Main Vulnerability Database SB2019080902

SB2019080902 - Red Hat update for kernel

Published: August 9, 2019

Security Bulletin ID SB2019080902

Severity

Low

Patch available

YES

Number of vulnerabilities 25

Exploitation vector Adjecent network

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 25 secuirty vulnerabilities.

1) Security restrictions bypass (CVE-ID: CVE-2018-7755)

The vulnerability allows a local unauthenticated attacker to bypass security restrictions on the target system.

The weakness exists in the drivers/block/floppy.c source code in the fd_locked_ioctl function due to insufficient security restrictions. A local attacker can bypass security restrictions through the system floppy drive and obtain kernel code and data from the system.

2) Memory corruption (CVE-ID: CVE-2018-8087)

The vulnerability allows a local attacker to cause DoS condition on the target system.

The weakness exists in the hwsim_new_radio_nl function due to memory leak. A local attacker can trigger memory corruption and cause the service the crash.

3) Buffer overflow (CVE-ID: CVE-2018-9363)

The vulnerability allows an attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error within the hidp_process_report when processing Bluetooth packets. An attacker with physical proximity to the system can send specially crafted traffic, trigger memory corruption and perform denial of service attack or execute arbitrary code.

4) Out-of-bounds write (CVE-ID: CVE-2018-9516)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to out-of-bounds write in hid_debug_events_read of drivers/hid/hid-debug.c when a missing bounds check. A local attacker can trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

5) Use-after-free (CVE-ID: CVE-2018-9517)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in pppol2tp_connect. A local user can trigger memory corruption and escalate privileges on the system.

6) Permissions, privileges, and access controls (CVE-ID: CVE-2018-10853)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists in the way Linux kernel KVM hypervisor emulates instructions, such as sgdt/sidt/fxsave/fxrstor. A local unprivileged user on a guest system can gain write access to kernel space on the same guest system.

7) Integer overflow (CVE-ID: CVE-2018-13053)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists in kernel/time/alarmtimer.c within the alarm_timer_nsleep function. A local user can trigger integer overflow due to ktime_add_safe is not used and escalate privileges on the system.

8) Null pointer dereference (CVE-ID: CVE-2018-13093)

The vulnerability allows a local attacker to cause DoS condition on the target system.

The vulnerability exists in the lookup_slow() function in the Extended File System (XFS) component, as defined in the source code file fs/xfs/xfs_icache.c due to boundary error when mounting XFS filesystems. A local attacker can mount an XFS filesystem that submits malicious input, trigger NULL pointer dereference memory error and cause the affected software to terminate abnormally.

9) Null pointer dereference (CVE-ID: CVE-2018-13094)

The vulnerability allows a local attacker to cause DoS condition on the target system.

The vulnerability exists due to NULL pointer dereference in the fs/xfs/libxfs/xfs_attr_leaf.c source code file in the Extended File System (XFS) component when the xfs_da_shrink_inode() function is called with a NULL byte pointer. A local attacker can mount and perform operations on a crafted XFS image, trigger a NULL pointer dereference condition in the xfs_trans_binval() function and cause the service to crash.

10) Null pointer dereference (CVE-ID: CVE-2018-13095)

The vulnerability allows a local attacker to cause DoS condition on the target system.

The vulnerability exists in the xfs_bmap_extents_to_btree() function in the Extended File System (XFS) component, as defined in the source code file fs/xfs/libxfs/xfs_inode_buf.c due to boundary error when mounting XFS filesystems. A local attacker can access the system, mount an XFS filesystem that submits malicious input, trigger a NULL pointer dereference memory error and cause the affected software to terminate abnormally.

11) Race condition (CVE-ID: CVE-2018-14625)

The vulnerability allows a local attacker to obtain potentially sensitive information.

The weakness exists due to a race condition between connect() and close() function. A local attacker can use the AF_VSOCK protocol to obtain sensitive information possibly intercept or corrupt AF_VSOCK messages destined to other clients.

12) Use-after-free error (CVE-ID: CVE-2018-14734)

The vulnerability allows a local attacker to cause DoS condition on the target system.

The vulnerability exists due to the ucma_leave_multicast() function, as defined in the drivers/infiniband/core/ucma.c source code file of the affected software, could allow access to a certain data structure after it has been allocated and freed in the ucma_process_join() function. A local attacker can send a specially request that submits malicious input, trigger use-after-free error and cause the service to crash.

13) Information disclosure (CVE-ID: CVE-2018-15594)

The vulnerability allows an adjacent attacker to conduct Spectre version 2 (Spectre-v2) attacks.

The vulnerability exists in the arch/x86/kernel/paravirt.c source code file due to improper handling of indirect calls to CALLEE_SAVE paravirtual functions. A remote attacker can access the system and execute an application that submits malicious input to access sensitive information, which could be used to conduct additional attacks.

14) Buffer over-read (CVE-ID: CVE-2018-16658)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in cdrom_ioctl_drive_status() function in drivers/cdrom/cdrom.c. A local unprivileged user can create a specially crafted application, trigger out-of-bounds read error and read contents of kernel memory.

15) Out-of-bounds read (CVE-ID: CVE-2018-16885)

The vulnerability allows a local attacker to cause DoS condition on the target system.

The vulnerability exists due to out-of-bounds read. A local attacker can call memcpy_fromiovecend() and similar functions with a zero offset and buffer length, cause a memory access fault and a system halt by accessing invalid memory address.

16) Improper access control (CVE-ID: CVE-2018-18281)

The vulnerability allows a local user to bypass certain security restrictions.

The vulnerability exists due to improper access restrictions to memory when performing TLB flushes after dropping pagetable locks with mremap() syscall, A local user can access a physical page of a stale TLB entry after ftruncate() syscall is called to remove entries from the pagetables of a task that is in the middle of mremap() syscall.

Successful exploitation of the vulnerability may allow an attacker to gain access to sensitive information, stored in process memory.

17) Memory leak (CVE-ID: CVE-2019-3459)

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due heap address infoleak in use of l2cap_get_conf_opt. A local attacker can trigger memory leak and access important data.

18) Memory leak (CVE-ID: CVE-2019-3460)

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due heap address infoleak in multiple locations including function l2cap_parse_conf_rsp. A local attacker can trigger memory leak and access important data.

19) Resource exhaustion (CVE-ID: CVE-2019-3882)

The vulnerability allows a local user to perform denial of service (DoS) attack.

The vulnerability exists within Linux kernel's vfio interface implementation, related to incorrect permission management. A local user with administrative privileges of the device, connected to vfio-pci interface can exhaust all system resources and perform denial of service attack.

20) Infinite loop (CVE-ID: CVE-2019-3900)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in vhost_net kernel module when processing incoming packets in handle_rx(). A remote attacker with access to guest operating system can stall the vhost_net kernel thread and cause denial of service conditions.

21) Information disclosure (CVE-ID: CVE-2019-5489)

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists due to a flaw in the mincore() implementation in mm/mincore.c. A local attacker can observe page cache access patterns of other processes on the same system and sniff secret information.

22) Memory leak (CVE-ID: CVE-2019-7222)

The vulnerability allows an adjacent attacker to obtain potentially sensitive information.

The weakness exists due to exists due to memory leak in kvm_inject_page_fault. An adjacent attacker can gain access to important data and conduct further attacks.

23) Race condition (CVE-ID: CVE-2019-11599)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition with mmget_not_zero or get_task_mm calls and is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c due to kernel does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.

24) NULL pointer dereference (CVE-ID: CVE-2019-11810)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. A local user can perform a denial of service (DoS) attack.

25) Information disclosure (CVE-ID: CVE-2019-11833)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to the Linux kernel does not zero out the unused memory region in the extent tree block within the fs/ext4/extents.c. A local user can gain unauthorized access to sensitive information on the system.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2019:2029