Vulnerabilities > CVE-2020-9391 - Out-of-bounds Write vulnerability in multiple products
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Summary
An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 on the AArch64 architecture. It ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move upwards, aka CID-dcde237319e6. This has been observed to cause heap corruption with the GNU C Library malloc implementation.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 16 | |
OS | 1 | |
OS | 1 | |
Application | 6 | |
Hardware | 1 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Fedora Local Security Checks
NASL id FEDORA_2020-3CD64D683C.NASL
description The 5.5.6 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-03-18
modified 2020-03-02
plugin id 134187
published 2020-03-02
reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/134187
title Fedora 31 : kernel / kernel-headers / kernel-tools (2020-3cd64d683c)
code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2020-3cd64d683c.
#

# Purpose: local (credentialed) check for Fedora 31. It compares the installed
# kernel, kernel-headers and kernel-tools RPMs against the package versions
# named in FEDORA-2020-3cd64d683c and reports when any rpm_check() call flags
# one of them. The plugin is tagged with CVE-2020-9391; it inspects package
# data from the knowledge base only and does not probe brk() behaviour.

include("compat.inc");

# Registration pass: when `description` is set, this block only declares the
# plugin's metadata and exits before any host data is read.
if (description)
{
  script_id(134187);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/10");

  script_cve_id("CVE-2020-9391");
  script_xref(name:"FEDORA", value:"2020-3cd64d683c");

  script_name(english:"Fedora 31 : kernel / kernel-headers / kernel-tools (2020-3cd64d683c)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The 5.5.6 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2020-3cd64d683c"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Update the affected kernel, kernel-headers and / or kernel-tools packages."
  );
  # CVSS v2: local, no authentication, partial availability impact only.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  # CVSS v3.0: local, low privileges required, high availability impact only.
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:31");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/02");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  # The check depends on knowledge-base items written by these two scripts
  # and refuses to run unless the three keys below are present.
  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
include("ksplice.inc");


# Gate 1: credentialed (local) checks must have been enabled for this host.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Gate 2: the release string must mention Fedora (`>!<` is "is not a substring of").
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");

# Gate 3: extract the major release number and require exactly 31; the
# `([^0-9]|$)` tail keeps values such as 310 from matching.
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^31([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 31", "Fedora " + os_ver);

# Gate 4: an RPM package list must have been collected.
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Gate 5: CPU architecture.
# NOTE(review): only x86_64 and i[3-6]86 hosts get past this line; any other
# CPU string, AArch64 included, ends in AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED.
# The CVE-2020-9391 summary limits the kernel flaw to AArch64, so a finding
# from this plugin means "Fedora 31 kernel update missing" on an x86 host,
# not confirmed exposure to the brk() issue, and AArch64 hosts have to be
# covered by a separate kernel-version check.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# Ksplice handling, entered only when the KB holds "Host/ksplice/kernel-cves".
# A true result from ksplice_cves_check() ends the run as "patch installed";
# otherwise the Ksplice text becomes the start of the RPM report.
# NOTE(review): presumably ksplice_cves_check() is true when the live patch
# covers every CVE in the list -- it is defined in ksplice.inc, confirm there.
if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2020-9391");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for FEDORA-2020-3cd64d683c");
  }
  else
  {
    __rpm_report = ksplice_reporting_text();
  }
}

# Package comparison: `flag` counts the rpm_check() calls that returned true.
# Note the reference builds differ: kernel is -201, headers and tools are -200.
# NOTE(review): rpm_check() is assumed to return true when the installed
# package is older than `reference`; the function lives in rpm.inc.
flag = 0;
if (rpm_check(release:"FC31", reference:"kernel-5.5.6-201.fc31")) flag++;
if (rpm_check(release:"FC31", reference:"kernel-headers-5.5.6-200.fc31")) flag++;
if (rpm_check(release:"FC31", reference:"kernel-tools-5.5.6-200.fc31")) flag++;


# Reporting: at least one flagged package produces a finding on port 0 with
# severity SECURITY_NOTE and the accumulated RPM report as the detail text.
if (flag)
{
  security_report_v4(
    port : 0,
    severity : SECURITY_NOTE,
    extra : rpm_report_get()
  );
  exit(0);
}
else
{
  # Nothing flagged: distinguish "packages were tested and are not affected"
  # from "none of the packages was found to test".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-headers / kernel-tools");
}
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2020-5691.NASL description Description of changes: Description of changes: [5.4.17-2011.2.2.el8uek] - scsi: qla2xxx: Move free of fcport out of interrupt context (Joe Carnuccio) [Orabug: 31225231] - xfs: move inode flush to the sync workqueue (Darrick J. Wong) [Orabug: 31132665] - arm64: Kconfig: Enable NODES_SPAN_OTHER_NODES config for NUMA (Hoan Tran) [Orabug: 31049202] - scsi: bnx2fc: timeout calculation invalid for bnx2fc_eh_abort() (Laurence Oberman) [Orabug: 31207643] - jbd2: disable CONFIG_JBD2_DEBUG (Junxiao Bi) [Orabug: 31264694] [5.4.17-2011.2.1.el8uek] - x86/mce: Restart the system when LMCE UE error occurs (Thomas Tai) [Orabug: 31218859] - media: xirlink_cit: add missing descriptor sanity checks (Johan Hovold) [Orabug: 31213764] {CVE-2020-11668} - media: ov519: add missing endpoint sanity checks (Johan Hovold) [Orabug: 31213755] {CVE-2020-11608} - x86/microcode/AMD: Increase microcode PATCH_MAX_SIZE (John Allen) [Orabug: 31213533] - media: stv06xx: add missing descriptor sanity checks (Johan Hovold) [Orabug: 31200576] {CVE-2020-11609} - rds: Fix use-after-free in rds_ib_free_caches (Hans Westgaard Ry) [Orabug: 31200768] - net/rds: Fix MR reference counting problem (Ka-Cheong Poon) [Orabug: 31130194] - net/rds: Replace struct rds_mr last seen 2020-05-31 modified 2020-05-20 plugin id 136727 published 2020-05-20 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136727 title Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2020-5691)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1797052
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dcde237319e626d1ec3c9d8b7613032f0fd4663a
- http://www.openwall.com/lists/oss-security/2020/02/25/6
- https://security.netapp.com/advisory/ntap-20200313-0003/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O4LH35HOPBJIKYHYFXMBBM75DN75PZHZ/