Lucene search

K
debianDebianDEBIAN:DLA-2242-1:573AF
HistoryJun 10, 2020 - 10:48 a.m.

[SECURITY] [DLA 2242-1] linux-4.9 security update

2020-06-1010:48:38
lists.debian.org
74
linux kernel
privilege escalation
denial of service
information leaks
cve-2019-2182
arm64
cve-2019-5108
ieee 802.11
wifi
cve-2019-19319
ext4
filesystem
cve-2019-19462
debugfs
relay
cve-2019-19768
blktrace
cve-2019-20806
tw5864
media driver
cve-2020-0543
rdrand
rdseed
speculative execution
cve-2020-2732
kvm
intel processors
cve-2020-8428
filesystem core.

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.01

Percentile

83.7%

Package : linux-4.9
Version : 4.9.210-1+deb9u1~deb8u1
CVE ID : CVE-2019-2182 CVE-2019-5108 CVE-2019-19319 CVE-2019-19462
CVE-2019-19768 CVE-2019-20806 CVE-2019-20811 CVE-2020-0543
CVE-2020-2732 CVE-2020-8428 CVE-2020-8647 CVE-2020-8648
CVE-2020-8649 CVE-2020-9383 CVE-2020-10711 CVE-2020-10732
CVE-2020-10751 CVE-2020-10757 CVE-2020-10942 CVE-2020-11494
CVE-2020-11565 CVE-2020-11608 CVE-2020-11609 CVE-2020-11668
CVE-2020-12114 CVE-2020-12464 CVE-2020-12652 CVE-2020-12653
CVE-2020-12654 CVE-2020-12770 CVE-2020-13143
Debian Bug : 952660

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2019-2182

Hanjun Guo and Lei Li reported a race condition in the arm64
virtual memory management code, which could lead to an information
disclosure, denial of service (crash), or possibly privilege
escalation.

CVE-2019-5108

Mitchell Frank of Cisco discovered that when the IEEE 802.11
(WiFi) stack was used in AP mode with roaming, it would trigger
roaming for a newly associated station before the station was
authenticated.  An attacker within range of the AP could use this
to cause a denial of service, either by filling up a switching
table or by redirecting traffic away from other stations.

CVE-2019-19319

Jungyeon discovered that a crafted filesystem can cause the ext4
implementation to deallocate or reallocate journal blocks.  A user
permitted to mount filesystems could use this to cause a denial of
service (crash), or possibly for privilege escalation.

CVE-2019-19462

The syzbot tool found a missing error check in the 'relay'
library used to implement various files under debugfs.  A local
user permitted to access debugfs could use this to cause a denial
of service (crash) or possibly for privilege escalation.

CVE-2019-19768

Tristan Madani reported a race condition in the blktrace debug
facility that could result in a use-after-free.  A local user able
to trigger removal of block devices could possibly use this to
cause a denial of service (crash) or for privilege escalation.

CVE-2019-20806

A potential null pointer dereference was discovered in the tw5864
media driver.  The security impact of this is unclear.

CVE-2019-20811

The Hulk Robot tool found a reference-counting bug in an error
path in the network subsystem.  The security impact of this is
unclear.

CVE-2020-0543

Researchers at VU Amsterdam discovered that on some Intel CPUs
supporting the RDRAND and RDSEED instructions, part of a random
value generated by these instructions may be used in a later
speculative execution on any core of the same physical CPU.
Depending on how these instructions are used by applications, a
local user or VM guest could use this to obtain sensitive
information such as cryptographic keys from other users or VMs.

This vulnerability can be mitigated by a microcode update, either
as part of system firmware (BIOS) or through the intel-microcode
package in Debian's non-free archive section.  This kernel update
only provides reporting of the vulnerability and the option to
disable the mitigation if it is not needed.

CVE-2020-2732

Paulo Bonzini discovered that the KVM implementation for Intel
processors did not properly handle instruction emulation for L2
guests when nested virtualization is enabled. This could allow an
L2 guest to cause privilege escalation, denial of service, or
information leaks in the L1 guest.

CVE-2020-8428

Al Viro discovered a potential use-after-free in the filesystem
core (vfs).  A local user could exploit this to cause a denial of
service (crash) or possibly to obtain sensitive information from
the kernel.

CVE-2020-8647, CVE-2020-8649

The Hulk Robot tool found a potential MMIO out-of-bounds access in
the vgacon driver.  A local user permitted to access a virtual
terminal (/dev/tty1 etc.) on a system using the vgacon driver
could use this to cause a denial of service (crash or memory
corruption) or possibly for privilege escalation.

CVE-2020-8648

The syzbot tool found a race condition in the the virtual terminal
driver, which could result in a use-after-free.  A local user
permitted to access a virtual terminal could use this to cause a
denial of service (crash or memory corruption) or possibly for
privilege escalation.

CVE-2020-9383

Jordy Zomer reported an incorrect range check in the floppy driver
which could lead to a static out-of-bounds access.  A local user
permitted to access a floppy drive could use this to cause a
denial of service (crash or memory corruption) or possibly for
privilege escalation.

CVE-2020-10711

Matthew Sheets reported NULL pointer dereference issues in the
SELinux subsystem while receiving CIPSO packet with null category. A
remote attacker can take advantage of this flaw to cause a denial of
service (crash). Note that this issue does not affect the binary
packages distributed in Debian as CONFIG_NETLABEL is not enabled.

CVE-2020-10732

An information leak of kernel private memory to userspace was found
in the kernel's implementation of core dumping userspace processes.

CVE-2020-10751

Dmitry Vyukov reported that the SELinux subsystem did not properly
handle validating multiple messages, which could allow a privileged
attacker to bypass SELinux netlink restrictions.

CVE-2020-10757

Fan Yang reported a flaw in the way mremap handled DAX hugepages,
allowing a local user to escalate their privileges

CVE-2020-10942

It was discovered that the vhost_net driver did not properly
validate the type of sockets set as back-ends. A local user
permitted to access /dev/vhost-net could use this to cause a stack
corruption via crafted system calls, resulting in denial of
service (crash) or possibly privilege escalation.

CVE-2020-11494

It was discovered that the slcan (serial line CAN) network driver
did not fully initialise CAN headers for received packets,
resulting in an information leak from the kernel to user-space or
over the CAN network.

CVE-2020-11565

Entropy Moe reported that the shared memory filesystem (tmpfs) did
not correctly handle an "mpol" mount option specifying an empty
node list, leading to a stack-based out-of-bounds write. If user
namespaces are enabled, a local user could use this to cause a
denial of service (crash) or possibly for privilege escalation.

CVE-2020-11608, CVE-2020-11609, CVE-2020-11668

It was discovered that the ov519, stv06xx, and xirlink_cit media
drivers did not properly validate USB device descriptors.  A
physically present user with a specially constructed USB device
could use this to cause a denial-of-service (crash) or possibly
for privilege escalation.

CVE-2020-12114

Piotr Krysiuk discovered a race condition between the umount and
pivot_root operations in the filesystem core (vfs).  A local user
with the CAP_SYS_ADMIN capability in any user namespace could use
this to cause a denial of service (crash).

CVE-2020-12464

Kyungtae Kim reported a race condition in the USB core that can
result in a use-after-free.  It is not clear how this can be
exploited, but it could result in a denial of service (crash or
memory corruption) or privilege escalation.

CVE-2020-12652

Tom Hatskevich reported a bug in the mptfusion storage drivers.
An ioctl handler fetched a parameter from user memory twice,
creating a race condition which could result in incorrect locking
of internal data structures.  A local user permitted to access
/dev/mptctl could use this to cause a denial of service (crash or
memory corruption) or for privilege escalation.

CVE-2020-12653

It was discovered that the mwifiex WiFi driver did not
sufficiently validate scan requests, resulting a potential heap
buffer overflow.  A local user with CAP_NET_ADMIN capability could
use this to cause a denial of service (crash or memory corruption)
or possibly for privilege escalation.

CVE-2020-12654

It was discovered that the mwifiex WiFi driver did not
sufficiently validate WMM parameters received from an access point
(AP), resulting a potential heap buffer overflow.  A malicious AP
could use this to cause a denial of service (crash or memory
corruption) or possibly to execute code on a vulnerable system.

CVE-2020-12770

It was discovered that the sg (SCSI generic) driver did not
correctly release internal resources in a particular error case.
A local user permitted to access an sg device could possibly use
this to cause a denial of service (resource exhaustion).

CVE-2020-13143

Kyungtae Kim reported a potential heap out-of-bounds write in
the USB gadget subsystem.  A local user permitted to write to
the gadget configuration filesystem could use this to cause a
denial of service (crash or memory corruption) or potentially
for privilege escalation.

For Debian 8 "Jessie", these problems have been fixed in version
4.9.210-1+deb9u1~deb8u1. This version also fixes some related bugs
that do not have their own CVE IDs, and a regression in the macvlan
driver introduced in the previous security update (bug #952660).

We recommend that you upgrade your linux-4.9 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
Attachment:
signature.asc
Description: This is a digitally signed message part

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.01

Percentile

83.7%