JVN#75617741

http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html

108777

[debian-lts-announce] 20190914 [SECURITY] [DLA 1919-1] linux-4.9 security update

[debian-lts-announce] 20190915 [SECURITY] [DLA 1919-2] linux-4.9 security update

[debian-lts-announce] 20190925 [SECURITY] [DLA 1930-1] linux security update

https://support.lenovo.com/us/en/product_security/LEN-27828

USN-4115-1

USN-4118-1

USN-4145-1

USN-4147-1

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00232.html

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc. Security Fix(es):An issue was discovered     in the Linux kernel before 5.2.3. There is a     use-after-free caused by a malicious USB device in the     drivers/media/usb/dvb-usb/dvb-usb-init.c     driver.(CVE-2019-15213)An issue was discovered in the     Linux kernel before 5.2.6. There is a use-after-free     caused by a malicious USB device in the     drivers/media/usb/cpia2/cpia2_usb.c     driver.(CVE-2019-15215)An issue was discovered in the     Linux kernel before 5.2.3. There is a NULL pointer     dereference caused by a malicious USB device in the     drivers/media/usb/zr364xx/zr364xx.c     driver.(CVE-2019-15217)An issue was discovered in the     Linux kernel before 5.1.8. There is a double-free     caused by a malicious USB device in the     drivers/usb/misc/rio500.c driver.(CVE-2019-15212)An     issue was discovered in the Linux kernel before 5.0.14.
    There is a NULL pointer dereference caused by a     malicious USB device in the drivers/usb/misc/yurex.c     driver.(CVE-2019-15216)An issue was discovered in     drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before     5.1.12. In the qedi_dbg_* family of functions, there is     an out-of-bounds read.(CVE-2019-15090)An issue was     discovered in the Linux kernel before 5.0.9. There is a     NULL pointer dereference for a cd data structure if     alloc_disk fails in     drivers/block/paride/pf.c.(CVE-2019-15923)An issue was     discovered in the Linux kernel before 5.0.10.
    SMB2_negotiate in fs/cifs/smb2pdu.c has an     out-of-bounds read because data structures are     incompletely updated after a change from smb30 to     smb21.(CVE-2019-15918)An issue was discovered in the     Linux kernel before 5.0.9. There is a NULL pointer     dereference for a pf data structure if alloc_disk fails     in drivers/block/paride/pf.c.(CVE-2019-15922)An issue     was discovered in the Linux kernel before 5.2.3. Out of     bounds access exists in the functions     ath6kl_wmi_pstream_timeout_event_rx and     ath6kl_wmi_cac_event_rx in the file     driverset/wireless/ath/ath6kl/wmi.c.(CVE-2019-15926)An     issue was discovered in the Linux kernel before 5.0.11.
    fm10k_init_module in     driverset/ethernet/intel/fm10k/fm10k_main.c has a NULL     pointer dereference because there is no -ENOMEM upon an     alloc_workqueue failure.(CVE-2019-15924)A buffer     overflow flaw was found, in versions from 2.6.34 to     5.2.x, in the way Linux kernel's vhost functionality     that translates virtqueue buffers to IOVs, logged the     buffer descriptors during migration. A privileged guest     user able to pass descriptors with invalid length to     the host when migration is underway, could use this     flaw to increase their privileges on the     host.(CVE-2019-14835)In the Linux kernel through 5.2.14     on the powerpc platform, a local user can read vector     registers of other users' processes via an interrupt.
    To exploit the venerability, a local user starts a     transaction (via the hardware transactional memory     instruction tbegin) and then accesses vector registers.
    At some point, the vector registers will be corrupted     with the values from a different local Linux process,     because MSR_TM_ACTIVE is misused in     arch/powerpc/kernel/process.c.(CVE-2019-15031)In the     Linux kernel through 5.2.14 on the powerpc platform, a     local user can read vector registers of other users'     processes via a Facility Unavailable exception. To     exploit the venerability, a local user starts a     transaction (via the hardware transactional memory     instruction tbegin) and then accesses vector registers.
    At some point, the vector registers will be corrupted     with the values from a different local Linux process     because of a missing arch/powerpc/kernel/process.c     check.(CVE-2019-15030)There is heap-based buffer     overflow in kernel, all versions up to, excluding 5.3,     in the marvell wifi chip driver in Linux kernel, that     allows local users to cause a denial of service(system     crash) or possibly execute arbitrary     code.(CVE-2019-14816)A vulnerability was found in Linux     Kernel, where a Heap Overflow was found in     mwifiex_set_wmm_params() function of Marvell Wifi     Driver.(CVE-2019-14815)There is heap-based buffer     overflow in Linux kernel, all versions up to, excluding     5.3, in the marvell wifi chip driver in Linux kernel,     that allows local users to cause a denial of     service(system crash) or possibly execute arbitrary     code.(CVE-2019-14814)driverset/wireless/ath/ath10k/usb.
    c in the Linux kernel through 5.2.8 has a NULL pointer     dereference via an incomplete address in an endpoint     descriptor.(CVE-2019-15099)driverset/wireless/ath/ath6k     l/usb.c in the Linux kernel through 5.2.8 has a NULL     pointer dereference via an incomplete address in an     endpoint     descriptor.(CVE-2019-15098)driverset/wireless/rsi/rsi_9     1x_usb.c in the Linux kernel through 5.2.9 has a Double     Free via crafted USB device traffic (which may be     remote via usbip or usbredir).CVE-2019-15504)In the     Linux kernel before 5.2.14, rds6_inc_info_copy in     net/rds/recv.c allows attackers to obtain sensitive     information from kernel stack memory because tos and     flags fields are not     initialized.(CVE-2019-16714)drivers/scsi/qla2xxx/qla_os     .c in the Linux kernel 5.2.14 does not check the     alloc_workqueue return value, leading to a NULL pointer     dereference.(CVE-2019-16233)An issue was discovered in     the Linux kernel through 5.2.13. nbd_genl_status in     drivers/blockbd.c does not check the     nla_nest_start_noflag return     value.(CVE-2019-16089)llcp_sock_create in     netfc/llcp_sock.c in the AF_NFC network module in the     Linux kernel through 5.3.2 does not enforce     CAP_NET_RAW, which means that unprivileged users can     create a raw socket, aka     CID-3a359798b176.(CVE-2019-17056)base_sock_create in     drivers/isdn/mISDN/socket.c in the AF_ISDN network     module in the Linux kernel through 5.3.2 does not     enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-b91ee4aa2a21.(CVE-2019-17055)atalk_create in     net/appletalk/ddp.c in the AF_APPLETALK network module     in the Linux kernel through 5.3.2 does not enforce     CAP_NET_RAW, which means that unprivileged users can     create a raw socket, aka     CID-6cc03e8aa36c.(CVE-2019-17054)ieee802154_create in     net/ieee802154/socket.c in the AF_IEEE802154 network     module in the Linux kernel through 5.3.2 does not     enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-e69dbd4619e7.(CVE-2019-17053)ax25_create in     net/ax25/af_ax25.c in the AF_AX25 network module in the     Linux kernel through 5.3.2 does not enforce     CAP_NET_RAW, which means that unprivileged users can     create a raw socket, aka     CID-0614e2b73768.(CVE-2019-17052)An issue was     discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance.(CVE-2019-17075)rtl_p2p_noa_ie in     driverset/wireless/realtek/rtlwifi/ps.c in the Linux     kernel through 5.3.6 lacks a certain upper-bound check,     leading to a buffer overflow.(CVE-2019-17666)In the     Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid     in net/wireless/wext-sme.c does not reject a long SSID     IE, leading to a Buffer Overflow.(CVE-2019-17133)An     issue was discovered in net/wirelessl80211.c in the     Linux kernel through 5.2.17. It does not check the     length of variable elements in a beacon head, leading     to a buffer overflow.(CVE-2019-16746)Insufficient     access control in the Intel(R) PROSet/Wireless WiFi     Software driver before version 21.10 may allow an     unauthenticated user to potentially enable denial of     service via adjacent     access.(CVE-2019-0136)driverset/wireless/intel/iwlwifi/     pcie/trans.c in the Linux kernel 5.2.14 does not check     the alloc_workqueue return value, leading to a NULL     pointer dereference.(CVE-2019-16234)A memory leak in     the ql_alloc_large_buffers() function in     driverset/ethernet/qlogic/qla3xxx.c in the Linux kernel     before 5.3.5 allows local users to cause a denial of     service (memory consumption) by triggering     pci_dma_mapping_error() failures, aka     CID-1acb8f2a7a9f.(CVE-2019-18806)A memory leak in the     dwc3_pci_probe() function in     drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through     5.3.9 allows attackers to cause a denial of service     (memory consumption) by triggering     platform_device_add_properties() failures, aka     CID-9bbfceea12a8.(CVE-2019-18813)A memory leak in the     af9005_identify_state() function in     drivers/media/usb/dvb-usb/af9005.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-2289adbfa559.(CVE-2019-18809)fs/btrfs/volumes.c in     the Linux kernel before 5.1 allows a     btrfs_verify_dev_extents NULL pointer dereference via a     crafted btrfs image because fs_devices->devices is     mishandled within find_device, aka     CID-09ba3bc9dd15.(CVE-2019-18885)A memory leak in the     ccp_run_sha_cmd() function in     drivers/crypto/ccp/ccp-ops.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-128c66429247.(CVE-2019-18808)A memory leak in the     bfad_im_get_stats() function in     drivers/scsi/bfa/bfad_attr.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption) by triggering     bfa_port_get_stats() failures, aka     CID-0e62395da2bd.(CVE-2019-19066)Note:
    kernel-4.19.36-vhulk1907.1.0.h529 and earlier versions     in EulerOS Virtualization for ARM 64 3.0.2.0 return     incorrect time information when executing the uname -a     command.

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2018-13093, CVE-2018-13094

Wen Xu from SSLab at Gatech reported several NULL pointer dereference flaws that may be triggered when mounting and operating a crafted XFS volume. An attacker able to mount arbitrary XFS volumes could use this to cause a denial of service (crash).

CVE-2018-20976

It was discovered that the XFS file-system implementation did not correctly handle some mount failure conditions, which could lead to a use-after-free. The security impact of this is unclear.

CVE-2018-21008

It was discovered that the rsi wifi driver did not correctly handle some failure conditions, which could lead to a use-after- free. The security impact of this is unclear.

CVE-2019-0136

It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages.
A nearby attacker could use this for denial of service (loss of wifi connectivity).

CVE-2019-2215

The syzkaller tool discovered a use-after-free vulnerability in the Android binder driver. A local user on a system with this driver enabled could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. However, this driver is not enabled on Debian packaged kernels.

CVE-2019-10220

Various developers and researchers found that if a crafted file- system or malicious file server presented a directory with filenames including a '/' character, this could confuse and possibly defeat security checks in applications that read the directory.

The kernel will now return an error when reading such a directory, rather than passing the invalid filenames on to user-space.

CVE-2019-14615

It was discovered that Intel 9th and 10th generation GPUs did not clear user-visible state during a context switch, which resulted in information leaks between GPU tasks. This has been mitigated in the i915 driver.

The affected chips (gen9 and gen10) are listed at <https://en.wikipedia.org/wiki/List_of_Intel_graphics_proces sing_units#Gen9>.

CVE-2019-14814, CVE-2019-14815, CVE-2019-14816

Multiple bugs were discovered in the mwifiex wifi driver, which could lead to heap buffer overflows. A local user permitted to configure a device handled by this driver could probably use this for privilege escalation.

CVE-2019-14895, CVE-2019-14901

ADLab of Venustech discovered potential heap buffer overflows in the mwifiex wifi driver. On systems using this driver, a malicious Wireless Access Point or adhoc/P2P peer could use these to cause a denial of service (memory corruption or crash) or possibly for remote code execution.

CVE-2019-14896, CVE-2019-14897

ADLab of Venustech discovered potential heap and stack buffer overflows in the libertas wifi driver. On systems using this driver, a malicious Wireless Access Point or adhoc/P2P peer could use these to cause a denial of service (memory corruption or crash) or possibly for remote code execution.

CVE-2019-15098

Hui Peng and Mathias Payer reported that the ath6kl wifi driver did not properly validate USB descriptors, which could lead to a NULL pointer derefernce. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15217

The syzkaller tool discovered that the zr364xx mdia driver did not correctly handle devices without a product name string, which could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15291

The syzkaller tool discovered that the b2c2-flexcop-usb media driver did not properly validate USB descriptors, which could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15505

The syzkaller tool discovered that the technisat-usb2 media driver did not properly validate incoming IR packets, which could lead to a heap buffer over-read. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops) or to read sensitive information from kernel memory.

CVE-2019-15917

The syzkaller tool found a race condition in code supporting UART-attached Bluetooth adapters, which could lead to a use- after-free. A local user with access to a pty device or other suitable tty device could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-16746

It was discovered that the wifi stack did not validate the content of beacon heads provided by user-space for use on a wifi interface in Access Point mode, which could lead to a heap buffer overflow. A local user permitted to configure a wifi interface could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-17052, CVE-2019-17053, CVE-2019-17054, CVE-2019-17055, CVE-2019-17056

Ori Nimron reported that various network protocol implementations

  - AX.25, IEEE 802.15.4, Appletalk, ISDN, and NFC - allowed     all users to create raw sockets. A local user could use     this to send arbitrary packets on networks using those     protocols.

CVE-2019-17075

It was found that the cxgb4 Infiniband driver requested DMA (Direct Memory Access) to a stack-allocated buffer, which is not supported and on some systems can result in memory corruption of the stack. A local user might be able to use this for denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-17133

Nicholas Waisman reported that the wifi stack did not valdiate received SSID information before copying it, which could lead to a buffer overflow if it is not validated by the driver or firmware. A malicious Wireless Access Point might be able to use this to cause a denial of service (memory corruption or crash) or for remote code execution.

CVE-2019-17666

Nicholas Waisman reported that the rtlwifi wifi drivers did not properly validate received P2P information, leading to a buffer overflow. A malicious P2P peer could use this to cause a denial of service (memory corruption or crash) or for remote code execution.

CVE-2019-18282

Jonathan Berger, Amit Klein, and Benny Pinkas discovered that the generation of UDP/IPv6 flow labels used a weak hash function, 'jhash'.
This could enable tracking individual computers as they communicate with different remote servers and from different networks. The 'siphash' function is now used instead.

CVE-2019-18683

Multiple race conditions were discovered in the vivid media driver, used for testing Video4Linux2 (V4L2) applications, These race conditions could result in a use-after-free. On a system where this driver is loaded, a user with permission to access media devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-18809

Navid Emamdoost discovered a potential memory leak in the af9005 media driver if the device fails to respond to a command. The security impact of this is unclear.

CVE-2019-19037

It was discovered that the ext4 filesystem driver did not correctly handle directories with holes (unallocated regions) in them. An attacker able to mount arbitrary ext4 volumes could use this to cause a denial of service (crash).

CVE-2019-19051

Navid Emamdoost discovered a potential memory leak in the i2400m wimax driver if the software rfkill operation fails. The security impact of this is unclear.

CVE-2019-19052

Navid Emamdoost discovered a potential memory leak in the gs_usb CAN driver if the open (interface-up) operation fails. The security impact of this is unclear.

CVE-2019-19056, CVE-2019-19057

Navid Emamdoost discovered potential memory leaks in the mwifiex wifi driver if the probe operation fails. The security impact of this is unclear.

CVE-2019-19062

Navid Emamdoost discovered a potential memory leak in the AF_ALG subsystem if the CRYPTO_MSG_GETALG operation fails. A local user could possibly use this to cause a denial of service (memory exhaustion).

CVE-2019-19066

Navid Emamdoost discovered a potential memory leak in the bfa SCSI driver if the get_fc_host_stats operation fails. The security impact of this is unclear.

CVE-2019-19068

Navid Emamdoost discovered a potential memory leak in the rtl8xxxu wifi driver, in case it fails to submit an interrupt buffer to the device. The security impact of this is unclear.

CVE-2019-19227

Dan Carpenter reported missing error checks in the Appletalk protocol implementation that could lead to a NULL pointer dereference. The security impact of this is unclear.

CVE-2019-19332

The syzkaller tool discovered a missing bounds check in the KVM implementation for x86, which could lead to a heap buffer overflow. A local user permitted to use KVM could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19447

It was discovered that the ext4 filesystem driver did not safely handle unlinking of an inode that, due to filesystem corruption, already has a link count of 0. An attacker able to mount arbitrary ext4 volumes could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19523

The syzkaller tool discovered a use-after-free bug in the adutux USB driver. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19524

The syzkaller tool discovered a race condition in the ff-memless library used by input drivers. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19525

The syzkaller tool discovered a use-after-free bug in the atusb driver for IEEE 802.15.4 networking. An attacker able to add and remove USB devices could possibly use this to cause a denial of service (memory corruption or crash) or for privilege escalation.

CVE-2019-19527

The syzkaller tool discovered that the hiddev driver did not correctly handle races between a task opening the device and disconnection of the underlying hardware. A local user permitted to access hiddev devices, and able to add and remove USB devices, could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19530

The syzkaller tool discovered a potential use-after-free in the cdc-acm network driver. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19531

The syzkaller tool discovered a use-after-free bug in the yurex USB driver. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19532

The syzkaller tool discovered a potential heap buffer overflow in the hid-gaff input driver, which was also found to exist in many other input drivers. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19533

The syzkaller tool discovered that the ttusb-dec media driver was missing initialisation of a structure, which could leak sensitive information from kernel memory.

CVE-2019-19534, CVE-2019-19535, CVE-2019-19536

The syzkaller tool discovered that the peak_usb CAN driver was missing initialisation of some structures, which could leak sensitive information from kernel memory.

CVE-2019-19537

The syzkaller tool discovered race conditions in the USB stack, involving character device registration. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19767

The syzkaller tool discovered that crafted ext4 volumes could trigger a buffer overflow in the ext4 filesystem driver. An attacker able to mount such a volume could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19947

It was discovered that the kvaser_usb CAN driver was missing initialisation of some structures, which could leak sensitive information from kernel memory.

CVE-2019-19965

Gao Chuan reported a race condition in the libsas library used by SCSI host drivers, which could lead to a NULL pointer dereference. An attacker able to add and remove SCSI devices could use this to cause a denial of service (BUG/oops).

CVE-2019-20096

The Hulk Robot tool discovered a potential memory leak in the DCCP protocol implementation. This may be exploitable by local users, or by remote attackers if the system uses DCCP, to cause a denial of service (out of memory).

For Debian 8 'Jessie', these problems have been fixed in version 4.9.210-1~deb8u1. This update additionally fixes Debian bugs #869511 and 945023; and includes many more bug fixes from stable updates 4.9.190-4.9.210 inclusive.

We recommend that you upgrade your linux-4.9 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - drivers/net/wireless/rsi/rsi_91x_usb.c in the Linux     kernel through 5.2.9 has a Double Free via crafted USB     device traffic (which may be remote via usbip or     usbredir).(CVE-2019-15504)

  - In the Linux kernel before 5.2.14, rds6_inc_info_copy     in net/rds/recv.c allows attackers to obtain sensitive     information from kernel stack memory because tos and     flags fields are not initialized.(CVE-2019-16714)

  - drivers/scsi/qla2xxx/qla_os.c in the Linux kernel     5.2.14 does not check the alloc_workqueue return value,     leading to a NULL pointer dereference.(CVE-2019-16233)

  - An issue was discovered in the Linux kernel through     5.2.13. nbd_genl_status in drivers/block/nbd.c does not     check the nla_nest_start_noflag return     value.(CVE-2019-16089)

  - llcp_sock_create in net/nfc/llcp_sock.c in the AF_NFC     network module in the Linux kernel through 5.3.2 does     not enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-3a359798b176.(CVE-2019-17056)

  - base_sock_create in drivers/isdn/mISDN/socket.c in the     AF_ISDN network module in the Linux kernel through     5.3.2 does not enforce CAP_NET_RAW, which means that     unprivileged users can create a raw socket, aka     CID-b91ee4aa2a21.(CVE-2019-17055)

  - atalk_create in net/appletalk/ddp.c in the AF_APPLETALK     network module in the Linux kernel through 5.3.2 does     not enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-6cc03e8aa36c.(CVE-2019-17054)

  - ieee802154_create in net/ieee802154/socket.c in the     AF_IEEE802154 network module in the Linux kernel     through 5.3.2 does not enforce CAP_NET_RAW, which means     that unprivileged users can create a raw socket, aka     CID-e69dbd4619e7.(CVE-2019-17053)

  - ax25_create in net/ax25/af_ax25.c in the AF_AX25     network module in the Linux kernel through 5.3.2 does     not enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-0614e2b73768.(CVE-2019-17052)

  - An issue was discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance.(CVE-2019-17075)

  - rtl_p2p_noa_ie in     drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux     kernel through 5.3.6 lacks a certain upper-bound check,     leading to a buffer overflow.(CVE-2019-17666)

  - In the Linux kernel through 5.3.2,     cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c     does not reject a long SSID IE, leading to a Buffer     Overflow.(CVE-2019-17133)

  - An issue was discovered in net/wireless/nl80211.c in     the Linux kernel through 5.2.17. It does not check the     length of variable elements in a beacon head, leading     to a buffer overflow.(CVE-2019-16746)

  - Insufficient access control in the Intel(R)     PROSet/Wireless WiFi Software driver before version     21.10 may allow an unauthenticated user to potentially     enable denial of service via adjacent     access.(CVE-2019-0136)

  - drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the     Linux kernel 5.2.14 does not check the alloc_workqueue     return value, leading to a NULL pointer     dereference.(CVE-2019-16234)

  - A memory leak in the ql_alloc_large_buffers() function     in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux     kernel before 5.3.5 allows local users to cause a     denial of service (memory consumption) by triggering     pci_dma_mapping_error() failures, aka     CID-1acb8f2a7a9f.(CVE-2019-18806)

  - A memory leak in the dwc3_pci_probe() function in     drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through     5.3.9 allows attackers to cause a denial of service     (memory consumption) by triggering     platform_device_add_properties() failures, aka     CID-9bbfceea12a8.(CVE-2019-18813)

  - A memory leak in the af9005_identify_state() function     in drivers/media/usb/dvb-usb/af9005.c in the Linux     kernel through 5.3.9 allows attackers to cause a denial     of service (memory consumption), aka     CID-2289adbfa559.(CVE-2019-18809)

  - A memory leak in the ccp_run_sha_cmd() function in     drivers/crypto/ccp/ccp-ops.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-128c66429247.(CVE-2019-18808)

  - A memory leak in the bfad_im_get_stats() function in     drivers/scsi/bfa/bfad_attr.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption) by triggering     bfa_port_get_stats() failures, aka     CID-0e62395da2bd.(CVE-2019-19066)

  - A memory leak in the ath9k_wmi_cmd() function in     drivers/net/wireless/ath/ath9k/wmi.c in the Linux     kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption), aka     CID-728c1e2a05e4.(CVE-2019-19074)

  - A vulnerability in the web server of Cisco Integrated     Management Controller (IMC) could allow an     authenticated, remote attacker to set sensitive     configuration values and gain elevated privileges. The     vulnerability is due to improper handling of substring     comparison operations that are performed by the     affected software. An attacker could exploit this     vulnerability by sending a crafted HTTP request to the     affected software. A successful exploit could allow the     attacker with read-only privileges to gain     administrator privileges.(CVE-2019-19073)

  - Two memory leaks in the rtl_usb_probe() function in     drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux     kernel through 5.3.11 allow attackers to cause a denial     of service (memory consumption), aka     CID-3f9361695113.(CVE-2019-19063)

  - Two memory leaks in the mwifiex_pcie_init_evt_ring()     function in drivers/net/wireless/marvell/mwifiex/pcie.c     in the Linux kernel through 5.3.11 allow attackers to     cause a denial of service (memory consumption) by     triggering mwifiex_map_pci_memory() failures, aka     CID-d10dcb615c8e.(CVE-2019-19057)

  - A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf()     function in drivers/net/wireless/marvell/mwifiex/pcie.c     in the Linux kernel through 5.3.11 allows attackers to     cause a denial of service (memory consumption) by     triggering mwifiex_map_pci_memory() failures, aka     CID-db8fd2cde932.(CVE-2019-19056)

  - A memory leak in the gs_can_open() function in     drivers/net/can/usb/gs_usb.c in the Linux kernel before     5.3.11 allows attackers to cause a denial of service     (memory consumption) by triggering usb_submit_urb()     failures, aka CID-fb5be6a7b486.(CVE-2019-19052)

  - An issue was discovered in the Linux kernel through     5.3.9. There is a use-after-free when aa_label_parse()     fails in aa_audit_rule_init() in     security/apparmor/audit.c.(CVE-2019-18814)

  - Memory leaks in *clock_source_create() functions under     drivers/gpu/drm/amd/display/dc in the Linux kernel     before 5.3.8 allow attackers to cause a denial of     service (memory consumption). This affects the     dce112_clock_source_create() function in     drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c     , the dce100_clock_source_create() function in     drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c     , the dcn10_clock_source_create() function in     drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c,     the dcn20_clock_source_create() function in     drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c,     the dce120_clock_source_create() function in     drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c     , the dce110_clock_source_create() function in     drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c     , and the dce80_clock_source_create() function in     drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c,     aka CID-055e547478a1.(CVE-2019-19083)

  - Memory leaks in *create_resource_pool() functions under     drivers/gpu/drm/amd/display/dc in the Linux kernel     through 5.3.11 allow attackers to cause a denial of     service (memory consumption). This affects the     dce120_create_resource_pool() function in     drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c     , the dce110_create_resource_pool() function in     drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c     , the dce100_create_resource_pool() function in     drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c     , the dcn10_create_resource_pool() function in     drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c,     and the dce112_create_resource_pool() function in     drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c     , aka CID-104c307147ad.(CVE-2019-19082)

  - A memory leak in the nfp_flower_spawn_vnic_reprs()     function in     drivers/net/ethernet/netronome/nfp/flower/main.c in the     Linux kernel before 5.3.4 allows attackers to cause a     denial of service (memory consumption), aka     CID-8ce39eb5a67a.(CVE-2019-19081)

  - Four memory leaks in the nfp_flower_spawn_phy_reprs()     function in     drivers/net/ethernet/netronome/nfp/flower/main.c in the     Linux kernel before 5.3.4 allow attackers to cause a     denial of service (memory consumption), aka     CID-8572cea1461a.(CVE-2019-19080)

  - A memory leak in the qrtr_tun_write_iter() function in     net/qrtr/tun.c in the Linux kernel before 5.3 allows     attackers to cause a denial of service (memory     consumption), aka CID-a21b7f0cff19.(CVE-2019-19079)

  - A memory leak in the ath10k_usb_hif_tx_sg() function in     drivers/net/wireless/ath/ath10k/usb.c in the Linux     kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     usb_submit_urb() failures, aka     CID-b8d17e7d93d2.(CVE-2019-19078)

  - A memory leak in the bnxt_re_create_srq() function in     drivers/infiniband/hw/bnxt_re/ib_verbs.c in the Linux     kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     copy to udata failures, aka     CID-4a9d46a9fe14.(CVE-2019-19077)

  - A memory leak in the ca8210_probe() function in     drivers/net/ieee802154/ca8210.c in the Linux kernel     before 5.3.8 allows attackers to cause a denial of     service (memory consumption) by triggering     ca8210_get_platform_data() failures, aka     CID-6402939ec86e.(CVE-2019-19075)

  - A memory leak in the rsi_send_beacon() function in     drivers/net/wireless/rsi/rsi_91x_mgmt.c in the Linux     kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     rsi_prepare_beacon() failures, aka     CID-d563131ef23c.(CVE-2019-19071)

  - A memory leak in the rtl8xxxu_submit_int_urb() function     in     drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c     in the Linux kernel through 5.3.11 allows attackers to     cause a denial of service (memory consumption) by     triggering usb_submit_urb() failures, aka     CID-a2cdd07488e6.(CVE-2019-19068)

  - ** DISPUTED ** Four memory leaks in the acp_hw_init()     function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in     the Linux kernel before 5.3.8 allow attackers to cause     a denial of service (memory consumption) by triggering     mfd_add_hotplug_devices() or pm_genpd_add_device()     failures, aka CID-57be09c6e874. NOTE: third parties     dispute the relevance of this because the attacker must     already have privileges for module     loading.(CVE-2019-19067)

  - A memory leak in the sdma_init() function in     drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel     before 5.3.9 allows attackers to cause a denial of     service (memory consumption) by triggering     rhashtable_init() failures, aka     CID-34b3be18a04e.(CVE-2019-19065)

  - Multiple memory leaks in the     iwl_pcie_ctxt_info_gen3_init() function in     drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.
    c in the Linux kernel through 5.3.11 allow attackers to     cause a denial of service (memory consumption) by     triggering iwl_pcie_init_fw_sec() or     dma_alloc_coherent() failures, aka     CID-0f4f199443fa.(CVE-2019-19059)

  - A memory leak in the alloc_sgtable() function in     drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the     Linux kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     alloc_page() failures, aka     CID-b4b814fec1a5.(CVE-2019-19058)

  - A memory leak in the i2400m_op_rfkill_sw_toggle()     function in drivers/net/wimax/i2400m/op-rfkill.c in the     Linux kernel before 5.3.11 allows attackers to cause a     denial of service (memory consumption), aka     CID-6f3ef5c25cc7.(CVE-2019-19051)

  - A memory leak in the mlx5_fpga_conn_create_cq()     function in     drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c in     the Linux kernel before 5.3.11 allows attackers to     cause a denial of service (memory consumption) by     triggering mlx5_vector2eqn() failures, aka     CID-c8c2a057fdc7.(CVE-2019-19045)

  - A memory leak in the predicate_parse() function in     kernel/trace/trace_events_filter.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption), aka     CID-96c5c6e6a5b6.(CVE-2019-19072)

  - ** DISPUTED ** A memory leak in the spi_gpio_probe()     function in drivers/spi/spi-gpio.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption) by triggering     devm_add_action_or_reset() failures, aka     CID-d3b0ffa1d75d. NOTE: third parties dispute the     relevance of this because the system must have already     been out of memory before the probe     began.(CVE-2019-19070)

  - ** DISPUTED ** A memory leak in the unittest_data_add()     function in drivers/of/unittest.c in the Linux kernel     before 5.3.10 allows attackers to cause a denial of     service (memory consumption) by triggering     of_fdt_unflatten_tree() failures, aka CID-e13de8fe0d6a.
    NOTE: third parties dispute the relevance of this     because unittest.c can only be reached during     boot.(CVE-2019-19049)

  - In the Linux kernel through 5.3.8, f->fmt.sdr.reserved     is uninitialized in rcar_drif_g_fmt_sdr_cap in     drivers/media/platform/rcar_drif.c, which could cause a     memory disclosure problem.(CVE-2019-18786)

  - A memory leak in the cx23888_ir_probe() function in     drivers/media/pci/cx23885/cx23888-ir.c in the Linux     kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     kfifo_alloc() failures, aka     CID-a7b2df76b42b.(CVE-2019-19054)

  - An issue was discovered in drivers/media/platform/vivid     in the Linux kernel through 5.3.8. It is exploitable     for privilege escalation on some Linux distributions     where local users have /dev/video0 access, but only if     the driver happens to be loaded. There are multiple     race conditions during streaming stopping in this     driver (part of the V4L2 subsystem). These issues are     caused by wrong mutex locking in     vivid_stop_generating_vid_cap(),     vivid_stop_generating_vid_out(),     sdr_cap_stop_streaming(), and the corresponding     kthreads. At least one of these race conditions leads     to a use-after-free.(CVE-2019-18683)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):** DISPUTED ** Multiple     integer overflows in the lzo1x_decompress_safe function     in lib/lzo/lzo1x_decompress_safe.c in the LZO     decompressor in the Linux kernel before 3.15.2 allow     context-dependent attackers to cause a denial of     service (memory corruption) via a crafted Literal Run.
    NOTE: the author of the LZO algorithms says 'the Linux     kernel is *not* affected media hype.'(CVE-2014-4608)A     certain backport in the TCP Fast Open implementation     for the Linux kernel before 3.18 does not properly     maintain a count value, which allow local users to     cause a denial of service (system crash) via the Fast     Open feature, as demonstrated by visiting the     chrome://flags/#enable-tcp-fast-open URL when using     certain 3.10.x through 3.16.x kernel builds, including     longterm-maintenance releases and ckt (aka Canonical     Kernel Team) builds.(CVE-2015-3332)An elevation of     privilege vulnerability in the kernel scsi driver.
    Product: Android. Versions: Android kernel. Android ID     A-65023233.(CVE-2017-13168)An issue was discovered in     drivers/i2c/i2c-core-smbus.c in the Linux kernel before     4.14.15. There is an out of bounds write in the     function i2c_smbus_xfer_emulated.(CVE-2017-18551)An     issue was discovered in net/ipv6/ip6mr.c in the Linux     kernel before 4.11. By setting a specific socket     option, an attacker can control a pointer in kernel     land and cause an inet_csk_listen_stop general     protection fault, or potentially execute arbitrary code     under certain circumstances. The issue can be triggered     as root (e.g., inside a default LXC container or with     the CAP_NET_ADMIN capability) or after namespace     unsharing. This occurs because sk_type and protocol are     not checked in the appropriate part of the ip6_mroute_*     functions. NOTE: this affects Linux distributions that     use 4.9.x longterm kernels before     4.9.187.(CVE-2017-18509)An issue was discovered in the     Linux kernel before 4.14.11. A double free may be     caused by the function allocate_trace_buffer in the     file kernel/trace/trace.c.(CVE-2017-18595)An issue was     discovered in the Linux kernel through 4.17.10. There     is a NULL pointer dereference and panic in     hfsplus_lookup() in fs/hfsplus/dir.c when opening a     file (that is purportedly a hard link) in an hfs+     filesystem that has malformed catalog data, and is     mounted read-only without a metadata     directory.(CVE-2018-14617)An issue was discovered in     write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in     the Linux kernel through 5.3.2. The cxgb4 driver is     directly calling dma_map_single (a DMA function) from a     stack variable. This could allow an attacker to trigger     a Denial of Service, exploitable if this driver is used     on an architecture for which this stack/DMA interaction     has security relevance.(CVE-2019-17075)Double free     vulnerability in the snd_usbmidi_create function in     sound/usb/midi.c in the Linux kernel before 4.5 allows     physically proximate attackers to cause a denial of     service (panic) or possibly have unspecified other     impact via vectors involving an invalid USB     descriptor.(CVE-2016-2384)fsamespace.c in the Linux     kernel through 3.16.1 does not properly restrict     clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and     changing MNT_ATIME_MASK during a remount of a bind     mount, which allows local users to gain privileges,     interfere with backups and auditing on systems that had     atime enabled, or cause a denial of service (excessive     filesystem updating) on systems that had atime disabled     via a 'mount -o remount' command within a user     namespace.(CVE-2014-5207)fs/overlayfs/dir.c in the     OverlayFS filesystem implementation in the Linux kernel     before 4.6 does not properly verify the upper dentry     before proceeding with unlink and rename system-call     processing, which allows local users to cause a denial     of service (system crash) via a rename system call that     specifies a self-hardlink.(CVE-2016-6197)In the Linux     kernel before 4.1.4, a buffer overflow occurs when     checking userspace params in     drivers/media/dvb-frontends/cx24116.c. The maximum size     for a DiSEqC command is 6, according to the userspace     API. However, the code allows larger values such as     23.(CVE-2015-9289)In the Linux kernel through 5.3.2,     cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c     does not reject a long SSID IE, leading to a Buffer     Overflow.(CVE-2019-17133)Insufficient access control in     the Intel(R) PROSet/Wireless WiFi Software driver     before version 21.10 may allow an unauthenticated user     to potentially enable denial of service via adjacent     access.(CVE-2019-0136)Linux distributions that have not     patched their long-term kernels with     https://git.kernel.org/linus/a87938b2e246b81b4fb713edb3     71a9fa3c5c3c86 (committed on April 14, 2015). This     kernel vulnerability was fixed in April 2015 by commit     a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to     Linux 3.10.77 in May 2015), but it was not recognized     as a security threat. With     CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a     normal top-down address allocation strategy,     load_elf_binary() will attempt to map a PIE binary into     an address range immediately below mm->mmap_base.
    Unfortunately, load_elf_ binary() does not take account     of the need to allocate sufficient space for the entire     binary which means that, while the first PT_LOAD     segment is mapped below mm->mmap_base, the subsequent     PT_LOAD segment(s) end up being mapped above     mm->mmap_base into the are that is supposed to be the     'gap' between the stack and the     binary.(CVE-2017-1000253)Race condition in the     sclp_ctl_ioctl_sccb function in     drivers/s390/char/sclp_ctl.c in the Linux kernel before     4.6 allows local users to obtain sensitive information     from kernel memory by changing a certain length value,     aka a 'double fetch'     vulnerability.(CVE-2016-6130)rtl_p2p_noa_ie in drivers     et/wireless/realtek/rtlwifi/ps.c in the Linux kernel     through 5.3.6 lacks a certain upper-bound check,     leading to a buffer     overflow.(CVE-2019-17666)sound/core/timer.c in the     Linux kernel through 4.6 does not initialize certain r1     data structures, which allows local users to obtain     sensitive information from kernel stack memory via     crafted use of the ALSA timer interface, related to the     (1) snd_timer_user_ccallback and (2)     snd_timer_user_tinterrupt     functions.(CVE-2016-4578)Systems with microprocessors     utilizing speculative execution and branch prediction     may allow unauthorized disclosure of information to an     attacker with local user access via a side-channel     analysis.(CVE-2017-5753)The acm_probe function in     drivers/usb/class/cdc-acm.c in the Linux kernel before     4.5.1 allows physically proximate attackers to cause a     denial of service (NULL pointer dereference and system     crash) via a USB device without both a control and a     data endpoint descriptor.(CVE-2016-3138)The     arcmsr_iop_message_xfer function in     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel     through 4.8.2 does not restrict a certain length field,     which allows local users to gain privileges or cause a     denial of service (heap-based buffer overflow) via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control     code.(CVE-2016-7425)The ati_remote2_probe function in     drivers/input/misc/ati_remote2.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2185)The     create_fixed_stream_quirk function in     sound/usb/quirks.c in the snd-usb-audio driver in the     Linux kernel before 4.5.1 allows physically proximate     attackers to cause a denial of service (NULL pointer     dereference or double free, and system crash) via a     crafted endpoints value in a USB device     descriptor.(CVE-2016-2184)The digi_port_init function     in drivers/usb/serial/digi_acceleport.c in the Linux     kernel before 4.5.1 allows physically proximate     attackers to cause a denial of service (NULL pointer     dereference and system crash) via a crafted endpoints     value in a USB device descriptor.(CVE-2016-3140)The     do_remount function in fsamespace.c in the Linux kernel     through 3.16.1 does not maintain the MNT_LOCK_READONLY     bit across a remount of a bind mount, which allows     local users to bypass an intended read-only restriction     and defeat certain sandbox protection mechanisms via a     'mount -o remount' command within a user     namespace.(CVE-2014-5206)The gtco_probe function in     drivers/input/tablet/gtco.c in the Linux kernel through     4.5.2 allows physically proximate attackers to cause a     denial of service (NULL pointer dereference and system     crash) via a crafted endpoints value in a USB device     descriptor.(CVE-2016-2187)The hub_activate function in     drivers/usb/core/hub.c in the Linux kernel before 4.3.5     does not properly maintain a hub-interface data     structure, which allows physically proximate attackers     to cause a denial of service (invalid memory access and     system crash) or possibly have unspecified other impact     by unplugging a USB hub device.(CVE-2015-8816)The     ims_pcu_parse_cdc_data function in     drivers/input/misc/ims-pcu.c in the Linux kernel before     4.5.1 allows physically proximate attackers to cause a     denial of service (system crash) via a USB device     without both a master and a slave     interface.(CVE-2016-3689)The Linux Kernel running on     AMD64 systems will sometimes map the contents of PIE     executable, the heap or ld.so to where the stack is     mapped allowing attackers to more easily manipulate the     stack. Linux Kernel version 4.11.5 is     affected.(CVE-2017-1000379)The powermate_probe function     in drivers/input/misc/powermate.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2186)The signal     implementation in the Linux kernel before 4.3.5 on     powerpc platforms does not check for an MSR with both     the S and T bits set, which allows local users to cause     a denial of service (TM Bad Thing exception and panic)     via a crafted application.(CVE-2015-8844)The     snd_timer_user_params function in sound/core/timer.c in     the Linux kernel through 4.6 does not initialize a     certain data structure, which allows local users to     obtain sensitive information from kernel stack memory     via crafted use of the ALSA timer     interface.(CVE-2016-4569)The tm_reclaim_thread function     in arch/powerpc/kernel/process.c in the Linux kernel     before 4.4.1 on powerpc platforms does not ensure that     TM suspend mode exists before proceeding with a     tm_reclaim call, which allows local users to cause a     denial of service (TM Bad Thing exception and panic)     via a crafted application.(CVE-2015-8845)The VFS     subsystem in the Linux kernel 3.x provides an     incomplete set of requirements for setattr operations     that underspecifies removing extended privilege     attributes, which allows local users to cause a denial     of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program.(CVE-2015-1350)The wacom_probe function     in drivers/input/tablet/wacom_sys.c in the Linux kernel     before 3.17 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-3139)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2186)

  - The snd_compr_tstamp function in     sound/core/compress_offload.c in the Linux kernel     through 4.7, as used in Android before 2016-08-05 on     Nexus 5 and 7 (2013) devices, does not properly     initialize a timestamp data structure, which allows     attackers to obtain sensitive information via a crafted     application, aka Android internal bug 28770164 and     Qualcomm internal bug CR568717.(CVE-2014-9892)

  - A memory leak in the cx23888_ir_probe() function in     drivers/media/pci/cx23885/cx23888-ir.c in the Linux     kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     kfifo_alloc() failures, aka     CID-a7b2df76b42b.(CVE-2019-19054)

  - A memory leak in the adis_update_scan_mode() function     in drivers/iio/imu/adis_buffer.c in the Linux kernel     before 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-ab612b1daf41.(CVE-2019-19060)

  - A memory leak in the adis_update_scan_mode_burst()     function in drivers/iio/imu/adis_buffer.c in the Linux     kernel before 5.3.9 allows attackers to cause a denial     of service (memory consumption), aka     CID-9c0530e898f3.(CVE-2019-19061)

  - A memory leak in the crypto_report() function in     crypto/crypto_user_base.c in the Linux kernel through     5.3.11 allows attackers to cause a denial of service     (memory consumption) by triggering crypto_report_alg()     failures, aka CID-ffdde5932042.(CVE-2019-19062)

  - A memory leak in the ccp_run_sha_cmd() function in     drivers/crypto/ccp/ccp-ops.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-128c66429247.(CVE-2019-18808)

  - In ashmem_ioctl of ashmem.c, there is an out-of-bounds     write due to insufficient locking when accessing asma.
    This could lead to a local elevation of privilege     enabling code execution as a privileged process with no     additional execution privileges needed. User     interaction is not needed for exploitation. Product:
    Android. Versions: Android kernel. Android ID:
    A-66954097.(CVE-2017-13216)

  - A certain backport in the TCP Fast Open implementation     for the Linux kernel before 3.18 does not properly     maintain a count value, which allow local users to     cause a denial of service (system crash) via the Fast     Open feature, as demonstrated by visiting the     chrome://flags/#enable-tcp-fast-open URL when using     certain 3.10.x through 3.16.x kernel builds, including     longterm-maintenance releases and ckt (aka Canonical     Kernel Team) builds.(CVE-2015-3332)

  - The rtnl_fill_link_ifmap function in     net/core/rtnetlink.c in the Linux kernel before 4.5.5     does not initialize a certain data structure, which     allows local users to obtain sensitive information from     kernel stack memory by reading a Netlink     message.(CVE-2016-4486)

  - The ip6gre_err function in net/ipv6/ip6_gre.c in the     Linux kernel allows remote attackers to have     unspecified impact via vectors involving GRE flags in     an IPv6 packet, which trigger an out-of-bounds     access.(CVE-2017-5897)

  - In the Linux kernel before version 4.12, Kerberos 5     tickets decoded when using the RXRPC keys incorrectly     assumes the size of a field. This could lead to the     size-remaining variable wrapping and the data pointer     going over the end of the buffer. This could possibly     lead to memory corruption and possible privilege     escalation.(CVE-2017-7482)

  - A flaw was found in the Linux Kernel where an attacker     may be able to have an uncontrolled read to     kernel-memory from within a vm guest. A race condition     between connect() and close() function may allow an     attacker using the AF_VSOCK protocol to gather a 4 byte     information leak or possibly intercept or corrupt     AF_VSOCK messages destined to other     clients.(CVE-2018-14625)

  - drivers/net/usb/asix_devices.c in the Linux kernel     through 4.13.11 allows local users to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact via a crafted     USB device.(CVE-2017-16647)

  - A memory leak in the ql_alloc_large_buffers() function     in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux     kernel before 5.3.5 allows local users to cause a     denial of service (memory consumption) by triggering     pci_dma_mapping_error() failures, aka     CID-1acb8f2a7a9f.(CVE-2019-18806)

  - An issue was discovered in the fd_locked_ioctl function     in drivers/block/floppy.c in the Linux kernel through     4.15.7. The floppy driver will copy a kernel pointer to     user memory in response to the FDGETPRM ioctl. An     attacker can send the FDGETPRM ioctl and use the     obtained kernel pointer to discover the location of     kernel code and data and bypass kernel security     protections such as KASLR.(CVE-2018-7755)

  - The usbvision driver in the Linux kernel package     3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red     Hat Enterprise Linux (RHEL) 7.1 allows physically     proximate attackers to cause a denial of service     (panic) via a nonzero bInterfaceNumber value in a USB     device descriptor.(CVE-2015-7833)

  - A flaw that allowed an attacker to corrupt memory and     possibly escalate privileges was found in the mwifiex     kernel module while connecting to a malicious wireless     network.(CVE-2019-3846)

  - drivers/net/wireless/marvell/libertas/if_sdio.c in the     Linux kernel 5.2.14 does not check the alloc_workqueue     return value, leading to a NULL pointer     dereference.(CVE-2019-16232)

  - drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the     Linux kernel 5.2.14 does not check the alloc_workqueue     return value, leading to a NULL pointer     dereference.(CVE-2019-16234)

  - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14     does not check the alloc_workqueue return value,     leading to a NULL pointer dereference.(CVE-2019-16231)

  - Insufficient access control in the Intel(R)     PROSet/Wireless WiFi Software driver before version     21.10 may allow an unauthenticated user to potentially     enable denial of service via adjacent     access.(CVE-2019-0136)

  - A flaw was found in the Linux kernel. A heap based     buffer overflow in mwifiex_uap_parse_tail_ies function     in drivers/net/wireless/marvell/mwifiex/ie.c might lead     to memory corruption and possibly other     consequences.(CVE-2019-10126)

  - The Bluetooth BR/EDR specification up to and including     version 5.1 permits sufficiently low encryption key     length and does not prevent an attacker from     influencing the key length negotiation. This allows     practical brute-force attacks (aka 'KNOB') that can     decrypt traffic and inject arbitrary ciphertext without     the victim noticing.(CVE-2019-9506)

  - An issue was discovered in net/wireless/nl80211.c in     the Linux kernel through 5.2.17. It does not check the     length of variable elements in a beacon head, leading     to a buffer overflow.(CVE-2019-16746)

  - In the hidp_process_report in bluetooth, there is an     integer overflow. This could lead to an out of bounds     write with no additional execution privileges needed.
    User interaction is not needed for exploitation.
    Product: Android Versions: Android kernel Android ID:
    A-65853588 References: Upstream kernel.(CVE-2018-9363)

  - An issue was discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance.(CVE-2019-17075)

  - rtl_p2p_noa_ie in     drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux     kernel through 5.3.6 lacks a certain upper-bound check,     leading to a buffer overflow.(CVE-2019-17666)

  - arch/arm/mm/dma-mapping.c in the Linux kernel before     3.13 on ARM platforms, as used in Android before     2016-08-05 on Nexus 5 and 7 (2013) devices, does not     prevent executable DMA mappings, which might allow     local users to gain privileges via a crafted     application, aka Android internal bug 28803642 and     Qualcomm internal bug CR642735.(CVE-2014-9888)

  - An issue was discovered in drivers/i2c/i2c-core-smbus.c     in the Linux kernel before 4.14.15. There is an out of     bounds write in the function     i2c_smbus_xfer_emulated.(CVE-2017-18551)

  - The rds_ib_xmit function in net/rds/ib_send.c in the     Reliable Datagram Sockets (RDS) protocol implementation     in the Linux kernel 3.7.4 and earlier allows local     users to cause a denial of service (BUG_ON and kernel     panic) by establishing an RDS connection with the     source IP address equal to the IPoIB interface's own IP     address, as demonstrated by rds-ping.(CVE-2012-2372)

  - In the Linux kernel through 5.3.2,     cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c     does not reject a long SSID IE, leading to a Buffer     Overflow.(CVE-2019-17133)

  - A memory leak in the bfad_im_get_stats() function in     drivers/scsi/bfa/bfad_attr.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption) by triggering     bfa_port_get_stats() failures, aka     CID-0e62395da2bd.(CVE-2019-19066)

  - The kernel in Android before 2016-08-05 on Nexus 7     (2013) devices allows attackers to gain privileges via     a crafted application, aka internal bug     28522518.(CVE-2016-3857)

  - arch/arm64/kernel/sys.c in the Linux kernel before 4.0     allows local users to bypass the 'strict page     permissions' protection mechanism and modify the     system-call table, and consequently gain privileges, by     leveraging write access.(CVE-2015-8967)

  - arch/arm64/kernel/perf_event.c in the Linux kernel     before 4.1 on arm64 platforms allows local users to     gain privileges or cause a denial of service (invalid     pointer dereference) via vectors involving events that     are mishandled during a span of multiple HW     PMUs.(CVE-2015-8955)

  - The __clear_user function in     arch/arm64/lib/clear_user.S in the Linux kernel before     3.17.4 on the ARM64 platform allows local users to     cause a denial of service (system crash) by reading one     byte beyond a /dev/zero page boundary.(CVE-2014-7843)

  - The x86/fpu (Floating Point Unit) subsystem in the     Linux kernel before 4.13.5, when a processor supports     the xsave feature but not the xsaves feature, does not     correctly handle attempts to set reserved bits in the     xstate header via the ptrace() or rt_sigreturn() system     call, allowing local users to read the FPU registers of     other processes on the system, related to     arch/x86/kernel/fpu/regset.c and     arch/x86/kernel/fpu/signal.c.(CVE-2017-15537)

  - The Linux kernel before 3.11 on ARM platforms, as used     in Android before 2016-08-05 on Nexus 5 and 7 (2013)     devices, does not properly consider user-space access     to the TPIDRURW register, which allows local users to     gain privileges via a crafted application, aka Android     internal bug 28749743 and Qualcomm internal bug     CR561044.(CVE-2014-9870)

  - ** DISPUTED ** Race condition in the     store_int_with_restart() function in     arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel     through 4.15.7 allows local users to cause a denial of     service (panic) by leveraging root access to write to     the check_interval file in a     /sys/devices/system/machinecheck/machinecheck     directory. NOTE: a third party has indicated that this     report is not security relevant.(CVE-2018-7995)

  - arch/x86/kernel/entry_32.S in the Linux kernel through     3.15.1 on 32-bit x86 platforms, when syscall auditing     is enabled and the sep CPU feature flag is set, allows     local users to cause a denial of service (OOPS and     system crash) via an invalid syscall number, as     demonstrated by number 1000.(CVE-2014-4508)

  - arch/x86/kernel/tls.c in the Thread Local Storage (TLS)     implementation in the Linux kernel through 3.18.1     allows local users to bypass the espfix protection     mechanism, and consequently makes it easier for local     users to bypass the ASLR protection mechanism, via a     crafted application that makes a set_thread_area system     call and later reads a 16-bit value.(CVE-2014-8133)

  - arch/mips/include/asm/thread_info.h in the Linux kernel     before 3.14.8 on the MIPS platform does not configure
    _TIF_SECCOMP checks on the fast system-call path, which     allows local users to bypass intended PR_SET_SECCOMP     restrictions by executing a crafted application without     invoking a trace or audit subsystem.(CVE-2014-4157)

  - Integer signedness error in the oz_hcd_get_desc_cnf     function in drivers/staging/ozwpan/ozhcd.c in the     OZWPAN driver in the Linux kernel through 4.0.5 allows     remote attackers to cause a denial of service (system     crash) or possibly execute arbitrary code via a crafted     packet.(CVE-2015-4001)

  - drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver     in the Linux kernel through 4.0.5 does not ensure that     certain length values are sufficiently large, which     allows remote attackers to cause a denial of service     (system crash or large loop) or possibly execute     arbitrary code via a crafted packet, related to the (1)     oz_usb_rx and (2) oz_usb_handle_ep_data     functions.(CVE-2015-4002)

  - The oz_usb_handle_ep_data function in     drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver     in the Linux kernel through 4.0.5 allows remote     attackers to cause a denial of service (divide-by-zero     error and system crash) via a crafted     packet.(CVE-2015-4003)

  - The OZWPAN driver in the Linux kernel through 4.0.5     relies on an untrusted length field during packet     parsing, which allows remote attackers to obtain     sensitive information from kernel memory or cause a     denial of service (out-of-bounds read and system crash)     via a crafted packet.(CVE-2015-4004)

  - Race condition in the sclp_ctl_ioctl_sccb function in     drivers/s390/char/sclp_ctl.c in the Linux kernel before     4.6 allows local users to obtain sensitive information     from kernel memory by changing a certain length value,     aka a 'double fetch' vulnerability.(CVE-2016-6130)

  - The print_binder_transaction_ilocked function in     drivers/android/binder.c in the Linux kernel 4.14.90     allows local users to obtain sensitive address     information by reading '*from *code *flags' lines in a     debugfs file.(CVE-2018-20510)

  - In the Linux kernel before 4.1.4, a buffer overflow     occurs when checking userspace params in     drivers/media/dvb-frontends/cx24116.c. The maximum size     for a DiSEqC command is 6, according to the userspace     API. However, the code allows larger values such as     23.(CVE-2015-9289)

  - The saa7164_bus_get function in     drivers/media/pci/saa7164/saa7164-bus.c in the Linux     kernel through 4.11.5 allows local users to cause a     denial of service (out-of-bounds array access) or     possibly have unspecified other impact by changing a     certain sequence-number value, aka a 'double fetch'     vulnerability.(CVE-2017-8831)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A memory leak in the af9005_identify_state() function     in drivers/media/usb/dvb-usb/af9005.c in the Linux     kernel through 5.3.9 allows attackers to cause a denial     of service (memory consumption), aka     CID-2289adbfa559.(CVE-2019-18809)

  - A memory leak in the dwc3_pci_probe() function in     drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through     5.3.9 allows attackers to cause a denial of service     (memory consumption) by triggering     platform_device_add_properties() failures, aka     CID-9bbfceea12a8.(CVE-2019-18813)

  - A memory leak in the ql_alloc_large_buffers() function     in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux     kernel before 5.3.5 allows local users to cause a     denial of service (memory consumption) by triggering     pci_dma_mapping_error() failures, aka     CID-1acb8f2a7a9f.(CVE-2019-18806)

  - drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the     Linux kernel 5.2.14 does not check the alloc_workqueue     return value, leading to a NULL pointer     dereference.(CVE-2019-16234)

  - Insufficient access control in the Intel(R)     PROSet/Wireless WiFi Software driver before version     21.10 may allow an unauthenticated user to potentially     enable denial of service via adjacent     access.(CVE-2019-0136)

  - An issue was discovered in net/wireless/nl80211.c in     the Linux kernel through 5.2.17. It does not check the     length of variable elements in a beacon head, leading     to a buffer overflow.(CVE-2019-16746)

  - In the Linux kernel through 5.3.2,     cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c     does not reject a long SSID IE, leading to a Buffer     Overflow.(CVE-2019-17133)

  - rtl_p2p_noa_ie in     drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux     kernel through 5.3.6 lacks a certain upper-bound check,     leading to a buffer overflow.(CVE-2019-17666)

  - An issue was discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance.(CVE-2019-17075)

  - ax25_create in net/ax25/af_ax25.c in the AF_AX25     network module in the Linux kernel through 5.3.2 does     not enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-0614e2b73768.(CVE-2019-17052)

  - ieee802154_create in net/ieee802154/socket.c in the     AF_IEEE802154 network module in the Linux kernel     through 5.3.2 does not enforce CAP_NET_RAW, which means     that unprivileged users can create a raw socket, aka     CID-e69dbd4619e7.(CVE-2019-17053)

  - atalk_create in net/appletalk/ddp.c in the AF_APPLETALK     network module in the Linux kernel through 5.3.2 does     not enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-6cc03e8aa36c.(CVE-2019-17054)

  - base_sock_create in drivers/isdn/mISDN/socket.c in the     AF_ISDN network module in the Linux kernel through     5.3.2 does not enforce CAP_NET_RAW, which means that     unprivileged users can create a raw socket, aka     CID-b91ee4aa2a21.(CVE-2019-17055)

  - llcp_sock_create in net/nfc/llcp_sock.c in the AF_NFC     network module in the Linux kernel through 5.3.2 does     not enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-3a359798b176.(CVE-2019-17056)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Intel Wi-Fi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (Wi-Fi disconnect). (CVE-2019-0136)

It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207)

It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2019-13631)

It was discovered that an out-of-bounds read existed in the QLogic QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-15090)

Hui Peng and Mathias Payer discovered that the USB audio driver for the Linux kernel did not properly validate device meta data. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15117)

Hui Peng and Mathias Payer discovered that the USB audio driver for the Linux kernel improperly performed recursion while handling device meta data. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15118)

It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.
(CVE-2019-15211)

It was discovered at a double-free error existed in the USB Rio 500 device driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-15212)

It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215)

It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2019-15220)

Benjamin Moody discovered that the XFS file system in the Linux kernel did not properly handle an error condition when out of disk quota. A local attacker could possibly use this to cause a denial of service.
(CVE-2019-15538)

It was discovered that the Hisilicon HNS3 ethernet device driver in the Linux kernel contained an out of bounds access vulnerability. A local attacker could use this to possibly cause a denial of service (system crash). (CVE-2019-15925)

It was discovered that the Atheros mobile chipset driver in the Linux kernel did not properly validate data in some situations. An attacker could use this to cause a denial of service (system crash).
(CVE-2019-15926)

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen discovered that the Bluetooth protocol BR/EDR specification did not properly require sufficiently strong encryption key lengths. A physically proximate attacker could use this to expose sensitive information. (CVE-2019-9506)

It was discovered that ZR364XX Camera USB device driver for the Linux kernel did not properly initialize memory. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2019-15217)

It was discovered that the Siano USB MDTV receiver device driver in the Linux kernel made improper assumptions about the device characteristics. A physically proximate attacker could use this cause a denial of service (system crash). (CVE-2019-15218)

It was discovered that the Line 6 POD USB device driver in the Linux kernel did not properly validate data size information from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15221)

It was discovered that the Line 6 USB driver for the Linux kernel contained a race condition when the device was disconnected. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15223).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that a race condition existed in the GFS2 file system in the Linux kernel. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2016-10905)

It was discovered that the IPv6 implementation in the Linux kernel did not properly validate socket options in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18509)

It was discovered that the USB gadget Midi driver in the Linux kernel contained a double-free vulnerability when handling certain error conditions. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-20961)

It was discovered that the XFS file system in the Linux kernel did not properly handle mount failures in some situations. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2018-20976)

It was discovered that the Intel Wi-Fi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (Wi-Fi disconnect). (CVE-2019-0136)

It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207)

It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issues. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11487)

It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2019-13631)

It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.
(CVE-2019-15211)

It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215)

It was discovered that the Atheros mobile chipset driver in the Linux kernel did not properly validate data in some situations. An attacker could use this to cause a denial of service (system crash).
(CVE-2019-15926).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2016-10905

A race condition was discovered in the GFS2 file-system implementation, which could lead to a use-after-free. On a system using GFS2, a local attacker could use this for denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2018-20976

It was discovered that the XFS file-system implementation did not correctly handle some mount failure conditions, which could lead to a use-after-free. The security impact of this is unclear.

CVE-2018-21008

It was discovered that the rsi wifi driver did not correctly handle some failure conditions, which could lead to a use-after- free. The security impact of this is unclear.

CVE-2019-0136

It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages.
A nearby attacker could use this for denial of service (loss of wifi connectivity).

CVE-2019-9506

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered a weakness in the Bluetooth pairing protocols, dubbed the 'KNOB attack'. An attacker that is nearby during pairing could use this to weaken the encryption used between the paired devices, and then to eavesdrop on and/or spoof communication between them.

This update mitigates the attack by requiring a minimum encryption key length of 56 bits.

CVE-2019-14814, CVE-2019-14815, CVE-2019-14816

Multiple bugs were discovered in the mwifiex wifi driver, which could lead to heap buffer overflows. A local user permitted to configure a device handled by this driver could probably use this for privilege escalation.

CVE-2019-14821

Matt Delco reported a race condition in KVM's coalesced MMIO facility, which could lead to out-of-bounds access in the kernel. A local attacker permitted to access /dev/kvm could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-14835

Peter Pi of Tencent Blade Team discovered a missing bounds check in vhost_net, the network back-end driver for KVM hosts, leading to a buffer overflow when the host begins live migration of a VM. An attacker in control of a VM could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation on the host.

CVE-2019-15117

Hui Peng and Mathias Payer reported a missing bounds check in the usb-audio driver's descriptor parsing code, leading to a buffer over-read. An attacker able to add USB devices could possibly use this to cause a denial of service (crash).

CVE-2019-15118

Hui Peng and Mathias Payer reported unbounded recursion in the usb-audio driver's descriptor parsing code, leading to a stack overflow. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15211

The syzkaller tool found a bug in the radio-raremono driver that could lead to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15212

The syzkaller tool found that the rio500 driver does not work correctly if more than one device is bound to it. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15215

The syzkaller tool found a bug in the cpia2_usb driver that leads to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15218

The syzkaller tool found that the smsusb driver did not validate that USB devices have the expected endpoints, potentially leading to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15219

The syzkaller tool found that a device initialisation error in the sisusbvga driver could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15220

The syzkaller tool found a race condition in the p54usb driver which could lead to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15221

The syzkaller tool found that the line6 driver did not validate USB devices' maximum packet sizes, which could lead to a heap buffer overrun. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15292

The Hulk Robot tool found missing error checks in the Appletalk protocol implementation, which could lead to a use-after-free. The security impact of this is unclear.

CVE-2019-15807

Jian Luo reported that the Serial Attached SCSI library (libsas) did not correctly handle failure to discover devices beyond a SAS expander. This could lead to a resource leak and crash (BUG). The security impact of this is unclear.

CVE-2019-15917

The syzkaller tool found a race condition in code supporting UART-attached Bluetooth adapters, which could lead to a use- after-free. A local user with access to a pty device or other suitable tty device could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15926

It was found that the ath6kl wifi driver did not consistently validate traffic class numbers in received control packets, leading to out-of-bounds memory accesses. A nearby attacker on the same wifi network could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 3.16.74-1.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

This updated advisory text mentions the additional non-security changes and notes the need to install new binary packages.

CVE-2019-0136

It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages.
A nearby attacker could use this for denial of service (loss of wifi connectivity).

CVE-2019-9506

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered a weakness in the Bluetooth pairing protocols, dubbed the 'KNOB attack'. An attacker that is nearby during pairing could use this to weaken the encryption used between the paired devices, and then to eavesdrop on and/or spoof communication between them.

This update mitigates the attack by requiring a minimum encryption key length of 56 bits.

CVE-2019-11487

Jann Horn discovered that the FUSE (Filesystem-in-Userspace) facility could be used to cause integer overflow in page reference counts, leading to a use-after-free. On a system with sufficient physical memory, a local user permitted to create arbitrary FUSE mounts could use this for privilege escalation.

By default, unprivileged users can only mount FUSE filesystems through fusermount, which limits the number of mounts created and should completely mitigate the issue.

CVE-2019-15211

The syzkaller tool found a bug in the radio-raremono driver that could lead to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15212

The syzkaller tool found that the rio500 driver does not work correctly if more than one device is bound to it. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15215

The syzkaller tool found a bug in the cpia2_usb driver that leads to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15216

The syzkaller tool found a bug in the yurex driver that leads to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15218

The syzkaller tool found that the smsusb driver did not validate that USB devices have the expected endpoints, potentially leading to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15219

The syzkaller tool found that a device initialisation error in the sisusbvga driver could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15220

The syzkaller tool found a race condition in the p54usb driver which could lead to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15221

The syzkaller tool found that the line6 driver did not validate USB devices' maximum packet sizes, which could lead to a heap buffer overrun. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15292

The Hulk Robot tool found missing error checks in the Appletalk protocol implementation, which could lead to a use-after-free. The security impact of this is unclear.

CVE-2019-15538

Benjamin Moody reported that operations on XFS hung after a chgrp command failed due to a disk quota. A local user on a system using XFS and disk quotas could use this for denial of service.

CVE-2019-15666

The Hulk Robot tool found an incorrect range check in the network transformation (xfrm) layer, leading to out-of-bounds memory accesses.
A local user with CAP_NET_ADMIN capability (in any user namespace) could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15807

Jian Luo reported that the Serial Attached SCSI library (libsas) did not correctly handle failure to discover devices beyond a SAS expander. This could lead to a resource leak and crash (BUG). The security impact of this is unclear.

CVE-2019-15924

The Hulk Robot tool found a missing error check in the fm10k Ethernet driver, which could lead to a NULL pointer dereference and crash (BUG/oops). The security impact of this is unclear.

CVE-2019-15926

It was found that the ath6kl wifi driver did not consistently validate traffic class numbers in received control packets, leading to out-of-bounds memory accesses. A nearby attacker on the same wifi network could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 4.9.189-3. This version also includes a fix for Debian bug #930904, and other fixes included in upstream stable updates.

We recommend that you upgrade your linux-4.9 and linux-latest-4.9 packages. You will need to use 'apt-get upgrade --with-new-pkgs' or 'apt upgrade' as the binary package names have changed.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN 4115-1 fixed vulnerabilities in the Linux 4.15 kernel for Ubuntu 18.04 LTS and Ubuntu 16.04 LTS. Unfortunately, as part of the update, a regression was introduced that caused a kernel crash when handling fragmented packets in some situations. This update addresses the issue.

We apologize for the inconvenience.

Original advisory details :

Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985)

Zhipeng Xie discovered that an infinite loop could triggered in the CFS Linux kernel process scheduler. A local attacker could possibly use this to cause a denial of service.
(CVE-2018-20784)

It was discovered that the Intel Wi-Fi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (Wi-Fi disconnect). (CVE-2019-0136)

It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207)

Amit Klein and Benny Pinkas discovered that the Linux kernel did not sufficiently randomize IP ID values generated for connectionless networking protocols. A remote attacker could use this to track particular Linux devices. (CVE-2019-10638)

Amit Klein and Benny Pinkas discovered that the location of kernel addresses could be exposed by the implementation of connection-less network protocols in the Linux kernel. A remote attacker could possibly use this to assist in the exploitation of another vulnerability in the Linux kernel.
(CVE-2019-10639)

It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issues. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11487)

Jann Horn discovered that a race condition existed in the Linux kernel when performing core dumps. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2019-11599)

It was discovered that a NULL pointer dereference vulnerability existed in the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-11810)

It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13631)

Praveen Pandey discovered that the Linux kernel did not properly validate sent signals in some situations on PowerPC systems with transactional memory disabled. A local attacker could use this to cause a denial of service.
(CVE-2019-13648)

It was discovered that the floppy driver in the Linux kernel did not properly validate meta data, leading to a buffer overread. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14283)

It was discovered that the floppy driver in the Linux kernel did not properly validate ioctl() calls, leading to a division-by-zero. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14284)

Tuba Yavuz discovered that a race condition existed in the DesignWare USB3 DRD Controller device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-14763)

It was discovered that an out-of-bounds read existed in the QLogic QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-15090)

It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2019-15211)

It was discovered at a double-free error existed in the USB Rio 500 device driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-15212)

It was discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel, leading to a potential use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15214)

It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215)

It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15220)

It was discovered that a use-after-free vulnerability existed in the AppleTalk implementation in the Linux kernel if an error occurs during initialization. A local attacker could use this to cause a denial of service (system crash).
(CVE-2019-15292)

Jason Wang discovered that an infinite loop vulnerability existed in the virtio net driver in the Linux kernel. A local attacker in a guest VM could possibly use this to cause a denial of service in the host system.
(CVE-2019-3900)

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B.
Rasmussen discovered that the Bluetooth protocol BR/EDR specification did not properly require sufficiently strong encryption key lengths. A physically proximate attacker could use this to expose sensitive information.
(CVE-2019-9506)

It was discovered that a race condition existed in the USB YUREX device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15216)

It was discovered that the Siano USB MDTV receiver device driver in the Linux kernel made improper assumptions about the device characteristics. A physically proximate attacker could use this cause a denial of service (system crash).
(CVE-2019-15218)

It was discovered that the Line 6 POD USB device driver in the Linux kernel did not properly validate data size information from the device. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2019-15221)

Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701)

Vladis Dronov discovered that the debug interface for the Linux kernel's HID subsystem did not properly validate passed parameters in some situations. A local privileged attacker could use this to cause a denial of service (infinite loop). (CVE-2019-3819).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the alarmtimer implementation in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. (CVE-2018-13053)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly track inode validations. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13093)

Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13096, CVE-2018-13097, CVE-2018-13098, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14615, CVE-2018-14616)

Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata.
An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-14609, CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613)

Wen Xu discovered that the HFS+ filesystem implementation in the Linux kernel did not properly handle malformed catalog data in some situations. An attacker could use this to construct a malicious HFS+ image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14617)

Vasily Averin and Pavel Tikhomirov discovered that the cleancache subsystem of the Linux kernel did not properly initialize new files in some situations. A local attacker could use this to expose sensitive information. (CVE-2018-16862)

Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985)

Hui Peng and Mathias Payer discovered that the USB subsystem in the Linux kernel did not properly handle size checks when handling an extra USB descriptor. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-20169)

Zhipeng Xie discovered that an infinite loop could triggered in the CFS Linux kernel process scheduler. A local attacker could possibly use this to cause a denial of service. (CVE-2018-20784)

It was discovered that a use-after-free error existed in the block layer subsystem of the Linux kernel when certain failure conditions occurred. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-20856)

Eli Biham and Lior Neumann discovered that the Bluetooth implementation in the Linux kernel did not properly validate elliptic curve parameters during Diffie-Hellman key exchange in some situations. An attacker could use this to expose sensitive information. (CVE-2018-5383)

It was discovered that the Intel wifi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (wifi disconnect). (CVE-2019-0136)

It was discovered that a heap buffer overflow existed in the Marvell Wireless LAN device driver for the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-10126)

It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207)

Amit Klein and Benny Pinkas discovered that the Linux kernel did not sufficiently randomize IP ID values generated for connectionless networking protocols. A remote attacker could use this to track particular Linux devices. (CVE-2019-10638)

Amit Klein and Benny Pinkas discovered that the location of kernel addresses could exposed by the implementation of connection-less network protocols in the Linux kernel. A remote attacker could possibly use this to assist in the exploitation of another vulnerability in the Linux kernel. (CVE-2019-10639)

Adam Zabrocki discovered that the Intel i915 kernel mode graphics driver in the Linux kernel did not properly restrict mmap() ranges in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2019-11085)

It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issues. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11487)

Jann Horn discovered that a race condition existed in the Linux kernel when performing core dumps. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information.
(CVE-2019-11599)

It was discovered that a NULL pointer dereference vulnerability existed in the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash).
(CVE-2019-11810)

It was discovered that a race condition leading to a use-after-free existed in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel. The RDS protocol is blacklisted by default in Ubuntu. If enabled, a local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2019-11815)

It was discovered that the ext4 file system implementation in the Linux kernel did not properly zero out memory in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11833)

It was discovered that the Bluetooth Human Interface Device Protocol (HIDP) implementation in the Linux kernel did not properly verify strings were NULL terminated in certain situations. A local attacker could use this to expose sensitive information (kernel memory).
(CVE-2019-11884)

It was discovered that a NULL pointer dereference vulnerabilty existed in the Near-field communication (NFC) implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12818)

It was discovered that the MDIO bus devices subsystem in the Linux kernel improperly dropped a device reference in an error condition, leading to a use-after-free. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12819)

It was discovered that a NULL pointer dereference vulnerability existed in the Near-field communication (NFC) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-12984)

Jann Horn discovered a use-after-free vulnerability in the Linux kernel when accessing LDT entries in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13233)

Jann Horn discovered that the ptrace implementation in the Linux kernel did not properly record credentials in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2019-13272)

It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2019-13631)

It was discovered that the floppy driver in the Linux kernel did not properly validate meta data, leading to a buffer overread. A local attacker could use this to cause a denial of service (system crash).
(CVE-2019-14283)

It was discovered that the floppy driver in the Linux kernel did not properly validate ioctl() calls, leading to a division-by-zero. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14284)

Tuba Yavuz discovered that a race condition existed in the DesignWare USB3 DRD Controller device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service.
(CVE-2019-14763)

It was discovered that an out-of-bounds read existed in the QLogic QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-15090)

It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.
(CVE-2019-15211)

It was discovered at a double-free error existed in the USB Rio 500 device driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-15212)

It was discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel, leading to a potential use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) pro possibly execute arbitrary code. (CVE-2019-15214)

It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215)

It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2019-15220)

It was discovered that a use-after-free vulnerability existed in the Appletalk implementation in the Linux kernel if an error occurs during initialization. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-15292)

It was discovered that the Empia EM28xx DVB USB device driver implementation in the Linux kernel contained a use-after-free vulnerability when disconnecting the device. An attacker could use this to cause a denial of service (system crash). (CVE-2019-2024)

It was discovered that the USB video device class implementation in the Linux kernel did not properly validate control bits, resulting in an out of bounds buffer read. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2019-2101)

It was discovered that the Marvell Wireless LAN device driver in the Linux kernel did not properly validate the BSS descriptor. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-3846)

Jason Wang discovered that an infinite loop vulnerability existed in the virtio net driver in the Linux kernel. A local attacker in a guest VM could possibly use this to cause a denial of service in the host system. (CVE-2019-3900)

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen discovered that the Bluetooth protocol BR/EDR specification did not properly require sufficiently strong encryption key lengths. A physicall proximate attacker could use this to expose sensitive information. (CVE-2019-9506)

It was discovered that the Appletalk IP encapsulation driver in the Linux kernel did not properly prevent kernel addresses from being copied to user space. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information.
(CVE-2018-20511)

It was discovered that a race condition existed in the USB YUREX device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2019-15216)

It was discovered that the Siano USB MDTV receiver device driver in the Linux kernel made improper assumptions about the device characteristics. A physically proximate attacker could use this cause a denial of service (system crash). (CVE-2019-15218)

It was discovered that the Line 6 POD USB device driver in the Linux kernel did not properly validate data size information from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15221)

Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701)

Vladis Dronov discovered that the debug interface for the Linux kernel's HID subsystem did not properly validate passed parameters in some situations. A local privileged attacker could use this to cause a denial of service (infinite loop). (CVE-2019-3819).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985)

Zhipeng Xie discovered that an infinite loop could triggered in the CFS Linux kernel process scheduler. A local attacker could possibly use this to cause a denial of service. (CVE-2018-20784)

It was discovered that the Intel wifi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (wifi disconnect). (CVE-2019-0136)

It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207)

Amit Klein and Benny Pinkas discovered that the Linux kernel did not sufficiently randomize IP ID values generated for connectionless networking protocols. A remote attacker could use this to track particular Linux devices. (CVE-2019-10638)

Amit Klein and Benny Pinkas discovered that the location of kernel addresses could exposed by the implementation of connection-less network protocols in the Linux kernel. A remote attacker could possibly use this to assist in the exploitation of another vulnerability in the Linux kernel. (CVE-2019-10639)

It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issues. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11487)

Jann Horn discovered that a race condition existed in the Linux kernel when performing core dumps. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information.
(CVE-2019-11599)

It was discovered that a NULL pointer dereference vulnerability existed in the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash).
(CVE-2019-11810)

It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2019-13631)

Praveen Pandey discovered that the Linux kernel did not properly validate sent signals in some situations on PowerPC systems with transactional memory disabled. A local attacker could use this to cause a denial of service. (CVE-2019-13648)

It was discovered that the floppy driver in the Linux kernel did not properly validate meta data, leading to a buffer overread. A local attacker could use this to cause a denial of service (system crash).
(CVE-2019-14283)

It was discovered that the floppy driver in the Linux kernel did not properly validate ioctl() calls, leading to a division-by-zero. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14284)

Tuba Yavuz discovered that a race condition existed in the DesignWare USB3 DRD Controller device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service.
(CVE-2019-14763)

It was discovered that an out-of-bounds read existed in the QLogic QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-15090)

It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.
(CVE-2019-15211)

It was discovered at a double-free error existed in the USB Rio 500 device driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-15212)

It was discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel, leading to a potential use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) pro possibly execute arbitrary code. (CVE-2019-15214)

It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215)

It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2019-15220)

It was discovered that a use-after-free vulnerability existed in the Appletalk implementation in the Linux kernel if an error occurs during initialization. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-15292)

Jason Wang discovered that an infinite loop vulnerability existed in the virtio net driver in the Linux kernel. A local attacker in a guest VM could possibly use this to cause a denial of service in the host system. (CVE-2019-3900)

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen discovered that the Bluetooth protocol BR/EDR specification did not properly require sufficiently strong encryption key lengths. A physicall proximate attacker could use this to expose sensitive information. (CVE-2019-9506)

It was discovered that a race condition existed in the USB YUREX device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2019-15216)

It was discovered that the Siano USB MDTV receiver device driver in the Linux kernel made improper assumptions about the device characteristics. A physically proximate attacker could use this cause a denial of service (system crash). (CVE-2019-15218)

It was discovered that the Line 6 POD USB device driver in the Linux kernel did not properly validate data size information from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15221)

Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701)

Vladis Dronov discovered that the debug interface for the Linux kernel's HID subsystem did not properly validate passed parameters in some situations. A local privileged attacker could use this to cause a denial of service (infinite loop). (CVE-2019-3819).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
134486	EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2020-1197)	Nessus	Huawei Local Security Checks	critical
134240	Debian DLA-2114-1 : linux-4.9 security update	Nessus	Debian Local Security Checks	critical
132796	EulerOS Virtualization for ARM 64 3.0.5.0 : kernel (EulerOS-SA-2020-1042)	Nessus	Huawei Local Security Checks	critical
132134	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-2599)	Nessus	Huawei Local Security Checks	high
131845	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-2353)	Nessus	Huawei Local Security Checks	critical
131805	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2531)	Nessus	Huawei Local Security Checks	high
131349	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2019-2283)	Nessus	Huawei Local Security Checks	high
129677	Ubuntu 18.04 LTS / 19.04 : linux, linux-aws, linux-azure, linux-gcp, linux-gke-5.0, linux-hwe, (USN-4147-1)	Nessus	Ubuntu Local Security Checks	high
129491	Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-4145-1)	Nessus	Ubuntu Local Security Checks	critical
129361	Debian DLA-1930-1 : linux security update	Nessus	Debian Local Security Checks	critical
128779	Debian DLA-1919-2 : linux-4.9 security update	Nessus	Debian Local Security Checks	critical
128680	Ubuntu 16.04 LTS / 18.04 LTS : linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, (USN-4115-2)	Nessus	Ubuntu Local Security Checks	critical
128478	Ubuntu 16.04 LTS / 18.04 LTS : linux-aws vulnerabilities (USN-4118-1)	Nessus	Ubuntu Local Security Checks	critical
128475	Ubuntu 16.04 LTS / 18.04 LTS : linux, linux-azure, linux-gcp, linux-gke-4.15, linux-hwe, linux-kvm, (USN-4115-1)	Nessus	Ubuntu Local Security Checks	critical

CVE-2019-0136

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins