openSUSE-SU-2019:1404

106735

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16880

https://support.f5.com/csp/article/K03593314

USN-3903-1

USN-3903-2

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):Heap-based buffer overflow     in the udf_load_logicalvol function in fs/udf/super.c     in the Linux kernel before 3.4.5 allows remote     attackers to cause a denial of service (system crash)     or possibly have unspecified other impact via a crafted     UDF filesystem.(CVE-2012-3400)The     mmc_ioctl_cdrom_read_data function in     drivers/cdrom/cdrom.c in the Linux kernel through 3.10     allows local users to obtain sensitive information from     kernel memory via a read operation on a malfunctioning     CD-ROM drive.(CVE-2013-2164)The     sctp_sf_do_5_2_4_dupcook function in     net/sctp/sm_statefuns.c in the SCTP implementation in     the Linux kernel before 3.8.5 does not properly handle     associations during the processing of a duplicate     COOKIE ECHO chunk, which allows remote attackers to     cause a denial of service (NULL pointer dereference and     system crash) or possibly have unspecified other impact     via crafted SCTP traffic.(CVE-2013-2206)The (1)     get_user and (2) put_user API functions in the Linux     kernel before 3.5.5 on the v6k and v7 ARM platforms do     not validate certain addresses, which allows attackers     to read or modify the contents of arbitrary kernel     memory locations via a crafted application, as     exploited in the wild against Android devices in     October and November 2013.(CVE-2013-6282)An issue was     discovered in the Linux kernel before 4.20. There is a     race condition in smp_task_timedout() and     smp_task_done() in drivers/scsi/libsas/sas_expander.c,     leading to a use-after-free.(CVE-2018-20836)The Siemens     R3964 line discipline driver in drivers/tty/n_r3964.c     in the Linux kernel before 5.0.8 has multiple race     conditions.(CVE-2019-11486)The Linux kernel before     5.1-rc5 allows page->_refcount reference count     overflow, with resultant use-after-free issues, if     about 140 GiB of RAM exists. This is related to     fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h,     kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It     can occur with FUSE requests.(CVE-2019-11487)The     coredump implementation in the Linux kernel before     5.0.10 does not use locking or other mechanisms to     prevent vma layout or vma flags changes while it runs,     which allows local users to obtain sensitive     information, cause a denial of service, or possibly     have unspecified other impact by triggering a race     condition with mmget_not_zero or get_task_mm calls.
    This is related to fs/userfaultfd.c, mm/mmap.c,     fs/proc/task_mmu.c, and     drivers/infiniband/core/uverbs_main.c.(CVE-2019-11599)A     n issue was discovered in the Linux kernel before     5.0.7. A NULL pointer dereference can occur when     megasas_create_frame_pool() fails in     megasas_alloc_cmds() in     drivers/scsi/megaraid/megaraid_sas_base.c. This causes     a Denial of Service, related to a     use-after-free.(CVE-2019-11810)An issue was discovered     in the Linux kernel before 5.0.4. There is a     use-after-free upon attempted read access to     /proc/ioports after the ipmi_si module is removed,     related to drivers/char/ipmi/ipmi_si_intf.c,     drivers/char/ipmi/ipmi_si_mem_io.c, and     drivers/char/ipmi/ipmi_si_port_io.c.(CVE-2019-11811)A     flaw was found in the Linux kernel's handle_rx()     function in the [vhost_net] driver. A malicious virtual     guest, under specific conditions, can trigger an     out-of-bounds write in a kmalloc-8 slab on a virtual     host which may lead to a kernel memory corruption and a     system panic. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out. Versions from     v4.16 and newer are vulnerable.(CVE-2018-16880)An issue     was discovered in rds_tcp_kill_sock in net/rds/tcp.c in     the Linux kernel before 5.0.8. There is a race     condition leading to a use-after-free, related to net     namespace cleanup.(CVE-2019-11815)A flaw was found in     the Linux kernel in the function     hid_debug_events_read() in drivers/hid/hid-debug.c file     which may enter an infinite loop with certain     parameters passed from a userspace. A local privileged     user ('root') can cause a system lock up and a denial     of service. Versions from v4.18 and newer are     vulnerable.(CVE-2019-3819)A flaw was found in the Linux     kernel's vfio interface implementation that permits     violation of the user's locked memory limit. If a     device is bound to a vfio driver, such as vfio-pci, and     the local attacker is administratively granted     ownership of the device, it may cause a system memory     exhaustion and thus a denial of service (DoS). Versions     3.10, 4.14 and 4.18 are vulnerable.(CVE-2019-3882)An     infinite loop issue was found in the vhost_net kernel     module in Linux Kernel up to and including v5.1-rc6,     while handling incoming packets in handle_rx(). It     could occur if one end sends packets faster than the     other end can process them. A guest user, maybe remote     one, could use this flaw to stall the vhost_net kernel     thread, resulting in a DoS scenario.(CVE-2019-3900)In     the Linux Kernel before versions 4.20.8 and 4.19.21 a     use-after-free error in the 'sctp_sendmsg()' function     (net/sctp/socket.c) when handling SCTP_SENDALL flag can     be exploited to corrupt memory.(CVE-2019-8956)A flaw     was found in the Linux kernel's implementation of ext4     extent management. The kernel doesn't correctly     initialize memory regions in the extent tree block     which may be exported to a local user to obtain     sensitive information by reading empty/uninitialized     data from the filesystem.(CVE-2019-11833)An issue was     discovered in drm_load_edid_firmware in     drivers/gpu/drm/drm_edid_load.c in the Linux kernel     through 5.1.5. There is an unchecked kstrdup of fwstr,     which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash).
    NOTE: The vendor disputes this issues as not being a     vulnerability because kstrdup() returning NULL is     handled sufficiently and there is no chance for a NULL     pointer dereference.(CVE-2019-12382)An issue was     discovered in the efi subsystem in the Linux kernel     through 5.1.5. phys_efi_set_virtual_address_map in     arch/x86/platform/efi/efi.c and efi_call_phys_prolog in     arch/x86/platform/efi/efi_64.c mishandle memory     allocation failures. NOTE: This id is disputed as not     being an issue because ?All the code touched by the     referenced commit runs only at boot, before any user     processes are started. Therefore, there is no     possibility for an unprivileged user to control     it.(CVE-2019-12380)An issue was discovered in the Linux     kernel before 5.2.3. An out of bounds access exists in     the function hclge_tm_schd_mode_vnet_base_cfg in the     file drivers     et/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c.(CVE-2019-     15925)An issue was discovered in     dlpar_parse_cc_property in     arch/powerpc/platforms/pseries/dlpar.c in the Linux     kernel through 5.1.6. There is an unchecked kstrdup of     prop-i1/4zname, which might allow an attacker to cause a     denial of service (NULL pointer dereference and system     crash).(CVE-2019-12614)An issue was discovered in     net/ipv4/sysctl_net_ipv4.c in the Linux kernel before     5.0.11. There is a net/ipv4/tcp_input.c signed integer     overflow in tcp_ack_update_rtt() when userspace writes     a very large integer to     /proc/syset/ipv4/tcp_min_rtt_wlen, leading to a denial     of service or possibly unspecified other impact, aka     CID-19fad20d15a6.(CVE-2019-18805)A flaw was found in     the way PTRACE_TRACEME functionality was handled in the     Linux kernel. The kernel's implementation of ptrace can     inadvertently grant elevated permissions to an attacker     who can then abuse the relationship between the tracer     and the process being traced. This flaw could allow a     local, unprivileged user to increase their privileges     on the system or cause a denial of     service.(CVE-2019-13272)An issue was discovered in     ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux     kernel through 5.1.5. There is an unchecked kmalloc of     new_ra, which might allow an attacker to cause a denial     of service (NULL pointer dereference and system crash).
    NOTE: This has been disputed as not an     issue.(CVE-2019-12378)An issue was discovered in     ip_ra_control in net/ipv4/ip_sockglue.c in the Linux     kernel through 5.1.5. There is an unchecked kmalloc of     new_ra, which might allow an attacker to cause a denial     of service (NULL pointer dereference and system crash).
    NOTE: this is disputed because new_ra is never used if     it is NULL.(CVE-2019-12381)An issue was discovered in     sunxi_divs_clk_setup in drivers/clk/sunxi/clk-sunxi.c     in the Linux kernel through 5.1.5. There is an     unchecked kstrndup of derived_name, which might allow     an attacker to cause a denial of service (NULL pointer     dereference and system crash). NOTE: This id is     disputed as not being an issue because 'The memory     allocation that was not checked is part of a code that     only runs at boot time, before user processes are     started. Therefore, there is no possibility for an     unprivileged user to control it, and no denial of     service.'.(CVE-2019-12455)An issue was discovered in     the MPT3COMMAND case in _ctl_ioctl_main in     drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux kernel     through 5.1.5. It allows local users to cause a denial     of service or possibly have unspecified other impact by     changing the value of ioc_number between two kernel     reads of that value, aka a ''double fetch''     vulnerability. NOTE: a third party reports that this is     unexploitable because the doubly fetched value is not     used.(CVE-2019-12456)An issue was discovered in     get_vdev_port_node_info in arch/sparc/kernel/mdesc.c in     the Linux kernel through 5.1.6. There is an unchecked     kstrdup_const of node_info-i1/4zvdev_port.name, which     might allow an attacker to cause a denial of service     (NULL pointer dereference and system     crash).(CVE-2019-12615)In parse_hid_report_descriptor     in drivers/input/tablet/gtco.c in the Linux kernel     through 5.2.1, a malicious USB device can send an HID     report that triggers an out-of-bounds write during     generation of debugging messages.(CVE-2019-13631)A     vulnerability was found in the Linux kernelaEURtms floppy     disk driver implementation. A local attacker with     access to the floppy device could call set_geometry in     drivers/block/floppy.c, which does not validate the     sect and head fields, causing an integer overflow and     out-of-bounds read. This flaw may crash the system or     allow an attacker to gather information causing     subsequent successful     attacks.(CVE-2019-14283)check_input_term in     sound/usb/mixer.c in the Linux kernel through 5.2.9     mishandles recursion, leading to kernel stack     exhaustion.(CVE-2019-15118)An issue was discovered in     the Linux kernel before 5.2.6. There is a     use-after-free caused by a malicious USB device in the     drivers/media/v4l2-core/v4l2-dev.c driver because     drivers/media/radio/radio-raremono.c does not properly     allocate memory.(CVE-2019-15211)An issue was discovered     in the Linux kernel before 5.0.10. There is a     use-after-free in the sound subsystem because card     disconnection causes certain data structures to be     deleted too early. This is related to sound/core/init.c     and sound/core/info.c.(CVE-2019-15214)An issue was     discovered in the Linux kernel before 5.1.8. There is a     NULL pointer dereference caused by a malicious USB     device in the drivers/media/usb/siano/smsusb.c     driver.(CVE-2019-15218)An issue was discovered in the     Linux kernel before 5.1.8. There is a NULL pointer     dereference caused by a malicious USB device in the     drivers/usb/misc/sisusbvga/sisusb.c     driver.(CVE-2019-15219)An issue was discovered in the     Linux kernel before 5.2.1. There is a use-after-free     caused by a malicious USB device in the     driverset/wireless/intersil/p54/p54usb.c     driver.(CVE-2019-15220)An issue was discovered in the     Linux kernel before 5.1.17. There is a NULL pointer     dereference caused by a malicious USB device in the     sound/usb/line6/pcm.c driver.(CVE-2019-15221)An issue     was discovered in the Linux kernel before 5.0.9. There     is a use-after-free in atalk_proc_exit, related to     net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and     net/appletalk/sysctl_net_atalk.c.(CVE-2019-15292)An     issue was discovered in xfs_setattr_nonsize in     fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9.
    XFS partially wedges when a chgrp fails on account of     being out of disk quota. xfs_setattr_nonsize is failing     to unlock the ILOCK after the xfs_qm_vop_chown_reserve     call fails. This is primarily a local DoS attack     vector, but it might result as well in remote DoS if     the XFS filesystem is exported for instance via     NFS.(CVE-2019-15538)An issue was discovered in the     Linux kernel before 5.0.19. There is an out-of-bounds     array access in __xfrm_policy_unlink, which will cause     denial of service, because verify_newpolicy_info in     net/xfrm/xfrm_user.c mishandles directory     validation.(CVE-2019-15666)In the Linux kernel before     5.1.13, there is a memory leak in     drivers/scsi/libsas/sas_expander.c when SAS expander     discovery fails. This will cause a BUG and denial of     service.(CVE-2019-15807)An issue was discovered in the     Linux kernel before 5.0.5. There is a use-after-free     issue when hci_uart_register_dev() fails in     hci_uart_set_proto() in     drivers/bluetooth/hci_ldisc.c.(CVE-2019-15917)An issue     was discovered in the Linux kernel before 5.0.10.
    SMB2_write in fs/cifs/smb2pdu.c has a     use-after-free.(CVE-2019-15919)An issue was discovered     in the Linux kernel before 5.0.10. SMB2_read in     fs/cifs/smb2pdu.c has a use-after-free. NOTE: this was     not fixed correctly in 5.0.10 see the 5.0.11 ChangeLog,     which documents a memory leak.(CVE-2019-15920)An issue     was discovered in the Linux kernel before 5.0.4. The 9p     filesystem did not protect i_size_write() properly,     which causes an i_size_read() infinite loop and denial     of service on SMP systems.(CVE-2019-16413)An issue was     discovered in can_can_gw_rcv in net/can/gw.c in the     Linux kernel through 4.19.13. The CAN frame     modification rules allow bitwise logical operations     that can be also applied to the can_dlc field. Because     of a missing check, the CAN drivers may write arbitrary     content beyond the data registers in the CAN     controller's I/O memory when processing can-gw     manipulated outgoing frames. This is related to     cgw_csum_xor_rel. An unprivileged user can trigger a     system crash (general protection     fault).(CVE-2019-3701)A flaw was found in the Linux     kernel's Marvell wifi chip driver. A heap overflow in     mwifiex_update_bss_desc_with_ie function in     marvell/mwifiex/scan.c allows remote attackers to cause     a denial of service(system crash) or execute arbitrary     code.(CVE-2019-3846)A new software page cache side     channel attack scenario was discovered in operating     systems that implement the very common 'page cache'     caching mechanism. A malicious user/process could use     'in memory' page-cache knowledge to infer access     timings to shared memory and gain knowledge which can     be used to reduce effectiveness of cryptographic     strength by monitoring algorithmic behavior, infer     access patterns of memory to determine code paths     taken, and exfiltrate data to a blinded attacker     through page-granularity access times as a     side-channel.(CVE-2019-5489)In the Android kernel in     the video driver there is a kernel pointer leak due to     a WARN_ON statement. This could lead to local     information disclosure with System execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2019-9455)A vulnerability was found     in the arch/x86/lib/insn-eval.c function in the Linux     kernel. An attacker could corrupt the memory due to a     flaw in use-after-free access to an LDT entry caused by     a race condition between modify_ldt() and a #BR     exception for an MPX bounds violation.(CVE-2019-13233)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-12126 CVE-2018-12127 CVE-2018-12130: Microarchitectural Store Buffer Data Sampling (MSBDS): Stored buffers on some microprocessors utilizing speculative execution which may have allowed an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here :

https://www.intel.com/content/dam/www/public/us/en/documents/corporate
-info rmation/SA00233-microcode-update-guidance_05132019.
(bsc#1103186)CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may have allowed an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here :

https://www.intel.com/content/dam/www/public/us/en/documents/corporate
-info rmation/SA00233-microcode-update-guidance_05132019.
(bsc#1111331)CVE-2019-12382: An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the Linux kernel There was an unchecked kstrdup of fwstr, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). (bsc#1136586)

CVE-2019-10124: An issue was discovered in the hwpoison implementation in mm/memory-failure.c in the Linux kernel. When soft_offline_in_use_page() runs on a thp tail page after pmd is split, an attacker could cause a denial of service (bsc#1130699).

CVE-2019-11486: The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel has multiple race conditions. (bsc#1133188)

CVE-2019-11811: An issue was discovered in the Linux kernel There was a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module was removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c. (bsc#1134397)

CVE-2019-11487: The Linux kernel allowed page reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It could occur with FUSE requests.
(bsc#1133190)

CVE-2019-12818: The nfc_llcp_build_tlv function in net/nfc/llcp_commands.c may return NULL. If the caller does not check for this, it will trigger a NULL pointer dereference. This will cause denial of service. This used to affect nfc_llcp_build_gb in net/nfc/llcp_core.c. (bsc#1138293)

CVE-2019-11833: fs/ext4/extents.c in the Linux kernel did not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem. (bsc#1135281)

CVE-2019-5489: The mincore() implementation in mm/mincore.c in the Linux kernel allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server. (bsc#1120843)

CVE-2018-7191: In the tun subsystem in the Linux kernel, dev_get_valid_name was not called before register_netdevice. This allowed local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. (bsc#1135603)

CVE-2019-11884: The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel allowed a local user to obtain potentially sensitive information from kernel stack memory via a hidPCONNADD command, because a name field may not end with a '\0' character. (bsc#1134848)

CVE-2019-9500: An issue was discovered that lead to brcmfmac heap buffer overflow. (bsc#1132681)

CVE-2019-11085: Insufficient input validation in Kernel Mode Driver in Intel(R) i915 Graphics for Linux may have allowed an authenticated user to potentially enable escalation of privilege via local access.
(bsc#1135278)

CVE-2019-11815: An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel There was a race condition leading to a use-after-free, related to net namespace cleanup. (bsc#1135278)

CVE-2018-16880: A flaw was found in the Linux kernel's handle_rx() function in the [vhost_net] driver. A malicious virtual guest, under specific conditions, could trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host which may have lead to a kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (bsc#1122767)

CVE-2019-12819: The function __mdiobus_register() called put_device(), which triggered a fixed_mdio_bus_init use-after-free. This would cause a denial of service. (bsc#1138291)

CVE-2019-3882: A flaw was found in the Linux kernel's vfio interface implementation that permitted violation of the user's locked memory limit. If a device was bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may have caused a system memory exhaustion and thus a denial of service (DoS). (bsc#1131427)

CVE-2019-3846: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network. (bsc#1136424)

CVE-2019-8564: An issue was discoved which meant that brcmfmac frame validation could be bypassed. (bsc#1132673)

CVE-2019-9503: An issue was discoved which meant that brcmfmac frame validation could be bypassed. (bsc#1132828)

CVE-2019-9003: In the Linux kernel, attackers could trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a 'service ipmievd restart' loop. (bsc#1126704)

CVE-2017-5753: Systems with microprocessors utilizing speculative execution and branch prediction may have allowed unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

CVE-2019-11478: It was possible to send a crafted sequence of SACKs which will fragment the TCP retransmission queue. An attacker may have been able to further exploit the fragmented queue to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection.

CVE-2019-11479: An attacker could force the Linux kernel to segment its responses into multiple TCP segments. This would drastically increased the bandwidth required to deliver the same amount of data.
Further, it would consume additional resources such as CPU and NIC processing power.

CVE-2018-16871: A NULL pointer dereference due to an anomalized NFS message sequence was fixed. (bnc#1137103).

CVE-2019-12614: An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c. There was an unchecked kstrdup of prop->name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash) (bnc#1137194).

CVE-2019-12817: On the PowerPC architecture, local attackers could access other users processes memory (bnc#1138263).

CVE-2018-20836: An issue was discovered in the Linux kernel There was a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free (bnc#1134395).

CVE-2019-10638: In the Linux kernel, a device could be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic was sent to multiple destination IP addresses, it was possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may have been conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses (bnc#1140575 1140577).

CVE-2019-10639: The Linux kernel allowed Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it was possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic was sent to multiple destination IP addresses, it was possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key was extracted (via enumeration), the offset of the kernel image was exposed. This attack could be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable because IP ID generation was changed to have a dependency on an address associated with a network namespace (bnc#1140577).

CVE-2019-11599: The coredump implementation in the Linux kernel did not use locking or other mechanisms to prevent vma layout or vma flags changes while it ran, which allowed local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c (bnc#1131645 1133738).

CVE-2019-13233: In arch/x86/lib/insn-eval.c in the Linux kernel, there was a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation (bnc#1140454).

CVE-2018-20855: An issue was discovered in the Linux kernel In create_qp_common in drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp was never initialized, resulting in a leak of stack memory to userspace(bsc#1143045).

CVE-2019-1125: Exclude ATOMs from speculation through SWAPGS (bsc#1139358).

CVE-2019-11810: An issue was discovered in the Linux kernel A NULL pointer dereference could occur when megasas_create_frame_pool() failed in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This caused a Denial of Service, related to a use-after-free (bnc#1134399).

CVE-2019-13631: In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel, a malicious USB device could send an HID report that triggered an out-of-bounds write during generation of debugging messages. (bnc#1142023)

CVE-2019-13648: In the Linux kernel on the powerpc platform, when hardware transactional memory was disabled, a local user could cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sent a crafted signal frame.
(bnc#1142254)

CVE-2019-14283: In the Linux kernel, set_geometry in drivers/block/floppy.c did not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It could be triggered by an unprivileged local user when a floppy disk was inserted. NOTE: QEMU creates the floppy device by default.
(bnc#1143191)

CVE-2019-14284: In the Linux kernel, drivers/block/floppy.c allows a denial of service by setup_format_params division-by-zero.
(bnc#1143189)

CVE-2019-12456: An issue was discovered in the MPT3COMMAND case in
_ctl_ioctl_main in drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux. It allows local users to cause a denial of service or possibly have unspecified other impact by changing the value of ioc_number between two kernel reads of that value, aka a 'double fetch' vulnerability.
NOTE: a third-party reports that this is unexploitable because the doubly fetched value is not used. (bsc#1136922)

CVE-2019-12380: An issue was discovered in the efi subsystem in the Linux kernel phys_efi_set_virtual_address_map in arch/x86/platform/efi/efi.c and efi_call_phys_prolog in arch/x86/platform/efi/efi_64.c mishandle memory allocation failures.
(bsc#1136598)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2019-12819: The function __mdiobus_register() called put_device(), which triggered a fixed_mdio_bus_init use-after-free. This would cause a denial of service. (bsc#1138291)

CVE-2019-12818: The nfc_llcp_build_tlv function in net/nfc/llcp_commands.c may return NULL. If the caller does not check for this, it will trigger a NULL pointer dereference. This will cause denial of service. This used to affect nfc_llcp_build_gb in net/nfc/llcp_core.c. (bsc#1138293)

CVE-2019-11477: A sequence of SACKs may have been crafted such that one can trigger an integer overflow, leading to a kernel panic.

CVE-2019-11478: It was possible to send a crafted sequence of SACKs which will fragment the TCP retransmission queue. An attacker may have been able to further exploit the fragmented queue to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection.

CVE-2019-11479: An attacker could force the Linux kernel to segment its responses into multiple TCP segments. This would drastically increased the bandwidth required to deliver the same amount of data.
Further, it would consume additional resources such as CPU and NIC processing power.

CVE-2019-3846: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network. (bsc#1136424)

CVE-2019-10124: An issue was discovered in the hwpoison implementation in mm/memory-failure.c in the Linux kernel. When soft_offline_in_use_page() runs on a thp tail page after pmd is split, an attacker could cause a denial of service (bsc#1130699, CVE-2019-10124).

CVE-2019-12382: An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the Linux kernel There was an unchecked kstrdup of fwstr, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash).
(bsc#1136586)

CVE-2019-11487: The Linux kernel allowed page reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It could occur with FUSE requests.
(bbsc#1133190)

CVE-2019-5489: The mincore() implementation in mm/mincore.c in the Linux kernel allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server. (bsc#1120843)

CVE-2019-11833: fs/ext4/extents.c in the Linux kernel did not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem. (bsc#1135281)

CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may have allowed an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here :

https://www.intel.com/content/dam/www/public/us/en/documents/corporate
-info rmation/SA00233-microcode-update-guidance_05132019.
(bsc##1111331) CVE-2018-7191: In the tun subsystem in the Linux kernel, dev_get_valid_name was not called before register_netdevice.
This allowed local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. (bsc#1135603)

CVE-2018-12126 CVE-2018-12127 CVE-2018-12130: Microarchitectural Store Buffer Data Sampling (MSBDS): Stored buffers on some microprocessors utilizing speculative execution which may have allowed an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here :

https://www.intel.com/content/dam/www/public/us/en/documents/corporate
-info rmation/SA00233-microcode-update-guidance_05132019.
(bsc#1103186) CVE-2019-11085: Insufficient input validation in Kernel Mode Driver in Intel(R) i915 Graphics for Linux may have allowed an authenticated user to potentially enable escalation of privilege via local access. (bsc#1135278)

CVE-2019-11815: An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel There was a race condition leading to a use-after-free, related to net namespace cleanup. (bsc#1135278)

CVE-2019-11884: The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel allowed a local user to obtain potentially sensitive information from kernel stack memory via a hidPCONNADD command, because a name field may not end with a '\0' character. (bsc#1134848)

CVE-2019-11811: An issue was discovered in the Linux kernel There was a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module was removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c. (bsc#1134397)

CVE-2019-11486: The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel has multiple race conditions. (bsc#1133188)

CVE-2019-9003: In the Linux kernel, attackers could trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a 'service ipmievd restart' loop. (bsc#1126704)

CVE-2018-16880: A flaw was found in the Linux kernel's handle_rx() function in the [vhost_net] driver. A malicious virtual guest, under specific conditions, could trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host which may have lead to a kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.(bsc#1122767)

CVE-2019-9503: An issue was discoved which meant that brcmfmac frame validation could be bypassed. (bsc#1132828)

CVE-2019-9500: An issue was discovered that lead to brcmfmac heap buffer overflow. (bsc#1132681)

CVE-2019-8564: An issue was discoved which meant that brcmfmac frame validation could be bypassed. (bsc#1132673)

CVE-2017-5753: Systems with microprocessors utilizing speculative execution and branch prediction may have allowed unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

CVE-2019-3882: A flaw was found in the Linux kernel's vfio interface implementation that permitted violation of the user's locked memory limit. If a device was bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may have caused a system memory exhaustion and thus a denial of service (DoS). (bsc#1131427)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):An issue was discovered in     rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel     before 5.0.8. There is a race condition leading to a     use-after-free, related to net namespace     cleanup.(CVE-2019-11815)A flaw was found in the Linux     kernel's handle_rx() function in the vhost_net driver.
    A malicious virtual guest, under specific conditions,     can trigger an out-of-bounds write in a kmalloc-8 slab     on a virtual host which may lead to a kernel memory     corruption and a system panic. Due to the nature of the     flaw, privilege escalation cannot be fully ruled     out.(CVE-2018-16880)A NULL pointer dereference security     flaw was found in the Linux kernel in kvm_pv_send_ipi()     in arch/x86/kvm/lapic.c. This allows local users with     certain privileges to cause a denial of service via a     crafted system call to the KVM     subsystem.(CVE-2018-19406)The function     hso_get_config_data in driverset/usb/hso.c in the Linux     kernel through 4.19.8 reads if_num from the USB device     (as a u8) and uses it to index a small array, resulting     in an object out-of-bounds (OOB) read that potentially     allows arbitrary read in the kernel address     space.(CVE-2018-19985)** RESERVED ** This candidate has     been reserved by an organization or individual that     will use it when announcing a new security problem.
    When the candidate has been publicized, the details for     this candidate will be provided.(CVE-2019-3459)**     RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2019-3460)A flaw was found in the     Linux kernel in the function hid_debug_events_read() in     the drivers/hid/hid-debug.c file which may enter an     infinite loop with certain parameters passed from a     userspace. A local privileged user ('root') can cause a     system lock up and a denial of     service.(CVE-2019-3819)In the Linux kernel before     4.20.14, expand_downwards in mm/mmap.c lacks a check     for the mmap minimum address, which makes it easier for     attackers to exploit kernel NULL pointer dereferences     on non-SMAP platforms. This is related to a capability     check for the wrong task.(CVE-2019-9213)A flaw was     found in the Linux kernel's vfio interface     implementation that permits violation of the user's     locked memory limit. If a device is bound to a vfio     driver, such as vfio-pci, and the local attacker is     administratively granted ownership of the device, it     may cause a system memory exhaustion and thus a denial     of service (DoS). Versions 3.10, 4.14 and 4.18 are     vulnerable.(CVE-2019-3882)An infinite loop issue was     found in the vhost_net kernel module in Linux Kernel up     to and including v5.1-rc6, while handling incoming     packets in handle_rx(). It could occur if one end sends     packets faster than the other end can process them. A     guest user, maybe remote one, could use this flaw to     stall the vhost_net kernel thread, resulting in a DoS     scenario.(CVE-2019-3900)It was found that the net_dma     code in tcp_recvmsg() in the 2.6.32 kernel as shipped     in RHEL6 is thread-unsafe. So an unprivileged     multi-threaded userspace application calling recvmsg()     for the same network socket in parallel executed on     ioatdma-enabled hardware with net_dma enabled can leak     the memory, crash the host leading to a     denial-of-service or cause a random memory     corruption.(CVE-2019-3837)A race condition in     perf_event_open() allows local attackers to leak     sensitive data from setuid programs. As no relevant     locks (in particular the cred_guard_mutex) are held     during the ptrace_may_access() call, it is possible for     the specified target task to perform an execve()     syscall with setuid execution before perf_event_alloc()     actually attaches to it, allowing an attacker to bypass     the ptrace_may_access() check and the     perf_event_exit_task(current) call that is performed in     install_exec_creds() during privileged execve() calls.
    This issue affects kernel versions before 4.8.
    (CVE-2019-3901)** RESERVED ** This candidate has been     reserved by an organization or individual that will use     it when announcing a new security problem. When the     candidate has been publicized, the details for this     candidate will be     provided.(CVE-2019-8956)cipso_v4_validate in     includeet/cipso_ipv4.h in the Linux kernel before     3.11.7, when CONFIG_NETLABEL is disabled, allows     attackers to cause a denial of service (infinite loop     and crash), as demonstrated by icmpsic, a different     vulnerability than CVE-2013-0310.(CVE-2013-7470)Note1:
    kernel-4.19.36-vhulk1907.1.0.h529 and earlier versions     in EulerOS Virtualization for ARM 64 3.0.2.0 return     incorrect time information when executing the uname -a     command.Note2: The kernel version number naming format     has been changed after 4.19.36-1.2.184.aarch64, the new     version format is 4.19.36-vhulk1907.1.0.hxxx.aarch64,     which may lead to false positives of this security     advisory.

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 Azure kernel was updated to receive various security and bugfixes.

Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)

CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)

CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)

CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)

CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

This kernel update contains software mitigations for these issues, which also utilize CPU microcode updates shipped in parallel.

For more information on this set of information leaks, check out https://www.suse.com/support/kb/doc/?id=7023736

The following security bugs were fixed: CVE-2018-16880: A flaw was found in the handle_rx() function in the vhost_net driver. A malicious virtual guest, under specific conditions, could trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host which may lead to a kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.
(bnc#1122767).

CVE-2019-9003: Attackers could trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a 'service ipmievd restart' loop (bnc#1126704).

CVE-2019-9503: A brcmfmac frame validation bypass was fixed.
(bnc#1132828).

CVE-2019-9500: A brcmfmac heap buffer overflow in brcmf_wowl_nd_results was fixed. (bnc#1132681).

CVE-2019-3882: A flaw was found in the vfio interface implementation that permitted violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS).
(bnc#1131416 bnc#1131427).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3903-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.10.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.10 for Ubuntu 18.04 LTS.

Jason Wang discovered that the vhost net driver in the Linux kernel contained an out of bounds write vulnerability. An attacker in a guest virtual machine could use this to cause a denial of service (host system crash) or possibly execute arbitrary code in the host kernel.
(CVE-2018-16880)

Jann Horn discovered that the userfaultd implementation in the Linux kernel did not properly restrict access to certain ioctls. A local attacker could use this possibly to modify files. (CVE-2018-18397)

Jann Horn discovered a race condition in the fork() system call in the Linux kernel. A local attacker could use this to gain access to services that cache authorizations. (CVE-2019-6133).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jason Wang discovered that the vhost net driver in the Linux kernel contained an out of bounds write vulnerability. An attacker in a guest virtual machine could use this to cause a denial of service (host system crash) or possibly execute arbitrary code in the host kernel.
(CVE-2018-16880)

Jann Horn discovered that the userfaultd implementation in the Linux kernel did not properly restrict access to certain ioctls. A local attacker could use this possibly to modify files. (CVE-2018-18397)

Jann Horn discovered a race condition in the fork() system call in the Linux kernel. A local attacker could use this to gain access to services that cache authorizations. (CVE-2019-6133).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 4.20.5 stable kernel update contains a number of important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
134387	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1186)	Nessus	Huawei Local Security Checks	critical
129284	SUSE SLED15 / SLES15 Security Update : kernel-source-rt (SUSE-SU-2019:2430-1) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) (SACK Panic) (SACK Slowness) (Spectre)	Nessus	SuSE Local Security Checks	high
126045	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:1550-1) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) (SACK Panic) (SACK Slowness) (Spectre)	Nessus	SuSE Local Security Checks	high
125588	EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1636)	Nessus	Huawei Local Security Checks	high
125243	openSUSE Security Update : the Linux Kernel (openSUSE-2019-1404) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)	Nessus	SuSE Local Security Checks	high
125132	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:1242-1) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)	Nessus	SuSE Local Security Checks	high
122669	Ubuntu 18.04 LTS : linux-hwe, linux-azure vulnerabilities (USN-3903-2)	Nessus	Ubuntu Local Security Checks	medium
122668	Ubuntu 18.10 : linux, linux-azure, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities (USN-3903-1)	Nessus	Ubuntu Local Security Checks	medium
121520	Fedora 29 : kernel / kernel-headers / kernel-tools (2019-aabdaa013d)	Nessus	Fedora Local Security Checks	medium
121519	Fedora 28 : kernel / kernel-headers / kernel-tools (2019-4002b91800)	Nessus	Fedora Local Security Checks	medium

CVE-2018-16880

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins