logo
DATABASE RESOURCES PRICING ABOUT US

Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management

Description

## Summary Kernel is used by IBM Netezza Host Management. This bulletin provides mitigation for the reported CVEs. ## Vulnerability Details ** CVEID: **[CVE-2019-15214](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15214>) ** DESCRIPTION: **Linux Kernel could allow a physical attacker to execute arbitrary code on the system, caused by a use-after-free flaw in the sound subsystem. By performing card disconnection actions, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service on the system. CVSS Base score: 6.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165535](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165535>) for the current score. CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-15217](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15217>) ** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the yurex.c driver. By using a specially-crafted USB device, a physical attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 4.6 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165538](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165538>) for the current score. CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2019-15218](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15218>) ** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the smsusb.c driver. By using a specially-crafted USB device, a physical attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 4.6 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165539](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165539>) for the current score. CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2019-15219](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15219>) ** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the sisusb.c driver. By using a specially-crafted USB device, a physical attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 4.6 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165540](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165540>) for the current score. CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2019-15291](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15291>) ** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the flexcop_usb_probe function in the flexcop-usb.c driver. By using a specially-crafted USB device, a physical attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 4.6 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165548](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165548>) for the current score. CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ## Affected Products and Versions Affected Product(s)| Version(s) ---|--- IBM Netezza Host Management| All IBM Netezza Host Management starting 5.4.9.0 ## Remediation/Fixes None ## Workarounds and Mitigations Mitigation of the reported CVEs : CVE-2019-15214, CVE-2019-15217, CVE-2019-15218, CVE-2019-15219, CVE-2019-15291 blocklisting kernel modules **snd, zr364xx, smsusb, sisusbvga, b2c2-flexcop-usb** to prevent them from loading automatically on PureData System for Analytics N200x and N3001 is as follows: 1\. Change to user nz: [root@nzhost1 ~]# **su – nz** 2\. Check to see if Call Home is enabled: [nz@nzhost1 ~]$ **nzcallhome -status** If enabled, disable it: [nz@nzhost1 ~]$ **nzcallhome –off** ** Note:** Ensure that nzcallhome returns status as disabled. If there are errors in the callHome.txt configuration file, errors are listed in the output, and call-Home is disabled. 3\. Check the state of the Netezza system: [nz@nzhost1 ~]$ **nzstate** 4\. If the system state is online, stop the system using the command: [nz@nzhost1 ~]$ **nzstop** 5\. Wait for the system to stop, using the command: [nz@nzhos1t ~]$ **nzstate** System state is 'Stopped'. 6\. Exit from the nz session to return to user root: [nz@nzhost1 ~]$ **exit** 7\. Logged into the active host as root, type the following commands to stop the heartbeat processes: [root@nzhost1 ~]# **ssh ha2 /sbin/service heartbeat stop** [root@nzhost1 ~]# **/sbin/service heartbeat stop** 8\. Run below commands as a root user to disable heartbeat from startup: [root@nzhost1 ~]# **ssh ha2 /sbin/chkconfig heartbeat off** [root@nzhost1 ~]# **/sbin/chkconfig heartbeat off** 9\. Type the following commands to stop the DRBD processes: [root@nzhost1 ~]# **ssh ha2 /sbin/service drbd stop** [root@nzhost1 ~]#** /sbin/service drbd stop** 10\. Run below commands as a root user to disable drbd from startup: [root@nzhost1 ~]# **ssh ha2 /sbin/chkconfig drbd off** [root@nzhost1 ~]# **/sbin/chkconfig drbd off** **Execute below steps using "root" user on both ha1/ha2 hosts** **Step 1:** Check if kernel modules are snd, zr364xx, smsusb, sisusbvga, b2c2-flexcop-usb loaded in the hosts **lsmod | grep snd** **lsmod | grep zr364xx** **lsmod | grep smsusb** **lsmod | grep sisusbvga** **lsmod | grep b2c2_flexcop_usb** example: [root@ nzhost1 ~]# lsmod | grep snd snd 74199 0 soundcore 7990 1 snd [root@ nzhost1 ~]# lsmod | grep zr364xx zr364xx 20096 0 videodev 76188 1 zr364xx videobuf_vmalloc 5295 1 zr364xx videobuf_core 20302 2 zr364xx,videobuf_vmalloc [root@ nzhost1 ~]# lsmod | grep smsusb smsusb 8924 0 smsmdtv 30790 1 smsusb [root@ nzhost1 ~]# lsmod | grep sisusbvga sisusbvga 51565 0 [root@ nzhost1 ~]# lsmod | grep b2c2_flexcop_usb b2c2_flexcop_usb 5306 0 b2c2_flexcop 28746 1 b2c2_flexcop_usb **Note:** No output on **Step 1** for any module indicates, that module is not loaded hence skip **Step 2** for that module, and proceed with **Step 3** **Step 2:** Unload kernel modules are snd, zr364xx, smsusb, sisusbvga, b2c2-flexcop-usb if they are loaded **modprobe -rv snd** **modprobe -rv zr364xx** **modprobe -rv smsusb** **modprobe -rv sisusbvga** **modprobe -rv b2c2-flexcop-usb** example: [root@nzhost1 ~]# modprobe -rv snd rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/sound/core/snd.ko rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/sound/soundcore.ko [root@nzhost1 ~]# modprobe -rv zr364xx rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/video/zr364xx.ko rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/video/videodev.ko rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/video/v4l2-compat-ioctl32.ko rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/video/videobuf-vmalloc.ko rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/video/videobuf-core.ko [root@nzhost1 ~]# modprobe -rv smsusb rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/dvb/siano/smsusb.ko rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/dvb/siano/smsmdtv.ko [root@nzhost1 ~]# modprobe -rv sisusbvga rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/usb/misc/sisusbvga/sisusbvga.ko [root@nzhost1 ~]# modprobe -rv b2c2-flexcop-usb rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/dvb/b2c2/b2c2-flexcop-usb.ko rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/dvb/b2c2/b2c2-flexcop.ko rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/dvb/dvb-core/dvb-core.ko rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/dvb/frontends/cx24123.ko rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/dvb/frontends/cx24113.ko rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/media/dvb/frontends/s5h1420.ko Kernel modules and their dependent modules will be unloaded in the reverse order that they are loaded, given that no processes depend on any of the modules being unloaded. **Step 3:** To prevent modules from being loaded directly you add the blocklist line to a configuration file specific to the system configuration. **echo "blocklist snd" >> /etc/modprobe.d/local-blocklist.conf** **echo "blocklist zr364xx" >> /etc/modprobe.d/local-blocklist.conf** **echo "blocklist smsusb" >> /etc/modprobe.d/local-blocklist.conf** **echo "blocklist sisusbvga" >> /etc/modprobe.d/local-blocklist.conf** **echo "blocklist b2c2-flexcop-usb" >> /etc/modprobe.d/local-blocklist.conf** example : [root@nzhost1 ~]# echo "blocklist snd" >> /etc/modprobe.d/local-blocklist.conf [root@nzhost1 ~]# echo "blocklist zr364xx" >> /etc/modprobe.d/local-blocklist.conf [root@nzhost1 ~]# echo "blocklist smsusb" >> /etc/modprobe.d/local-blocklist.conf [root@nzhost1 ~]# echo "blocklist sisusbvga" >> /etc/modprobe.d/local-blocklist.conf [root@nzhost1 ~]# echo "blocklist b2c2-flexcop-usb" >> /etc/modprobe.d/local-blocklist.conf [root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep snd blocklist snd [root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep zr364xx blocklist zr364xx [root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep smsusb blocklist smsusb [root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep sisusbvga blocklist sisusbvga [root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep b2c2-flexcop-usb blocklist b2c2-flexcop-usb **Step 4:** Kernel modules can be loaded directly or loaded as a dependency from another module To prevent installation as a dependency from another module follow below step: **echo "install snd /bin/false" >> /etc/modprobe.d/local-blocklist.conf** **echo "install zr364xx /bin/false" >> /etc/modprobe.d/local-blocklist.conf** **echo "install smsusb /bin/false" >> /etc/modprobe.d/local-blocklist.conf** **echo "install sisusbvga /bin/false" >> /etc/modprobe.d/local-blocklist.conf** **echo "install b2c2-flexcop-usb /bin/false" >> /etc/modprobe.d/local-blocklist.conf** example: [root@nzhost1 ~]# echo "install snd /bin/false" >> /etc/modprobe.d/local-blocklist.conf [root@nzhost1 ~]# echo "install zr364xx /bin/false" >> /etc/modprobe.d/local-blocklist.conf [root@nzhost1 ~]# echo "install smsusb /bin/false" >> /etc/modprobe.d/local-blocklist.conf [root@nzhost1 ~]# echo "install sisusbvga /bin/false" >> /etc/modprobe.d/local-blocklist.conf [root@nzhost1 ~]# echo "install b2c2-flexcop-usb /bin/false" >> /etc/modprobe.d/local-blocklist.conf [root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep snd blocklist snd install snd /bin/false [root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep zr364xx blocklist zr364xx install zr364xx /bin/false [root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep smsusb blocklist smsusb install smsusb /bin/false [root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep sisusbvga blocklist sisusbvga install sisusbvga /bin/false [root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep b2c2-flexcop-usb blocklist b2c2-flexcop-usb install b2c2-flexcop-usb /bin/false The install line simply causes /bin/false to be run instead of installing a module. **Step 5:** Make a backup copy of your initramfs. **cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak** Example: [root@nzhost1 ~]# cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak [root@nzhost1 ~]# uname -r 2.6.32-754.35.1.el6.x86_64 [root@nzhost1 ~]# ll /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img.10-28-041219.bak -rw------- 1 root root 22387682 Oct 28 04:12 /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img.10-28-041219.bak **Step 6:** If the kernel module is part of the initramfs (boot configuration), rebuild your initial ramdisk image, omitting the module to be avoided **dracut --omit-drivers snd -f** **dracut --omit-drivers zr364xx -f** **dracut --omit-drivers smsusb -f** **dracut --omit-drivers sisusbvga -f** **dracut --omit-drivers b2c2-flexcop-usb -f** example: [root@nzhost1 ~]# dracut --omit-drivers snd -f [root@nzhost1 ~]# dracut --omit-drivers zr364xx -f [root@nzhost1 ~]# dracut --omit-drivers smsusb -f [root@nzhost1 ~]# dracut --omit-drivers sisusbvga -f [root@nzhost1 ~]# dracut --omit-drivers b2c2-flexcop-usb -f [root@nzhost1 ~]# lsinitrd /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img | grep snd [root@nzhost1 ~]# lsinitrd /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img | grep zr364xx [root@nzhost1 ~]# lsinitrd /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img | grep smsusb [root@nzhost1 ~]# lsinitrd /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img | grep sisusbvga [root@nzhost1 ~]# lsinitrd /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img | grep b2c2-flexcop-usb **Step 7:** Append module_name.blocklist to the kernel cmdline. We give it an invalid parameter of blocklist and set it to 1 as a way to preclude the kernel from loading it. sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ snd.blocklist=1/' /etc/grub.conf sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ zr364xx.blocklist=1/' /etc/grub.conf sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ smsusb.blocklist=1/' /etc/grub.conf sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ sisusbvga.blocklist=1/' /etc/grub.conf sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ b2c2-flexcop-usb.blocklist=1/' /etc/grub.conf example : [root@nzhost1 ~]# sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ snd.blocklist=1/' /etc/grub.conf [root@nzhost1 ~]# sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ zr364xx.blocklist=1/' /etc/grub.conf [root@nzhost1 ~]# sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ smsusb.blocklist=1/' /etc/grub.conf [root@nzhost1 ~]# sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ sisusbvga.blocklist=1/' /etc/grub.conf [root@nzhost1 ~]# sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ b2c2-flexcop-usb.blocklist=1/' /etc/grub.conf **Step 8:** blocklist the kernel module in kdump's configuration file. **echo "blocklist snd" >> /etc/kdump.conf** **echo "blocklist zr364xx" >> /etc/kdump.conf** **echo "blocklist smsusb" >> /etc/kdump.conf** **echo "blocklist sisusbvga" >> /etc/kdump.conf** **echo "blocklist b2c2-flexcop-usb" >> /etc/kdump.conf** example: [root@nzhost1 ~]# echo "blocklist snd" >> /etc/kdump.conf [root@nzhost1 ~]# echo "blocklist zr364xx" >> /etc/kdump.conf [root@nzhost1 ~]# echo "blocklist smsusb" >> /etc/kdump.conf [root@nzhost1 ~]# echo "blocklist sisusbvga" >> /etc/kdump.conf [root@nzhost1 ~]# echo "blocklist b2c2-flexcop-usb" >> /etc/kdump.conf [root@nzhost1 ~]# cat /etc/kdump.conf | grep snd blocklist snd [root@nzhost1 ~]# cat /etc/kdump.conf | grep zr364xx blocklist zr364xx [root@nzhost1 ~]# cat /etc/kdump.conf | grep smsusb blocklist zr364xx [root@nzhost1 ~]# cat /etc/kdump.conf | grep sisusbvga blocklist sisusbvga [root@nzhost1 ~]# cat /etc/kdump.conf | grep b2c2-flexcop-usb blocklist b2c2-flexcop-usb **Note:** Perform **Step 9** if kexec-tools is installed and kdump is configured else continue with **Step 10**. Perform below commands to check if kexec-tools is installed and Kdump is operational [root@nzhost1 ~]# rpm -qa | grep kexec-tools [root@nzhost1 ~]# service kdump status **Step 9:** Restart the kdump service to pick up the changes to kdump's initrd. **service kdump restart** example: [root@nzhost1 ~]# service kdump restart Stopping kdump: [ OK ] Detected change(s) the following file(s): /etc/kdump.conf Rebuilding /boot/initrd-2.6.32-754.31.1.el6.x86_64kdump.img Starting kdump: [ OK ] **Step 10:** Reboot the system at a convenient time to have the changes take effect. Make sure the secondary host is up by pinging or logging in before rebooting the primary host. **/sbin/shutdown -r now** example: [root@nzhost1 ~]# /sbin/shutdown -r now Make sure the primary server comes up and is reachable before performing Mitigation steps on the secondary server. ** After applying the mitigation:** 1\. Start the services using following: [root@nzhost1 ~]# **service heartbeat start** [root@nzhost1 ~]#** ssh ha2 service heartbeat start** [root@nzhost1 ~]# **service drbd start** [root@nzhost1 ~]# **ssh ha2 service drbd start** 2\. Check the stat of the system. Type: [root@nzhost1 ~]# **crm_mon -i5** Result: When the cluster manager comes up and is ready, status appears as follows. Make sure that nzinit has started before you proceed. (This could take a few minutes.) Node: nps61074 (e890696b-ab7b-42c0-9e91-4c1cdacbe3f9): online Node: nps61068 (72043b2e-9217-4666-be6f-79923aef2958): online Resource Group: nps drbd_exphome_device(heartbeat:drbddisk): Started nps61074 drbd_nz_device(heartbeat:drbddisk): Started nps61074 exphome_filesystem(heartbeat::ocf:Filesystem): Started nps61074 nz_filesystem (heartbeat::ocf:Filesystem): Started nps61074 fabric_ip (heartbeat::ocf:IPaddr): Started nps61074 wall_ip (heartbeat::ocf:IPaddr): Started nps61074 nzinit (lsb:nzinit): Started nps61074 fencing_route_to_ha1(stonith:apcmaster): Started nps61074 fencing_route_to_ha2(stonith:apcmaster): Started nps61068 3\. From host 1 (ha1), press Ctrl+C to break out of crm_mon. 4\. Turn on heartbeat and DRBD using the chkconfig: ** ssh ha2 /sbin/chkconfig drbd on** ** /sbin/chkconfig drbd on** ** ssh ha2 /sbin/chkconfig heartbeat on** ** /sbin/chkconfig heartbeat on** ## Get Notified about Future Security Bulletins Subscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this. ### References [Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> "Link resides outside of ibm.com" ) [On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> "Link resides outside of ibm.com" ) Off ## Related Information [IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) [IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>) ## Acknowledgement ## Change History 28 Oct 2020: Original Publication *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. ## Disclaimer Review the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment. ## Document Location Worldwide [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSULQD","label":"IBM PureData System"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]


Affected Software


CPE Name Name Version
ibm netezza host management all ibm netezza host management starting 5.4.9.0

Related