Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.2593
SUSE-SU-2019:1823-1 Security update for the Linux Kernel
15 July 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Linux Kernel
Publisher: SUSE
Operating System: SUSE
Impact/Access: Increased Privileges -- Remote with User Interaction
Denial of Service -- Existing Account
Reduced Security -- Remote/Unauthenticated
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-12819 CVE-2019-12818 CVE-2019-12614
CVE-2019-12456 CVE-2019-12380 CVE-2019-11599
CVE-2019-11487 CVE-2019-10639 CVE-2019-10638
CVE-2019-10126 CVE-2018-20836
Reference: ESB-2019.2499
ESB-2019.2498
ESB-2019.2497
ESB-2019.2469
Original Bulletin:
https://www.suse.com/support/update/announcement/2019/suse-su-20191823-1.html
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________
Announcement ID: SUSE-SU-2019:1823-1
Rating: important
References: #1096254 #1108382 #1109137 #1127155 #1133190 #1133738
#1134395 #1134701 #1136922 #1136935 #1137194 #1138291
#1140575
Cross-References: CVE-2018-20836 CVE-2019-10126 CVE-2019-10638 CVE-2019-10639
CVE-2019-11487 CVE-2019-11599 CVE-2019-12380 CVE-2019-12456
CVE-2019-12614 CVE-2019-12818 CVE-2019-12819
Affected Products:
SUSE OpenStack Cloud 7
SUSE Linux Enterprise Server for SAP 12-SP2
SUSE Linux Enterprise Server 12-SP2-LTSS
SUSE Linux Enterprise Server 12-SP2-BCL
SUSE Enterprise Storage 4
______________________________________________________________________________
An update that solves 11 vulnerabilities and has two fixes is now available.
Description:
The SUSE Linux Enterprise 12 SP 2 kernel was updated to receive various
security and bugfixes.
The following security bugs were fixed:
o CVE-2019-10638: In the Linux kernel, a device could be tracked by an
attacker using the IP ID values the kernel produces for connection-less
protocols (e.g., UDP and ICMP). When such traffic was sent to multiple
destination IP addresses, it was possible to obtain hash collisions (of
indices to the counter array) and thereby obtain the hashing key (via
enumeration). An attack may be conducted by hosting a crafted web page that
uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP
addresses. (bnc#1140575)
o CVE-2019-10639: The Linux kernel allowed Information Exposure (partial
kernel address disclosure), leading to a KASLR bypass. Specifically, it was
possible to extract the KASLR kernel image offset using the IP ID values
the kernel produces for connection-less protocols (e.g., UDP and ICMP).
When such traffic was sent to multiple destination IP addresses, it was
possible to obtain hash collisions (of indices to the counter array) and
thereby obtain the hashing key (via enumeration). This key contains enough
bits from a kernel address (of a static variable) so when the key was
extracted (via enumeration), the offset of the kernel image is exposed.
This attack can be carried out remotely, by the attacker forcing the target
device to send UDP or ICMP (or certain other) traffic to
attacker-controlled IP addresses. Forcing a server to send UDP traffic is
trivial if the server is a DNS server. ICMP traffic is trivial if the
server answers ICMP Echo requests (ping). For client targets, if the target
visited the attacker's web page, then WebRTC or gQUIC could be used to
force UDP traffic to attacker-controlled IP addresses. NOTE: this attack
against KASLR became viable because IP ID generation was changed to have a
dependency on an address associated with a network namespace. (bnc#)
o CVE-2019-10126: A flaw was found in the Linux kernel that might lead to
memory corruption in the marvell mwifiex driver. (bnc#1136935)
o CVE-2018-20836: An issue was discovered in the Linux kernel There was a
race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/
libsas/sas_expander.c, leading to a use-after-free. (bnc#1134395)
o CVE-2019-11599: The coredump implementation in the Linux kernel did not use
locking or other mechanisms to prevent vma layout or vma flags changes
while it ran, which allowed local users to obtain sensitive information,
cause a denial of service, or possibly have unspecified other impact by
triggering a race condition with mmget_not_zero or get_task_mm calls. This
is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/
infiniband/core/uverbs_main.c. (bnc#1133738)
o CVE-2019-12614: An issue was discovered in dlpar_parse_cc_property in arch/
powerpc/platforms/pseries/dlpar.c in the Linux kernel There was an
unchecked kstrdup of prop-name, which might allow an attacker to cause a
denial of service (NULL pointer dereference and system crash). (bnc#)
o CVE-2019-12818: An issue was discovered in the Linux kernel The
nfc_llcp_build_tlv function in net/nfc/llcp_commands.c may return NULL. If
the caller did not check for this, it will trigger a NULL pointer
dereference. This will cause denial of service. This affects
nfc_llcp_build_gb in net/nfc/llcp_core.c. (bnc#1137194)
o CVE-2019-12819: An issue was discovered in the Linux kernel The function
__mdiobus_register() in drivers/net/phy/mdio_bus.c called put_device(),
which would trigger a fixed_mdio_bus_init use-after-free. This would cause
a denial of service. (bnc#1138291)
o CVE-2019-12456 a double-fetch bug in _ctl_ioctl_main() could allow local
users to create a denial of service (bsc#1136922).
o CVE-2019-12380: An issue was discovered in the efi subsystem in the Linux
kernel phys_efi_set_virtual_address_map in arch/x86/platform/efi/efi.c and
efi_call_phys_prolog in arch/x86/platform/efi/efi_64.c mishandle memory
allocation failures. NOTE: This id is disputed as not being an issue
because All the code touched by the referenced commit runs only at boot,
before any user processes are started. Therefore, there is no possibility
for an unprivileged user to control it. (bnc#)
o CVE-2019-11487: The Linux kernel allowed page-_refcount reference count to
overflow, with resultant use-after-free issues, if about 140 GiB of RAM
exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/
linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and
mm/hugetlb.c. It can occur with FUSE requests. (bnc#1133190)
The following non-security bugs were fixed:
o Drop multiversion(kernel) from the KMP template (bsc#1127155).
o Revert "KMPs: obsolete older KMPs of the same flavour (bsc#1127155, bsc#
1109137)." This reverts commit 4cc83da426b53d47f1fde9328112364eab1e9a19.
o sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254).
o x86/cpu: Unify CPU family, model, stepping calculation (bsc#1134701).
o x86/entry/64/compat: Fix stack switching for XEN PV (bsc#1108382).
o x86/microcode/AMD: Fix initrd loading with CONFIG_RANDOMIZE_MEMORY=y (bsc#
1134701).
o x86/microcode/AMD: Fix load of builtin microcode with randomized memory
(bsc#1134701).
o x86/microcode/AMD: Reload proper initrd start address (bsc#1134701).
o x86/microcode/amd: Hand down the CPU family (bsc#1134701).
o x86/microcode/amd: Move private inlines to .c and mark local functions
static (bsc#1134701).
o x86/microcode/intel: Drop stashed AP patch pointer optimization (bsc#
1134701).
o x86/microcode/intel: Fix allocation size of struct ucode_patch (bsc#
1134701).
o x86/microcode/intel: Fix initrd loading with CONFIG_RANDOMIZE_MEMORY=y (bsc
#1134701).
o x86/microcode/intel: Remove intel_lib.c (bsc#1134701).
o x86/microcode/intel: Remove unused arg of get_matching_model_microcode()
(bsc#1134701).
o x86/microcode/intel: Rename load_microcode_early() to find_microcode_patch
() (bsc#1134701).
o x86/microcode/intel: Rename local variables of type struct mc_saved_data
(bsc#1134701).
o x86/microcode/intel: Rename mc_intel variable to mc (bsc#1134701).
o x86/microcode/intel: Rename mc_saved_in_initrd (bsc#1134701).
o x86/microcode/intel: Simplify generic_load_microcode() (bsc#1134701).
o x86/microcode/intel: Unexport save_mc_for_early() (bsc#1134701).
o x86/microcode/intel: Use correct buffer size for saving microcode data (bsc
#1134701).
o x86/microcode: Collect CPU info on resume (bsc#1134701).
o x86/microcode: Export the microcode cache linked list (bsc#1134701).
o x86/microcode: Fix loading precedence (bsc#1134701).
o x86/microcode: Get rid of find_cpio_data()'s dummy offset arg (bsc#
1134701).
o x86/microcode: Issue the debug printk on resume only on success (bsc#
1134701).
o x86/microcode: Rework microcode loading (bsc#1134701).
o x86/microcode: Run the AP-loading routine only on the application
processors (bsc#1134701).
Special Instructions and Notes:
Please reboot the system after installing this update.
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE OpenStack Cloud 7:
zypper in -t patch SUSE-OpenStack-Cloud-7-2019-1823=1
o SUSE Linux Enterprise Server for SAP 12-SP2:
zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-1823=1
o SUSE Linux Enterprise Server 12-SP2-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-1823=1
o SUSE Linux Enterprise Server 12-SP2-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-1823=1
o SUSE Enterprise Storage 4:
zypper in -t patch SUSE-Storage-4-2019-1823=1
Package List:
o SUSE OpenStack Cloud 7 (s390x x86_64):
kernel-default-4.4.121-92.117.1
kernel-default-base-4.4.121-92.117.1
kernel-default-base-debuginfo-4.4.121-92.117.1
kernel-default-debuginfo-4.4.121-92.117.1
kernel-default-debugsource-4.4.121-92.117.1
kernel-default-devel-4.4.121-92.117.1
kernel-syms-4.4.121-92.117.1
o SUSE OpenStack Cloud 7 (noarch):
kernel-devel-4.4.121-92.117.1
kernel-macros-4.4.121-92.117.1
kernel-source-4.4.121-92.117.1
o SUSE OpenStack Cloud 7 (x86_64):
kgraft-patch-4_4_121-92_117-default-1-3.3.1
o SUSE OpenStack Cloud 7 (s390x):
kernel-default-man-4.4.121-92.117.1
o SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
kernel-default-4.4.121-92.117.1
kernel-default-base-4.4.121-92.117.1
kernel-default-base-debuginfo-4.4.121-92.117.1
kernel-default-debuginfo-4.4.121-92.117.1
kernel-default-debugsource-4.4.121-92.117.1
kernel-default-devel-4.4.121-92.117.1
kernel-syms-4.4.121-92.117.1
kgraft-patch-4_4_121-92_117-default-1-3.3.1
o SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
kernel-devel-4.4.121-92.117.1
kernel-macros-4.4.121-92.117.1
kernel-source-4.4.121-92.117.1
o SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
kernel-default-4.4.121-92.117.1
kernel-default-base-4.4.121-92.117.1
kernel-default-base-debuginfo-4.4.121-92.117.1
kernel-default-debuginfo-4.4.121-92.117.1
kernel-default-debugsource-4.4.121-92.117.1
kernel-default-devel-4.4.121-92.117.1
kernel-syms-4.4.121-92.117.1
o SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64):
kgraft-patch-4_4_121-92_117-default-1-3.3.1
o SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
kernel-devel-4.4.121-92.117.1
kernel-macros-4.4.121-92.117.1
kernel-source-4.4.121-92.117.1
o SUSE Linux Enterprise Server 12-SP2-LTSS (s390x):
kernel-default-man-4.4.121-92.117.1
o SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
kernel-devel-4.4.121-92.117.1
kernel-macros-4.4.121-92.117.1
kernel-source-4.4.121-92.117.1
o SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
kernel-default-4.4.121-92.117.1
kernel-default-base-4.4.121-92.117.1
kernel-default-base-debuginfo-4.4.121-92.117.1
kernel-default-debuginfo-4.4.121-92.117.1
kernel-default-debugsource-4.4.121-92.117.1
kernel-default-devel-4.4.121-92.117.1
kernel-syms-4.4.121-92.117.1
o SUSE Enterprise Storage 4 (noarch):
kernel-devel-4.4.121-92.117.1
kernel-macros-4.4.121-92.117.1
kernel-source-4.4.121-92.117.1
o SUSE Enterprise Storage 4 (x86_64):
kernel-default-4.4.121-92.117.1
kernel-default-base-4.4.121-92.117.1
kernel-default-base-debuginfo-4.4.121-92.117.1
kernel-default-debuginfo-4.4.121-92.117.1
kernel-default-debugsource-4.4.121-92.117.1
kernel-default-devel-4.4.121-92.117.1
kernel-syms-4.4.121-92.117.1
kgraft-patch-4_4_121-92_117-default-1-3.3.1
References:
o https://www.suse.com/security/cve/CVE-2018-20836.html
o https://www.suse.com/security/cve/CVE-2019-10126.html
o https://www.suse.com/security/cve/CVE-2019-10638.html
o https://www.suse.com/security/cve/CVE-2019-10639.html
o https://www.suse.com/security/cve/CVE-2019-11487.html
o https://www.suse.com/security/cve/CVE-2019-11599.html
o https://www.suse.com/security/cve/CVE-2019-12380.html
o https://www.suse.com/security/cve/CVE-2019-12456.html
o https://www.suse.com/security/cve/CVE-2019-12614.html
o https://www.suse.com/security/cve/CVE-2019-12818.html
o https://www.suse.com/security/cve/CVE-2019-12819.html
o https://bugzilla.suse.com/1096254
o https://bugzilla.suse.com/1108382
o https://bugzilla.suse.com/1109137
o https://bugzilla.suse.com/1127155
o https://bugzilla.suse.com/1133190
o https://bugzilla.suse.com/1133738
o https://bugzilla.suse.com/1134395
o https://bugzilla.suse.com/1134701
o https://bugzilla.suse.com/1136922
o https://bugzilla.suse.com/1136935
o https://bugzilla.suse.com/1137194
o https://bugzilla.suse.com/1138291
o https://bugzilla.suse.com/1140575
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXSvymmaOgq3Tt24GAQiF6g/9GI5m4Jlv6JmgzG1gSRXnv8NRTsgK1dbY
UsqNezZskMY1+to3q9HDBzqSJDl+NAq+Ba1AOmIz4b7b9MCWxKcSZ4qGpidmGTl1
9ZF8gIYuk5xFfiSvVxY3F6ZESlfNltZxEQhq6xXV/43HtIr3qpPILMqcdGZmL4jN
XasmSNMLG9W1QDSVahxlDBl2WT4S17iVxJPZTBBXLxGgAgNiIFVlWr1S0HS+62Fo
56Z9wljW60dl+OEjOnLpOjCpeFpPpd328Fwh9BA7t/oO8xlEHiquzHVrlk+T/kJi
zuwe/0Bpr6WaRqLTiU1YitEa85uXzh1KlVUiY5qSun3gv2MlKiBhIETR1VCBjM1f
xEP0Y2TDAW6Q3uQNDBE1BVsqtDQMcDFSBVIuZIw4FOKLsed8ngmwASaw0/FW5RDI
CDcVskrEqfGJtRuOM3TElGnKCGMez6Aemv4bHsESy10NB6PUZtwTsHYrUuukK+DN
wTIAdHjHVNmTUI03oT5/22OQc/kSvlJShWWu/Vsnwjelw0WZw+wG185ScXI4J/Ng
JaKpgAQ3Dc94SfzmK4vU2E5S1rMvMLJgUbjYSyQgwCiXoIH7QjXLG+qpgWAlv6/r
7CBWZPPdfVBdStNGygfrvBIW0LSp9SwQQWgxRzICXkWT4oQ4nkxvix9PH4Sqf6Sm
324V7Zpsq3Q=
=JusU
-----END PGP SIGNATURE-----