SB2019110674 - Red Hat Enterprise Linux 8 update for kernel-rt

Description

This security bulletin contains information about 21 secuirty vulnerabilities.

1) Use-after-free error (CVE-ID: CVE-2018-16884)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to bc_svc_process() use wrong back-channel id when NFS41+ shares mounted in different network namespaces at the same time. A remote attacker can use a malicious container to trigger use-after-free error and cause a system panic.

2) Memory leak (CVE-ID: CVE-2018-19854)

The vulnerability allows a local attacker to perform DoS attack on the target system.

The vulnerability exists due to crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace. A local attacker can trigger memory leak and perform denial of service attack.

3) Out-of-bounds read (CVE-ID: CVE-2018-19985)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when the function "hso_get_config_data" in "drivers/net/usb/hso.c" reads "if_num" from the USB device (as a u8) and uses it to index a small array. An authenticated local user with physical access to the system can use a malicious USB, trigger out-of-bounds read error and read contents of memory on the system.

4) Memory corruption (CVE-ID: CVE-2018-20169)

The vulnerability allows a local attacker to cause DoS condition or execute arbitrary code on the target system.

The vulnerability exists in the USB subsystem due to improper checks on the minimum and maximum size of data allowed when reading an extra descriptor by the USB subsystem of the affected software, related to the __usb_get_extra_descriptor in the drivers/usb/core/usb.c source code file. A local attacker can insert a USB device designed to submit malicious input, trigger memory corruption and cause the service to crash or execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

5) Heap-based buffer overflow (CVE-ID: CVE-2019-10126)

The vulnerability allows a local user to perform a denial of service (DoS) condition or execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the Marvell Wireless LAN device driver in "mwifiex_uap_parse_tail_ies" function in "drivers/net/wireless/marvell/mwifiex/ie.c". A local authenticated user can trigger heap-based buffer overflow and cause a denial of service (system crash) or possibly execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

6) NULL pointer dereference (CVE-ID: CVE-2019-10207)

The vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.

A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.

7) Information disclosure (CVE-ID: CVE-2019-10638)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the software uses the IP ID values that the kernel produces for connectionless protocols. A remote attacker with a crafted web page can forge the targeted system to send UDP traffic to an attacker-controlled IP address to gain unauthorized access to sensitive information on the system.

8) Race condition (CVE-ID: CVE-2019-11599)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition with mmget_not_zero or get_task_mm calls and is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c due to kernel does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.

9) Information disclosure (CVE-ID: CVE-2019-11833)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to the Linux kernel does not zero out the unused memory region in the extent tree block within the fs/ext4/extents.c. A local user can gain unauthorized access to sensitive information on the system.

10) Information disclosure (CVE-ID: CVE-2019-11884)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability in the "do_hidp_sock_ioctl" function in "net/bluetooth/hidp/sock.c" exists due to the Bluetooth Human Interface Device Protocol (HIDP) implementation did not properly verify strings were NULL terminated in certain situations. A local authenticated user can gain unauthorized access to sensitive information from kernel stack memory via a "HIDPCONNADD" command, because a name field may not end with a '' character. 

11) Use-after-free (CVE-ID: CVE-2019-13233)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the arch/x86/lib/insn-eval.c file due to a race condition between modify_ldt() and a #BR exception for an MPX bounds violation when accessing LDT entry. A local user can create a specially crafted application and escalate privileges on the system.

12) Out-of-bounds write (CVE-ID: CVE-2019-14821)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the KVM coalesced MMIO support functionality due to incorrect processing of shared indexes. A local user can run a specially crafted application to trigger an out-of-bounds write error and write data to arbitrary address in the kernel memory.

Successful vulnerability exploitation may allow an attacker to execute arbitrary code on the system with root privileges.

13) Memory leak (CVE-ID: CVE-2019-15916)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within register_queue_kobjects() function in net/core/net-sysfs.c, which will cause denial of service. A local user can perform a denial of service attack.

14) Memory leak (CVE-ID: CVE-2019-3459)

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due heap address infoleak in use of l2cap_get_conf_opt. A local attacker can trigger memory leak and access important data.

15) Memory leak (CVE-ID: CVE-2019-3460)

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due heap address infoleak in multiple locations including function l2cap_parse_conf_rsp. A local attacker can trigger memory leak and access important data.

16) Input validation error (CVE-ID: CVE-2019-3874)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to the SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. A local user can perform a denial of service (DoS) attack.

17) Resource exhaustion (CVE-ID: CVE-2019-3882)

The vulnerability allows a local user to perform denial of service (DoS) attack.

The vulnerability exists within Linux kernel's vfio interface implementation, related to incorrect permission management. A local user with administrative privileges of the device, connected to vfio-pci interface can exhaust all system resources and perform denial of service attack.

18) Infinite loop (CVE-ID: CVE-2019-3900)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in vhost_net kernel module when processing incoming packets in handle_rx(). A remote attacker with access to guest operating system can stall the vhost_net kernel thread and cause denial of service conditions.

19) Information disclosure (CVE-ID: CVE-2019-5489)

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists due to a flaw in the mincore() implementation in mm/mincore.c. A local attacker can observe page cache access patterns of other processes on the same system and sniff secret information.

20) Memory leak (CVE-ID: CVE-2019-7222)

The vulnerability allows an adjacent attacker to obtain potentially sensitive information.

The weakness exists due to exists due to memory leak in kvm_inject_page_fault. An adjacent attacker can gain access to important data and conduct further attacks.

21) Cryptographic issues (CVE-ID: CVE-2019-9506)

The vulnerability allows an attacker to gain access to sensitive information.

The vulnerability exists due to a weakness in Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) protocol core specification that allows an attacker with close proximity to the affected system to perform a man-in-the-middle attack on an encrypted Bluetooth connection.

Successful exploitation of the vulnerability may allow an attacker to gain access to sensitive information or perform unauthorized actions.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2019:3309