Lucene search

K
redhatcveRedhat.comRH:CVE-2019-19529
HistoryApr 06, 2020 - 11:04 a.m.

CVE-2019-19529

2020-04-0611:04:37
redhat.com
access.redhat.com
9

6.3 Medium

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

6.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

0.0005 Low

EPSS

Percentile

15.0%

A use-after-free flaw was found in the driver for the USB Microchip CAN BUS Analyzer Tool. The CAN BUS analysis hardware is not commonly found on server-grade hardware where the flaw exists while a device is removed (physical access) or a kernel module is unloaded (administrative privileges). An attacker must race the code while the device is being unplugged to take advantage of this flaw.

Mitigation

As the mcba_usb odule will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions:

echo "install mcba_usb /bin/true" >> /etc/modprobe.d/disable-mcba_usb.conf

The system will need to be restarted in the unlikely case that the modules are loaded. In most circumstances, the kernel modules will be unable to be unloaded with rmmod while any device has the software in use.

If the system requires this module to work correctly, this mitigation may not be suitable, alternative USB can analysers will not suffer this same flaw.

If you need further assistance, see KCS article <https://access.redhat.com/solutions/41278&gt; or contact Red Hat Global Support Services.

6.3 Medium

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

6.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

0.0005 Low

EPSS

Percentile

15.0%