https://deshal3v.github.io/blog/kernel-research/mmap_exploitation

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/media/usb/cpia2/cpia2_core.c

https://security.netapp.com/advisory/ntap-20200103-0001/

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In the Linux kernel 5.4.0-rc2, there is a     use-after-free (read) in the __blk_add_trace function     in kernel/trace/blktrace.c (which is used to fill out a     blk_io_trace structure and place it in a per-cpu     sub-buffer).(CVE-2019-19768)

  - The Linux kernel through 5.3.13 has a start_offset+size     Integer Overflow in cpia2_remap_buffer in     drivers/media/usb/cpia2/cpia2_core.c because cpia2 has     its own mmap implementation. This allows local users     (with /dev/video0 access) to obtain read and write     permissions on kernel physical pages, which can     possibly result in a privilege     escalation.(CVE-2019-18675)

  - An issue was discovered in the Linux kernel through     5.5.6. set_fdc in drivers/block/floppy.c leads to a     wait_til_ready out-of-bounds read because the FDC index     is not checked for errors before assigning it, aka     CID-2e90ca68b0d2.(CVE-2020-9383)

  - There is a use-after-free vulnerability in the Linux     kernel through 5.5.2 in the vgacon_invert_region     function in     drivers/video/console/vgacon.c.(CVE-2020-8649)

  - There is a use-after-free vulnerability in the Linux     kernel through 5.5.2 in the vc_do_resize function in     drivers/tty/vt/vt.c.(CVE-2020-8647)

  - The time subsystem in the Linux kernel, when     CONFIG_TIMER_STATS is enabled, allows local users to     discover real PID values (as distinguished from PID     values inside a PID namespace) by reading the     /proc/timer_list file, related to the print_timer     function in kernel/time/timer_list.c and the
    __timer_stats_timer_set_start_info function in     kernel/time/timer.c.(CVE-2017-5967)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2014-8181)

  - ext4_protect_reserved_inode in fs/ext4/block_validity.c     in the Linux kernel through 5.5.3 allows attackers to     cause a denial of service (soft lockup) via a crafted     journal size.(CVE-2020-8992)

  - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
    ConsultIDs: CVE-2020-12826. Reason: This candidate is a     duplicate of CVE-2020-12826. Notes: All CVE users     should reference CVE-2020-12826 instead of this     candidate. All references and descriptions in this     candidate have been removed to prevent accidental     usage.(CVE-2020-10741)

  - A signal access-control issue was discovered in the     Linux kernel before 5.6.5, aka CID-7395ea4e65c2.
    Because exec_id in include/linux/sched.h is only 32     bits, an integer overflow can interfere with a     do_notify_parent protection mechanism. A child process     can send an arbitrary signal to a parent process in a     different security domain. Exploitation limitations     include the amount of elapsed time before an integer     overflow occurs, and the lack of scenarios where     signals to a parent process present a substantial     operational threat.(CVE-2020-12826)

  - gadget_dev_desc_UDC_store in     drivers/usb/gadget/configfs.c in the Linux kernel     through 5.6.13 relies on kstrdup without considering     the possibility of an internal '\0' value, which allows     attackers to trigger an out-of-bounds read, aka     CID-15753588bcd4.(CVE-2020-13143)

  - An issue was discovered in the Linux kernel through     5.6.11. sg_write lacks an sg_remove_request call in a     certain failure case, aka     CID-83c6f2390040.(CVE-2020-12770)

  - An issue was found in Linux kernel before 5.5.4.
    mwifiex_ret_wmm_get_status() in     drivers/net/wireless/marvell/mwifiex/wmm.c allows a     remote AP to trigger a heap-based buffer overflow     because of an incorrect memcpy, aka     CID-3a9b153c5591.(CVE-2020-12654)

  - An issue was found in Linux kernel before 5.5.4. The     mwifiex_cmd_append_vsie_tlv() function in     drivers/net/wireless/marvell/mwifiex/scan.c allows     local users to gain privileges or cause a denial of     service because of an incorrect memcpy and buffer     overflow, aka CID-b70261a288ea.(CVE-2020-12653)

  - usb_sg_cancel in drivers/usb/core/message.c in the     Linux kernel before 5.6.8 has a use-after-free because     a transfer occurs without a reference, aka     CID-056ad39ee925.(CVE-2020-12464)

  - The __mptctl_ioctl function in     drivers/message/fusion/mptctl.c in the Linux kernel     before 5.4.14 allows local users to hold an incorrect     lock during the ioctl operation and trigger a race     condition, i.e., a 'double fetch' vulnerability, aka     CID-28d76df18f0a. NOTE: the vendor states 'The security     impact of this bug is not as bad as it could have been     because these operations are all privileged and root     already has enormous destructive     power.'(CVE-2020-12652)

  - In the Linux kernel before 5.6.1,     drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink     camera USB driver) mishandles invalid descriptors, aka     CID-a246b4d54770.(CVE-2020-11668)

  - An issue was discovered in the stv06xx subsystem in the     Linux kernel before 5.6.1.
    drivers/media/usb/gspca/stv06xx/stv06xx.c and     drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c     mishandle invalid descriptors, as demonstrated by a     NULL pointer dereference, aka     CID-485b06aadb93.(CVE-2020-11609)

  - An issue was discovered in the Linux kernel before     5.6.1. drivers/media/usb/gspca/ov519.c allows NULL     pointer dereferences in ov511_mode_init_regs and     ov518_mode_init_regs when there are zero endpoints, aka     CID-998912346c0d.(CVE-2020-11608)

  - ** DISPUTED ** An issue was discovered in the Linux     kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c     has a stack-based out-of-bounds write because an empty     nodelist is mishandled during mount option parsing, aka     CID-aa9f7d5172fa. NOTE: Someone in the security     community disagrees that this is a vulnerability     because the issue 'is a bug in parsing mount options     which can only be specified by a privileged user, so     triggering the bug does not grant any powers not     already held.'.(CVE-2020-11565)

  - In the Linux kernel before 5.4.12,     drivers/input/input.c has out-of-bounds writes via a     crafted keycode table, as demonstrated by     input_set_keycode, aka     CID-cb222aed03d7.(CVE-2019-20636)

  - In the Linux kernel before 5.5.8, get_raw_socket in     drivers/vhost/net.c lacks validation of an sk_family     field, which might allow attackers to trigger kernel     stack corruption via crafted system     calls.(CVE-2020-10942)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).

CVE-2020-10942: In get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).

CVE-2020-8647: Fixed a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).

CVE-2020-8649: Fixed a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).

CVE-2020-9383: Fixed an issue in set_fdc in drivers/block/floppy.c, which leads to a wait_til_ready out-of-bounds read (bnc#1165111).

CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).

CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).

CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).

CVE-2020-11609: Fixed a NULL pointer dereference in the stv06xx subsystem caused by mishandling invalid descriptors (bnc#1168854).

CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).

CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).

CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bnc#1170345).

CVE-2020-11608: Fixed an issue in drivers/media/usb/gspca/ov519.c caused by a NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints (bnc#1168829).

CVE-2017-18255: The perf_cpu_time_max_percent_handler function in kernel/events/core.c allowed local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation (bnc#1087813).

CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928).

CVE-2020-2732: A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest (bnc#1163971).

CVE-2019-5108: Fixed a denial-of-service vulnerability caused by triggering AP to send IAPP location updates for stations before the required authentication process has completed (bnc#1159912).

CVE-2020-8992: ext4_protect_reserved_inode in fs/ext4/block_validity.c allowed attackers to cause a denial of service (soft lockup) via a crafted journal size (bnc#1164069).

CVE-2018-21008: Fixed a use-after-free which could be caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (bnc#1149591).

CVE-2019-14896: A heap-based buffer overflow vulnerability was found in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bnc#1157157).

CVE-2019-14897: A stack-based buffer overflow was found in Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bnc#1157155).

CVE-2019-18675: Fixed an integer overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allowed local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation (bnc#1157804).

CVE-2019-14615: Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may have allowed an unauthenticated user to potentially enable information disclosure via local access (bnc#1160195, bsc#1165881).

CVE-2019-19965: Fixed a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition (bnc#1159911).

CVE-2019-20054: Fixed a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bnc#1159910).

CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service (bnc#1159908).

CVE-2019-19966: Fixed a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service (bnc#1159841).

CVE-2019-19447: Fixed an issue with mounting a crafted ext4 filesystem image, performing some operations, and unmounting could lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c (bnc#1158819).

CVE-2019-19319: Fixed an issue with a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call (bnc#1158021).

CVE-2019-19767: Fixed mishandling of ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c (bnc#1159297).

CVE-2019-11091,CVE-2018-12126,CVE-2018-12130,CVE-2018-12127: Earlier mitigations for the 'MDS' Microarchitectural Data Sampling attacks were not complete. An additional fix was added to the x86_64 fast systemcall path to further mitigate these attacks. (bsc#1164846 bsc#1170847)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).

CVE-2020-10942: In get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).

CVE-2020-8647: Fixed a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).

CVE-2020-8649: Fixed a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).

CVE-2020-9383: Fixed an issue in set_fdc in drivers/block/floppy.c, which leads to a wait_til_ready out-of-bounds read (bnc#1165111).

CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).

CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).

CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).

CVE-2020-11609: Fixed a NULL pointer dereference in the stv06xx subsystem caused by mishandling invalid descriptors (bnc#1168854).

CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).

CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).

CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bnc#1170345).

CVE-2020-11608: Fixed an issue in drivers/media/usb/gspca/ov519.c caused by a NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints (bnc#1168829).

CVE-2017-18255: The perf_cpu_time_max_percent_handler function in kernel/events/core.c allowed local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation (bnc#1087813).

CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928).

CVE-2020-2732: A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest (bnc#1163971).

CVE-2019-5108: Fixed a denial-of-service vulnerability caused by triggering AP to send IAPP location updates for stations before the required authentication process has completed (bnc#1159912).

CVE-2020-8992: ext4_protect_reserved_inode in fs/ext4/block_validity.c allowed attackers to cause a denial of service (soft lockup) via a crafted journal size (bnc#1164069).

CVE-2018-21008: Fixed a use-after-free which could be caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (bnc#1149591).

CVE-2019-14896: A heap-based buffer overflow vulnerability was found in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bnc#1157157).

CVE-2019-14897: A stack-based buffer overflow was found in Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bnc#1157155).

CVE-2019-18675: Fixed an integer overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allowed local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation (bnc#1157804).

CVE-2019-14615: Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may have allowed an unauthenticated user to potentially enable information disclosure via local access (bnc#1160195, bsc#1165881).

CVE-2019-19965: Fixed a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition (bnc#1159911).

CVE-2019-20054: Fixed a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bnc#1159910).

CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service (bnc#1159908).

CVE-2019-19966: Fixed a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service (bnc#1159841).

CVE-2019-19447: Fixed an issue with mounting a crafted ext4 filesystem image, performing some operations, and unmounting could lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c (bnc#1158819).

CVE-2019-19319: Fixed an issue with a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call (bnc#1158021).

CVE-2019-19767: Fixed mishandling of ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c (bnc#1159297).

CVE-2019-19066: Fixed memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c that allowed attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures (bnc#1157303).

CVE-2019-19332: There was an OOB memory write via kvm_dev_ioctl_get_cpuid (bsc#1158827).

CVE-2019-19537: There was a race condition bug that could have been caused by a malicious USB device in the USB character device driver layer (bnc#1158904).

CVE-2019-19535: There was an info-leak bug that could have been caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver (bnc#1158903).

CVE-2019-19527: There was a use-after-free bug that could have been caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver (bnc#1158900).

CVE-2019-19533: There was an info-leak bug that could have been caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver (bnc#1158834).

CVE-2019-19532: There were multiple out-of-bounds write bugs that could have been caused by a malicious USB device in the Linux kernel HID drivers (bnc#1158824).

CVE-2019-19523: There was a use-after-free bug that could have been caused by a malicious USB device in the drivers/usb/misc/adutux.c driver (bnc#1158823).

CVE-2019-15213: An issue was discovered in the Linux kernel, there was a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver (bnc#1146544).

CVE-2019-19531: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver (bnc#1158445).

CVE-2019-19525: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver (bnc#1158417).

CVE-2019-19530: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (bnc#1158410).

CVE-2019-19536: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver (bnc#1158394).

CVE-2019-19524: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver (bnc#1158413).

CVE-2019-19534: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (bnc#1158398).

CVE-2019-14901: A heap overflow flaw was found in the Linux kernel in Marvell WiFi chip driver. The vulnerability allowed a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system (bnc#1157042).

CVE-2019-14895: Fixed a heap-based buffer overflow in the Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1157158).

CVE-2019-18660: Fixed a information disclosure on powerpc related to the Spectre-RSB mitigation. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c (bnc#1157038 1157923).

CVE-2019-18683: Fixed a privilege escalation where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem) (bnc#1155897).

CVE-2019-19062: Fixed a memory leak in the crypto_report() function in crypto/crypto_user_base.c, which allowed attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures (bnc#1157333).

CVE-2019-19052: A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157324).

CVE-2019-19074: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c allowed attackers to cause a denial of service (memory consumption) (bnc#1157143).

CVE-2019-19073: Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c allowed attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures (bnc#1157070).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - This candidate has been reserved by an organization or     individual that will use it when announcing a new     security problem. When the candidate has been     publicized, the details for this candidate will be     provided.(CVE-2019-10220)

  - A memory leak in the i2400m_op_rfkill_sw_toggle()     function in drivers/net/wimax/i2400m/op-rfkill.c in the     Linux kernel before 5.3.11 allows attackers to cause a     denial of service (memory consumption), aka     CID-6f3ef5c25cc7.(CVE-2019-19051)

  - A memory leak in the sdma_init() function in     drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel     before 5.3.9 allows attackers to cause a denial of     service (memory consumption) by triggering     rhashtable_init() failures, aka     CID-34b3be18a04e.(CVE-2019-19065)

  - ** DISPUTED ** Four memory leaks in the acp_hw_init()     function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in     the Linux kernel before 5.3.8 allow attackers to cause     a denial of service (memory consumption) by triggering     mfd_add_hotplug_devices() or pm_genpd_add_device()     failures, aka CID-57be09c6e874. NOTE: third parties     dispute the relevance of this because the attacker must     already have privileges for module     loading.(CVE-2019-19067)

  - An issue was discovered in drivers/xen/balloon.c in the     Linux kernel before 5.2.3, as used in Xen through     4.12.x, allowing guest OS users to cause a denial of     service because of unrestricted resource consumption     during the mapping of guest memory, aka     CID-6ef36ab967c7.(CVE-2019-17351)

  - The xen_biovec_phys_mergeable function in     drivers/xen/biomerge.c in Xen might allow local OS     guest users to corrupt block device data streams and     consequently obtain sensitive memory information, cause     a denial of service, or gain host OS privileges by     leveraging incorrect block IO merge-ability     calculation.(CVE-2017-12134)

  - In the Linux kernel before 5.3.7, there is a     use-after-free bug that can be caused by a malicious     USB device in the drivers/usb/misc/adutux.c driver, aka     CID-44efc269db79.(CVE-2019-19523)

  - In the Linux kernel before 5.3.7, there is a     use-after-free bug that can be caused by a malicious     USB device in the drivers/usb/misc/iowarrior.c driver,     aka CID-edc4746f253d.(CVE-2019-19528)

  - In the Linux kernel before 5.2.10, there is a     use-after-free bug that can be caused by a malicious     USB device in the drivers/usb/class/cdc-acm.c driver,     aka CID-c52873e5a1ef.(CVE-2019-19530)

  - In the Linux kernel before 5.3.4, there is an info-leak     bug that can be caused by a malicious USB device in the     drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka     CID-a10feaf8c464.(CVE-2019-19533)

  - In the Linux kernel before 5.2.10, there is a race     condition bug that can be caused by a malicious USB     device in the USB character device driver layer, aka     CID-303911cfc5b9. This affects     drivers/usb/core/file.c.(CVE-2019-19537)

  - In the Linux kernel before 5.3.12, there is a     use-after-free bug that can be caused by a malicious     USB device in the drivers/input/ff-memless.c driver,     aka CID-fa3a5a1880c9.(CVE-2019-19524)

  - In the Linux kernel before 5.2.10, there is a     use-after-free bug that can be caused by a malicious     USB device in the drivers/hid/usbhid/hiddev.c driver,     aka CID-9c09b214f30e.(CVE-2019-19527)

  - In the Linux kernel before 5.3.9, there are multiple     out-of-bounds write bugs that can be caused by a     malicious USB device in the Linux kernel HID drivers,     aka CID-d9d4b1e46d95. This affects     drivers/hid/hid-axff.c, drivers/hid/hid-dr.c,     drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c,     drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c,     drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c,     drivers/hid/hid-lgff.c,     drivers/hid/hid-logitech-hidpp.c,     drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c,     drivers/hid/hid-tmff.c, and     drivers/hid/hid-zpff.c.(CVE-2019-19532)

  - The VFS subsystem in the Linux kernel 3.x provides an     incomplete set of requirements for setattr operations     that underspecifies removing extended privilege     attributes, which allows local users to cause a denial     of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program.(CVE-2015-1350)

  - In the Linux kernel before 5.2.9, there is a     use-after-free bug that can be caused by a malicious     USB device in the drivers/usb/misc/yurex.c driver, aka     CID-fc05481b2fca.(CVE-2019-19531)

  - The Linux kernel through 5.3.13 has a start_offset+size     Integer Overflow in cpia2_remap_buffer in     drivers/media/usb/cpia2/cpia2_core.c because cpia2 has     its own mmap implementation. This allows local users     (with /dev/video0 access) to obtain read and write     permissions on kernel physical pages, which can     possibly result in a privilege     escalation.(CVE-2019-18675)

  - A flaw was found in the way signature calculation was     handled by cephx authentication protocol. An attacker     having access to ceph cluster network who is able to     alter the message payload was able to bypass signature     checks done by cephx protocol. Ceph branches master,     mimic, luminous and jewel are believed to be     vulnerable.(CVE-2018-1129)

  - A memory leak in the alloc_sgtable() function in     drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the     Linux kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     alloc_page() failures, aka     CID-b4b814fec1a5.(CVE-2019-19058)

  - A memory leak in the ath9k_wmi_cmd() function in     drivers/net/wireless/ath/ath9k/wmi.c in the Linux     kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption), aka     CID-728c1e2a05e4.(CVE-2019-19074)

  - Memory leaks in     drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux     kernel through 5.3.11 allow attackers to cause a denial     of service (memory consumption) by triggering     wait_for_completion_timeout() failures. This affects     the htc_config_pipe_credits() function, the     htc_setup_complete() function, and the     htc_connect_service() function, aka     CID-853acf7caf10.(CVE-2019-19073)

  - Two memory leaks in the rtl_usb_probe() function in     drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux     kernel through 5.3.11 allow attackers to cause a denial     of service (memory consumption), aka     CID-3f9361695113.(CVE-2019-19063)

  - A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf()     function in drivers/net/wireless/marvell/mwifiex/pcie.c     in the Linux kernel through 5.3.11 allows attackers to     cause a denial of service (memory consumption) by     triggering mwifiex_map_pci_memory() failures, aka     CID-db8fd2cde932.(CVE-2019-19056)

  - Two memory leaks in the mwifiex_pcie_init_evt_ring()     function in drivers/net/wireless/marvell/mwifiex/pcie.c     in the Linux kernel through 5.3.11 allow attackers to     cause a denial of service (memory consumption) by     triggering mwifiex_map_pci_memory() failures, aka     CID-d10dcb615c8e.(CVE-2019-19057)

  - An issue was discovered in the Linux kernel through     5.2.9. There is a NULL pointer dereference caused by a     malicious USB device in the flexcop_usb_probe function     in the drivers/media/usb/b2c2/flexcop-usb.c     driver.(CVE-2019-15291)

  - A use-after-free in binder.c allows an elevation of     privilege from an application to the Linux Kernel. No     user interaction is required to exploit this     vulnerability, however exploitation does require either     the installation of a malicious local application or a     separate vulnerability in a network facing     application.Product: AndroidAndroid ID:
    A-141720095(CVE-2019-2215)

  - In task_get_unused_fd_flags of binder.c, there is a     possible memory corruption due to a use after free.
    This could lead to local escalation of privilege with     no additional execution privileges needed. User     interaction is not needed for exploitation. Product:
    Android Versions: Android kernel Android ID: A-69164715     References: Upstream kernel.(CVE-2018-9465)

  - In the Android kernel in Pixel C USB monitor driver     there is a possible OOB write due to a missing bounds     check. This could lead to local escalation of privilege     with System execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2019-9456)

  - fs/btrfs/volumes.c in the Linux kernel before 5.1     allows a btrfs_verify_dev_extents NULL pointer     dereference via a crafted btrfs image because     fs_devices->devices is mishandled within find_device,     aka CID-09ba3bc9dd15.(CVE-2019-18885)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
137932	EulerOS Virtualization 3.0.6.0 : kernel (EulerOS-SA-2020-1713)	Nessus	Huawei Local Security Checks	high
137516	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2020-1674)	Nessus	Huawei Local Security Checks	critical
136782	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:1275-1) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)	Nessus	SuSE Local Security Checks	critical
136661	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:1255-1)	Nessus	SuSE Local Security Checks	critical
135525	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2020-1396)	Nessus	Huawei Local Security Checks	critical
132605	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1012)	Nessus	Huawei Local Security Checks	critical
132360	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693)	Nessus	Huawei Local Security Checks	high

CVE-2019-18675

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins