
Security Bulletin: Vyatta 5600 vRouter Software Patches - Release 1801-ze

Description

## Summary

AT&T has released versions 1801-ze for the Vyatta 5600. Details of these releases can be found at https://cloud.ibm.com/docs/infrastructure/virtual-router-appliance?topic=virtual-router-appliance-at-t-vyatta-5600-vrouter-software-patches#at-t-vyatta-5600-vrouter-software-patches

## Vulnerability Details

**CVEID:** [CVE-2019-14821](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14821>)
**DESCRIPTION:** An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->last' value could be supplied by a host user-space process. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system.
CVSS Base score: 3.3
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/167325](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167325>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2019-14284](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14284>)
**DESCRIPTION:** In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a denial of service by setup_format_params division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should be called. It can be triggered by an unprivileged local user even when a floppy disk has not been inserted. NOTE: QEMU creates the floppy device by default.
CVSS Base score: 4
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/165351](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165351>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2019-14283](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14283>)
**DESCRIPTION:** In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default.
CVSS Base score: 8.4
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/165352](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165352>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2019-13648](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13648>)
**DESCRIPTION:** In the Linux kernel through 5.2.1 on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c.
CVSS Base score: 6.2
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/164506](<https://exchange.xforce.ibmcloud.com/vulnerabilities/164506>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2019-13631](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13631>)
**DESCRIPTION:** In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages.
CVSS Base score: 6.8
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/163955](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163955>) for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2019-10639](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10639>)
**DESCRIPTION:** The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to have a dependency on an address associated with a network namespace.
CVSS Base score: 5.9
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/167414](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167414>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** [CVE-2019-10638](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10638>)
**DESCRIPTION:** In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses.
CVSS Base score: 6.5
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/163731](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163731>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

**CVEID:** [CVE-2019-10207](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10207>)
**DESCRIPTION:** A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.
CVSS Base score: 6.2
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/164305](<https://exchange.xforce.ibmcloud.com/vulnerabilities/164305>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2019-3900](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3900>)
**DESCRIPTION:** An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them.
A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario.
CVSS Base score: 7.5
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/160135](<https://exchange.xforce.ibmcloud.com/vulnerabilities/160135>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2019-3882](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3882>)
**DESCRIPTION:** A flaw was found in the Linux kernel's vfio interface implementation that permits violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS). Versions 3.10, 4.14 and 4.18 are vulnerable.
CVSS Base score: 4.7
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/158984](<https://exchange.xforce.ibmcloud.com/vulnerabilities/158984>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2019-1125](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1125>)
**DESCRIPTION:** An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1071, CVE-2019-1073.
CVSS Base score: 5.9
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/162990](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162990>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

**CVEID:** [CVE-2018-20856](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20856>)
**DESCRIPTION:** An issue was discovered in the Linux kernel before 4.18.7.
In block/blk-core.c, there is an __blk_drain_queue() use-after-free because a certain error case is mishandled.
CVSS Base score: 7.8
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/169658](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169658>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2018-20836](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20836>)
**DESCRIPTION:** An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.
CVSS Base score: 4
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/161631](<https://exchange.xforce.ibmcloud.com/vulnerabilities/161631>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2018-5995](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5995>)
**DESCRIPTION:** The pcpu_embed_first_chunk function in mm/percpu.c in the Linux kernel through 4.14.14 allows local users to obtain sensitive address information by reading dmesg data from a "pages/cpu" printk call.
CVSS Base score: 4
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/148122](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148122>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** [CVE-2015-8553](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8553>)
**DESCRIPTION:** Xen allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory by not enabling memory and I/O decoding control bits. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0777.
CVSS Base score: 2.1
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/112537](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112537>) for the current score.
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

**CVEID:** [CVE-2019-15902](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15902>)
**DESCRIPTION:** A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream "x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()" commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped.
CVSS Base score: 8.4
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/166561](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166561>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2019-15118](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15118>)
**DESCRIPTION:** check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion.
CVSS Base score: 8.4
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/165426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165426>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2019-15117](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15117>)
**DESCRIPTION:** parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles a short descriptor, leading to out-of-bounds memory access.
CVSS Base score: 7.7
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/165425](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165425>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

**CVEID:** [CVE-2019-14835](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14835>)
**DESCRIPTION:** A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.
CVSS Base score: 7.8
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/167170](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167170>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

## Affected Products and Versions

Affected Product(s) | Version(s)
---|---
Vyatta 5600 | All

## Remediation/Fixes

Please contact IBM Cloud Support to request that the ISO for the 1801-ze be pushed to your Vyatta system. Users will need to apply the upgraded code according to their defined processes (for example during a defined maintenance window).

## Workarounds and Mitigations

None

## Get Notified about Future Security Bulletins

Subscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.
### References

[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> "Link resides outside of ibm.com")

[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> "Link resides outside of ibm.com")

## Related Information

[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>)

[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)

## Change History

24 Jan 2020: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

## Disclaimer

Review the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/bulletin/#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

## Document Location

Worldwide


Affected Software


CPE Name Name Version
vyatta 5600 5600
