openSUSE-SU-2020:0801

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2e7682ebfc750177a4944eeb56e97a3f05734528

https://github.com/torvalds/linux/commit/2e7682ebfc750177a4944eeb56e97a3f05734528

[debian-lts-announce] 20200610 [SECURITY] [DLA 2242-1] linux-4.9 security update

https://security.netapp.com/advisory/ntap-20200619-0001/

DSA-4698

The SUSE Linux Enterprise 15 SP1 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-10135: Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2 and earlier may have allowed an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key (bnc#1171988).

CVE-2020-0305: In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1174462).

CVE-2019-20908: An issue was discovered in drivers/firmware/efi/efi.c where incorrect access permissions for the efivar_ssdt ACPI variable could be used by attackers to bypass lockdown or secure boot restrictions, aka CID-1957a85b0032 (bnc#1173567).

CVE-2020-10781: zram sysfs resource consumption was fixed (bnc#1173074).

CVE-2020-15780: An issue was discovered in drivers/acpi/acpi_configfs.c where injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30 (bnc#1173573).

CVE-2020-15393: usbtest_disconnect in drivers/usb/misc/usbtest.c had a memory leak, aka CID-28ebeb8db770 (bnc#1173514).

CVE-2020-12771: btree_gc_coalesce in drivers/md/bcache/btree.c had a deadlock if a coalescing operation fails (bnc#1171732).

CVE-2020-12888: The VFIO PCI driver mishandled attempts to access disabled memory space (bnc#1171868).

CVE-2020-10769: A buffer over-read flaw was found in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4 bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat, leading to a system crash. This flaw allowed a local attacker with user privileges to cause a denial of service (bnc#1173265).

CVE-2020-10773: A kernel stack information leak on s390/s390x was fixed (bnc#1172999).

CVE-2020-14416: A race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002).

CVE-2020-10766: Fixed an issue which allowed an attacker with a local account to disable SSBD protection (bnc#1172781).

CVE-2020-10767: Fixed an issue where Indirect Branch Prediction Barrier was disabled in certain circumstances, leaving the system open to a spectre v2 style attack (bnc#1172782).

CVE-2020-10768: Fixed an issue with the prctl() function, where indirect branch speculation could be enabled even though it was diabled before (bnc#1172783).

CVE-2020-13974: Fixed a integer overflow in drivers/tty/vt/keyboard.c, if k_ascii is called several times in a row (bnc#1172775).

CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).

CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).

CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).

CVE-2020-12659: Fixed an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) due to improper headroom validation (bsc#1171214).

CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205).

CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).

CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).

CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).

CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).

CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).

CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).

CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).

CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).

CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).

CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).

CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).

CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).

CVE-2020-10711: Fixed a NULL pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).

CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).

CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).

CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).

CVE-2019-20806: Fixed a NULL pointer dereference which may had lead to denial of service (bsc#1172199).

CVE-2019-19462: Fixed an issue which could have allowed local user to cause denial of service (bsc#1158265).

CVE-2019-20810: go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c did not call snd_card_free for a failure path, which caused a memory leak, aka CID-9453264ef586 (bnc#1172458).

CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc. Security Fix(es):In the Android kernel in     F2FS driver there is a possible out of bounds read due     to a missing bounds check. This could lead to local     information disclosure with system execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2019-9445)In calc_vm_may_flags of     ashmem.c, there is a possible arbitrary write to shared     memory due to a permissions bypass. This could lead to     local escalation of privilege by corrupting memory     shared between processes, with no additional execution     privileges needed. User interaction is not needed for     exploitation. Product: Android Versions: Android kernel     Android ID: A-142938932(CVE-2020-0009)A new domain     bypass transient execution attack known as Special     Register Buffer Data Sampling (SRBDS) has been found.
    This flaw allows data values from special internal     registers to be leaked by an attacker able to execute     code on any core of the CPU. An unprivileged, local     attacker can use this flaw to infer values returned by     affected instructions known to be commonly used during     cryptographic operations that rely on uniqueness,     secrecy, or both.(CVE-2020-0543)A flaw was found in the     Linux kernel's implementation of the BTRFS file system.
    A local attacker, with the ability to mount a file     system, can create a use-after-free memory fault after     the file system has been unmounted. This may lead to     memory corruption or privilege     escalation.(CVE-2019-19377)A NULL pointer dereference     flaw may occur in the Linux kernel's relay_open in     kernel/relay.c. if the alloc_percpu() function is not     validated in time of failure and used as a valid     address for access. An attacker could use this flaw to     cause a denial of service.(CVE-2019-19462)A NULL     pointer dereference flaw was found in     tw5864_handle_frame function in     drivers/media/pci/tw5864/tw5864-video.c in the TW5864     Series Video media driver. The pointer 'vb' is     assigned, but not validated before its use, and can     lead to a denial of service. This flaw allows a local     attacker with special user or root privileges to crash     the system or leak internal kernel     information.(CVE-2019-20806)go7007_snd_init in     drivers/media/usb/go7007/snd-go7007.c in the Linux     kernel before 5.6 does not call snd_card_free for a     failure path, which causes a memory leak, aka     CID-9453264ef586.(CVE-2019-20810)An issue was     discovered in the Linux kernel before 5.0.6. In     rx_queue_add_kobject() and netdev_queue_add_kobject()     in net/core/net-sysfs.c, a reference count is     mishandled, aka CID-a3e23f719f5c.(CVE-2019-20811)A flaw     was found in the way the af_packet functionality in the     Linux kernel handled the retirement timer setting for     TPACKET_v3 when getting settings from the underlying     network device errors out. This flaw allows a local     user who can open the af_packet domain socket and who     can hit the error path, to use this vulnerability to     starve the system.(CVE-2019-20812)A NULL pointer     dereference flaw was found in the Linux kernel's     SELinux subsystem. This flaw occurs while importing the     Commercial IP Security Option (CIPSO) protocol's     category bitmap into the SELinux extensible bitmap via     the' ebitmap_netlbl_import' routine. While processing     the CIPSO restricted bitmap tag in the     'cipso_v4_parsetag_rbm' routine, it sets the security     attribute to indicate that the category bitmap is     present, even if it has not been allocated. This issue     leads to a NULL pointer dereference issue while     importing the same category bitmap into SELinux. This     flaw allows a remote network user to crash the system     kernel, resulting in a denial of     service.(CVE-2020-10711)A flaw was found in the Linux     kernel's SELinux LSM hook implementation, where it     anticipated the skb would only contain a single Netlink     message. The hook incorrectly validated the first     Netlink message in the skb only, to allow or deny the     rest of the messages within the skb with the granted     permissions and without further processing. At this     time, there is no known ability for an attacker to     abuse this flaw.(CVE-2020-10751)A flaw was found in the     Linux Kernel in versions after 4.5-rc1 in the way     mremap handled DAX Huge Pages. This flaw allows a local     attacker with access to a DAX enabled storage to     escalate their privileges on the     system.(CVE-2020-10757)A logic bug flaw was found in     the Linux kernel's implementation of SSBD. A bug in the     logic handling allows an attacker with a local account     to disable SSBD protection during a context switch when     additional speculative execution mitigations are in     place. This issue was introduced when the per     task/process conditional STIPB switching was added on     top of the existing SSBD switching. The highest threat     from this vulnerability is to     confidentiality.(CVE-2020-10766)A flaw was found in the     Linux kernel's implementation of the Enhanced IBPB     (Indirect Branch Prediction Barrier). The IBPB     mitigation will be disabled when STIBP is not available     or when the Enhanced Indirect Branch Restricted     Speculation (IBRS) is available. This flaw allows a     local attacker to perform a Spectre V2 style attack     when this configuration is active. The highest threat     from this vulnerability is to     confidentiality.(CVE-2020-10767)A flaw was found in the     prctl() function, where it can be used to enable     indirect branch speculation after it has been disabled.
    This call incorrectly reports it as being 'force     disabled' when it is not and opens the system to     Spectre v2 attacks. The highest threat from this     vulnerability is to confidentiality.(CVE-2020-10768)A     flaw was found in the ZRAM kernel module, where a user     with a local account and the ability to read the     /sys/class/zram-control/hot_add file can create ZRAM     device nodes in the /dev/ directory. This read     allocates kernel memory and is not accounted for a user     that triggers the creation of that ZRAM device. With     this vulnerability, continually reading the device may     consume a large amount of system memory and cause the     Out-of-Memory (OOM) killer to activate and terminate     random userspace processes, possibly making the system     inoperable.(CVE-2020-10781)A stack buffer overflow     issue was found in the get_raw_socket() routine of the     Host kernel accelerator for virtio net (vhost-net)     driver. It could occur while doing an     ictol(VHOST_NET_SET_BACKEND) call, and retrieving     socket name in a kernel stack variable via     get_raw_socket(). A user able to perform ioctl(2) calls     on the '/dev/vhost-net' device may use this flaw to     crash the kernel resulting in DoS     issue.(CVE-2020-10942)A flaw was found in the Linux     kernel's implementation of the pivot_root syscall. This     flaw allows a local privileged user (root outside or     root inside a privileged container) to exploit a race     condition to manipulate the reference count of the root     filesystem. To be able to abuse this flaw, the process     or user calling pivot_root must have advanced     permissions. The highest threat from this vulnerability     is to system availability.(CVE-2020-12114)A     use-after-free flaw was found in usb_sg_cancel in     drivers/usb/core/message.c in the USB core subsystem.
    This flaw allows a local attacker with a special user     or root privileges to crash the system due to a race     problem in the scatter-gather cancellation and transfer     completion in usb_sg_wait. This vulnerability can also     lead to a leak of internal kernel     information.(CVE-2020-12464)A memory overflow and data     corruption flaw were found in the Mediatek MT76 driver     module for WiFi in mt76_add_fragment in     drivers/net/wireless/mediatek/mt76/dma.c. An oversized     packet with too many rx fragments causes an overflow     and corruption in memory of adjacent pages. A local     attacker with a special user or root privileges can     cause a denial of service or a leak of internal kernel     information.(CVE-2020-12465)A vulnerability was found     in __mptctl_ioctl in drivers/message/fusion/mptctl.c in     Fusion MPT base driver 'mptctl' in the SCSI device     module, where an incorrect lock leads to a race     problem. This flaw allows an attacker with local access     and special user (or root) privileges to cause a denial     of service.(CVE-2020-12652)A flaw was found in the way     the mwifiex_cmd_append_vsie_tlv() in Linux kernel's     Marvell WiFi-Ex driver handled vendor specific     information elements. A local user could use this flaw     to escalate their privileges on the     system.(CVE-2020-12653)A flaw was found in the Linux     kernel. The Marvell mwifiex driver allows a remote WiFi     access point to trigger a heap-based memory buffer     overflow due to an incorrect memcpy operation. The     highest threat from this vulnerability is to data     integrity and system availability.(CVE-2020-12654)A     flaw was discovered in the XFS source in the Linux     kernel. This flaw allows an attacker with the ability     to mount an XFS filesystem, to trigger a denial of     service while attempting to sync a file located on an     XFS v5 image with crafted metadata.(CVE-2020-12655)An     out-of-bounds (OOB) memory access flaw was found in the     Network XDP (the eXpress Data Path) module in the Linux     kernel's xdp_umem_reg function in net/xdp/xdp_umem.c.
    When a user with special user privilege of     CAP_NET_ADMIN (or root) calls setsockopt to register     umem ring on XDP socket, passing the headroom value     larger than the available space in the chunk, it leads     to an out-of-bounds write, causing panic or possible     memory corruption. This flaw may lead to privilege     escalation if a local end-user is granted permission to     influence the execution of code in this     manner.(CVE-2020-12659)A vulnerability was found in     sg_write in drivers/scsi/sg.c in the SCSI generic (sg)     driver subsystem. This flaw allows an attacker with     local access and special user or root privileges to     cause a denial of service if the allocated list is not     cleaned with an invalid (Sg_fd * sfp) pointer at the     time of failure, also possibly causing a kernel     internal information leak problem.(CVE-2020-12770)An     issue was discovered in the Linux kernel through     5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c     has a deadlock if a coalescing operation     fails.(CVE-2020-12771)A flaw was found in the Linux     kernel loose validation of child/parent process     identification handling while filtering signal     handlers. A local attacker is able to abuse this flaw     to bypass checks to send any signal to a privileged     process.(CVE-2020-12826)A flaw was found in the Linux     kernel, where it allows userspace processes, for     example, a guest VM, to directly access h/w devices via     its VFIO driver modules. The VFIO modules allow users     to enable or disable access to the devices' MMIO memory     address spaces. If a user attempts to access the     read/write devices' MMIO address space when it is     disabled, some h/w devices issue an interrupt to the     CPU to indicate a fatal error condition, crashing the     system. This flaw allows a guest user or process to     crash the host system resulting in a denial of     service.(CVE-2020-12888)gadget_dev_desc_UDC_store in     drivers/usb/gadget/configfs.c in the Linux kernel     through 5.6.13 relies on kstrdup without considering     the possibility of an internal '\0' value, which allows     attackers to trigger an out-of-bounds read, aka     CID-15753588bcd4.(CVE-2020-13143)** DISPUTED ** An     issue was discovered in the Linux kernel through 5.7.1.
    drivers/tty/vt/keyboard.c has an integer overflow if     k_ascii is called several times in a row, aka     CID-b86dab054059. NOTE: Members in the community argue     that the integer overflow does not lead to a security     issue in this case.(CVE-2020-13974)A use-after-free     flaw was found in slcan_write_wakeup in     drivers/net/can/slcan.c in the serial CAN module slcan.
    A race condition occurs when communicating with can     using slcan between the write (scheduling the transmit)     and closing (flushing out any pending queues) the SLCAN     channel. This flaw allows a local attacker with special     user or root privileges to cause a denial of service or     a kernel information leak. The highest threat from this     vulnerability is to system     availability.(CVE-2020-14416)In the Linux kernel     through 5.7.6, usbtest_disconnect in     drivers/usb/misc/usbtest.c has a memory leak, aka     CID-28ebeb8db770.(CVE-2020-15393)The Linux kernel     through 5.7.11 allows remote attackers to make     observations that help to obtain sensitive information     about the internal state of the network RNG, aka     CID-f227e3ec3b5c. This is related to     drivers/char/random.c and     kernel/time/timer.c.(CVE-2020-16166)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):An issue was discovered in     the Linux kernel before 5.2. There is a NULL pointer     dereference in tw5864_handle_frame() in     drivers/media/pci/tw5864/tw5864-video.c, which may     cause denial of service, aka     CID-2e7682ebfc75.(CVE-2019-20806)A flaw was found in     the ZRAM kernel module, where a user with a local     account and the ability to read the     /sys/class/zram-control/hot_add file can create ZRAM     device nodes in the /dev/ directory. This read     allocates kernel memory and is not accounted for a user     that triggers the creation of that ZRAM device. With     this vulnerability, continually reading the device may     consume a large amount of system memory and cause the     Out-of-Memory (OOM) killer to activate and terminate     random userspace processes, possibly making the system     inoperable.(CVE-2020-10781)In the Linux kernel before     5.4.16, a race condition in tty->disc_data handling in     the slip and slcan line discipline could lead to a     use-after-free, aka CID-0ace17d56824. This affects     drivers/ net/slip/slip.c and drivers/     net/can/slcan.c.(CVE-2020-14416)The VFIO PCI driver in     the Linux kernel through 5.6.13 mishandles attempts to     access disabled memory space.(CVE-2020-12888)The     flow_dissector feature in the Linux kernel 4.3 through     5.x before 5.3.10 has a device tracking vulnerability,     aka CID-55667441c84f. This occurs because the auto     flowlabel of a UDP IPv6 packet relies on a 32-bit     hashrnd value as a secret, and because jhash (instead     of siphash) is used. The hashrnd value remains the same     starting from boot time, and can be inferred by an     attacker. This affects net/core/flow_dissector.c and     related code.(CVE-2019-18282)In the Linux kernel     through 5.7.6, usbtest_disconnect in     drivers/usb/misc/usbtest.c has a memory leak, aka     CID-28ebeb8db770.(CVE-2020-15393)An issue was     discovered in the Linux kernel before 5.0.6. In     rx_queue_add_kobject() and netdev_queue_add_kobject()     in net/core/ net-sysfs.c, a reference count is     mishandled, aka CID-a3e23f719f5c.(CVE-2019-20811)A flaw     was found in the Linux kernels SELinux LSM hook     implementation before version 5.7, where it incorrectly     assumed that an skb would only contain a single netlink     message. The hook would incorrectly only validate the     first netlink message in the skb and allow or deny the     rest of the messages within the skb with the granted     permission without further     processing.(CVE-2020-10751)In the Android kernel in     F2FS driver there is a possible out of bounds read due     to a missing bounds check. This could lead to local     information disclosure with system execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2019-9445)A flaw was found in the     Linux kernel's implementation of Userspace core dumps.
    This flaw allows an attacker with a local account to     crash a trivial program and exfiltrate private kernel     data.(CVE-2020-10732)go7007_snd_init in     drivers/media/usb/go7007/snd-go7007.c in the Linux     kernel before 5.6 does not call snd_card_free for a     failure path, which causes a memory leak, aka     CID-9453264ef586.(CVE-2019-20810)Legacy pairing and     secure-connections pairing authentication in Bluetooth(r)     BR/EDR Core Specification v5.2 and earlier may allow an     unauthenticated user to complete authentication without     pairing credentials via adjacent access. An     unauthenticated, adjacent attacker could impersonate a     Bluetooth BR/EDR master or slave to pair with a     previously paired remote device to successfully     complete the authentication procedure without knowing     the link key.(CVE-2020-10135)An issue was discovered in     the Linux kernel before 5.4.7. The     prb_calc_retire_blk_tmo() function in     net/packet/af_packet.c can result in a denial of     service (CPU consumption and soft lockup) in a certain     failure case involving TPACKET_V3, aka     CID-b43d1f9f7067.(CVE-2019-20812)An issue was     discovered in the Linux kernel through 5.7.1.
    drivers/tty/vt/keyboard.c has an integer overflow if     k_ascii is called several times in a row, aka     CID-b86dab054059. NOTE: Members in the community argue     that the integer overflow does not lead to a security     issue in this case.(CVE-2020-13974)In calc_vm_may_flags     of ashmem.c, there is a possible arbitrary write to     shared memory due to a permissions bypass. This could     lead to local escalation of privilege by corrupting     memory shared between processes, with no additional     execution privileges needed. User interaction is not     needed for exploitation. Product: Android Versions:
    Android kernel Android ID: A-142938932(CVE-2020-0009)A     flaw was found in the Linux Kernel in versions after     4.5-rc1 in the way mremap handled DAX Huge Pages. This     flaw allows a local attacker with access to a DAX     enabled storage to escalate their privileges on the     system.(CVE-2020-10757)gadget_dev_desc_UDC_store in     drivers/usb/gadget/configfs.c in the Linux kernel     through 5.6.13 relies on kstrdup without considering     the possibility of an internal '\0' value, which allows     attackers to trigger an out-of-bounds read, aka     CID-15753588bcd4.(CVE-2020-13143)Incomplete cleanup     from specific special register read operations in some     Intel(R) Processors may allow an authenticated user to     potentially enable information disclosure via local     access.(CVE-2020-0543)A flaw was found in the prctl()     function, where it can be used to enable indirect     branch speculation after it has been disabled. This     call incorrectly reports it as being 'force disabled'     when it is not and opens the system to Spectre v2     attacks. The highest threat from this vulnerability is     to confidentiality.(CVE-2020-10768)A flaw was found in     the Linux kernel's implementation of the Enhanced IBPB     (Indirect Branch Prediction Barrier). The IBPB     mitigation will be disabled when STIBP is not available     or when the Enhanced Indirect Branch Restricted     Speculation (IBRS) is available. This flaw allows a     local attacker to perform a Spectre V2 style attack     when this configuration is active. The highest threat     from this vulnerability is to     confidentiality.(CVE-2020-10767)A logic bug flaw was     found in the Linux kernel's implementation of SSBD. A     bug in the logic handling allows an attacker with a     local account to disable SSBD protection during a     context switch when additional speculative execution     mitigations are in place. This issue was introduced     when the per task/process conditional STIPB switching     was added on top of the existing SSBD switching. The     highest threat from this vulnerability is to     confidentiality.(CVE-2020-10766)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - In the Linux kernel 5.0.21, mounting a crafted f2fs     filesystem image can cause a NULL pointer dereference     in f2fs_recover_fsync_data in fs/f2fs/recovery.c. This     is related to F2FS_P_SB in     fs/f2fs/f2fs.h.(CVE-2019-19815)

  - ** DISPUTED ** __btrfs_free_extent in     fs/btrfs/extent-tree.c in the Linux kernel through     5.3.12 calls btrfs_print_leaf in a certain ENOENT case,     which allows local users to obtain potentially     sensitive information about register values via the     dmesg program. NOTE: The BTRFS development team     disputes this issues as not being a vulnerability     because '1) The kernel provide facilities to restrict     access to dmesg - dmesg_restrict=1 sysctl option. So     it's really up to the system administrator to judge     whether dmesg access shall be disallowed or not. 2)     WARN/WARN_ON are widely used macros in the linux     kernel. If this CVE is considered valid this would mean     there are literally thousands CVE lurking in the kernel
    - something which clearly is not the     case.'(CVE-2019-19039)

  - ext4_empty_dir in fs/ext4/namei.c in the Linux kernel     through 5.3.12 allows a NULL pointer dereference     because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be     zero.(CVE-2019-19037)

  - btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel     through 5.3.12 allows a NULL pointer dereference     because rcu_dereference(root->node) can be     zero.(CVE-2019-19036)

  - ** DISPUTED ** In the Linux kernel 4.19.83, there is a     use-after-free (read) in the debugfs_remove function in     fs/debugfs/inode.c (which is used to remove a file or     directory in debugfs that was previously created with a     call to another debugfs function such as     debugfs_create_file). NOTE: Linux kernel developers     dispute this issue as not being an issue with debugfs,     instead this is an issue with misuse of debugfs within     blktrace.(CVE-2019-19770)

  - An issue was discovered in slc_bump in     drivers/net/can/slcan.c in the Linux kernel through     5.6.2. It allows attackers to read uninitialized     can_frame data, potentially containing sensitive     information from kernel stack memory, if the     configuration lacks CONFIG_INIT_STACK_ALL, aka     CID-b9258a2cece4.(CVE-2020-11494)

  - ** DISPUTED ** An issue was discovered in the Linux     kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c     has a stack-based out-of-bounds write because an empty     nodelist is mishandled during mount option parsing, aka     CID-aa9f7d5172fa. NOTE: Someone in the security     community disagrees that this is a vulnerability     because the issue 'is a bug in parsing mount options     which can only be specified by a privileged user, so     triggering the bug does not grant any powers not     already held.'.(CVE-2020-11565)

  - A flaw was found in the Linux kernel's implementation     of some networking protocols in IPsec, such as VXLAN     and GENEVE tunnels over IPv6. When an encrypted tunnel     is created between two hosts, the kernel isn't     correctly routing tunneled data over the encrypted link     rather sending the data unencrypted. This would allow     anyone in between the two endpoints to read the traffic     unencrypted. The main threat from this vulnerability is     to data confidentiality.(CVE-2020-1749)

  - An issue was discovered in the stv06xx subsystem in the     Linux kernel before 5.6.1.
    drivers/media/usb/gspca/stv06xx/stv06xx.c and     drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c     mishandle invalid descriptors, as demonstrated by a     NULL pointer dereference, aka     CID-485b06aadb93.(CVE-2020-11609)

  - An issue was discovered in the Linux kernel before     5.6.1. drivers/media/usb/gspca/ov519.c allows NULL     pointer dereferences in ov511_mode_init_regs and     ov518_mode_init_regs when there are zero endpoints, aka     CID-998912346c0d.(CVE-2020-11608)

  - In the Linux kernel before 5.4.12,     drivers/input/input.c has out-of-bounds writes via a     crafted keycode table, as demonstrated by     input_set_keycode, aka     CID-cb222aed03d7.(CVE-2019-20636)

  - In the Linux kernel before 5.6.1,     drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink     camera USB driver) mishandles invalid descriptors, aka     CID-a246b4d54770.(CVE-2020-11668)

  - In f2fs_xattr_generic_list of xattr.c, there is a     possible out of bounds read due to a missing bounds     check. This could lead to local information disclosure     with System execution privileges needed. User     interaction is not required for exploitation.Product:
    Android. Versions: Android kernel. Android ID:
    A-120551147.(CVE-2020-0067)

  - An issue was discovered in the Linux kernel before 5.2     on the powerpc platform.
    arch/powerpc/kernel/idle_book3s.S does not have     save/restore functionality for PNV_POWERSAVE_AMR,     PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka     CID-53a712bae5dd.(CVE-2020-11669)

  - In the Linux kernel before 5.5.8, get_raw_socket in     drivers/vhost/net.c lacks validation of an sk_family     field, which might allow attackers to trigger kernel     stack corruption via crafted system     calls.(CVE-2020-10942)

  - In the Linux kernel 5.0.21, mounting a crafted btrfs     filesystem image, performing some operations, and     unmounting can lead to a use-after-free in     btrfs_queue_work in     fs/btrfs/async-thread.c.(CVE-2019-19377)

  - relay_open in kernel/relay.c in the Linux kernel     through 5.4.1 allows local users to cause a denial of     service (such as relay blockage) by triggering a NULL     alloc_percpu result.(CVE-2019-19462)

  - An issue was discovered in xfs_agf_verify in     fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through     5.6.10. Attackers may trigger a sync of excessive     duration via an XFS v5 image with crafted metadata, aka     CID-d0c7feaf8767.(CVE-2020-12655)

  - The __mptctl_ioctl function in     drivers/message/fusion/mptctl.c in the Linux kernel     before 5.4.14 allows local users to hold an incorrect     lock during the ioctl operation and trigger a race     condition, i.e., a 'double fetch' vulnerability, aka     CID-28d76df18f0a. NOTE: the vendor states 'The security     impact of this bug is not as bad as it could have been     because these operations are all privileged and root     already has enormous destructive     power.'(CVE-2020-12652)

  - A pivot_root race condition in fs/namespace.c in the     Linux kernel 4.4.x before 4.4.221, 4.9.x before     4.9.221, 4.14.x before 4.14.178, 4.19.x before     4.19.119, and 5.x before 5.3 allows local users to     cause a denial of service (panic) by corrupting a     mountpoint reference counter.(CVE-2020-12114)

  - usb_sg_cancel in drivers/usb/core/message.c in the     Linux kernel before 5.6.8 has a use-after-free because     a transfer occurs without a reference, aka     CID-056ad39ee925.(CVE-2020-12464)

  - An issue was found in Linux kernel before 5.5.4.
    mwifiex_ret_wmm_get_status() in     drivers/net/wireless/marvell/mwifiex/wmm.c allows a     remote AP to trigger a heap-based buffer overflow     because of an incorrect memcpy, aka     CID-3a9b153c5591.(CVE-2020-12654)

  - An issue was found in Linux kernel before 5.5.4. The     mwifiex_cmd_append_vsie_tlv() function in     drivers/net/wireless/marvell/mwifiex/scan.c allows     local users to gain privileges or cause a denial of     service because of an incorrect memcpy and buffer     overflow, aka CID-b70261a288ea.(CVE-2020-12653)

  - An array overflow was discovered in mt76_add_fragment     in drivers/net/wireless/mediatek/mt76/dma.c in the     Linux kernel before 5.5.10, aka CID-b102f0c522cf. An     oversized packet with too many rx fragments can corrupt     memory of adjacent pages.(CVE-2020-12465)

  - An issue was discovered in the Linux kernel before     5.6.7. xdp_umem_reg in net/xdp/xdp_umem.c has an     out-of-bounds write (by a user with the CAP_NET_ADMIN     capability) because of a lack of headroom     validation.(CVE-2020-12659)

  - An issue was discovered in the Linux kernel through     5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c     has a deadlock if a coalescing operation     fails.(CVE-2020-12771)

  - An issue was discovered in the Linux kernel through     5.6.11. sg_write lacks an sg_remove_request call in a     certain failure case, aka     CID-83c6f2390040.(CVE-2020-12770)

  - A signal access-control issue was discovered in the     Linux kernel before 5.6.5, aka CID-7395ea4e65c2.
    Because exec_id in include/linux/sched.h is only 32     bits, an integer overflow can interfere with a     do_notify_parent protection mechanism. A child process     can send an arbitrary signal to a parent process in a     different security domain. Exploitation limitations     include the amount of elapsed time before an integer     overflow occurs, and the lack of scenarios where     signals to a parent process present a substantial     operational threat.(CVE-2020-12826)

  - A NULL pointer dereference flaw was found in the Linux     kernel's SELinux subsystem in versions before 5.7. This     flaw occurs while importing the Commercial IP Security     Option (CIPSO) protocol's category bitmap into the     SELinux extensible bitmap via the'     ebitmap_netlbl_import' routine. While processing the     CIPSO restricted bitmap tag in the     'cipso_v4_parsetag_rbm' routine, it sets the security     attribute to indicate that the category bitmap is     present, even if it has not been allocated. This issue     leads to a NULL pointer dereference issue while     importing the same category bitmap into SELinux. This     flaw allows a remote network user to crash the system     kernel, resulting in a denial of     service.(CVE-2020-10711)

  - gadget_dev_desc_UDC_store in     drivers/usb/gadget/configfs.c in the Linux kernel     through 5.6.13 relies on kstrdup without considering     the possibility of an internal '\0' value, which allows     attackers to trigger an out-of-bounds read, aka     CID-15753588bcd4.(CVE-2020-13143)

  - An issue was discovered in the Linux kernel before 5.2.
    There is a NULL pointer dereference in     tw5864_handle_frame() in     drivers/media/pci/tw5864/tw5864-video.c, which may     cause denial of service, aka     CID-2e7682ebfc75.(CVE-2019-20806)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).

CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).

CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).

CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736).

CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205).

CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).

CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).

CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).

CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).

CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).

CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).

CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).

CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).

CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).

CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).

CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).

CVE-2020-10711: Fixed a NULL pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).

CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).

CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).

CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).

CVE-2019-20806: Fixed a NULL pointer dereference which may had lead to denial of service (bsc#1172199).

CVE-2019-19462: Fixed an issue which could have allowed local user to cause denial of service (bsc#1158265).

CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).

CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).

CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).

CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736).

CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205).

CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).

CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).

CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).

CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).

CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).

CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).

CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).

CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).

CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).

CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).

CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).

CVE-2020-10711: Fixed a NULL pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).

CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).

CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).

CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).

CVE-2019-20806: Fixed a NULL pointer dereference which may had lead to denial of service (bsc#1172199).

CVE-2019-19462: Fixed an issue which could have allowed local user to cause denial of service (bsc#1158265).

CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).

CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).

CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).

CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736).

CVE-2020-12659: Fixed an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) due to improper headroom validation (bsc#1171214).

CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205).

CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).

CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).

CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).

CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).

CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).

CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).

CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).

CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).

CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).

CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).

CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).

CVE-2020-10711: Fixed a NULL pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).

CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).

CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).

CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).

CVE-2019-20806: Fixed a NULL pointer dereference which may had lead to denial of service (bsc#1172199).

CVE-2019-19462: Fixed an issue which could have allowed local user to cause denial of service (bsc#1158265).

CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).

CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).

CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).

CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736).

CVE-2020-12659: Fixed an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) due to improper headroom validation (bsc#1171214).

CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205).

CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).

CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).

CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).

CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).

CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).

CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).

CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).

CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).

CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).

CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).

CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).

CVE-2020-10711: Fixed a NULL pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).

CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).

CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).

CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).

CVE-2019-20806: Fixed a NULL pointer dereference which may had lead to denial of service (bsc#1172199).

CVE-2019-19462: Fixed an issue which could have allowed local user to cause denial of service (bsc#1158265).

CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).

CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).

CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).

CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736).

CVE-2020-12659: Fixed an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) due to improper headroom validation (bsc#1171214).

CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205).

CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).

CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).

CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).

CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).

CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).

CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).

CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).

CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).

CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).

CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).

CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).

CVE-2020-10711: Fixed a NULL pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).

CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).

CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).

CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).

CVE-2019-20806: Fixed a NULL pointer dereference which may had lead to denial of service (bsc#1172199).

CVE-2019-19462: Fixed an issue which could have allowed local user to cause denial of service (bsc#1158265).

CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2019-2182     Hanjun Guo and Lei Li reported a race condition in the     arm64 virtual memory management code, which could lead     to an information disclosure, denial of service (crash),     or possibly privilege escalation.

  - CVE-2019-5108     Mitchell Frank of Cisco discovered that when the IEEE     802.11 (WiFi) stack was used in AP mode with roaming, it     would trigger roaming for a newly associated station     before the station was authenticated. An attacker within     range of the AP could use this to cause a denial of     service, either by filling up a switching table or by     redirecting traffic away from other stations.

  - CVE-2019-19319     Jungyeon discovered that a crafted filesystem can cause     the ext4 implementation to deallocate or reallocate     journal blocks. A user permitted to mount filesystems     could use this to cause a denial of service (crash), or     possibly for privilege escalation.

  - CVE-2019-19462     The syzbot tool found a missing error check in the     'relay' library used to implement various files under     debugfs. A local user permitted to access debugfs could     use this to cause a denial of service (crash) or     possibly for privilege escalation.

  - CVE-2019-19768     Tristan Madani reported a race condition in the blktrace     debug facility that could result in a use-after-free. A     local user able to trigger removal of block devices     could possibly use this to cause a denial of service     (crash) or for privilege escalation.

  - CVE-2019-20806     A potential NULL pointer dereference was discovered in     the tw5864 media driver. The security impact of this is     unclear.

  - CVE-2019-20811     The Hulk Robot tool found a reference-counting bug in an     error path in the network subsystem. The security impact     of this is unclear.

  - CVE-2020-0543     Researchers at VU Amsterdam discovered that on some     Intel CPUs supporting the RDRAND and RDSEED     instructions, part of a random value generated by these     instructions may be used in a later speculative     execution on any core of the same physical CPU.
    Depending on how these instructions are used by     applications, a local user or VM guest could use this to     obtain sensitive information such as cryptographic keys     from other users or VMs.

  This vulnerability can be mitigated by a microcode update, either as   part of system firmware (BIOS) or through the intel-microcode   package in Debian's non-free archive section. This kernel update   only provides reporting of the vulnerability and the option to   disable the mitigation if it is not needed.

  - CVE-2020-2732     Paulo Bonzini discovered that the KVM implementation for     Intel processors did not properly handle instruction     emulation for L2 guests when nested virtualization is     enabled. This could allow an L2 guest to cause privilege     escalation, denial of service, or information leaks in     the L1 guest.

  - CVE-2020-8428     Al Viro discovered a potential use-after-free in the     filesystem core (vfs). A local user could exploit this     to cause a denial of service (crash) or possibly to     obtain sensitive information from the kernel.

  - CVE-2020-8647, CVE-2020-8649     The Hulk Robot tool found a potential MMIO out-of-bounds     access in the vgacon driver. A local user permitted to     access a virtual terminal (/dev/tty1 etc.) on a system     using the vgacon driver could use this to cause a denial     of service (crash or memory corruption) or possibly for     privilege escalation.

  - CVE-2020-8648     The syzbot tool found a race condition in the the     virtual terminal driver, which could result in a     use-after-free. A local user permitted to access a     virtual terminal could use this to cause a denial of     service (crash or memory corruption) or possibly for     privilege escalation.

  - CVE-2020-9383     Jordy Zomer reported an incorrect range check in the     floppy driver which could lead to a static out-of-bounds     access. A local user permitted to access a floppy drive     could use this to cause a denial of service (crash or     memory corruption) or possibly for privilege escalation.

  - CVE-2020-10711     Matthew Sheets reported NULL pointer dereference issues     in the SELinux subsystem while receiving CIPSO packet     with null category. A remote attacker can take advantage     of this flaw to cause a denial of service (crash). Note     that this issue does not affect the binary packages     distributed in Debian as CONFIG_NETLABEL is not enabled.

  - CVE-2020-10732     An information leak of kernel private memory to     userspace was found in the kernel's implementation of     core dumping userspace processes.

  - CVE-2020-10751     Dmitry Vyukov reported that the SELinux subsystem did     not properly handle validating multiple messages, which     could allow a privileged attacker to bypass SELinux     netlink restrictions.

  - CVE-2020-10757     Fan Yang reported a flaw in the way mremap handled DAX     hugepages, allowing a local user to escalate their     privileges

  - CVE-2020-10942     It was discovered that the vhost_net driver did not     properly validate the type of sockets set as back-ends.
    A local user permitted to access /dev/vhost-net could     use this to cause a stack corruption via crafted system     calls, resulting in denial of service (crash) or     possibly privilege escalation.

  - CVE-2020-11494     It was discovered that the slcan (serial line CAN)     network driver did not fully initialise CAN headers for     received packets, resulting in an information leak from     the kernel to user-space or over the CAN network.

  - CVE-2020-11565     Entropy Moe reported that the shared memory filesystem     (tmpfs) did not correctly handle an 'mpol' mount option     specifying an empty node list, leading to a stack-based     out-of-bounds write. If user namespaces are enabled, a     local user could use this to cause a denial of service     (crash) or possibly for privilege escalation.

  - CVE-2020-11608, CVE-2020-11609, CVE-2020-11668     It was discovered that the ov519, stv06xx, and     xirlink_cit media drivers did not properly validate USB     device descriptors. A physically present user with a     specially constructed USB device could use this to cause     a denial-of-service (crash) or possibly for privilege     escalation.

  - CVE-2020-12114     Piotr Krysiuk discovered a race condition between the     umount and pivot_root operations in the filesystem core     (vfs). A local user with the CAP_SYS_ADMIN capability in     any user namespace could use this to cause a denial of     service (crash).

  - CVE-2020-12464     Kyungtae Kim reported a race condition in the USB core     that can result in a use-after-free. It is not clear how     this can be exploited, but it could result in a denial     of service (crash or memory corruption) or privilege     escalation.

  - CVE-2020-12652     Tom Hatskevich reported a bug in the mptfusion storage     drivers. An ioctl handler fetched a parameter from user     memory twice, creating a race condition which could     result in incorrect locking of internal data structures.
    A local user permitted to access /dev/mptctl could use     this to cause a denial of service (crash or memory     corruption) or for privilege escalation.

  - CVE-2020-12653     It was discovered that the mwifiex WiFi driver did not     sufficiently validate scan requests, resulting a     potential heap buffer overflow. A local user with     CAP_NET_ADMIN capability could use this to cause a     denial of service (crash or memory corruption) or     possibly for privilege escalation.

  - CVE-2020-12654     It was discovered that the mwifiex WiFi driver did not     sufficiently validate WMM parameters received from an     access point (AP), resulting a potential heap buffer     overflow. A malicious AP could use this to cause a     denial of service (crash or memory corruption) or     possibly to execute code on a vulnerable system.

  - CVE-2020-12770     It was discovered that the sg (SCSI generic) driver did     not correctly release internal resources in a particular     error case. A local user permitted to access an sg     device could possibly use this to cause a denial of     service (resource exhaustion).

  - CVE-2020-13143     Kyungtae Kim reported a potential heap out-of-bounds     write in the USB gadget subsystem. A local user     permitted to write to the gadget configuration     filesystem could use this to cause a denial of service     (crash or memory corruption) or potentially for     privilege escalation.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2019-2182

Hanjun Guo and Lei Li reported a race condition in the arm64 virtual memory management code, which could lead to an information disclosure, denial of service (crash), or possibly privilege escalation.

CVE-2019-5108

Mitchell Frank of Cisco discovered that when the IEEE 802.11 (WiFi) stack was used in AP mode with roaming, it would trigger roaming for a newly associated station before the station was authenticated. An attacker within range of the AP could use this to cause a denial of service, either by filling up a switching table or by redirecting traffic away from other stations.

CVE-2019-19319

Jungyeon discovered that a crafted filesystem can cause the ext4 implementation to deallocate or reallocate journal blocks. A user permitted to mount filesystems could use this to cause a denial of service (crash), or possibly for privilege escalation.

CVE-2019-19462

The syzbot tool found a missing error check in the 'relay' library used to implement various files under debugfs. A local user permitted to access debugfs could use this to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2019-19768

Tristan Madani reported a race condition in the blktrace debug facility that could result in a use-after-free. A local user able to trigger removal of block devices could possibly use this to cause a denial of service (crash) or for privilege escalation.

CVE-2019-20806

A potential NULL pointer dereference was discovered in the tw5864 media driver. The security impact of this is unclear.

CVE-2019-20811

The Hulk Robot tool found a reference-counting bug in an error path in the network subsystem. The security impact of this is unclear.

CVE-2020-0543

Researchers at VU Amsterdam discovered that on some Intel CPUs supporting the RDRAND and RDSEED instructions, part of a random value generated by these instructions may be used in a later speculative execution on any core of the same physical CPU. Depending on how these instructions are used by applications, a local user or VM guest could use this to obtain sensitive information such as cryptographic keys from other users or VMs.

This vulnerability can be mitigated by a microcode update, either as part of system firmware (BIOS) or through the intel-microcode package in Debian's non-free archive section. This kernel update only provides reporting of the vulnerability and the option to disable the mitigation if it is not needed.

CVE-2020-2732

Paulo Bonzini discovered that the KVM implementation for Intel processors did not properly handle instruction emulation for L2 guests when nested virtualization is enabled. This could allow an L2 guest to cause privilege escalation, denial of service, or information leaks in the L1 guest.

CVE-2020-8428

Al Viro discovered a potential use-after-free in the filesystem core (vfs). A local user could exploit this to cause a denial of service (crash) or possibly to obtain sensitive information from the kernel.

CVE-2020-8647, CVE-2020-8649

The Hulk Robot tool found a potential MMIO out-of-bounds access in the vgacon driver. A local user permitted to access a virtual terminal (/dev/tty1 etc.) on a system using the vgacon driver could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-8648

The syzbot tool found a race condition in the the virtual terminal driver, which could result in a use-after-free. A local user permitted to access a virtual terminal could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-9383

Jordy Zomer reported an incorrect range check in the floppy driver which could lead to a static out-of-bounds access. A local user permitted to access a floppy drive could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-10711

Matthew Sheets reported NULL pointer dereference issues in the SELinux subsystem while receiving CIPSO packet with null category. A remote attacker can take advantage of this flaw to cause a denial of service (crash). Note that this issue does not affect the binary packages distributed in Debian as CONFIG_NETLABEL is not enabled.

CVE-2020-10732

An information leak of kernel private memory to userspace was found in the kernel's implementation of core dumping userspace processes.

CVE-2020-10751

Dmitry Vyukov reported that the SELinux subsystem did not properly handle validating multiple messages, which could allow a privileged attacker to bypass SELinux netlink restrictions.

CVE-2020-10757

Fan Yang reported a flaw in the way mremap handled DAX hugepages, allowing a local user to escalate their privileges

CVE-2020-10942

It was discovered that the vhost_net driver did not properly validate the type of sockets set as back-ends. A local user permitted to access /dev/vhost-net could use this to cause a stack corruption via crafted system calls, resulting in denial of service (crash) or possibly privilege escalation.

CVE-2020-11494

It was discovered that the slcan (serial line CAN) network driver did not fully initialise CAN headers for received packets, resulting in an information leak from the kernel to user-space or over the CAN network.

CVE-2020-11565

Entropy Moe reported that the shared memory filesystem (tmpfs) did not correctly handle an 'mpol' mount option specifying an empty node list, leading to a stack-based out-of-bounds write. If user namespaces are enabled, a local user could use this to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2020-11608, CVE-2020-11609, CVE-2020-11668

It was discovered that the ov519, stv06xx, and xirlink_cit media drivers did not properly validate USB device descriptors. A physically present user with a specially constructed USB device could use this to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2020-12114

Piotr Krysiuk discovered a race condition between the umount and pivot_root operations in the filesystem core (vfs). A local user with the CAP_SYS_ADMIN capability in any user namespace could use this to cause a denial of service (crash).

CVE-2020-12464

Kyungtae Kim reported a race condition in the USB core that can result in a use-after-free. It is not clear how this can be exploited, but it could result in a denial of service (crash or memory corruption) or privilege escalation.

CVE-2020-12652

Tom Hatskevich reported a bug in the mptfusion storage drivers. An ioctl handler fetched a parameter from user memory twice, creating a race condition which could result in incorrect locking of internal data structures. A local user permitted to access /dev/mptctl could use this to cause a denial of service (crash or memory corruption) or for privilege escalation.

CVE-2020-12653

It was discovered that the mwifiex WiFi driver did not sufficiently validate scan requests, resulting a potential heap buffer overflow. A local user with CAP_NET_ADMIN capability could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-12654

It was discovered that the mwifiex WiFi driver did not sufficiently validate WMM parameters received from an access point (AP), resulting a potential heap buffer overflow. A malicious AP could use this to cause a denial of service (crash or memory corruption) or possibly to execute code on a vulnerable system.

CVE-2020-12770

It was discovered that the sg (SCSI generic) driver did not correctly release internal resources in a particular error case. A local user permitted to access an sg device could possibly use this to cause a denial of service (resource exhaustion).

CVE-2020-13143

Kyungtae Kim reported a potential heap out-of-bounds write in the USB gadget subsystem. A local user permitted to write to the gadget configuration filesystem could use this to cause a denial of service (crash or memory corruption) or potentially for privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 4.9.210-1+deb9u1~deb8u1. This version also fixes some related bugs that do not have their own CVE IDs, and a regression in the macvlan driver introduced in the previous security update (bug #952660).

We recommend that you upgrade your linux-4.9 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
140378	SUSE SLES15 Security Update : kernel (SUSE-SU-2020:2487-1)	Nessus	SuSE Local Security Checks	high
140328	EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2020-1958)	Nessus	Huawei Local Security Checks	high
139137	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1807)	Nessus	Huawei Local Security Checks	high
138679	openSUSE Security Update : the Linux Kernel (openSUSE-2020-801)	Nessus	SuSE Local Security Checks	high
137805	EulerOS Virtualization for ARM 64 3.0.6.0 : kernel (EulerOS-SA-2020-1698)	Nessus	Huawei Local Security Checks	high
137617	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:1605-1)	Nessus	SuSE Local Security Checks	high
137616	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:1603-1)	Nessus	SuSE Local Security Checks	high
137615	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:1602-1)	Nessus	SuSE Local Security Checks	high
137613	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2020:1599-1)	Nessus	SuSE Local Security Checks	high
137608	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:1587-1)	Nessus	SuSE Local Security Checks	high
137340	Debian DSA-4698-1 : linux - security update	Nessus	Debian Local Security Checks	high
137339	Debian DLA-2242-1 : linux-4.9 security update	Nessus	Debian Local Security Checks	high

CVE-2019-20806

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins