Malware Devil

Monday, November 2, 2020

ESB-2020.3775 – [Debian] linux kernel: Multiple vulnerabilities


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3775
                           linux security update
                              2 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           linux kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-26088 CVE-2020-25643 CVE-2020-25641
                   CVE-2020-25285 CVE-2020-25284 CVE-2020-25220
                   CVE-2020-25212 CVE-2020-25211 CVE-2020-24490
                   CVE-2020-16166 CVE-2020-15393 CVE-2020-14390
                   CVE-2020-14386 CVE-2020-14356 CVE-2020-14331
                   CVE-2020-14314 CVE-2020-14305 CVE-2020-12888
                   CVE-2020-12771 CVE-2020-12655 CVE-2020-12352
                   CVE-2020-12351 CVE-2019-19448 CVE-2019-19074
                   CVE-2019-19073 CVE-2019-9445

Reference:         ESB-2020.3710
                   ESB-2020.3669
                   ESB-2020.3341
                   ESB-2020.2711

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/10/msg00032.html
   https://lists.debian.org/debian-lts-announce/2020/10/msg00034.html

Comment: This bulletin contains two (2) Debian security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2420-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
October 29, 2020                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : linux
Version        : 4.9.240-1
CVE ID         : CVE-2019-9445 CVE-2019-19073 CVE-2019-19074 CVE-2019-19448
                 CVE-2020-12351 CVE-2020-12352 CVE-2020-12655 CVE-2020-12771
                 CVE-2020-12888 CVE-2020-14305 CVE-2020-14314 CVE-2020-14331
                 CVE-2020-14356 CVE-2020-14386 CVE-2020-14390 CVE-2020-15393
                 CVE-2020-16166 CVE-2020-24490 CVE-2020-25211 CVE-2020-25212
                 CVE-2020-25220 CVE-2020-25284 CVE-2020-25285 CVE-2020-25641
                 CVE-2020-25643 CVE-2020-26088

Several vulnerabilities have been discovered in the Linux kernel that
may lead to the execution of arbitrary code, privilege escalation,
denial of service or information leaks.

CVE-2019-9445

    A potential out-of-bounds read was discovered in the F2FS
    implementation.  A user permitted to mount and access arbitrary
    filesystems could potentially use this to cause a denial of
    service (crash) or to read sensitive information.

CVE-2019-19073, CVE-2019-19074

    Navid Emamdoost discovered potential memory leaks in the ath9k and
    ath9k_htc drivers.  The security impact of these is unclear.

CVE-2019-19448

    "Team bobfuzzer" reported a bug in Btrfs that could lead to a
    use-after-free, and could be triggered by crafted filesystem
    images.  A user permitted to mount and access arbitrary
    filesystems could use this to cause a denial of service (crash or
    memory corruption) or possibly for privilege escalation.

CVE-2020-12351

    Andy Nguyen discovered a flaw in the Bluetooth implementation in
    the way L2CAP packets with A2MP CID are handled.  A remote attacker
    within a short distance, knowing the victim's Bluetooth device
    address, can send a malicious l2cap packet and cause a denial of
    service or possibly arbitrary code execution with kernel
    privileges.

CVE-2020-12352

    Andy Nguyen discovered a flaw in the Bluetooth implementation.
    Stack memory is not properly initialised when handling certain AMP
    packets.  A remote attacker within a short distance, knowing the
    victim's Bluetooth device address, can retrieve kernel
    stack information.

CVE-2020-12655

    Zheng Bin reported that crafted XFS volumes could trigger a system
    hang.  An attacker able to mount such a volume could use this to
    cause a denial of service.

CVE-2020-12771

    Zhiqiang Liu reported a bug in the bcache block driver that could
    lead to a system hang.  The security impact of this is unclear.

CVE-2020-12888

    It was discovered that the PCIe Virtual Function I/O (vfio-pci)
    driver allowed users to disable a device's memory space while it
    was still mapped into a process.  On some hardware platforms,
    local users or guest virtual machines permitted to access PCIe
    Virtual Functions could use this to cause a denial of service
    (hardware error and crash).

CVE-2020-14305

    Vasily Averin of Virtuozzo discovered a potential heap buffer
    overflow in the netfilter nf_conntrack_h323 module.  When this
    module is used to perform connection tracking for TCP/IPv6, a
    remote attacker could use this to cause a denial of service (crash
    or memory corruption) or possibly for remote code execution with
    kernel privilege.

CVE-2020-14314

    A bug was discovered in the ext4 filesystem that could lead to an
    out-of-bounds read.  A local user permitted to mount and access
    arbitrary filesystem images could use this to cause a denial of
    service (crash).

CVE-2020-14331

    A bug was discovered in the VGA console driver's soft-scrollback
    feature that could lead to a heap buffer overflow.  On a system
    with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK
    enabled, a local user with access to a console could use this to
    cause a denial of service (crash or memory corruption) or possibly
    for privilege escalation.

CVE-2020-14356, CVE-2020-25220

    A bug was discovered in the cgroup subsystem's handling of socket
    references to cgroups.  In some cgroup configurations, this could
    lead to a use-after-free.  A local user might be able to use this
    to cause a denial of service (crash or memory corruption) or
    possibly for privilege escalation.

    The original fix for this bug introduced a new security issue,
    which is also addressed in this update.

CVE-2020-14386

    Or Cohen discovered a bug in the packet socket (AF_PACKET)
    implementation which could lead to a heap buffer overflow.  A
    local user with the CAP_NET_RAW capability (in any user namespace)
    could use this to cause a denial of service (crash or memory
    corruption) or possibly for privilege escalation.

CVE-2020-14390

    Minh Yuan discovered a bug in the framebuffer console driver's
    scrollback feature that could lead to a heap buffer overflow.  On
    a system using framebuffer consoles, a local user with access to a
    console could use this to cause a denial of service (crash or
    memory corruption) or possibly for privilege escalation.

    The scrollback feature has been disabled for now, as no other fix
    was available for this issue.

CVE-2020-15393

    Kyungtae Kim reported a memory leak in the usbtest driver.  The
    security impact of this is unclear.

CVE-2020-16166

    Amit Klein reported that the random number generator used by the
    network stack might not be re-seeded for long periods of time,
    making e.g. client port number allocations more predictable.  This
    made it easier for remote attackers to carry out some network-
    based attacks such as DNS cache poisoning or device tracking.

CVE-2020-24490

    Andy Nguyen discovered a flaw in the Bluetooth implementation that
    can lead to a heap buffer overflow.  On systems with a Bluetooth 5
    hardware interface, a remote attacker within a short distance can
    use this to cause a denial of service (crash or memory corruption)
    or possibly for remote code execution with kernel privilege.

CVE-2020-25211

    A flaw was discovered in the netfilter subsystem.  A local attacker
    able to inject conntrack Netlink configuration can cause a denial
    of service.

CVE-2020-25212

    A bug was discovered in the NFSv4 client implementation that could
    lead to a heap buffer overflow.  A malicious NFS server could use
    this to cause a denial of service (crash or memory corruption) or
    possibly to execute arbitrary code on the client.

CVE-2020-25284

    It was discovered that the Rados block device (rbd) driver allowed
    tasks running as uid 0 to add and remove rbd devices, even if they
    dropped capabilities.  On a system with the rbd driver loaded,
    this might allow privilege escalation from a container with a task
    running as root.

CVE-2020-25285

    A race condition was discovered in the hugetlb filesystem's sysctl
    handlers that could lead to stack corruption.  A local user
    permitted to write to hugepages sysctls could use this to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.  By default only the root user can do this.

CVE-2020-25641

    The syzbot tool found a bug in the block layer that could lead to
    an infinite loop.  A local user with access to a raw block device
    could use this to cause a denial of service (unbounded CPU use and
    possible system hang).

CVE-2020-25643

    ChenNan of Chaitin Security Research Lab discovered a flaw in the
    hdlc_ppp module.  Improper input validation in the ppp_cp_parse_cr()
    function may lead to memory corruption and information disclosure.

CVE-2020-26088

    It was discovered that the NFC (Near Field Communication) socket
    implementation allowed any user to create raw sockets.  On a
    system with an NFC interface, this allowed local users to evade
    local network security policy.

For Debian 9 stretch, these problems have been fixed in version
4.9.240-1.  This update additionally includes many more bug fixes from
stable updates 4.9.229-4.9.240 inclusive.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Ben Hutchings - Debian developer, member of kernel, installer and LTS teams


- ------------------------------------------------------------------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2420-2                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
October 31, 2020                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : linux
Version        : 4.9.240-2
CVE ID         : CVE-2019-9445 CVE-2019-19073 CVE-2019-19074 CVE-2019-19448
                 CVE-2020-12351 CVE-2020-12352 CVE-2020-12655 CVE-2020-12771
                 CVE-2020-12888 CVE-2020-14305 CVE-2020-14314 CVE-2020-14331
                 CVE-2020-14356 CVE-2020-14386 CVE-2020-14390 CVE-2020-15393
                 CVE-2020-16166 CVE-2020-24490 CVE-2020-25211 CVE-2020-25212
                 CVE-2020-25220 CVE-2020-25284 CVE-2020-25285 CVE-2020-25641
                 CVE-2020-25643 CVE-2020-26088

This update corrects a regression in some Xen virtual machine
environments.  For reference the original advisory text follows.

Several vulnerabilities have been discovered in the Linux kernel that
may lead to the execution of arbitrary code, privilege escalation,
denial of service or information leaks.

CVE-2019-9445

    A potential out-of-bounds read was discovered in the F2FS
    implementation.  A user permitted to mount and access arbitrary
    filesystems could potentially use this to cause a denial of
    service (crash) or to read sensitive information.

CVE-2019-19073, CVE-2019-19074

    Navid Emamdoost discovered potential memory leaks in the ath9k and
    ath9k_htc drivers.  The security impact of these is unclear.

CVE-2019-19448

    "Team bobfuzzer" reported a bug in Btrfs that could lead to a
    use-after-free, and could be triggered by crafted filesystem
    images.  A user permitted to mount and access arbitrary
    filesystems could use this to cause a denial of service (crash or
    memory corruption) or possibly for privilege escalation.

CVE-2020-12351

    Andy Nguyen discovered a flaw in the Bluetooth implementation in
    the way L2CAP packets with A2MP CID are handled.  A remote attacker
    within a short distance, knowing the victim's Bluetooth device
    address, can send a malicious l2cap packet and cause a denial of
    service or possibly arbitrary code execution with kernel
    privileges.

CVE-2020-12352

    Andy Nguyen discovered a flaw in the Bluetooth implementation.
    Stack memory is not properly initialised when handling certain AMP
    packets.  A remote attacker within a short distance, knowing the
    victim's Bluetooth device address, can retrieve kernel
    stack information.

CVE-2020-12655

    Zheng Bin reported that crafted XFS volumes could trigger a system
    hang.  An attacker able to mount such a volume could use this to
    cause a denial of service.

CVE-2020-12771

    Zhiqiang Liu reported a bug in the bcache block driver that could
    lead to a system hang.  The security impact of this is unclear.

CVE-2020-12888

    It was discovered that the PCIe Virtual Function I/O (vfio-pci)
    driver allowed users to disable a device's memory space while it
    was still mapped into a process.  On some hardware platforms,
    local users or guest virtual machines permitted to access PCIe
    Virtual Functions could use this to cause a denial of service
    (hardware error and crash).

CVE-2020-14305

    Vasily Averin of Virtuozzo discovered a potential heap buffer
    overflow in the netfilter nf_conntrack_h323 module.  When this
    module is used to perform connection tracking for TCP/IPv6, a
    remote attacker could use this to cause a denial of service (crash
    or memory corruption) or possibly for remote code execution with
    kernel privilege.

CVE-2020-14314

    A bug was discovered in the ext4 filesystem that could lead to an
    out-of-bounds read.  A local user permitted to mount and access
    arbitrary filesystem images could use this to cause a denial of
    service (crash).

CVE-2020-14331

    A bug was discovered in the VGA console driver's soft-scrollback
    feature that could lead to a heap buffer overflow.  On a system
    with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK
    enabled, a local user with access to a console could use this to
    cause a denial of service (crash or memory corruption) or possibly
    for privilege escalation.

CVE-2020-14356, CVE-2020-25220

    A bug was discovered in the cgroup subsystem's handling of socket
    references to cgroups.  In some cgroup configurations, this could
    lead to a use-after-free.  A local user might be able to use this
    to cause a denial of service (crash or memory corruption) or
    possibly for privilege escalation.

    The original fix for this bug introduced a new security issue,
    which is also addressed in this update.

CVE-2020-14386

    Or Cohen discovered a bug in the packet socket (AF_PACKET)
    implementation which could lead to a heap buffer overflow.  A
    local user with the CAP_NET_RAW capability (in any user namespace)
    could use this to cause a denial of service (crash or memory
    corruption) or possibly for privilege escalation.

CVE-2020-14390

    Minh Yuan discovered a bug in the framebuffer console driver's
    scrollback feature that could lead to a heap buffer overflow.  On
    a system using framebuffer consoles, a local user with access to a
    console could use this to cause a denial of service (crash or
    memory corruption) or possibly for privilege escalation.

    The scrollback feature has been disabled for now, as no other fix
    was available for this issue.

CVE-2020-15393

    Kyungtae Kim reported a memory leak in the usbtest driver.  The
    security impact of this is unclear.

CVE-2020-16166

    Amit Klein reported that the random number generator used by the
    network stack might not be re-seeded for long periods of time,
    making e.g. client port number allocations more predictable.  This
    made it easier for remote attackers to carry out some network-
    based attacks such as DNS cache poisoning or device tracking.

CVE-2020-24490

    Andy Nguyen discovered a flaw in the Bluetooth implementation that
    can lead to a heap buffer overflow.  On systems with a Bluetooth 5
    hardware interface, a remote attacker within a short distance can
    use this to cause a denial of service (crash or memory corruption)
    or possibly for remote code execution with kernel privilege.

CVE-2020-25211

    A flaw was discovered in the netfilter subsystem.  A local attacker
    able to inject conntrack Netlink configuration can cause a denial
    of service.

CVE-2020-25212

    A bug was discovered in the NFSv4 client implementation that could
    lead to a heap buffer overflow.  A malicious NFS server could use
    this to cause a denial of service (crash or memory corruption) or
    possibly to execute arbitrary code on the client.

CVE-2020-25284

    It was discovered that the Rados block device (rbd) driver allowed
    tasks running as uid 0 to add and remove rbd devices, even if they
    dropped capabilities.  On a system with the rbd driver loaded,
    this might allow privilege escalation from a container with a task
    running as root.

CVE-2020-25285

    A race condition was discovered in the hugetlb filesystem's sysctl
    handlers that could lead to stack corruption.  A local user
    permitted to write to hugepages sysctls could use this to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.  By default only the root user can do this.

CVE-2020-25641

    The syzbot tool found a bug in the block layer that could lead to
    an infinite loop.  A local user with access to a raw block device
    could use this to cause a denial of service (unbounded CPU use and
    possible system hang).

CVE-2020-25643

    ChenNan of Chaitin Security Research Lab discovered a flaw in the
    hdlc_ppp module.  Improper input validation in the ppp_cp_parse_cr()
    function may lead to memory corruption and information disclosure.

CVE-2020-26088

    It was discovered that the NFC (Near Field Communication) socket
    implementation allowed any user to create raw sockets.  On a
    system with an NFC interface, this allowed local users to evade
    local network security policy.

For Debian 9 stretch, these problems have been fixed in version
4.9.240-1.  This update additionally includes many more bug fixes from
stable updates 4.9.229-4.9.240 inclusive.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams

- --------------------------END INCLUDED TEXT--------------------
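How a defender would verify the upgrade advice above on a Debian 9 host, as an added example that is not part of the Debian or AusCERT bulletin: it re-implements dpkg's version ordering and compares both the newest installed linux-image package and the running kernel (from /proc/version) against 4.9.240-2, since an upgraded package protects nothing until the host reboots into it. The dpkg-query output, the metapackage version and the /proc/version string are constructed sample values.

```python
"""Added example, not part of the Debian or AusCERT bulletin: is a Debian 9
host patched for DLA-2420-2?  Both the newest installed linux-image package
and the running kernel must be >= 4.9.240-2; Debian version ordering is
re-implemented below following dpkg's comparison algorithm."""
import re
from functools import cmp_to_key
from itertools import zip_longest

FIXED_VERSION = "4.9.240-2"  # 4.9.240-1 fixed the CVEs, -2 also the Xen regression


def _order(c):
    """dpkg character weight: '~' sorts before everything (even end of string),
    end of string and digits count 0, letters by code point, symbols after."""
    if c == "~":
        return -1
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream or revision string as dpkg does: alternate runs of
    non-digits (lexical via _order, padded with '') and digits (numeric)."""
    pairs_a = re.findall(r"(\D*)(\d*)", a)
    pairs_b = re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(pairs_a, pairs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0


def compare_debian_versions(v1, v2):
    """Return -1/0/1 like `dpkg --compare-versions` on [epoch:]upstream[-revision]."""
    def split(v):
        epoch, upstream, rev = re.fullmatch(r"(?:(\d+):)?(.*?)(?:-([^-]*))?", v).groups()
        return int(epoch or 0), upstream, rev or ""
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def kernel_patch_status(dpkg_output, proc_version, fixed=FIXED_VERSION):
    """Return (newest installed linux-image version, running version, verdict), given
    dpkg-query output as 'package version' lines and the text of /proc/version."""
    installed = []
    for line in dpkg_output.splitlines():
        pkg, _, ver = line.strip().partition(" ")
        if re.match(r"linux-image-\d", pkg) and ver:  # skip metapackages (linux-image-amd64)
            installed.append(ver)
    newest = max(installed, key=cmp_to_key(compare_debian_versions)) if installed else None
    # Debian kernels record their package version in /proc/version: "#1 SMP Debian <ver> (<date>)"
    m = re.search(r"#\d+ .*\bDebian (\S+) \(", proc_version)
    running = m.group(1) if m else None
    if newest is None or compare_debian_versions(newest, fixed) < 0:
        return newest, running, "vulnerable: no linux-image >= %s installed" % fixed
    if running is None or compare_debian_versions(running, fixed) < 0:
        return newest, running, "fixed package installed but running kernel older: reboot pending"
    return newest, running, "patched"


# Constructed sample input (assumption, not captured from a real host).
DPKG_SAMPLE = """linux-image-4.9.0-13-amd64 4.9.228-1
linux-image-4.9.0-14-amd64 4.9.240-2
linux-image-amd64 4.9+80+deb9u12
"""
PROC_VERSION_SAMPLE = ("Linux version 4.9.0-14-amd64 (debian-kernel@lists.debian.org) "
                       "(gcc version 6.3.0 20170516) #1 SMP Debian 4.9.240-1 (2020-10-29)")
```

On a real host feed it `dpkg-query -W -f='${Package} ${Version}\n' 'linux-image-*'` and the contents of /proc/version; the sample deliberately shows the common case where the -2 package is installed but the -1 kernel is still running.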

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
