https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19813

[debian-lts-announce] 20200928 [SECURITY] [DLA 2385-1] linux-4.19 security update

[debian-lts-announce] 20210309 [SECURITY] [DLA 2586-1] linux security update

https://security.netapp.com/advisory/ntap-20200103-0001/

USN-4414-1

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2019-19318, CVE-2019-19813, CVE-2019-19816

'Team bobfuzzer' reported bugs in Btrfs that could lead to a use-after-free or heap buffer overflow, and could be triggered by crafted filesystem images. A user permitted to mount and access arbitrary filesystems could use these to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-27815

A flaw was reported in the JFS filesystem code allowing a local attacker with the ability to set extended attributes to cause a denial of service.

CVE-2020-27825

Adam 'pi3' Zabrocki reported a use-after-free flaw in the ftrace ring buffer resizing logic due to a race condition, which could result in denial of service or information leak.

CVE-2020-28374

David Disseldorp discovered that the LIO SCSI target implementation performed insufficient checking in certain XCOPY requests. An attacker with access to a LUN and knowledge of Unit Serial Number assignments can take advantage of this flaw to read and write to any LIO backstore, regardless of the SCSI transport settings.

CVE-2020-29568 (XSA-349)

Michael Kurth and Pawel Wieczorkiewicz reported that frontends can trigger OOM in backends by updating a watched path.

CVE-2020-29569 (XSA-350)

Olivier Benjamin and Pawel Wieczorkiewicz reported a use-after-free flaw which can be triggered by a block frontend in Linux blkback. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend.

CVE-2020-29660

Jann Horn reported a locking inconsistency issue in the tty subsystem which may allow a local attacker to mount a read-after-free attack against TIOCGSID.

CVE-2020-29661

Jann Horn reported a locking issue in the tty subsystem which can result in a use-after-free. A local attacker can take advantage of this flaw for memory corruption or privilege escalation.

CVE-2020-36158

A buffer overflow flaw was discovered in the mwifiex WiFi driver which could result in denial of service or the execution of arbitrary code via a long SSID value.

CVE-2021-3178

&#x5434;&#x5F02; reported an information leak in the NFSv3 server.
When only a subdirectory of a filesystem volume is exported, an NFS client listing the exported directory would obtain a file handle to the parent directory, allowing it to access files that were not meant to be exported.

Even after this update, it is still possible for NFSv3 clients to guess valid file handles and access files outside an exported subdirectory, unless the 'subtree_check' export option is enabled. It is recommended that you do not use that option but only export whole filesystem volumes.

CVE-2021-3347

It was discovered that PI futexes have a kernel stack use-after-free during fault handling. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation.

CVE-2021-26930 (XSA-365)

Olivier Benjamin, Norbert Manthey, Martin Mazein, and Jan H.
Sch&ouml;nherr discovered that the Xen block backend driver (xen-blkback) did not handle grant mapping errors correctly. A malicious guest could exploit this bug to cause a denial of service (crash), or possibly an information leak or privilege escalation, within the domain running the backend, which is typically dom0.

CVE-2021-26931 (XSA-362), CVE-2021-26932 (XSA-361), CVE-2021-28038 (XSA-367)

Jan Beulich discovered that the Xen support code and various Xen backend drivers did not handle grant mapping errors correctly. A malicious guest could exploit these bugs to cause a denial of service (crash) within the domain running the backend, which is typically dom0.

CVE-2021-27363

Adam Nichols reported that the iSCSI initiator subsystem did not properly restrict access to transport handle attributes in sysfs. On a system acting as an iSCSI initiator, this is an information leak to local users and makes it easier to exploit CVE-2021-27364.

CVE-2021-27364

Adam Nichols reported that the iSCSI initiator subsystem did not properly restrict access to its netlink management interface. On a system acting as an iSCSI initiator, a local user could use these to cause a denial of service (disconnection of storage) or possibly for privilege escalation.

CVE-2021-27365

Adam Nichols reported that the iSCSI initiator subsystem did not correctly limit the lengths of parameters or 'passthrough PDUs' sent through its netlink management interface. On a system acting as an iSCSI initiator, a local user could use these to leak the contents of kernel memory, to cause a denial of service (kernel memory corruption or crash), and probably for privilege escalation.

For Debian 9 stretch, these problems have been fixed in version 4.9.258-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4709-1 advisory.

  - An issue was discovered in fs/xfs/xfs_icache.c in the Linux kernel through 4.17.3. There is a NULL pointer     dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted     xfs image. This occurs because of a lack of proper validation that cached inodes are free during     allocation. (CVE-2018-13093)

  - In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and     then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c.
    This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in     fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c. (CVE-2019-19813)

  - In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image and performing some operations can     cause slab-out-of-bounds write access in __btrfs_map_block in fs/btrfs/volumes.c, because a value of 1 for     the number of data stripes is mishandled. (CVE-2019-19816)

  - In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking     in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal     in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker     has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are     proxied via an attacker-selected backstore. (CVE-2020-28374)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4708-1 advisory.

  - An issue was discovered in fs/xfs/xfs_icache.c in the Linux kernel through 4.17.3. There is a NULL pointer     dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted     xfs image. This occurs because of a lack of proper validation that cached inodes are free during     allocation. (CVE-2018-13093)

  - In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and     then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c.
    This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in     fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c. (CVE-2019-19813)

  - In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image and performing some operations can     cause slab-out-of-bounds write access in __btrfs_map_block in fs/btrfs/volumes.c, because a value of 1 for     the number of data stripes is mishandled. (CVE-2019-19816)

  - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked     down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries     platform) a root like local user could use this flaw to further increase their privileges to that of a     running kernel. (CVE-2020-27777)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of kernel installed on the remote host is prior to 4.14.214-118.339. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2021-1477 advisory.

  - In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and     then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c.
    This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in     fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c. (CVE-2019-19813)

  - In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image and performing some operations can     cause slab-out-of-bounds write access in __btrfs_map_block in fs/btrfs/volumes.c, because a value of 1 for     the number of data stripes is mishandled. (CVE-2019-19816)

  - An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are     processing watch events using a single thread. If the events are received faster than the thread is able     to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the     backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable. (CVE-2020-29568)

  - An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux     kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped.
    However, the handler may not have time to run if the frontend quickly toggles between the states connect     and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving     guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege     escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.
    (CVE-2020-29569)

  - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,     aka CID-c8bcd9c5be24. (CVE-2020-29660)

  - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.
    (CVE-2020-29661)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of kernel installed on the remote host is prior to 4.14.214-160.339. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1588 advisory.

  - In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and     then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c.
    This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in     fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c. (CVE-2019-19813)

  - In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image and performing some operations can     cause slab-out-of-bounds write access in __btrfs_map_block in fs/btrfs/volumes.c, because a value of 1 for     the number of data stripes is mishandled. (CVE-2019-19816)

  - An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are     processing watch events using a single thread. If the events are received faster than the thread is able     to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the     backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable. (CVE-2020-29568)

  - An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux     kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped.
    However, the handler may not have time to run if the frontend quickly toggles between the states connect     and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving     guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege     escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.
    (CVE-2020-29569)

  - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,     aka CID-c8bcd9c5be24. (CVE-2020-29660)

  - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.
    (CVE-2020-29661)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the linux package has been released.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leak.

CVE-2019-3874

Kernel buffers allocated by the SCTP network protocol were not limited by the memory cgroup controller. A local user could potentially use this to evade container memory limits and to cause a denial of service (excessive memory use).

CVE-2019-19448, CVE-2019-19813, CVE-2019-19816

'Team bobfuzzer' reported bugs in Btrfs that could lead to a use-after-free or heap buffer overflow, and could be triggered by crafted filesystem images. A user permitted to mount and access arbitrary filesystems could use these to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-10781

Luca Bruno of Red Hat discovered that the zram control file /sys/class/zram-control/hot_add was readable by all users. On a system with zram enabled, a local user could use this to cause a denial of service (memory exhaustion).

CVE-2020-12888

It was discovered that the PCIe Virtual Function I/O (vfio-pci) driver allowed users to disable a device's memory space while it was still mapped into a process. On some hardware platforms, local users or guest virtual machines permitted to access PCIe Virtual Functions could use this to cause a denial of service (hardware error and crash).

CVE-2020-14314

A bug was discovered in the ext4 filesystem that could lead to an out-of-bound read. A local user permitted to mount and access arbitrary filesystem images could use this to cause a denial of service (crash).

CVE-2020-14331

A bug was discovered in the VGA console driver's soft-scrollback feature that could lead to a heap buffer overflow. On a system with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK enabled, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14356

A bug was discovered in the cgroup subsystem's handling of socket references to cgroups. In some cgroup configurations, this could lead to a use-after-free. A local user might be able to use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14385

A bug was discovered in XFS, which could lead to an extended attribute (xattr) wrongly being detected as invalid. A local user with access to an XFS filesystem could use this to cause a denial of service (filesystem shutdown).

CVE-2020-14386

Or Cohen discovered a bug in the packet socket (AF_PACKET) implementation which could lead to a heap buffer overflow. A local user with the CAP_NET_RAW capability (in any user namespace) could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14390

Minh Yuan discovered a bug in the framebuffer console driver's scrollback feature that could lead to a heap buffer overflow. On a system using framebuffer consoles, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

The scrollback feature has been disabled for now, as no other fix was available for this issue.

CVE-2020-16166

Amit Klein reported that the random number generator used by the network stack might not be re-seeded for long periods of time, making e.g. client port number allocations more predictable. This made it easier for remote attackers to carry out some network- based attacks such as DNS cache poisoning or device tracking.

CVE-2020-25212

A bug was discovered in the NFSv4 client implementation that could lead to a heap buffer overflow. A malicious NFS server could use this to cause a denial of service (crash or memory corruption) or possibly to execute arbitrary code on the client.

CVE-2020-25284

It was discovered that the Rados block device (rbd) driver allowed tasks running as uid 0 to add and remove rbd devices, even if they dropped capabilities. On a system with the rbd driver loaded, this might allow privilege escalation from a container with a task running as root.

CVE-2020-25285

A race condition was discovered in the hugetlb filesystem's sysctl handlers, that could lead to stack corruption. A local user permitted to write to hugepages sysctls could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. By default only the root user can do this.

CVE-2020-25641

The syzbot tool found a bug in the block layer that could lead to an infinite loop. A local user with access to a raw block device could use this to cause a denial of service (unbounded CPU use and possible system hang).

CVE-2020-26088

It was discovered that the NFC (Near Field Communication) socket implementation allowed any user to create raw sockets. On a system with an NFC interface, this allowed local users to evade local network security policy.

For Debian 9 stretch, these problems have been fixed in version 4.19.146-1~deb9u1. This update additionally fixes Debian bugs #966846, #966917, and #968567; and includes many more bug fixes from stable updates 4.19.133-4.19.146 inclusive.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux-4.19

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the network block device (nbd) implementation in the Linux kernel did not properly check for error conditions in some situations. An attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16089) It was discovered that the btrfs file system implementation in the Linux kernel did not properly validate file system metadata in some situations. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2019-19036, CVE-2019-19318, CVE-2019-19813, CVE-2019-19816) It was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in some situations. An attacker could use this to specially craft a file system image that, when unmounted, could cause a denial of service (system crash). (CVE-2019-19377) It was discovered that the kernel->user space relay implementation in the Linux kernel did not properly check return values in some situations.
A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-19462) Matthew Sheets discovered that the SELinux network label handling implementation in the Linux kernel could be coerced into de-referencing a NULL pointer. A remote attacker could use this to cause a denial of service (system crash).
(CVE-2020-10711) It was discovered that the SCSI generic (sg) driver in the Linux kernel did not properly handle certain error conditions correctly. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2020-12770) It was discovered that the USB Gadget device driver in the Linux kernel did not validate arguments passed from configfs in some situations. A local attacker could possibly use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2020-13143) It was discovered that the efi subsystem in the Linux kernel did not handle memory allocation failures during early boot in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-12380) It was discovered that the btrfs file system in the Linux kernel in some error conditions could report register information to the dmesg buffer. A local attacker could possibly use this to expose sensitive information. (CVE-2019-19039).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):** DISPUTED ** In     kernel/compat.c in the Linux kernel before 3.17, as     used in Google Chrome OS and other products, there is a     possible out-of-bounds read. restart_syscall uses     uninitialized data when restarting     compat_sys_nanosleep. NOTE: this is disputed because     the code path is unreachable.(CVE-2014-3180)A heap     overflow flaw was found in the Linux kernel, all     versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi     chip driver. The vulnerability allows a remote attacker     to cause a system crash, resulting in a denial of     service, or execute arbitrary code. The highest threat     with this vulnerability is with the availability of the     system. If code execution occurs, the code will run     with the permissions of root. This will affect both     confidentiality and integrity of files on the     system.(CVE-2019-14901)A heap-based buffer overflow     vulnerability was found in the Linux kernel, version     kernel-2.6.32, in Marvell WiFi chip driver. A remote     attacker could cause a denial of service (system crash)     or, possibly execute arbitrary code, when the     lbs_ibss_join_existing function is called after a STA     connects to an AP.(CVE-2019-14896)A memory leak in the     ath10k_usb_hif_tx_sg() function in drivers/     net/wireless/ath/ath10k/usb.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption) by triggering     usb_submit_urb() failures, aka     CID-b8d17e7d93d2.(CVE-2019-19078)A memory leak in the     mlx5_fpga_conn_create_cq() function in drivers/     net/ethernet/mellanox/mlx5/core/fpga/conn.c in the     Linux kernel before 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     mlx5_vector2eqn() failures, aka     CID-c8c2a057fdc7.(CVE-2019-19045)A stack-based buffer     overflow was found in the Linux kernel, version     kernel-2.6.32, in Marvell WiFi chip driver. An attacker     is able to cause a denial of service (system crash) or,     possibly execute arbitrary code, when a STA works in     IBSS mode (allows connecting stations together without     the use of an AP) and connects to another     STA.(CVE-2019-14897)An out-of-bounds memory write issue     was found in the Linux Kernel, version 3.13 through     5.4, in the way the Linux kernel's KVM hypervisor     handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request     to get CPUID features emulated by the KVM hypervisor. A     user or process able to access the '/dev/kvm' device     could use this flaw to crash the system, resulting in a     denial of service.(CVE-2019-19332)Improper invalidation     for page table updates by a virtual guest operating     system for multiple Intel(R) Processors may allow an     authenticated user to potentially enable denial of     service of the host system via local     access.(CVE-2018-12207)In the Android kernel in the     video driver there is a use after free due to a race     condition. This could lead to local escalation of     privilege with no additional execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2019-9458)In the AppleTalk subsystem     in the Linux kernel before 5.1, there is a potential     NULL pointer dereference because register_snap_client     may return NULL. This will lead to denial of service in     net/appletalk/aarp.c and net/appletalk/ddp.c, as     demonstrated by unregister_snap_client, aka     CID-9804501fa122.(CVE-2019-19227)In the Linux kernel     5.0.21, mounting a crafted btrfs filesystem image,     performing some operations, and then making a syncfs     system call can lead to a use-after-free in
    __mutex_lock in kernel/locking/mutex.c. This is related     to mutex_can_spin_on_owner in kernel/locking/mutex.c,
    __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and     btrfs_insert_delayed_items in     fs/btrfs/delayed-inode.c.(CVE-2019-19813)In the Linux     kernel 5.4.0-rc2, there is a use-after-free (read) in     the __blk_add_trace function in kernel/trace/blktrace.c     (which is used to fill out a blk_io_trace structure and     place it in a per-cpu sub-buffer).(CVE-2019-19768)In     the Linux kernel before 5.0.6, there is a NULL pointer     dereference in drop_sysctl_table() in     fs/proc/proc_sysctl.c, related to put_links, aka     CID-23da9588037e.(CVE-2019-20054)In the Linux kernel     before 5.2.9, there is an info-leak bug that can be     caused by a malicious USB device in the drivers/     net/can/usb/peak_usb/pcan_usb_pro.c driver, aka     CID-ead16e53c2f0.(CVE-2019-19536)In the Linux kernel     before 5.3.11, there is an info-leak bug that can be     caused by a malicious USB device in the drivers/     net/can/usb/peak_usb/pcan_usb_core.c driver, aka     CID-f7a1337f0d29.(CVE-2019-19534)In the Linux kernel     before 5.3.6, there is a use-after-free bug that can be     caused by a malicious USB device in the drivers/     net/ieee802154/atusb.c driver, aka     CID-7fd25e6fc035.(CVE-2019-19525)Insufficient access     control in a subsystem for Intel (R) processor graphics     in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM)     Processor Families Intel(R) Pentium(R) Processor J, N,     Silver and Gold Series Intel(R) Celeron(R) Processor J,     N, G3900 and G4900 Series Intel(R) Atom(R) Processor A     and E3900 Series Intel(R) Xeon(R) Processor E3-1500 v5     and v6, E-2100 and E-2200 Processor Families Intel(R)     Graphics Driver for Windows before 26.20.100.6813 (DCH)     or 26.20.100.6812 and before 21.20.x.5077     (aka15.45.5077), i915 Linux Driver for Intel(R)     Processor Graphics before versions 5.4-rc7, 5.3.11,     4.19.84, 4.14.154, 4.9.201, 4.4.201 may allow an     authenticated user to potentially enable escalation of     privilege via local access.(CVE-2019-0155)Insufficient     input validation in Kernel Mode Driver in Intel(R) i915     Graphics for Linux before version 5.0 may allow an     authenticated user to potentially enable escalation of     privilege via local     access.(CVE-2019-11085)kernel/sched/fair.c in the Linux     kernel before 5.3.9, when cpu.cfs_quota_us is used     (e.g., with Kubernetes), allows attackers to cause a     denial of service against non-cpu-bound applications by     generating a workload that triggers unwanted slice     expiration, aka CID-de53fd7aedb1. (In other words,     although this slice expiration would typically be seen     with benign workloads, it is possible that an attacker     could calculate how many stray requests are required to     force an entire Kubernetes cluster into a     low-performance state caused by slice expiration, and     ensure that a DDoS attack sent that number of stray     requests. An attack does not affect the stability of     the kernel it only causes mismanagement of application     execution.)(CVE-2019-19922)The evm_verify_hmac function     in security/integrity/evm/evm_main.c in the Linux     kernel before 4.5 does not properly copy data, which     makes it easier for local users to forge MAC values via     a timing side-channel attack.(CVE-2016-2085)The     pcpu_embed_first_chunk function in mm/percpu.c in the     Linux kernel through 4.14.14 allows local users to     obtain sensitive address information by reading dmesg     data from a 'pages/cpu' printk call.(CVE-2018-5995)TSX     Asynchronous Abort condition on some CPUs utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access.(CVE-2019-11135)An issue was     discovered in drivers/scsi/aacraid/commctrl.c in the     Linux kernel before 4.13. There is potential exposure     of kernel stack memory because aac_send_raw_srb does     not initialize the reply structure.(CVE-2017-18549)An     issue was discovered in drivers/scsi/aacraid/commctrl.c     in the Linux kernel before 4.13. There is potential     exposure of kernel stack memory because     aac_get_hba_info does not initialize the hbainfo     structure.(CVE-2017-18550)In the Linux kernel through     4.15.4, the floppy driver reveals the addresses of     kernel functions and global variables using printk     calls within the function show_floppy in     drivers/block/floppy.c. An attacker can read this     information from dmesg and use the addresses to find     the locations of kernel code and data and bypass kernel     security protections such as KASLR.(CVE-2018-7273)A     heap-based buffer overflow was discovered in the Linux     kernel, all versions 3.x.x and 4.x.x before 4.18.0, in     Marvell WiFi chip driver. The flaw could occur when the     station attempts a connection negotiation during the     handling of the remote devices country settings. This     could allow the remote device to cause a denial of     service (system crash) or possibly execute arbitrary     code.(CVE-2019-14895)The Linux kernel before 5.4.1 on     powerpc allows Information Exposure because the     Spectre-RSB mitigation is not in place for all     applicable CPUs, aka CID-39e72bf96f58. This is related     to arch/powerpc/kernel/entry_64.S and     arch/powerpc/kernel/security.c.(CVE-2019-18660)In the     Linux kernel 5.0.21, mounting a crafted ext4 filesystem     image, performing some operations, and unmounting can     lead to a use-after-free in ext4_put_super in     fs/ext4/super.c, related to dump_orphan_list in     fs/ext4/super.c.(CVE-2019-19447)In the Linux kernel     through 5.4.6, there is a NULL pointer dereference in     drivers/scsi/libsas/sas_discover.c because of     mishandling of port disconnection during discovery,     related to a PHY down race condition, aka     CID-f70267f379b5.(CVE-2019-19965)In the Linux kernel     before 5.1.6, there is a use-after-free in cpia2_exit()     in drivers/media/usb/cpia2/cpia2_v4l.c that will cause     denial of service, aka     CID-dea37a972655.(CVE-2019-19966)An exploitable     denial-of-service vulnerability exists in the Linux     kernel prior to mainline 5.3. An attacker could exploit     this vulnerability by triggering AP to send IAPP     location updates for stations before the required     authentication process has completed. This could lead     to different denial-of-service scenarios, either by     causing CAM table attacks, or by leading to traffic     flapping if faking already existing clients in other     nearby APs of the same wireless infrastructure. An     attacker can forge Authentication and Association     Request packets to trigger this     vulnerability.(CVE-2019-5108)mwifiex_tm_cmd in drivers/     net/wireless/marvell/mwifiex/cfg80211.c in the Linux     kernel before 5.1.6 has some error-handling cases that     did not free allocated hostcmd memory, aka     CID-003b686ace82. This will cause a memory leak and     denial of service.(CVE-2019-20095)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
147532	Debian DLA-2586-1 : linux security update	Nessus	Debian Local Security Checks	high
145516	Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-4709-1)	Nessus	Ubuntu Local Security Checks	high
145510	Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-4708-1)	Nessus	Ubuntu Local Security Checks	high
145458	Amazon Linux AMI : kernel (ALAS-2021-1477)	Nessus	Amazon Linux Local Security Checks	high
145456	Amazon Linux 2 : kernel (ALAS-2021-1588)	Nessus	Amazon Linux Local Security Checks	high
141098	Photon OS 2.0: Linux PHSA-2020-2.0-0287	Nessus	PhotonOS Local Security Checks	high
141094	Photon OS 3.0: Linux PHSA-2020-3.0-0145	Nessus	PhotonOS Local Security Checks	high
141091	Photon OS 1.0: Linux PHSA-2020-1.0-0329	Nessus	PhotonOS Local Security Checks	high
140933	Debian DLA-2385-1 : linux-4.19 security update	Nessus	Debian Local Security Checks	high
138139	Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel vulnerabilities (USN-4414-1)	Nessus	Ubuntu Local Security Checks	high
133913	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2020-1112)	Nessus	Huawei Local Security Checks	critical

CVE-2019-19813

HIGH

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Configuration 5

Configuration 6

Configuration 7

Configuration 8

Configuration 9

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

critical