Vulnerabilities > CVE-2019-19813 - Use After Free vulnerability in multiple products

047910
CVSS 7.1 - HIGH
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE

Summary

In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c. This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c.

Common Weakness Enumeration (CWE)

Nessus

NASL familyHuawei Local Security Checks
NASL idEULEROS_SA-2020-1112.NASL
descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):** DISPUTED ** In kernel/compat.c in the Linux kernel before 3.17, as used in Google Chrome OS and other products, there is a possible out-of-bounds read. restart_syscall uses uninitialized data when restarting compat_sys_nanosleep. NOTE: this is disputed because the code path is unreachable.(CVE-2014-3180)A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system.(CVE-2019-14901)A heap-based buffer overflow vulnerability was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP.(CVE-2019-14896)A memory leak in the ath10k_usb_hif_tx_sg() function in driverset/wireless/ath/ath10k/usb.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-b8d17e7d93d2.(CVE-2019-19078)A memory leak in the mlx5_fpga_conn_create_cq() function in driverset/ethernet/mellanox/mlx5/core/fpga/conn.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka CID-c8c2a057fdc7.(CVE-2019-19045)A stack-based buffer overflow was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA.(CVE-2019-14897)An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel
last seen2020-05-06
modified2020-02-24
plugin id133913
published2020-02-24
reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/133913
titleEulerOS 2.0 SP5 : kernel (EulerOS-SA-2020-1112)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(133913);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");

  script_cve_id(
    "CVE-2014-3180",
    "CVE-2016-2085",
    "CVE-2017-18549",
    "CVE-2017-18550",
    "CVE-2018-12207",
    "CVE-2018-5995",
    "CVE-2018-7273",
    "CVE-2019-0155",
    "CVE-2019-11085",
    "CVE-2019-11135",
    "CVE-2019-14895",
    "CVE-2019-14896",
    "CVE-2019-14897",
    "CVE-2019-14901",
    "CVE-2019-18660",
    "CVE-2019-19045",
    "CVE-2019-19078",
    "CVE-2019-19227",
    "CVE-2019-19332",
    "CVE-2019-19447",
    "CVE-2019-19525",
    "CVE-2019-19534",
    "CVE-2019-19536",
    "CVE-2019-19768",
    "CVE-2019-19813",
    "CVE-2019-19922",
    "CVE-2019-19965",
    "CVE-2019-19966",
    "CVE-2019-20054",
    "CVE-2019-20095",
    "CVE-2019-5108",
    "CVE-2019-9458"
  );

  script_name(english:"EulerOS 2.0 SP5 : kernel (EulerOS-SA-2020-1112)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),
    the core of any Linux operating system. The kernel
    handles the basic functions of the operating system:
    memory allocation, process allocation, device input and
    output, etc.Security Fix(es):** DISPUTED ** In
    kernel/compat.c in the Linux kernel before 3.17, as
    used in Google Chrome OS and other products, there is a
    possible out-of-bounds read. restart_syscall uses
    uninitialized data when restarting
    compat_sys_nanosleep. NOTE: this is disputed because
    the code path is unreachable.(CVE-2014-3180)A heap
    overflow flaw was found in the Linux kernel, all
    versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi
    chip driver. The vulnerability allows a remote attacker
    to cause a system crash, resulting in a denial of
    service, or execute arbitrary code. The highest threat
    with this vulnerability is with the availability of the
    system. If code execution occurs, the code will run
    with the permissions of root. This will affect both
    confidentiality and integrity of files on the
    system.(CVE-2019-14901)A heap-based buffer overflow
    vulnerability was found in the Linux kernel, version
    kernel-2.6.32, in Marvell WiFi chip driver. A remote
    attacker could cause a denial of service (system crash)
    or, possibly execute arbitrary code, when the
    lbs_ibss_join_existing function is called after a STA
    connects to an AP.(CVE-2019-14896)A memory leak in the
    ath10k_usb_hif_tx_sg() function in
    driverset/wireless/ath/ath10k/usb.c in the Linux kernel
    through 5.3.11 allows attackers to cause a denial of
    service (memory consumption) by triggering
    usb_submit_urb() failures, aka
    CID-b8d17e7d93d2.(CVE-2019-19078)A memory leak in the
    mlx5_fpga_conn_create_cq() function in
    driverset/ethernet/mellanox/mlx5/core/fpga/conn.c in
    the Linux kernel before 5.3.11 allows attackers to
    cause a denial of service (memory consumption) by
    triggering mlx5_vector2eqn() failures, aka
    CID-c8c2a057fdc7.(CVE-2019-19045)A stack-based buffer
    overflow was found in the Linux kernel, version
    kernel-2.6.32, in Marvell WiFi chip driver. An attacker
    is able to cause a denial of service (system crash) or,
    possibly execute arbitrary code, when a STA works in
    IBSS mode (allows connecting stations together without
    the use of an AP) and connects to another
    STA.(CVE-2019-14897)An out-of-bounds memory write issue
    was found in the Linux Kernel, version 3.13 through
    5.4, in the way the Linux kernel's KVM hypervisor
    handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request
    to get CPUID features emulated by the KVM hypervisor. A
    user or process able to access the '/dev/kvm' device
    could use this flaw to crash the system, resulting in a
    denial of service.(CVE-2019-19332)Improper invalidation
    for page table updates by a virtual guest operating
    system for multiple Intel(R) Processors may allow an
    authenticated user to potentially enable denial of
    service of the host system via local
    access.(CVE-2018-12207)In the Android kernel in the
    video driver there is a use after free due to a race
    condition. This could lead to local escalation of
    privilege with no additional execution privileges
    needed. User interaction is not needed for
    exploitation.(CVE-2019-9458)In the AppleTalk subsystem
    in the Linux kernel before 5.1, there is a potential
    NULL pointer dereference because register_snap_client
    may return NULL. This will lead to denial of service in
    net/appletalk/aarp.c and net/appletalk/ddp.c, as
    demonstrated by unregister_snap_client, aka
    CID-9804501fa122.(CVE-2019-19227)In the Linux kernel
    5.0.21, mounting a crafted btrfs filesystem image,
    performing some operations, and then making a syncfs
    system call can lead to a use-after-free in
    __mutex_lock in kernel/locking/mutex.c. This is related
    to mutex_can_spin_on_owner in kernel/locking/mutex.c,
    __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and
    btrfs_insert_delayed_items in
    fs/btrfs/delayed-inode.c.(CVE-2019-19813)In the Linux
    kernel 5.4.0-rc2, there is a use-after-free (read) in
    the __blk_add_trace function in kernel/trace/blktrace.c
    (which is used to fill out a blk_io_trace structure and
    place it in a per-cpu sub-buffer).(CVE-2019-19768)In
    the Linux kernel before 5.0.6, there is a NULL pointer
    dereference in drop_sysctl_table() in
    fs/proc/proc_sysctl.c, related to put_links, aka
    CID-23da9588037e.(CVE-2019-20054)In the Linux kernel
    before 5.2.9, there is an info-leak bug that can be
    caused by a malicious USB device in the
    driverset/can/usb/peak_usb/pcan_usb_pro.c driver, aka
    CID-ead16e53c2f0.(CVE-2019-19536)In the Linux kernel
    before 5.3.11, there is an info-leak bug that can be
    caused by a malicious USB device in the
    driverset/can/usb/peak_usb/pcan_usb_core.c driver, aka
    CID-f7a1337f0d29.(CVE-2019-19534)In the Linux kernel
    before 5.3.6, there is a use-after-free bug that can be
    caused by a malicious USB device in the
    driverset/ieee802154/atusb.c driver, aka
    CID-7fd25e6fc035.(CVE-2019-19525)Insufficient access
    control in a subsystem for Intel (R) processor graphics
    in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM)
    Processor Families Intel(R) Pentium(R) Processor J, N,
    Silver and Gold Series Intel(R) Celeron(R) Processor J,
    N, G3900 and G4900 Series Intel(R) Atom(R) Processor A
    and E3900 Series Intel(R) Xeon(R) Processor E3-1500 v5
    and v6, E-2100 and E-2200 Processor Families Intel(R)
    Graphics Driver for Windows before 26.20.100.6813 (DCH)
    or 26.20.100.6812 and before 21.20.x.5077
    (aka15.45.5077), i915 Linux Driver for Intel(R)
    Processor Graphics before versions 5.4-rc7, 5.3.11,
    4.19.84, 4.14.154, 4.9.201, 4.4.201 may allow an
    authenticated user to potentially enable escalation of
    privilege via local access.(CVE-2019-0155)Insufficient
    input validation in Kernel Mode Driver in Intel(R) i915
    Graphics for Linux before version 5.0 may allow an
    authenticated user to potentially enable escalation of
    privilege via local
    access.(CVE-2019-11085)kernel/sched/fair.c in the Linux
    kernel before 5.3.9, when cpu.cfs_quota_us is used
    (e.g., with Kubernetes), allows attackers to cause a
    denial of service against non-cpu-bound applications by
    generating a workload that triggers unwanted slice
    expiration, aka CID-de53fd7aedb1. (In other words,
    although this slice expiration would typically be seen
    with benign workloads, it is possible that an attacker
    could calculate how many stray requests are required to
    force an entire Kubernetes cluster into a
    low-performance state caused by slice expiration, and
    ensure that a DDoS attack sent that number of stray
    requests. An attack does not affect the stability of
    the kernel it only causes mismanagement of application
    execution.)(CVE-2019-19922)The evm_verify_hmac function
    in security/integrity/evm/evm_main.c in the Linux
    kernel before 4.5 does not properly copy data, which
    makes it easier for local users to forge MAC values via
    a timing side-channel attack.(CVE-2016-2085)The
    pcpu_embed_first_chunk function in mm/percpu.c in the
    Linux kernel through 4.14.14 allows local users to
    obtain sensitive address information by reading dmesg
    data from a 'pages/cpu' printk call.(CVE-2018-5995)TSX
    Asynchronous Abort condition on some CPUs utilizing
    speculative execution may allow an authenticated user
    to potentially enable information disclosure via a side
    channel with local access.(CVE-2019-11135)An issue was
    discovered in drivers/scsi/aacraid/commctrl.c in the
    Linux kernel before 4.13. There is potential exposure
    of kernel stack memory because aac_send_raw_srb does
    not initialize the reply structure.(CVE-2017-18549)An
    issue was discovered in drivers/scsi/aacraid/commctrl.c
    in the Linux kernel before 4.13. There is potential
    exposure of kernel stack memory because
    aac_get_hba_info does not initialize the hbainfo
    structure.(CVE-2017-18550)In the Linux kernel through
    4.15.4, the floppy driver reveals the addresses of
    kernel functions and global variables using printk
    calls within the function show_floppy in
    drivers/block/floppy.c. An attacker can read this
    information from dmesg and use the addresses to find
    the locations of kernel code and data and bypass kernel
    security protections such as KASLR.(CVE-2018-7273)A
    heap-based buffer overflow was discovered in the Linux
    kernel, all versions 3.x.x and 4.x.x before 4.18.0, in
    Marvell WiFi chip driver. The flaw could occur when the
    station attempts a connection negotiation during the
    handling of the remote devices country settings. This
    could allow the remote device to cause a denial of
    service (system crash) or possibly execute arbitrary
    code.(CVE-2019-14895)The Linux kernel before 5.4.1 on
    powerpc allows Information Exposure because the
    Spectre-RSB mitigation is not in place for all
    applicable CPUs, aka CID-39e72bf96f58. This is related
    to arch/powerpc/kernel/entry_64.S and
    arch/powerpc/kernel/security.c.(CVE-2019-18660)In the
    Linux kernel 5.0.21, mounting a crafted ext4 filesystem
    image, performing some operations, and unmounting can
    lead to a use-after-free in ext4_put_super in
    fs/ext4/super.c, related to dump_orphan_list in
    fs/ext4/super.c.(CVE-2019-19447)In the Linux kernel
    through 5.4.6, there is a NULL pointer dereference in
    drivers/scsi/libsas/sas_discover.c because of
    mishandling of port disconnection during discovery,
    related to a PHY down race condition, aka
    CID-f70267f379b5.(CVE-2019-19965)In the Linux kernel
    before 5.1.6, there is a use-after-free in cpia2_exit()
    in drivers/media/usb/cpia2/cpia2_v4l.c that will cause
    denial of service, aka
    CID-dea37a972655.(CVE-2019-19966)An exploitable
    denial-of-service vulnerability exists in the Linux
    kernel prior to mainline 5.3. An attacker could exploit
    this vulnerability by triggering AP to send IAPP
    location updates for stations before the required
    authentication process has completed. This could lead
    to different denial-of-service scenarios, either by
    causing CAM table attacks, or by leading to traffic
    flapping if faking already existing clients in other
    nearby APs of the same wireless infrastructure. An
    attacker can forge Authentication and Association
    Request packets to trigger this
    vulnerability.(CVE-2019-5108)mwifiex_tm_cmd in
    drivers/net/wireless/marvell/mwifiex/cfg80211.c in the
    Linux kernel before 5.1.6 has some error-handling cases
    that did not free allocated hostcmd memory, aka
    CID-003b686ace82. This will cause a memory leak and
    denial of service.(CVE-2019-20095)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1112
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?51adc7d4");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["kernel-3.10.0-862.14.1.5.h408.eulerosv2r7",
        "kernel-devel-3.10.0-862.14.1.5.h408.eulerosv2r7",
        "kernel-headers-3.10.0-862.14.1.5.h408.eulerosv2r7",
        "kernel-tools-3.10.0-862.14.1.5.h408.eulerosv2r7",
        "kernel-tools-libs-3.10.0-862.14.1.5.h408.eulerosv2r7",
        "perf-3.10.0-862.14.1.5.h408.eulerosv2r7",
        "python-perf-3.10.0-862.14.1.5.h408.eulerosv2r7"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}