Vulnerabilities > CVE-2018-5953 - Information Exposure vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
The swiotlb_print_info function in lib/swiotlb.c in the Linux kernel through 4.14.14 allows local users to obtain sensitive address information by reading dmesg data from a "software IO TLB" printk call.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2020-5642.NASL description Description of changes: [4.1.12-124.38.1.el7uek] - rds: transport module should be auto loaded when transport is set (Rao Shoaib) [Orabug: 31031928] - KVM: X86: Fix NULL deref in vcpu_scan_ioapic (Wanpeng Li) [Orabug: 31078882] - vhost: Check docket sk_family instead of call getname (Eugenio Pé rez) [Orabug: 31085993] {CVE-2020-10942} - Revert last seen 2020-05-03 modified 2020-04-10 plugin id 135381 published 2020-04-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135381 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5642) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Oracle Linux Security Advisory ELSA-2020-5642. # include("compat.inc"); if (description) { script_id(135381); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/30"); script_cve_id("CVE-2018-5953", "CVE-2019-18806", "CVE-2020-10942"); script_name(english:"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5642)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Description of changes: [4.1.12-124.38.1.el7uek] - rds: transport module should be auto loaded when transport is set (Rao Shoaib) [Orabug: 31031928] - KVM: X86: Fix NULL deref in vcpu_scan_ioapic (Wanpeng Li) [Orabug: 31078882] - vhost: Check docket sk_family instead of call getname (Eugenio Pé rez) [Orabug: 31085993] {CVE-2020-10942} - Revert 'oled: give panic handler chance to run before kexec' (Wengang Wang) [Orabug: 31098797] [4.1.12-124.37.3.el7uek] - kernel: cpu.c: fix return in void function cpu_smt_disable (Mihai Carabas) [Orabug: 31047871] - net: qlogic: Fix memory leak in ql_alloc_large_buffers (Navid Emamdoost) [Orabug: 31055327] {CVE-2019-18806} - swiotlb: clean up reporting (Kees Cook) [Orabug: 31085017] {CVE-2018-5953} - KVM: x86: Expose more Intel AVX512 feature to guest (Luwei Kang) [Orabug: 31085086] - x86/cpufeature: Enable new AVX-512 features (Fenghua Yu) [Orabug: 31085086] [4.1.12-124.37.2.el7uek] - xenbus: req->err should be updated before req->state (Dongli Zhang) [Orabug: 30705030] - xenbus: req->body should be updated before req->state (Dongli Zhang) [Orabug: 30705030]" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2020-April/009775.html" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2020-April/009776.html" ); script_set_attribute( attribute:"solution", value:"Update the affected unbreakable enterprise kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:N/I:P/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-10942"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/07"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/10"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2018-5953", "CVE-2019-18806", "CVE-2020-10942"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2020-5642"); } else { __rpm_report = ksplice_reporting_text(); } } kernel_major_minor = get_kb_item("Host/uname/major_minor"); if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level."); expected_kernel_major_minor = "4.1"; if (kernel_major_minor != expected_kernel_major_minor) audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor); flag = 0; if (rpm_exists(release:"EL6", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-4.1.12-124.38.1.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-124.38.1.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-124.38.1.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-124.38.1.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-124.38.1.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-124.38.1.el6uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-4.1.12-124.38.1.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-124.38.1.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-124.38.1.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-124.38.1.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-124.38.1.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-124.38.1.el7uek")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel"); }
NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2020-0019.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - KVM: x86: Remove spurious semicolon (Joao Martins) [Orabug: 31413782] - genirq: Use rcu in kstat_irqs_usr (Eric Dumazet) - genirq: Make sparse_irq_lock protect what it should protect (Thomas Gleixner) [Orabug: 30953676] - genirq: Free irq_desc with rcu (Thomas Gleixner) [Orabug: 30953676] - qla2xxx: Update driver version to 9.00.00.00.42.0-k1-v2 (Arun Easi) [Orabug: 30372266] - qla2xxx: Fix device discovery when FCP2 device is lost. (Arun Easi) [Orabug: 30372266] - brcmfmac: add subtype check for event handling in data path (John Donnelly) [Orabug: 30776354] (CVE-2019-9503) - percpu-refcount: fix reference leak during percpu-atomic transition (Douglas Miller) [Orabug: 30867060] - blk-mq: Allow timeouts to run while queue is freezing (Gabriel Krisman Bertazi) [Orabug: 30867060] - fs/dcache.c: fix spin lockup issue on nlru->lock (Junxiao Bi) [Orabug: 30953290] - jbd2: disable CONFIG_JBD2_DEBUG (Junxiao Bi) [Orabug: 31234664] - mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf (Navid Emamdoost) [Orabug: 31246302] (CVE-2019-19056) - drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl (Vladis Dronov) [Orabug: 31262557] (CVE-2017-7346) - i40e: Increment the driver version for FW API update (Jack Vogel) [Orabug: 31051191] (CVE-2019-0140) (CVE-2019-0139) (CVE-2019-0144) - i40e: Update FW API version to 1.9 (Piotr Azarewicz) [Orabug: 31051191] (CVE-2019-0140) (CVE-2019-0139) (CVE-2019-0144) - i40e: Changed maximum supported FW API version to 1.8 (Adam Ludkiewicz) [Orabug: 31051191] (CVE-2019-0140) (CVE-2019-0139) (CVE-2019-0144) - i40e: Stop dropping 802.1ad tags - eth proto 0x88a8 (Scott Peterson) [Orabug: 31051191] (CVE-2019-0140) (CVE-2019-0139) (CVE-2019-0144) - i40e: fix reading LLDP configuration (Mariusz Stachura) [Orabug: 31051191] (CVE-2019-0140) (CVE-2019-0139) (CVE-2019-0144) - i40e: Add capability flag for stopping FW LLDP (Krzysztof Galazka) [Orabug: 31051191] (CVE-2019-0140) (CVE-2019-0139) (CVE-2019-0144) - i40e: refactor FW version checking (Mitch Williams) [Orabug: 31051191] (CVE-2019-0140) (CVE-2019-0139) (CVE-2019-0144) - i40e: shutdown all IRQs and disable MSI-X when suspended (Jacob Keller) [Orabug: 31051191] (CVE-2019-0140) (CVE-2019-0139) (CVE-2019-0144) - i40e: prevent service task from running while we last seen 2020-06-10 modified 2020-06-04 plugin id 137128 published 2020-06-04 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/137128 title OracleVM 3.4 : Unbreakable / etc (OVMSA-2020-0019) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1524.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control.(CVE-2018-18559i1/4%0 - The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump. A local users could obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.(CVE-2017-11472i1/4%0 - Race condition in net/packet/af_packet.c in the Linux kernel allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that makes PACKET_FANOUT setsockopt system calls.(CVE-2017-6346i1/4%0 - Multiple race conditions in ipc/shm.c in the Linux kernel before 3.12.2 allow local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted application that uses shmctl IPC_RMID operations in conjunction with other shm system calls.(CVE-2013-7026i1/4%0 - An issue was discovered in the Linux kernel. A NULL pointer dereference and panic in hfsplus_lookup() in the fs/hfsplus/dir.c function can occur when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory.(CVE-2018-14617i1/4%0 - The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint.(CVE-2016-2782i1/4%0 - An information-exposure flaw was found in the Linux kernel where the pcpu_embed_first_chunk() function in mm/percpu.c allows local users to obtain kernel-object address information by reading the kernel log (dmesg). However, this address is not static and cannot be used to commit a further attack.(CVE-2018-5995i1/4%0 - Buffer overflow in net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, allows remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a long unencrypted auth ticket.(CVE-2014-6416i1/4%0 - It was found that the Linux kernel last seen 2020-03-19 modified 2019-05-14 plugin id 124977 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124977 title EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1524) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2020-5644.NASL description Description of changes: kernel-uek [3.8.13-118.44.1.el7uek] - net: qlogic: Fix memory leak in ql_alloc_large_buffers (Navid Emamdoost) [Orabug: 31055328] {CVE-2019-18806} - swiotlb: clean up reporting (Kees Cook) [Orabug: 31085018] {CVE-2018-5953} last seen 2020-04-17 modified 2020-04-14 plugin id 135432 published 2020-04-14 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135432 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5644) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1731.NASL description The linux update issued as DLA-1731-1 caused a regression in the vmxnet3 (VMware virtual network adapter) driver. This update corrects that regression, and an earlier regression in the CIFS network filesystem implementation introduced in DLA-1422-1. For reference the original advisory text follows. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2016-10741 A race condition was discovered in XFS that would result in a crash (BUG). A local user permitted to write to an XFS volume could use this for denial of service. CVE-2017-5753 Further instances of code that was vulnerable to Spectre variant 1 (bounds-check bypass) have been mitigated. CVE-2017-13305 A memory over-read was discovered in the keys subsystem last seen 2020-06-01 modified 2020-06-02 plugin id 123420 published 2019-03-28 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123420 title Debian DLA-1731-2 : linux regression update (Spectre) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2020-5649.NASL description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s). last seen 2020-05-03 modified 2020-04-15 plugin id 135574 published 2020-04-15 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135574 title Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2020-5649)
References
- http://www.securityfocus.com/bid/105045
- http://www.securityfocus.com/bid/105045
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7d63fb3af87aa67aa7d24466e792f9d7c57d8e79
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7d63fb3af87aa67aa7d24466e792f9d7c57d8e79
- https://github.com/johnsonwangqize/cve-linux/blob/master/%20CVE-2018-5953.md
- https://github.com/johnsonwangqize/cve-linux/blob/master/%20CVE-2018-5953.md
- https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html
- https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html
- https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html
- https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html