[debian-lts-announce] 20201030 [SECURITY] [DLA 2420-1] linux security update

[debian-lts-announce] 20201031 [SECURITY] [DLA 2420-2] linux regression update

https://source.android.com/security/bulletin/pixel/2019-09-01

USN-4526-1

USN-4527-1

This update corrects a regression in some Xen virtual machine environments. For reference the original advisory text follows.

Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service or information leaks.

CVE-2019-9445

A potential out-of-bounds read was discovered in the F2FS implementation. A user permitted to mount and access arbitrary filesystems could potentially use this to cause a denial of service (crash) or to read sensitive information.

CVE-2019-19073, CVE-2019-19074

Navid Emamdoost discovered potential memory leaks in the ath9k and ath9k_htc drivers. The security impact of these is unclear.

CVE-2019-19448

'Team bobfuzzer' reported a bug in Btrfs that could lead to a use-after-free, and could be triggered by crafted filesystem images. A user permitted to mount and access arbitrary filesystems could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-12351

Andy Nguyen discovered a flaw in the Bluetooth implementation in the way L2CAP packets with A2MP CID are handled. A remote attacker within a short distance, knowing the victim's Bluetooth device address, can send a malicious l2cap packet and cause a denial of service or possibly arbitrary code execution with kernel privileges.

CVE-2020-12352

Andy Nguyen discovered a flaw in the Bluetooth implementation. Stack memory is not properly initialised when handling certain AMP packets.
A remote attacker within a short distance, knowing the victim's Bluetooth device address address, can retrieve kernel stack information.

CVE-2020-12655

Zheng Bin reported that crafted XFS volumes could trigger a system hang. An attacker able to mount such a volume could use this to cause a denial of service.

CVE-2020-12771

Zhiqiang Liu reported a bug in the bcache block driver that could lead to a system hang. The security impact of this is unclear.

CVE-2020-12888

It was discovered that the PCIe Virtual Function I/O (vfio-pci) driver allowed users to disable a device's memory space while it was still mapped into a process. On some hardware platforms, local users or guest virtual machines permitted to access PCIe Virtual Functions could use this to cause a denial of service (hardware error and crash).

CVE-2020-14305

Vasily Averin of Virtuozzo discovered a potential heap buffer overflow in the netfilter nf_contrack_h323 module. When this module is used to perform connection tracking for TCP/IPv6, a remote attacker could use this to cause a denial of service (crash or memory corruption) or possibly for remote code execution with kernel privilege.

CVE-2020-14314

A bug was discovered in the ext4 filesystem that could lead to an out-of-bound read. A local user permitted to mount and access arbitrary filesystem images could use this to cause a denial of service (crash).

CVE-2020-14331

A bug was discovered in the VGA console driver's soft-scrollback feature that could lead to a heap buffer overflow. On a system with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK enabled, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14356, CVE-2020-25220

A bug was discovered in the cgroup subsystem's handling of socket references to cgroups. In some cgroup configurations, this could lead to a use-after-free. A local user might be able to use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

The original fix for this bug introudced a new security issue, which is also addressed in this update.

CVE-2020-14386

Or Cohen discovered a bug in the packet socket (AF_PACKET) implementation which could lead to a heap buffer overflow. A local user with the CAP_NET_RAW capability (in any user namespace) could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14390

Minh Yuan discovered a bug in the framebuffer console driver's scrollback feature that could lead to a heap buffer overflow. On a system using framebuffer consoles, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

The scrollback feature has been disabled for now, as no other fix was available for this issue.

CVE-2020-15393

Kyungtae Kim reported a memory leak in the usbtest driver. The security impact of this is unclear.

CVE-2020-16166

Amit Klein reported that the random number generator used by the network stack might not be re-seeded for long periods of time, making e.g. client port number allocations more predictable. This made it easier for remote attackers to carry out some network- based attacks such as DNS cache poisoning or device tracking.

CVE-2020-24490

Andy Nguyen discovered a flaw in the Bluetooth implementation that can lead to a heap buffer overflow. On systems with a Bluetooth 5 hardware interface, a remote attacker within a short distance can use this to cause a denial of service (crash or memory corruption) or possibly for remote code execution with kernel privilege.

CVE-2020-25211

A flaw was discovered in netfilter subsystem. A local attacker able to inject conntrack Netlink configuration can cause a denial of service.

CVE-2020-25212

A bug was discovered in the NFSv4 client implementation that could lead to a heap buffer overflow. A malicious NFS server could use this to cause a denial of service (crash or memory corruption) or possibly to execute arbitrary code on the client.

CVE-2020-25284

It was discovered that the Rados block device (rbd) driver allowed tasks running as uid 0 to add and remove rbd devices, even if they dropped capabilities. On a system with the rbd driver loaded, this might allow privilege escalation from a container with a task running as root.

CVE-2020-25285

A race condition was discovered in the hugetlb filesystem's sysctl handlers, that could lead to stack corruption. A local user permitted to write to hugepages sysctls could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. By default only the root user can do this.

CVE-2020-25641

The syzbot tool found a bug in the block layer that could lead to an infinite loop. A local user with access to a raw block device could use this to cause a denial of service (unbounded CPU use and possible system hang).

CVE-2020-25643

ChenNan Of Chaitin Security Research Lab discovered a flaw in the hdlc_ppp module. Improper input validation in the ppp_cp_parse_cr() function may lead to memory corruption and information disclosure.

CVE-2020-26088

It was discovered that the NFC (Near Field Communication) socket implementation allowed any user to create raw sockets. On a system with an NFC interface, this allowed local users to evade local network security policy.

For Debian 9 stretch, these problems have been fixed in version 4.9.240-1. This update additionally includes many more bug fixes from stable updates 4.9.229-4.9.240 inclusive.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New kernel packages are available for Slackware 14.2 to fix security issues.

The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4527-1 advisory.

  - In the Android kernel in F2FS driver there is a possible out of bounds read due to a missing bounds check.
    This could lead to local information disclosure with system execution privileges needed. User interaction     is not needed for exploitation. (CVE-2019-9445)

  - In the Android kernel in F2FS touch driver there is a possible out of bounds read due to improper input     validation. This could lead to local information disclosure with system execution privileges needed. User     interaction is not needed for exploitation. (CVE-2019-9453)

  - A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux     kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering     kfifo_alloc() failures, aka CID-a7b2df76b42b. (CVE-2019-19054)

  - Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow     attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout()     failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the     htc_connect_service() function, aka CID-853acf7caf10. (CVE-2019-19073)

  - A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
    (CVE-2019-19074)

  - An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and     netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.
    (CVE-2019-20811)

  - In f2fs_xattr_generic_list of xattr.c, there is a possible out of bounds read due to a missing bounds     check. This could lead to local information disclosure with System execution privileges needed. User     interaction is not required for exploitation.Product: Android. Versions: Android kernel. Android ID:
    A-120551147. (CVE-2020-0067)

  - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers     to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4526-1 advisory.

  - In the Android kernel in F2FS driver there is a possible out of bounds read due to a missing bounds check.
    This could lead to local information disclosure with system execution privileges needed. User interaction     is not needed for exploitation. (CVE-2019-9445)

  - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.
    (CVE-2019-18808)

  - A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux     kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering     kfifo_alloc() failures, aka CID-a7b2df76b42b. (CVE-2019-19054)

  - A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux     kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka     CID-9c0530e898f3. (CVE-2019-19061)

  - ** DISPUTED ** Four memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c     in the Linux kernel before 5.3.8 allow attackers to cause a denial of service (memory consumption) by     triggering mfd_add_hotplug_devices() or pm_genpd_add_device() failures, aka CID-57be09c6e874. NOTE: third     parties dispute the relevance of this because the attacker must already have privileges for module     loading. (CVE-2019-19067)

  - Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow     attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout()     failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the     htc_connect_service() function, aka CID-853acf7caf10. (CVE-2019-19073)

  - A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
    (CVE-2019-19074)

  - The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory     space. (CVE-2020-12888)

  - A flaw null pointer dereference in the Linux kernel cgroupv2 subsystem in versions before 5.7.10 was found     in the way when reboot the system. A local user could use this flaw to crash the system or escalate their     privileges on the system. (CVE-2020-14356)

  - The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive     information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to     drivers/char/random.c and kernel/time/timer.c. (CVE-2020-16166)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc. Security Fix(es):In the Android kernel in     F2FS driver there is a possible out of bounds read due     to a missing bounds check. This could lead to local     information disclosure with system execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2019-9445)In calc_vm_may_flags of     ashmem.c, there is a possible arbitrary write to shared     memory due to a permissions bypass. This could lead to     local escalation of privilege by corrupting memory     shared between processes, with no additional execution     privileges needed. User interaction is not needed for     exploitation. Product: Android Versions: Android kernel     Android ID: A-142938932(CVE-2020-0009)A new domain     bypass transient execution attack known as Special     Register Buffer Data Sampling (SRBDS) has been found.
    This flaw allows data values from special internal     registers to be leaked by an attacker able to execute     code on any core of the CPU. An unprivileged, local     attacker can use this flaw to infer values returned by     affected instructions known to be commonly used during     cryptographic operations that rely on uniqueness,     secrecy, or both.(CVE-2020-0543)A flaw was found in the     Linux kernel's implementation of the BTRFS file system.
    A local attacker, with the ability to mount a file     system, can create a use-after-free memory fault after     the file system has been unmounted. This may lead to     memory corruption or privilege     escalation.(CVE-2019-19377)A NULL pointer dereference     flaw may occur in the Linux kernel's relay_open in     kernel/relay.c. if the alloc_percpu() function is not     validated in time of failure and used as a valid     address for access. An attacker could use this flaw to     cause a denial of service.(CVE-2019-19462)A NULL     pointer dereference flaw was found in     tw5864_handle_frame function in     drivers/media/pci/tw5864/tw5864-video.c in the TW5864     Series Video media driver. The pointer 'vb' is     assigned, but not validated before its use, and can     lead to a denial of service. This flaw allows a local     attacker with special user or root privileges to crash     the system or leak internal kernel     information.(CVE-2019-20806)go7007_snd_init in     drivers/media/usb/go7007/snd-go7007.c in the Linux     kernel before 5.6 does not call snd_card_free for a     failure path, which causes a memory leak, aka     CID-9453264ef586.(CVE-2019-20810)An issue was     discovered in the Linux kernel before 5.0.6. In     rx_queue_add_kobject() and netdev_queue_add_kobject()     in net/coreet-sysfs.c, a reference count is mishandled,     aka CID-a3e23f719f5c.(CVE-2019-20811)A flaw was found     in the way the af_packet functionality in the Linux     kernel handled the retirement timer setting for     TPACKET_v3 when getting settings from the underlying     network device errors out. This flaw allows a local     user who can open the af_packet domain socket and who     can hit the error path, to use this vulnerability to     starve the system.(CVE-2019-20812)A NULL pointer     dereference flaw was found in the Linux kernel's     SELinux subsystem. This flaw occurs while importing the     Commercial IP Security Option (CIPSO) protocol's     category bitmap into the SELinux extensible bitmap via     the' ebitmap_netlbl_import' routine. While processing     the CIPSO restricted bitmap tag in the     'cipso_v4_parsetag_rbm' routine, it sets the security     attribute to indicate that the category bitmap is     present, even if it has not been allocated. This issue     leads to a NULL pointer dereference issue while     importing the same category bitmap into SELinux. This     flaw allows a remote network user to crash the system     kernel, resulting in a denial of     service.(CVE-2020-10711)A flaw was found in the Linux     kernel's SELinux LSM hook implementation, where it     anticipated the skb would only contain a single Netlink     message. The hook incorrectly validated the first     Netlink message in the skb only, to allow or deny the     rest of the messages within the skb with the granted     permissions and without further processing. At this     time, there is no known ability for an attacker to     abuse this flaw.(CVE-2020-10751)A flaw was found in the     Linux Kernel in versions after 4.5-rc1 in the way     mremap handled DAX Huge Pages. This flaw allows a local     attacker with access to a DAX enabled storage to     escalate their privileges on the     system.(CVE-2020-10757)A logic bug flaw was found in     the Linux kernel's implementation of SSBD. A bug in the     logic handling allows an attacker with a local account     to disable SSBD protection during a context switch when     additional speculative execution mitigations are in     place. This issue was introduced when the per     task/process conditional STIPB switching was added on     top of the existing SSBD switching. The highest threat     from this vulnerability is to     confidentiality.(CVE-2020-10766)A flaw was found in the     Linux kernel's implementation of the Enhanced IBPB     (Indirect Branch Prediction Barrier). The IBPB     mitigation will be disabled when STIBP is not available     or when the Enhanced Indirect Branch Restricted     Speculation (IBRS) is available. This flaw allows a     local attacker to perform a Spectre V2 style attack     when this configuration is active. The highest threat     from this vulnerability is to     confidentiality.(CVE-2020-10767)A flaw was found in the     prctl() function, where it can be used to enable     indirect branch speculation after it has been disabled.
    This call incorrectly reports it as being 'force     disabled' when it is not and opens the system to     Spectre v2 attacks. The highest threat from this     vulnerability is to confidentiality.(CVE-2020-10768)A     flaw was found in the ZRAM kernel module, where a user     with a local account and the ability to read the     /sys/class/zram-control/hot_add file can create ZRAM     device nodes in the /dev/ directory. This read     allocates kernel memory and is not accounted for a user     that triggers the creation of that ZRAM device. With     this vulnerability, continually reading the device may     consume a large amount of system memory and cause the     Out-of-Memory (OOM) killer to activate and terminate     random userspace processes, possibly making the system     inoperable.(CVE-2020-10781)A stack buffer overflow     issue was found in the get_raw_socket() routine of the     Host kernel accelerator for virtio net (vhost-net)     driver. It could occur while doing an     ictol(VHOST_NET_SET_BACKEND) call, and retrieving     socket name in a kernel stack variable via     get_raw_socket(). A user able to perform ioctl(2) calls     on the '/dev/vhost-net' device may use this flaw to     crash the kernel resulting in DoS     issue.(CVE-2020-10942)A flaw was found in the Linux     kernel's implementation of the pivot_root syscall. This     flaw allows a local privileged user (root outside or     root inside a privileged container) to exploit a race     condition to manipulate the reference count of the root     filesystem. To be able to abuse this flaw, the process     or user calling pivot_root must have advanced     permissions. The highest threat from this vulnerability     is to system availability.(CVE-2020-12114)A     use-after-free flaw was found in usb_sg_cancel in     drivers/usb/core/message.c in the USB core subsystem.
    This flaw allows a local attacker with a special user     or root privileges to crash the system due to a race     problem in the scatter-gather cancellation and transfer     completion in usb_sg_wait. This vulnerability can also     lead to a leak of internal kernel     information.(CVE-2020-12464)A memory overflow and data     corruption flaw were found in the Mediatek MT76 driver     module for WiFi in mt76_add_fragment in     driverset/wireless/mediatek/mt76/dma.c. An oversized     packet with too many rx fragments causes an overflow     and corruption in memory of adjacent pages. A local     attacker with a special user or root privileges can     cause a denial of service or a leak of internal kernel     information.(CVE-2020-12465)A vulnerability was found     in __mptctl_ioctl in drivers/message/fusion/mptctl.c in     Fusion MPT base driver 'mptctl' in the SCSI device     module, where an incorrect lock leads to a race     problem. This flaw allows an attacker with local access     and special user (or root) privileges to cause a denial     of service.(CVE-2020-12652)A flaw was found in the way     the mwifiex_cmd_append_vsie_tlv() in Linux kernel's     Marvell WiFi-Ex driver handled vendor specific     information elements. A local user could use this flaw     to escalate their privileges on the     system.(CVE-2020-12653)A flaw was found in the Linux     kernel. The Marvell mwifiex driver allows a remote WiFi     access point to trigger a heap-based memory buffer     overflow due to an incorrect memcpy operation. The     highest threat from this vulnerability is to data     integrity and system availability.(CVE-2020-12654)A     flaw was discovered in the XFS source in the Linux     kernel. This flaw allows an attacker with the ability     to mount an XFS filesystem, to trigger a denial of     service while attempting to sync a file located on an     XFS v5 image with crafted metadata.(CVE-2020-12655)An     out-of-bounds (OOB) memory access flaw was found in the     Network XDP (the eXpress Data Path) module in the Linux     kernel's xdp_umem_reg function in net/xdp/xdp_umem.c.
    When a user with special user privilege of     CAP_NET_ADMIN (or root) calls setsockopt to register     umem ring on XDP socket, passing the headroom value     larger than the available space in the chunk, it leads     to an out-of-bounds write, causing panic or possible     memory corruption. This flaw may lead to privilege     escalation if a local end-user is granted permission to     influence the execution of code in this     manner.(CVE-2020-12659)A vulnerability was found in     sg_write in drivers/scsi/sg.c in the SCSI generic (sg)     driver subsystem. This flaw allows an attacker with     local access and special user or root privileges to     cause a denial of service if the allocated list is not     cleaned with an invalid (Sg_fd * sfp) pointer at the     time of failure, also possibly causing a kernel     internal information leak problem.(CVE-2020-12770)An     issue was discovered in the Linux kernel through     5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c     has a deadlock if a coalescing operation     fails.(CVE-2020-12771)A flaw was found in the Linux     kernel loose validation of child/parent process     identification handling while filtering signal     handlers. A local attacker is able to abuse this flaw     to bypass checks to send any signal to a privileged     process.(CVE-2020-12826)A flaw was found in the Linux     kernel, where it allows userspace processes, for     example, a guest VM, to directly access h/w devices via     its VFIO driver modules. The VFIO modules allow users     to enable or disable access to the devices' MMIO memory     address spaces. If a user attempts to access the     read/write devices' MMIO address space when it is     disabled, some h/w devices issue an interrupt to the     CPU to indicate a fatal error condition, crashing the     system. This flaw allows a guest user or process to     crash the host system resulting in a denial of     service.(CVE-2020-12888)gadget_dev_desc_UDC_store in     drivers/usb/gadget/configfs.c in the Linux kernel     through 5.6.13 relies on kstrdup without considering     the possibility of an internal '\0' value, which allows     attackers to trigger an out-of-bounds read, aka     CID-15753588bcd4.(CVE-2020-13143)** DISPUTED ** An     issue was discovered in the Linux kernel through 5.7.1.
    drivers/tty/vt/keyboard.c has an integer overflow if     k_ascii is called several times in a row, aka     CID-b86dab054059. NOTE: Members in the community argue     that the integer overflow does not lead to a security     issue in this case.(CVE-2020-13974)A use-after-free     flaw was found in slcan_write_wakeup in     driverset/can/slcan.c in the serial CAN module slcan. A     race condition occurs when communicating with can using     slcan between the write (scheduling the transmit) and     closing (flushing out any pending queues) the SLCAN     channel. This flaw allows a local attacker with special     user or root privileges to cause a denial of service or     a kernel information leak. The highest threat from this     vulnerability is to system     availability.(CVE-2020-14416)In the Linux kernel     through 5.7.6, usbtest_disconnect in     drivers/usb/misc/usbtest.c has a memory leak, aka     CID-28ebeb8db770.(CVE-2020-15393)The Linux kernel     through 5.7.11 allows remote attackers to make     observations that help to obtain sensitive information     about the internal state of the network RNG, aka     CID-f227e3ec3b5c. This is related to     drivers/char/random.c and     kernel/time/timer.c.(CVE-2020-16166)A flaw was found in     the Linux kernel's implementation of Userspace core     dumps. This flaw allows an attacker with a local     account to crash a trivial program and exfiltrate     private kernel data.(CVE-2020-10732)A flaw null pointer     dereference in the Linux kernel cgroupv2 subsystem in     versions before 5.7.10 was found in the way when reboot     the system. A local user could use this flaw to crash     the system or escalate their privileges on the     system.(CVE-2020-14356)The Linux kernel 4.9.x before     4.9.233, 4.14.x before 4.14.194, and 4.19.x before     4.19.140 has a use-after-free because skcd->no_refcnt     was not considered during a backport of a     CVE-2020-14356 patch. This is related to the cgroups     feature.(CVE-2020-25220)get_gate_page in mm/gup.c in     the Linux kernel 5.7.x and 5.8.x before 5.8.7 allows     privilege escalation because of incorrect reference     counting (caused by gate page mishandling) of the     struct page that backs the vsyscall page. The result is     a refcount underflow. This can be triggered by any     64-bit process that can use ptrace() or     process_vm_readv(), aka     CID-9fa2dd946743.(CVE-2020-25221)In the Linux kernel     through 5.8.7, local attackers able to inject conntrack     netlink configuration could overflow a local buffer,     causing crashes or triggering use of incorrect protocol     numbers in ctnetlink_parse_tuple_filter in     net/netfilter/nf_conntrack_netlink.c, aka     CID-1cc5ef91d2ff.(CVE-2020-25211)A buffer over-read     flaw was found in RH kernel versions before 5.0 in     crypto_authenc_extractkeys in crypto/authenc.c in the     IPsec Cryptographic algorithm's module, authenc. When a     payload longer than 4 bytes, and is not following     4-byte alignment boundary guidelines, it causes a     buffer over-read threat, leading to a system crash.
    This flaw allows a local attacker with user privileges     to cause a denial of service.(CVE-2020-10769)A flaw was     found in the Linux kernel's implementation of the     invert video code on VGA consoles when a local attacker     attempts to resize the console, calling an ioctl     VT_RESIZE, which causes an out-of-bounds write to     occur. This flaw allows a local user with access to the     VGA console to crash the system, potentially escalating     their privileges on the system. The highest threat from     this vulnerability is to data confidentiality and     integrity as well as system     availability.(CVE-2020-14331)In cdev_get of char_dev.c,     there is a possible use-after-free due to a race     condition. This could lead to local escalation of     privilege with System execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android-10Android ID:
    A-153467744(CVE-2020-0305)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - In calc_vm_may_flags of ashmem.c, there is a possible     arbitrary write to shared memory due to a permissions     bypass. This could lead to local escalation of     privilege by corrupting memory shared between     processes, with no additional execution privileges     needed. User interaction is not needed for     exploitation. Product: Android Versions: Android kernel     Android ID: A-142938932(CVE-2020-0009)

  - A flaw was found in the Linux Kernel in versions after     4.5-rc1 in the way mremap handled DAX Huge Pages. This     flaw allows a local attacker with access to a DAX     enabled storage to escalate their privileges on the     system.(CVE-2020-10757)

  - go7007_snd_init in     drivers/media/usb/go7007/snd-go7007.c in the Linux     kernel before 5.6 does not call snd_card_free for a     failure path, which causes a memory leak, aka     CID-9453264ef586.(CVE-2019-20810)

  - In the Android kernel in F2FS driver there is a     possible out of bounds read due to a missing bounds     check. This could lead to local information disclosure     with system execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2019-9445)

  - A flaw was found in the Linux kernels SELinux LSM hook     implementation before version 5.7, where it incorrectly     assumed that an skb would only contain a single netlink     message. The hook would incorrectly only validate the     first netlink message in the skb and allow or deny the     rest of the messages within the skb with the granted     permission without further processing.(CVE-2020-10751)

  - An issue was discovered in the Linux kernel before     5.4.7. The prb_calc_retire_blk_tmo() function in     net/packet/af_packet.c can result in a denial of     service (CPU consumption and soft lockup) in a certain     failure case involving TPACKET_V3, aka     CID-b43d1f9f7067.(CVE-2019-20812)

  - ** DISPUTED ** An issue was discovered in the Linux     kernel through 5.7.1. drivers/tty/vt/keyboard.c has an     integer overflow if k_ascii is called several times in     a row, aka CID-b86dab054059. NOTE: Members in the     community argue that the integer overflow does not lead     to a security issue in this case.(CVE-2020-13974)

  - An issue was discovered in the Linux kernel before     5.0.6. In rx_queue_add_kobject() and     netdev_queue_add_kobject() in net/core/net-sysfs.c, a     reference count is mishandled, aka     CID-a3e23f719f5c.(CVE-2019-20811)

  - A flaw was found in the prctl() function, where it can     be used to enable indirect branch speculation after it     has been disabled. This call incorrectly reports it as     being 'force disabled' when it is not and opens the     system to Spectre v2 attacks. The highest threat from     this vulnerability is to     confidentiality.(CVE-2020-10768)

  - A flaw was found in the Linux kernel's implementation     of the Enhanced IBPB (Indirect Branch Prediction     Barrier). The IBPB mitigation will be disabled when     STIBP is not available or when the Enhanced Indirect     Branch Restricted Speculation (IBRS) is available. This     flaw allows a local attacker to perform a Spectre V2     style attack when this configuration is active. The     highest threat from this vulnerability is to     confidentiality.(CVE-2020-10767)

  - A logic bug flaw was found in the Linux kernel's     implementation of SSBD. A bug in the logic handling     allows an attacker with a local account to disable SSBD     protection during a context switch when additional     speculative execution mitigations are in place. This     issue was introduced when the per task/process     conditional STIPB switching was added on top of the     existing SSBD switching. The highest threat from this     vulnerability is to confidentiality.(CVE-2020-10766)

  - A new domain bypass transient execution attack known as     Special Register Buffer Data Sampling (SRBDS) has been     found. This flaw allows data values from special     internal registers to be leaked by an attacker able to     execute code on any core of the CPU. An unprivileged,     local attacker can use this flaw to infer values     returned by affected instructions known to be commonly     used during cryptographic operations that rely on     uniqueness, secrecy, or both.(CVE-2020-0543)

  - In the Linux kernel before 5.4.16, a race condition in     tty->disc_data handling in the slip and slcan line     discipline could lead to a use-after-free, aka     CID-0ace17d56824. This affects drivers/net/slip/slip.c     and drivers/net/can/slcan.c.(CVE-2020-14416)

  - The flow_dissector feature in the Linux kernel 4.3     through 5.x before 5.3.10 has a device tracking     vulnerability, aka CID-55667441c84f. This occurs     because the auto flowlabel of a UDP IPv6 packet relies     on a 32-bit hashrnd value as a secret, and because     jhash (instead of siphash) is used. The hashrnd value     remains the same starting from boot time, and can be     inferred by an attacker. This affects     net/core/flow_dissector.c and related     code.(CVE-2019-18282)

  - The VFIO PCI driver in the Linux kernel through 5.6.13     mishandles attempts to access disabled memory     space.(CVE-2020-12888)

  - In the Linux kernel through 5.7.6, usbtest_disconnect     in drivers/usb/misc/usbtest.c has a memory leak, aka     CID-28ebeb8db770.(CVE-2020-15393)

  - A flaw was found in the ZRAM kernel module, where a     user with a local account and the ability to read the     /sys/class/zram-control/hot_add file can create ZRAM     device nodes in the /dev/ directory. This read     allocates kernel memory and is not accounted for a user     that triggers the creation of that ZRAM device. With     this vulnerability, continually reading the device may     consume a large amount of system memory and cause the     Out-of-Memory (OOM) killer to activate and terminate     random userspace processes, possibly making the system     inoperable.(CVE-2020-10781)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2020-1480 advisory.

  - The Serial Attached SCSI (SAS) implementation in the Linux kernel through 4.15.9 mishandles a mutex within     libsas, which allows local users to cause a denial of service (deadlock) by triggering certain error-     handling code. (CVE-2017-18232)

  - The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c in the Linux kernel through 4.15.8     does not validate certain resource availability, which allows local users to cause a denial of service     (NULL pointer dereference). (CVE-2018-8043)

  - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.
    (CVE-2019-18808)

  - A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux     kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering     kfifo_alloc() failures, aka CID-a7b2df76b42b. (CVE-2019-19054)

  - A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux     kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka     CID-9c0530e898f3. (CVE-2019-19061)

  - Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow     attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout()     failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the     htc_connect_service() function, aka CID-853acf7caf10. (CVE-2019-19073)

  - A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
    (CVE-2019-19074)

  - In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory     locations from another process in the same guest. This problem is limit to the host running linux kernel     4.10 with a guest running linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel     CPUs cannot be ruled out. (CVE-2019-3016)

  - In the Android kernel in F2FS driver there is a possible out of bounds read due to a missing bounds check.
    This could lead to local information disclosure with system execution privileges needed. User interaction     is not needed for exploitation. (CVE-2019-9445)

  - An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10.
    Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka     CID-d0c7feaf8767. (CVE-2020-12655)

  - In the Linux kernel through 5.7.6, usbtest_disconnect in drivers/usb/misc/usbtest.c has a memory leak, aka     CID-28ebeb8db770. (CVE-2020-15393)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):An issue was discovered in     the Linux kernel before 5.2. There is a NULL pointer     dereference in tw5864_handle_frame() in     drivers/media/pci/tw5864/tw5864-video.c, which may     cause denial of service, aka     CID-2e7682ebfc75.(CVE-2019-20806)A flaw was found in     the ZRAM kernel module, where a user with a local     account and the ability to read the     /sys/class/zram-control/hot_add file can create ZRAM     device nodes in the /dev/ directory. This read     allocates kernel memory and is not accounted for a user     that triggers the creation of that ZRAM device. With     this vulnerability, continually reading the device may     consume a large amount of system memory and cause the     Out-of-Memory (OOM) killer to activate and terminate     random userspace processes, possibly making the system     inoperable.(CVE-2020-10781)In the Linux kernel before     5.4.16, a race condition in tty->disc_data handling in     the slip and slcan line discipline could lead to a     use-after-free, aka CID-0ace17d56824. This affects     drivers/ net/slip/slip.c and drivers/     net/can/slcan.c.(CVE-2020-14416)The VFIO PCI driver in     the Linux kernel through 5.6.13 mishandles attempts to     access disabled memory space.(CVE-2020-12888)The     flow_dissector feature in the Linux kernel 4.3 through     5.x before 5.3.10 has a device tracking vulnerability,     aka CID-55667441c84f. This occurs because the auto     flowlabel of a UDP IPv6 packet relies on a 32-bit     hashrnd value as a secret, and because jhash (instead     of siphash) is used. The hashrnd value remains the same     starting from boot time, and can be inferred by an     attacker. This affects net/core/flow_dissector.c and     related code.(CVE-2019-18282)In the Linux kernel     through 5.7.6, usbtest_disconnect in     drivers/usb/misc/usbtest.c has a memory leak, aka     CID-28ebeb8db770.(CVE-2020-15393)An issue was     discovered in the Linux kernel before 5.0.6. In     rx_queue_add_kobject() and netdev_queue_add_kobject()     in net/core/ net-sysfs.c, a reference count is     mishandled, aka CID-a3e23f719f5c.(CVE-2019-20811)A flaw     was found in the Linux kernels SELinux LSM hook     implementation before version 5.7, where it incorrectly     assumed that an skb would only contain a single netlink     message. The hook would incorrectly only validate the     first netlink message in the skb and allow or deny the     rest of the messages within the skb with the granted     permission without further     processing.(CVE-2020-10751)In the Android kernel in     F2FS driver there is a possible out of bounds read due     to a missing bounds check. This could lead to local     information disclosure with system execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2019-9445)A flaw was found in the     Linux kernel's implementation of Userspace core dumps.
    This flaw allows an attacker with a local account to     crash a trivial program and exfiltrate private kernel     data.(CVE-2020-10732)go7007_snd_init in     drivers/media/usb/go7007/snd-go7007.c in the Linux     kernel before 5.6 does not call snd_card_free for a     failure path, which causes a memory leak, aka     CID-9453264ef586.(CVE-2019-20810)Legacy pairing and     secure-connections pairing authentication in Bluetooth(r)     BR/EDR Core Specification v5.2 and earlier may allow an     unauthenticated user to complete authentication without     pairing credentials via adjacent access. An     unauthenticated, adjacent attacker could impersonate a     Bluetooth BR/EDR master or slave to pair with a     previously paired remote device to successfully     complete the authentication procedure without knowing     the link key.(CVE-2020-10135)An issue was discovered in     the Linux kernel before 5.4.7. The     prb_calc_retire_blk_tmo() function in     net/packet/af_packet.c can result in a denial of     service (CPU consumption and soft lockup) in a certain     failure case involving TPACKET_V3, aka     CID-b43d1f9f7067.(CVE-2019-20812)An issue was     discovered in the Linux kernel through 5.7.1.
    drivers/tty/vt/keyboard.c has an integer overflow if     k_ascii is called several times in a row, aka     CID-b86dab054059. NOTE: Members in the community argue     that the integer overflow does not lead to a security     issue in this case.(CVE-2020-13974)In calc_vm_may_flags     of ashmem.c, there is a possible arbitrary write to     shared memory due to a permissions bypass. This could     lead to local escalation of privilege by corrupting     memory shared between processes, with no additional     execution privileges needed. User interaction is not     needed for exploitation. Product: Android Versions:
    Android kernel Android ID: A-142938932(CVE-2020-0009)A     flaw was found in the Linux Kernel in versions after     4.5-rc1 in the way mremap handled DAX Huge Pages. This     flaw allows a local attacker with access to a DAX     enabled storage to escalate their privileges on the     system.(CVE-2020-10757)gadget_dev_desc_UDC_store in     drivers/usb/gadget/configfs.c in the Linux kernel     through 5.6.13 relies on kstrdup without considering     the possibility of an internal '\0' value, which allows     attackers to trigger an out-of-bounds read, aka     CID-15753588bcd4.(CVE-2020-13143)Incomplete cleanup     from specific special register read operations in some     Intel(R) Processors may allow an authenticated user to     potentially enable information disclosure via local     access.(CVE-2020-0543)A flaw was found in the prctl()     function, where it can be used to enable indirect     branch speculation after it has been disabled. This     call incorrectly reports it as being 'force disabled'     when it is not and opens the system to Spectre v2     attacks. The highest threat from this vulnerability is     to confidentiality.(CVE-2020-10768)A flaw was found in     the Linux kernel's implementation of the Enhanced IBPB     (Indirect Branch Prediction Barrier). The IBPB     mitigation will be disabled when STIBP is not available     or when the Enhanced Indirect Branch Restricted     Speculation (IBRS) is available. This flaw allows a     local attacker to perform a Spectre V2 style attack     when this configuration is active. The highest threat     from this vulnerability is to     confidentiality.(CVE-2020-10767)A logic bug flaw was     found in the Linux kernel's implementation of SSBD. A     bug in the logic handling allows an attacker with a     local account to disable SSBD protection during a     context switch when additional speculative execution     mitigations are in place. This issue was introduced     when the per task/process conditional STIPB switching     was added on top of the existing SSBD switching. The     highest threat from this vulnerability is to     confidentiality.(CVE-2020-10766)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
142176	Debian DLA-2420-2 : linux regression update	Nessus	Debian Local Security Checks	high
141789	Slackware 14.2 : Slackware 14.2 kernel (SSA:2020-295-01)	Nessus	Slackware Local Security Checks	high
140724	Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-4527-1)	Nessus	Ubuntu Local Security Checks	high
140722	Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel vulnerabilities (USN-4526-1)	Nessus	Ubuntu Local Security Checks	high
140328	EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2020-1958)	Nessus	Huawei Local Security Checks	high
139995	EulerOS Virtualization for ARM 64 3.0.6.0 : kernel (EulerOS-SA-2020-1892)	Nessus	Huawei Local Security Checks	high
139858	Amazon Linux 2 : kernel (ALAS-2020-1480)	Nessus	Amazon Linux Local Security Checks	medium
139137	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1807)	Nessus	Huawei Local Security Checks	high

CVE-2019-9445

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

medium

high