http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=36e4ad0316c017d5b271378ed9a1c9a4b77fab5f

[debian-lts-announce] 20190925 [SECURITY] [DLA 1930-1] linux security update

https://support.f5.com/csp/article/K31332013

https://support.f5.com/csp/article/K31332013?utm_source=f5support&amp;utm_medium=RSS

USN-4145-1

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected by multiple vulnerabilities:

  - The bnep_sock_ioctl function in     net/bluetooth/bnep/sock.c in the Linux kernel before     2.6.39 does not ensure that a certain device field ends     with a '\0' character, which allows local users to     obtain potentially sensitive information from kernel     stack memory, or cause a denial of service (BUG and     system crash), via a BNEPCONNADD command.
    (CVE-2011-1079)

  - An issue was discovered in fs/gfs2/rgrp.c in the Linux     kernel before 4.8. A use-after-free is caused by the     functions gfs2_clear_rgrpd and read_rindex_entry.
    (CVE-2016-10905)

  - An issue was discovered in     drivers/scsi/aacraid/commctrl.c in the Linux kernel     before 4.13. There is potential exposure of kernel stack     memory because aac_get_hba_info does not initialize the     hbainfo structure. (CVE-2017-18550)

  - An issue was discovered in the Linux kernel before     4.14.11. A double free may be caused by the function     allocate_trace_buffer in the file kernel/trace/trace.c.
    (CVE-2017-18595)

  - Improper invalidation for page table updates by a     virtual guest operating system for multiple Intel(R)     Processors may allow an authenticated user to     potentially enable denial of service of the host system     via local access. (CVE-2018-12207)

  - An issue was discovered in the Linux kernel before 4.20.
    There is a race condition in smp_task_timedout() and     smp_task_done() in drivers/scsi/libsas/sas_expander.c,     leading to a use-after-free. (CVE-2018-20836)

  - An issue was discovered in the Linux kernel before     4.18.7. In create_qp_common in     drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp     was never initialized, resulting in a leak of stack     memory to userspace. (CVE-2018-20855)

  - An issue was discovered in fs/xfs/xfs_super.c in the     Linux kernel before 4.18. A use after free exists,     related to xfs_fs_fill_super failure. (CVE-2018-20976)

  - In the tun subsystem in the Linux kernel before 4.13.14,     dev_get_valid_name is not called before     register_netdevice. This allows local users to cause a     denial of service (NULL pointer dereference and panic)     via an ioctl(TUNSETIFF) call with a dev name containing     a / character. This is similar to CVE-2013-4343.
    (CVE-2018-7191)

  - Insufficient access control in subsystem for Intel (R)     processor graphics in 6th, 7th, 8th and 9th Generation     Intel(R) Core(TM) Processor Families; Intel(R)     Pentium(R) Processor J, N, Silver and Gold Series;
    Intel(R) Celeron(R) Processor J, N, G3900 and G4900     Series; Intel(R) Atom(R) Processor A and E3900 Series;
    Intel(R) Xeon(R) Processor E3-1500 v5 and v6 and E-2100     Processor Families may allow an authenticated user to     potentially enable denial of service via local access.
    (CVE-2019-0154)

  - Insufficient access control in a subsystem for Intel (R)     processor graphics in 6th, 7th, 8th and 9th Generation     Intel(R) Core(TM) Processor Families; Intel(R)     Pentium(R) Processor J, N, Silver and Gold Series;
    Intel(R) Celeron(R) Processor J, N, G3900 and G4900     Series; Intel(R) Atom(R) Processor A and E3900 Series;
    Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and     E-2200 Processor Families; Intel(R) Graphics Driver for     Windows before 26.20.100.6813 (DCH) or 26.20.100.6812     and before 21.20.x.5077 (aka15.45.5077), i915 Linux     Driver for Intel(R) Processor Graphics before versions     5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201 may     allow an authenticated user to potentially enable     escalation of privilege via local access.
    (CVE-2019-0155)

  - TSX Asynchronous Abort condition on some CPUs utilizing     speculative execution may allow an authenticated user to     potentially enable information disclosure via a side     channel with local access. (CVE-2019-11135)

  - The Linux kernel before 5.1-rc5 allows page->_refcount     reference count overflow, with resultant use-after-free     issues, if about 140 GiB of RAM exists. This is related     to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h,     kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - The do_hidp_sock_ioctl function in     net/bluetooth/hidp/sock.c in the Linux kernel before     5.0.15 allows a local user to obtain potentially     sensitive information from kernel stack memory via a     HIDPCONNADD command, because a name field may not end     with a '\0' character. (CVE-2019-11884)

  - ** DISPUTED ** An issue was discovered in     drm_load_edid_firmware in     drivers/gpu/drm/drm_edid_load.c in the Linux kernel     through 5.1.5. There is an unchecked kstrdup of fwstr,     which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash).
    NOTE: The vendor disputes this issues as not being a     vulnerability because kstrdup() returning NULL is     handled sufficiently and there is no chance for a NULL     pointer dereference. (CVE-2019-12382)

  - An issue was discovered in the Linux kernel before     5.2.3. There is a use-after-free caused by a malicious     USB device in the drivers/media/usb/dvb-usb/dvb-usb-     init.c driver. (CVE-2019-15213)

  - An issue was discovered in xfs_setattr_nonsize in     fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS     partially wedges when a chgrp fails on account of being     out of disk quota. xfs_setattr_nonsize is failing to     unlock the ILOCK after the xfs_qm_vop_chown_reserve call     fails. This is primarily a local DoS attack vector, but     it might result as well in remote DoS if the XFS     filesystem is exported for instance via NFS.
    (CVE-2019-15538)

  - In the Linux kernel before 5.1.13, there is a memory     leak in drivers/scsi/libsas/sas_expander.c when SAS     expander discovery fails. This will cause a BUG and     denial of service. (CVE-2019-15807)

  - An issue was discovered in the Linux kernel before     5.0.1. There is a memory leak in     register_queue_kobjects() in net/core/net-sysfs.c, which     will cause denial of service. (CVE-2019-15916)

  - An issue was discovered in the Linux kernel before     5.0.4. The 9p filesystem did not protect i_size_write()     properly, which causes an i_size_read() infinite loop     and denial of service on SMP systems. (CVE-2019-16413)

  - An issue was discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance. (CVE-2019-17075)

  - The SCTP socket buffer used by a userspace application     is not accounted by the cgroups subsystem. An attacker     can use this flaw to cause a denial of service attack.
    Kernel 3.10.x and 4.18.x branches are believed to be     vulnerable. (CVE-2019-3874)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities:

  - The bnep_sock_ioctl function in     net/bluetooth/bnep/sock.c in the Linux kernel before     2.6.39 does not ensure that a certain device field ends     with a '\0' character, which allows local users to     obtain potentially sensitive information from kernel     stack memory, or cause a denial of service (BUG and     system crash), via a BNEPCONNADD command.
    (CVE-2011-1079)

  - An issue was discovered in fs/gfs2/rgrp.c in the Linux     kernel before 4.8. A use-after-free is caused by the     functions gfs2_clear_rgrpd and read_rindex_entry.
    (CVE-2016-10905)

  - An issue was discovered in     drivers/scsi/aacraid/commctrl.c in the Linux kernel     before 4.13. There is potential exposure of kernel stack     memory because aac_get_hba_info does not initialize the     hbainfo structure. (CVE-2017-18550)

  - An issue was discovered in the Linux kernel before     4.14.11. A double free may be caused by the function     allocate_trace_buffer in the file kernel/trace/trace.c.
    (CVE-2017-18595)

  - Improper invalidation for page table updates by a     virtual guest operating system for multiple Intel(R)     Processors may allow an authenticated user to     potentially enable denial of service of the host system     via local access. (CVE-2018-12207)

  - An issue was discovered in the Linux kernel before 4.20.
    There is a race condition in smp_task_timedout() and     smp_task_done() in drivers/scsi/libsas/sas_expander.c,     leading to a use-after-free. (CVE-2018-20836)

  - An issue was discovered in the Linux kernel before     4.18.7. In create_qp_common in     drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp     was never initialized, resulting in a leak of stack     memory to userspace. (CVE-2018-20855)

  - An issue was discovered in fs/xfs/xfs_super.c in the     Linux kernel before 4.18. A use after free exists,     related to xfs_fs_fill_super failure. (CVE-2018-20976)

  - In the tun subsystem in the Linux kernel before 4.13.14,     dev_get_valid_name is not called before     register_netdevice. This allows local users to cause a     denial of service (NULL pointer dereference and panic)     via an ioctl(TUNSETIFF) call with a dev name containing     a / character. This is similar to CVE-2013-4343.
    (CVE-2018-7191)

  - Insufficient access control in subsystem for Intel (R)     processor graphics in 6th, 7th, 8th and 9th Generation     Intel(R) Core(TM) Processor Families; Intel(R)     Pentium(R) Processor J, N, Silver and Gold Series;
    Intel(R) Celeron(R) Processor J, N, G3900 and G4900     Series; Intel(R) Atom(R) Processor A and E3900 Series;
    Intel(R) Xeon(R) Processor E3-1500 v5 and v6 and E-2100     Processor Families may allow an authenticated user to     potentially enable denial of service via local access.
    (CVE-2019-0154)

  - Insufficient access control in a subsystem for Intel (R)     processor graphics in 6th, 7th, 8th and 9th Generation     Intel(R) Core(TM) Processor Families; Intel(R)     Pentium(R) Processor J, N, Silver and Gold Series;
    Intel(R) Celeron(R) Processor J, N, G3900 and G4900     Series; Intel(R) Atom(R) Processor A and E3900 Series;
    Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and     E-2200 Processor Families; Intel(R) Graphics Driver for     Windows before 26.20.100.6813 (DCH) or 26.20.100.6812     and before 21.20.x.5077 (aka15.45.5077), i915 Linux     Driver for Intel(R) Processor Graphics before versions     5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201 may     allow an authenticated user to potentially enable     escalation of privilege via local access.
    (CVE-2019-0155)

  - TSX Asynchronous Abort condition on some CPUs utilizing     speculative execution may allow an authenticated user to     potentially enable information disclosure via a side     channel with local access. (CVE-2019-11135)

  - The Linux kernel before 5.1-rc5 allows page->_refcount     reference count overflow, with resultant use-after-free     issues, if about 140 GiB of RAM exists. This is related     to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h,     kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - The do_hidp_sock_ioctl function in     net/bluetooth/hidp/sock.c in the Linux kernel before     5.0.15 allows a local user to obtain potentially     sensitive information from kernel stack memory via a     HIDPCONNADD command, because a name field may not end     with a '\0' character. (CVE-2019-11884)

  - ** DISPUTED ** An issue was discovered in     drm_load_edid_firmware in     drivers/gpu/drm/drm_edid_load.c in the Linux kernel     through 5.1.5. There is an unchecked kstrdup of fwstr,     which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash).
    NOTE: The vendor disputes this issues as not being a     vulnerability because kstrdup() returning NULL is     handled sufficiently and there is no chance for a NULL     pointer dereference. (CVE-2019-12382)

  - An issue was discovered in the Linux kernel before     5.2.3. There is a use-after-free caused by a malicious     USB device in the drivers/media/usb/dvb-usb/dvb-usb-     init.c driver. (CVE-2019-15213)

  - An issue was discovered in xfs_setattr_nonsize in     fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS     partially wedges when a chgrp fails on account of being     out of disk quota. xfs_setattr_nonsize is failing to     unlock the ILOCK after the xfs_qm_vop_chown_reserve call     fails. This is primarily a local DoS attack vector, but     it might result as well in remote DoS if the XFS     filesystem is exported for instance via NFS.
    (CVE-2019-15538)

  - In the Linux kernel before 5.1.13, there is a memory     leak in drivers/scsi/libsas/sas_expander.c when SAS     expander discovery fails. This will cause a BUG and     denial of service. (CVE-2019-15807)

  - An issue was discovered in the Linux kernel before     5.0.1. There is a memory leak in     register_queue_kobjects() in net/core/net-sysfs.c, which     will cause denial of service. (CVE-2019-15916)

  - An issue was discovered in the Linux kernel before     5.0.4. The 9p filesystem did not protect i_size_write()     properly, which causes an i_size_read() infinite loop     and denial of service on SMP systems. (CVE-2019-16413)

  - An issue was discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance. (CVE-2019-17075)

  - The SCTP socket buffer used by a userspace application     is not accounted by the cgroups subsystem. An attacker     can use this flaw to cause a denial of service attack.
    Kernel 3.10.x and 4.18.x branches are believed to be     vulnerable. (CVE-2019-3874)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

New kernel packages are available for Slackware 14.2 to fix security issues.

It was discovered that a race condition existed in the GFS2 file system in the Linux kernel. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2016-10905)

It was discovered that the IPv6 implementation in the Linux kernel did not properly validate socket options in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18509)

It was discovered that the USB gadget Midi driver in the Linux kernel contained a double-free vulnerability when handling certain error conditions. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-20961)

It was discovered that the XFS file system in the Linux kernel did not properly handle mount failures in some situations. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2018-20976)

It was discovered that the Intel Wi-Fi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (Wi-Fi disconnect). (CVE-2019-0136)

It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207)

It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issues. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11487)

It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2019-13631)

It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.
(CVE-2019-15211)

It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215)

It was discovered that the Atheros mobile chipset driver in the Linux kernel did not properly validate data in some situations. An attacker could use this to cause a denial of service (system crash).
(CVE-2019-15926).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2016-10905

A race condition was discovered in the GFS2 file-system implementation, which could lead to a use-after-free. On a system using GFS2, a local attacker could use this for denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2018-20976

It was discovered that the XFS file-system implementation did not correctly handle some mount failure conditions, which could lead to a use-after-free. The security impact of this is unclear.

CVE-2018-21008

It was discovered that the rsi wifi driver did not correctly handle some failure conditions, which could lead to a use-after- free. The security impact of this is unclear.

CVE-2019-0136

It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages.
A nearby attacker could use this for denial of service (loss of wifi connectivity).

CVE-2019-9506

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered a weakness in the Bluetooth pairing protocols, dubbed the 'KNOB attack'. An attacker that is nearby during pairing could use this to weaken the encryption used between the paired devices, and then to eavesdrop on and/or spoof communication between them.

This update mitigates the attack by requiring a minimum encryption key length of 56 bits.

CVE-2019-14814, CVE-2019-14815, CVE-2019-14816

Multiple bugs were discovered in the mwifiex wifi driver, which could lead to heap buffer overflows. A local user permitted to configure a device handled by this driver could probably use this for privilege escalation.

CVE-2019-14821

Matt Delco reported a race condition in KVM's coalesced MMIO facility, which could lead to out-of-bounds access in the kernel. A local attacker permitted to access /dev/kvm could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-14835

Peter Pi of Tencent Blade Team discovered a missing bounds check in vhost_net, the network back-end driver for KVM hosts, leading to a buffer overflow when the host begins live migration of a VM. An attacker in control of a VM could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation on the host.

CVE-2019-15117

Hui Peng and Mathias Payer reported a missing bounds check in the usb-audio driver's descriptor parsing code, leading to a buffer over-read. An attacker able to add USB devices could possibly use this to cause a denial of service (crash).

CVE-2019-15118

Hui Peng and Mathias Payer reported unbounded recursion in the usb-audio driver's descriptor parsing code, leading to a stack overflow. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15211

The syzkaller tool found a bug in the radio-raremono driver that could lead to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15212

The syzkaller tool found that the rio500 driver does not work correctly if more than one device is bound to it. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15215

The syzkaller tool found a bug in the cpia2_usb driver that leads to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15218

The syzkaller tool found that the smsusb driver did not validate that USB devices have the expected endpoints, potentially leading to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15219

The syzkaller tool found that a device initialisation error in the sisusbvga driver could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15220

The syzkaller tool found a race condition in the p54usb driver which could lead to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15221

The syzkaller tool found that the line6 driver did not validate USB devices' maximum packet sizes, which could lead to a heap buffer overrun. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15292

The Hulk Robot tool found missing error checks in the Appletalk protocol implementation, which could lead to a use-after-free. The security impact of this is unclear.

CVE-2019-15807

Jian Luo reported that the Serial Attached SCSI library (libsas) did not correctly handle failure to discover devices beyond a SAS expander. This could lead to a resource leak and crash (BUG). The security impact of this is unclear.

CVE-2019-15917

The syzkaller tool found a race condition in code supporting UART-attached Bluetooth adapters, which could lead to a use- after-free. A local user with access to a pty device or other suitable tty device could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15926

It was found that the ath6kl wifi driver did not consistently validate traffic class numbers in received control packets, leading to out-of-bounds memory accesses. A nearby attacker on the same wifi network could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 3.16.74-1.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the linux package has been released.

ID	Name	Product	Family	Severity
132499	NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0266)	Nessus	NewStart CGSL Local Security Checks	high
132490	NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0264)	Nessus	NewStart CGSL Local Security Checks	high
130751	Slackware 14.2 : Slackware 14.2 kernel (SSA:2019-311-01)	Nessus	Slackware Local Security Checks	critical
129491	Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-4145-1)	Nessus	Ubuntu Local Security Checks	critical
129361	Debian DLA-1930-1 : linux security update	Nessus	Debian Local Security Checks	critical
129293	Photon OS 1.0: Linux PHSA-2019-1.0-0251	Nessus	PhotonOS Local Security Checks	medium

CVE-2016-10905

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins