CVSS3: 5.5 Medium

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS2: 4.9 Medium

Metric | Value |
---|---|
Access Vector | LOCAL |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | COMPLETE |

Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C

The Linux kernel is used by IBM Netezza Host Management. This bulletin provides mitigation for the reported CVEs.
CVEID: CVE-2019-19051
**DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the i2400m_op_rfkill_sw_toggle() function in drivers/net/wimax/i2400m/op-rfkill.c. A remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171759 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2019-19055
**DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c. A remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171763 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Netezza Host Management | All IBM Netezza Host Management starting 5.4.9.0 |
None
The mitigation for the reported CVEs (CVE-2019-19051, CVE-2019-19055) is to blocklist the kernel modules **i2400m** and **cfg80211** so that they do not load automatically on PureData System for Analytics N200x and N3001. The procedure is as follows:
1. Change to user nz:
[root@nzhost1 ~]# su - nz
2. Check to see if Call Home is enabled:
[nz@nzhost1 ~]$ nzcallhome -status
If enabled, disable it:
[nz@nzhost1 ~]$ nzcallhome -off
Note: Ensure that nzcallhome returns status as disabled. If there are errors in the callHome.txt configuration file, the errors are listed in the output and Call Home is disabled.
3. Check the state of the Netezza system:
[nz@nzhost1 ~]$ nzstate
4. If the system state is online, stop the system using the command:
[nz@nzhost1 ~]$ nzstop
5. Wait for the system to stop, using the command:
[nz@nzhost1 ~]$ nzstate
System state is "Stopped".
6. Exit from the nz session to return to user root:
[nz@nzhost1 ~]$ exit
7. Logged in to the active host as root, type the following commands to stop the heartbeat processes:
[root@nzhost1 ~]# ssh ha2 /sbin/service heartbeat stop
[root@nzhost1 ~]# /sbin/service heartbeat stop
8. Run the commands below as root to disable heartbeat at startup:
[root@nzhost1 ~]# ssh ha2 /sbin/chkconfig heartbeat off
[root@nzhost1 ~]# /sbin/chkconfig heartbeat off
9. Type the following commands to stop the DRBD processes:
[root@nzhost1 ~]# ssh ha2 /sbin/service drbd stop
[root@nzhost1 ~]# /sbin/service drbd stop
10. Run the commands below as root to disable drbd at startup:
[root@nzhost1 ~]# ssh ha2 /sbin/chkconfig drbd off
[root@nzhost1 ~]# /sbin/chkconfig drbd off
Execute the steps below as the "root" user on both the ha1 and ha2 hosts.
Step 1: Check whether the kernel modules i2400m and cfg80211 are loaded on the hosts:
lsmod | grep i2400m
lsmod | grep cfg80211
example:
[root@nzhost1 ~]# lsmod | grep i2400m
i2400m 85954 0
wimax 27043 1 i2400m
[root@nzhost1 ~]# lsmod | grep cfg80211
cfg80211 699840 0
rfkill 19319 2 cfg80211,wimax
Note: No output in Step 1 for a module indicates that the module is not loaded; skip Step 2 for that module and proceed with Step 3.
Step 2: Unload the kernel modules i2400m and cfg80211 if they are loaded:
modprobe -rv i2400m
modprobe -rv cfg80211
example:
[root@nzhost1 ~]# modprobe -rv i2400m
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/net/wimax/i2400m/i2400m.ko
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/net/wimax/wimax.ko
[root@nzhost1 ~]# modprobe -rv cfg80211
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/net/wireless/cfg80211.ko
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/net/rfkill/rfkill.ko
Kernel modules and their dependent modules will be unloaded in the reverse order that they are loaded, given that no processes depend on any of the modules being unloaded.
Step 3: To prevent the modules from being loaded directly, add a blacklist line for each module to a configuration file specific to the system configuration. The directive keyword that modprobe recognizes in /etc/modprobe.d files is blacklist; the file name itself is arbitrary.
echo "blacklist i2400m" >> /etc/modprobe.d/local-blocklist.conf
echo "blacklist cfg80211" >> /etc/modprobe.d/local-blocklist.conf
example:
[root@nzhost1 ~]# echo "blacklist i2400m" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# echo "blacklist cfg80211" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep i2400m
blacklist i2400m
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep cfg80211
blacklist cfg80211
Step 4: Kernel modules can be loaded directly or loaded as a dependency of another module.
To prevent a module from being installed as a dependency of another module, add an install line for it:
echo "install i2400m /bin/false" >> /etc/modprobe.d/local-blocklist.conf
echo "install cfg80211 /bin/false" >> /etc/modprobe.d/local-blocklist.conf
example:
[root@nzhost1 ~]# echo "install i2400m /bin/false" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# echo "install cfg80211 /bin/false" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep i2400m
blacklist i2400m
install i2400m /bin/false
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep cfg80211
blacklist cfg80211
install cfg80211 /bin/false
The install line simply causes /bin/false to be run instead of installing a module.
Step 5: Make a backup copy of your initramfs.
cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak
Example:
[root@nzhost1 ~]# cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak
[root@nzhost1 ~]# uname -r
2.6.32-754.35.1.el6.x86_64
[root@nzhost1 ~]# ll /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img.10-29-030600.bak
-rw------- 1 root root 22553648 Oct 29 03:06 /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img.10-29-030600.bak
Step 6: If the kernel module is part of the initramfs (boot configuration), rebuild your initial ramdisk image, omitting the module to be avoided:
dracut --omit-drivers i2400m -f
dracut --omit-drivers cfg80211 -f
example:
[root@nzhost1 ~]# dracut --omit-drivers i2400m -f
[root@nzhost1 ~]# dracut --omit-drivers cfg80211 -f
[root@nzhost1 ~]# lsinitrd /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img | grep i2400m
[root@nzhost1 ~]# lsinitrd /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img | grep cfg80211
Step 7: Append module_name.blocklist=1 to the kernel command line. The module is given an invalid parameter, blocklist, set to 1, as a way to preclude the kernel from loading it.
sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ i2400m.blocklist=1/' /etc/grub.conf
sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ cfg80211.blocklist=1/' /etc/grub.conf
example:
[root@nzhost1 ~]# sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ i2400m.blocklist=1/' /etc/grub.conf
[root@nzhost1 ~]# sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ cfg80211.blocklist=1/' /etc/grub.conf
Step 8: Blocklist the kernel modules in kdump's configuration file. The kdump.conf directive for this is blacklist.
echo "blacklist i2400m" >> /etc/kdump.conf
echo "blacklist cfg80211" >> /etc/kdump.conf
example:
[root@nzhost1 ~]# echo "blacklist i2400m" >> /etc/kdump.conf
[root@nzhost1 ~]# echo "blacklist cfg80211" >> /etc/kdump.conf
[root@nzhost1 ~]# cat /etc/kdump.conf | grep i2400m
blacklist i2400m
[root@nzhost1 ~]# cat /etc/kdump.conf | grep cfg80211
blacklist cfg80211
Note: Perform Step 9 if kexec-tools is installed and kdump is configured; otherwise continue with Step 10.
Run the commands below to check whether kexec-tools is installed and kdump is operational:
[root@nzhost1 ~]# rpm -qa | grep kexec-tools
[root@nzhost1 ~]# service kdump status
Step 9: Restart the kdump service to pick up the changes to kdump's initrd.
service kdump restart
example:
[root@nzhost1 ~]# service kdump restart
Stopping kdump: [ OK ]
Detected change(s) the following file(s):
/etc/kdump.conf
Rebuilding /boot/initrd-2.6.32-754.31.1.el6.x86_64kdump.img
Starting kdump: [ OK ]
Step 10: Reboot the system at a convenient time to have the changes take effect.
Make sure the secondary host is up by pinging or logging in before rebooting the primary host.
/sbin/shutdown -r now
example:
[root@nzhost1 ~]# /sbin/shutdown -r now
Make sure the primary server comes up and is reachable before performing Mitigation steps on the secondary server.
After applying the mitigation:
1. Start the services using following:
[root@nzhost1 ~]# service heartbeat start
[root@nzhost1 ~]# ssh ha2 service heartbeat start
[root@nzhost1 ~]# service drbd start
[root@nzhost1 ~]# ssh ha2 service drbd start
2. Check the status of the system. Type:
[root@nzhost1 ~]# crm_mon -i5
Result: When the cluster manager comes up and is ready, status appears as follows.
Make sure that nzinit has started before you proceed. (This could take a few minutes.)
Node: nps61074 (e890696b-ab7b-42c0-9e91-4c1cdacbe3f9): online
Node: nps61068 (72043b2e-9217-4666-be6f-79923aef2958): online
Resource Group: nps
drbd_exphome_device(heartbeat:drbddisk): Started nps61074
drbd_nz_device(heartbeat:drbddisk): Started nps61074
exphome_filesystem(heartbeat::ocf:Filesystem): Started nps61074
nz_filesystem (heartbeat::ocf:Filesystem): Started nps61074
fabric_ip (heartbeat::ocf:IPaddr): Started nps61074
wall_ip (heartbeat::ocf:IPaddr): Started nps61074
nzinit (lsb:nzinit): Started nps61074
fencing_route_to_ha1(stonith:apcmaster): Started nps61074
fencing_route_to_ha2(stonith:apcmaster): Started nps61068
3. From host 1 (ha1), press Ctrl+C to break out of crm_mon.
4. Turn on heartbeat and DRBD using chkconfig:
ssh ha2 /sbin/chkconfig drbd on
/sbin/chkconfig drbd on
ssh ha2 /sbin/chkconfig heartbeat on
/sbin/chkconfig heartbeat on
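
A check for the state that Steps 1 to 4 are meant to produce on each host, as an added example that is not part of the IBM bulletin: for each module it confirms that the module is not loaded and that the modprobe configuration carries both a blacklist line and an install override. The function names and the constructed sample files are assumptions of this example; blacklist is the directive keyword that modprobe.d recognizes, so a line spelled differently or pasted with typographic quotes is reported as missing.

```shell
#!/bin/bash
# Added example (not from the bulletin): audit the result of Steps 1-4.
# Paths are parameters so copies of the files can be checked offline.

# True if DIR/*.conf holds an uncommented "KEYWORD MODULE [REST]" line.
has_directive() {
    local dir=$1 keyword=$2 module=$3 rest=${4:-}
    local pattern="^[[:space:]]*${keyword}[[:space:]]+${module}"
    if [ -n "$rest" ]; then pattern="${pattern}[[:space:]]+${rest}"; fi
    grep -Eqs -- "${pattern}[[:space:]]*\$" "$dir"/*.conf
}

# True if MODULE is the first field of a line in /proc/modules (lsmod's source).
is_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "${2:-/proc/modules}"
}

# Prints one line per finding; returns the number of failed checks (0 = done).
audit_module() {
    local module=$1 dir=${2:-/etc/modprobe.d} proc=${3:-/proc/modules} fails=0
    if is_loaded "$module" "$proc"; then
        echo "FAIL $module: still loaded"; fails=$((fails + 1))
    fi
    if ! has_directive "$dir" blacklist "$module"; then
        echo "FAIL $module: no valid 'blacklist $module' line"; fails=$((fails + 1))
    fi
    if ! has_directive "$dir" install "$module" /bin/false; then
        echo "FAIL $module: no 'install $module /bin/false' line"; fails=$((fails + 1))
    fi
    if [ "$fails" -eq 0 ]; then echo "OK   $module"; fi
    return "$fails"
}

# Constructed sample: cfg80211 is fully handled; i2400m is still loaded and its
# blacklist line was pasted with typographic quotes, so modprobe ignores it.
demo() {
    local tmp rc_cfg=0 rc_i24=0
    tmp=$(mktemp -d)
    printf '%s\n' 'blacklist cfg80211' 'install cfg80211 /bin/false' \
        '“blacklist i2400m”' 'install i2400m /bin/false' > "$tmp/local-blocklist.conf"
    printf '%s\n' 'i2400m 85954 0 - Live 0x0' 'wimax 27043 1 i2400m, Live 0x0' \
        > "$tmp/modules"
    audit_module cfg80211 "$tmp" "$tmp/modules" || rc_cfg=$?
    audit_module i2400m "$tmp" "$tmp/modules" || rc_i24=$?
    rm -rf "$tmp"
    echo "cfg80211=$rc_cfg i2400m=$rc_i24"
}

demo
```

On a live host, calling audit_module i2400m and audit_module cfg80211 with no further arguments checks /etc/modprobe.d and /proc/modules directly.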
CPE | Name | Operator | Version |
---|---|---|---|
 | ibm puredata system | eq | any |