RHSA-2019:2029

RHSA-2019:2043

https://source.android.com/security/bulletin/pixel/2018-09-01

USN-3932-1

USN-3932-2

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has kernel-rt packages installed that are affected by multiple vulnerabilities:

  - A flaw was found in the Linux kernel's NFS41+ subsystem.
    NFS41+ shares mounted in different network namespaces at     the same time can make bc_svc_process() use wrong back-     channel IDs and cause a use-after-free vulnerability.
    Thus a malicious container user can cause a host kernel     memory corruption and a system panic. Due to the nature     of the flaw, privilege escalation cannot be fully ruled     out. (CVE-2018-16884)

  - Insufficient input validation in Kernel Mode Driver in     Intel(R) i915 Graphics for Linux before version 5.0 may     allow an authenticated user to potentially enable     escalation of privilege via local access.
    (CVE-2019-11085)

  - A flaw was found in the Linux kernel's NFS     implementation, all versions 3.x and all versions 4.x up     to 4.20. An attacker, who is able to mount an exported     NFS filesystem, is able to trigger a null pointer     dereference by using an invalid NFS sequence. This can     panic the machine and deny access to the NFS server. Any     outstanding disk writes to the NFS server will be lost.
    (CVE-2018-16871)

  - An issue was discovered in the Linux kernel before     5.0.4. There is a use-after-free upon attempted read     access to /proc/ioports after the ipmi_si module is     removed, related to drivers/char/ipmi/ipmi_si_intf.c,     drivers/char/ipmi/ipmi_si_mem_io.c, and     drivers/char/ipmi/ipmi_si_port_io.c. (CVE-2019-11811)

  - A flaw was found in the way Linux kernel KVM hypervisor     before 4.18 emulated instructions such as     sgdt/sidt/fxsave/fxrstor. It did not check current     privilege(CPL) level while emulating unprivileged     instructions. An unprivileged guest user/process could     use this flaw to potentially escalate privileges inside     guest. (CVE-2018-10853)

  - A flaw was found in the Linux Kernel where an attacker     may be able to have an uncontrolled read to kernel-     memory from within a vm guest. A race condition between     connect() and close() function may allow an attacker     using the AF_VSOCK protocol to gather a 4 byte     information leak or possibly intercept or corrupt     AF_VSOCK messages destined to other clients.
    (CVE-2018-14625)

  - drivers/infiniband/core/ucma.c in the Linux kernel     through 4.17.11 allows ucma_leave_multicast to access a     certain data structure after a cleanup step in     ucma_process_join, which allows attackers to cause a     denial of service (use-after-free). (CVE-2018-14734)

  - arch/x86/kernel/paravirt.c in the Linux kernel before     4.18.1 mishandles certain indirect calls, which makes it     easier for attackers to conduct Spectre-v2 attacks     against paravirtual guests. (CVE-2018-15594)

  - Since Linux kernel version 3.2, the mremap() syscall     performs TLB flushes after dropping pagetable locks. If     a syscall such as ftruncate() removes entries from the     pagetables of a task that is in the middle of mremap(),     a stale TLB entry can remain for a short time that     permits access to a physical page after it has been     released back to the page allocator and reused. This is     fixed in the following kernel versions: 4.9.135,     4.14.78, 4.18.16, 4.19. (CVE-2018-18281)

  - An issue was discovered in the Linux kernel before     4.18.7. In block/blk-core.c, there is an
    __blk_drain_queue() use-after-free because a certain     error case is mishandled. (CVE-2018-20856)

  - In the hidp_process_report in bluetooth, there is an     integer overflow. This could lead to an out of bounds     write with no additional execution privileges needed.
    User interaction is not needed for exploitation.
    Product: Android Versions: Android kernel Android ID:
    A-65853588 References: Upstream kernel. (CVE-2018-9363)

  - In pppol2tp_connect, there is possible memory corruption     due to a use after free. This could lead to local     escalation of privilege with System execution privileges     needed. User interaction is not needed for exploitation.
    Product: Android. Versions: Android kernel. Android ID:
    A-38159931. (CVE-2018-9517)

  - A flaw was found in the Linux kernel. A heap based     buffer overflow in mwifiex_uap_parse_tail_ies function     in drivers/net/wireless/marvell/mwifiex/ie.c might lead     to memory corruption and possibly other consequences.
    (CVE-2019-10126)

  - An information disclosure vulnerability exists when     certain central processing units (CPU) speculatively     access memory, aka 'Windows Kernel Information     Disclosure Vulnerability'. This CVE ID is unique from     CVE-2019-1071, CVE-2019-1073. (CVE-2019-1125)

  - The coredump implementation in the Linux kernel before     5.0.10 does not use locking or other mechanisms to     prevent vma layout or vma flags changes while it runs,     which allows local users to obtain sensitive     information, cause a denial of service, or possibly have     unspecified other impact by triggering a race condition     with mmget_not_zero or get_task_mm calls. This is     related to fs/userfaultfd.c, mm/mmap.c,     fs/proc/task_mmu.c, and     drivers/infiniband/core/uverbs_main.c. (CVE-2019-11599)

  - An issue was discovered in the Linux kernel before     5.0.7. A NULL pointer dereference can occur when     megasas_create_frame_pool() fails in     megasas_alloc_cmds() in     drivers/scsi/megaraid/megaraid_sas_base.c. This causes a     Denial of Service, related to a use-after-free.
    (CVE-2019-11810)

  - fs/ext4/extents.c in the Linux kernel through 5.1.2 does     not zero out the unused memory region in the extent tree     block, which might allow local users to obtain sensitive     information by reading uninitialized data in the     filesystem. (CVE-2019-11833)

  - An out-of-bounds access issue was found in the Linux     kernel, all versions through 5.3, in the way Linux     kernel's KVM hypervisor implements the Coalesced MMIO     write operation. It operates on an MMIO ring buffer     'struct kvm_coalesced_mmio' object, wherein write     indices 'ring->first' and 'ring->last' value could be     supplied by a host user-space process. An unprivileged     host user or process with access to '/dev/kvm' device     could use this flaw to crash the host kernel, resulting     in a denial of service or potentially escalating     privileges on the system. (CVE-2019-14821)

  - A buffer overflow flaw was found, in versions from     2.6.34 to 5.2.x, in the way Linux kernel's vhost     functionality that translates virtqueue buffers to IOVs,     logged the buffer descriptors during migration. A     privileged guest user able to pass descriptors with     invalid length to the host when migration is underway,     could use this flaw to increase their privileges on the     host. (CVE-2019-14835)

  - A heap address information leak while using     L2CAP_GET_CONF_OPT was discovered in the Linux kernel     before 5.1-rc1. (CVE-2019-3459)

  - A heap data infoleak in multiple locations including     L2CAP_PARSE_CONF_RSP was found in the Linux kernel     before 5.1-rc1. (CVE-2019-3460)

  - A flaw that allowed an attacker to corrupt memory and     possibly escalate privileges was found in the mwifiex     kernel module while connecting to a malicious wireless     network. (CVE-2019-3846)

  - A flaw was found in the Linux kernel's vfio interface     implementation that permits violation of the user's     locked memory limit. If a device is bound to a vfio     driver, such as vfio-pci, and the local attacker is     administratively granted ownership of the device, it may     cause a system memory exhaustion and thus a denial of     service (DoS). Versions 3.10, 4.14 and 4.18 are     vulnerable. (CVE-2019-3882)

  - An infinite loop issue was found in the vhost_net kernel     module in Linux Kernel up to and including v5.1-rc6,     while handling incoming packets in handle_rx(). It could     occur if one end sends packets faster than the other end     can process them. A guest user, maybe remote one, could     use this flaw to stall the vhost_net kernel thread,     resulting in a DoS scenario. (CVE-2019-3900)

  - The mincore() implementation in mm/mincore.c in the     Linux kernel through 4.19.13 allowed local attackers to     observe page cache access patterns of other processes on     the same system, potentially allowing sniffing of secret     information. (Fixing this affects the output of the     fincore program.) Limited remote exploitation may be     possible, as demonstrated by latency differences in     accessing public files from an Apache HTTP Server.
    (CVE-2019-5489)

  - The Bluetooth BR/EDR specification up to and including     version 5.1 permits sufficiently low encryption key     length and does not prevent an attacker from influencing     the key length negotiation. This allows practical brute-     force attacks (aka KNOB) that can decrypt traffic and     inject arbitrary ciphertext without the victim noticing.
    (CVE-2019-9506)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has kernel packages installed that are affected by multiple vulnerabilities:

  - A flaw was found in the Linux kernel's NFS41+ subsystem.
    NFS41+ shares mounted in different network namespaces at     the same time can make bc_svc_process() use wrong back-     channel IDs and cause a use-after-free vulnerability.
    Thus a malicious container user can cause a host kernel     memory corruption and a system panic. Due to the nature     of the flaw, privilege escalation cannot be fully ruled     out. (CVE-2018-16884)

  - Insufficient input validation in Kernel Mode Driver in     Intel(R) i915 Graphics for Linux before version 5.0 may     allow an authenticated user to potentially enable     escalation of privilege via local access.
    (CVE-2019-11085)

  - A flaw was found in the Linux kernel's NFS     implementation, all versions 3.x and all versions 4.x up     to 4.20. An attacker, who is able to mount an exported     NFS filesystem, is able to trigger a null pointer     dereference by using an invalid NFS sequence. This can     panic the machine and deny access to the NFS server. Any     outstanding disk writes to the NFS server will be lost.
    (CVE-2018-16871)

  - An issue was discovered in the Linux kernel before     5.0.4. There is a use-after-free upon attempted read     access to /proc/ioports after the ipmi_si module is     removed, related to drivers/char/ipmi/ipmi_si_intf.c,     drivers/char/ipmi/ipmi_si_mem_io.c, and     drivers/char/ipmi/ipmi_si_port_io.c. (CVE-2019-11811)

  - A flaw was found in the way Linux kernel KVM hypervisor     before 4.18 emulated instructions such as     sgdt/sidt/fxsave/fxrstor. It did not check current     privilege(CPL) level while emulating unprivileged     instructions. An unprivileged guest user/process could     use this flaw to potentially escalate privileges inside     guest. (CVE-2018-10853)

  - A flaw was found in the Linux Kernel where an attacker     may be able to have an uncontrolled read to kernel-     memory from within a vm guest. A race condition between     connect() and close() function may allow an attacker     using the AF_VSOCK protocol to gather a 4 byte     information leak or possibly intercept or corrupt     AF_VSOCK messages destined to other clients.
    (CVE-2018-14625)

  - drivers/infiniband/core/ucma.c in the Linux kernel     through 4.17.11 allows ucma_leave_multicast to access a     certain data structure after a cleanup step in     ucma_process_join, which allows attackers to cause a     denial of service (use-after-free). (CVE-2018-14734)

  - arch/x86/kernel/paravirt.c in the Linux kernel before     4.18.1 mishandles certain indirect calls, which makes it     easier for attackers to conduct Spectre-v2 attacks     against paravirtual guests. (CVE-2018-15594)

  - Since Linux kernel version 3.2, the mremap() syscall     performs TLB flushes after dropping pagetable locks. If     a syscall such as ftruncate() removes entries from the     pagetables of a task that is in the middle of mremap(),     a stale TLB entry can remain for a short time that     permits access to a physical page after it has been     released back to the page allocator and reused. This is     fixed in the following kernel versions: 4.9.135,     4.14.78, 4.18.16, 4.19. (CVE-2018-18281)

  - An issue was discovered in the Linux kernel before     4.18.7. In block/blk-core.c, there is an
    __blk_drain_queue() use-after-free because a certain     error case is mishandled. (CVE-2018-20856)

  - In the hidp_process_report in bluetooth, there is an     integer overflow. This could lead to an out of bounds     write with no additional execution privileges needed.
    User interaction is not needed for exploitation.
    Product: Android Versions: Android kernel Android ID:
    A-65853588 References: Upstream kernel. (CVE-2018-9363)

  - In pppol2tp_connect, there is possible memory corruption     due to a use after free. This could lead to local     escalation of privilege with System execution privileges     needed. User interaction is not needed for exploitation.
    Product: Android. Versions: Android kernel. Android ID:
    A-38159931. (CVE-2018-9517)

  - A flaw was found in the Linux kernel. A heap based     buffer overflow in mwifiex_uap_parse_tail_ies function     in drivers/net/wireless/marvell/mwifiex/ie.c might lead     to memory corruption and possibly other consequences.
    (CVE-2019-10126)

  - An information disclosure vulnerability exists when     certain central processing units (CPU) speculatively     access memory, aka 'Windows Kernel Information     Disclosure Vulnerability'. This CVE ID is unique from     CVE-2019-1071, CVE-2019-1073. (CVE-2019-1125)

  - The coredump implementation in the Linux kernel before     5.0.10 does not use locking or other mechanisms to     prevent vma layout or vma flags changes while it runs,     which allows local users to obtain sensitive     information, cause a denial of service, or possibly have     unspecified other impact by triggering a race condition     with mmget_not_zero or get_task_mm calls. This is     related to fs/userfaultfd.c, mm/mmap.c,     fs/proc/task_mmu.c, and     drivers/infiniband/core/uverbs_main.c. (CVE-2019-11599)

  - An issue was discovered in the Linux kernel before     5.0.7. A NULL pointer dereference can occur when     megasas_create_frame_pool() fails in     megasas_alloc_cmds() in     drivers/scsi/megaraid/megaraid_sas_base.c. This causes a     Denial of Service, related to a use-after-free.
    (CVE-2019-11810)

  - fs/ext4/extents.c in the Linux kernel through 5.1.2 does     not zero out the unused memory region in the extent tree     block, which might allow local users to obtain sensitive     information by reading uninitialized data in the     filesystem. (CVE-2019-11833)

  - An out-of-bounds access issue was found in the Linux     kernel, all versions through 5.3, in the way Linux     kernel's KVM hypervisor implements the Coalesced MMIO     write operation. It operates on an MMIO ring buffer     'struct kvm_coalesced_mmio' object, wherein write     indices 'ring->first' and 'ring->last' value could be     supplied by a host user-space process. An unprivileged     host user or process with access to '/dev/kvm' device     could use this flaw to crash the host kernel, resulting     in a denial of service or potentially escalating     privileges on the system. (CVE-2019-14821)

  - A buffer overflow flaw was found, in versions from     2.6.34 to 5.2.x, in the way Linux kernel's vhost     functionality that translates virtqueue buffers to IOVs,     logged the buffer descriptors during migration. A     privileged guest user able to pass descriptors with     invalid length to the host when migration is underway,     could use this flaw to increase their privileges on the     host. (CVE-2019-14835)

  - A heap address information leak while using     L2CAP_GET_CONF_OPT was discovered in the Linux kernel     before 5.1-rc1. (CVE-2019-3459)

  - A heap data infoleak in multiple locations including     L2CAP_PARSE_CONF_RSP was found in the Linux kernel     before 5.1-rc1. (CVE-2019-3460)

  - A flaw that allowed an attacker to corrupt memory and     possibly escalate privileges was found in the mwifiex     kernel module while connecting to a malicious wireless     network. (CVE-2019-3846)

  - A flaw was found in the Linux kernel's vfio interface     implementation that permits violation of the user's     locked memory limit. If a device is bound to a vfio     driver, such as vfio-pci, and the local attacker is     administratively granted ownership of the device, it may     cause a system memory exhaustion and thus a denial of     service (DoS). Versions 3.10, 4.14 and 4.18 are     vulnerable. (CVE-2019-3882)

  - An infinite loop issue was found in the vhost_net kernel     module in Linux Kernel up to and including v5.1-rc6,     while handling incoming packets in handle_rx(). It could     occur if one end sends packets faster than the other end     can process them. A guest user, maybe remote one, could     use this flaw to stall the vhost_net kernel thread,     resulting in a DoS scenario. (CVE-2019-3900)

  - The mincore() implementation in mm/mincore.c in the     Linux kernel through 4.19.13 allowed local attackers to     observe page cache access patterns of other processes on     the same system, potentially allowing sniffing of secret     information. (Fixing this affects the output of the     fincore program.) Limited remote exploitation may be     possible, as demonstrated by latency differences in     accessing public files from an Apache HTTP Server.
    (CVE-2019-5489)

  - The Bluetooth BR/EDR specification up to and including     version 5.1 permits sufficiently low encryption key     length and does not prevent an attacker from influencing     the key length negotiation. This allows practical brute-     force attacks (aka KNOB) that can decrypt traffic and     inject arbitrary ciphertext without the victim noticing.
    (CVE-2019-9506)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected by multiple vulnerabilities:

  - A flaw was found in the way Linux kernel KVM hypervisor     before 4.18 emulated instructions such as     sgdt/sidt/fxsave/fxrstor. It did not check current     privilege(CPL) level while emulating unprivileged     instructions. An unprivileged guest user/process could     use this flaw to potentially escalate privileges inside     guest. (CVE-2018-10853)

  - A flaw was found in the Linux Kernel where an attacker     may be able to have an uncontrolled read to kernel-     memory from within a vm guest. A race condition between     connect() and close() function may allow an attacker     using the AF_VSOCK protocol to gather a 4 byte     information leak or possibly intercept or corrupt     AF_VSOCK messages destined to other clients.
    (CVE-2018-14625)

  - drivers/infiniband/core/ucma.c in the Linux kernel     through 4.17.11 allows ucma_leave_multicast to access a     certain data structure after a cleanup step in     ucma_process_join, which allows attackers to cause a     denial of service (use-after-free). (CVE-2018-14734)

  - arch/x86/kernel/paravirt.c in the Linux kernel before     4.18.1 mishandles certain indirect calls, which makes it     easier for attackers to conduct Spectre-v2 attacks     against paravirtual guests. (CVE-2018-15594)

  - A flaw was found in the Linux kernel's NFS     implementation, all versions 3.x and all versions 4.x up     to 4.20. An attacker, who is able to mount an exported     NFS filesystem, is able to trigger a null pointer     dereference by using an invalid NFS sequence. This can     panic the machine and deny access to the NFS server. Any     outstanding disk writes to the NFS server will be lost.
    (CVE-2018-16871)

  - A flaw was found in the Linux kernel's NFS41+ subsystem.
    NFS41+ shares mounted in different network namespaces at     the same time can make bc_svc_process() use wrong back-     channel IDs and cause a use-after-free vulnerability.
    Thus a malicious container user can cause a host kernel     memory corruption and a system panic. Due to the nature     of the flaw, privilege escalation cannot be fully ruled     out. (CVE-2018-16884)

  - Since Linux kernel version 3.2, the mremap() syscall     performs TLB flushes after dropping pagetable locks. If     a syscall such as ftruncate() removes entries from the     pagetables of a task that is in the middle of mremap(),     a stale TLB entry can remain for a short time that     permits access to a physical page after it has been     released back to the page allocator and reused. This is     fixed in the following kernel versions: 4.9.135,     4.14.78, 4.18.16, 4.19. (CVE-2018-18281)

  - In the hidp_process_report in bluetooth, there is an     integer overflow. This could lead to an out of bounds     write with no additional execution privileges needed.
    User interaction is not needed for exploitation.
    Product: Android Versions: Android kernel Android ID:
    A-65853588 References: Upstream kernel. (CVE-2018-9363)

  - In pppol2tp_connect, there is possible memory corruption     due to a use after free. This could lead to local     escalation of privilege with System execution privileges     needed. User interaction is not needed for exploitation.
    Product: Android. Versions: Android kernel. Android ID:
    A-38159931. (CVE-2018-9517)

  - Insufficient input validation in Kernel Mode Driver in     Intel(R) i915 Graphics for Linux before version 5.0 may     allow an authenticated user to potentially enable     escalation of privilege via local access.
    (CVE-2019-11085)

  - The coredump implementation in the Linux kernel before     5.0.10 does not use locking or other mechanisms to     prevent vma layout or vma flags changes while it runs,     which allows local users to obtain sensitive     information, cause a denial of service, or possibly have     unspecified other impact by triggering a race condition     with mmget_not_zero or get_task_mm calls. This is     related to fs/userfaultfd.c, mm/mmap.c,     fs/proc/task_mmu.c, and     drivers/infiniband/core/uverbs_main.c. (CVE-2019-11599)

  - An issue was discovered in the Linux kernel before     5.0.7. A NULL pointer dereference can occur when     megasas_create_frame_pool() fails in     megasas_alloc_cmds() in     drivers/scsi/megaraid/megaraid_sas_base.c. This causes a     Denial of Service, related to a use-after-free.
    (CVE-2019-11810)

  - An issue was discovered in the Linux kernel before     5.0.4. There is a use-after-free upon attempted read     access to /proc/ioports after the ipmi_si module is     removed, related to drivers/char/ipmi/ipmi_si_intf.c,     drivers/char/ipmi/ipmi_si_mem_io.c, and     drivers/char/ipmi/ipmi_si_port_io.c. (CVE-2019-11811)

  - fs/ext4/extents.c in the Linux kernel through 5.1.2 does     not zero out the unused memory region in the extent tree     block, which might allow local users to obtain sensitive     information by reading uninitialized data in the     filesystem. (CVE-2019-11833)

  - A heap address information leak while using     L2CAP_GET_CONF_OPT was discovered in the Linux kernel     before 5.1-rc1. (CVE-2019-3459)

  - A heap data infoleak in multiple locations including     L2CAP_PARSE_CONF_RSP was found in the Linux kernel     before 5.1-rc1. (CVE-2019-3460)

  - A flaw was found in the Linux kernel's vfio interface     implementation that permits violation of the user's     locked memory limit. If a device is bound to a vfio     driver, such as vfio-pci, and the local attacker is     administratively granted ownership of the device, it may     cause a system memory exhaustion and thus a denial of     service (DoS). Versions 3.10, 4.14 and 4.18 are     vulnerable. (CVE-2019-3882)

  - An infinite loop issue was found in the vhost_net kernel     module in Linux Kernel up to and including v5.1-rc6,     while handling incoming packets in handle_rx(). It could     occur if one end sends packets faster than the other end     can process them. A guest user, maybe remote one, could     use this flaw to stall the vhost_net kernel thread,     resulting in a DoS scenario. (CVE-2019-3900)

  - The mincore() implementation in mm/mincore.c in the     Linux kernel through 4.19.13 allowed local attackers to     observe page cache access patterns of other processes on     the same system, potentially allowing sniffing of secret     information. (Fixing this affects the output of the     fincore program.) Limited remote exploitation may be     possible, as demonstrated by latency differences in     accessing public files from an Apache HTTP Server.
    (CVE-2019-5489)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities:

  - A flaw was found in the way Linux kernel KVM hypervisor     before 4.18 emulated instructions such as     sgdt/sidt/fxsave/fxrstor. It did not check current     privilege(CPL) level while emulating unprivileged     instructions. An unprivileged guest user/process could     use this flaw to potentially escalate privileges inside     guest. (CVE-2018-10853)

  - A flaw was found in the Linux Kernel where an attacker     may be able to have an uncontrolled read to kernel-     memory from within a vm guest. A race condition between     connect() and close() function may allow an attacker     using the AF_VSOCK protocol to gather a 4 byte     information leak or possibly intercept or corrupt     AF_VSOCK messages destined to other clients.
    (CVE-2018-14625)

  - drivers/infiniband/core/ucma.c in the Linux kernel     through 4.17.11 allows ucma_leave_multicast to access a     certain data structure after a cleanup step in     ucma_process_join, which allows attackers to cause a     denial of service (use-after-free). (CVE-2018-14734)

  - arch/x86/kernel/paravirt.c in the Linux kernel before     4.18.1 mishandles certain indirect calls, which makes it     easier for attackers to conduct Spectre-v2 attacks     against paravirtual guests. (CVE-2018-15594)

  - A flaw was found in the Linux kernel's NFS     implementation, all versions 3.x and all versions 4.x up     to 4.20. An attacker, who is able to mount an exported     NFS filesystem, is able to trigger a null pointer     dereference by using an invalid NFS sequence. This can     panic the machine and deny access to the NFS server. Any     outstanding disk writes to the NFS server will be lost.
    (CVE-2018-16871)

  - A flaw was found in the Linux kernel's NFS41+ subsystem.
    NFS41+ shares mounted in different network namespaces at     the same time can make bc_svc_process() use wrong back-     channel IDs and cause a use-after-free vulnerability.
    Thus a malicious container user can cause a host kernel     memory corruption and a system panic. Due to the nature     of the flaw, privilege escalation cannot be fully ruled     out. (CVE-2018-16884)

  - Since Linux kernel version 3.2, the mremap() syscall     performs TLB flushes after dropping pagetable locks. If     a syscall such as ftruncate() removes entries from the     pagetables of a task that is in the middle of mremap(),     a stale TLB entry can remain for a short time that     permits access to a physical page after it has been     released back to the page allocator and reused. This is     fixed in the following kernel versions: 4.9.135,     4.14.78, 4.18.16, 4.19. (CVE-2018-18281)

  - In the hidp_process_report in bluetooth, there is an     integer overflow. This could lead to an out of bounds     write with no additional execution privileges needed.
    User interaction is not needed for exploitation.
    Product: Android Versions: Android kernel Android ID:
    A-65853588 References: Upstream kernel. (CVE-2018-9363)

  - In pppol2tp_connect, there is possible memory corruption     due to a use after free. This could lead to local     escalation of privilege with System execution privileges     needed. User interaction is not needed for exploitation.
    Product: Android. Versions: Android kernel. Android ID:
    A-38159931. (CVE-2018-9517)

  - Insufficient input validation in Kernel Mode Driver in     Intel(R) i915 Graphics for Linux before version 5.0 may     allow an authenticated user to potentially enable     escalation of privilege via local access.
    (CVE-2019-11085)

  - The coredump implementation in the Linux kernel before     5.0.10 does not use locking or other mechanisms to     prevent vma layout or vma flags changes while it runs,     which allows local users to obtain sensitive     information, cause a denial of service, or possibly have     unspecified other impact by triggering a race condition     with mmget_not_zero or get_task_mm calls. This is     related to fs/userfaultfd.c, mm/mmap.c,     fs/proc/task_mmu.c, and     drivers/infiniband/core/uverbs_main.c. (CVE-2019-11599)

  - An issue was discovered in the Linux kernel before     5.0.7. A NULL pointer dereference can occur when     megasas_create_frame_pool() fails in     megasas_alloc_cmds() in     drivers/scsi/megaraid/megaraid_sas_base.c. This causes a     Denial of Service, related to a use-after-free.
    (CVE-2019-11810)

  - An issue was discovered in the Linux kernel before     5.0.4. There is a use-after-free upon attempted read     access to /proc/ioports after the ipmi_si module is     removed, related to drivers/char/ipmi/ipmi_si_intf.c,     drivers/char/ipmi/ipmi_si_mem_io.c, and     drivers/char/ipmi/ipmi_si_port_io.c. (CVE-2019-11811)

  - fs/ext4/extents.c in the Linux kernel through 5.1.2 does     not zero out the unused memory region in the extent tree     block, which might allow local users to obtain sensitive     information by reading uninitialized data in the     filesystem. (CVE-2019-11833)

  - A heap address information leak while using     L2CAP_GET_CONF_OPT was discovered in the Linux kernel     before 5.1-rc1. (CVE-2019-3459)

  - A heap data infoleak in multiple locations including     L2CAP_PARSE_CONF_RSP was found in the Linux kernel     before 5.1-rc1. (CVE-2019-3460)

  - A flaw was found in the Linux kernel's vfio interface     implementation that permits violation of the user's     locked memory limit. If a device is bound to a vfio     driver, such as vfio-pci, and the local attacker is     administratively granted ownership of the device, it may     cause a system memory exhaustion and thus a denial of     service (DoS). Versions 3.10, 4.14 and 4.18 are     vulnerable. (CVE-2019-3882)

  - An infinite loop issue was found in the vhost_net kernel     module in Linux Kernel up to and including v5.1-rc6,     while handling incoming packets in handle_rx(). It could     occur if one end sends packets faster than the other end     can process them. A guest user, maybe remote one, could     use this flaw to stall the vhost_net kernel thread,     resulting in a DoS scenario. (CVE-2019-3900)

  - The mincore() implementation in mm/mincore.c in the     Linux kernel through 4.19.13 allowed local attackers to     observe page cache access patterns of other processes on     the same system, potentially allowing sniffing of secret     information. (Fixing this affects the output of the     fincore program.) Limited remote exploitation may be     possible, as demonstrated by latency differences in     accessing public files from an Apache HTTP Server.
    (CVE-2019-5489)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900)

* Kernel: page cache side channel attacks (CVE-2019-5489)

* kernel: Buffer overflow in hidp_process_report (CVE-2018-9363)

* kernel: l2tp: Race condition between pppol2tp_session_create() and l2tp_eth_create() (CVE-2018-9517)

* kernel: kvm: guest userspace to guest kernel write (CVE-2018-10853)

* kernel: use-after-free Read in vhost_transport_send_pkt (CVE-2018-14625)

* kernel: use-after-free in ucma_leave_multicast in drivers/infiniband/core/ ucma.c (CVE-2018-14734)

* kernel: Mishandling of indirect calls weakens Spectre mitigation for paravirtual guests (CVE-2018-15594)

* kernel: TLB flush happens too late on mremap (CVE-2018-18281)

* kernel: Heap address information leak while using L2CAP_GET_CONF_OPT (CVE-2019-3459)

* kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP (CVE-2019-3460)

* kernel: denial of service vector through vfio DMA mappings (CVE-2019-3882)

* kernel: fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599)

* kernel: a NULL pointer dereference in drivers/scsi/megaraid/ megaraid_sas_base.c leading to DoS (CVE-2019-11810)

* kernel: fs/ext4/extents.c leads to information disclosure (CVE-2019-11833)

* kernel: Information exposure in fd_locked_ioctl function in drivers/block/ floppy.c (CVE-2018-7755)

* kernel: Memory leak in drivers/net/wireless/ mac80211_hwsim.c:hwsim_new_radio_nl() can lead to potential denial of service (CVE-2018-8087)

* kernel: HID: debug: Buffer overflow in hid_debug_events_read() in drivers/ hid/hid-debug.c (CVE-2018-9516)

* kernel: Integer overflow in the alarm_timer_nsleep function (CVE-2018-13053)

* kernel: NULL pointer dereference in lookup_slow function (CVE-2018-13093)

* kernel: NULL pointer dereference in xfs_da_shrink_inode function (CVE-2018-13094)

* kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c (CVE-2018-13095)

* kernel: Information leak in cdrom_ioctl_drive_status (CVE-2018-16658)

* kernel: out-of-bound read in memcpy_fromiovecend() (CVE-2018-16885)

* Kernel: KVM: leak of uninitialized stack contents to guest (CVE-2019-7222)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Security Fix(es) :

  - Kernel: vhost_net: infinite loop while receiving packets     leads to DoS (CVE-2019-3900)

  - Kernel: page cache side channel attacks (CVE-2019-5489)

  - kernel: Buffer overflow in hidp_process_report     (CVE-2018-9363)

  - kernel: l2tp: Race condition between     pppol2tp_session_create() and l2tp_eth_create()     (CVE-2018-9517)

  - kernel: kvm: guest userspace to guest kernel write     (CVE-2018-10853)

  - kernel: use-after-free Read in vhost_transport_send_pkt     (CVE-2018-14625)

  - kernel: use-after-free in ucma_leave_multicast in     drivers/infiniband/core/ucma.c (CVE-2018-14734)

  - kernel: Mishandling of indirect calls weakens Spectre     mitigation for paravirtual guests (CVE-2018-15594)

  - kernel: TLB flush happens too late on mremap     (CVE-2018-18281)

  - kernel: Heap address information leak while using     L2CAP_GET_CONF_OPT (CVE-2019-3459)

  - kernel: Heap address information leak while using     L2CAP_PARSE_CONF_RSP (CVE-2019-3460)

  - kernel: denial of service vector through vfio DMA     mappings (CVE-2019-3882)

  - kernel: fix race condition between     mmget_not_zero()/get_task_mm() and core dumping     (CVE-2019-11599)

  - kernel: a NULL pointer dereference in     drivers/scsi/megaraid/megaraid_sas_base.c leading to DoS     (CVE-2019-11810)

  - kernel: fs/ext4/extents.c leads to information     disclosure (CVE-2019-11833)

  - kernel: Information exposure in fd_locked_ioctl function     in drivers/block/floppy.c (CVE-2018-7755)

  - kernel: Memory leak in     drivers/net/wireless/mac80211_hwsim.c:hwsim_new_radio_nl     () can lead to potential denial of service     (CVE-2018-8087)

  - kernel: HID: debug: Buffer overflow in     hid_debug_events_read() in drivers/hid/hid-debug.c     (CVE-2018-9516)

  - kernel: Integer overflow in the alarm_timer_nsleep     function (CVE-2018-13053)

  - kernel: NULL pointer dereference in lookup_slow function     (CVE-2018-13093)

  - kernel: NULL pointer dereference in xfs_da_shrink_inode     function (CVE-2018-13094)

  - kernel: NULL pointer dereference in     fs/xfs/libxfs/xfs_inode_buf.c (CVE-2018-13095)

  - kernel: Information leak in cdrom_ioctl_drive_status     (CVE-2018-16658)

  - kernel: out-of-bound read in memcpy_fromiovecend()     (CVE-2018-16885)

  - Kernel: KVM: leak of uninitialized stack contents to     guest (CVE-2019-7222)

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900)

* Kernel: page cache side channel attacks (CVE-2019-5489)

* kernel: Buffer overflow in hidp_process_report (CVE-2018-9363)

* kernel: l2tp: Race condition between pppol2tp_session_create() and l2tp_eth_create() (CVE-2018-9517)

* kernel: kvm: guest userspace to guest kernel write (CVE-2018-10853)

* kernel: use-after-free Read in vhost_transport_send_pkt (CVE-2018-14625)

* kernel: use-after-free in ucma_leave_multicast in drivers/infiniband/core/ ucma.c (CVE-2018-14734)

* kernel: Mishandling of indirect calls weakens Spectre mitigation for paravirtual guests (CVE-2018-15594)

* kernel: TLB flush happens too late on mremap (CVE-2018-18281)

* kernel: Heap address information leak while using L2CAP_GET_CONF_OPT (CVE-2019-3459)

* kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP (CVE-2019-3460)

* kernel: denial of service vector through vfio DMA mappings (CVE-2019-3882)

* kernel: fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599)

* kernel: a NULL pointer dereference in drivers/scsi/megaraid/ megaraid_sas_base.c leading to DoS (CVE-2019-11810)

* kernel: fs/ext4/extents.c leads to information disclosure (CVE-2019-11833)

* kernel: Information exposure in fd_locked_ioctl function in drivers/block/ floppy.c (CVE-2018-7755)

* kernel: Memory leak in drivers/net/wireless/ mac80211_hwsim.c:hwsim_new_radio_nl() can lead to potential denial of service (CVE-2018-8087)

* kernel: HID: debug: Buffer overflow in hid_debug_events_read() in drivers/ hid/hid-debug.c (CVE-2018-9516)

* kernel: Integer overflow in the alarm_timer_nsleep function (CVE-2018-13053)

* kernel: NULL pointer dereference in lookup_slow function (CVE-2018-13093)

* kernel: NULL pointer dereference in xfs_da_shrink_inode function (CVE-2018-13094)

* kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c (CVE-2018-13095)

* kernel: Information leak in cdrom_ioctl_drive_status (CVE-2018-16658)

* kernel: out-of-bound read in memcpy_fromiovecend() (CVE-2018-16885)

* Kernel: KVM: leak of uninitialized stack contents to guest (CVE-2019-7222)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

USN-3932-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that a race condition existed in the f2fs file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18249)

Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616)

Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata.
An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613)

Vasily Averin and Evgenii Shatokhin discovered that a use-after-free vulnerability existed in the NFS41+ subsystem when multiple network namespaces are in use. A local attacker in a container could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16884)

It was discovered that a use-after-free vulnerability existed in the PPP over L2TP implementation in the Linux kernel. A privileged local attacker could use this to possibly execute arbitrary code.
(CVE-2018-9517)

Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel.
An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460)

Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974)

Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221)

Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM).
(CVE-2019-7222)

Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213)

Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701)

Vladis Dronov discovered that the debug interface for the Linux kernel's HID subsystem did not properly validate passed parameters in some situations. A local privileged attacker could use this to cause a denial of service (infinite loop). (CVE-2019-3819).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that a race condition existed in the f2fs file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18249)

Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616)

Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata.
An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613)

Vasily Averin and Evgenii Shatokhin discovered that a use-after-free vulnerability existed in the NFS41+ subsystem when multiple network namespaces are in use. A local attacker in a container could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16884)

It was discovered that a use-after-free vulnerability existed in the PPP over L2TP implementation in the Linux kernel. A privileged local attacker could use this to possibly execute arbitrary code.
(CVE-2018-9517)

Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel.
An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460)

Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974)

Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221)

Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM).
(CVE-2019-7222)

Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213)

Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701)

Vladis Dronov discovered that the debug interface for the Linux kernel's HID subsystem did not properly validate passed parameters in some situations. A local privileged attacker could use this to cause a denial of service (infinite loop). (CVE-2019-3819).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
132495	NewStart CGSL CORE 5.05 / MAIN 5.05 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0253)	Nessus	NewStart CGSL Local Security Checks	critical
132474	NewStart CGSL CORE 5.05 / MAIN 5.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0247)	Nessus	NewStart CGSL Local Security Checks	critical
129920	NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0183)	Nessus	NewStart CGSL Local Security Checks	critical
129900	NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0180)	Nessus	NewStart CGSL Local Security Checks	critical
128651	CentOS 7 : kernel (CESA-2019:2029)	Nessus	CentOS Local Security Checks	high
128226	Scientific Linux Security Update : kernel on SL7.x x86_64	Nessus	Scientific Linux Local Security Checks	high
127655	RHEL 7 : kernel-rt (RHSA-2019:2043)	Nessus	Red Hat Local Security Checks	high
127650	RHEL 7 : kernel (RHSA-2019:2029)	Nessus	Red Hat Local Security Checks	high
123681	Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3932-2)	Nessus	Ubuntu Local Security Checks	high
123680	Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3932-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2018-9517

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins