https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3874

https://security.netapp.com/advisory/ntap-20190411-0003/

USN-3979-1

USN-3980-1

USN-3980-2

USN-3981-1

USN-3981-2

USN-3982-1

USN-3982-2

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In the Linux kernel 5.0.21, mounting a crafted ext4     filesystem image, performing some operations, and     unmounting can lead to a use-after-free in     ext4_put_super in fs/ext4/super.c, related to     dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447)

  - This candidate has been reserved by an organization or     individual that will use it when announcing a new     security problem. When the candidate has been     publicized, the details for this candidate will be     provided.(CVE-2019-10220)

  - ** DISPUTED ** In kernel/compat.c in the Linux kernel     before 3.17, as used in Google Chrome OS and other     products, there is a possible out-of-bounds read.
    restart_syscall uses uninitialized data when restarting     compat_sys_nanosleep. NOTE: this is disputed because     the code path is unreachable.(CVE-2014-3180)

  - In the Linux kernel before 5.0.6, there is a NULL     pointer dereference in drop_sysctl_table() in     fs/proc/proc_sysctl.c, related to put_links, aka     CID-23da9588037e(CVE-2019-20054)

  - pointer dereference in     drivers/scsi/libsas/sas_discover.c because of     mishandling of port disconnection during discovery,     related to a PHY down race condition, aka     CID-f70267f379b5.(CVE-2019-19965)'

  - In the Linux kernel before 5.2.10, there is a race     condition bug that can be caused by a malicious USB     device in the USB character device driver layer, aka     CID-303911cfc5b9. This affects     drivers/usb/core/file.c.(CVE-2019-19537)

  - Linux Linux kernel version at least v4.8 onwards,     probably well before contains a Insufficient input     validation vulnerability in bnx2x network card driver     that can result in DoS: Network card firmware assertion     takes card off-line. This attack appear to be     exploitable via An attacker on a must pass a very     large, specially crafted packet to the bnx2x card. This     can be done from an untrusted guest     VM..(CVE-2018-1000026)

  - drivers/scsi/qla2xxx/qla_os.c in the Linux kernel     5.2.14 does not check the alloc_workqueue return value,     leading to a NULL pointer dereference.(CVE-2019-16233)

  - The SCTP socket buffer used by a userspace application     is not accounted by the cgroups subsystem. An attacker     can use this flaw to cause a denial of service attack.
    Kernel 3.10.x and 4.18.x branches are believed to be     vulnerable.(CVE-2019-3874)

  - fs/ext4/extents.c in the Linux kernel through 5.1.2     does not zero out the unused memory region in the     extent tree block, which might allow local users to     obtain sensitive information by reading uninitialized     data in the filesystem.(CVE-2019-11833)

  - A memory leak in the ql_alloc_large_buffers() function     in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux     kernel before 5.3.5 allows local users to cause a     denial of service (memory consumption) by triggering     pci_dma_mapping_error() failures, aka     CID-1acb8f2a7a9f.(CVE-2019-18806)

  - An issue was discovered in the Linux kernel before     5.0.11. fm10k_init_module in     drivers/net/ethernet/intel/fm10k/fm10k_main.c has a     NULL pointer dereference because there is no -ENOMEM     upon an alloc_workqueue failure.(CVE-2019-15924)

  - An issue was discovered in the Linux kernel before     5.0.1. There is a memory leak in     register_queue_kobjects() in net/core/net-sysfs.c,     which will cause denial of service.(CVE-2019-15916)

  - An issue was discovered in the Linux kernel before     5.0.14. There is a NULL pointer dereference caused by a     malicious USB device in the drivers/usb/misc/yurex.c     driver.(CVE-2019-15216)

  - An issue was discovered in the Linux kernel before     5.1.8. There is a double-free caused by a malicious USB     device in the drivers/usb/misc/rio500.c     driver.(CVE-2019-15212)

  - An issue was discovered in drivers/scsi/qedi/qedi_dbg.c     in the Linux kernel before 5.1.12. In the qedi_dbg_*     family of functions, there is an out-of-bounds     read.(CVE-2019-15090)

  - An issue was discovered in the Linux kernel before 5.0.
    The function __mdiobus_register() in     drivers/net/phy/mdio_bus.c calls put_device(), which     will trigger a fixed_mdio_bus_init use-after-free. This     will cause a denial of service.(CVE-2019-12819)

  - ** DISPUTED ** An issue was discovered in the     MPT3COMMAND case in _ctl_ioctl_main in     drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux kernel     through 5.1.5. It allows local users to cause a denial     of service or possibly have unspecified other impact by     changing the value of ioc_number between two kernel     reads of that value, aka a 'double fetch'     vulnerability. NOTE: a third party reports that this is     unexploitable because the doubly fetched value is not     used.(CVE-2019-12456)

  - An issue was discovered in drm_load_edid_firmware in     drivers/gpu/drm/drm_edid_load.c in the Linux kernel     through 5.1.5. There is an unchecked kstrdup of fwstr,     which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash).
    NOTE: The vendor disputes this issues as not being a     vulnerability because kstrdup() returning NULL is     handled sufficiently and there is no chance for a NULL     pointer dereference.(CVE-2019-12382)

  - In the Linux Kernel before version 4.15.8, 4.14.25,     4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the     '_sctp_make_chunk()' function     (net/sctp/sm_make_chunk.c) when handling SCTP packets     length can be exploited to cause a kernel     crash.(CVE-2018-5803)

  - An issue was discovered in the Linux kernel before     4.14.11. A double free may be caused by the function     allocate_trace_buffer in the file     kernel/trace/trace.c.(CVE-2017-18595)

  - An issue was discovered in drivers/i2c/i2c-core-smbus.c     in the Linux kernel before 4.14.15. There is an out of     bounds write in the function     i2c_smbus_xfer_emulated.(CVE-2017-18551)

  - An issue was discovered in     drivers/scsi/aacraid/commctrl.c in the Linux kernel     before 4.13. There is potential exposure of kernel     stack memory because aac_get_hba_info does not     initialize the hbainfo structure.(CVE-2017-18550)

  - An issue was discovered in     drivers/scsi/aacraid/commctrl.c in the Linux kernel     before 4.13. There is potential exposure of kernel     stack memory because aac_send_raw_srb does not     initialize the reply structure.(CVE-2017-18549)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected by multiple vulnerabilities:

  - The bnep_sock_ioctl function in     net/bluetooth/bnep/sock.c in the Linux kernel before     2.6.39 does not ensure that a certain device field ends     with a '\0' character, which allows local users to     obtain potentially sensitive information from kernel     stack memory, or cause a denial of service (BUG and     system crash), via a BNEPCONNADD command.
    (CVE-2011-1079)

  - An issue was discovered in fs/gfs2/rgrp.c in the Linux     kernel before 4.8. A use-after-free is caused by the     functions gfs2_clear_rgrpd and read_rindex_entry.
    (CVE-2016-10905)

  - An issue was discovered in     drivers/scsi/aacraid/commctrl.c in the Linux kernel     before 4.13. There is potential exposure of kernel stack     memory because aac_get_hba_info does not initialize the     hbainfo structure. (CVE-2017-18550)

  - An issue was discovered in the Linux kernel before     4.14.11. A double free may be caused by the function     allocate_trace_buffer in the file kernel/trace/trace.c.
    (CVE-2017-18595)

  - Improper invalidation for page table updates by a     virtual guest operating system for multiple Intel(R)     Processors may allow an authenticated user to     potentially enable denial of service of the host system     via local access. (CVE-2018-12207)

  - An issue was discovered in the Linux kernel before 4.20.
    There is a race condition in smp_task_timedout() and     smp_task_done() in drivers/scsi/libsas/sas_expander.c,     leading to a use-after-free. (CVE-2018-20836)

  - An issue was discovered in the Linux kernel before     4.18.7. In create_qp_common in     drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp     was never initialized, resulting in a leak of stack     memory to userspace. (CVE-2018-20855)

  - An issue was discovered in fs/xfs/xfs_super.c in the     Linux kernel before 4.18. A use after free exists,     related to xfs_fs_fill_super failure. (CVE-2018-20976)

  - In the tun subsystem in the Linux kernel before 4.13.14,     dev_get_valid_name is not called before     register_netdevice. This allows local users to cause a     denial of service (NULL pointer dereference and panic)     via an ioctl(TUNSETIFF) call with a dev name containing     a / character. This is similar to CVE-2013-4343.
    (CVE-2018-7191)

  - Insufficient access control in subsystem for Intel (R)     processor graphics in 6th, 7th, 8th and 9th Generation     Intel(R) Core(TM) Processor Families; Intel(R)     Pentium(R) Processor J, N, Silver and Gold Series;
    Intel(R) Celeron(R) Processor J, N, G3900 and G4900     Series; Intel(R) Atom(R) Processor A and E3900 Series;
    Intel(R) Xeon(R) Processor E3-1500 v5 and v6 and E-2100     Processor Families may allow an authenticated user to     potentially enable denial of service via local access.
    (CVE-2019-0154)

  - Insufficient access control in a subsystem for Intel (R)     processor graphics in 6th, 7th, 8th and 9th Generation     Intel(R) Core(TM) Processor Families; Intel(R)     Pentium(R) Processor J, N, Silver and Gold Series;
    Intel(R) Celeron(R) Processor J, N, G3900 and G4900     Series; Intel(R) Atom(R) Processor A and E3900 Series;
    Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and     E-2200 Processor Families; Intel(R) Graphics Driver for     Windows before 26.20.100.6813 (DCH) or 26.20.100.6812     and before 21.20.x.5077 (aka15.45.5077), i915 Linux     Driver for Intel(R) Processor Graphics before versions     5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201 may     allow an authenticated user to potentially enable     escalation of privilege via local access.
    (CVE-2019-0155)

  - TSX Asynchronous Abort condition on some CPUs utilizing     speculative execution may allow an authenticated user to     potentially enable information disclosure via a side     channel with local access. (CVE-2019-11135)

  - The Linux kernel before 5.1-rc5 allows page->_refcount     reference count overflow, with resultant use-after-free     issues, if about 140 GiB of RAM exists. This is related     to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h,     kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - The do_hidp_sock_ioctl function in     net/bluetooth/hidp/sock.c in the Linux kernel before     5.0.15 allows a local user to obtain potentially     sensitive information from kernel stack memory via a     HIDPCONNADD command, because a name field may not end     with a '\0' character. (CVE-2019-11884)

  - ** DISPUTED ** An issue was discovered in     drm_load_edid_firmware in     drivers/gpu/drm/drm_edid_load.c in the Linux kernel     through 5.1.5. There is an unchecked kstrdup of fwstr,     which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash).
    NOTE: The vendor disputes this issues as not being a     vulnerability because kstrdup() returning NULL is     handled sufficiently and there is no chance for a NULL     pointer dereference. (CVE-2019-12382)

  - An issue was discovered in the Linux kernel before     5.2.3. There is a use-after-free caused by a malicious     USB device in the drivers/media/usb/dvb-usb/dvb-usb-     init.c driver. (CVE-2019-15213)

  - An issue was discovered in xfs_setattr_nonsize in     fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS     partially wedges when a chgrp fails on account of being     out of disk quota. xfs_setattr_nonsize is failing to     unlock the ILOCK after the xfs_qm_vop_chown_reserve call     fails. This is primarily a local DoS attack vector, but     it might result as well in remote DoS if the XFS     filesystem is exported for instance via NFS.
    (CVE-2019-15538)

  - In the Linux kernel before 5.1.13, there is a memory     leak in drivers/scsi/libsas/sas_expander.c when SAS     expander discovery fails. This will cause a BUG and     denial of service. (CVE-2019-15807)

  - An issue was discovered in the Linux kernel before     5.0.1. There is a memory leak in     register_queue_kobjects() in net/core/net-sysfs.c, which     will cause denial of service. (CVE-2019-15916)

  - An issue was discovered in the Linux kernel before     5.0.4. The 9p filesystem did not protect i_size_write()     properly, which causes an i_size_read() infinite loop     and denial of service on SMP systems. (CVE-2019-16413)

  - An issue was discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance. (CVE-2019-17075)

  - The SCTP socket buffer used by a userspace application     is not accounted by the cgroups subsystem. An attacker     can use this flaw to cause a denial of service attack.
    Kernel 3.10.x and 4.18.x branches are believed to be     vulnerable. (CVE-2019-3874)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities:

  - The bnep_sock_ioctl function in     net/bluetooth/bnep/sock.c in the Linux kernel before     2.6.39 does not ensure that a certain device field ends     with a '\0' character, which allows local users to     obtain potentially sensitive information from kernel     stack memory, or cause a denial of service (BUG and     system crash), via a BNEPCONNADD command.
    (CVE-2011-1079)

  - An issue was discovered in fs/gfs2/rgrp.c in the Linux     kernel before 4.8. A use-after-free is caused by the     functions gfs2_clear_rgrpd and read_rindex_entry.
    (CVE-2016-10905)

  - An issue was discovered in     drivers/scsi/aacraid/commctrl.c in the Linux kernel     before 4.13. There is potential exposure of kernel stack     memory because aac_get_hba_info does not initialize the     hbainfo structure. (CVE-2017-18550)

  - An issue was discovered in the Linux kernel before     4.14.11. A double free may be caused by the function     allocate_trace_buffer in the file kernel/trace/trace.c.
    (CVE-2017-18595)

  - Improper invalidation for page table updates by a     virtual guest operating system for multiple Intel(R)     Processors may allow an authenticated user to     potentially enable denial of service of the host system     via local access. (CVE-2018-12207)

  - An issue was discovered in the Linux kernel before 4.20.
    There is a race condition in smp_task_timedout() and     smp_task_done() in drivers/scsi/libsas/sas_expander.c,     leading to a use-after-free. (CVE-2018-20836)

  - An issue was discovered in the Linux kernel before     4.18.7. In create_qp_common in     drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp     was never initialized, resulting in a leak of stack     memory to userspace. (CVE-2018-20855)

  - An issue was discovered in fs/xfs/xfs_super.c in the     Linux kernel before 4.18. A use after free exists,     related to xfs_fs_fill_super failure. (CVE-2018-20976)

  - In the tun subsystem in the Linux kernel before 4.13.14,     dev_get_valid_name is not called before     register_netdevice. This allows local users to cause a     denial of service (NULL pointer dereference and panic)     via an ioctl(TUNSETIFF) call with a dev name containing     a / character. This is similar to CVE-2013-4343.
    (CVE-2018-7191)

  - Insufficient access control in subsystem for Intel (R)     processor graphics in 6th, 7th, 8th and 9th Generation     Intel(R) Core(TM) Processor Families; Intel(R)     Pentium(R) Processor J, N, Silver and Gold Series;
    Intel(R) Celeron(R) Processor J, N, G3900 and G4900     Series; Intel(R) Atom(R) Processor A and E3900 Series;
    Intel(R) Xeon(R) Processor E3-1500 v5 and v6 and E-2100     Processor Families may allow an authenticated user to     potentially enable denial of service via local access.
    (CVE-2019-0154)

  - Insufficient access control in a subsystem for Intel (R)     processor graphics in 6th, 7th, 8th and 9th Generation     Intel(R) Core(TM) Processor Families; Intel(R)     Pentium(R) Processor J, N, Silver and Gold Series;
    Intel(R) Celeron(R) Processor J, N, G3900 and G4900     Series; Intel(R) Atom(R) Processor A and E3900 Series;
    Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and     E-2200 Processor Families; Intel(R) Graphics Driver for     Windows before 26.20.100.6813 (DCH) or 26.20.100.6812     and before 21.20.x.5077 (aka15.45.5077), i915 Linux     Driver for Intel(R) Processor Graphics before versions     5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201 may     allow an authenticated user to potentially enable     escalation of privilege via local access.
    (CVE-2019-0155)

  - TSX Asynchronous Abort condition on some CPUs utilizing     speculative execution may allow an authenticated user to     potentially enable information disclosure via a side     channel with local access. (CVE-2019-11135)

  - The Linux kernel before 5.1-rc5 allows page->_refcount     reference count overflow, with resultant use-after-free     issues, if about 140 GiB of RAM exists. This is related     to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h,     kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - The do_hidp_sock_ioctl function in     net/bluetooth/hidp/sock.c in the Linux kernel before     5.0.15 allows a local user to obtain potentially     sensitive information from kernel stack memory via a     HIDPCONNADD command, because a name field may not end     with a '\0' character. (CVE-2019-11884)

  - ** DISPUTED ** An issue was discovered in     drm_load_edid_firmware in     drivers/gpu/drm/drm_edid_load.c in the Linux kernel     through 5.1.5. There is an unchecked kstrdup of fwstr,     which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash).
    NOTE: The vendor disputes this issues as not being a     vulnerability because kstrdup() returning NULL is     handled sufficiently and there is no chance for a NULL     pointer dereference. (CVE-2019-12382)

  - An issue was discovered in the Linux kernel before     5.2.3. There is a use-after-free caused by a malicious     USB device in the drivers/media/usb/dvb-usb/dvb-usb-     init.c driver. (CVE-2019-15213)

  - An issue was discovered in xfs_setattr_nonsize in     fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS     partially wedges when a chgrp fails on account of being     out of disk quota. xfs_setattr_nonsize is failing to     unlock the ILOCK after the xfs_qm_vop_chown_reserve call     fails. This is primarily a local DoS attack vector, but     it might result as well in remote DoS if the XFS     filesystem is exported for instance via NFS.
    (CVE-2019-15538)

  - In the Linux kernel before 5.1.13, there is a memory     leak in drivers/scsi/libsas/sas_expander.c when SAS     expander discovery fails. This will cause a BUG and     denial of service. (CVE-2019-15807)

  - An issue was discovered in the Linux kernel before     5.0.1. There is a memory leak in     register_queue_kobjects() in net/core/net-sysfs.c, which     will cause denial of service. (CVE-2019-15916)

  - An issue was discovered in the Linux kernel before     5.0.4. The 9p filesystem did not protect i_size_write()     properly, which causes an i_size_read() infinite loop     and denial of service on SMP systems. (CVE-2019-16413)

  - An issue was discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance. (CVE-2019-17075)

  - The SCTP socket buffer used by a userspace application     is not accounted by the cgroups subsystem. An attacker     can use this flaw to cause a denial of service attack.
    Kernel 3.10.x and 4.18.x branches are believed to be     vulnerable. (CVE-2019-3874)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for kernel is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* kernel: nfs: use-after-free in svc_process_common() (CVE-2018-16884)

* Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900)

* Kernel: page cache side channel attacks (CVE-2019-5489)

* hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506)

* kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in drivers/net /wireless/marvell/mwifiex/ie.c (CVE-2019-10126)

* Kernel: KVM: OOB memory access via mmio ring buffer (CVE-2019-14821)

* kernel: Information Disclosure in crypto_report_one in crypto/crypto_user.c (CVE-2018-19854)

* kernel: usb: missing size check in the __usb_get_extra_descriptor() leading to DoS (CVE-2018-20169)

* kernel: Heap address information leak while using L2CAP_GET_CONF_OPT (CVE-2019-3459)

* kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP (CVE-2019-3460)

* kernel: SCTP socket buffer memory leak leading to denial of service (CVE-2019-3874)

* kernel: denial of service vector through vfio DMA mappings (CVE-2019-3882)

* kernel: NULL pointer dereference in hci_uart_set_flow_control (CVE-2019-10207)

* kernel: fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599)

* kernel: fs/ext4/extents.c leads to information disclosure (CVE-2019-11833)

* kernel: sensitive information disclosure from kernel stack memory via HIDPCONNADD command (CVE-2019-11884)

* kernel: use-after-free in arch/x86/lib/insn-eval.c (CVE-2019-13233)

* kernel: memory leak in register_queue_kobjects() in net/core/net-sysfs.c leads to denial of service (CVE-2019-15916)

* kernel: Linux stack ASLR implementation Integer overflow (CVE-2015-1593)

* kernel: oob memory read in hso_probe in drivers/net/usb/hso.c (CVE-2018-19985)

* Kernel: KVM: leak of uninitialized stack contents to guest (CVE-2019-7222)

* Kernel: net: weak IP ID generation leads to remote device tracking (CVE-2019-10638)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* kernel: nfs: use-after-free in svc_process_common() (CVE-2018-16884)

* Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900)

* Kernel: page cache side channel attacks (CVE-2019-5489)

* hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506)

* kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in drivers/net /wireless/marvell/mwifiex/ie.c (CVE-2019-10126)

* Kernel: KVM: OOB memory access via mmio ring buffer (CVE-2019-14821)

* kernel: Information Disclosure in crypto_report_one in crypto/crypto_user.c (CVE-2018-19854)

* kernel: usb: missing size check in the __usb_get_extra_descriptor() leading to DoS (CVE-2018-20169)

* kernel: Heap address information leak while using L2CAP_GET_CONF_OPT (CVE-2019-3459)

* kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP (CVE-2019-3460)

* kernel: SCTP socket buffer memory leak leading to denial of service (CVE-2019-3874)

* kernel: denial of service vector through vfio DMA mappings (CVE-2019-3882)

* kernel: NULL pointer dereference in hci_uart_set_flow_control (CVE-2019-10207)

* kernel: fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599)

* kernel: fs/ext4/extents.c leads to information disclosure (CVE-2019-11833)

* kernel: sensitive information disclosure from kernel stack memory via HIDPCONNADD command (CVE-2019-11884)

* kernel: use-after-free in arch/x86/lib/insn-eval.c (CVE-2019-13233)

* kernel: memory leak in register_queue_kobjects() in net/core/net-sysfs.c leads to denial of service (CVE-2019-15916)

* kernel: oob memory read in hso_probe in drivers/net/usb/hso.c (CVE-2018-19985)

* Kernel: KVM: leak of uninitialized stack contents to guest (CVE-2019-7222)

* Kernel: net: weak IP ID generation leads to remote device tracking (CVE-2019-10638)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in the Linux kernel before     4.18.7. In block/blk-core.c, there is an
    __blk_drain_queue() use-after-free because a certain     error case is mishandled.(CVE-2018-20856)

  - In the Linux kernel before 5.1.7, a device can be     tracked by an attacker using the IP ID values the     kernel produces for connection-less protocols (e.g.,     UDP and ICMP). When such traffic is sent to multiple     destination IP addresses, it is possible to obtain hash     collisions (of indices to the counter array) and     thereby obtain the hashing key (via enumeration). An     attack may be conducted by hosting a crafted web page     that uses WebRTC or gQUIC to force UDP traffic to     attacker-controlled IP addresses.(CVE-2019-10638)

  - The Linux kernel 4.x (starting from 4.1) and 5.x before     5.0.8 allows Information Exposure (partial kernel     address disclosure), leading to a KASLR bypass.
    Specifically, it is possible to extract the KASLR     kernel image offset using the IP ID values the kernel     produces for connection-less protocols (e.g., UDP and     ICMP). When such traffic is sent to multiple     destination IP addresses, it is possible to obtain hash     collisions (of indices to the counter array) and     thereby obtain the hashing key (via enumeration). This     key contains enough bits from a kernel address (of a     static variable) so when the key is extracted (via     enumeration), the offset of the kernel image is     exposed. This attack can be carried out remotely, by     the attacker forcing the target device to send UDP or     ICMP (or certain other) traffic to attacker-controlled     IP addresses. Forcing a server to send UDP traffic is     trivial if the server is a DNS server. ICMP traffic is     trivial if the server answers ICMP Echo requests     (ping). For client targets, if the target visits the     attacker's web page, then WebRTC or gQUIC can be used     to force UDP traffic to attacker-controlled IP     addresses.(CVE-2019-10639)

  - The Linux kernel was found vulnerable to an integer     overflow in the     drivers/video/fbdev/uvesafb.c:uvesafb_setcmap()     function. The vulnerability could result in local     attackers being able to crash the kernel or potentially     elevate privileges.(CVE-2018-13406)

  - The SCTP socket buffer used by a userspace application     is not accounted by the cgroups subsystem. An attacker     can use this flaw to cause a denial of service     attack.(CVE-2019-3874)

  - The Linux kernel before 5.1-rc5 allows     page-i1/4z_refcount reference count overflow, with     resultant use-after-free issues, if about 140 GiB of     RAM exists. This is related to fs/fuse/dev.c,     fs/pipe.c, fs/splice.c, include/linux/mm.h,     include/linux/pipe_fs_i.h, kernel/trace/trace.c,     mm/gup.c, and mm/hugetlb.c. It can occur with FUSE     requests.(CVE-2019-11487)

  - A flaw was found in the Linux kernel's implementation     of ext4 extent management. The kernel doesn't correctly     initialize memory regions in the extent tree block     which may be exported to a local user to obtain     sensitive information by reading empty/uninitialized     data from the filesystem.(CVE-2019-11833)

  - A flaw was found in the Linux kernel's implementation     of the Bluetooth Human Interface Device Protocol     (HIDP). A local attacker with access permissions to the     Bluetooth device can issue an IOCTL which will trigger     the do_hidp_sock_ioctl function in     net/bluetooth/hidp/sock.c.c. This function can leak     potentially sensitive information from the kernel stack     memory via a HIDPCONNADD command because a name field     may not be correctly NULL terminated.(CVE-2019-11884)

  - The Linux kernel is vulnerable to an out-of-bounds read     in ext4/balloc.c:ext4_valid_block_bitmap() function. An     attacker could trick a legitimate user or a privileged     attacker could exploit this by mounting a crafted ext4     image to cause a crash.(CVE-2018-1093)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernel's NFS41+     subsystem. NFS41+ shares mounted in different network     namespaces at the same time can make bc_svc_process()     use wrong back-channel IDs and cause a use-after-free     vulnerability. Thus a malicious container user can     cause a host kernel memory corruption and a system     panic. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out.(CVE-2018-16884)

  - An elevation of privilege vulnerability in the kernel     scsi driver. Product: Android. Versions: Android     kernel. Android ID A-65023233.(CVE-2017-13168)

  - A flaw in the load_elf_binary() function in the Linux     kernel allows a local attacker to leak the base address     of .text and stack sections for setuid binaries and     bypass ASLR because install_exec_creds() is called too     late in this function.(CVE-2019-11190)

  - The SCTP socket buffer used by a userspace application     is not accounted by the cgroups subsystem. An attacker     can use this flaw to cause a denial of service     attack.(CVE-2019-3874)

  - A flaw was found in the Linux kernel ext4 filesystem.
    An out-of-bound access is possible in the     ext4_ext_drop_refs() function when operating on a     crafted ext4 filesystem image.(CVE-2018-10877)

  - Non-optimized code for key handling of shared futexes     was found in the Linux kernel in the form of unbounded     contention time due to the page lock for real-time     users. Before the fix, the page lock was an     unnecessarily heavy lock for the futex path that     protected too much. After the fix, the page lock is     only required in a specific corner case.(CVE-2018-9422)

  - A flaw was found in the Linux kernel in the     hid_debug_events_read() function in the     drivers/hid/hid-debug.c file. A lack of the certain     checks may allow a privileged user ('root') to achieve     an out-of-bounds write and thus receiving user space     buffer corruption.(CVE-2018-9516i1/4%0

  - A vulnerability was found in polkit. When     authentication is performed by a non-root user to     perform an administrative task, the authentication is     temporarily cached in such a way that a local attacker     could impersonate the authorized process, thus gaining     access to elevated privileges.(CVE-2019-6133)

  - A flaw was found in the implementation of the 'fill     buffer', a mechanism used by modern CPUs when a     cache-miss is made on L1 CPU cache. If an attacker can     generate a load operation that would create a page     fault, the execution will continue speculatively with     incorrect data from the fill buffer while the data is     fetched from higher level caches. This response time     can be measured to infer data in the fill buffer.
    (CVE-2018-12130)

  - Modern Intel microprocessors implement hardware-level     micro-optimizations to improve the performance of     writing data back to CPU caches. The write operation is     split into STA (STore Address) and STD (STore Data)     sub-operations. These sub-operations allow the     processor to hand-off address generation logic into     these sub-operations for optimized writes. Both of     these sub-operations write to a shared distributed     processor structure called the 'processor store     buffer'. As a result, an unprivileged attacker could     use this flaw to read private data resident within the     CPU's processor store buffer. (CVE-2018-12126)

  - Microprocessors use a aEUR~load portaEURtm subcomponent to     perform load operations from memory or IO. During a     load operation, the load port receives data from the     memory or IO subsystem and then provides the data to     the CPU registers and operations in the CPUaEURtms     pipelines. Stale load operations results are stored in     the 'load port' table until overwritten by newer     operations. Certain load-port operations triggered by     an attacker can be used to reveal data about previous     stale requests leaking data back to the attacker via a     timing side-channel. (CVE-2018-12127)

  - Uncacheable memory on some microprocessors utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access. (CVE-2019-11091)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3982-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 for Ubuntu 14.04 LTS.

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Moritz Lipp, Michael Schwarz, and Daniel Gruss discovered that memory previously stored in microarchitectural fill buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information.
(CVE-2018-12130)

Brandon Falk, Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that memory previously stored in microarchitectural load ports of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12127)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Marina Minkin, Daniel Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel Gruss, Berk Sunar, Frank Piessens, and Yuval Yarom discovered that memory previously stored in microarchitectural store buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12126)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Volodrmyr Pikhur, Moritz Lipp, Michael Schwarz, Daniel Gruss, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that uncacheable memory previously stored in microarchitectural buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11091)

Matteo Croce, Natale Vinto, and Andrea Spagnolo discovered that the cgroups subsystem of the Linux kernel did not properly account for SCTP socket buffers. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-3874)

Alex Williamson discovered that the vfio subsystem of the Linux kernel did not properly limit DMA mappings. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-3882).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Moritz Lipp, Michael Schwarz, and Daniel Gruss discovered that memory previously stored in microarchitectural fill buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information.
(CVE-2018-12130)

Brandon Falk, Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that memory previously stored in microarchitectural load ports of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12127)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Marina Minkin, Daniel Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel Gruss, Berk Sunar, Frank Piessens, and Yuval Yarom discovered that memory previously stored in microarchitectural store buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12126)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Volodrmyr Pikhur, Moritz Lipp, Michael Schwarz, Daniel Gruss, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that uncacheable memory previously stored in microarchitectural buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11091)

Matteo Croce, Natale Vinto, and Andrea Spagnolo discovered that the cgroups subsystem of the Linux kernel did not properly account for SCTP socket buffers. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-3874)

Alex Williamson discovered that the vfio subsystem of the Linux kernel did not properly limit DMA mappings. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-3882).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3981-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS and for the Linux Azure kernel for Ubuntu 14.04 LTS.

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Moritz Lipp, Michael Schwarz, and Daniel Gruss discovered that memory previously stored in microarchitectural fill buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information.
(CVE-2018-12130)

Brandon Falk, Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that memory previously stored in microarchitectural load ports of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12127)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Marina Minkin, Daniel Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel Gruss, Berk Sunar, Frank Piessens, and Yuval Yarom discovered that memory previously stored in microarchitectural store buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12126)

Vasily Averin and Evgenii Shatokhin discovered that a use-after-free vulnerability existed in the NFS41+ subsystem when multiple network namespaces are in use. A local attacker in a container could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16884)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Volodrmyr Pikhur, Moritz Lipp, Michael Schwarz, Daniel Gruss, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that uncacheable memory previously stored in microarchitectural buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11091)

Matteo Croce, Natale Vinto, and Andrea Spagnolo discovered that the cgroups subsystem of the Linux kernel did not properly account for SCTP socket buffers. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-3874)

Alex Williamson discovered that the vfio subsystem of the Linux kernel did not properly limit DMA mappings. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-3882)

Hugues Anguelkov discovered that the Broadcom Wifi driver in the Linux kernel contained a heap buffer overflow. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-9500)

Hugues Anguelkov discovered that the Broadcom Wifi driver in the Linux kernel did not properly prevent remote firmware events from being processed for USB Wifi devices. A physically proximate attacker could use this to send firmware events to the device. (CVE-2019-9503).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Moritz Lipp, Michael Schwarz, and Daniel Gruss discovered that memory previously stored in microarchitectural fill buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information.
(CVE-2018-12130)

Brandon Falk, Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that memory previously stored in microarchitectural load ports of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12127)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Marina Minkin, Daniel Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel Gruss, Berk Sunar, Frank Piessens, and Yuval Yarom discovered that memory previously stored in microarchitectural store buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12126)

Vasily Averin and Evgenii Shatokhin discovered that a use-after-free vulnerability existed in the NFS41+ subsystem when multiple network namespaces are in use. A local attacker in a container could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16884)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Volodrmyr Pikhur, Moritz Lipp, Michael Schwarz, Daniel Gruss, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that uncacheable memory previously stored in microarchitectural buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11091)

Matteo Croce, Natale Vinto, and Andrea Spagnolo discovered that the cgroups subsystem of the Linux kernel did not properly account for SCTP socket buffers. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-3874)

Alex Williamson discovered that the vfio subsystem of the Linux kernel did not properly limit DMA mappings. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-3882)

Hugues Anguelkov discovered that the Broadcom Wifi driver in the Linux kernel contained a heap buffer overflow. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-9500)

Hugues Anguelkov discovered that the Broadcom Wifi driver in the Linux kernel did not properly prevent remote firmware events from being processed for USB Wifi devices. A physically proximate attacker could use this to send firmware events to the device. (CVE-2019-9503).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3980-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.10.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.10 for Ubuntu 18.04 LTS.

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Moritz Lipp, Michael Schwarz, and Daniel Gruss discovered that memory previously stored in microarchitectural fill buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information.
(CVE-2018-12130)

Brandon Falk, Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that memory previously stored in microarchitectural load ports of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12127)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Marina Minkin, Daniel Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel Gruss, Berk Sunar, Frank Piessens, and Yuval Yarom discovered that memory previously stored in microarchitectural store buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12126)

Vasily Averin and Evgenii Shatokhin discovered that a use-after-free vulnerability existed in the NFS41+ subsystem when multiple network namespaces are in use. A local attacker in a container could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16884)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Volodrmyr Pikhur, Moritz Lipp, Michael Schwarz, Daniel Gruss, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that uncacheable memory previously stored in microarchitectural buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11091)

Matteo Croce, Natale Vinto, and Andrea Spagnolo discovered that the cgroups subsystem of the Linux kernel did not properly account for SCTP socket buffers. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-3874)

Alex Williamson discovered that the vfio subsystem of the Linux kernel did not properly limit DMA mappings. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-3882)

Marc Orr discovered that the KVM hypervisor implementation in the Linux kernel did not properly restrict APIC MSR register values when nested virtualization is used. An attacker in a guest vm could use this to cause a denial of service (host OS crash). (CVE-2019-3887)

Hugues Anguelkov discovered that the Broadcom Wifi driver in the Linux kernel contained a heap buffer overflow. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-9500)

Hugues Anguelkov discovered that the Broadcom Wifi driver in the Linux kernel did not properly prevent remote firmware events from being processed for USB Wifi devices. A physically proximate attacker could use this to send firmware events to the device. (CVE-2019-9503).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Moritz Lipp, Michael Schwarz, and Daniel Gruss discovered that memory previously stored in microarchitectural fill buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information.
(CVE-2018-12130)

Brandon Falk, Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that memory previously stored in microarchitectural load ports of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12127)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Marina Minkin, Daniel Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel Gruss, Berk Sunar, Frank Piessens, and Yuval Yarom discovered that memory previously stored in microarchitectural store buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12126)

Vasily Averin and Evgenii Shatokhin discovered that a use-after-free vulnerability existed in the NFS41+ subsystem when multiple network namespaces are in use. A local attacker in a container could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16884)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Volodrmyr Pikhur, Moritz Lipp, Michael Schwarz, Daniel Gruss, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that uncacheable memory previously stored in microarchitectural buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11091)

Matteo Croce, Natale Vinto, and Andrea Spagnolo discovered that the cgroups subsystem of the Linux kernel did not properly account for SCTP socket buffers. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-3874)

Alex Williamson discovered that the vfio subsystem of the Linux kernel did not properly limit DMA mappings. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-3882)

Marc Orr discovered that the KVM hypervisor implementation in the Linux kernel did not properly restrict APIC MSR register values when nested virtualization is used. An attacker in a guest vm could use this to cause a denial of service (host OS crash). (CVE-2019-3887)

Hugues Anguelkov discovered that the Broadcom Wifi driver in the Linux kernel contained a head puffer overflow. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-9500)

Hugues Anguelkov discovered that the Broadcom Wifi driver in the Linux kernel did not properly prevent remote firmware events from being processed for USB Wifi devices. A physically proximate attacker could use this to send firmware events to the device. (CVE-2019-9503).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Moritz Lipp, Michael Schwarz, and Daniel Gruss discovered that memory previously stored in microarchitectural fill buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information.
(CVE-2018-12130)

Brandon Falk, Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that memory previously stored in microarchitectural load ports of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12127)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Marina Minkin, Daniel Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel Gruss, Berk Sunar, Frank Piessens, and Yuval Yarom discovered that memory previously stored in microarchitectural store buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12126)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Volodrmyr Pikhur, Moritz Lipp, Michael Schwarz, Daniel Gruss, Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that uncacheable memory previously stored in microarchitectural buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11091)

It was discovered that the IPv4 generic receive offload (GRO) for UDP implementation in the Linux kernel did not properly handle padded packets. A remote attacker could use this to cause a denial of service (system crash). (CVE-2019-11683)

It was discovered that a race condition existed in the Binder IPC driver for the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2019-1999)

Matteo Croce, Natale Vinto, and Andrea Spagnolo discovered that the cgroups subsystem of the Linux kernel did not properly account for SCTP socket buffers. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-3874)

Alex Williamson discovered that the vfio subsystem of the Linux kernel did not properly limit DMA mappings. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-3882)

Marc Orr discovered that the KVM hypervisor implementation in the Linux kernel did not properly restrict APIC MSR register values when nested virtualization is used. An attacker in a guest vm could use this to cause a denial of service (host OS crash). (CVE-2019-3887)

Hugues Anguelkov discovered that the Broadcom Wifi driver in the Linux kernel contained a head puffer overflow. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-9500)

Hugues Anguelkov discovered that the Broadcom Wifi driver in the Linux kernel did not properly prevent remote firmware events from being processed for USB Wifi devices. A physically proximate attacker could use this to send firmware events to the device. (CVE-2019-9503).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
135614	EulerOS Virtualization 3.0.2.2 : kernel (EulerOS-SA-2020-1452)	Nessus	Huawei Local Security Checks	high
132499	NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0266)	Nessus	NewStart CGSL Local Security Checks	high
132490	NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0264)	Nessus	NewStart CGSL Local Security Checks	high
130547	RHEL 8 : kernel (RHSA-2019:3517)	Nessus	Red Hat Local Security Checks	high
130526	RHEL 8 : kernel-rt (RHSA-2019:3309)	Nessus	Red Hat Local Security Checks	high
129261	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-2068)	Nessus	Huawei Local Security Checks	high
125513	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-1586)	Nessus	Huawei Local Security Checks	high
125144	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3982-2) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)	Nessus	Ubuntu Local Security Checks	medium
125143	Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3982-1) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)	Nessus	Ubuntu Local Security Checks	medium
125142	Ubuntu 16.04 LTS : linux-hwe, linux-azure, linux-gcp, linux-oracle vulnerabilities (USN-3981-2) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)	Nessus	Ubuntu Local Security Checks	high
125141	Ubuntu 18.04 LTS : linux, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-oracle, (USN-3981-1) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)	Nessus	Ubuntu Local Security Checks	high
125140	Ubuntu 18.04 LTS : linux-hwe, linux-azure vulnerabilities (USN-3980-2) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)	Nessus	Ubuntu Local Security Checks	high
125139	Ubuntu 18.10 : linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities (USN-3980-1) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)	Nessus	Ubuntu Local Security Checks	high
125138	Ubuntu 19.04 : linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities (USN-3979-1) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)	Nessus	Ubuntu Local Security Checks	critical

CVE-2019-3874

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins