https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10142

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):An issue was discovered in     the Linux kernel before 5.2.3. Out of bounds access     exists in the functions     ath6kl_wmi_pstream_timeout_event_rx and     ath6kl_wmi_cac_event_rx in the file     driverset/wireless/ath/ath6kl/wmi.c.(CVE-2019-15926)An     issue was discovered in the Linux kernel before 5.0.6.
    There is a memory leak issue when idr_alloc() fails in     genl_register_family() in     netetlink/genetlink.c.(CVE-2019-15921)An issue was     discovered in the Linux kernel before 4.20.2. An     out-of-bounds access exists in the function     build_audio_procunit in the file     sound/usb/mixer.c.(CVE-2019-15927)An issue was     discovered in the Linux kernel before 5.0.9. There is a     use-after-free in atalk_proc_exit, related to     net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and     net/appletalk/sysctl_net_atalk.c.(CVE-2019-15292)An     issue was discovered in fs/xfs/xfs_super.c in the Linux     kernel before 4.18. A use after free exists, related to     xfs_fs_fill_super failure.(CVE-2018-20976)In the Linux     kernel before 5.1.13, there is a memory leak in     drivers/scsi/libsas/sas_expander.c when SAS expander     discovery fails. This will cause a BUG and denial of     service.(CVE-2019-15807)A vulnerability was found in     Linux kernel's, versions up to 3.10, implementation of     overlayfs. An attacker with local access can create a     denial of service situation via NULL pointer     dereference in ovl_posix_acl_create function in     fs/overlayfs/dir.c. This can allow attackers with     ability to create directories on overlayfs to crash the     kernel creating a denial of service     (DOS).(CVE-2019-10140)In the Linux kernel, a certain     net/ipv4/tcp_output.c change, which was properly     incorporated into 4.16.12, was incorrectly backported     to the earlier longterm kernels, introducing a new     vulnerability that was potentially more severe than the     issue that was intended to be fixed by backporting.
    Specifically, by adding to a write queue between     disconnection and re-connection, a local attacker can     trigger multiple use-after-free conditions. This can     result in a kernel crash, or potentially in privilege     escalation.(CVE-2019-15239)check_input_term in     sound/usb/mixer.c in the Linux kernel through 5.2.9     mishandles recursion, leading to kernel stack     exhaustion.(CVE-2019-15118)drivers     et/wireless/ath/ath10k/usb.c in the Linux kernel     through 5.2.8 has a NULL pointer dereference via an     incomplete address in an endpoint     descriptor.(CVE-2019-15099)drivers     et/wireless/ath/ath6kl/usb.c in the Linux kernel     through 5.2.9 has a NULL pointer dereference via an     incomplete address in an endpoint     descriptor.(CVE-2019-15098)A flaw was found in the     Linux kernel's Bluetooth implementation of UART. An     attacker with local access and write permissions to the     Bluetooth hardware could use this flaw to issue a     specially crafted ioctl function call and cause the     system to crash.(CVE-2019-10207)It was found that cephx     authentication protocol did not verify ceph clients     correctly and was vulnerable to replay attack. Any     attacker having access to ceph cluster network who is     able to sniff packets on network can use this     vulnerability to authenticate with ceph service and     perform actions allowed by ceph service. Ceph branches     master, mimic, luminous and jewel are believed to be     vulnerable.(CVE-2018-1128)ax25_create in     net/ax25/af_ax25.c in the AF_AX25 network module in the     Linux kernel through 5.3.2 does not enforce     CAP_NET_RAW, which means that unprivileged users can     create a raw socket, aka     CID-0614e2b73768.(CVE-2019-17052)ieee802154_create in     net/ieee802154/socket.c in the AF_IEEE802154 network     module in the Linux kernel through 5.3.2 does not     enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-e69dbd4619e7.(CVE-2019-17053)atalk_create in     net/appletalk/ddp.c in the AF_APPLETALK network module     in the Linux kernel through 5.3.2 does not enforce     CAP_NET_RAW, which means that unprivileged users can     create a raw socket, aka     CID-6cc03e8aa36c.(CVE-2019-17054)base_sock_create in     drivers/isdn/mISDN/socket.c in the AF_ISDN network     module in the Linux kernel through 5.3.2 does not     enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-b91ee4aa2a21.(CVE-2019-17055)llcp_sock_create in     net fc/llcp_sock.c in the AF_NFC network module in the     Linux kernel through 5.3.2 does not enforce     CAP_NET_RAW, which means that unprivileged users can     create a raw socket, aka     CID-3a359798b176.(CVE-2019-17056)A flaw was found in     the Linux kernel's freescale hypervisor manager     implementation, kernel versions 5.0.x up to, excluding     5.0.17. A parameter passed to an ioctl was incorrectly     validated and used in size calculations for the page     size calculation. An attacker can use this flaw to     crash the system, corrupt memory, or create other     adverse security     affects.(CVE-2019-10142)drivers/media/usb/dvb-usb/techn     isat-usb2.c in the Linux kernel through 5.2.9 has an     out-of-bounds read via crafted USB device traffic     (which may be remote via usbip or     usbredir).(CVE-2019-15505)An issue was discovered in     the Linux kernel before 5.0.4. The 9p filesystem did     not protect i_size_write() properly, which causes an     i_size_read() infinite loop and denial of service on     SMP systems.(CVE-2019-16413)An issue was discovered in     xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux     kernel through 5.2.9. XFS partially wedges when a chgrp     fails on account of being out of disk quota.
    xfs_setattr_nonsize is failing to unlock the ILOCK     after the xfs_qm_vop_chown_reserve call fails. This is     primarily a local DoS attack vector, but it might     result as well in remote DoS if the XFS filesystem is     exported for instance via NFS.(CVE-2019-15538)A buffer     overflow flaw was found, in versions from 2.6.34 to     5.2.x, in the way Linux kernel's vhost functionality     that translates virtqueue buffers to IOVs, logged the     buffer descriptors during migration. A privileged guest     user able to pass descriptors with invalid length to     the host when migration is underway, could use this     flaw to increase their privileges on the     host.(CVE-2019-14835)An out-of-bounds access issue was     found in the Linux kernel, all versions through 5.3, in     the way Linux kernel's KVM hypervisor implements the     Coalesced MMIO write operation. It operates on an MMIO     ring buffer 'struct kvm_coalesced_mmio' object, wherein     write indices 'ring->first' and 'ring->last' value     could be supplied by a host user-space process. An     unprivileged host user or process with access to     '/dev/kvm' device could use this flaw to crash the host     kernel, resulting in a denial of service or potentially     escalating privileges on the system.(CVE-2019-14821)An     information disclosure vulnerability exists when     certain central processing units (CPU) speculatively     access memory, aka 'Windows Kernel Information     Disclosure Vulnerability'.
    (CVE-2019-1125)drivers/scsi/qla2xxx/qla_os.c in the     Linux kernel 5.2.14 does not check the alloc_workqueue     return value, leading to a NULL pointer     dereference.(CVE-2019-16233)An issue was discovered in     the Linux kernel before 5.0.11. fm10k_init_module in     drivers et/ethernet/intel/fm10k/fm10k_main.c has a NULL     pointer dereference because there is no -ENOMEM upon an     alloc_workqueue failure.(CVE-2019-15924)An issue was     discovered in the Linux kernel before 5.2.1. There is a     use-after-free caused by a malicious USB device in the     drivers et/wireless/intersil/p54/p54usb.c     driver.(CVE-2019-15220 )In the Linux kernel before     5.1.7, a device can be tracked by an attacker using the     IP ID values the kernel produces for connection-less     protocols (e.g., UDP and ICMP). When such traffic is     sent to multiple destination IP addresses, it is     possible to obtain hash collisions (of indices to the     counter array) and thereby obtain the hashing key (via     enumeration). An attack may be conducted by hosting a     crafted web page that uses WebRTC or gQUIC to force UDP     traffic to attacker-controlled IP     addresses.(CVE-2019-10638)There is heap-based buffer     overflow in Linux kernel, all versions up to, excluding     5.3, in the marvell wifi chip driver in Linux kernel,     that allows local users to cause a denial of     service(system crash) or possibly execute arbitrary     code.( CVE-2019-14814)** RESERVED ** This candidate has     been reserved by an organization or individual that     will use it when announcing a new security problem.
    When the candidate has been publicized, the details for     this candidate will be provided.( CVE-2019-14815)There     is heap-based buffer overflow in kernel, all versions     up to, excluding 5.3, in the marvell wifi chip driver     in Linux kernel, that allows local users to cause a     denial of service(system crash) or possibly execute     arbitrary code.( CVE-2019-14816)A flaw was found in the     way Linux kernel KVM hypervisor emulated instructions     such as sgdt/sidt/fxsave/fxrstor. It did not check     current privilege(CPL) level while emulating     unprivileged instructions. An unprivileged guest     user/process could use this flaw to potentially     escalate privileges inside guest.(CVE-2018-10853)A NULL     pointer dereference was found in the net/rds/rdma.c
    __rds_rdma_map() function in the Linux kernel before     4.14.7 allowing local attackers to cause a system panic     and a denial-of-service, related to RDS_GET_MR and     RDS_GET_MR_FOR_DEST.(CVE-2018-7492)An issue was     discovered in the Linux kernel before 4.20.15. The     nfc_llcp_build_tlv function in net fc/llcp_commands.c     may return NULL. If the caller does not check for this,     it will trigger a NULL pointer dereference. This will     cause denial of service. This affects nfc_llcp_build_gb     in netfc/llcp_core.c.(CVE-2019-12818)An issue was     discovered in the Linux kernel before 5.1.8. There is a     NULL pointer dereference caused by a malicious USB     device in the drivers/media/usb/siano/smsusb.c     driver.(CVE-2019-15218)An issue was discovered in the     Linux kernel before 5.1.8. There is a NULL pointer     dereference caused by a malicious USB device in the     drivers/usb/misc/sisusbvga/sisusb.c     driver.(CVE-2019-15219)An issue was discovered in the     Linux kernel before 5.1.17. There is a NULL pointer     dereference caused by a malicious USB device in the     sound/usb/line6/pcm.c driver.(CVE-2019-15221)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that a race condition existed in the Serial Attached SCSI (SAS) implementation in the Linux kernel. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2018-20836)

It was discovered that the ext4 file system implementation in the Linux kernel did not properly zero out memory in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11833)

It was discovered that the Bluetooth Human Interface Device Protocol (HIDP) implementation in the Linux kernel did not properly verify strings were NULL terminated in certain situations. A local attacker could use this to expose sensitive information (kernel memory).
(CVE-2019-11884)

It was discovered that the Linux kernel on ARM processors allowed a tracing process to modify a syscall after a seccomp decision had been made on that syscall. A local attacker could possibly use this to bypass seccomp restrictions. (CVE-2019-2054)

Hugues Anguelkov discovered that the Broadcom Wifi driver in the Linux kernel did not properly prevent remote firmware events from being processed for USB Wifi devices. A physically proximate attacker could use this to send firmware events to the device. (CVE-2019-9503)

It was discovered that an integer overflow existed in the Freescale (PowerPC) hypervisor manager in the Linux kernel. A local attacker with write access to /dev/fsl-hv could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2019-10142).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A flaw was found in the Linux kernel's freescale hypervisor manager implementation. A parameter passed via to an ioctl was incorrectly validated and used in size calculations for the page size calculation.
An attacker can use this flaw to crash the system or corrupt memory or, possibly, create other adverse security affects. (CVE-2019-10142)

The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a '\0' character.
(CVE-2019-11884)

If the Wake-up on Wireless LAN functionality is configured in the brcmfmac driver, which only works with Broadcom FullMAC chipsets, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results() function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with another brcmfmac driver flaw (CVE-2019-9503), can be used remotely. This can result in a remote denial of service (DoS). Due to the nature of the flaw, a remote privilege escalation cannot be fully ruled out. (CVE-2019-9500)

A new software page cache side channel attack scenario was discovered in operating systems that implement the very common 'page cache' caching mechanism. A malicious user/process could use 'in memory' page-cache knowledge to infer access timings to shared memory and gain knowledge which can be used to reduce effectiveness of cryptographic strength by monitoring algorithmic behavior, infer access patterns of memory to determine code paths taken, and exfiltrate data to a blinded attacker through page-granularity access times as a side-channel.
(CVE-2019-5489)

A flaw was found in the Linux kernel's vfio interface implementation that permits violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS).
(CVE-2019-3882)

A flaw was found in the Linux kernel's freescale hypervisor manager implementation. A parameter passed via to an ioctl was incorrectly validated and used in size calculations for the page size calculation.
An attacker can use this flaw to crash the system or corrupt memory or, possibly, create other adverse security affects.(CVE-2019-10142)

A new software page cache side channel attack scenario was discovered in operating systems that implement the very common 'page cache' caching mechanism. A malicious user/process could use 'in memory' page-cache knowledge to infer access timings to shared memory and gain knowledge which can be used to reduce effectiveness of cryptographic strength by monitoring algorithmic behavior, infer access patterns of memory to determine code paths taken, and exfiltrate data to a blinded attacker through page-granularity access times as a side-channel.
(CVE-2019-5489)

The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a '\0' character.(CVE-2019-11884)

A flaw was found in the Linux kernel's vfio interface implementation that permits violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS).(CVE-2019-3882)

If the Wake-up on Wireless LAN functionality is configured in the brcmfmac driver, which only works with Broadcom FullMAC chipsets, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results() function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with another brcmfmac driver flaw (CVE-2019-9503), can be used remotely. This can result in a remote denial of service (DoS). Due to the nature of the flaw, a remote privilege escalation cannot be fully ruled out.(CVE-2019-9500)

A flaw was found in the Linux kernel's implementation of ext4 extent management. The kernel doesn't correctly initialize memory regions in the extent tree block which may be exported to a local user to obtain sensitive information by reading empty/uninitialized data from the filesystem. (CVE-2019-11833)

The 5.0.17 update contains a number of important fixes across the tree

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
131845	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-2353)	Nessus	Huawei Local Security Checks	critical
130736	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-2274)	Nessus	Huawei Local Security Checks	critical
130663	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2201)	Nessus	Huawei Local Security Checks	critical
127097	Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-4076-1)	Nessus	Ubuntu Local Security Checks	high
125605	Amazon Linux AMI : kernel (ALAS-2019-1214)	Nessus	Amazon Linux Local Security Checks	high
125598	Amazon Linux 2 : kernel (ALAS-2019-1214)	Nessus	Amazon Linux Local Security Checks	high
125429	Fedora 29 : kernel (2019-8169b57f28)	Nessus	Fedora Local Security Checks	medium
125377	Fedora 30 : kernel (2019-b318b2c6f3)	Nessus	Fedora Local Security Checks	medium

CVE-2019-10142

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins