Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management

2020-10-28 13:21:38
www.ibm.com
ibm netezza host management
linux kernel
arbitrary code execution
denial of service
usb device

EPSS: 0.002 (percentile: 58.1%)

Summary

Kernel is used by IBM Netezza Host Management. This bulletin provides mitigation for the reported CVEs.

Vulnerability Details

CVEID: CVE-2019-15214
**DESCRIPTION:** Linux Kernel could allow a physical attacker to execute arbitrary code on the system, caused by a use-after-free flaw in the sound subsystem. By performing card disconnection actions, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service on the system.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165535 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-15217
**DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the yurex.c driver. By using a specially-crafted USB device, a physical attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165538 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-15218
**DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the smsusb.c driver. By using a specially-crafted USB device, a physical attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165539 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-15219
**DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the sisusb.c driver. By using a specially-crafted USB device, a physical attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165540 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-15291
**DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the flexcop_usb_probe function in the flexcop-usb.c driver. By using a specially-crafted USB device, a physical attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165548 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Netezza Host Management | All IBM Netezza Host Management starting 5.4.9.0 |

Remediation/Fixes

None

Workarounds and Mitigations

The reported CVEs (CVE-2019-15214, CVE-2019-15217, CVE-2019-15218, CVE-2019-15219, CVE-2019-15291) are mitigated by blocklisting the kernel modules snd, zr364xx, smsusb, sisusbvga and b2c2-flexcop-usb so that they are not loaded automatically on PureData System for Analytics N200x and N3001. The procedure is as follows:

1. Change to user nz:
[root@nzhost1 ~]# su - nz

2. Check to see if Call Home is enabled:
[nz@nzhost1 ~]$ nzcallhome -status
If enabled, disable it:
[nz@nzhost1 ~]$ nzcallhome -off
**Note:** Ensure that nzcallhome returns status as disabled. If there are errors in the callHome.txt configuration file, the errors are listed in the output, and Call Home is disabled.

3. Check the state of the Netezza system:
[nz@nzhost1 ~]$ nzstate

4. If the system state is online, stop the system using the command:
[nz@nzhost1 ~]$ nzstop

5. Wait for the system to stop, using the command:
[nz@nzhost1 ~]$ nzstate
System state is ‘Stopped’.

6. Exit from the nz session to return to user root:
[nz@nzhost1 ~]$ exit

7. Logged into the active host as root, type the following commands to stop the heartbeat processes:
[root@nzhost1 ~]# ssh ha2 /sbin/service heartbeat stop
[root@nzhost1 ~]# /sbin/service heartbeat stop

8. Run the commands below as root to disable heartbeat at startup:
[root@nzhost1 ~]# ssh ha2 /sbin/chkconfig heartbeat off
[root@nzhost1 ~]# /sbin/chkconfig heartbeat off

9. Type the following commands to stop the DRBD processes:
[root@nzhost1 ~]# ssh ha2 /sbin/service drbd stop
[root@nzhost1 ~]# /sbin/service drbd stop

10. Run the commands below as root to disable drbd at startup:
[root@nzhost1 ~]# ssh ha2 /sbin/chkconfig drbd off
[root@nzhost1 ~]# /sbin/chkconfig drbd off

Execute the steps below as the root user on both the ha1 and ha2 hosts.

Step 1: Check whether the kernel modules snd, zr364xx, smsusb, sisusbvga, b2c2-flexcop-usb are loaded on the hosts.

lsmod | grep snd
lsmod | grep zr364xx
lsmod | grep smsusb
lsmod | grep sisusbvga
lsmod | grep b2c2_flexcop_usb

example:
[root@nzhost1 ~]# lsmod | grep snd
snd 74199 0
soundcore 7990 1 snd
[root@nzhost1 ~]# lsmod | grep zr364xx
zr364xx 20096 0
videodev 76188 1 zr364xx
videobuf_vmalloc 5295 1 zr364xx
videobuf_core 20302 2 zr364xx,videobuf_vmalloc
[root@nzhost1 ~]# lsmod | grep smsusb
smsusb 8924 0
smsmdtv 30790 1 smsusb
[root@nzhost1 ~]# lsmod | grep sisusbvga
sisusbvga 51565 0
[root@nzhost1 ~]# lsmod | grep b2c2_flexcop_usb
b2c2_flexcop_usb 5306 0
b2c2_flexcop 28746 1 b2c2_flexcop_usb

Note: No output in Step 1 for a module indicates that the module is not loaded. Skip Step 2 for that module and proceed with Step 3.

Step 2: Unload the kernel modules snd, zr364xx, smsusb, sisusbvga, b2c2-flexcop-usb if they are loaded.

modprobe -rv snd
modprobe -rv zr364xx
modprobe -rv smsusb
modprobe -rv sisusbvga
modprobe -rv b2c2-flexcop-usb

example:
[root@nzhost1 ~]# modprobe -rv snd
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/sound/core/snd.ko
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/sound/soundcore.ko
[root@nzhost1 ~]# modprobe -rv zr364xx
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/video/zr364xx.ko
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/video/videodev.ko
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/video/v4l2-compat-ioctl32.ko
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/video/videobuf-vmalloc.ko
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/video/videobuf-core.ko
[root@nzhost1 ~]# modprobe -rv smsusb
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/dvb/siano/smsusb.ko
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/dvb/siano/smsmdtv.ko
[root@nzhost1 ~]# modprobe -rv sisusbvga
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/usb/misc/sisusbvga/sisusbvga.ko
[root@nzhost1 ~]# modprobe -rv b2c2-flexcop-usb
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/dvb/b2c2/b2c2-flexcop-usb.ko
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/dvb/b2c2/b2c2-flexcop.ko
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/dvb/dvb-core/dvb-core.ko
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/dvb/frontends/cx24123.ko
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/dvb/frontends/cx24113.ko
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/dvb/frontends/s5h1420.ko

Kernel modules and their dependent modules will be unloaded in the reverse order that they are loaded, given that no processes depend on any of the modules being unloaded.

Step 3: To prevent the modules from being loaded directly, add a blacklist line for each one to a configuration file specific to the system configuration. The modprobe configuration keyword is `blacklist`; modprobe does not act on any other spelling.

echo "blacklist snd" >> /etc/modprobe.d/local-blocklist.conf
echo "blacklist zr364xx" >> /etc/modprobe.d/local-blocklist.conf
echo "blacklist smsusb" >> /etc/modprobe.d/local-blocklist.conf
echo "blacklist sisusbvga" >> /etc/modprobe.d/local-blocklist.conf
echo "blacklist b2c2-flexcop-usb" >> /etc/modprobe.d/local-blocklist.conf

example:
[root@nzhost1 ~]# echo "blacklist snd" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# echo "blacklist zr364xx" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# echo "blacklist smsusb" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# echo "blacklist sisusbvga" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# echo "blacklist b2c2-flexcop-usb" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep snd
blacklist snd
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep zr364xx
blacklist zr364xx
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep smsusb
blacklist smsusb
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep sisusbvga
blacklist sisusbvga
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep b2c2-flexcop-usb
blacklist b2c2-flexcop-usb

Step 4: Kernel modules can be loaded directly or loaded as a dependency of another module. To prevent a module from being installed as a dependency of another module, run the following:

echo "install snd /bin/false" >> /etc/modprobe.d/local-blocklist.conf
echo "install zr364xx /bin/false" >> /etc/modprobe.d/local-blocklist.conf
echo "install smsusb /bin/false" >> /etc/modprobe.d/local-blocklist.conf
echo "install sisusbvga /bin/false" >> /etc/modprobe.d/local-blocklist.conf
echo "install b2c2-flexcop-usb /bin/false" >> /etc/modprobe.d/local-blocklist.conf

example:
[root@nzhost1 ~]# echo "install snd /bin/false" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# echo "install zr364xx /bin/false" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# echo "install smsusb /bin/false" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# echo "install sisusbvga /bin/false" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# echo "install b2c2-flexcop-usb /bin/false" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep snd
blacklist snd
install snd /bin/false
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep zr364xx
blacklist zr364xx
install zr364xx /bin/false
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep smsusb
blacklist smsusb
install smsusb /bin/false
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep sisusbvga
blacklist sisusbvga
install sisusbvga /bin/false
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep b2c2-flexcop-usb
blacklist b2c2-flexcop-usb
install b2c2-flexcop-usb /bin/false

The install line simply causes /bin/false to be run instead of installing a module.

Step 5: Make a backup copy of your initramfs.

cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak

Example:
[root@nzhost1 ~]# cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak
[root@nzhost1 ~]# uname -r
2.6.32-754.35.1.el6.x86_64
[root@nzhost1 ~]# ll /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img.10-28-041219.bak
-rw------- 1 root root 22387682 Oct 28 04:12 /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img.10-28-041219.bak

Step 6: If the kernel module is part of the initramfs (boot configuration), rebuild your initial ramdisk image, omitting the module to be avoided

dracut --omit-drivers snd -f
dracut --omit-drivers zr364xx -f
dracut --omit-drivers smsusb -f
dracut --omit-drivers sisusbvga -f
dracut --omit-drivers b2c2-flexcop-usb -f

example:
[root@nzhost1 ~]# dracut --omit-drivers snd -f
[root@nzhost1 ~]# dracut --omit-drivers zr364xx -f
[root@nzhost1 ~]# dracut --omit-drivers smsusb -f
[root@nzhost1 ~]# dracut --omit-drivers sisusbvga -f
[root@nzhost1 ~]# dracut --omit-drivers b2c2-flexcop-usb -f
[root@nzhost1 ~]# lsinitrd /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img | grep snd
[root@nzhost1 ~]# lsinitrd /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img | grep zr364xx
[root@nzhost1 ~]# lsinitrd /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img | grep smsusb
[root@nzhost1 ~]# lsinitrd /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img | grep sisusbvga
[root@nzhost1 ~]# lsinitrd /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img | grep b2c2-flexcop-usb

Step 7: Append module_name.blocklist to the kernel cmdline. We give it an invalid parameter of blocklist and set it to 1 as a way to preclude the kernel from loading it.

sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ snd.blocklist=1/' /etc/grub.conf
sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ zr364xx.blocklist=1/' /etc/grub.conf
sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ smsusb.blocklist=1/' /etc/grub.conf
sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ sisusbvga.blocklist=1/' /etc/grub.conf
sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ b2c2-flexcop-usb.blocklist=1/' /etc/grub.conf

example:
[root@nzhost1 ~]# sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ snd.blocklist=1/' /etc/grub.conf
[root@nzhost1 ~]# sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ zr364xx.blocklist=1/' /etc/grub.conf
[root@nzhost1 ~]# sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ smsusb.blocklist=1/' /etc/grub.conf
[root@nzhost1 ~]# sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ sisusbvga.blocklist=1/' /etc/grub.conf
[root@nzhost1 ~]# sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ b2c2-flexcop-usb.blocklist=1/' /etc/grub.conf

Step 8: blocklist the kernel module in kdump’s configuration file.

echo "blacklist snd" >> /etc/kdump.conf
echo "blacklist zr364xx" >> /etc/kdump.conf
echo "blacklist smsusb" >> /etc/kdump.conf
echo "blacklist sisusbvga" >> /etc/kdump.conf
echo "blacklist b2c2-flexcop-usb" >> /etc/kdump.conf

example:
[root@nzhost1 ~]# echo "blacklist snd" >> /etc/kdump.conf
[root@nzhost1 ~]# echo "blacklist zr364xx" >> /etc/kdump.conf
[root@nzhost1 ~]# echo "blacklist smsusb" >> /etc/kdump.conf
[root@nzhost1 ~]# echo "blacklist sisusbvga" >> /etc/kdump.conf
[root@nzhost1 ~]# echo "blacklist b2c2-flexcop-usb" >> /etc/kdump.conf
[root@nzhost1 ~]# cat /etc/kdump.conf | grep snd
blacklist snd
[root@nzhost1 ~]# cat /etc/kdump.conf | grep zr364xx
blacklist zr364xx
[root@nzhost1 ~]# cat /etc/kdump.conf | grep smsusb
blacklist smsusb
[root@nzhost1 ~]# cat /etc/kdump.conf | grep sisusbvga
blacklist sisusbvga
[root@nzhost1 ~]# cat /etc/kdump.conf | grep b2c2-flexcop-usb
blacklist b2c2-flexcop-usb

Note: Perform Step 9 if kexec-tools is installed and kdump is configured; otherwise continue with Step 10.
Run the commands below to check whether kexec-tools is installed and kdump is operational:
[root@nzhost1 ~]# rpm -qa | grep kexec-tools
[root@nzhost1 ~]# service kdump status

Step 9: Restart the kdump service to pick up the changes to kdump’s initrd.

service kdump restart

example:
[root@nzhost1 ~]# service kdump restart
Stopping kdump: [ OK ]
Detected change(s) the following file(s):

/etc/kdump.conf
Rebuilding /boot/initrd-2.6.32-754.31.1.el6.x86_64kdump.img
Starting kdump: [ OK ]

Step 10: Reboot the system at a convenient time to have the changes take effect.
Make sure the secondary host is up by pinging or logging in before rebooting the primary host.

/sbin/shutdown -r now

example:
[root@nzhost1 ~]# /sbin/shutdown -r now
Make sure the primary server comes up and is reachable before performing Mitigation steps on the secondary server.

**After applying the mitigation:**

1. Start the services using the following commands:
[root@nzhost1 ~]# service heartbeat start
[root@nzhost1 ~]# ssh ha2 service heartbeat start
[root@nzhost1 ~]# service drbd start
[root@nzhost1 ~]# ssh ha2 service drbd start

2. Check the state of the system. Type:
[root@nzhost1 ~]# crm_mon -i5

Result: When the cluster manager comes up and is ready, status appears as follows.
Make sure that nzinit has started before you proceed. (This could take a few minutes.)
Node: nps61074 (e890696b-ab7b-42c0-9e91-4c1cdacbe3f9): online
Node: nps61068 (72043b2e-9217-4666-be6f-79923aef2958): online
Resource Group: nps
drbd_exphome_device(heartbeat:drbddisk): Started nps61074
drbd_nz_device(heartbeat:drbddisk): Started nps61074
exphome_filesystem(heartbeat::ocf:Filesystem): Started nps61074
nz_filesystem (heartbeat::ocf:Filesystem): Started nps61074
fabric_ip (heartbeat::ocf:IPaddr): Started nps61074
wall_ip (heartbeat::ocf:IPaddr): Started nps61074
nzinit (lsb:nzinit): Started nps61074
fencing_route_to_ha1(stonith:apcmaster): Started nps61074
fencing_route_to_ha2(stonith:apcmaster): Started nps61068

3. From host 1 (ha1), press Ctrl+C to break out of crm_mon.

4. Turn on heartbeat and DRBD using chkconfig:
ssh ha2 /sbin/chkconfig drbd on
/sbin/chkconfig drbd on
ssh ha2 /sbin/chkconfig heartbeat on
/sbin/chkconfig heartbeat on
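
A check for the modprobe entries from Steps 3 and 4, to run on each host once the procedure is complete. This is an added example, not part of the IBM bulletin: it reports per module whether both the `blacklist` line and the `install ... /bin/false` override are present, treating `-` and `_` in module names as equivalent. The function names are this example's own, and the directory to audit (for instance /etc/modprobe.d) is passed as the first argument.

```shell
#!/bin/sh
# Added example: audit modprobe.d for the entries written in Steps 3 and 4.
# MODULES comes from this bulletin; the function names are this example's own.
MODULES="snd zr364xx smsusb sisusbvga b2c2-flexcop-usb"

# modprobe treats '-' and '_' in module names as the same character,
# which is why lsmod prints b2c2_flexcop_usb for b2c2-flexcop-usb.
norm() { printf '%s' "$1" | sed 's/-/_/g'; }

# has_directive DIR KEYWORD MODULE [ARG]
# True when DIR/*.conf has a line "<KEYWORD> <MODULE> [ARG]". Lines wrapped in
# curly quotes or starting with '#' do not match, as modprobe would not use them.
has_directive() {
    cat "$1"/*.conf 2>/dev/null |
    awk -v kw="$2" -v mod="$(norm "$3")" -v arg="$4" '
        { m = $2; gsub(/-/, "_", m) }
        $1 == kw && m == mod && (arg == "" || $3 == arg) { found = 1 }
        END { exit !found }'
}

# audit_module DIR MODULE prints one status word:
#   ok            blacklist line and install override both present
#   no-install    blacklisted only: still loadable as a dependency (Step 4)
#   no-blacklist  install override only (Step 3)
#   missing       neither entry present
audit_module() {
    b=1; i=1
    has_directive "$1" blacklist "$2" && b=0
    has_directive "$1" install "$2" /bin/false && i=0
    case "$b$i" in
        00) echo ok ;;
        01) echo no-install ;;
        10) echo no-blacklist ;;
        *)  echo missing ;;
    esac
}

# audit_all DIR prints "module status" per module; returns 1 if any is not ok.
audit_all() {
    rc=0
    for mod in $MODULES; do
        st=$(audit_module "$1" "$mod")
        echo "$mod $st"
        [ "$st" = ok ] || rc=1
    done
    return $rc
}

# Run against a directory only when one is given, e.g. /etc/modprobe.d
if [ $# -gt 0 ]; then audit_all "$1"; fi
```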