https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19813

[debian-lts-announce] 20200928 [SECURITY] [DLA 2385-1] linux-4.19 security update

https://security.netapp.com/advisory/ntap-20200103-0001/

USN-4414-1

An update of the linux package has been released.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leak.

CVE-2019-3874

Kernel buffers allocated by the SCTP network protocol were not limited by the memory cgroup controller. A local user could potentially use this to evade container memory limits and to cause a denial of service (excessive memory use).

CVE-2019-19448, CVE-2019-19813, CVE-2019-19816

'Team bobfuzzer' reported bugs in Btrfs that could lead to a use-after-free or heap buffer overflow, and could be triggered by crafted filesystem images. A user permitted to mount and access arbitrary filesystems could use these to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-10781

Luca Bruno of Red Hat discovered that the zram control file /sys/class/zram-control/hot_add was readable by all users. On a system with zram enabled, a local user could use this to cause a denial of service (memory exhaustion).

CVE-2020-12888

It was discovered that the PCIe Virtual Function I/O (vfio-pci) driver allowed users to disable a device's memory space while it was still mapped into a process. On some hardware platforms, local users or guest virtual machines permitted to access PCIe Virtual Functions could use this to cause a denial of service (hardware error and crash).

CVE-2020-14314

A bug was discovered in the ext4 filesystem that could lead to an out-of-bound read. A local user permitted to mount and access arbitrary filesystem images could use this to cause a denial of service (crash).

CVE-2020-14331

A bug was discovered in the VGA console driver's soft-scrollback feature that could lead to a heap buffer overflow. On a system with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK enabled, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14356

A bug was discovered in the cgroup subsystem's handling of socket references to cgroups. In some cgroup configurations, this could lead to a use-after-free. A local user might be able to use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14385

A bug was discovered in XFS, which could lead to an extended attribute (xattr) wrongly being detected as invalid. A local user with access to an XFS filesystem could use this to cause a denial of service (filesystem shutdown).

CVE-2020-14386

Or Cohen discovered a bug in the packet socket (AF_PACKET) implementation which could lead to a heap buffer overflow. A local user with the CAP_NET_RAW capability (in any user namespace) could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14390

Minh Yuan discovered a bug in the framebuffer console driver's scrollback feature that could lead to a heap buffer overflow. On a system using framebuffer consoles, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

The scrollback feature has been disabled for now, as no other fix was available for this issue.

CVE-2020-16166

Amit Klein reported that the random number generator used by the network stack might not be re-seeded for long periods of time, making e.g. client port number allocations more predictable. This made it easier for remote attackers to carry out some network- based attacks such as DNS cache poisoning or device tracking.

CVE-2020-25212

A bug was discovered in the NFSv4 client implementation that could lead to a heap buffer overflow. A malicious NFS server could use this to cause a denial of service (crash or memory corruption) or possibly to execute arbitrary code on the client.

CVE-2020-25284

It was discovered that the Rados block device (rbd) driver allowed tasks running as uid 0 to add and remove rbd devices, even if they dropped capabilities. On a system with the rbd driver loaded, this might allow privilege escalation from a container with a task running as root.

CVE-2020-25285

A race condition was discovered in the hugetlb filesystem's sysctl handlers, that could lead to stack corruption. A local user permitted to write to hugepages sysctls could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. By default only the root user can do this.

CVE-2020-25641

The syzbot tool found a bug in the block layer that could lead to an infinite loop. A local user with access to a raw block device could use this to cause a denial of service (unbounded CPU use and possible system hang).

CVE-2020-26088

It was discovered that the NFC (Near Field Communication) socket implementation allowed any user to create raw sockets. On a system with an NFC interface, this allowed local users to evade local network security policy.

For Debian 9 stretch, these problems have been fixed in version 4.19.146-1~deb9u1. This update additionally fixes Debian bugs #966846, #966917, and #968567; and includes many more bug fixes from stable updates 4.19.133-4.19.146 inclusive.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux-4.19

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the network block device (nbd) implementation in the Linux kernel did not properly check for error conditions in some situations. An attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16089) It was discovered that the btrfs file system implementation in the Linux kernel did not properly validate file system metadata in some situations. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2019-19036, CVE-2019-19318, CVE-2019-19813, CVE-2019-19816) It was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in some situations. An attacker could use this to specially craft a file system image that, when unmounted, could cause a denial of service (system crash). (CVE-2019-19377) It was discovered that the kernel->user space relay implementation in the Linux kernel did not properly check return values in some situations.
A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-19462) Matthew Sheets discovered that the SELinux network label handling implementation in the Linux kernel could be coerced into de-referencing a NULL pointer. A remote attacker could use this to cause a denial of service (system crash).
(CVE-2020-10711) It was discovered that the SCSI generic (sg) driver in the Linux kernel did not properly handle certain error conditions correctly. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2020-12770) It was discovered that the USB Gadget device driver in the Linux kernel did not validate arguments passed from configfs in some situations. A local attacker could possibly use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2020-13143) It was discovered that the efi subsystem in the Linux kernel did not handle memory allocation failures during early boot in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-12380) It was discovered that the btrfs file system in the Linux kernel in some error conditions could report register information to the dmesg buffer. A local attacker could possibly use this to expose sensitive information. (CVE-2019-19039).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):** DISPUTED ** In     kernel/compat.c in the Linux kernel before 3.17, as     used in Google Chrome OS and other products, there is a     possible out-of-bounds read. restart_syscall uses     uninitialized data when restarting     compat_sys_nanosleep. NOTE: this is disputed because     the code path is unreachable.(CVE-2014-3180)A heap     overflow flaw was found in the Linux kernel, all     versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi     chip driver. The vulnerability allows a remote attacker     to cause a system crash, resulting in a denial of     service, or execute arbitrary code. The highest threat     with this vulnerability is with the availability of the     system. If code execution occurs, the code will run     with the permissions of root. This will affect both     confidentiality and integrity of files on the     system.(CVE-2019-14901)A heap-based buffer overflow     vulnerability was found in the Linux kernel, version     kernel-2.6.32, in Marvell WiFi chip driver. A remote     attacker could cause a denial of service (system crash)     or, possibly execute arbitrary code, when the     lbs_ibss_join_existing function is called after a STA     connects to an AP.(CVE-2019-14896)A memory leak in the     ath10k_usb_hif_tx_sg() function in drivers/     net/wireless/ath/ath10k/usb.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption) by triggering     usb_submit_urb() failures, aka     CID-b8d17e7d93d2.(CVE-2019-19078)A memory leak in the     mlx5_fpga_conn_create_cq() function in drivers/     net/ethernet/mellanox/mlx5/core/fpga/conn.c in the     Linux kernel before 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     mlx5_vector2eqn() failures, aka     CID-c8c2a057fdc7.(CVE-2019-19045)A stack-based buffer     overflow was found in the Linux kernel, version     kernel-2.6.32, in Marvell WiFi chip driver. An attacker     is able to cause a denial of service (system crash) or,     possibly execute arbitrary code, when a STA works in     IBSS mode (allows connecting stations together without     the use of an AP) and connects to another     STA.(CVE-2019-14897)An out-of-bounds memory write issue     was found in the Linux Kernel, version 3.13 through     5.4, in the way the Linux kernel's KVM hypervisor     handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request     to get CPUID features emulated by the KVM hypervisor. A     user or process able to access the '/dev/kvm' device     could use this flaw to crash the system, resulting in a     denial of service.(CVE-2019-19332)Improper invalidation     for page table updates by a virtual guest operating     system for multiple Intel(R) Processors may allow an     authenticated user to potentially enable denial of     service of the host system via local     access.(CVE-2018-12207)In the Android kernel in the     video driver there is a use after free due to a race     condition. This could lead to local escalation of     privilege with no additional execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2019-9458)In the AppleTalk subsystem     in the Linux kernel before 5.1, there is a potential     NULL pointer dereference because register_snap_client     may return NULL. This will lead to denial of service in     net/appletalk/aarp.c and net/appletalk/ddp.c, as     demonstrated by unregister_snap_client, aka     CID-9804501fa122.(CVE-2019-19227)In the Linux kernel     5.0.21, mounting a crafted btrfs filesystem image,     performing some operations, and then making a syncfs     system call can lead to a use-after-free in
    __mutex_lock in kernel/locking/mutex.c. This is related     to mutex_can_spin_on_owner in kernel/locking/mutex.c,
    __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and     btrfs_insert_delayed_items in     fs/btrfs/delayed-inode.c.(CVE-2019-19813)In the Linux     kernel 5.4.0-rc2, there is a use-after-free (read) in     the __blk_add_trace function in kernel/trace/blktrace.c     (which is used to fill out a blk_io_trace structure and     place it in a per-cpu sub-buffer).(CVE-2019-19768)In     the Linux kernel before 5.0.6, there is a NULL pointer     dereference in drop_sysctl_table() in     fs/proc/proc_sysctl.c, related to put_links, aka     CID-23da9588037e.(CVE-2019-20054)In the Linux kernel     before 5.2.9, there is an info-leak bug that can be     caused by a malicious USB device in the drivers/     net/can/usb/peak_usb/pcan_usb_pro.c driver, aka     CID-ead16e53c2f0.(CVE-2019-19536)In the Linux kernel     before 5.3.11, there is an info-leak bug that can be     caused by a malicious USB device in the drivers/     net/can/usb/peak_usb/pcan_usb_core.c driver, aka     CID-f7a1337f0d29.(CVE-2019-19534)In the Linux kernel     before 5.3.6, there is a use-after-free bug that can be     caused by a malicious USB device in the drivers/     net/ieee802154/atusb.c driver, aka     CID-7fd25e6fc035.(CVE-2019-19525)Insufficient access     control in a subsystem for Intel (R) processor graphics     in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM)     Processor Families Intel(R) Pentium(R) Processor J, N,     Silver and Gold Series Intel(R) Celeron(R) Processor J,     N, G3900 and G4900 Series Intel(R) Atom(R) Processor A     and E3900 Series Intel(R) Xeon(R) Processor E3-1500 v5     and v6, E-2100 and E-2200 Processor Families Intel(R)     Graphics Driver for Windows before 26.20.100.6813 (DCH)     or 26.20.100.6812 and before 21.20.x.5077     (aka15.45.5077), i915 Linux Driver for Intel(R)     Processor Graphics before versions 5.4-rc7, 5.3.11,     4.19.84, 4.14.154, 4.9.201, 4.4.201 may allow an     authenticated user to potentially enable escalation of     privilege via local access.(CVE-2019-0155)Insufficient     input validation in Kernel Mode Driver in Intel(R) i915     Graphics for Linux before version 5.0 may allow an     authenticated user to potentially enable escalation of     privilege via local     access.(CVE-2019-11085)kernel/sched/fair.c in the Linux     kernel before 5.3.9, when cpu.cfs_quota_us is used     (e.g., with Kubernetes), allows attackers to cause a     denial of service against non-cpu-bound applications by     generating a workload that triggers unwanted slice     expiration, aka CID-de53fd7aedb1. (In other words,     although this slice expiration would typically be seen     with benign workloads, it is possible that an attacker     could calculate how many stray requests are required to     force an entire Kubernetes cluster into a     low-performance state caused by slice expiration, and     ensure that a DDoS attack sent that number of stray     requests. An attack does not affect the stability of     the kernel it only causes mismanagement of application     execution.)(CVE-2019-19922)The evm_verify_hmac function     in security/integrity/evm/evm_main.c in the Linux     kernel before 4.5 does not properly copy data, which     makes it easier for local users to forge MAC values via     a timing side-channel attack.(CVE-2016-2085)The     pcpu_embed_first_chunk function in mm/percpu.c in the     Linux kernel through 4.14.14 allows local users to     obtain sensitive address information by reading dmesg     data from a 'pages/cpu' printk call.(CVE-2018-5995)TSX     Asynchronous Abort condition on some CPUs utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access.(CVE-2019-11135)An issue was     discovered in drivers/scsi/aacraid/commctrl.c in the     Linux kernel before 4.13. There is potential exposure     of kernel stack memory because aac_send_raw_srb does     not initialize the reply structure.(CVE-2017-18549)An     issue was discovered in drivers/scsi/aacraid/commctrl.c     in the Linux kernel before 4.13. There is potential     exposure of kernel stack memory because     aac_get_hba_info does not initialize the hbainfo     structure.(CVE-2017-18550)In the Linux kernel through     4.15.4, the floppy driver reveals the addresses of     kernel functions and global variables using printk     calls within the function show_floppy in     drivers/block/floppy.c. An attacker can read this     information from dmesg and use the addresses to find     the locations of kernel code and data and bypass kernel     security protections such as KASLR.(CVE-2018-7273)A     heap-based buffer overflow was discovered in the Linux     kernel, all versions 3.x.x and 4.x.x before 4.18.0, in     Marvell WiFi chip driver. The flaw could occur when the     station attempts a connection negotiation during the     handling of the remote devices country settings. This     could allow the remote device to cause a denial of     service (system crash) or possibly execute arbitrary     code.(CVE-2019-14895)The Linux kernel before 5.4.1 on     powerpc allows Information Exposure because the     Spectre-RSB mitigation is not in place for all     applicable CPUs, aka CID-39e72bf96f58. This is related     to arch/powerpc/kernel/entry_64.S and     arch/powerpc/kernel/security.c.(CVE-2019-18660)In the     Linux kernel 5.0.21, mounting a crafted ext4 filesystem     image, performing some operations, and unmounting can     lead to a use-after-free in ext4_put_super in     fs/ext4/super.c, related to dump_orphan_list in     fs/ext4/super.c.(CVE-2019-19447)In the Linux kernel     through 5.4.6, there is a NULL pointer dereference in     drivers/scsi/libsas/sas_discover.c because of     mishandling of port disconnection during discovery,     related to a PHY down race condition, aka     CID-f70267f379b5.(CVE-2019-19965)In the Linux kernel     before 5.1.6, there is a use-after-free in cpia2_exit()     in drivers/media/usb/cpia2/cpia2_v4l.c that will cause     denial of service, aka     CID-dea37a972655.(CVE-2019-19966)An exploitable     denial-of-service vulnerability exists in the Linux     kernel prior to mainline 5.3. An attacker could exploit     this vulnerability by triggering AP to send IAPP     location updates for stations before the required     authentication process has completed. This could lead     to different denial-of-service scenarios, either by     causing CAM table attacks, or by leading to traffic     flapping if faking already existing clients in other     nearby APs of the same wireless infrastructure. An     attacker can forge Authentication and Association     Request packets to trigger this     vulnerability.(CVE-2019-5108)mwifiex_tm_cmd in drivers/     net/wireless/marvell/mwifiex/cfg80211.c in the Linux     kernel before 5.1.6 has some error-handling cases that     did not free allocated hostcmd memory, aka     CID-003b686ace82. This will cause a memory leak and     denial of service.(CVE-2019-20095)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
141098	Photon OS 2.0: Linux PHSA-2020-2.0-0287	Nessus	PhotonOS Local Security Checks	high
141094	Photon OS 3.0: Linux PHSA-2020-3.0-0145	Nessus	PhotonOS Local Security Checks	high
141091	Photon OS 1.0: Linux PHSA-2020-1.0-0329	Nessus	PhotonOS Local Security Checks	high
140933	Debian DLA-2385-1 : linux-4.19 security update	Nessus	Debian Local Security Checks	high
138139	Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel vulnerabilities (USN-4414-1)	Nessus	Ubuntu Local Security Checks	high
133913	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2020-1112)	Nessus	Huawei Local Security Checks	critical

CVE-2019-19813

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins