89937

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3901

[debian-lts-announce] 20190528 [SECURITY] [DLA 1799-1] linux security update

[debian-lts-announce] 20190528 [SECURITY] [DLA 1799-2] linux security update

https://security.netapp.com/advisory/ntap-20190517-0005/

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2851 advisory.

  - kernel: usb: missing size check in the
    __usb_get_extra_descriptor() leading to DoS     (CVE-2018-20169)

  - kernel: denial of service via ioctl call in network tun     handling (CVE-2018-7191)

  - kernel: Count overflow in FUSE request leading to use-     after-free issues. (CVE-2019-11487)

  - kernel: use-after-free in arch/x86/lib/insn-eval.c     (CVE-2019-13233)

  - Kernel: KVM: OOB memory access via mmio ring buffer     (CVE-2019-14821)

  - kernel: memory leak in register_queue_kobjects() in     net/core/net-sysfs.c leads to denial of service     (CVE-2019-15916)

  - kernel: powerpc: incomplete Spectre-RSB mitigation leads     to information exposure (CVE-2019-18660)

  - kernel: perf_event_open() and execve() race in setuid     programs allows a data leak (CVE-2019-3901)

  - Kernel: vfio: access to disabled MMIO space of some     devices may lead to DoS scenario (CVE-2020-12888)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2522 advisory.

  - kernel: double free may be caused by the function     allocate_trace_buffer in the file kernel/trace/trace.c     (CVE-2017-18595)

  - kernel: usb: missing size check in the
    __usb_get_extra_descriptor() leading to DoS     (CVE-2018-20169)

  - kernel: denial of service via ioctl call in network tun     handling (CVE-2018-7191)

  - Kernel: net: using kernel space address bits to derive     IP ID may potentially break KASLR (CVE-2019-10639)

  - kernel: unchecked kstrdup of fwstr in     drm_load_edid_firmware leads to denial of service     (CVE-2019-12382)

  - kernel: use-after-free in arch/x86/lib/insn-eval.c     (CVE-2019-13233)

  - kernel: integer overflow and OOB read in     drivers/block/floppy.c (CVE-2019-14283)

  - kernel: memory leak in register_queue_kobjects() in     net/core/net-sysfs.c leads to denial of service     (CVE-2019-15916)

  - kernel: use-after-free in __blk_add_trace in     kernel/trace/blktrace.c (CVE-2019-19768)

  - kernel: perf_event_open() and execve() race in setuid     programs allows a data leak (CVE-2019-3901)

  - kernel: brcmfmac frame validation bypass (CVE-2019-9503)

  - Kernel: NetLabel: null pointer dereference while     receiving CIPSO packet with null category may cause     kernel panic (CVE-2020-10711)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

* kernel: out of bound read in DVB connexant driver. * kernel: Missing permissions check for request_key() destination allows local attackers to add keys to keyring without Write permission * kernel: denial of service via ioctl call in network tun handling * kernel: usb: missing size check in the __usb_get_extra_descriptor() * kernel:
perf_event_open() and execve() race in setuid programs allows a data leak * kernel: brcmfmac frame validation bypass * kernel: NULL pointer dereference in hci_uart_set_flow_control * kernel: sensitive information disclosure from kernel stack memory via HIDPCONNADD command * kernel: unchecked kstrdup of fwstr in drm_load_edid_firmware leads to denial of service * kernel: use-after-free in arch/x86/lib/insn-eval.c * kernel: denial of service in arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c via sigreturn() system call * kernel: integer overflow and OOB read in drivers/block/floppy.c * kernel: memory leak in register_queue_kobjects() in net/core/net-sysfs.c leads to denial of service * kernel: buffer-overflow hardening in WiFi beacon validation code. * kernel: (powerpc) incomplete Spectre-RSB mitigation leads to information exposure * kernel: oob memory read in hso_probe in drivers/net/usb/hso.c * Kernel: net: weak IP ID generation leads to remote device tracking * Kernel: net: using kernel space address bits to derive IP ID may potentially break KASLR * kernel: ASLR bypass for setuid binaries due to late install_exec_creds()

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1016 advisory.

  - kernel: out of bound read in DVB connexant driver.
    (CVE-2015-9289)

  - kernel: Missing permissions check for request_key()     destination allows local attackers to add keys to     keyring without Write permission (CVE-2017-17807)

  - kernel: oob memory read in hso_probe in     drivers/net/usb/hso.c (CVE-2018-19985)

  - kernel: usb: missing size check in the
    __usb_get_extra_descriptor() leading to DoS     (CVE-2018-20169)

  - kernel: denial of service via ioctl call in network tun     handling (CVE-2018-7191)

  - kernel: null-pointer dereference in     hci_uart_set_flow_control (CVE-2019-10207)

  - Kernel: net: weak IP ID generation leads to remote     device tracking (CVE-2019-10638)

  - Kernel: net: using kernel space address bits to derive     IP ID may potentially break KASLR (CVE-2019-10639)

  - kernel: ASLR bypass for setuid binaries due to late     install_exec_creds() (CVE-2019-11190)

  - kernel: sensitive information disclosure from kernel     stack memory via HIDPCONNADD command (CVE-2019-11884)

  - kernel: unchecked kstrdup of fwstr in     drm_load_edid_firmware leads to denial of service     (CVE-2019-12382)

  - kernel: use-after-free in arch/x86/lib/insn-eval.c     (CVE-2019-13233)

  - kernel: denial of service in     arch/powerpc/kernel/signal_32.c and     arch/powerpc/kernel/signal_64.c via sigreturn() system     call (CVE-2019-13648)

  - kernel: integer overflow and OOB read in     drivers/block/floppy.c (CVE-2019-14283)

  - kernel: memory leak in register_queue_kobjects() in     net/core/net-sysfs.c leads to denial of service     (CVE-2019-15916)

  - kernel: buffer-overflow hardening in WiFi beacon     validation code. (CVE-2019-16746)

  - kernel: (powerpc) incomplete Spectre-RSB mitigation     leads to information exposure (CVE-2019-18660)

  - kernel: perf_event_open() and execve() race in setuid     programs allows a data leak (CVE-2019-3901)

  - kernel: brcmfmac frame validation bypass (CVE-2019-9503)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1070 advisory.

  - kernel: out of bound read in DVB connexant driver.
    (CVE-2015-9289)

  - kernel: Missing permissions check for request_key()     destination allows local attackers to add keys to     keyring without Write permission (CVE-2017-17807)

  - kernel: oob memory read in hso_probe in     drivers/net/usb/hso.c (CVE-2018-19985)

  - kernel: usb: missing size check in the
    __usb_get_extra_descriptor() leading to DoS     (CVE-2018-20169)

  - kernel: denial of service via ioctl call in network tun     handling (CVE-2018-7191)

  - kernel: null-pointer dereference in     hci_uart_set_flow_control (CVE-2019-10207)

  - Kernel: net: weak IP ID generation leads to remote     device tracking (CVE-2019-10638)

  - Kernel: net: using kernel space address bits to derive     IP ID may potentially break KASLR (CVE-2019-10639)

  - kernel: ASLR bypass for setuid binaries due to late     install_exec_creds() (CVE-2019-11190)

  - kernel: sensitive information disclosure from kernel     stack memory via HIDPCONNADD command (CVE-2019-11884)

  - kernel: unchecked kstrdup of fwstr in     drm_load_edid_firmware leads to denial of service     (CVE-2019-12382)

  - kernel: use-after-free in arch/x86/lib/insn-eval.c     (CVE-2019-13233)

  - kernel: integer overflow and OOB read in     drivers/block/floppy.c (CVE-2019-14283)

  - kernel: memory leak in register_queue_kobjects() in     net/core/net-sysfs.c leads to denial of service     (CVE-2019-15916)

  - kernel: buffer-overflow hardening in WiFi beacon     validation code. (CVE-2019-16746)

  - kernel: perf_event_open() and execve() race in setuid     programs allows a data leak (CVE-2019-3901)

  - kernel: brcmfmac frame validation bypass (CVE-2019-9503)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An integer overflow flaw was found in the way the Linux     kernel's networking subsystem processed TCP Selective     Acknowledgment (SACK) segments. While processing SACK     segments, the Linux kernel's socket buffer (SKB) data     structure becomes fragmented. Each fragment is about     TCP maximum segment size (MSS) bytes. To efficiently     process SACK blocks, the Linux kernel merges multiple     fragmented SKBs into one, potentially overflowing the     variable holding the number of segments. A remote     attacker could use this flaw to crash the Linux kernel     by sending a crafted sequence of SACK segments on a TCP     connection with small value of TCP MSS, resulting in a     denial of service (DoS). (CVE-2019-11477)

  - Kernel: tcp: excessive resource consumption while     processing SACK blocks allows remote denial of service     (CVE-2019-11478)

  - Kernel: tcp: excessive resource consumption for TCP     connections with low MSS allows remote denial of     service (CVE-2019-11479)

  - In the tun subsystem in the Linux kernel before     4.13.14, dev_get_valid_name is not called before     register_netdevice. This allows local users to cause a     denial of service (NULL pointer dereference and panic)     via an ioctl(TUNSETIFF) call with a dev name containing     a / character. This is similar to     CVE-2013-4343.(CVE-2018-7191)

  - A flaw was found in the Linux kernel where the coredump     implementation does not use locking or other mechanisms     to prevent vma layout or vma flags changes while it     runs. This allows local users to obtain sensitive     information, cause a denial of service (DoS), or     possibly have unspecified other impact by triggering a     race condition with mmget_not_zero or get_task_mm     calls.(CVE-2019-11599)

  - An issue was discovered in the Linux kernel before     4.20. There is a race condition in smp_task_timedout()     and smp_task_done() in     drivers/scsi/libsas/sas_expander.c, leading to a     use-after-free.(CVE-2018-20836)

  - A race condition in perf_event_open() allows local     attackers to leak sensitive data from setuid programs.
    As no relevant locks (in particular the     cred_guard_mutex) are held during the     ptrace_may_access() call, it is possible for the     specified target task to perform an execve() syscall     with setuid execution before perf_event_alloc()     actually attaches to it, allowing an attacker to bypass     the ptrace_may_access() check and the     perf_event_exit_task(current) call that is performed in     install_exec_creds() during privileged execve()     calls.(CVE-2019-3901)

  - A flaw was found in the Linux kernel, prior to version     5.0.7, in drivers/scsi/megaraid/megaraid_sas_base.c,     where a NULL pointer dereference can occur when     megasas_create_frame_pool() fails in     megasas_alloc_cmds(). An attacker can crash the system     if they were able to load the megaraid_sas kernel     module and groom memory beforehand, leading to a denial     of service (DoS), related to a     use-after-free.(CVE-2019-11810)

  - A vulnerability was found in polkit. When     authentication is performed by a non-root user to     perform an administrative task, the authentication is     temporarily cached in such a way that a local attacker     could impersonate the authorized process, thus gaining     access to elevated privileges.(CVE-2019-6133)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An integer overflow flaw was found in the way the Linux     kernel's networking subsystem processed TCP Selective     Acknowledgment (SACK) segments. While processing SACK     segments, the Linux kernel's socket buffer (SKB) data     structure becomes fragmented. Each fragment is about     TCP maximum segment size (MSS) bytes. To efficiently     process SACK blocks, the Linux kernel merges multiple     fragmented SKBs into one, potentially overflowing the     variable holding the number of segments. A remote     attacker could use this flaw to crash the Linux kernel     by sending a crafted sequence of SACK segments on a TCP     connection with small value of TCP MSS, resulting in a     denial of service (DoS). (CVE-2019-11477)

  - Kernel: tcp: excessive resource consumption while     processing SACK blocks allows remote denial of service     (CVE-2019-11478)

  - Kernel: tcp: excessive resource consumption for TCP     connections with low MSS allows remote denial of     service (CVE-2019-11479)

  - The Linux kernel is vulnerable to an out-of-bounds read     in ext4/balloc.c:ext4_valid_block_bitmap() function. An     attacker could trick a legitimate user or a privileged     attacker could exploit this by mounting a crafted ext4     image to cause a crash.(CVE-2018-1093)

  - The Siemens R3964 line discipline driver in     drivers/tty/n_r3964.c in the Linux kernel before 5.0.8     has multiple race conditions.(CVE-2019-11486)

  - A flaw was found in the Linux kernel where the coredump     implementation does not use locking or other mechanisms     to prevent vma layout or vma flags changes while it     runs. This allows local users to obtain sensitive     information, cause a denial of service (DoS), or     possibly have unspecified other impact by triggering a     race condition with mmget_not_zero or get_task_mm     calls.(CVE-2019-11599)

  - A race condition in perf_event_open() allows local     attackers to leak sensitive data from setuid programs.
    As no relevant locks (in particular the     cred_guard_mutex) are held during the     ptrace_may_access() call, it is possible for the     specified target task to perform an execve() syscall     with setuid execution before perf_event_alloc()     actually attaches to it, allowing an attacker to bypass     the ptrace_may_access() check and the     perf_event_exit_task(current) call that is performed in     install_exec_creds() during privileged execve()     calls.(CVE-2019-3901)

  - In the tun subsystem in the Linux kernel before     4.13.14, dev_get_valid_name is not called before     register_netdevice. This allows local users to cause a     denial of service (NULL pointer dereference and panic)     via an ioctl(TUNSETIFF) call with a dev name containing     a / character. This is similar to     CVE-2013-4343.(CVE-2018-7191)

  - An issue was discovered in the Linux kernel before     4.20. There is a race condition in smp_task_timedout()     and smp_task_done() in     drivers/scsi/libsas/sas_expander.c, leading to a     use-after-free.(CVE-2018-20836)

  - A flaw was found in the Linux kernel, prior to version     5.0.7, in drivers/scsi/megaraid/megaraid_sas_base.c,     where a NULL pointer dereference can occur when     megasas_create_frame_pool() fails in     megasas_alloc_cmds(). An attacker can crash the system     if they were able to load the megaraid_sas kernel     module and groom memory beforehand, leading to a denial     of service (DoS), related to a     use-after-free.(CVE-2019-11810)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):An issue was discovered in     rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel     before 5.0.8. There is a race condition leading to a     use-after-free, related to net namespace     cleanup.(CVE-2019-11815)A flaw was found in the Linux     kernel's handle_rx() function in the vhost_net driver.
    A malicious virtual guest, under specific conditions,     can trigger an out-of-bounds write in a kmalloc-8 slab     on a virtual host which may lead to a kernel memory     corruption and a system panic. Due to the nature of the     flaw, privilege escalation cannot be fully ruled     out.(CVE-2018-16880)A NULL pointer dereference security     flaw was found in the Linux kernel in kvm_pv_send_ipi()     in arch/x86/kvm/lapic.c. This allows local users with     certain privileges to cause a denial of service via a     crafted system call to the KVM     subsystem.(CVE-2018-19406)The function     hso_get_config_data in driverset/usb/hso.c in the Linux     kernel through 4.19.8 reads if_num from the USB device     (as a u8) and uses it to index a small array, resulting     in an object out-of-bounds (OOB) read that potentially     allows arbitrary read in the kernel address     space.(CVE-2018-19985)** RESERVED ** This candidate has     been reserved by an organization or individual that     will use it when announcing a new security problem.
    When the candidate has been publicized, the details for     this candidate will be provided.(CVE-2019-3459)**     RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2019-3460)A flaw was found in the     Linux kernel in the function hid_debug_events_read() in     the drivers/hid/hid-debug.c file which may enter an     infinite loop with certain parameters passed from a     userspace. A local privileged user ('root') can cause a     system lock up and a denial of     service.(CVE-2019-3819)In the Linux kernel before     4.20.14, expand_downwards in mm/mmap.c lacks a check     for the mmap minimum address, which makes it easier for     attackers to exploit kernel NULL pointer dereferences     on non-SMAP platforms. This is related to a capability     check for the wrong task.(CVE-2019-9213)A flaw was     found in the Linux kernel's vfio interface     implementation that permits violation of the user's     locked memory limit. If a device is bound to a vfio     driver, such as vfio-pci, and the local attacker is     administratively granted ownership of the device, it     may cause a system memory exhaustion and thus a denial     of service (DoS). Versions 3.10, 4.14 and 4.18 are     vulnerable.(CVE-2019-3882)An infinite loop issue was     found in the vhost_net kernel module in Linux Kernel up     to and including v5.1-rc6, while handling incoming     packets in handle_rx(). It could occur if one end sends     packets faster than the other end can process them. A     guest user, maybe remote one, could use this flaw to     stall the vhost_net kernel thread, resulting in a DoS     scenario.(CVE-2019-3900)It was found that the net_dma     code in tcp_recvmsg() in the 2.6.32 kernel as shipped     in RHEL6 is thread-unsafe. So an unprivileged     multi-threaded userspace application calling recvmsg()     for the same network socket in parallel executed on     ioatdma-enabled hardware with net_dma enabled can leak     the memory, crash the host leading to a     denial-of-service or cause a random memory     corruption.(CVE-2019-3837)A race condition in     perf_event_open() allows local attackers to leak     sensitive data from setuid programs. As no relevant     locks (in particular the cred_guard_mutex) are held     during the ptrace_may_access() call, it is possible for     the specified target task to perform an execve()     syscall with setuid execution before perf_event_alloc()     actually attaches to it, allowing an attacker to bypass     the ptrace_may_access() check and the     perf_event_exit_task(current) call that is performed in     install_exec_creds() during privileged execve() calls.
    This issue affects kernel versions before 4.8.
    (CVE-2019-3901)** RESERVED ** This candidate has been     reserved by an organization or individual that will use     it when announcing a new security problem. When the     candidate has been publicized, the details for this     candidate will be     provided.(CVE-2019-8956)cipso_v4_validate in     includeet/cipso_ipv4.h in the Linux kernel before     3.11.7, when CONFIG_NETLABEL is disabled, allows     attackers to cause a denial of service (infinite loop     and crash), as demonstrated by icmpsic, a different     vulnerability than CVE-2013-0310.(CVE-2013-7470)Note1:
    kernel-4.19.36-vhulk1907.1.0.h529 and earlier versions     in EulerOS Virtualization for ARM 64 3.0.2.0 return     incorrect time information when executing the uname -a     command.Note2: The kernel version number naming format     has been changed after 4.19.36-1.2.184.aarch64, the new     version format is 4.19.36-vhulk1907.1.0.hxxx.aarch64,     which may lead to false positives of this security     advisory.

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in polkit. When     authentication is performed by a non-root user to     perform an administrative task, the authentication is     temporarily cached in such a way that a local attacker     could impersonate the authorized process, thus gaining     access to elevated privileges.(CVE-2019-6133)

  - A race condition in perf_event_open() allows local     attackers to leak sensitive data from setuid programs.
    As no relevant locks (in particular the     cred_guard_mutex) are held during the     ptrace_may_access() call, it is possible for the     specified target task to perform an execve() syscall     with setuid execution before perf_event_alloc()     actually attaches to it, allowing an attacker to bypass     the ptrace_may_access() check and the     perf_event_exit_task(current) call that is performed in     install_exec_creds() during privileged execve()     calls.(CVE-2019-3901)

  - A race condition was found between between     mmget_not_zero()/get_task_mm() when core dumping tasks.
    A local attacker is able to exploit race condition     where locking of semaphore would allow an attacker to     leak kernel memory to userspace.(CVE-2019-3892)

  - A flaw was found in the Linux kernel where the coredump     implementation does not use locking or other mechanisms     to prevent vma layout or vma flags changes while it     runs. This allows local users to obtain sensitive     information, cause a denial of service (DoS), or     possibly have unspecified other impact by triggering a     race condition with mmget_not_zero or get_task_mm     calls.(CVE-2019-11599)

  - An issue was discovered in the Linux kernel before     4.20. There is a race condition in smp_task_timedout()     and smp_task_done() in     drivers/scsi/libsas/sas_expander.c, leading to a     use-after-free.(CVE-2018-20836)

  - A flaw was found in the Linux kernel, prior to version     5.0.7, in drivers/scsi/megaraid/megaraid_sas_base.c,     where a NULL pointer dereference can occur when     megasas_create_frame_pool() fails in     megasas_alloc_cmds(). An attacker can crash the system     if they were able to load the megaraid_sas kernel     module and groom memory beforehand, leading to a denial     of service (DoS), related to a     use-after-free.(CVE-2019-11810)

  - A flaw was found in the Linux kernel's implementation     of RDS over TCP. A system that has the rds_tcp kernel     module loaded (either through autoload via local     process running listen(), or manual loading) could     possibly cause a use after free (UAF) in which an     attacker who is able to manipulate socket state while a     network namespace is being torn down. This can lead to     possible memory corruption and privilege     escalation.(CVE-2019-11815)

  - Modern Intel microprocessors implement hardware-level     micro-optimizations to improve the performance of     writing data back to CPU caches. The write operation is     split into STA (STore Address) and STD (STore Data)     sub-operations. These sub-operations allow the     processor to hand-off address generation logic into     these sub-operations for optimized writes. Both of     these sub-operations write to a shared distributed     processor structure called the 'processor store     buffer'. As a result, an unprivileged attacker could     use this flaw to read private data resident within the     CPU's processor store buffer.(CVE-2018-12126)

  - A flaw was found in the implementation of the 'fill     buffer', a mechanism used by modern CPUs when a     cache-miss is made on L1 CPU cache. If an attacker can     generate a load operation that would create a page     fault, the execution will continue speculatively with     incorrect data from the fill buffer while the data is     fetched from higher level caches. This response time     can be measured to infer data in the fill     buffer.(CVE-2018-12130)

  - Microprocessors use a aEUR~load portaEURtm subcomponent to     perform load operations from memory or IO. During a     load operation, the load port receives data from the     memory or IO subsystem and then provides the data to     the CPU registers and operations in the CPUaEURtms     pipelines. Stale load operations results are stored in     the 'load port' table until overwritten by newer     operations. Certain load-port operations triggered by     an attacker can be used to reveal data about previous     stale requests leaking data back to the attacker via a     timing side-channel.(CVE-2018-12127)

  - Uncacheable memory on some microprocessors utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access.(CVE-2019-11091)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernel where the coredump     implementation does not use locking or other mechanisms     to prevent vma layout or vma flags changes while it     runs. This allows local users to obtain sensitive     information, cause a denial of service (DoS), or     possibly have unspecified other impact by triggering a     race condition with mmget_not_zero or get_task_mm     calls.(CVE-2019-11599)

  - The Siemens R3964 line discipline driver in     drivers/tty/n_r3964.c in the Linux kernel before 5.0.8     has multiple race conditions.(CVE-2019-11486)

  - A race condition in perf_event_open() allows local     attackers to leak sensitive data from setuid programs.
    As no relevant locks (in particular the     cred_guard_mutex) are held during the     ptrace_may_access() call, it is possible for the     specified target task to perform an execve() syscall     with setuid execution before perf_event_alloc()     actually attaches to it, allowing an attacker to bypass     the ptrace_may_access() check and the     perf_event_exit_task(current) call that is performed in     install_exec_creds() during privileged execve()     calls.(CVE-2019-3901)

  - The atyfb_ioctl function in     drivers/video/fbdev/aty/atyfb_base.c in the Linux     kernel through 4.12.10 does not initialize a certain     data structure, which allows local users to obtain     sensitive information from kernel stack memory by     reading locations associated with padding     bytes.(CVE-2017-14156)

  - A flaw was found in the Linux kernel's ext4 filesystem     code. A use-after-free is possible in     ext4_ext_remove_space() function when mounting and     operating a crafted ext4 image.(CVE-2018-10876)

  - A flaw was found in the implementation of the 'fill     buffer', a mechanism used by modern CPUs when a     cache-miss is made on L1 CPU cache. If an attacker can     generate a load operation that would create a page     fault, the execution will continue speculatively with     incorrect data from the fill buffer while the data is     fetched from higher level caches. This response time     can be measured to infer data in the fill buffer.
    (CVE-2018-12130)

  - Modern Intel microprocessors implement hardware-level     micro-optimizations to improve the performance of     writing data back to CPU caches. The write operation is     split into STA (STore Address) and STD (STore Data)     sub-operations. These sub-operations allow the     processor to hand-off address generation logic into     these sub-operations for optimized writes. Both of     these sub-operations write to a shared distributed     processor structure called the 'processor store     buffer'. As a result, an unprivileged attacker could     use this flaw to read private data resident within the     CPU's processor store buffer. (CVE-2018-12126)

  - Microprocessors use a aEUR~load portaEURtm subcomponent to     perform load operations from memory or IO. During a     load operation, the load port receives data from the     memory or IO subsystem and then provides the data to     the CPU registers and operations in the CPUaEURtms     pipelines. Stale load operations results are stored in     the 'load port' table until overwritten by newer     operations. Certain load-port operations triggered by     an attacker can be used to reveal data about previous     stale requests leaking data back to the attacker via a     timing side-channel. (CVE-2018-12127)

  - Uncacheable memory on some microprocessors utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access. (CVE-2019-11091)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

This updated advisory text adds a note about the need to install new binary packages.

CVE-2018-5995

ADLab of VenusTech discovered that the kernel logged the virtual addresses assigned to per-CPU data, which could make it easier to exploit other vulnerabilities.

CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

Multiple researchers have discovered vulnerabilities in the way that Intel processor designs implement speculative forwarding of data filled into temporary microarchitectural structures (buffers). This flaw could allow an attacker controlling an unprivileged process to read sensitive information, including from the kernel and all other processes running on the system, or across guest/host boundaries to read host memory.

See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/m ds.html for more details.

To fully resolve these vulnerabilities it is also necessary to install updated CPU microcode. An updated intel-microcode package (only available in Debian non-free) was provided via DLA-1789-1. The updated CPU microcode may also be available as part of a system firmware ('BIOS') update.

CVE-2019-2024

A use-after-free bug was discovered in the em28xx video capture driver. Local users might be able to use this for denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-3459, CVE-2019-3460

Shlomi Oberman, Yuli Shapiro, and Karamba Security Ltd. research team discovered missing range checks in the Bluetooth L2CAP implementation.
If Bluetooth is enabled, a nearby attacker could use these to read sensitive information from the kernel.

CVE-2019-3882

It was found that the vfio implementation did not limit the number of DMA mappings to device memory. A local user granted ownership of a vfio device could use this to cause a denial of service (out-of-memory condition).

CVE-2019-3901

Jann Horn of Google reported a race condition that would allow a local user to read performance events from a task after it executes a setuid program. This could leak sensitive information processed by setuid programs. Debian's kernel configuration does not allow unprivileged users to access peformance events by default, which fully mitigates this issue.

CVE-2019-6133

Jann Horn of Google found that Policykit's authentication check could be bypassed by a local user creating a process with the same start time and process ID as an older authenticated process. PolicyKit was already updated to fix this in DLA-1644-1. The kernel has additionally been updated to avoid a delay between assigning start time and process ID, which should make the attack impractical.

CVE-2019-9503

Hugues Anguelkov and others at Quarkslab discovered that the brcmfmac (Broadcom wifi FullMAC) driver did not correctly distinguish messages sent by the wifi firmware from other packets. An attacker using the same wifi network could use this for denial of service or to exploit other vulnerabilities in the driver.

CVE-2019-11190

Robert &#x15A;wi&#x119;cki reported that when a setuid program was executed it was still possible to read performance events while the kernel set up the program's address space. A local user could use this to defeat ASLR in a setuid program, making it easier to exploit other vulnerabilities in the program. Debian's kernel configuration does not allow unprivileged users to access peformance events by default, which fully mitigates this issue.

CVE-2019-11486

Jann Horn of Google reported numerous race conditions in the Siemens R3964 line discipline. A local user could use these to cause unspecified security impact. This module has therefore been disabled.

CVE-2019-11599

Jann Horn of Google reported a race condition in the core dump implementation which could lead to a use-after-free. A local user could use this to read sensitive information, to cause a denial of service (memory corruption), or for privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 3.16.68-1. This version also includes a fix for Debian bug #927781, and other fixes included in upstream stable updates.

We recommend that you upgrade your linux and linux-latest packages.
You will need to use 'apt-get upgrade --with-new-pkgs' or 'apt upgrade' as the binary package names have changed.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
138171	RHEL 7 : kernel (RHSA-2020:2851)	Nessus	Red Hat Local Security Checks	high
137363	RHEL 7 : kernel (RHSA-2020:2522)	Nessus	Red Hat Local Security Checks	high
135813	Scientific Linux Security Update : kernel on SL7.x x86_64 (20200407)	Nessus	Scientific Linux Local Security Checks	high
135316	CentOS 7 : kernel (CESA-2020:1016)	Nessus	CentOS Local Security Checks	high
135080	RHEL 7 : kernel (RHSA-2020:1016)	Nessus	Red Hat Local Security Checks	high
135078	RHEL 7 : kernel-rt (RHSA-2020:1070)	Nessus	Red Hat Local Security Checks	high
126299	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-1672)	Nessus	Huawei Local Security Checks	high
126266	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-1639)	Nessus	Huawei Local Security Checks	high
125588	EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1636)	Nessus	Huawei Local Security Checks	high
125564	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1612)	Nessus	Huawei Local Security Checks	high
125515	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-1588)	Nessus	Huawei Local Security Checks	medium
125478	Debian DLA-1799-2 : linux security update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)	Nessus	Debian Local Security Checks	high

CVE-2019-3901

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins