Security Advisory Details

NS-SA-2019-0266

2019-12-31 11:29:41

Summary

important: kernel-rt/tcpdump security update

Severity

important

Topic

An update for kernel-rt/tcpdump is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Detailed Description

kernel-rt: The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc. This variant of the kernel has numerous debugging options enabled. It should only be installed when trying to gather additional information on kernel bugs, as some of these options impact performance noticeably.
tcpdump: Tcpdump is a command-line tool for monitoring network traffic. Tcpdump can capture and display the packet headers on a particular network interface or on all interfaces. Tcpdump can display all of the packet headers, or just the ones that match particular criteria. Install tcpdump if you need a program to monitor network traffic.


Security Fix(es):
kernel-rt: The bnep_sock_ioctl function in net/bluetooth/bnep/sock.c in the Linux kernel before 2.6.39 does not ensure that a certain device field ends with a '\0' character, which allows local users to obtain potentially sensitive information from kernel stack memory, or cause a denial of service (BUG and system crash), via a BNEPCONNADD command.(CVE-2011-1079)
kernel-rt: An issue was discovered in fs/gfs2/rgrp.c in the Linux kernel before 4.8. A use-after-free is caused by the functions gfs2_clear_rgrpd and read_rindex_entry.(CVE-2016-10905)
kernel-rt: An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo structure.(CVE-2017-18550)
kernel-rt: An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c.(CVE-2017-18595)
kernel-rt: A flaw was found in the way Intel CPUs handle inconsistency between virtual to physical memory address translations in the CPU's local cache and system software's Paging structure entries. A privileged guest user may use this flaw to induce a hardware Machine Check Error on the host processor, resulting in a severe DoS scenario by halting the processor. System software like an OS or Virtual Machine Monitor (VMM) uses a virtual memory system for storing program instructions and data in memory. The virtual memory system uses Paging structures like Page Tables and Page Directories to manage system memory. The processor's Memory Management Unit (MMU) uses Paging structure entries to translate a program's virtual memory addresses to physical memory addresses. The processor stores these address translations in its local cache buffer, called the Translation Lookaside Buffer (TLB). The TLB has two parts, one for instructions and the other for data addresses. System software can modify its Paging structure entries to change address mappings or certain attributes like page size. Upon such Paging structure alterations in memory, system software must invalidate the corresponding address translations in the processor's TLB cache. But before this TLB invalidation takes place, a privileged guest user may trigger an instruction fetch operation, which could use an already cached, but now invalid, virtual to physical address translation from the Instruction TLB (ITLB), thus accessing an invalid physical memory address and halting the processor due to the Machine Check Error (MCE) on Page Size Change.(CVE-2018-12207)
kernel-rt: An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.(CVE-2018-20836)
kernel-rt: A flaw was discovered in the Linux kernel's implementation of InfiniBand. A local attacker who is able to execute a read from the InfiniBand device could trigger an information leak of kernel memory to userspace which can be used to further attack the system.(CVE-2018-20855)
kernel-rt: A flaw was found in the Linux kernel's implementation of the XFS filesystem. A key data structure (sb->s_fs_info) may not be de-allocated when the system is under memory pressure. This same data structure is then used at a later time during filesystem operations. This could allow a local attacker who is able to groom memory to place an attacker-controlled data structure in this location and create a use-after-free situation which can result in memory corruption or privilege escalation.(CVE-2018-20976)
kernel-rt: A flaw was found in the Linux kernel's implementation of networking tunnel device ioctl. A local attacker can cause a denial of service (NULL pointer dereference and panic) via an ioctl (TUNSETIFF) call with a dev name containing a / character.(CVE-2018-7191)
kernel-rt: A flaw was found in Intel graphics hardware (GPU) where a local attacker with the ability to issue an ioctl could trigger a hardware level crash if MMIO registers were read while the graphics card was in a low-power state. This creates a denial of service situation and the GPU and connected displays will remain unusable until a reboot occurs.(CVE-2019-0154)
kernel-rt: A flaw was found in the Intel graphics hardware (GPU), where a local attacker with the ability to issue commands to the GPU could inadvertently lead to memory corruption and possible privilege escalation. The attacker could use the GPU blitter to perform privilege MMIO operations, not limited to the address space required to function correctly.(CVE-2019-0155)
kernel-rt: A flaw was found in the way Intel CPUs handle speculative execution of instructions when the TSX Asynchronous Abort (TAA) error occurs. A local authenticated attacker with the ability to monitor execution times could infer the TSX memory state by comparing abort execution times. This could allow information disclosure via this observed side-channel for any TSX transaction being executed while an attacker is able to observe abort timing. Intel's Transactional Synchronisation Extensions (TSX) are a set of instructions which enable transactional memory support to improve the performance of multi-threaded applications in lock-protected critical sections. The CPU executes instructions in the critical sections as transactions, while ensuring their atomic state. When such transaction execution is unsuccessful, the processor cannot ensure atomic updates to the transaction memory, so the processor rolls back or aborts such transaction execution. While a TSX Asynchronous Abort (TAA) is pending, the CPU may continue to read data from architectural buffers and pass it to the dependent speculative operations. This may cause information leakage via speculative side-channel means, which is quite similar to the Microarchitectural Data Sampling (MDS) issue.(CVE-2019-11135)
kernel-rt: The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests.(CVE-2019-11487)
kernel-rt: A flaw was found in the Linux kernel's implementation of the Bluetooth Human Interface Device Protocol (HIDP). A local attacker with access permissions to the Bluetooth device can issue an IOCTL which will trigger the do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c. This function can leak potentially sensitive information from the kernel stack memory via a HIDPCONNADD command because a name field may not be correctly NULL terminated.(CVE-2019-11884)
kernel-rt: A flaw was found in the Linux kernel’s implementation of Extended Display Identification Data (EDID) technology. A firmware identifier string is duplicated with the kstrdup function, and the allocation may fail under very low memory conditions. An attacker could abuse this flaw by causing a Denial of Service and crashing the system.(CVE-2019-12382)
kernel-rt: An issue was discovered in the Linux kernel before 5.2.3. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver.(CVE-2019-15213)
kernel-rt: An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS.(CVE-2019-15538)
kernel-rt: In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service.(CVE-2019-15807)
kernel-rt: A flaw that allowed an attacker to leak kernel memory was found in the network subsystem where an attacker with permissions to create tun/tap devices can create a denial of service and panic the system.(CVE-2019-15916)
kernel-rt: An issue was discovered in the Linux kernel before 5.0.4. The 9p filesystem did not protect i_size_write() properly, which causes an i_size_read() infinite loop and denial of service on SMP systems.(CVE-2019-16413)
kernel-rt: An issue was discovered in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel through 5.3.2. The cxgb4 driver is directly calling dma_map_single (a DMA function) from a stack variable. This could allow an attacker to trigger a Denial of Service, exploitable if this driver is used on an architecture for which this stack/DMA interaction has security relevance.(CVE-2019-17075)
kernel-rt: The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack.(CVE-2019-3874)
kernel-rt: bugfix
tcpdump: In tcpdump 4.9.2, a stack-based buffer over-read exists in the print_prefix function of print-hncp.c via crafted packet data because of missing initialization.(CVE-2018-19519)
tcpdump: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F21.

Affected Components

  • kernel-rt
  • tcpdump

Affected Products

  • CGSL MAIN 5.04
  • CGSL CORE 5.04

Update Packages

CGSL MAIN 5.04

Source: kernel-rt-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.src.rpm

  • kernel-rt-debug-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-debug-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-debug-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-doc-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.noarch.rpm
  • kernel-rt-debug-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-debug-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-debuginfo-common-x86_64-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-trace-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-trace-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-trace-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-trace-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-trace-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm

Source: tcpdump-4.9.2-4.el7_7.1.src.rpm

  • tcpdump-4.9.2-4.el7_7.1.x86_64.rpm
  • tcpdump-debuginfo-4.9.2-4.el7_7.1.x86_64.rpm

CGSL CORE 5.04

Source: kernel-rt-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.src.rpm

  • kernel-rt-debug-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-debug-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-debug-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-debug-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-debug-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-debuginfo-common-x86_64-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-doc-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.noarch.rpm
  • kernel-rt-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-trace-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-trace-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-trace-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-trace-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm
  • kernel-rt-trace-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.28.389.gdaa53e1.x86_64.rpm

Source: tcpdump-4.9.2-4.el7_7.1.src.rpm

  • tcpdump-4.9.2-4.el7_7.1.x86_64.rpm
  • tcpdump-debuginfo-4.9.2-4.el7_7.1.x86_64.rpm

CVE

References