89937

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3901

[debian-lts-announce] 20190528 [SECURITY] [DLA 1799-1] linux security update

[debian-lts-announce] 20190528 [SECURITY] [DLA 1799-2] linux security update

https://security.netapp.com/advisory/ntap-20190517-0005/

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An integer overflow flaw was found in the way the Linux     kernel's networking subsystem processed TCP Selective     Acknowledgment (SACK) segments. While processing SACK     segments, the Linux kernel's socket buffer (SKB) data     structure becomes fragmented. Each fragment is about     TCP maximum segment size (MSS) bytes. To efficiently     process SACK blocks, the Linux kernel merges multiple     fragmented SKBs into one, potentially overflowing the     variable holding the number of segments. A remote     attacker could use this flaw to crash the Linux kernel     by sending a crafted sequence of SACK segments on a TCP     connection with small value of TCP MSS, resulting in a     denial of service (DoS). (CVE-2019-11477)

  - Kernel: tcp: excessive resource consumption while     processing SACK blocks allows remote denial of service     (CVE-2019-11478)

  - Kernel: tcp: excessive resource consumption for TCP     connections with low MSS allows remote denial of     service (CVE-2019-11479)

  - In the tun subsystem in the Linux kernel before     4.13.14, dev_get_valid_name is not called before     register_netdevice. This allows local users to cause a     denial of service (NULL pointer dereference and panic)     via an ioctl(TUNSETIFF) call with a dev name containing     a / character. This is similar to     CVE-2013-4343.(CVE-2018-7191)

  - A flaw was found in the Linux kernel where the coredump     implementation does not use locking or other mechanisms     to prevent vma layout or vma flags changes while it     runs. This allows local users to obtain sensitive     information, cause a denial of service (DoS), or     possibly have unspecified other impact by triggering a     race condition with mmget_not_zero or get_task_mm     calls.(CVE-2019-11599)

  - An issue was discovered in the Linux kernel before     4.20. There is a race condition in smp_task_timedout()     and smp_task_done() in     drivers/scsi/libsas/sas_expander.c, leading to a     use-after-free.(CVE-2018-20836)

  - A race condition in perf_event_open() allows local     attackers to leak sensitive data from setuid programs.
    As no relevant locks (in particular the     cred_guard_mutex) are held during the     ptrace_may_access() call, it is possible for the     specified target task to perform an execve() syscall     with setuid execution before perf_event_alloc()     actually attaches to it, allowing an attacker to bypass     the ptrace_may_access() check and the     perf_event_exit_task(current) call that is performed in     install_exec_creds() during privileged execve()     calls.(CVE-2019-3901)

  - A flaw was found in the Linux kernel, prior to version     5.0.7, in drivers/scsi/megaraid/megaraid_sas_base.c,     where a NULL pointer dereference can occur when     megasas_create_frame_pool() fails in     megasas_alloc_cmds(). An attacker can crash the system     if they were able to load the megaraid_sas kernel     module and groom memory beforehand, leading to a denial     of service (DoS), related to a     use-after-free.(CVE-2019-11810)

  - A vulnerability was found in polkit. When     authentication is performed by a non-root user to     perform an administrative task, the authentication is     temporarily cached in such a way that a local attacker     could impersonate the authorized process, thus gaining     access to elevated privileges.(CVE-2019-6133)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An integer overflow flaw was found in the way the Linux     kernel's networking subsystem processed TCP Selective     Acknowledgment (SACK) segments. While processing SACK     segments, the Linux kernel's socket buffer (SKB) data     structure becomes fragmented. Each fragment is about     TCP maximum segment size (MSS) bytes. To efficiently     process SACK blocks, the Linux kernel merges multiple     fragmented SKBs into one, potentially overflowing the     variable holding the number of segments. A remote     attacker could use this flaw to crash the Linux kernel     by sending a crafted sequence of SACK segments on a TCP     connection with small value of TCP MSS, resulting in a     denial of service (DoS). (CVE-2019-11477)

  - Kernel: tcp: excessive resource consumption while     processing SACK blocks allows remote denial of service     (CVE-2019-11478)

  - Kernel: tcp: excessive resource consumption for TCP     connections with low MSS allows remote denial of     service (CVE-2019-11479)

  - The Linux kernel is vulnerable to an out-of-bounds read     in ext4/balloc.c:ext4_valid_block_bitmap() function. An     attacker could trick a legitimate user or a privileged     attacker could exploit this by mounting a crafted ext4     image to cause a crash.(CVE-2018-1093)

  - The Siemens R3964 line discipline driver in     drivers/tty/n_r3964.c in the Linux kernel before 5.0.8     has multiple race conditions.(CVE-2019-11486)

  - A flaw was found in the Linux kernel where the coredump     implementation does not use locking or other mechanisms     to prevent vma layout or vma flags changes while it     runs. This allows local users to obtain sensitive     information, cause a denial of service (DoS), or     possibly have unspecified other impact by triggering a     race condition with mmget_not_zero or get_task_mm     calls.(CVE-2019-11599)

  - A race condition in perf_event_open() allows local     attackers to leak sensitive data from setuid programs.
    As no relevant locks (in particular the     cred_guard_mutex) are held during the     ptrace_may_access() call, it is possible for the     specified target task to perform an execve() syscall     with setuid execution before perf_event_alloc()     actually attaches to it, allowing an attacker to bypass     the ptrace_may_access() check and the     perf_event_exit_task(current) call that is performed in     install_exec_creds() during privileged execve()     calls.(CVE-2019-3901)

  - In the tun subsystem in the Linux kernel before     4.13.14, dev_get_valid_name is not called before     register_netdevice. This allows local users to cause a     denial of service (NULL pointer dereference and panic)     via an ioctl(TUNSETIFF) call with a dev name containing     a / character. This is similar to     CVE-2013-4343.(CVE-2018-7191)

  - An issue was discovered in the Linux kernel before     4.20. There is a race condition in smp_task_timedout()     and smp_task_done() in     drivers/scsi/libsas/sas_expander.c, leading to a     use-after-free.(CVE-2018-20836)

  - A flaw was found in the Linux kernel, prior to version     5.0.7, in drivers/scsi/megaraid/megaraid_sas_base.c,     where a NULL pointer dereference can occur when     megasas_create_frame_pool() fails in     megasas_alloc_cmds(). An attacker can crash the system     if they were able to load the megaraid_sas kernel     module and groom memory beforehand, leading to a denial     of service (DoS), related to a     use-after-free.(CVE-2019-11810)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in rds_tcp_kill_sock in     net/rds/tcp.c in the Linux kernel before 5.0.8. There     is a race condition leading to a use-after-free,     related to net namespace cleanup.(CVE-2019-11815)

  - A flaw was found in the Linux kernel's handle_rx()     function in the vhost_net driver. A malicious virtual     guest, under specific conditions, can trigger an     out-of-bounds write in a kmalloc-8 slab on a virtual     host which may lead to a kernel memory corruption and a     system panic. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out.(CVE-2018-16880)

  - A NULL pointer dereference security flaw was found in     the Linux kernel in kvm_pv_send_ipi() in     arch/x86/kvm/lapic.c. This allows local users with     certain privileges to cause a denial of service via a     crafted system call to the KVM     subsystem.(CVE-2018-19406)

  - The function hso_get_config_data in     drivers/net/usb/hso.c in the Linux kernel through     4.19.8 reads if_num from the USB device (as a u8) and     uses it to index a small array, resulting in an object     out-of-bounds (OOB) read that potentially allows     arbitrary read in the kernel address     space.(CVE-2018-19985)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2019-3459)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2019-3460)

  - A flaw was found in the Linux kernel in the function     hid_debug_events_read() in the drivers/hid/hid-debug.c     file which may enter an infinite loop with certain     parameters passed from a userspace. A local privileged     user ('root') can cause a system lock up and a denial     of service.(CVE-2019-3819)

  - In the Linux kernel before 4.20.14, expand_downwards in     mm/mmap.c lacks a check for the mmap minimum address,     which makes it easier for attackers to exploit kernel     NULL pointer dereferences on non-SMAP platforms. This     is related to a capability check for the wrong     task.(CVE-2019-9213)

  - A flaw was found in the Linux kernel's vfio interface     implementation that permits violation of the user's     locked memory limit. If a device is bound to a vfio     driver, such as vfio-pci, and the local attacker is     administratively granted ownership of the device, it     may cause a system memory exhaustion and thus a denial     of service (DoS). Versions 3.10, 4.14 and 4.18 are     vulnerable.(CVE-2019-3882)

  - An infinite loop issue was found in the vhost_net     kernel module in Linux Kernel up to and including     v5.1-rc6, while handling incoming packets in     handle_rx(). It could occur if one end sends packets     faster than the other end can process them. A guest     user, maybe remote one, could use this flaw to stall     the vhost_net kernel thread, resulting in a DoS     scenario.(CVE-2019-3900)

  - It was found that the net_dma code in tcp_recvmsg() in     the 2.6.32 kernel as shipped in RHEL6 is thread-unsafe.
    So an unprivileged multi-threaded userspace application     calling recvmsg() for the same network socket in     parallel executed on ioatdma-enabled hardware with     net_dma enabled can leak the memory, crash the host     leading to a denial-of-service or cause a random memory     corruption.(CVE-2019-3837)

  - A race condition in perf_event_open() allows local     attackers to leak sensitive data from setuid programs.
    As no relevant locks (in particular the     cred_guard_mutex) are held during the     ptrace_may_access() call, it is possible for the     specified target task to perform an execve() syscall     with setuid execution before perf_event_alloc()     actually attaches to it, allowing an attacker to bypass     the ptrace_may_access() check and the     perf_event_exit_task(current) call that is performed in     install_exec_creds() during privileged execve() calls.
    This issue affects kernel versions before 4.8.
    (CVE-2019-3901)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2019-8956)

  - cipso_v4_validate in include/net/cipso_ipv4.h in the     Linux kernel before 3.11.7, when CONFIG_NETLABEL is     disabled, allows attackers to cause a denial of service     (infinite loop and crash), as demonstrated by icmpsic,     a different vulnerability than     CVE-2013-0310.(CVE-2013-7470)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in polkit. When     authentication is performed by a non-root user to     perform an administrative task, the authentication is     temporarily cached in such a way that a local attacker     could impersonate the authorized process, thus gaining     access to elevated privileges.(CVE-2019-6133)

  - A race condition in perf_event_open() allows local     attackers to leak sensitive data from setuid programs.
    As no relevant locks (in particular the     cred_guard_mutex) are held during the     ptrace_may_access() call, it is possible for the     specified target task to perform an execve() syscall     with setuid execution before perf_event_alloc()     actually attaches to it, allowing an attacker to bypass     the ptrace_may_access() check and the     perf_event_exit_task(current) call that is performed in     install_exec_creds() during privileged execve()     calls.(CVE-2019-3901)

  - A race condition was found between between     mmget_not_zero()/get_task_mm() when core dumping tasks.
    A local attacker is able to exploit race condition     where locking of semaphore would allow an attacker to     leak kernel memory to userspace.(CVE-2019-3892)

  - A flaw was found in the Linux kernel where the coredump     implementation does not use locking or other mechanisms     to prevent vma layout or vma flags changes while it     runs. This allows local users to obtain sensitive     information, cause a denial of service (DoS), or     possibly have unspecified other impact by triggering a     race condition with mmget_not_zero or get_task_mm     calls.(CVE-2019-11599)

  - An issue was discovered in the Linux kernel before     4.20. There is a race condition in smp_task_timedout()     and smp_task_done() in     drivers/scsi/libsas/sas_expander.c, leading to a     use-after-free.(CVE-2018-20836)

  - A flaw was found in the Linux kernel, prior to version     5.0.7, in drivers/scsi/megaraid/megaraid_sas_base.c,     where a NULL pointer dereference can occur when     megasas_create_frame_pool() fails in     megasas_alloc_cmds(). An attacker can crash the system     if they were able to load the megaraid_sas kernel     module and groom memory beforehand, leading to a denial     of service (DoS), related to a     use-after-free.(CVE-2019-11810)

  - A flaw was found in the Linux kernel's implementation     of RDS over TCP. A system that has the rds_tcp kernel     module loaded (either through autoload via local     process running listen(), or manual loading) could     possibly cause a use after free (UAF) in which an     attacker who is able to manipulate socket state while a     network namespace is being torn down. This can lead to     possible memory corruption and privilege     escalation.(CVE-2019-11815)

  - Modern Intel microprocessors implement hardware-level     micro-optimizations to improve the performance of     writing data back to CPU caches. The write operation is     split into STA (STore Address) and STD (STore Data)     sub-operations. These sub-operations allow the     processor to hand-off address generation logic into     these sub-operations for optimized writes. Both of     these sub-operations write to a shared distributed     processor structure called the 'processor store     buffer'. As a result, an unprivileged attacker could     use this flaw to read private data resident within the     CPU's processor store buffer.(CVE-2018-12126)

  - A flaw was found in the implementation of the 'fill     buffer', a mechanism used by modern CPUs when a     cache-miss is made on L1 CPU cache. If an attacker can     generate a load operation that would create a page     fault, the execution will continue speculatively with     incorrect data from the fill buffer while the data is     fetched from higher level caches. This response time     can be measured to infer data in the fill     buffer.(CVE-2018-12130)

  - Microprocessors use a 'load port' subcomponent to     perform load operations from memory or IO. During a     load operation, the load port receives data from the     memory or IO subsystem and then provides the data to     the CPU registers and operations in the CPU's     pipelines. Stale load operations results are stored in     the 'load port' table until overwritten by newer     operations. Certain load-port operations triggered by     an attacker can be used to reveal data about previous     stale requests leaking data back to the attacker via a     timing side-channel.(CVE-2018-12127)

  - Uncacheable memory on some microprocessors utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access.(CVE-2019-11091)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernel where the coredump     implementation does not use locking or other mechanisms     to prevent vma layout or vma flags changes while it     runs. This allows local users to obtain sensitive     information, cause a denial of service (DoS), or     possibly have unspecified other impact by triggering a     race condition with mmget_not_zero or get_task_mm     calls.(CVE-2019-11599)

  - The Siemens R3964 line discipline driver in     drivers/tty/n_r3964.c in the Linux kernel before 5.0.8     has multiple race conditions.(CVE-2019-11486)

  - A race condition in perf_event_open() allows local     attackers to leak sensitive data from setuid programs.
    As no relevant locks (in particular the     cred_guard_mutex) are held during the     ptrace_may_access() call, it is possible for the     specified target task to perform an execve() syscall     with setuid execution before perf_event_alloc()     actually attaches to it, allowing an attacker to bypass     the ptrace_may_access() check and the     perf_event_exit_task(current) call that is performed in     install_exec_creds() during privileged execve()     calls.(CVE-2019-3901)

  - The atyfb_ioctl function in     drivers/video/fbdev/aty/atyfb_base.c in the Linux     kernel through 4.12.10 does not initialize a certain     data structure, which allows local users to obtain     sensitive information from kernel stack memory by     reading locations associated with padding     bytes.(CVE-2017-14156)

  - A flaw was found in the Linux kernel's ext4 filesystem     code. A use-after-free is possible in     ext4_ext_remove_space() function when mounting and     operating a crafted ext4 image.(CVE-2018-10876)

  - A flaw was found in the implementation of the 'fill     buffer', a mechanism used by modern CPUs when a     cache-miss is made on L1 CPU cache. If an attacker can     generate a load operation that would create a page     fault, the execution will continue speculatively with     incorrect data from the fill buffer while the data is     fetched from higher level caches. This response time     can be measured to infer data in the fill buffer.
    (CVE-2018-12130)

  - Modern Intel microprocessors implement hardware-level     micro-optimizations to improve the performance of     writing data back to CPU caches. The write operation is     split into STA (STore Address) and STD (STore Data)     sub-operations. These sub-operations allow the     processor to hand-off address generation logic into     these sub-operations for optimized writes. Both of     these sub-operations write to a shared distributed     processor structure called the 'processor store     buffer'. As a result, an unprivileged attacker could     use this flaw to read private data resident within the     CPU's processor store buffer. (CVE-2018-12126)

  - Microprocessors use a 'load port' subcomponent to     perform load operations from memory or IO. During a     load operation, the load port receives data from the     memory or IO subsystem and then provides the data to     the CPU registers and operations in the CPU's     pipelines. Stale load operations results are stored in     the 'load port' table until overwritten by newer     operations. Certain load-port operations triggered by     an attacker can be used to reveal data about previous     stale requests leaking data back to the attacker via a     timing side-channel. (CVE-2018-12127)

  - Uncacheable memory on some microprocessors utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access. (CVE-2019-11091)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

This updated advisory text adds a note about the need to install new binary packages.

CVE-2018-5995

ADLab of VenusTech discovered that the kernel logged the virtual addresses assigned to per-CPU data, which could make it easier to exploit other vulnerabilities.

CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

Multiple researchers have discovered vulnerabilities in the way that Intel processor designs implement speculative forwarding of data filled into temporary microarchitectural structures (buffers). This flaw could allow an attacker controlling an unprivileged process to read sensitive information, including from the kernel and all other processes running on the system, or across guest/host boundaries to read host memory.

See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/m ds.html for more details.

To fully resolve these vulnerabilities it is also necessary to install updated CPU microcode. An updated intel-microcode package (only available in Debian non-free) was provided via DLA-1789-1. The updated CPU microcode may also be available as part of a system firmware ('BIOS') update.

CVE-2019-2024

A use-after-free bug was discovered in the em28xx video capture driver. Local users might be able to use this for denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-3459, CVE-2019-3460

Shlomi Oberman, Yuli Shapiro, and Karamba Security Ltd. research team discovered missing range checks in the Bluetooth L2CAP implementation.
If Bluetooth is enabled, a nearby attacker could use these to read sensitive information from the kernel.

CVE-2019-3882

It was found that the vfio implementation did not limit the number of DMA mappings to device memory. A local user granted ownership of a vfio device could use this to cause a denial of service (out-of-memory condition).

CVE-2019-3901

Jann Horn of Google reported a race condition that would allow a local user to read performance events from a task after it executes a setuid program. This could leak sensitive information processed by setuid programs. Debian's kernel configuration does not allow unprivileged users to access peformance events by default, which fully mitigates this issue.

CVE-2019-6133

Jann Horn of Google found that Policykit's authentication check could be bypassed by a local user creating a process with the same start time and process ID as an older authenticated process. PolicyKit was already updated to fix this in DLA-1644-1. The kernel has additionally been updated to avoid a delay between assigning start time and process ID, which should make the attack impractical.

CVE-2019-9503

Hugues Anguelkov and others at Quarkslab discovered that the brcmfmac (Broadcom wifi FullMAC) driver did not correctly distinguish messages sent by the wifi firmware from other packets. An attacker using the same wifi network could use this for denial of service or to exploit other vulnerabilities in the driver.

CVE-2019-11190

Robert &#x15A;wi&#x119;cki reported that when a setuid program was executed it was still possible to read performance events while the kernel set up the program's address space. A local user could use this to defeat ASLR in a setuid program, making it easier to exploit other vulnerabilities in the program. Debian's kernel configuration does not allow unprivileged users to access peformance events by default, which fully mitigates this issue.

CVE-2019-11486

Jann Horn of Google reported numerous race conditions in the Siemens R3964 line discipline. A local user could use these to cause unspecified security impact. This module has therefore been disabled.

CVE-2019-11599

Jann Horn of Google reported a race condition in the core dump implementation which could lead to a use-after-free. A local user could use this to read sensitive information, to cause a denial of service (memory corruption), or for privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 3.16.68-1. This version also includes a fix for Debian bug #927781, and other fixes included in upstream stable updates.

We recommend that you upgrade your linux and linux-latest packages.
You will need to use 'apt-get upgrade --with-new-pkgs' or 'apt upgrade' as the binary package names have changed.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
126299	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-1672)	Nessus	Huawei Local Security Checks	high
126266	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-1639)	Nessus	Huawei Local Security Checks	high
125588	EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1636)	Nessus	Huawei Local Security Checks	high
125564	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1612)	Nessus	Huawei Local Security Checks	high
125515	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-1588)	Nessus	Huawei Local Security Checks	medium
125478	Debian DLA-1799-2 : linux security update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)	Nessus	Debian Local Security Checks	high

CVE-2019-3901

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins