Amazon Linux AMI update for kernel

Published: 2019-03-05

Risk	Medium
Patch available	YES
Number of vulnerabilities	3
CVE-ID	CVE-2019-6974 CVE-2019-7221 CVE-2019-7222
CWE-ID	CWE-362 CWE-416 CWE-401
Exploitation vector	Local network
Public exploit	Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available.
Vulnerable software	Amazon Linux AMI Operating systems & Components / Operating system
Vendor	Amazon Web Services

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Race condition

EUVDB-ID: #VU17555

Risk: Low

CVSSv4.0: 7.4 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2019-6974

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows an adjacent attacker to gain elevated privileges or cause a denial of service (DoS) condition.

The weakness exists due to exists due to a race condition that causes the kvm_ioctl_create_device function, as defined in the virt/kvm/kvm_main.c source code file of the affected software, to improperly handle reference counting. An adjacent attacker can access the system and execute an application that submits malicious input, trigger a use-after-free condition and cause a targeted guest virtual machine to crash, resulting in a DoS condition. In addition, a successful exploit could allow the attacker to gain elevated privileges on a targeted system.

Mitigation

Update the affected packages:

i686:
    kernel-4.14.101-75.76.amzn1.i686
    kernel-tools-devel-4.14.101-75.76.amzn1.i686
    kernel-tools-debuginfo-4.14.101-75.76.amzn1.i686
    kernel-debuginfo-4.14.101-75.76.amzn1.i686
    kernel-headers-4.14.101-75.76.amzn1.i686
    perf-debuginfo-4.14.101-75.76.amzn1.i686
    kernel-tools-4.14.101-75.76.amzn1.i686
    perf-4.14.101-75.76.amzn1.i686
    kernel-debuginfo-common-i686-4.14.101-75.76.amzn1.i686
    kernel-devel-4.14.101-75.76.amzn1.i686

src:
    kernel-4.14.101-75.76.amzn1.src

x86_64:
    kernel-debuginfo-common-x86_64-4.14.101-75.76.amzn1.x86_64
    perf-debuginfo-4.14.101-75.76.amzn1.x86_64
    kernel-tools-debuginfo-4.14.101-75.76.amzn1.x86_64
    kernel-tools-devel-4.14.101-75.76.amzn1.x86_64
    kernel-headers-4.14.101-75.76.amzn1.x86_64
    kernel-debuginfo-4.14.101-75.76.amzn1.x86_64
    kernel-4.14.101-75.76.amzn1.x86_64
    perf-4.14.101-75.76.amzn1.x86_64
    kernel-devel-4.14.101-75.76.amzn1.x86_64
    kernel-tools-4.14.101-75.76.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2019-1165.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Use-after-free

EUVDB-ID: #VU17760

Risk: Medium

CVSSv4.0: 7.4 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2019-7221

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows an adjacent attacker to cause DoS condition or execute arbitrary code.

The weakness exists due to exists due to use-after-free error when using emulated vmx preemption timer. An adjacent attacker can cause the service to crash or execute arbitrary code with elevated privileges.

Mitigation

Update the affected packages:

i686:
    kernel-4.14.101-75.76.amzn1.i686
    kernel-tools-devel-4.14.101-75.76.amzn1.i686
    kernel-tools-debuginfo-4.14.101-75.76.amzn1.i686
    kernel-debuginfo-4.14.101-75.76.amzn1.i686
    kernel-headers-4.14.101-75.76.amzn1.i686
    perf-debuginfo-4.14.101-75.76.amzn1.i686
    kernel-tools-4.14.101-75.76.amzn1.i686
    perf-4.14.101-75.76.amzn1.i686
    kernel-debuginfo-common-i686-4.14.101-75.76.amzn1.i686
    kernel-devel-4.14.101-75.76.amzn1.i686

src:
    kernel-4.14.101-75.76.amzn1.src

x86_64:
    kernel-debuginfo-common-x86_64-4.14.101-75.76.amzn1.x86_64
    perf-debuginfo-4.14.101-75.76.amzn1.x86_64
    kernel-tools-debuginfo-4.14.101-75.76.amzn1.x86_64
    kernel-tools-devel-4.14.101-75.76.amzn1.x86_64
    kernel-headers-4.14.101-75.76.amzn1.x86_64
    kernel-debuginfo-4.14.101-75.76.amzn1.x86_64
    kernel-4.14.101-75.76.amzn1.x86_64
    perf-4.14.101-75.76.amzn1.x86_64
    kernel-devel-4.14.101-75.76.amzn1.x86_64
    kernel-tools-4.14.101-75.76.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2019-1165.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Memory leak

EUVDB-ID: #VU17759

Risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2019-7222

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows an adjacent attacker to obtain potentially sensitive information.

The weakness exists due to exists due to memory leak in kvm_inject_page_fault. An adjacent attacker can gain access to important data and conduct further attacks.

Mitigation

Update the affected packages:

i686:
    kernel-4.14.101-75.76.amzn1.i686
    kernel-tools-devel-4.14.101-75.76.amzn1.i686
    kernel-tools-debuginfo-4.14.101-75.76.amzn1.i686
    kernel-debuginfo-4.14.101-75.76.amzn1.i686
    kernel-headers-4.14.101-75.76.amzn1.i686
    perf-debuginfo-4.14.101-75.76.amzn1.i686
    kernel-tools-4.14.101-75.76.amzn1.i686
    perf-4.14.101-75.76.amzn1.i686
    kernel-debuginfo-common-i686-4.14.101-75.76.amzn1.i686
    kernel-devel-4.14.101-75.76.amzn1.i686

src:
    kernel-4.14.101-75.76.amzn1.src

x86_64:
    kernel-debuginfo-common-x86_64-4.14.101-75.76.amzn1.x86_64
    perf-debuginfo-4.14.101-75.76.amzn1.x86_64
    kernel-tools-debuginfo-4.14.101-75.76.amzn1.x86_64
    kernel-tools-devel-4.14.101-75.76.amzn1.x86_64
    kernel-headers-4.14.101-75.76.amzn1.x86_64
    kernel-debuginfo-4.14.101-75.76.amzn1.x86_64
    kernel-4.14.101-75.76.amzn1.x86_64
    perf-4.14.101-75.76.amzn1.x86_64
    kernel-devel-4.14.101-75.76.amzn1.x86_64
    kernel-tools-4.14.101-75.76.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2019-1165.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.