Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.2593 SUSE-SU-2019:1823-1 Security update for the Linux Kernel 15 July 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Linux Kernel Publisher: SUSE Operating System: SUSE Impact/Access: Increased Privileges -- Remote with User Interaction Denial of Service -- Existing Account Reduced Security -- Remote/Unauthenticated Access Confidential Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2019-12819 CVE-2019-12818 CVE-2019-12614 CVE-2019-12456 CVE-2019-12380 CVE-2019-11599 CVE-2019-11487 CVE-2019-10639 CVE-2019-10638 CVE-2019-10126 CVE-2018-20836 Reference: ESB-2019.2499 ESB-2019.2498 ESB-2019.2497 ESB-2019.2469 Original Bulletin: https://www.suse.com/support/update/announcement/2019/suse-su-20191823-1.html - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:1823-1 Rating: important References: #1096254 #1108382 #1109137 #1127155 #1133190 #1133738 #1134395 #1134701 #1136922 #1136935 #1137194 #1138291 #1140575 Cross-References: CVE-2018-20836 CVE-2019-10126 CVE-2019-10638 CVE-2019-10639 CVE-2019-11487 CVE-2019-11599 CVE-2019-12380 CVE-2019-12456 CVE-2019-12614 CVE-2019-12818 CVE-2019-12819 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that solves 11 vulnerabilities and has two fixes is now available. Description: The SUSE Linux Enterprise 12 SP 2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: o CVE-2019-10638: In the Linux kernel, a device could be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic was sent to multiple destination IP addresses, it was possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses. (bnc#1140575) o CVE-2019-10639: The Linux kernel allowed Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it was possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic was sent to multiple destination IP addresses, it was possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key was extracted (via enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visited the attacker's web page, then WebRTC or gQUIC could be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable because IP ID generation was changed to have a dependency on an address associated with a network namespace. (bnc#) o CVE-2019-10126: A flaw was found in the Linux kernel that might lead to memory corruption in the marvell mwifiex driver. (bnc#1136935) o CVE-2018-20836: An issue was discovered in the Linux kernel There was a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/ libsas/sas_expander.c, leading to a use-after-free. (bnc#1134395) o CVE-2019-11599: The coredump implementation in the Linux kernel did not use locking or other mechanisms to prevent vma layout or vma flags changes while it ran, which allowed local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/ infiniband/core/uverbs_main.c. (bnc#1133738) o CVE-2019-12614: An issue was discovered in dlpar_parse_cc_property in arch/ powerpc/platforms/pseries/dlpar.c in the Linux kernel There was an unchecked kstrdup of prop-name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). (bnc#) o CVE-2019-12818: An issue was discovered in the Linux kernel The nfc_llcp_build_tlv function in net/nfc/llcp_commands.c may return NULL. If the caller did not check for this, it will trigger a NULL pointer dereference. This will cause denial of service. This affects nfc_llcp_build_gb in net/nfc/llcp_core.c. (bnc#1137194) o CVE-2019-12819: An issue was discovered in the Linux kernel The function __mdiobus_register() in drivers/net/phy/mdio_bus.c called put_device(), which would trigger a fixed_mdio_bus_init use-after-free. This would cause a denial of service. (bnc#1138291) o CVE-2019-12456 a double-fetch bug in _ctl_ioctl_main() could allow local users to create a denial of service (bsc#1136922). o CVE-2019-12380: An issue was discovered in the efi subsystem in the Linux kernel phys_efi_set_virtual_address_map in arch/x86/platform/efi/efi.c and efi_call_phys_prolog in arch/x86/platform/efi/efi_64.c mishandle memory allocation failures. NOTE: This id is disputed as not being an issue because All the code touched by the referenced commit runs only at boot, before any user processes are started. Therefore, there is no possibility for an unprivileged user to control it. (bnc#) o CVE-2019-11487: The Linux kernel allowed page-_refcount reference count to overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/ linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests. (bnc#1133190) The following non-security bugs were fixed: o Drop multiversion(kernel) from the KMP template (bsc#1127155). o Revert "KMPs: obsolete older KMPs of the same flavour (bsc#1127155, bsc# 1109137)." This reverts commit 4cc83da426b53d47f1fde9328112364eab1e9a19. o sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254). o x86/cpu: Unify CPU family, model, stepping calculation (bsc#1134701). o x86/entry/64/compat: Fix stack switching for XEN PV (bsc#1108382). o x86/microcode/AMD: Fix initrd loading with CONFIG_RANDOMIZE_MEMORY=y (bsc# 1134701). o x86/microcode/AMD: Fix load of builtin microcode with randomized memory (bsc#1134701). o x86/microcode/AMD: Reload proper initrd start address (bsc#1134701). o x86/microcode/amd: Hand down the CPU family (bsc#1134701). o x86/microcode/amd: Move private inlines to .c and mark local functions static (bsc#1134701). o x86/microcode/intel: Drop stashed AP patch pointer optimization (bsc# 1134701). o x86/microcode/intel: Fix allocation size of struct ucode_patch (bsc# 1134701). o x86/microcode/intel: Fix initrd loading with CONFIG_RANDOMIZE_MEMORY=y (bsc #1134701). o x86/microcode/intel: Remove intel_lib.c (bsc#1134701). o x86/microcode/intel: Remove unused arg of get_matching_model_microcode() (bsc#1134701). o x86/microcode/intel: Rename load_microcode_early() to find_microcode_patch () (bsc#1134701). o x86/microcode/intel: Rename local variables of type struct mc_saved_data (bsc#1134701). o x86/microcode/intel: Rename mc_intel variable to mc (bsc#1134701). o x86/microcode/intel: Rename mc_saved_in_initrd (bsc#1134701). o x86/microcode/intel: Simplify generic_load_microcode() (bsc#1134701). o x86/microcode/intel: Unexport save_mc_for_early() (bsc#1134701). o x86/microcode/intel: Use correct buffer size for saving microcode data (bsc #1134701). o x86/microcode: Collect CPU info on resume (bsc#1134701). o x86/microcode: Export the microcode cache linked list (bsc#1134701). o x86/microcode: Fix loading precedence (bsc#1134701). o x86/microcode: Get rid of find_cpio_data()'s dummy offset arg (bsc# 1134701). o x86/microcode: Issue the debug printk on resume only on success (bsc# 1134701). o x86/microcode: Rework microcode loading (bsc#1134701). o x86/microcode: Run the AP-loading routine only on the application processors (bsc#1134701). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2019-1823=1 o SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-1823=1 o SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-1823=1 o SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-1823=1 o SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2019-1823=1 Package List: o SUSE OpenStack Cloud 7 (s390x x86_64): kernel-default-4.4.121-92.117.1 kernel-default-base-4.4.121-92.117.1 kernel-default-base-debuginfo-4.4.121-92.117.1 kernel-default-debuginfo-4.4.121-92.117.1 kernel-default-debugsource-4.4.121-92.117.1 kernel-default-devel-4.4.121-92.117.1 kernel-syms-4.4.121-92.117.1 o SUSE OpenStack Cloud 7 (noarch): kernel-devel-4.4.121-92.117.1 kernel-macros-4.4.121-92.117.1 kernel-source-4.4.121-92.117.1 o SUSE OpenStack Cloud 7 (x86_64): kgraft-patch-4_4_121-92_117-default-1-3.3.1 o SUSE OpenStack Cloud 7 (s390x): kernel-default-man-4.4.121-92.117.1 o SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): kernel-default-4.4.121-92.117.1 kernel-default-base-4.4.121-92.117.1 kernel-default-base-debuginfo-4.4.121-92.117.1 kernel-default-debuginfo-4.4.121-92.117.1 kernel-default-debugsource-4.4.121-92.117.1 kernel-default-devel-4.4.121-92.117.1 kernel-syms-4.4.121-92.117.1 kgraft-patch-4_4_121-92_117-default-1-3.3.1 o SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): kernel-devel-4.4.121-92.117.1 kernel-macros-4.4.121-92.117.1 kernel-source-4.4.121-92.117.1 o SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): kernel-default-4.4.121-92.117.1 kernel-default-base-4.4.121-92.117.1 kernel-default-base-debuginfo-4.4.121-92.117.1 kernel-default-debuginfo-4.4.121-92.117.1 kernel-default-debugsource-4.4.121-92.117.1 kernel-default-devel-4.4.121-92.117.1 kernel-syms-4.4.121-92.117.1 o SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64): kgraft-patch-4_4_121-92_117-default-1-3.3.1 o SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): kernel-devel-4.4.121-92.117.1 kernel-macros-4.4.121-92.117.1 kernel-source-4.4.121-92.117.1 o SUSE Linux Enterprise Server 12-SP2-LTSS (s390x): kernel-default-man-4.4.121-92.117.1 o SUSE Linux Enterprise Server 12-SP2-BCL (noarch): kernel-devel-4.4.121-92.117.1 kernel-macros-4.4.121-92.117.1 kernel-source-4.4.121-92.117.1 o SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): kernel-default-4.4.121-92.117.1 kernel-default-base-4.4.121-92.117.1 kernel-default-base-debuginfo-4.4.121-92.117.1 kernel-default-debuginfo-4.4.121-92.117.1 kernel-default-debugsource-4.4.121-92.117.1 kernel-default-devel-4.4.121-92.117.1 kernel-syms-4.4.121-92.117.1 o SUSE Enterprise Storage 4 (noarch): kernel-devel-4.4.121-92.117.1 kernel-macros-4.4.121-92.117.1 kernel-source-4.4.121-92.117.1 o SUSE Enterprise Storage 4 (x86_64): kernel-default-4.4.121-92.117.1 kernel-default-base-4.4.121-92.117.1 kernel-default-base-debuginfo-4.4.121-92.117.1 kernel-default-debuginfo-4.4.121-92.117.1 kernel-default-debugsource-4.4.121-92.117.1 kernel-default-devel-4.4.121-92.117.1 kernel-syms-4.4.121-92.117.1 kgraft-patch-4_4_121-92_117-default-1-3.3.1 References: o https://www.suse.com/security/cve/CVE-2018-20836.html o https://www.suse.com/security/cve/CVE-2019-10126.html o https://www.suse.com/security/cve/CVE-2019-10638.html o https://www.suse.com/security/cve/CVE-2019-10639.html o https://www.suse.com/security/cve/CVE-2019-11487.html o https://www.suse.com/security/cve/CVE-2019-11599.html o https://www.suse.com/security/cve/CVE-2019-12380.html o https://www.suse.com/security/cve/CVE-2019-12456.html o https://www.suse.com/security/cve/CVE-2019-12614.html o https://www.suse.com/security/cve/CVE-2019-12818.html o https://www.suse.com/security/cve/CVE-2019-12819.html o https://bugzilla.suse.com/1096254 o https://bugzilla.suse.com/1108382 o https://bugzilla.suse.com/1109137 o https://bugzilla.suse.com/1127155 o https://bugzilla.suse.com/1133190 o https://bugzilla.suse.com/1133738 o https://bugzilla.suse.com/1134395 o https://bugzilla.suse.com/1134701 o https://bugzilla.suse.com/1136922 o https://bugzilla.suse.com/1136935 o https://bugzilla.suse.com/1137194 o https://bugzilla.suse.com/1138291 o https://bugzilla.suse.com/1140575 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXSvymmaOgq3Tt24GAQiF6g/9GI5m4Jlv6JmgzG1gSRXnv8NRTsgK1dbY UsqNezZskMY1+to3q9HDBzqSJDl+NAq+Ba1AOmIz4b7b9MCWxKcSZ4qGpidmGTl1 9ZF8gIYuk5xFfiSvVxY3F6ZESlfNltZxEQhq6xXV/43HtIr3qpPILMqcdGZmL4jN XasmSNMLG9W1QDSVahxlDBl2WT4S17iVxJPZTBBXLxGgAgNiIFVlWr1S0HS+62Fo 56Z9wljW60dl+OEjOnLpOjCpeFpPpd328Fwh9BA7t/oO8xlEHiquzHVrlk+T/kJi zuwe/0Bpr6WaRqLTiU1YitEa85uXzh1KlVUiY5qSun3gv2MlKiBhIETR1VCBjM1f xEP0Y2TDAW6Q3uQNDBE1BVsqtDQMcDFSBVIuZIw4FOKLsed8ngmwASaw0/FW5RDI CDcVskrEqfGJtRuOM3TElGnKCGMez6Aemv4bHsESy10NB6PUZtwTsHYrUuukK+DN wTIAdHjHVNmTUI03oT5/22OQc/kSvlJShWWu/Vsnwjelw0WZw+wG185ScXI4J/Ng JaKpgAQ3Dc94SfzmK4vU2E5S1rMvMLJgUbjYSyQgwCiXoIH7QjXLG+qpgWAlv6/r 7CBWZPPdfVBdStNGygfrvBIW0LSp9SwQQWgxRzICXkWT4oQ4nkxvix9PH4Sqf6Sm 324V7Zpsq3Q= =JusU -----END PGP SIGNATURE-----