CVE-2020-11884 - Race Condition vulnerability in multiple products

CVSS 7.0 - HIGH
Attack vector: LOCAL
Attack complexity: HIGH
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary

In the Linux kernel 4.19 through 5.6.7 on the s390 platform, code execution may occur because of a race condition, as demonstrated by code in enable_sacf_uaccess in arch/s390/lib/uaccess.c that fails to protect against a concurrent page table upgrade, aka CID-3f777e19d171. A crash could also occur.

Vulnerable Configurations

Part         Description    Count
OS           Linux          467
OS           Canonical      4
OS           Debian         1
OS           Fedoraproject  3
OS           Netapp         12
Application  Netapp         6
Hardware     Netapp         13

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2020-2429.NASL
    description: The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2429 advisory. - kernel: powerpc: incomplete Spectre-RSB mitigation leads to information exposure (CVE-2019-18660) - Kernel: NetLabel: null pointer dereference while receiving CIPSO packet with null category may cause kernel panic (CVE-2020-10711) - Kernel: s390: page table upgrade in secondary address mode may lead to privilege escalation (CVE-2020-11884) - kernel: use-after-free in block/bfq-iosched.c related to bfq_idle_slice_timer_body (CVE-2020-12657) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-12
    modified: 2020-06-09
    plugin id: 137275
    published: 2020-06-09
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/137275
    title: RHEL 8 : kernel (RHSA-2020:2429)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-4342-1.NASL
    description: Al Viro discovered that the Linux kernel for s390x systems did not properly perform page table upgrades for kernel sections that use secondary address mode. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-11884) It was discovered that the Intel Wi-Fi driver in the Linux kernel did not properly check for errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16234) Tristan Madani discovered that the block I/O tracing implementation in the Linux kernel contained a race condition. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2019-19768) It was discovered that the vhost net driver in the Linux kernel contained a stack buffer overflow. A local attacker with the ability to perform ioctl() calls on /dev/vhost-net could use this to cause a denial of service (system crash). (CVE-2020-10942) It was discovered that the virtual terminal implementation in the Linux kernel contained a race condition. A local attacker could possibly use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2020-8648) Shijie Luo discovered that the ext4 file system implementation in the Linux kernel did not properly check for a too-large journal size. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (soft lockup). (CVE-2020-8992) Jordy Zomer discovered that the floppy driver in the Linux kernel did not properly check for errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2020-9383). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-09
    modified: 2020-04-29
    plugin id: 136085
    published: 2020-04-29
    reporter: Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136085
    title: Ubuntu 18.04 LTS / 19.10 : linux, linux-aws, linux-azure, linux-gcp, linux-gke-5.3, linux-hwe, (USN-4342-1)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2020-2102.NASL
    description: From Red Hat Security Advisory 2020:2102 : The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2102 advisory. - Kernel: NetLabel: null pointer dereference while receiving CIPSO packet with null category may cause kernel panic (CVE-2020-10711) - Kernel: s390: page table upgrade in secondary address mode may lead to privilege escalation (CVE-2020-11884) - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources (CVE-2020-2732) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-06
    modified: 2020-05-15
    plugin id: 136646
    published: 2020-05-15
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136646
    title: Oracle Linux 8 : kernel (ELSA-2020-2102)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-4343-1.NASL
    description: Al Viro discovered that the Linux kernel for s390x systems did not properly perform page table upgrades for kernel sections that use secondary address mode. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-09
    modified: 2020-04-29
    plugin id: 136086
    published: 2020-04-29
    reporter: Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136086
    title: Ubuntu 20.04 : linux vulnerability (USN-4343-1)
  • NASL family: PhotonOS Local Security Checks
    NASL id: PHOTONOS_PHSA-2020-3_0-0100_LINUX.NASL
    description: An update of the linux package has been released.
    last seen: 2020-06-10
    modified: 2020-06-06
    plugin id: 137190
    published: 2020-06-06
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/137190
    title: Photon OS 3.0: Linux PHSA-2020-3.0-0100
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2020-2199.NASL
    description: The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2199 advisory. - kernel: use-after-free in __blk_add_trace in kernel/trace/blktrace.c (CVE-2019-19768) - Kernel: NetLabel: null pointer dereference while receiving CIPSO packet with null category may cause kernel panic (CVE-2020-10711) - Kernel: s390: page table upgrade in secondary address mode may lead to privilege escalation (CVE-2020-11884) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-05-31
    modified: 2020-05-20
    plugin id: 136717
    published: 2020-05-20
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136717
    title: RHEL 8 : kernel (RHSA-2020:2199)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2020-1592.NASL
    description: According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the Linux kernel
    last seen: 2020-06-11
    modified: 2020-05-26
    plugin id: 136870
    published: 2020-05-26
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136870
    title: EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1592)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2020-2102.NASL
    description: The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2102 advisory. - Kernel: NetLabel: null pointer dereference while receiving CIPSO packet with null category may cause kernel panic (CVE-2020-10711) - Kernel: s390: page table upgrade in secondary address mode may lead to privilege escalation (CVE-2020-11884) - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources (CVE-2020-2732) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-05-15
    modified: 2020-05-12
    plugin id: 136526
    published: 2020-05-12
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136526
    title: RHEL 8 : kernel (RHSA-2020:2102)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2020-64D46A6E29.NASL
    description: The 5.6.8 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-09
    modified: 2020-05-04
    plugin id: 136295
    published: 2020-05-04
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136295
    title: Fedora 30 : kernel (2020-64d46a6e29)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2020-B453269C4E.NASL
    description: The 5.6.8 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-09
    modified: 2020-05-04
    plugin id: 136298
    published: 2020-05-04
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136298
    title: Fedora 31 : kernel (2020-b453269c4e)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-4345-1.NASL
    description: Al Viro discovered that the Linux kernel for s390x systems did not properly perform page table upgrades for kernel sections that use secondary address mode. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-11884) It was discovered that the Intel Wi-Fi driver in the Linux kernel did not properly check for errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16234) Tristan Madani discovered that the block I/O tracing implementation in the Linux kernel contained a race condition. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2019-19768) It was discovered that the vhost net driver in the Linux kernel contained a stack buffer overflow. A local attacker with the ability to perform ioctl() calls on /dev/vhost-net could use this to cause a denial of service (system crash). (CVE-2020-10942) It was discovered that the OV51x USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11608) It was discovered that the STV06XX USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11609) It was discovered that the Xirlink C-It USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11668) It was discovered that the virtual terminal implementation in the Linux kernel contained a race condition. A local attacker could possibly use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2020-8648) Jordy Zomer discovered that the floppy driver in the Linux kernel did not properly check for errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2020-9383). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-09
    modified: 2020-04-29
    plugin id: 136088
    published: 2020-04-29
    reporter: Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136088
    title: Ubuntu 16.04 LTS / 18.04 LTS : linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, (USN-4345-1)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-4667.NASL
    description: Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leak. - CVE-2020-2732 Paulo Bonzini discovered that the KVM implementation for Intel processors did not properly handle instruction emulation for L2 guests when nested virtualization is enabled. This could allow an L2 guest to cause privilege escalation, denial of service, or information leaks in the L1 guest. - CVE-2020-8428 Al Viro discovered a use-after-free vulnerability in the VFS layer. This allowed local users to cause a denial-of-service (crash) or obtain sensitive information from kernel memory. - CVE-2020-10942 It was discovered that the vhost_net driver did not properly validate the type of sockets set as back-ends. A local user permitted to access /dev/vhost-net could use this to cause a stack corruption via crafted system calls, resulting in denial of service (crash) or possibly privilege escalation. - CVE-2020-11565 Entropy Moe reported that the shared memory filesystem (tmpfs) did not correctly handle an
    last seen: 2020-05-09
    modified: 2020-04-30
    plugin id: 136124
    published: 2020-04-30
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136124
    title: Debian DSA-4667-1 : linux - security update

Redhat

rpms
  • bpftool-0:4.18.0-193.1.2.el8_2
  • bpftool-debuginfo-0:4.18.0-193.1.2.el8_2
  • kernel-0:4.18.0-193.1.2.el8_2
  • kernel-abi-whitelists-0:4.18.0-193.1.2.el8_2
  • kernel-core-0:4.18.0-193.1.2.el8_2
  • kernel-cross-headers-0:4.18.0-193.1.2.el8_2
  • kernel-debug-0:4.18.0-193.1.2.el8_2
  • kernel-debug-core-0:4.18.0-193.1.2.el8_2
  • kernel-debug-debuginfo-0:4.18.0-193.1.2.el8_2
  • kernel-debug-devel-0:4.18.0-193.1.2.el8_2
  • kernel-debug-modules-0:4.18.0-193.1.2.el8_2
  • kernel-debug-modules-extra-0:4.18.0-193.1.2.el8_2
  • kernel-debuginfo-0:4.18.0-193.1.2.el8_2
  • kernel-debuginfo-common-aarch64-0:4.18.0-193.1.2.el8_2
  • kernel-debuginfo-common-ppc64le-0:4.18.0-193.1.2.el8_2
  • kernel-debuginfo-common-s390x-0:4.18.0-193.1.2.el8_2
  • kernel-debuginfo-common-x86_64-0:4.18.0-193.1.2.el8_2
  • kernel-devel-0:4.18.0-193.1.2.el8_2
  • kernel-doc-0:4.18.0-193.1.2.el8_2
  • kernel-headers-0:4.18.0-193.1.2.el8_2
  • kernel-modules-0:4.18.0-193.1.2.el8_2
  • kernel-modules-extra-0:4.18.0-193.1.2.el8_2
  • kernel-tools-0:4.18.0-193.1.2.el8_2
  • kernel-tools-debuginfo-0:4.18.0-193.1.2.el8_2
  • kernel-tools-libs-0:4.18.0-193.1.2.el8_2
  • kernel-tools-libs-devel-0:4.18.0-193.1.2.el8_2
  • kernel-zfcpdump-0:4.18.0-193.1.2.el8_2
  • kernel-zfcpdump-core-0:4.18.0-193.1.2.el8_2
  • kernel-zfcpdump-debuginfo-0:4.18.0-193.1.2.el8_2
  • kernel-zfcpdump-devel-0:4.18.0-193.1.2.el8_2
  • kernel-zfcpdump-modules-0:4.18.0-193.1.2.el8_2
  • kernel-zfcpdump-modules-extra-0:4.18.0-193.1.2.el8_2
  • perf-0:4.18.0-193.1.2.el8_2
  • perf-debuginfo-0:4.18.0-193.1.2.el8_2
  • python3-perf-0:4.18.0-193.1.2.el8_2
  • python3-perf-debuginfo-0:4.18.0-193.1.2.el8_2
  • bpftool-0:4.18.0-147.13.2.el8_1
  • bpftool-debuginfo-0:4.18.0-147.13.2.el8_1
  • kernel-0:4.18.0-147.13.2.el8_1
  • kernel-abi-whitelists-0:4.18.0-147.13.2.el8_1
  • kernel-core-0:4.18.0-147.13.2.el8_1
  • kernel-cross-headers-0:4.18.0-147.13.2.el8_1
  • kernel-debug-0:4.18.0-147.13.2.el8_1
  • kernel-debug-core-0:4.18.0-147.13.2.el8_1
  • kernel-debug-debuginfo-0:4.18.0-147.13.2.el8_1
  • kernel-debug-devel-0:4.18.0-147.13.2.el8_1
  • kernel-debug-modules-0:4.18.0-147.13.2.el8_1
  • kernel-debug-modules-extra-0:4.18.0-147.13.2.el8_1
  • kernel-debuginfo-0:4.18.0-147.13.2.el8_1
  • kernel-debuginfo-common-aarch64-0:4.18.0-147.13.2.el8_1
  • kernel-debuginfo-common-ppc64le-0:4.18.0-147.13.2.el8_1
  • kernel-debuginfo-common-s390x-0:4.18.0-147.13.2.el8_1
  • kernel-debuginfo-common-x86_64-0:4.18.0-147.13.2.el8_1
  • kernel-devel-0:4.18.0-147.13.2.el8_1
  • kernel-doc-0:4.18.0-147.13.2.el8_1
  • kernel-headers-0:4.18.0-147.13.2.el8_1
  • kernel-modules-0:4.18.0-147.13.2.el8_1
  • kernel-modules-extra-0:4.18.0-147.13.2.el8_1
  • kernel-tools-0:4.18.0-147.13.2.el8_1
  • kernel-tools-debuginfo-0:4.18.0-147.13.2.el8_1
  • kernel-tools-libs-0:4.18.0-147.13.2.el8_1
  • kernel-tools-libs-devel-0:4.18.0-147.13.2.el8_1
  • kernel-zfcpdump-0:4.18.0-147.13.2.el8_1
  • kernel-zfcpdump-core-0:4.18.0-147.13.2.el8_1
  • kernel-zfcpdump-debuginfo-0:4.18.0-147.13.2.el8_1
  • kernel-zfcpdump-devel-0:4.18.0-147.13.2.el8_1
  • kernel-zfcpdump-modules-0:4.18.0-147.13.2.el8_1
  • kernel-zfcpdump-modules-extra-0:4.18.0-147.13.2.el8_1
  • perf-0:4.18.0-147.13.2.el8_1
  • perf-debuginfo-0:4.18.0-147.13.2.el8_1
  • python3-perf-0:4.18.0-147.13.2.el8_1
  • python3-perf-debuginfo-0:4.18.0-147.13.2.el8_1
  • bpftool-0:4.18.0-80.23.2.el8_0
  • bpftool-debuginfo-0:4.18.0-80.23.2.el8_0
  • kernel-0:4.18.0-80.23.2.el8_0
  • kernel-abi-whitelists-0:4.18.0-80.23.2.el8_0
  • kernel-core-0:4.18.0-80.23.2.el8_0
  • kernel-cross-headers-0:4.18.0-80.23.2.el8_0
  • kernel-debug-0:4.18.0-80.23.2.el8_0
  • kernel-debug-core-0:4.18.0-80.23.2.el8_0
  • kernel-debug-debuginfo-0:4.18.0-80.23.2.el8_0
  • kernel-debug-devel-0:4.18.0-80.23.2.el8_0
  • kernel-debug-modules-0:4.18.0-80.23.2.el8_0
  • kernel-debug-modules-extra-0:4.18.0-80.23.2.el8_0
  • kernel-debuginfo-0:4.18.0-80.23.2.el8_0
  • kernel-debuginfo-common-aarch64-0:4.18.0-80.23.2.el8_0
  • kernel-debuginfo-common-ppc64le-0:4.18.0-80.23.2.el8_0
  • kernel-debuginfo-common-s390x-0:4.18.0-80.23.2.el8_0
  • kernel-debuginfo-common-x86_64-0:4.18.0-80.23.2.el8_0
  • kernel-devel-0:4.18.0-80.23.2.el8_0
  • kernel-doc-0:4.18.0-80.23.2.el8_0
  • kernel-headers-0:4.18.0-80.23.2.el8_0
  • kernel-modules-0:4.18.0-80.23.2.el8_0
  • kernel-modules-extra-0:4.18.0-80.23.2.el8_0
  • kernel-tools-0:4.18.0-80.23.2.el8_0
  • kernel-tools-debuginfo-0:4.18.0-80.23.2.el8_0
  • kernel-tools-libs-0:4.18.0-80.23.2.el8_0
  • kernel-zfcpdump-0:4.18.0-80.23.2.el8_0
  • kernel-zfcpdump-core-0:4.18.0-80.23.2.el8_0
  • kernel-zfcpdump-debuginfo-0:4.18.0-80.23.2.el8_0
  • kernel-zfcpdump-devel-0:4.18.0-80.23.2.el8_0
  • kernel-zfcpdump-modules-0:4.18.0-80.23.2.el8_0
  • kernel-zfcpdump-modules-extra-0:4.18.0-80.23.2.el8_0
  • perf-0:4.18.0-80.23.2.el8_0
  • perf-debuginfo-0:4.18.0-80.23.2.el8_0
  • python3-perf-0:4.18.0-80.23.2.el8_0
  • python3-perf-debuginfo-0:4.18.0-80.23.2.el8_0

References