http://packetstormsecurity.com/files/154911/Android-Binder-Use-After-Free.html

20191018 CVE 2019-2215 Android Binder Use After Free

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191030-01-binder-en

https://security.netapp.com/advisory/ntap-20191031-0005/

https://source.android.com/security/bulletin/2019-10-01

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2018-13093, CVE-2018-13094

Wen Xu from SSLab at Gatech reported several NULL pointer dereference flaws that may be triggered when mounting and operating a crafted XFS volume. An attacker able to mount arbitrary XFS volumes could use this to cause a denial of service (crash).

CVE-2018-20976

It was discovered that the XFS file-system implementation did not correctly handle some mount failure conditions, which could lead to a use-after-free. The security impact of this is unclear.

CVE-2018-21008

It was discovered that the rsi wifi driver did not correctly handle some failure conditions, which could lead to a use-after- free. The security impact of this is unclear.

CVE-2019-0136

It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages.
A nearby attacker could use this for denial of service (loss of wifi connectivity).

CVE-2019-2215

The syzkaller tool discovered a use-after-free vulnerability in the Android binder driver. A local user on a system with this driver enabled could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. However, this driver is not enabled on Debian packaged kernels.

CVE-2019-10220

Various developers and researchers found that if a crafted file- system or malicious file server presented a directory with filenames including a '/' character, this could confuse and possibly defeat security checks in applications that read the directory.

The kernel will now return an error when reading such a directory, rather than passing the invalid filenames on to user-space.

CVE-2019-14615

It was discovered that Intel 9th and 10th generation GPUs did not clear user-visible state during a context switch, which resulted in information leaks between GPU tasks. This has been mitigated in the i915 driver.

The affected chips (gen9 and gen10) are listed at <https://en.wikipedia.org/wiki/List_of_Intel_graphics_proces sing_units#Gen9>.

CVE-2019-14814, CVE-2019-14815, CVE-2019-14816

Multiple bugs were discovered in the mwifiex wifi driver, which could lead to heap buffer overflows. A local user permitted to configure a device handled by this driver could probably use this for privilege escalation.

CVE-2019-14895, CVE-2019-14901

ADLab of Venustech discovered potential heap buffer overflows in the mwifiex wifi driver. On systems using this driver, a malicious Wireless Access Point or adhoc/P2P peer could use these to cause a denial of service (memory corruption or crash) or possibly for remote code execution.

CVE-2019-14896, CVE-2019-14897

ADLab of Venustech discovered potential heap and stack buffer overflows in the libertas wifi driver. On systems using this driver, a malicious Wireless Access Point or adhoc/P2P peer could use these to cause a denial of service (memory corruption or crash) or possibly for remote code execution.

CVE-2019-15098

Hui Peng and Mathias Payer reported that the ath6kl wifi driver did not properly validate USB descriptors, which could lead to a NULL pointer derefernce. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15217

The syzkaller tool discovered that the zr364xx mdia driver did not correctly handle devices without a product name string, which could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15291

The syzkaller tool discovered that the b2c2-flexcop-usb media driver did not properly validate USB descriptors, which could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15505

The syzkaller tool discovered that the technisat-usb2 media driver did not properly validate incoming IR packets, which could lead to a heap buffer over-read. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops) or to read sensitive information from kernel memory.

CVE-2019-15917

The syzkaller tool found a race condition in code supporting UART-attached Bluetooth adapters, which could lead to a use- after-free. A local user with access to a pty device or other suitable tty device could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-16746

It was discovered that the wifi stack did not validate the content of beacon heads provided by user-space for use on a wifi interface in Access Point mode, which could lead to a heap buffer overflow. A local user permitted to configure a wifi interface could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-17052, CVE-2019-17053, CVE-2019-17054, CVE-2019-17055, CVE-2019-17056

Ori Nimron reported that various network protocol implementations

  - AX.25, IEEE 802.15.4, Appletalk, ISDN, and NFC - allowed     all users to create raw sockets. A local user could use     this to send arbitrary packets on networks using those     protocols.

CVE-2019-17075

It was found that the cxgb4 Infiniband driver requested DMA (Direct Memory Access) to a stack-allocated buffer, which is not supported and on some systems can result in memory corruption of the stack. A local user might be able to use this for denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-17133

Nicholas Waisman reported that the wifi stack did not valdiate received SSID information before copying it, which could lead to a buffer overflow if it is not validated by the driver or firmware. A malicious Wireless Access Point might be able to use this to cause a denial of service (memory corruption or crash) or for remote code execution.

CVE-2019-17666

Nicholas Waisman reported that the rtlwifi wifi drivers did not properly validate received P2P information, leading to a buffer overflow. A malicious P2P peer could use this to cause a denial of service (memory corruption or crash) or for remote code execution.

CVE-2019-18282

Jonathan Berger, Amit Klein, and Benny Pinkas discovered that the generation of UDP/IPv6 flow labels used a weak hash function, 'jhash'.
This could enable tracking individual computers as they communicate with different remote servers and from different networks. The 'siphash' function is now used instead.

CVE-2019-18683

Multiple race conditions were discovered in the vivid media driver, used for testing Video4Linux2 (V4L2) applications, These race conditions could result in a use-after-free. On a system where this driver is loaded, a user with permission to access media devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-18809

Navid Emamdoost discovered a potential memory leak in the af9005 media driver if the device fails to respond to a command. The security impact of this is unclear.

CVE-2019-19037

It was discovered that the ext4 filesystem driver did not correctly handle directories with holes (unallocated regions) in them. An attacker able to mount arbitrary ext4 volumes could use this to cause a denial of service (crash).

CVE-2019-19051

Navid Emamdoost discovered a potential memory leak in the i2400m wimax driver if the software rfkill operation fails. The security impact of this is unclear.

CVE-2019-19052

Navid Emamdoost discovered a potential memory leak in the gs_usb CAN driver if the open (interface-up) operation fails. The security impact of this is unclear.

CVE-2019-19056, CVE-2019-19057

Navid Emamdoost discovered potential memory leaks in the mwifiex wifi driver if the probe operation fails. The security impact of this is unclear.

CVE-2019-19062

Navid Emamdoost discovered a potential memory leak in the AF_ALG subsystem if the CRYPTO_MSG_GETALG operation fails. A local user could possibly use this to cause a denial of service (memory exhaustion).

CVE-2019-19066

Navid Emamdoost discovered a potential memory leak in the bfa SCSI driver if the get_fc_host_stats operation fails. The security impact of this is unclear.

CVE-2019-19068

Navid Emamdoost discovered a potential memory leak in the rtl8xxxu wifi driver, in case it fails to submit an interrupt buffer to the device. The security impact of this is unclear.

CVE-2019-19227

Dan Carpenter reported missing error checks in the Appletalk protocol implementation that could lead to a NULL pointer dereference. The security impact of this is unclear.

CVE-2019-19332

The syzkaller tool discovered a missing bounds check in the KVM implementation for x86, which could lead to a heap buffer overflow. A local user permitted to use KVM could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19447

It was discovered that the ext4 filesystem driver did not safely handle unlinking of an inode that, due to filesystem corruption, already has a link count of 0. An attacker able to mount arbitrary ext4 volumes could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19523

The syzkaller tool discovered a use-after-free bug in the adutux USB driver. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19524

The syzkaller tool discovered a race condition in the ff-memless library used by input drivers. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19525

The syzkaller tool discovered a use-after-free bug in the atusb driver for IEEE 802.15.4 networking. An attacker able to add and remove USB devices could possibly use this to cause a denial of service (memory corruption or crash) or for privilege escalation.

CVE-2019-19527

The syzkaller tool discovered that the hiddev driver did not correctly handle races between a task opening the device and disconnection of the underlying hardware. A local user permitted to access hiddev devices, and able to add and remove USB devices, could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19530

The syzkaller tool discovered a potential use-after-free in the cdc-acm network driver. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19531

The syzkaller tool discovered a use-after-free bug in the yurex USB driver. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19532

The syzkaller tool discovered a potential heap buffer overflow in the hid-gaff input driver, which was also found to exist in many other input drivers. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19533

The syzkaller tool discovered that the ttusb-dec media driver was missing initialisation of a structure, which could leak sensitive information from kernel memory.

CVE-2019-19534, CVE-2019-19535, CVE-2019-19536

The syzkaller tool discovered that the peak_usb CAN driver was missing initialisation of some structures, which could leak sensitive information from kernel memory.

CVE-2019-19537

The syzkaller tool discovered race conditions in the USB stack, involving character device registration. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19767

The syzkaller tool discovered that crafted ext4 volumes could trigger a buffer overflow in the ext4 filesystem driver. An attacker able to mount such a volume could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19947

It was discovered that the kvaser_usb CAN driver was missing initialisation of some structures, which could leak sensitive information from kernel memory.

CVE-2019-19965

Gao Chuan reported a race condition in the libsas library used by SCSI host drivers, which could lead to a NULL pointer dereference. An attacker able to add and remove SCSI devices could use this to cause a denial of service (BUG/oops).

CVE-2019-20096

The Hulk Robot tool discovered a potential memory leak in the DCCP protocol implementation. This may be exploitable by local users, or by remote attackers if the system uses DCCP, to cause a denial of service (out of memory).

For Debian 8 'Jessie', these problems have been fixed in version 4.9.210-1~deb8u1. This update additionally fixes Debian bugs #869511 and 945023; and includes many more bug fixes from stable updates 4.9.190-4.9.210 inclusive.

We recommend that you upgrade your linux-4.9 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leak.

CVE-2019-2215

The syzkaller tool discovered a use-after-free vulnerability in the Android binder driver. A local user on a system with this driver enabled could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. However, this driver is not enabled on Debian packaged kernels.

CVE-2019-10220

Various developers and researchers found that if a crafted file- system or malicious file server presented a directory with filenames including a '/' character, this could confuse and possibly defeat security checks in applications that read the directory.

The kernel will now return an error when reading such a directory, rather than passing the invalid filenames on to user-space.

CVE-2019-14895, CVE-2019-14901

ADLab of Venustech discovered potential heap buffer overflows in the mwifiex wifi driver. On systems using this driver, a malicious Wireless Access Point or adhoc/P2P peer could use these to cause a denial of service (memory corruption or crash) or possibly for remote code execution.

CVE-2019-14896, CVE-2019-14897

ADLab of Venustech discovered potential heap and stack buffer overflows in the libertas wifi driver. On systems using this driver, a malicious Wireless Access Point or adhoc/P2P peer could use these to cause a denial of service (memory corruption or crash) or possibly for remote code execution.

CVE-2019-15098

Hui Peng and Mathias Payer reported that the ath6kl wifi driver did not properly validate USB descriptors, which could lead to a NULL pointer derefernce. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15217

The syzkaller tool discovered that the zr364xx mdia driver did not correctly handle devices without a product name string, which could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15291

The syzkaller tool discovered that the b2c2-flexcop-usb media driver did not properly validate USB descriptors, which could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15505

The syzkaller tool discovered that the technisat-usb2 media driver did not properly validate incoming IR packets, which could lead to a heap buffer over-read. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops) or to read sensitive information from kernel memory.

CVE-2019-16746

It was discovered that the wifi stack did not validate the content of beacon heads provided by user-space for use on a wifi interface in Access Point mode, which could lead to a heap buffer overflow. A local user permitted to configure a wifi interface could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-17052, CVE-2019-17053, CVE-2019-17054, CVE-2019-17055, CVE-2019-17056

Ori Nimron reported that various network protocol implementations

  - AX.25, IEEE 802.15.4, Appletalk, ISDN, and NFC - allowed     all users to create raw sockets. A local user could use     this to send arbitrary packets on networks using those     protocols.

CVE-2019-17133

Nicholas Waisman reported that the wifi stack did not valdiate received SSID information before copying it, which could lead to a buffer overflow if it is not validated by the driver or firmware. A malicious Wireless Access Point might be able to use this to cause a denial of service (memory corruption or crash) or for remote code execution.

CVE-2019-17666

Nicholas Waisman reported that the rtlwifi wifi drivers did not properly validate received P2P information, leading to a buffer overflow. A malicious P2P peer could use this to cause a denial of service (memory corruption or crash) or for remote code execution.

CVE-2019-19051

Navid Emamdoost discovered a potential memory leak in the i2400m wimax driver if the software rfkill operation fails. The security impact of this is unclear.

CVE-2019-19052

Navid Emamdoost discovered a potential memory leak in the gs_usb CAN driver if the open (interface-up) operation fails. The security impact of this is unclear.

CVE-2019-19056, CVE-2019-19057

Navid Emamdoost discovered potential memory leaks in the mwifiex wifi driver if the probe operation fails. The security impact of this is unclear.

CVE-2019-19062

Navid Emamdoost discovered a potential memory leak in the AF_ALG subsystem if the CRYPTO_MSG_GETALG operation fails. A local user could possibly use this to cause a denial of service (memory exhaustion).

CVE-2019-19066

Navid Emamdoost discovered a potential memory leak in the bfa SCSI driver if the get_fc_host_stats operation fails. The security impact of this is unclear.

CVE-2019-19227

Dan Carpenter reported missing error checks in the Appletalk protocol implementation that could lead to a NULL pointer dereference. The security impact of this is unclear.

CVE-2019-19332

The syzkaller tool discovered a missing bounds check in the KVM implementation for x86, which could lead to a heap buffer overflow. A local user permitted to use KVM could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19523

The syzkaller tool discovered a use-after-free bug in the adutux USB driver. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19524

The syzkaller tool discovered a race condition in the ff-memless library used by input drivers. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19527

The syzkaller tool discovered that the hiddev driver did not correctly handle races between a task opening the device and disconnection of the underlying hardware. A local user permitted to access hiddev devices, and able to add and remove USB devices, could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19530

The syzkaller tool discovered a potential use-after-free in the cdc-acm network driver. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19531

The syzkaller tool discovered a use-after-free bug in the yurex USB driver. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19532

The syzkaller tool discovered a potential heap buffer overflow in the hid-gaff input driver, which was also found to exist in many other input drivers. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19533

The syzkaller tool discovered that the ttusb-dec media driver was missing initialisation of a structure, which could leak sensitive information from kernel memory.

CVE-2019-19534, CVE-2019-19536

The syzkaller tool discovered that the peak_usb CAN driver was missing initialisation of some structures, which could leak sensitive information from kernel memory.

CVE-2019-19537

The syzkaller tool discovered race conditions in the USB stack, involving character device registration. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19767

The syzkaller tool discovered that crafted ext4 volumes could trigger a buffer overflow in the ext4 filesystem driver. An attacker able to mount such a volume could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19922

It was discovered that a change in Linux 3.16.61, 'sched/fair: Fix bandwidth timer clock drift condition', could lead to tasks being throttled before using their full quota of CPU time. A local user could use this bug to slow down other users' tasks. This change has been reverted.

CVE-2019-19947

It was discovered that the kvaser_usb CAN driver was missing initialisation of some structures, which could leak sensitive information from kernel memory.

CVE-2019-19965

Gao Chuan reported a race condition in the libsas library used by SCSI host drivers, which could lead to a NULL pointer dereference. An attacker able to add and remove SCSI devices could use this to cause a denial of service (BUG/oops).

CVE-2019-19966

The syzkaller tool discovered a missing error check in the cpia2 media driver, which could lead to a use-after-free. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 3.16.81-1.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - This candidate has been reserved by an organization or     individual that will use it when announcing a new     security problem. When the candidate has been     publicized, the details for this candidate will be     provided.(CVE-2019-10220)

  - A memory leak in the i2400m_op_rfkill_sw_toggle()     function in drivers/net/wimax/i2400m/op-rfkill.c in the     Linux kernel before 5.3.11 allows attackers to cause a     denial of service (memory consumption), aka     CID-6f3ef5c25cc7.(CVE-2019-19051)

  - A memory leak in the sdma_init() function in     drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel     before 5.3.9 allows attackers to cause a denial of     service (memory consumption) by triggering     rhashtable_init() failures, aka     CID-34b3be18a04e.(CVE-2019-19065)

  - ** DISPUTED ** Four memory leaks in the acp_hw_init()     function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in     the Linux kernel before 5.3.8 allow attackers to cause     a denial of service (memory consumption) by triggering     mfd_add_hotplug_devices() or pm_genpd_add_device()     failures, aka CID-57be09c6e874. NOTE: third parties     dispute the relevance of this because the attacker must     already have privileges for module     loading.(CVE-2019-19067)

  - An issue was discovered in drivers/xen/balloon.c in the     Linux kernel before 5.2.3, as used in Xen through     4.12.x, allowing guest OS users to cause a denial of     service because of unrestricted resource consumption     during the mapping of guest memory, aka     CID-6ef36ab967c7.(CVE-2019-17351)

  - The xen_biovec_phys_mergeable function in     drivers/xen/biomerge.c in Xen might allow local OS     guest users to corrupt block device data streams and     consequently obtain sensitive memory information, cause     a denial of service, or gain host OS privileges by     leveraging incorrect block IO merge-ability     calculation.(CVE-2017-12134)

  - In the Linux kernel before 5.3.7, there is a     use-after-free bug that can be caused by a malicious     USB device in the drivers/usb/misc/adutux.c driver, aka     CID-44efc269db79.(CVE-2019-19523)

  - In the Linux kernel before 5.3.7, there is a     use-after-free bug that can be caused by a malicious     USB device in the drivers/usb/misc/iowarrior.c driver,     aka CID-edc4746f253d.(CVE-2019-19528)

  - In the Linux kernel before 5.2.10, there is a     use-after-free bug that can be caused by a malicious     USB device in the drivers/usb/class/cdc-acm.c driver,     aka CID-c52873e5a1ef.(CVE-2019-19530)

  - In the Linux kernel before 5.3.4, there is an info-leak     bug that can be caused by a malicious USB device in the     drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka     CID-a10feaf8c464.(CVE-2019-19533)

  - In the Linux kernel before 5.2.10, there is a race     condition bug that can be caused by a malicious USB     device in the USB character device driver layer, aka     CID-303911cfc5b9. This affects     drivers/usb/core/file.c.(CVE-2019-19537)

  - In the Linux kernel before 5.3.12, there is a     use-after-free bug that can be caused by a malicious     USB device in the drivers/input/ff-memless.c driver,     aka CID-fa3a5a1880c9.(CVE-2019-19524)

  - In the Linux kernel before 5.2.10, there is a     use-after-free bug that can be caused by a malicious     USB device in the drivers/hid/usbhid/hiddev.c driver,     aka CID-9c09b214f30e.(CVE-2019-19527)

  - In the Linux kernel before 5.3.9, there are multiple     out-of-bounds write bugs that can be caused by a     malicious USB device in the Linux kernel HID drivers,     aka CID-d9d4b1e46d95. This affects     drivers/hid/hid-axff.c, drivers/hid/hid-dr.c,     drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c,     drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c,     drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c,     drivers/hid/hid-lgff.c,     drivers/hid/hid-logitech-hidpp.c,     drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c,     drivers/hid/hid-tmff.c, and     drivers/hid/hid-zpff.c.(CVE-2019-19532)

  - The VFS subsystem in the Linux kernel 3.x provides an     incomplete set of requirements for setattr operations     that underspecifies removing extended privilege     attributes, which allows local users to cause a denial     of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program.(CVE-2015-1350)

  - In the Linux kernel before 5.2.9, there is a     use-after-free bug that can be caused by a malicious     USB device in the drivers/usb/misc/yurex.c driver, aka     CID-fc05481b2fca.(CVE-2019-19531)

  - The Linux kernel through 5.3.13 has a start_offset+size     Integer Overflow in cpia2_remap_buffer in     drivers/media/usb/cpia2/cpia2_core.c because cpia2 has     its own mmap implementation. This allows local users     (with /dev/video0 access) to obtain read and write     permissions on kernel physical pages, which can     possibly result in a privilege     escalation.(CVE-2019-18675)

  - A flaw was found in the way signature calculation was     handled by cephx authentication protocol. An attacker     having access to ceph cluster network who is able to     alter the message payload was able to bypass signature     checks done by cephx protocol. Ceph branches master,     mimic, luminous and jewel are believed to be     vulnerable.(CVE-2018-1129)

  - A memory leak in the alloc_sgtable() function in     drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the     Linux kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     alloc_page() failures, aka     CID-b4b814fec1a5.(CVE-2019-19058)

  - A memory leak in the ath9k_wmi_cmd() function in     drivers/net/wireless/ath/ath9k/wmi.c in the Linux     kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption), aka     CID-728c1e2a05e4.(CVE-2019-19074)

  - Memory leaks in     drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux     kernel through 5.3.11 allow attackers to cause a denial     of service (memory consumption) by triggering     wait_for_completion_timeout() failures. This affects     the htc_config_pipe_credits() function, the     htc_setup_complete() function, and the     htc_connect_service() function, aka     CID-853acf7caf10.(CVE-2019-19073)

  - Two memory leaks in the rtl_usb_probe() function in     drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux     kernel through 5.3.11 allow attackers to cause a denial     of service (memory consumption), aka     CID-3f9361695113.(CVE-2019-19063)

  - A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf()     function in drivers/net/wireless/marvell/mwifiex/pcie.c     in the Linux kernel through 5.3.11 allows attackers to     cause a denial of service (memory consumption) by     triggering mwifiex_map_pci_memory() failures, aka     CID-db8fd2cde932.(CVE-2019-19056)

  - Two memory leaks in the mwifiex_pcie_init_evt_ring()     function in drivers/net/wireless/marvell/mwifiex/pcie.c     in the Linux kernel through 5.3.11 allow attackers to     cause a denial of service (memory consumption) by     triggering mwifiex_map_pci_memory() failures, aka     CID-d10dcb615c8e.(CVE-2019-19057)

  - An issue was discovered in the Linux kernel through     5.2.9. There is a NULL pointer dereference caused by a     malicious USB device in the flexcop_usb_probe function     in the drivers/media/usb/b2c2/flexcop-usb.c     driver.(CVE-2019-15291)

  - A use-after-free in binder.c allows an elevation of     privilege from an application to the Linux Kernel. No     user interaction is required to exploit this     vulnerability, however exploitation does require either     the installation of a malicious local application or a     separate vulnerability in a network facing     application.Product: AndroidAndroid ID:
    A-141720095(CVE-2019-2215)

  - In task_get_unused_fd_flags of binder.c, there is a     possible memory corruption due to a use after free.
    This could lead to local escalation of privilege with     no additional execution privileges needed. User     interaction is not needed for exploitation. Product:
    Android Versions: Android kernel Android ID: A-69164715     References: Upstream kernel.(CVE-2018-9465)

  - In the Android kernel in Pixel C USB monitor driver     there is a possible OOB write due to a missing bounds     check. This could lead to local escalation of privilege     with System execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2019-9456)

  - fs/btrfs/volumes.c in the Linux kernel before 5.1     allows a btrfs_verify_dev_extents NULL pointer     dereference via a crafted btrfs image because     fs_devices->devices is mishandled within find_device,     aka CID-09ba3bc9dd15.(CVE-2019-18885)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-4186-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command Streamer check) was incomplete on 64-bit Intel x86 systems.
This update addresses the issue.

We apologize for the inconvenience.

Original advisory details :

Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in microarchitectural buffers to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11135)

It was discovered that the Intel i915 graphics chipsets allowed userspace to modify page table entries via writes to MMIO from the Blitter Command Streamer and expose kernel memory information. A local attacker could use this to expose sensitive information or possibly elevate privileges.
(CVE-2019-0155)

Deepak Gupta discovered that on certain Intel processors, the Linux kernel did not properly perform invalidation on page table updates by virtual guest operating systems. A local attacker in a guest VM could use this to cause a denial of service (host system crash). (CVE-2018-12207)

It was discovered that the Intel i915 graphics chipsets could cause a system hang when userspace performed a read from GT memory mapped input output (MMIO) when the product is in certain low power states. A local attacker could use this to cause a denial of service. (CVE-2019-0154)

Hui Peng discovered that the Atheros AR6004 USB Wi-Fi device driver for the Linux kernel did not properly validate endpoint descriptors returned by the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15098)

It was discovered that a buffer overflow existed in the 802.11 Wi-Fi configuration interface for the Linux kernel when handling beacon settings. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-16746)

Ori Nimron discovered that the AX25 network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17052)

Ori Nimron discovered that the IEEE 802.15.4 Low-Rate Wireless network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket.
(CVE-2019-17053)

Ori Nimron discovered that the Appletalk network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17054)

Ori Nimron discovered that the modular ISDN network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17055)

Ori Nimron discovered that the Near field Communication (NFC) network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket.
(CVE-2019-17056)

Nico Waisman discovered that a buffer overflow existed in the Realtek Wi-Fi driver for the Linux kernel when handling Notice of Absence frames. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-17666)

Maddie Stone discovered that the Binder IPC Driver implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-2215).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in microarchitectural buffers to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11135)

It was discovered that the Intel i915 graphics chipsets allowed userspace to modify page table entries via writes to MMIO from the Blitter Command Streamer and expose kernel memory information. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2019-0155)

Deepak Gupta discovered that on certain Intel processors, the Linux kernel did not properly perform invalidation on page table updates by virtual guest operating systems. A local attacker in a guest VM could use this to cause a denial of service (host system crash).
(CVE-2018-12207)

It was discovered that the Intel i915 graphics chipsets could cause a system hang when userspace performed a read from GT memory mapped input output (MMIO) when the product is in certain low power states. A local attacker could use this to cause a denial of service.
(CVE-2019-0154)

Hui Peng discovered that the Atheros AR6004 USB Wi-Fi device driver for the Linux kernel did not properly validate endpoint descriptors returned by the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15098)

It was discovered that a buffer overflow existed in the 802.11 Wi-Fi configuration interface for the Linux kernel when handling beacon settings. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-16746)

Ori Nimron discovered that the AX25 network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17052)

Ori Nimron discovered that the IEEE 802.15.4 Low-Rate Wireless network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17053)

Ori Nimron discovered that the Appletalk network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17054)

Ori Nimron discovered that the modular ISDN network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17055)

Ori Nimron discovered that the Near field Communication (NFC) network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17056)

Nico Waisman discovered that a buffer overflow existed in the Realtek Wi-Fi driver for the Linux kernel when handling Notice of Absence frames. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2019-17666)

Maddie Stone discovered that the Binder IPC Driver implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-2215).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New kernel packages are available for Slackware 14.2 to fix security issues.

ID	Name	Product	Family	Severity
137516	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2020-1674)	Nessus	Huawei Local Security Checks	critical
135525	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2020-1396)	Nessus	Huawei Local Security Checks	critical
134240	Debian DLA-2114-1 : linux-4.9 security update	Nessus	Debian Local Security Checks	critical
133101	Debian DLA-2068-1 : linux security update	Nessus	Debian Local Security Checks	critical
132360	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693)	Nessus	Huawei Local Security Checks	high
131014	Ubuntu 16.04 LTS : linux vulnerability (USN-4186-3)	Nessus	Ubuntu Local Security Checks	high
130966	Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm vulnerabilities (USN-4186-1)	Nessus	Ubuntu Local Security Checks	high
130751	Slackware 14.2 : Slackware 14.2 kernel (SSA:2019-311-01)	Nessus	Slackware Local Security Checks	critical

CVE-2019-2215

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins