https://bugs.chromium.org/p/project-zero/issues/detail?id=1790

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14898

https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.114

https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.37

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.10

https://security.netapp.com/advisory/ntap-20200608-0001/

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:0339 advisory.

  - kernel: heap overflow in mwifiex_set_uap_rates() function of Marvell Wifi Driver leading to DoS     (CVE-2019-14814)

  - kernel: heap-overflow in mwifiex_set_wmm_params() function of Marvell WiFi driver leading to DoS     (CVE-2019-14815)

  - kernel: heap overflow in mwifiex_update_vs_ie() function of Marvell WiFi driver (CVE-2019-14816)

  - kernel: heap-based buffer overflow in mwifiex_process_country_ie() function in     drivers/net/wireless/marvell/mwifiex/sta_ioctl.c (CVE-2019-14895)

  - kernel: incomplete fix  for race condition between mmget_not_zero()/get_task_mm() and core dumping in     CVE-2019-11599 (CVE-2019-14898)

  - kernel: heap overflow in marvell/mwifiex/tdls.c (CVE-2019-14901)

  - kernel: rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel lacks a certain     upper-bound check, leading to a buffer overflow (CVE-2019-17666)

  - Kernel: KVM: export MSR_IA32_TSX_CTRL to guest - incomplete fix for TAA (CVE-2019-11135) (CVE-2019-19338)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has kernel-rt packages installed that are affected by multiple vulnerabilities:

  - The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could     use this flaw to obtain sensitive information, cause a denial of service, or possibly have other     unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.
    (CVE-2019-14898)

  - A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.
    As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it     is possible for the specified target task to perform an execve() syscall with setuid execution before     perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check     and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged     execve() calls. This issue affects kernel versions before 4.8. (CVE-2019-3901)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has kernel packages installed that are affected by multiple vulnerabilities:

  - In the Linux kernel before 4.1.4, a buffer overflow occurs when checking userspace params in     drivers/media/dvb-frontends/cx24116.c. The maximum size for a DiSEqC command is 6, according to the     userspace API. However, the code allows larger values such as 23. (CVE-2015-9289)

  - The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to     the current task's default request-key keyring via the request_key() system call, allowing a local user     to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write     permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.
    (CVE-2017-17807)

  - An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during     the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.
    (CVE-2018-20169)

  - In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before     register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and     panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to     CVE-2013-4343. (CVE-2018-7191)

  - The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-     free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - ** DISPUTED ** An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the     Linux kernel through 5.1.5. There is an unchecked kstrdup of fwstr, which might allow an attacker to cause     a denial of service (NULL pointer dereference and system crash). NOTE: The vendor disputes this issues as     not being a vulnerability because kstrdup() returning NULL is handled sufficiently and there is no chance     for a NULL pointer dereference. (CVE-2019-12382)

  - In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an     LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds     violation. (CVE-2019-13233)

  - In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and     head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an     unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by     default. (CVE-2019-14283)

  - There is heap-based buffer overflow in kernel, all versions up to, excluding 5.3, in the marvell wifi chip     driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly     execute arbitrary code. (CVE-2019-14816)

  - A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before     4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection     negotiation during the handling of the remote devices country settings. This could allow the remote device     to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895)

  - The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could     use this flaw to obtain sensitive information, cause a denial of service, or possibly have other     unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.
    (CVE-2019-14898)

  - A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell     WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a     denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the     availability of the system. If code execution occurs, the code will run with the permissions of root. This     will affect both confidentiality and integrity of files on the system. (CVE-2019-14901)

  - An issue was discovered in the Linux kernel before 5.0.1. There is a memory leak in     register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service. (CVE-2019-15916)

  - In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a     long SSID IE, leading to a Buffer Overflow. (CVE-2019-17133)

  - rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a     certain upper-bound check, leading to a buffer overflow. (CVE-2019-17666)

  - A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where,     the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error     occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by     the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction     mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism     to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that     host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.
    (CVE-2019-19338)

  - A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.
    As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it     is possible for the specified target task to perform an execve() syscall with setuid execution before     perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check     and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged     execve() calls. This issue affects kernel versions before 4.8. (CVE-2019-3901)

  - In the Android kernel in Pixel C USB monitor driver there is a possible OOB write due to a missing bounds     check. This could lead to local escalation of privilege with System execution privileges needed. User     interaction is not needed for exploitation. (CVE-2019-9456)

  - The Broadcom brcmfmac WiFi driver prior to commit a4176ec356c73a46c07c181c6d04039fafa34a9f is vulnerable     to a frame validation bypass. If the brcmfmac driver receives a firmware event frame from a remote source,     the is_wlc_event_frame function will cause this frame to be discarded and unprocessed. If the driver     receives the firmware event frame from the host, the appropriate handler is called. This frame validation     can be bypassed if the bus used is USB (for instance by a wifi dongle). This can allow firmware event     frames from a remote source to be processed. In the worst case scenario, by sending specially-crafted WiFi     packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.
    More typically, this vulnerability will result in denial-of-service conditions. (CVE-2019-9503)

  - A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7.
    This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into     the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. While processing the CIPSO     restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate     that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer     dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network     user to crash the system kernel, resulting in a denial of service. (CVE-2020-10711)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2020-0044 for details.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5866 advisory.

  - An issue was discovered in fs/gfs2/rgrp.c in the Linux kernel before 4.8. A use-after-free is caused by     the functions gfs2_clear_rgrpd and read_rindex_entry. (CVE-2016-10905)

  - An issue was discovered in drivers/net/ethernet/arc/emac_main.c in the Linux kernel before 4.5. A use-     after-free is caused by a race condition between the functions arc_emac_tx and arc_emac_tx_clean.
    (CVE-2016-10906)

  - The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel before 4.10.4 allows     local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer     underflow. (CVE-2017-8924)

  - The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel before 4.10.4 allows local     users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling.
    (CVE-2017-8925)

  - sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local users to cause a denial of service     (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a     crafted USB device. (CVE-2017-16528)

  - In driver_override_store and driver_override_show of bus.c, there is a possible double free due to     improper locking. This could lead to local escalation of privilege with System execution privileges     needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android     ID: A-69129004 References: Upstream kernel. (CVE-2018-9415)

  - A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network     namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-     free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system     panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2018-16884)

  - An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an
    __blk_drain_queue() use-after-free because a certain error case is mishandled. (CVE-2018-20856)

  - A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the     mwifiex kernel module while connecting to a malicious wireless network. (CVE-2019-3846)

  - The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An     attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are     believed to be vulnerable. (CVE-2019-3874)

  - An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An     attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations     before the required authentication process has completed. This could lead to different denial-of-service     scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already     existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge     Authentication and Association Request packets to trigger this vulnerability. (CVE-2019-5108)

  - In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference     counting because of a race condition, leading to a use-after-free. (CVE-2019-6974)

  - The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free. (CVE-2019-7221)

  - The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak. (CVE-2019-7222)

  - The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-     free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could     use this flaw to obtain sensitive information, cause a denial of service, or possibly have other     unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.
    (CVE-2019-14898)

  - An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a     malicious USB device in the drivers/media/usb/siano/smsusb.c driver. (CVE-2019-15218)

  - drivers/media/usb/dvb-usb/technisat-usb2.c in the Linux kernel through 5.2.9 has an out-of-bounds read via     crafted USB device traffic (which may be remote via usbip or usbredir). (CVE-2019-15505)

  - An issue was discovered in the Linux kernel before 4.20.2. An out-of-bounds access exists in the function     build_audio_procunit in the file sound/usb/mixer.c. (CVE-2019-15927)

  - An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check     the length of variable elements in a beacon head, leading to a buffer overflow. (CVE-2019-16746)

  - An issue was discovered in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has security relevance. (CVE-2019-17075)

  - fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer     dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka     CID-09ba3bc9dd15. (CVE-2019-18885)

  - A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel before     5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb()     failures, aka CID-fb5be6a7b486. (CVE-2019-19052)

  - Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow     attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout()     failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the     htc_connect_service() function, aka CID-853acf7caf10. (CVE-2019-19073)

  - In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in     kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-     buffer). (CVE-2019-19768)

  - In the Linux kernel through 5.4.6, there is a NULL pointer dereference in     drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related     to a PHY down race condition, aka CID-f70267f379b5. (CVE-2019-19965)

  - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in     fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. (CVE-2019-20054)

  - In the Linux kernel before 5.1, there is a memory leak in __feat_register_sp() in net/dccp/feat.c, which     may cause denial of service, aka CID-1d3ff0950e2b. (CVE-2019-20096)

  - An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in     net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain     failure case involving TPACKET_V3, aka CID-b43d1f9f7067. (CVE-2019-20812)

  - A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN     and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't     correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would     allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this     vulnerability is to data confidentiality. (CVE-2020-1749)

  - A flaw was found in the Linux kernel's implementation of GRO in versions before 5.2. This flaw allows an     attacker with local access to crash the system. (CVE-2020-10720)

  - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it     incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly     only validate the first netlink message in the skb and allow or deny the rest of the messages within the     skb with the granted permission without further processing. (CVE-2020-10751)

  - A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in     crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4     bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat,     leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of     service. (CVE-2020-10769)

  - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file     system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash     the system if the directory exists. The highest threat from this vulnerability is to system availability.
    (CVE-2020-14314)

  - A flaw was found in the Linux kernels implementation of the invert video code on VGA consoles when a     local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds     write to occur. This flaw allows a local user with access to the VGA console to crash the system,     potentially escalating their privileges on the system. The highest threat from this vulnerability is to     data confidentiality and integrity as well as system availability. (CVE-2020-14331)

  - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers     to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)

  - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap     rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)

  - A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified     other impact, aka CID-17743798d812. (CVE-2020-25285)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5845 advisory.

  - An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in     io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item     validation in check_leaf_item in fs/btrfs/tree-checker.c. (CVE-2018-14613)

  - A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network     namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-     free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system     panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2018-16884)

  - The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An     attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are     believed to be vulnerable. (CVE-2019-3874)

  - An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including     v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster     than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the     vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)

  - An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An     attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations     before the required authentication process has completed. This could lead to different denial-of-service     scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already     existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge     Authentication and Association Request packets to trigger this vulnerability. (CVE-2019-5108)

  - In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel     produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple     destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and     thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page     that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses. (CVE-2019-10638)

  - The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel     address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel     image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and     ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash     collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This     key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via     enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the     attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled     IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic     is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the     attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP     addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to     have a dependency on an address associated with a network namespace. (CVE-2019-10639)

  - The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-     free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could     use this flaw to obtain sensitive information, cause a denial of service, or possibly have other     unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.
    (CVE-2019-14898)

  - An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a     malicious USB device in the drivers/media/usb/siano/smsusb.c driver. (CVE-2019-15218)

  - An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check     the length of variable elements in a beacon head, leading to a buffer overflow. (CVE-2019-16746)

  - An issue was discovered in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has security relevance. (CVE-2019-17075)

  - In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a     long SSID IE, leading to a Buffer Overflow. (CVE-2019-17133)

  - fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer     dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka     CID-09ba3bc9dd15. (CVE-2019-18885)

  - A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel before     5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb()     failures, aka CID-fb5be6a7b486. (CVE-2019-19052)

  - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the     Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka     CID-3f9361695113. (CVE-2019-19063)

  - A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering     bfa_port_get_stats() failures, aka CID-0e62395da2bd. (CVE-2019-19066)

  - Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow     attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout()     failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the     htc_connect_service() function, aka CID-853acf7caf10. (CVE-2019-19073)

  - A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
    (CVE-2019-19074)

  - A memory leak in the ath10k_usb_hif_tx_sg() function in drivers/net/wireless/ath/ath10k/usb.c in the Linux     kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering     usb_submit_urb() failures, aka CID-b8d17e7d93d2. (CVE-2019-19078)

  - In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device     in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042. (CVE-2019-19535)

  - kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with     Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by     generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words,     although this slice expiration would typically be seen with benign workloads, it is possible that an     attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a     low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray     requests. An attack does not affect the stability of the kernel; it only causes mismanagement of     application execution.) (CVE-2019-19922)

  - An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in     net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain     failure case involving TPACKET_V3, aka CID-b43d1f9f7067. (CVE-2019-20812)

  - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it     incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly     only validate the first netlink message in the skb and allow or deny the rest of the messages within the     skb with the granted permission without further processing. (CVE-2020-10751)

  - A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in     crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4     bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat,     leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of     service. (CVE-2020-10769)

  - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before     4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a     denial of service (panic) by corrupting a mountpoint reference counter. (CVE-2020-12114)

  - An issue was discovered in the Linux kernel through 5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c     has a deadlock if a coalescing operation fails. (CVE-2020-12771)

  - The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive     information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to     drivers/char/random.c and kernel/time/timer.c. (CVE-2020-16166)

  - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new     filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the     current umask is not considered. (CVE-2020-24394)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In the Linux kernel 5.0.21, mounting a crafted btrfs     filesystem image, performing some operations, and     unmounting can lead to a use-after-free in     btrfs_queue_work in     fs/btrfs/async-thread.c.(CVE-2019-19377)

  - The fix for CVE-2019-11599, affecting the Linux kernel     before 5.0.10 was not complete. A local user could use     this flaw to obtain sensitive information, cause a     denial of service, or possibly have other unspecified     impacts by triggering a race condition with     mmget_not_zero or get_task_mm calls.(CVE-2019-14898)

  - A pivot_root race condition in fs/namespace.c in the     Linux kernel 4.4.x before 4.4.221, 4.9.x before     4.9.221, 4.14.x before 4.14.178, 4.19.x before     4.19.119, and 5.x before 5.3 allows local users to     cause a denial of service (panic) by corrupting a     mountpoint reference counter.(CVE-2020-12114)

  - usb_sg_cancel in drivers/usb/core/message.c in the     Linux kernel before 5.6.8 has a use-after-free because     a transfer occurs without a reference, aka     CID-056ad39ee925.(CVE-2020-12464)

  - The __mptctl_ioctl function in     drivers/message/fusion/mptctl.c in the Linux kernel     before 5.4.14 allows local users to hold an incorrect     lock during the ioctl operation and trigger a race     condition, i.e., a 'double fetch' vulnerability, aka     CID-28d76df18f0a. NOTE: the vendor states 'The security     impact of this bug is not as bad as it could have been     because these operations are all privileged and root     already has enormous destructive     power.'(CVE-2020-12652)

  - An issue was found in Linux kernel before 5.5.4. The     mwifiex_cmd_append_vsie_tlv() function in     drivers/net/wireless/marvell/mwifiex/scan.c allows     local users to gain privileges or cause a denial of     service because of an incorrect memcpy and buffer     overflow, aka CID-b70261a288ea.(CVE-2020-12653)

  - An issue was found in Linux kernel before 5.5.4.
    mwifiex_ret_wmm_get_status() in     drivers/net/wireless/marvell/mwifiex/wmm.c allows a     remote AP to trigger a heap-based buffer overflow     because of an incorrect memcpy, aka     CID-3a9b153c5591.(CVE-2020-12654)

  - An issue was discovered in xfs_agf_verify in     fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through     5.6.10. Attackers may trigger a sync of excessive     duration via an XFS v5 image with crafted metadata, aka     CID-d0c7feaf8767.(CVE-2020-12655)

  - In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there     is a possible out of bounds write due to a missing     bounds check. This could lead to local escalation of     privilege with System execution privileges needed. User     interaction is not needed for exploitation. Product:
    Android. Versions: Android kernel. Android ID:
    A-73083945.(CVE-2018-9518)

  - An issue was discovered in slc_bump in     drivers/net/can/slcan.c in the Linux kernel through     5.6.2. It allows attackers to read uninitialized     can_frame data, potentially containing sensitive     information from kernel stack memory, if the     configuration lacks CONFIG_INIT_STACK_ALL, aka     CID-b9258a2cece4.(CVE-2020-11494)

  - In the Android kernel in sync debug fs driver there is     a kernel pointer leak due to the usage of printf with     %p. This could lead to local information disclosure     with system execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2019-9444)

  - In the Linux kernel before 5.4.12,     drivers/input/input.c has out-of-bounds writes via a     crafted keycode table, as demonstrated by     input_set_keycode, aka     CID-cb222aed03d7.(CVE-2019-20636)

  - An issue was discovered in the Linux kernel through     5.6.2. mpol_parse_str in mm/mempolicy.c has a     stack-based out-of-bounds write because an empty     nodelist is mishandled during mount option parsing, aka     CID-aa9f7d5172fa. NOTE: Someone in the security     community disagrees that this is a vulnerability     because the issue 'is a bug in parsing mount options     which can only be specified by a privileged user, so     triggering the bug does not grant any powers not     already held.'.(CVE-2020-11565)

  - An issue was discovered in the Linux kernel before     5.6.1. drivers/media/usb/gspca/ov519.c allows NULL     pointer dereferences in ov511_mode_init_regs and     ov518_mode_init_regs when there are zero endpoints, aka     CID-998912346c0d.(CVE-2020-11608)

  - An issue was discovered in the stv06xx subsystem in the     Linux kernel before 5.6.1.
    drivers/media/usb/gspca/stv06xx/stv06xx.c and     drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c     mishandle invalid descriptors, as demonstrated by a     NULL pointer dereference, aka     CID-485b06aadb93.(CVE-2020-11609)

  - In the Linux kernel before 5.5.8, get_raw_socket in     drivers/vhost/net.c lacks validation of an sk_family     field, which might allow attackers to trigger kernel     stack corruption via crafted system     calls.(CVE-2020-10942)

  - drivers/gpu/drm/radeon/radeon_display.c in the Linux     kernel 5.2.14 does not check the alloc_workqueue return     value, leading to a NULL pointer dereference. NOTE: A     third-party software maintainer states that the work     queue allocation is happening during device     initialization, which for a graphics card occurs during     boot. It is not attacker controllable and OOM at that     time is highly unlikely.(CVE-2019-16230)

  - In the netlink driver, there is a possible out of     bounds write due to a race condition. This could lead     to local escalation of privilege with System execution     privileges needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-65025077(CVE-2020-0066)

  - The kernel in Red Hat Enterprise Linux 7 and MRG-2 does     not clear garbage data for SG_IO buffer, which may     leaking sensitive information to     userspace.(CVE-2014-8181)

  - btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel     through 5.3.12 allows a NULL pointer dereference     because rcu_dereference(root->node) can be     zero.(CVE-2019-19036)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected by multiple vulnerabilities:

  - A vulnerability was found in the Linux kernel's Marvell     WiFi chip driver. Where, while parsing vendor-specific     informational attributes, an attacker on the same WiFi     physical network segment could cause a system crash,     resulting in a denial of service, or potentially execute     arbitrary code. This flaw affects the network interface     at the most basic level meaning the attacker only needs     to affiliate with the same network device as the     vulnerable system to create an attack path.
    (CVE-2019-14816)

  - A heap-based buffer overflow was discovered in the Linux     kernel's Marvell WiFi chip driver. The flaw could occur     when the station attempts a connection negotiation     during the handling of the remote devices country     settings. This could allow the remote device to cause a     denial of service (system crash) or possibly execute     arbitrary code. (CVE-2019-14895)

  - No description is available for this CVE.
    (CVE-2019-14898)

  - A heap overflow flaw was found in the Linux kernel's     Marvell WiFi chip driver. The vulnerability allows a     remote attacker to cause a system crash, resulting in a     denial of service, or execute arbitrary code. The     highest threat with this vulnerability is with the     availability of the system. If code execution occurs,     the code will run with the permissions of root. This     will affect both confidentiality and integrity of files     on the system. (CVE-2019-14901)

  - A vulnerability was found in the Linux kernel's generic     WiFi ESSID handling implementation. The flaw allows a     system to join a wireless network where the ESSID is     longer than the maximum length of 32 characters, which     can cause the system to crash or execute code.
    (CVE-2019-17133)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities:

  - There is heap-based buffer overflow in kernel, all     versions up to, excluding 5.3, in the marvell wifi chip     driver in Linux kernel, that allows local users to cause     a denial of service(system crash) or possibly execute     arbitrary code. (CVE-2019-14816)

  - A heap-based buffer overflow was discovered in the Linux     kernel, all versions 3.x.x and 4.x.x before 4.18.0, in     Marvell WiFi chip driver. The flaw could occur when the     station attempts a connection negotiation during the     handling of the remote devices country settings. This     could allow the remote device to cause a denial of     service (system crash) or possibly execute arbitrary     code. (CVE-2019-14895)

  - A heap overflow flaw was found in the Linux kernel, all     versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi     chip driver. The vulnerability allows a remote attacker     to cause a system crash, resulting in a denial of     service, or execute arbitrary code. The highest threat     with this vulnerability is with the availability of the     system. If code execution occurs, the code will run with     the permissions of root. This will affect both     confidentiality and integrity of files on the system.
    (CVE-2019-14901)

  - In the Linux kernel through 5.3.2,     cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c     does not reject a long SSID IE, leading to a Buffer     Overflow. (CVE-2019-17133)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* kernel: heap overflow in mwifiex_update_vs_ie() function of Marvell WiFi driver (CVE-2019-14816)

* kernel: heap-based buffer overflow in mwifiex_process_country_ie() function in drivers/net/wireless/marvell/mwifiex/sta_ioctl.c (CVE-2019-14895)

* kernel: heap overflow in marvell/mwifiex/tdls.c (CVE-2019-14901)

* kernel: buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/ wext-sme.c (CVE-2019-17133)

* kernel: incomplete fix for race condition between mmget_not_zero()/ get_task_mm() and core dumping in CVE-2019-11599 (CVE-2019-14898)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es) :

* [Azure][7.8] Include patch 'PCI: hv: Avoid use of hv_pci_dev->pci_slot after freeing it' (BZ#1766089)

* [Hyper-V][RHEL7.8] When accelerated networking is enabled on RedHat, network interface(eth0) moved to new network namespace does not obtain IP address. (BZ#1766093)

* [Azure][RHEL 7.6] hv_vmbus probe pass-through GPU card failed (BZ#1766097)

* SMB3: Do not error out on large file transfers if server responds with STATUS_INSUFFICIENT_RESOURCES (BZ#1767621)

* Since RHEL commit 5330f5d09820 high load can cause dm-multipath path failures (BZ#1770113)

* Hard lockup in free_one_page()->_raw_spin_lock() because sosreport command is reading from /proc/pagetypeinfo (BZ#1770732)

* patchset for x86/atomic: Fix smp_mb__{before,after}_atomic() (BZ#1772812)

* fix compat statfs64() returning EOVERFLOW for when
_FILE_OFFSET_BITS=64 (BZ #1775678)

* Guest crash after load cpuidle-haltpoll driver (BZ#1776289)

* RHEL 7.7 long I/O stalls with bnx2fc from not masking off scope bits of retry delay value (BZ#1776290)

* Multiple 'mv' processes hung on a gfs2 filesystem (BZ#1777297)

* Moving Egress IP will result in conntrack sessions being DESTROYED (BZ# 1779564)

* core: backports from upstream (BZ#1780033)

* kernel BUG at arch/powerpc/platforms/pseries/lpar.c:482! (BZ#1780148)

* Race between tty_open() and flush_to_ldisc() using the tty_struct-> driver_data field. (BZ#1780163)

From Red Hat Security Advisory 2020:0339 :

An update for kernel is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* kernel: heap overflow in mwifiex_update_vs_ie() function of Marvell WiFi driver (CVE-2019-14816)

* kernel: heap-based buffer overflow in mwifiex_process_country_ie() function in drivers/net/wireless/marvell/mwifiex/sta_ioctl.c (CVE-2019-14895)

* kernel: heap overflow in marvell/mwifiex/tdls.c (CVE-2019-14901)

* kernel: rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel lacks a certain upper-bound check, leading to a buffer overflow (CVE-2019-17666)

* kernel: heap overflow in mwifiex_set_uap_rates() function of Marvell Wifi Driver leading to DoS (CVE-2019-14814)

* kernel: heap-overflow in mwifiex_set_wmm_params() function of Marvell WiFi driver leading to DoS (CVE-2019-14815)

* kernel: incomplete fix for race condition between mmget_not_zero()/ get_task_mm() and core dumping in CVE-2019-11599 (CVE-2019-14898)

* Kernel: KVM: export MSR_IA32_TSX_CTRL to guest - incomplete fix for TAA (CVE-2019-11135) (CVE-2019-19338)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es) :

* [Azure][8.1] Include patch 'PCI: hv: Avoid use of hv_pci_dev->pci_slot after freeing it' (BZ#1764635)

* block layer: update to v5.3 (BZ#1777766)

* backport xfs: fix missing ILOCK unlock when xfs_setattr_nonsize fails due to EDQUOT (BZ#1778692)

* Backport important bugfixes from upstream post 5.3 (BZ#1778693)

* LUN path recovery issue with Emulex LPe32002 HBA in RHEL 8.0 Server during storage side cable pull testing (BZ#1781108)

* cifs tasks enter D state and error out with 'CIFS VFS: SMB signature verification returned error = -5' (BZ#1781110)

* Update CIFS to linux 5.3 (except RDMA and conflicts) (BZ#1781113)

* RHEL8.0 - Regression to RHEL7.6 by changing force_latency found during RHEL8.0 validation for SAP HANA on POWER (BZ#1781114)

* blk-mq: overwirte performance drops on real MQ device (BZ#1782181)

Security Fix(es) :

  - kernel: heap overflow in mwifiex_update_vs_ie() function     of Marvell WiFi driver (CVE-2019-14816)

  - kernel: heap-based buffer overflow in     mwifiex_process_country_ie() function in     drivers/net/wireless/marvell/mwifiex/sta_ioctl.c     (CVE-2019-14895)

  - kernel: heap overflow in marvell/mwifiex/tdls.c     (CVE-2019-14901)

  - kernel: buffer overflow in cfg80211_mgd_wext_giwessid in     net/wireless/wext-sme.c (CVE-2019-17133)

  - kernel: incomplete fix for race condition between     mmget_not_zero()/get_task_mm() and core dumping in     CVE-2019-11599 (CVE-2019-14898)

Bug Fix(es) :

  - [Azure][7.8] Include patch 'PCI: hv: Avoid use of     hv_pci_dev->pci_slot after freeing it' (BZ#1766089)

  - [Hyper-V][RHEL7.8] When accelerated networking is     enabled on RedHat, network interface(eth0) moved to new     network namespace does not obtain IP address.
    (BZ#1766093)

  - [Azure][RHEL 7.6] hv_vmbus probe pass-through GPU card     failed (BZ#1766097)

  - SMB3: Do not error out on large file transfers if server     responds with STATUS_INSUFFICIENT_RESOURCES (BZ#1767621)

  - Since RHEL commit 5330f5d09820 high load can cause     dm-multipath path failures (BZ#1770113)

  - Hard lockup in free_one_page()->_raw_spin_lock() because     sosreport command is reading from /proc/pagetypeinfo     (BZ#1770732)

  - patchset for x86/atomic: Fix     smp_mb__{before,after}_atomic() (BZ#1772812)

  - fix compat statfs64() returning EOVERFLOW for when
    _FILE_OFFSET_BITS=64 (BZ#1775678)

  - Guest crash after load cpuidle-haltpoll driver     (BZ#1776289)

  - RHEL 7.7 long I/O stalls with bnx2fc from not masking     off scope bits of retry delay value (BZ#1776290)

  - Multiple 'mv' processes hung on a gfs2 filesystem     (BZ#1777297)

  - Moving Egress IP will result in conntrack sessions being     DESTROYED (BZ#1779564)

  - core: backports from upstream (BZ#1780033)

  - kernel BUG at arch/powerpc/platforms/pseries/lpar.c:482!     (BZ#1780148)

  - Race between tty_open() and flush_to_ldisc() using the     tty_struct->driver_data field. (BZ#1780163)

From Red Hat Security Advisory 2020:0374 :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* kernel: heap overflow in mwifiex_update_vs_ie() function of Marvell WiFi driver (CVE-2019-14816)

* kernel: heap-based buffer overflow in mwifiex_process_country_ie() function in drivers/net/wireless/marvell/mwifiex/sta_ioctl.c (CVE-2019-14895)

* kernel: heap overflow in marvell/mwifiex/tdls.c (CVE-2019-14901)

* kernel: buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/ wext-sme.c (CVE-2019-17133)

* kernel: incomplete fix for race condition between mmget_not_zero()/ get_task_mm() and core dumping in CVE-2019-11599 (CVE-2019-14898)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es) :

* [Azure][7.8] Include patch 'PCI: hv: Avoid use of hv_pci_dev->pci_slot after freeing it' (BZ#1766089)

* [Hyper-V][RHEL7.8] When accelerated networking is enabled on RedHat, network interface(eth0) moved to new network namespace does not obtain IP address. (BZ#1766093)

* [Azure][RHEL 7.6] hv_vmbus probe pass-through GPU card failed (BZ#1766097)

* SMB3: Do not error out on large file transfers if server responds with STATUS_INSUFFICIENT_RESOURCES (BZ#1767621)

* Since RHEL commit 5330f5d09820 high load can cause dm-multipath path failures (BZ#1770113)

* Hard lockup in free_one_page()->_raw_spin_lock() because sosreport command is reading from /proc/pagetypeinfo (BZ#1770732)

* patchset for x86/atomic: Fix smp_mb__{before,after}_atomic() (BZ#1772812)

* fix compat statfs64() returning EOVERFLOW for when
_FILE_OFFSET_BITS=64 (BZ #1775678)

* Guest crash after load cpuidle-haltpoll driver (BZ#1776289)

* RHEL 7.7 long I/O stalls with bnx2fc from not masking off scope bits of retry delay value (BZ#1776290)

* Multiple 'mv' processes hung on a gfs2 filesystem (BZ#1777297)

* Moving Egress IP will result in conntrack sessions being DESTROYED (BZ# 1779564)

* core: backports from upstream (BZ#1780033)

* kernel BUG at arch/powerpc/platforms/pseries/lpar.c:482! (BZ#1780148)

* Race between tty_open() and flush_to_ldisc() using the tty_struct-> driver_data field. (BZ#1780163)

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* kernel: heap overflow in mwifiex_update_vs_ie() function of Marvell WiFi driver (CVE-2019-14816)

* kernel: heap-based buffer overflow in mwifiex_process_country_ie() function in drivers/net/wireless/marvell/mwifiex/sta_ioctl.c (CVE-2019-14895)

* kernel: heap overflow in marvell/mwifiex/tdls.c (CVE-2019-14901)

* kernel: buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/ wext-sme.c (CVE-2019-17133)

* kernel: incomplete fix for race condition between mmget_not_zero()/ get_task_mm() and core dumping in CVE-2019-11599 (CVE-2019-14898)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es) :

* patchset for x86/atomic: Fix smp_mb__{before,after}_atomic() [kernel-rt] (BZ#1772522)

* kernel-rt: update to the RHEL7.7.z batch#4 source tree (BZ#1780322)

* kvm nx_huge_pages_recovery_ratio=0 is needed to meet KVM-RT low latency requirement (BZ#1781157)

* kernel-rt: hard lockup panic in during execution of CFS bandwidth period timer (BZ#1788057)

This plugin has been deprecated. Although RHSA-2020:0375 exists, it is for kernel-rt, which does not exist on CentOS. This CentOS copy of the advisory duplicates the CVEs and packages from the non-rt kernel in RHSA-2020:0374.

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* kernel: heap overflow in mwifiex_update_vs_ie() function of Marvell WiFi driver (CVE-2019-14816)

* kernel: heap-based buffer overflow in mwifiex_process_country_ie() function in drivers/net/wireless/marvell/mwifiex/sta_ioctl.c (CVE-2019-14895)

* kernel: heap overflow in marvell/mwifiex/tdls.c (CVE-2019-14901)

* kernel: buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/ wext-sme.c (CVE-2019-17133)

* kernel: incomplete fix for race condition between mmget_not_zero()/ get_task_mm() and core dumping in CVE-2019-11599 (CVE-2019-14898)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es) :

* patchset for x86/atomic: Fix smp_mb__{before,after}_atomic() [kernel-rt] (BZ#1772522)

* kernel-rt: update to the RHEL7.7.z batch#4 source tree (BZ#1780322)

* kvm nx_huge_pages_recovery_ratio=0 is needed to meet KVM-RT low latency requirement (BZ#1781157)

* kernel-rt: hard lockup panic in during execution of CFS bandwidth period timer (BZ#1788057)

An update for kernel is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* kernel: heap overflow in mwifiex_update_vs_ie() function of Marvell WiFi driver (CVE-2019-14816)

* kernel: heap-based buffer overflow in mwifiex_process_country_ie() function in drivers/net/wireless/marvell/mwifiex/sta_ioctl.c (CVE-2019-14895)

* kernel: heap overflow in marvell/mwifiex/tdls.c (CVE-2019-14901)

* kernel: rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel lacks a certain upper-bound check, leading to a buffer overflow (CVE-2019-17666)

* kernel: heap overflow in mwifiex_set_uap_rates() function of Marvell Wifi Driver leading to DoS (CVE-2019-14814)

* kernel: heap-overflow in mwifiex_set_wmm_params() function of Marvell WiFi driver leading to DoS (CVE-2019-14815)

* kernel: incomplete fix for race condition between mmget_not_zero()/ get_task_mm() and core dumping in CVE-2019-11599 (CVE-2019-14898)

* Kernel: KVM: export MSR_IA32_TSX_CTRL to guest - incomplete fix for TAA (CVE-2019-11135) (CVE-2019-19338)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es) :

* [Azure][8.1] Include patch 'PCI: hv: Avoid use of hv_pci_dev->pci_slot after freeing it' (BZ#1764635)

* block layer: update to v5.3 (BZ#1777766)

* backport xfs: fix missing ILOCK unlock when xfs_setattr_nonsize fails due to EDQUOT (BZ#1778692)

* Backport important bugfixes from upstream post 5.3 (BZ#1778693)

* LUN path recovery issue with Emulex LPe32002 HBA in RHEL 8.0 Server during storage side cable pull testing (BZ#1781108)

* cifs tasks enter D state and error out with 'CIFS VFS: SMB signature verification returned error = -5' (BZ#1781110)

* Update CIFS to linux 5.3 (except RDMA and conflicts) (BZ#1781113)

* RHEL8.0 - Regression to RHEL7.6 by changing force_latency found during RHEL8.0 validation for SAP HANA on POWER (BZ#1781114)

* blk-mq: overwirte performance drops on real MQ device (BZ#1782181)

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* kernel: heap overflow in mwifiex_update_vs_ie() function of Marvell WiFi driver (CVE-2019-14816)

* kernel: heap-based buffer overflow in mwifiex_process_country_ie() function in drivers/net/wireless/marvell/mwifiex/sta_ioctl.c (CVE-2019-14895)

* kernel: heap overflow in marvell/mwifiex/tdls.c (CVE-2019-14901)

* kernel: rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel lacks a certain upper-bound check, leading to a buffer overflow (CVE-2019-17666)

* kernel: heap overflow in mwifiex_set_uap_rates() function of Marvell Wifi Driver leading to DoS (CVE-2019-14814)

* kernel: heap-overflow in mwifiex_set_wmm_params() function of Marvell WiFi driver leading to DoS (CVE-2019-14815)

* kernel: incomplete fix for race condition between mmget_not_zero()/ get_task_mm() and core dumping in CVE-2019-11599 (CVE-2019-14898)

* Kernel: KVM: export MSR_IA32_TSX_CTRL to guest - incomplete fix for TAA (CVE-2019-11135) (CVE-2019-19338)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es) :

* kernel-rt: update RT source tree to the RHEL-8.1.z2 source tree (BZ# 1780326)

ID	Name	Product	Family	Severity
145801	CentOS 8 : kernel (CESA-2020:0339)	Nessus	CentOS Local Security Checks	critical
144087	NewStart CGSL CORE 5.05 / MAIN 5.05 : kernel-rt Multiple Vulnerabilities (NS-SA-2020-0117)	Nessus	NewStart CGSL Local Security Checks	medium
143971	NewStart CGSL CORE 5.05 / MAIN 5.05 : kernel Multiple Vulnerabilities (NS-SA-2020-0108)	Nessus	NewStart CGSL Local Security Checks	critical
141374	OracleVM 3.4 : Unbreakable / etc (OVMSA-2020-0044)	Nessus	OracleVM Local Security Checks	critical
141207	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5866)	Nessus	Oracle Linux Local Security Checks	critical
140499	Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2020-5845)	Nessus	Oracle Linux Local Security Checks	high
137516	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2020-1674)	Nessus	Huawei Local Security Checks	critical
137024	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2020-1606)	Nessus	Huawei Local Security Checks	high
135762	NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2020-0014)	Nessus	NewStart CGSL Local Security Checks	critical
134320	NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2020-0010)	Nessus	NewStart CGSL Local Security Checks	critical
134087	CentOS 7 : kernel (CESA-2020:0374)	Nessus	CentOS Local Security Checks	critical
133591	Oracle Linux 8 : kernel (ELSA-2020-0339)	Nessus	Oracle Linux Local Security Checks	critical
133538	Scientific Linux Security Update : kernel on SL7.x x86_64 (20200205)	Nessus	Scientific Linux Local Security Checks	critical
133514	Oracle Linux 7 : kernel (ELSA-2020-0374)	Nessus	Oracle Linux Local Security Checks	critical
133508	CentOS 7 : kernel (CESA-2020:0375) (deprecated)	Nessus	CentOS Local Security Checks	critical
133484	RHEL 7 : kernel-rt (RHSA-2020:0375)	Nessus	Red Hat Local Security Checks	critical
133483	RHEL 7 : kernel (RHSA-2020:0374)	Nessus	Red Hat Local Security Checks	critical
133480	RHEL 8 : kernel (RHSA-2020:0339)	Nessus	Red Hat Local Security Checks	critical
133477	RHEL 8 : kernel-rt (RHSA-2020:0328)	Nessus	Red Hat Local Security Checks	critical

CVE-2019-14898

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

medium

critical

critical

critical

high

critical

high

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical