105049

https://github.com/johnsonwangqize/cve-linux/blob/master/CVE-2018-5995.md

[debian-lts-announce] 20190528 [SECURITY] [DLA 1799-1] linux security update

[debian-lts-announce] 20190528 [SECURITY] [DLA 1799-2] linux security update

[debian-lts-announce] 20190814 [SECURITY] [DLA 1885-1] linux-4.9 security update

20190813 [SECURITY] [DSA 4497-1] linux security update

DSA-4497

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Array index error in the tcm_vhost_make_tpg function in     drivers/vhost/scsi.c in the Linux kernel before 4.0     might allow guest OS users to cause a denial of service     (memory corruption) or possibly have unspecified other     impact via a crafted VHOST_SCSI_SET_ENDPOINT ioctl     call. NOTE: the affected function was renamed to     vhost_scsi_make_tpg before the vulnerability was     announced.(CVE-2015-4036)

  - The ecryptfs_privileged_open function in     fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3     allows local users to gain privileges or cause a denial     of service (stack memory consumption) via vectors     involving crafted mmap calls for /proc pathnames,     leading to recursive pagefault handling.(CVE-2016-1583)

  - It was found that SCSI driver in the Linux kernel can     improperly access userspace memory outside the provided     buffer. A local privileged attacker could potentially     use this flaw to expose information from the kernel     memory.(CVE-2017-13168)

  - The acpi_ds_create_operands() function in     drivers/acpi/acpica/dsutils.c in the Linux kernel     through 4.12.9 does not flush the operand cache and     causes a kernel stack dump, which allows local users to     obtain sensitive information from kernel memory and     bypass the KASLR protection mechanism (in the kernel     through 4.9) via a crafted ACPI table.(CVE-2017-13693)

  - The acpi_ps_complete_final_op() function in     drivers/acpi/acpica/psobject.c in the Linux kernel     through 4.12.9 does not flush the node and node_ext     caches and causes a kernel stack dump, which allows     local users to obtain sensitive information from kernel     memory and bypass the KASLR protection mechanism (in     the kernel through 4.9) via a crafted ACPI     table.(CVE-2017-13694)

  - The acpi_ns_evaluate() function in     drivers/acpi/acpica/nseval.c in the Linux kernel     through 4.12.9 does not flush the operand cache and     causes a kernel stack dump, which allows local users to     obtain sensitive information from kernel memory and     bypass the KASLR protection mechanism (in the kernel     through 4.9) via a crafted ACPI table.(CVE-2017-13695)

  - The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h     in the Linux kernel before 4.13.2 does not verify that     a filesystem has a realtime device, which allows local     users to cause a denial of service (NULL pointer     dereference and OOPS) via vectors related to setting an     RHINHERIT flag on a directory.(CVE-2017-14340)

  - The xfs_bmap_extents_to_btree function in     fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through     4.16.3 allows local users to cause a denial of service     (xfs_bmapi_write NULL pointer dereference) via a     crafted xfs image.(CVE-2018-10323)

  - A flaw was found in Linux kernel in the ext4 filesystem     code. A use-after-free is possible in     ext4_ext_remove_space() function when mounting and     operating a crafted ext4 image.(CVE-2018-10876)

  - A flaw was found in the Linux kernel ext4 filesystem.
    An out-of-bound access is possible in the     ext4_ext_drop_refs() function when operating on a     crafted ext4 filesystem image.(CVE-2018-10877)

  - The pcpu_embed_first_chunk function in mm/percpu.c in     the Linux kernel through 4.14.14 allows local users to     obtain sensitive address information by reading dmesg     data from a(CVE-2018-5995)

  - Memory leak in the irda_bind function in     net/irda/af_irda.c and later in     drivers/staging/irda/net/af_irda.c in the Linux kernel     before 4.17 allows local users to cause a denial of     service (memory consumption) by repeatedly binding an     AF_IRDA socket.(CVE-2018-6554)

  - A NULL pointer dereference was found in the     net/rds/rdma.c __rds_rdma_map() function in the Linux     kernel before 4.14.7 allowing local attackers to cause     a system panic and a denial-of-service, related to     RDS_GET_MR and RDS_GET_MR_FOR_DEST.(CVE-2018-7492)

  - ** DISPUTED ** Race condition in the     store_int_with_restart() function in     arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel     through 4.15.7 allows local users to cause a denial of     service (panic) by leveraging root access to write to     the check_interval file in a     /sys/devices/system/machinecheck/machinecheck<cpu     number> directory. NOTE: a third party has indicated     that this report is not security     relevant.(CVE-2018-7995)

  - Non-optimized code for key handling of shared futexes     was found in the Linux kernel in the form of unbounded     contention time due to the page lock for real-time     users. Before the fix, the page lock was an     unnecessarily heavy lock for the futex path that     protected too much. After the fix, the page lock is     only required in a specific corner case.(CVE-2018-9422)

  - A memory leak in the ccp_run_sha_cmd() function in     drivers/crypto/ccp/ccp-ops.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-128c66429247.(CVE-2019-18808)

  - In the Linux kernel before 5.1, there is a memory leak     in __feat_register_sp() in net/dccp/feat.c, which may     cause denial of service, aka     CID-1d3ff0950e2b.(CVE-2019-20096)

  - An issue was discovered in the Linux kernel before     5.4.7. The prb_calc_retire_blk_tmo() function in     net/packet/af_packet.c can result in a denial of     service (CPU consumption and soft lockup) in a certain     failure case involving TPACKET_V3, aka     CID-b43d1f9f7067.(CVE-2019-20812)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the linux package has been released.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):** DISPUTED ** In     kernel/compat.c in the Linux kernel before 3.17, as     used in Google Chrome OS and other products, there is a     possible out-of-bounds read. restart_syscall uses     uninitialized data when restarting     compat_sys_nanosleep. NOTE: this is disputed because     the code path is unreachable.(CVE-2014-3180)A heap     overflow flaw was found in the Linux kernel, all     versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi     chip driver. The vulnerability allows a remote attacker     to cause a system crash, resulting in a denial of     service, or execute arbitrary code. The highest threat     with this vulnerability is with the availability of the     system. If code execution occurs, the code will run     with the permissions of root. This will affect both     confidentiality and integrity of files on the     system.(CVE-2019-14901)A heap-based buffer overflow     vulnerability was found in the Linux kernel, version     kernel-2.6.32, in Marvell WiFi chip driver. A remote     attacker could cause a denial of service (system crash)     or, possibly execute arbitrary code, when the     lbs_ibss_join_existing function is called after a STA     connects to an AP.(CVE-2019-14896)A memory leak in the     ath10k_usb_hif_tx_sg() function in drivers/     net/wireless/ath/ath10k/usb.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption) by triggering     usb_submit_urb() failures, aka     CID-b8d17e7d93d2.(CVE-2019-19078)A memory leak in the     mlx5_fpga_conn_create_cq() function in drivers/     net/ethernet/mellanox/mlx5/core/fpga/conn.c in the     Linux kernel before 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     mlx5_vector2eqn() failures, aka     CID-c8c2a057fdc7.(CVE-2019-19045)A stack-based buffer     overflow was found in the Linux kernel, version     kernel-2.6.32, in Marvell WiFi chip driver. An attacker     is able to cause a denial of service (system crash) or,     possibly execute arbitrary code, when a STA works in     IBSS mode (allows connecting stations together without     the use of an AP) and connects to another     STA.(CVE-2019-14897)An out-of-bounds memory write issue     was found in the Linux Kernel, version 3.13 through     5.4, in the way the Linux kernel's KVM hypervisor     handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request     to get CPUID features emulated by the KVM hypervisor. A     user or process able to access the '/dev/kvm' device     could use this flaw to crash the system, resulting in a     denial of service.(CVE-2019-19332)Improper invalidation     for page table updates by a virtual guest operating     system for multiple Intel(R) Processors may allow an     authenticated user to potentially enable denial of     service of the host system via local     access.(CVE-2018-12207)In the Android kernel in the     video driver there is a use after free due to a race     condition. This could lead to local escalation of     privilege with no additional execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2019-9458)In the AppleTalk subsystem     in the Linux kernel before 5.1, there is a potential     NULL pointer dereference because register_snap_client     may return NULL. This will lead to denial of service in     net/appletalk/aarp.c and net/appletalk/ddp.c, as     demonstrated by unregister_snap_client, aka     CID-9804501fa122.(CVE-2019-19227)In the Linux kernel     5.0.21, mounting a crafted btrfs filesystem image,     performing some operations, and then making a syncfs     system call can lead to a use-after-free in
    __mutex_lock in kernel/locking/mutex.c. This is related     to mutex_can_spin_on_owner in kernel/locking/mutex.c,
    __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and     btrfs_insert_delayed_items in     fs/btrfs/delayed-inode.c.(CVE-2019-19813)In the Linux     kernel 5.4.0-rc2, there is a use-after-free (read) in     the __blk_add_trace function in kernel/trace/blktrace.c     (which is used to fill out a blk_io_trace structure and     place it in a per-cpu sub-buffer).(CVE-2019-19768)In     the Linux kernel before 5.0.6, there is a NULL pointer     dereference in drop_sysctl_table() in     fs/proc/proc_sysctl.c, related to put_links, aka     CID-23da9588037e.(CVE-2019-20054)In the Linux kernel     before 5.2.9, there is an info-leak bug that can be     caused by a malicious USB device in the drivers/     net/can/usb/peak_usb/pcan_usb_pro.c driver, aka     CID-ead16e53c2f0.(CVE-2019-19536)In the Linux kernel     before 5.3.11, there is an info-leak bug that can be     caused by a malicious USB device in the drivers/     net/can/usb/peak_usb/pcan_usb_core.c driver, aka     CID-f7a1337f0d29.(CVE-2019-19534)In the Linux kernel     before 5.3.6, there is a use-after-free bug that can be     caused by a malicious USB device in the drivers/     net/ieee802154/atusb.c driver, aka     CID-7fd25e6fc035.(CVE-2019-19525)Insufficient access     control in a subsystem for Intel (R) processor graphics     in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM)     Processor Families Intel(R) Pentium(R) Processor J, N,     Silver and Gold Series Intel(R) Celeron(R) Processor J,     N, G3900 and G4900 Series Intel(R) Atom(R) Processor A     and E3900 Series Intel(R) Xeon(R) Processor E3-1500 v5     and v6, E-2100 and E-2200 Processor Families Intel(R)     Graphics Driver for Windows before 26.20.100.6813 (DCH)     or 26.20.100.6812 and before 21.20.x.5077     (aka15.45.5077), i915 Linux Driver for Intel(R)     Processor Graphics before versions 5.4-rc7, 5.3.11,     4.19.84, 4.14.154, 4.9.201, 4.4.201 may allow an     authenticated user to potentially enable escalation of     privilege via local access.(CVE-2019-0155)Insufficient     input validation in Kernel Mode Driver in Intel(R) i915     Graphics for Linux before version 5.0 may allow an     authenticated user to potentially enable escalation of     privilege via local     access.(CVE-2019-11085)kernel/sched/fair.c in the Linux     kernel before 5.3.9, when cpu.cfs_quota_us is used     (e.g., with Kubernetes), allows attackers to cause a     denial of service against non-cpu-bound applications by     generating a workload that triggers unwanted slice     expiration, aka CID-de53fd7aedb1. (In other words,     although this slice expiration would typically be seen     with benign workloads, it is possible that an attacker     could calculate how many stray requests are required to     force an entire Kubernetes cluster into a     low-performance state caused by slice expiration, and     ensure that a DDoS attack sent that number of stray     requests. An attack does not affect the stability of     the kernel it only causes mismanagement of application     execution.)(CVE-2019-19922)The evm_verify_hmac function     in security/integrity/evm/evm_main.c in the Linux     kernel before 4.5 does not properly copy data, which     makes it easier for local users to forge MAC values via     a timing side-channel attack.(CVE-2016-2085)The     pcpu_embed_first_chunk function in mm/percpu.c in the     Linux kernel through 4.14.14 allows local users to     obtain sensitive address information by reading dmesg     data from a 'pages/cpu' printk call.(CVE-2018-5995)TSX     Asynchronous Abort condition on some CPUs utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access.(CVE-2019-11135)An issue was     discovered in drivers/scsi/aacraid/commctrl.c in the     Linux kernel before 4.13. There is potential exposure     of kernel stack memory because aac_send_raw_srb does     not initialize the reply structure.(CVE-2017-18549)An     issue was discovered in drivers/scsi/aacraid/commctrl.c     in the Linux kernel before 4.13. There is potential     exposure of kernel stack memory because     aac_get_hba_info does not initialize the hbainfo     structure.(CVE-2017-18550)In the Linux kernel through     4.15.4, the floppy driver reveals the addresses of     kernel functions and global variables using printk     calls within the function show_floppy in     drivers/block/floppy.c. An attacker can read this     information from dmesg and use the addresses to find     the locations of kernel code and data and bypass kernel     security protections such as KASLR.(CVE-2018-7273)A     heap-based buffer overflow was discovered in the Linux     kernel, all versions 3.x.x and 4.x.x before 4.18.0, in     Marvell WiFi chip driver. The flaw could occur when the     station attempts a connection negotiation during the     handling of the remote devices country settings. This     could allow the remote device to cause a denial of     service (system crash) or possibly execute arbitrary     code.(CVE-2019-14895)The Linux kernel before 5.4.1 on     powerpc allows Information Exposure because the     Spectre-RSB mitigation is not in place for all     applicable CPUs, aka CID-39e72bf96f58. This is related     to arch/powerpc/kernel/entry_64.S and     arch/powerpc/kernel/security.c.(CVE-2019-18660)In the     Linux kernel 5.0.21, mounting a crafted ext4 filesystem     image, performing some operations, and unmounting can     lead to a use-after-free in ext4_put_super in     fs/ext4/super.c, related to dump_orphan_list in     fs/ext4/super.c.(CVE-2019-19447)In the Linux kernel     through 5.4.6, there is a NULL pointer dereference in     drivers/scsi/libsas/sas_discover.c because of     mishandling of port disconnection during discovery,     related to a PHY down race condition, aka     CID-f70267f379b5.(CVE-2019-19965)In the Linux kernel     before 5.1.6, there is a use-after-free in cpia2_exit()     in drivers/media/usb/cpia2/cpia2_v4l.c that will cause     denial of service, aka     CID-dea37a972655.(CVE-2019-19966)An exploitable     denial-of-service vulnerability exists in the Linux     kernel prior to mainline 5.3. An attacker could exploit     this vulnerability by triggering AP to send IAPP     location updates for stations before the required     authentication process has completed. This could lead     to different denial-of-service scenarios, either by     causing CAM table attacks, or by leading to traffic     flapping if faking already existing clients in other     nearby APs of the same wireless infrastructure. An     attacker can forge Authentication and Association     Request packets to trigger this     vulnerability.(CVE-2019-5108)mwifiex_tm_cmd in drivers/     net/wireless/marvell/mwifiex/cfg80211.c in the Linux     kernel before 5.1.6 has some error-handling cases that     did not free allocated hostcmd memory, aka     CID-003b686ace82. This will cause a memory leak and     denial of service.(CVE-2019-20095)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2017-18509

Denis Andzakovic reported a missing type check in the IPv4 multicast routing implementation. A user with the CAP_NET_ADMIN capability (in any user namespace) could use this for denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2018-5995

ADLab of VenusTech discovered that the kernel logged the virtual addresses assigned to per-CPU data, which could make it easier to exploit other vulnerabilities.

CVE-2018-20836

chenxiang reported a race condition in libsas, the kernel subsystem supporting Serial Attached SCSI (SAS) devices, which could lead to a use-after-free. It is not clear how this might be exploited.

CVE-2018-20856

Xiao Jin reported a potential double-free in the block subsystem, in case an error occurs while initialising the I/O scheduler for a block device. It is not clear how this might be exploited.

CVE-2019-1125

It was discovered that most x86 processors could speculatively skip a conditional SWAPGS instruction used when entering the kernel from user mode, and/or could speculatively execute it when it should be skipped.
This is a subtype of Spectre variant 1, which could allow local users to obtain sensitive information from the kernel or other processes. It has been mitigated by using memory barriers to limit speculative execution. Systems using an i386 kernel are not affected as the kernel does not use SWAPGS.

CVE-2019-3882

It was found that the vfio implementation did not limit the number of DMA mappings to device memory. A local user granted ownership of a vfio device could use this to cause a denial of service (out-of-memory condition).

CVE-2019-3900

It was discovered that vhost drivers did not properly control the amount of work done to service requests from guest VMs. A malicious guest could use this to cause a denial of service (unbounded CPU usage) on the host.

CVE-2019-10207

The syzkaller tool found a potential null dereference in various drivers for UART-attached Bluetooth adapters. A local user with access to a pty device or other suitable tty device could use this for denial of service (BUG/oops).

CVE-2019-10638

Amit Klein and Benny Pinkas discovered that the generation of IP packet IDs used a weak hash function, 'jhash'. This could enable tracking individual computers as they communicate with different remote servers and from different networks. The 'siphash' function is now used instead.

CVE-2019-10639

Amit Klein and Benny Pinkas discovered that the generation of IP packet IDs used a weak hash function that incorporated a kernel virtual address. This hash function is no longer used for IP IDs, although it is still used for other purposes in the network stack.

CVE-2019-13631

It was discovered that the gtco driver for USB input tablets could overrun a stack buffer with constant data while parsing the device's descriptor. A physically present user with a specially constructed USB device could use this to cause a denial of service (BUG/oops), or possibly for privilege escalation.

CVE-2019-13648

Praveen Pandey reported that on PowerPC (ppc64el) systems without Transactional Memory (TM), the kernel would still attempt to restore TM state passed to the sigreturn() system call. A local user could use this for denial of service (oops).

CVE-2019-14283

The syzkaller tool found a missing bounds check in the floppy disk driver. A local user with access to a floppy disk device, with a disk present, could use this to read kernel memory beyond the I/O buffer, possibly obtaining sensitive information.

CVE-2019-14284

The syzkaller tool found a potential division-by-zero in the floppy disk driver. A local user with access to a floppy disk device could use this for denial of service (oops).

(CVE ID not yet assigned)

Denis Andzakovic reported a possible use-after-free in the TCP sockets implementation. A local user could use this for denial of service (memory corruption or crash) or possibly for privilege escalation.

(CVE ID not yet assigned)

The netfilter conntrack subsystem used kernel addresses as user-visible IDs, which could make it easier to exploit other security vulnerabilities.

XSA-300

Julien Grall reported that Linux does not limit the amount of memory which a domain will attempt to baloon out, nor limits the amount of 'foreign / grant map' memory which any individual guest can consume, leading to denial of service conditions (for host or guests).

For Debian 8 'Jessie', these problems have been fixed in version 4.9.168-1+deb9u5~deb8u1.

We recommend that you upgrade your linux-4.9 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2015-8553     Jan Beulich discovered that CVE-2015-2150 was not     completely addressed. If a PCI physical function is     passed through to a Xen guest, the guest is able to     access its memory and I/O regions before enabling     decoding of those regions. This could result in a     denial-of-service (unexpected NMI) on the host.

  The fix for this is incompatible with qemu versions before 2.5.

  - CVE-2017-18509     Denis Andzakovic reported a missing type check in the     IPv4 multicast routing implementation. A user with the     CAP_NET_ADMIN capability (in any user namespace) could     use this for denial-of-service (memory corruption or     crash) or possibly for privilege escalation.

  - CVE-2018-5995     ADLab of VenusTech discovered that the kernel logged the     virtual addresses assigned to per-CPU data, which could     make it easier to exploit other vulnerabilities.

  - CVE-2018-20836     chenxiang reported a race condition in libsas, the     kernel subsystem supporting Serial Attached SCSI (SAS)     devices, which could lead to a use-after-free. It is not     clear how this might be exploited.

  - CVE-2018-20856     Xiao Jin reported a potential double-free in the block     subsystem, in case an error occurs while initialising     the I/O scheduler for a block device. It is not clear     how this might be exploited.

  - CVE-2019-1125     It was discovered that most x86 processors could     speculatively skip a conditional SWAPGS instruction used     when entering the kernel from user mode, and/or could     speculatively execute it when it should be skipped. This     is a subtype of Spectre variant 1, which could allow     local users to obtain sensitive information from the     kernel or other processes. It has been mitigated by     using memory barriers to limit speculative execution.
    Systems using an i386 kernel are not affected as the     kernel does not use SWAPGS.

  - CVE-2019-3882     It was found that the vfio implementation did not limit     the number of DMA mappings to device memory. A local     user granted ownership of a vfio device could use this     to cause a denial of service (out-of-memory condition).

  - CVE-2019-3900     It was discovered that vhost drivers did not properly     control the amount of work done to service requests from     guest VMs. A malicious guest could use this to cause a     denial-of-service (unbounded CPU usage) on the host.

  - CVE-2019-10207     The syzkaller tool found a potential null dereference in     various drivers for UART-attached Bluetooth adapters. A     local user with access to a pty device or other suitable     tty device could use this for denial-of-service     (BUG/oops).

  - CVE-2019-10638     Amit Klein and Benny Pinkas discovered that the     generation of IP packet IDs used a weak hash function,     'jhash'. This could enable tracking individual computers     as they communicate with different remote servers and     from different networks. The 'siphash' function is now     used instead.

  - CVE-2019-10639     Amit Klein and Benny Pinkas discovered that the     generation of IP packet IDs used a weak hash function     that incorporated a kernel virtual address. This hash     function is no longer used for IP IDs, although it is     still used for other purposes in the network stack.

  - CVE-2019-13631     It was discovered that the gtco driver for USB input     tablets could overrun a stack buffer with constant data     while parsing the device's descriptor. A physically     present user with a specially constructed USB device     could use this to cause a denial-of-service (BUG/oops),     or possibly for privilege escalation.

  - CVE-2019-13648     Praveen Pandey reported that on PowerPC (ppc64el)     systems without Transactional Memory (TM), the kernel     would still attempt to restore TM state passed to the     sigreturn() system call. A local user could use this for     denial-of-service (oops).

  - CVE-2019-14283     The syzkaller tool found a missing bounds check in the     floppy disk driver. A local user with access to a floppy     disk device, with a disk present, could use this to read     kernel memory beyond the I/O buffer, possibly obtaining     sensitive information.

  - CVE-2019-14284     The syzkaller tool found a potential division-by-zero in     the floppy disk driver. A local user with access to a     floppy disk device could use this for denial-of-service     (oops).

  - CVE-2019-15239     Denis Andzakovic reported a possible use-after-free in     the TCP sockets implementation. A local user could use     this for denial-of-service (memory corruption or crash)     or possibly for privilege escalation.

  - (CVE ID not yet assigned)

    The netfilter conntrack subsystem used kernel addresses     as user-visible IDs, which could make it easier to     exploit other security vulnerabilities.

  - XSA-300

    Julien Grall reported that Linux does not limit the     amount of memory which a domain will attempt to balloon     out, nor limits the amount of 'foreign / grant map'     memory which any individual guest can consume, leading     to denial of service conditions (for host or guests).

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

This updated advisory text adds a note about the need to install new binary packages.

CVE-2018-5995

ADLab of VenusTech discovered that the kernel logged the virtual addresses assigned to per-CPU data, which could make it easier to exploit other vulnerabilities.

CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

Multiple researchers have discovered vulnerabilities in the way that Intel processor designs implement speculative forwarding of data filled into temporary microarchitectural structures (buffers). This flaw could allow an attacker controlling an unprivileged process to read sensitive information, including from the kernel and all other processes running on the system, or across guest/host boundaries to read host memory.

See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/m ds.html for more details.

To fully resolve these vulnerabilities it is also necessary to install updated CPU microcode. An updated intel-microcode package (only available in Debian non-free) was provided via DLA-1789-1. The updated CPU microcode may also be available as part of a system firmware ('BIOS') update.

CVE-2019-2024

A use-after-free bug was discovered in the em28xx video capture driver. Local users might be able to use this for denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-3459, CVE-2019-3460

Shlomi Oberman, Yuli Shapiro, and Karamba Security Ltd. research team discovered missing range checks in the Bluetooth L2CAP implementation.
If Bluetooth is enabled, a nearby attacker could use these to read sensitive information from the kernel.

CVE-2019-3882

It was found that the vfio implementation did not limit the number of DMA mappings to device memory. A local user granted ownership of a vfio device could use this to cause a denial of service (out-of-memory condition).

CVE-2019-3901

Jann Horn of Google reported a race condition that would allow a local user to read performance events from a task after it executes a setuid program. This could leak sensitive information processed by setuid programs. Debian's kernel configuration does not allow unprivileged users to access peformance events by default, which fully mitigates this issue.

CVE-2019-6133

Jann Horn of Google found that Policykit's authentication check could be bypassed by a local user creating a process with the same start time and process ID as an older authenticated process. PolicyKit was already updated to fix this in DLA-1644-1. The kernel has additionally been updated to avoid a delay between assigning start time and process ID, which should make the attack impractical.

CVE-2019-9503

Hugues Anguelkov and others at Quarkslab discovered that the brcmfmac (Broadcom wifi FullMAC) driver did not correctly distinguish messages sent by the wifi firmware from other packets. An attacker using the same wifi network could use this for denial of service or to exploit other vulnerabilities in the driver.

CVE-2019-11190

Robert &#x15A;wi&#x119;cki reported that when a setuid program was executed it was still possible to read performance events while the kernel set up the program's address space. A local user could use this to defeat ASLR in a setuid program, making it easier to exploit other vulnerabilities in the program. Debian's kernel configuration does not allow unprivileged users to access peformance events by default, which fully mitigates this issue.

CVE-2019-11486

Jann Horn of Google reported numerous race conditions in the Siemens R3964 line discipline. A local user could use these to cause unspecified security impact. This module has therefore been disabled.

CVE-2019-11599

Jann Horn of Google reported a race condition in the core dump implementation which could lead to a use-after-free. A local user could use this to read sensitive information, to cause a denial of service (memory corruption), or for privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 3.16.68-1. This version also includes a fix for Debian bug #927781, and other fixes included in upstream stable updates.

We recommend that you upgrade your linux and linux-latest packages.
You will need to use 'apt-get upgrade --with-new-pkgs' or 'apt upgrade' as the binary package names have changed.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - In the Linux kernel through 4.19, a use-after-free can     occur due to a race condition between fanout_add from     setsockopt and bind on an AF_PACKET socket. This issue     exists because of the     15fe076edea787807a7cdc168df832544b58eba6 incomplete fix     for a race condition. The code mishandles a certain     multithreaded case involving a packet_do_bind     unregister action followed by a packet_notifier     register action. Later, packet_release operates on only     one of the two applicable linked lists. The attacker     can achieve Program Counter control.(CVE-2018-18559i1/4%0

  - The acpi_ns_terminate() function in     drivers/acpi/acpica/nsutils.c in the Linux kernel     before 4.12 does not flush the operand cache and causes     a kernel stack dump. A local users could obtain     sensitive information from kernel memory and bypass the     KASLR protection mechanism (in the kernel through 4.9)     via a crafted ACPI table.(CVE-2017-11472i1/4%0

  - Race condition in net/packet/af_packet.c in the Linux     kernel allows local users to cause a denial of service     (use-after-free) or possibly have unspecified other     impact via a multithreaded application that makes     PACKET_FANOUT setsockopt system calls.(CVE-2017-6346i1/4%0

  - Multiple race conditions in ipc/shm.c in the Linux     kernel before 3.12.2 allow local users to cause a     denial of service (use-after-free and system crash) or     possibly have unspecified other impact via a crafted     application that uses shmctl IPC_RMID operations in     conjunction with other shm system     calls.(CVE-2013-7026i1/4%0

  - An issue was discovered in the Linux kernel. A NULL     pointer dereference and panic in hfsplus_lookup() in     the fs/hfsplus/dir.c function can occur when opening a     file (that is purportedly a hard link) in an hfs+     filesystem that has malformed catalog data, and is     mounted read-only without a metadata     directory.(CVE-2018-14617i1/4%0

  - The treo_attach function in drivers/usb/serial/visor.c     in the Linux kernel before 4.5 allows physically     proximate attackers to cause a denial of service (NULL     pointer dereference and system crash) or possibly have     unspecified other impact by inserting a USB device that     lacks a (1) bulk-in or (2) interrupt-in     endpoint.(CVE-2016-2782i1/4%0

  - An information-exposure flaw was found in the Linux     kernel where the pcpu_embed_first_chunk() function in     mm/percpu.c allows local users to obtain kernel-object     address information by reading the kernel log (dmesg).
    However, this address is not static and cannot be used     to commit a further attack.(CVE-2018-5995i1/4%0

  - Buffer overflow in net/ceph/auth_x.c in Ceph, as used     in the Linux kernel before 3.16.3, allows remote     attackers to cause a denial of service (memory     corruption and panic) or possibly have unspecified     other impact via a long unencrypted auth     ticket.(CVE-2014-6416i1/4%0

  - It was found that the Linux kernel's ptrace subsystem     allowed a traced process' instruction pointer to be set     to a non-canonical memory address without forcing the     non-sysret code path when returning to user space. A     local, unprivileged user could use this flaw to crash     the system or, potentially, escalate their privileges     on the system.Note: The CVE-2014-4699 issue only     affected systems using an Intel CPU.(CVE-2014-4699i1/4%0

  - The snd_compr_tstamp function in     sound/core/compress_offload.c in the Linux kernel     through 4.7, as used in Android before 2016-08-05 on     Nexus 5 and 7 (2013) devices, does not properly     initialize a timestamp data structure, which allows     attackers to obtain sensitive information via a crafted     application, aka Android internal bug 28770164 and     Qualcomm internal bug CR568717.(CVE-2014-9892i1/4%0

  - A flaw was found in the way the Linux kernel's ext4     file system handled the 'page size i1/4z block size'     condition when the fallocate zero range functionality     was used. A local attacker could use this flaw to crash     the system.(CVE-2015-0275i1/4%0

  - An information leak flaw was found in the way the Linux     kernel's ISO9660 file system implementation accessed     data on an ISO9660 image with RockRidge Extension     Reference (ER) records. An attacker with physical     access to the system could use this flaw to disclose up     to 255 bytes of kernel memory.(CVE-2014-9584i1/4%0

  - The pivot_root implementation in fs/namespace.c in the     Linux kernel through 3.17 does not properly interact     with certain locations of a chroot directory, which     allows local users to cause a denial of service     (mount-tree loop) via . (dot) values in both arguments     to the pivot_root system call.(CVE-2014-7970i1/4%0

  - arch/x86/kvm/emulate.c in the Linux kernel before     4.8.12 does not properly initialize Code Segment (CS)     in certain error cases, which allows local users to     obtain sensitive information from kernel stack memory     via a crafted application.(CVE-2016-9756i1/4%0

  - A flaw was found in the Linux kernel where the     swiotlb_print_info() function in lib/swiotlb.c allows     local users to obtain some kernel address information     by reading the kernel log (dmesg). This address is not     useful to commit a further attack.(CVE-2018-5953i1/4%0

  - A flaw was found in the way the Linux kernel's file     system implementation handled rename operations in     which the source was inside and the destination was     outside of a bind mount. A privileged user inside a     container could use this flaw to escape the bind mount     and, potentially, escalate their privileges on the     system.(CVE-2015-2925i1/4%0

  - A use-after-free fault in the Linux kernel's usbtv     driver could allow an attacker to cause a denial of     service (system crash), or have unspecified other     impacts, by triggering failure of audio registration of     USB hardware using the usbtv kernel     module.(CVE-2017-17975i1/4%0

  - The mm subsystem in the Linux kernel through 4.10.10     does not properly enforce the CONFIG_STRICT_DEVMEM     protection mechanism, which allows local users to read     or write to kernel memory locations in the first     megabyte (and bypass slab-allocation access     restrictions) via an application that opens the     /dev/mem file, related to arch/x86/mm/init.c and     drivers/char/mem.c.(CVE-2017-7889i1/4%0

  - A flaw was discovered in the way the kernel allows     stackable filesystems to overlay. A local attacker who     is able to mount filesystems can abuse this flaw to     escalate privileges.(CVE-2014-9922i1/4%0

  - sound/core/timer.c in the Linux kernel before 4.4.1     retains certain linked lists after a close or stop     action, which allows local users to cause a denial of     service (system crash) via a crafted ioctl call,     related to the (1) snd_timer_close and (2)
    _snd_timer_stop functions.(CVE-2016-2548i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
141697	EulerOS Virtualization 3.0.2.2 : kernel (EulerOS-SA-2020-2222)	Nessus	Huawei Local Security Checks	high
137316	Photon OS 1.0: Linux PHSA-2020-1.0-0299	Nessus	PhotonOS Local Security Checks	low
133913	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2020-1112)	Nessus	Huawei Local Security Checks	critical
127921	Debian DLA-1885-1 : linux-4.9 security update	Nessus	Debian Local Security Checks	high
127867	Debian DSA-4497-1 : linux - security update	Nessus	Debian Local Security Checks	high
125478	Debian DLA-1799-2 : linux security update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)	Nessus	Debian Local Security Checks	high
124977	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1524)	Nessus	Huawei Local Security Checks	high

CVE-2018-5995

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins