Generation     Intel(R) Core(TM) Processor Families; Intel(R)     Pentium(R) Processor J, N, Silver and Gold Series;
    Intel(R) Celeron(R) Processor J, N, G3900 and G4900     Series; Intel(R) Atom(R) Processor A and E3900 Series;
    Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and     E-2200 Processor Families; Intel(R) Graphics Driver for     Windows before 26.20.100.6813 (DCH) or 26.20.100.6812     and before 21.20.x.5077 (aka15.45.5077), i915 Linux     Driver for Intel(R) Processor Graphics before versions     5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201 may     allow an authenticated user to potentially enable     escalation of privilege via local access.
    (CVE-2019-0155)

  - TSX Asynchronous Abort condition on some CPUs utilizing     speculative execution may allow an authenticated user to     potentially enable information disclosure via a side     channel with local access. (CVE-2019-11135)

  - The Linux kernel before 5.1-rc5 allows page->_refcount     reference count overflow, with resultant use-after-free     issues, if about 140 GiB of RAM exists. This is related     to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h,     kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - The do_hidp_sock_ioctl function in     net/bluetooth/hidp/sock.c in the Linux kernel before     5.0.15 allows a local user to obtain potentially     sensitive information from kernel stack memory via a     HIDPCONNADD command, because a name field may not end     with a '\0' character. (CVE-2019-11884)

  - ** DISPUTED ** An issue was discovered in     drm_load_edid_firmware in     drivers/gpu/drm/drm_edid_load.c in the Linux kernel     through 5.1.5. There is an unchecked kstrdup of fwstr,     which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash).
    NOTE: The vendor disputes this issues as not being a     vulnerability because kstrdup() returning NULL is     handled sufficiently and there is no chance for a NULL     pointer dereference. (CVE-2019-12382)

  - An issue was discovered in the Linux kernel before     5.2.3. There is a use-after-free caused by a malicious     USB device in the drivers/media/usb/dvb-usb/dvb-usb-     init.c driver. (CVE-2019-15213)

  - An issue was discovered in xfs_setattr_nonsize in     fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS     partially wedges when a chgrp fails on account of being     out of disk quota. xfs_setattr_nonsize is failing to     unlock the ILOCK after the xfs_qm_vop_chown_reserve call     fails. This is primarily a local DoS attack vector, but     it might result as well in remote DoS if the XFS     filesystem is exported for instance via NFS.
    (CVE-2019-15538)

  - In the Linux kernel before 5.1.13, there is a memory     leak in drivers/scsi/libsas/sas_expander.c when SAS     expander discovery fails. This will cause a BUG and     denial of service. (CVE-2019-15807)

  - An issue was discovered in the Linux kernel before     5.0.1. There is a memory leak in     register_queue_kobjects() in net/core/net-sysfs.c, which     will cause denial of service. (CVE-2019-15916)

  - An issue was discovered in the Linux kernel before     5.0.4. The 9p filesystem did not protect i_size_write()     properly, which causes an i_size_read() infinite loop     and denial of service on SMP systems. (CVE-2019-16413)

  - An issue was discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance. (CVE-2019-17075)

  - The SCTP socket buffer used by a userspace application     is not accounted by the cgroups subsystem. An attacker     can use this flaw to cause a denial of service attack.
    Kernel 3.10.x and 4.18.x branches are believed to be     vulnerable. (CVE-2019-3874)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

New kernel packages are available for Slackware 14.2 to fix security issues.

It was discovered that a race condition existed in the GFS2 file system in the Linux kernel. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2016-10905)

It was discovered that the IPv6 implementation in the Linux kernel did not properly validate socket options in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18509)

It was discovered that the USB gadget Midi driver in the Linux kernel contained a double-free vulnerability when handling certain error conditions. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-20961)

It was discovered that the XFS file system in the Linux kernel did not properly handle mount failures in some situations. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2018-20976)

It was discovered that the Intel Wi-Fi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (Wi-Fi disconnect). (CVE-2019-0136)

It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207)

It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issues. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11487)

It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2019-13631)

It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.
(CVE-2019-15211)

It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215)

It was discovered that the Atheros mobile chipset driver in the Linux kernel did not properly validate data in some situations. An attacker could use this to cause a denial of service (system crash).
(CVE-2019-15926).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2016-10905

A race condition was discovered in the GFS2 file-system implementation, which could lead to a use-after-free. On a system using GFS2, a local attacker could use this for denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2018-20976

It was discovered that the XFS file-system implementation did not correctly handle some mount failure conditions, which could lead to a use-after-free. The security impact of this is unclear.

CVE-2018-21008

It was discovered that the rsi wifi driver did not correctly handle some failure conditions, which could lead to a use-after- free. The security impact of this is unclear.

CVE-2019-0136

It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages.
A nearby attacker could use this for denial of service (loss of wifi connectivity).

CVE-2019-9506

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered a weakness in the Bluetooth pairing protocols, dubbed the 'KNOB attack'. An attacker that is nearby during pairing could use this to weaken the encryption used between the paired devices, and then to eavesdrop on and/or spoof communication between them.

This update mitigates the attack by requiring a minimum encryption key length of 56 bits.

CVE-2019-14814, CVE-2019-14815, CVE-2019-14816

Multiple bugs were discovered in the mwifiex wifi driver, which could lead to heap buffer overflows. A local user permitted to configure a device handled by this driver could probably use this for privilege escalation.

CVE-2019-14821

Matt Delco reported a race condition in KVM's coalesced MMIO facility, which could lead to out-of-bounds access in the kernel. A local attacker permitted to access /dev/kvm could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-14835

Peter Pi of Tencent Blade Team discovered a missing bounds check in vhost_net, the network back-end driver for KVM hosts, leading to a buffer overflow when the host begins live migration of a VM. An attacker in control of a VM could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation on the host.

CVE-2019-15117

Hui Peng and Mathias Payer reported a missing bounds check in the usb-audio driver's descriptor parsing code, leading to a buffer over-read. An attacker able to add USB devices could possibly use this to cause a denial of service (crash).

CVE-2019-15118

Hui Peng and Mathias Payer reported unbounded recursion in the usb-audio driver's descriptor parsing code, leading to a stack overflow. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15211

The syzkaller tool found a bug in the radio-raremono driver that could lead to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15212

The syzkaller tool found that the rio500 driver does not work correctly if more than one device is bound to it. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15215

The syzkaller tool found a bug in the cpia2_usb driver that leads to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15218

The syzkaller tool found that the smsusb driver did not validate that USB devices have the expected endpoints, potentially leading to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15219

The syzkaller tool found that a device initialisation error in the sisusbvga driver could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15220

The syzkaller tool found a race condition in the p54usb driver which could lead to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15221

The syzkaller tool found that the line6 driver did not validate USB devices' maximum packet sizes, which could lead to a heap buffer overrun. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15292

The Hulk Robot tool found missing error checks in the Appletalk protocol implementation, which could lead to a use-after-free. The security impact of this is unclear.

CVE-2019-15807

Jian Luo reported that the Serial Attached SCSI library (libsas) did not correctly handle failure to discover devices beyond a SAS expander. This could lead to a resource leak and crash (BUG). The security impact of this is unclear.

CVE-2019-15917

The syzkaller tool found a race condition in code supporting UART-attached Bluetooth adapters, which could lead to a use- after-free. A local user with access to a pty device or other suitable tty device could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15926

It was found that the ath6kl wifi driver did not consistently validate traffic class numbers in received control packets, leading to out-of-bounds memory accesses. A nearby attacker on the same wifi network could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 3.16.74-1.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the linux package has been released.

ID	Name	Product	Family	Severity
141374	OracleVM 3.4 : Unbreakable / etc (OVMSA-2020-0044)	Nessus	OracleVM Local Security Checks	critical
141367	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5879)	Nessus	Oracle Linux Local Security Checks	medium
141207	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5866)	Nessus	Oracle Linux Local Security Checks	critical
132499	NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0266)	Nessus	NewStart CGSL Local Security Checks	high
132490	NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0264)	Nessus	NewStart CGSL Local Security Checks	high
130751	Slackware 14.2 : Slackware 14.2 kernel (SSA:2019-311-01)	Nessus	Slackware Local Security Checks	critical
129491	Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-4145-1)	Nessus	Ubuntu Local Security Checks	critical
129361	Debian DLA-1930-1 : linux security update	Nessus	Debian Local Security Checks	critical
129293	Photon OS 1.0: Linux PHSA-2019-1.0-0251	Nessus	PhotonOS Local Security Checks	medium

CVE-2016-10905

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

critical

medium

critical

high

high

critical

critical

critical

medium