Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3505.3
[SECURITY] [DLA 1919-1] linux-4.9 security update
26 September 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: linux-4.9
Publisher: Debian
Operating System: Debian GNU/Linux 8
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-15926 CVE-2019-15924 CVE-2019-15807
CVE-2019-15666 CVE-2019-15538 CVE-2019-15292
CVE-2019-15221 CVE-2019-15220 CVE-2019-15219
CVE-2019-15218 CVE-2019-15216 CVE-2019-15215
CVE-2019-15212 CVE-2019-15211 CVE-2019-11487
CVE-2019-9506 CVE-2019-0136
Reference: ESB-2019.2742.2
ESB-2019.2155
ESB-2019.2100
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2019/09/msg00014.html
https://lists.debian.org/debian-lts-announce/2019/09/msg00025.html
Comment: This bulletin contains three (3) Debian security advisories.
This advisory references vulnerabilities in the Linux kernel that
also affect distributions other than Debian. It is recommended that
administrators running Linux check for an updated version of the
kernel for their system.
Revision History: September 26 2019: Vendor released updated announcement DLA 1930-1
September 24 2019: Remove CVE-2019-1591, CVE-2019-1592 and CVE-2019-1529 which were erroneously included.
September 16 2019: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Package : linux-4.9
Version : 4.9.189-3~deb8u1
CVE ID : CVE-2019-0136 CVE-2019-9506 CVE-2019-11487 CVE-2019-15211
CVE-2019-15212 CVE-2019-15215 CVE-2019-15216 CVE-2019-15218
CVE-2019-15219 CVE-2019-15220 CVE-2019-15221 CVE-2019-15292
CVE-2019-15538 CVE-2019-15666 CVE-2019-15807 CVE-2019-15924
CVE-2019-15926
Debian Bug : 930904
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
CVE-2019-0136
It was discovered that the wifi soft-MAC implementation (mac80211)
did not properly authenticate Tunneled Direct Link Setup (TDLS)
messages. A nearby attacker could use this for denial of service
(loss of wifi connectivity).
CVE-2019-9506
Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen
discovered a weakness in the Bluetooth pairing protocols, dubbed
the "KNOB attack". An attacker that is nearby during pairing
could use this to weaken the encryption used between the paired
devices, and then to eavesdrop on and/or spoof communication
between them.
This update mitigates the attack by requiring a minimum encryption
key length of 56 bits.
CVE-2019-11487
Jann Horn discovered that the FUSE (Filesystem-in-Userspace)
facility could be used to cause integer overflow in page reference
counts, leading to a use-after-free. On a system with sufficient
physical memory, a local user permitted to create arbitrary FUSE
mounts could use this for privilege escalation.
By default, unprivileged users can only mount FUSE filesystems
through fusermount, which limits the number of mounts created and
should completely mitigate the issue.
CVE-2019-15211
The syzkaller tool found a bug in the radio-raremono driver that
could lead to a use-after-free. An attacker able to add and
remove USB devices could use this to cause a denial of service
(memory corruption or crash) or possibly for privilege escalation.
CVE-2019-15212
The syzkaller tool found that the rio500 driver does not work
correctly if more than one device is bound to it. An attacker
able to add USB devices could use this to cause a denial of
service (memory corruption or crash) or possibly for privilege
escalation.
CVE-2019-15215
The syzkaller tool found a bug in the cpia2_usb driver that leads
to a use-after-free. An attacker able to add and remove USB
devices could use this to cause a denial of service (memory
corruption or crash) or possibly for privilege escalation.
CVE-2019-15216
The syzkaller tool found a bug in the yurex driver that leads to
a use-after-free. An attacker able to add and remove USB
devices could use this to cause a denial of service (memory
corruption or crash) or possibly for privilege escalation.
CVE-2019-15218
The syzkaller tool found that the smsusb driver did not validate
that USB devices have the expected endpoints, potentially leading
to a null pointer dereference. An attacker able to add USB
devices could use this to cause a denial of service (BUG/oops).
CVE-2019-15219
The syzkaller tool found that a device initialisation error in the
sisusbvga driver could lead to a null pointer dereference. An
attacker able to add USB devices could use this to cause a denial
of service (BUG/oops).
CVE-2019-15220
The syzkaller tool found a race condition in the p54usb driver
which could lead to a use-after-free. An attacker able to add and
remove USB devices could use this to cause a denial of service
(memory corruption or crash) or possibly for privilege escalation.
CVE-2019-15221
The syzkaller tool found that the line6 driver did not validate
USB devices' maximum packet sizes, which could lead to a heap
buffer overrun. An attacker able to add USB devices could use
this to cause a denial of service (memory corruption or crash) or
possibly for privilege escalation.
CVE-2019-15292
The Hulk Robot tool found missing error checks in the Appletalk
protocol implementation, which could lead to a use-after-free.
The security impact of this is unclear.
CVE-2019-15538
Benjamin Moody reported that operations on XFS hung after a
chgrp command failed due to a disk quota. A local user on a
system using XFS and disk quotas could use this for denial of
service.
CVE-2019-15666
The Hulk Robot tool found an incorrect range check in the network
transformation (xfrm) layer, leading to out-of-bounds memory
accesses. A local user with CAP_NET_ADMIN capability (in any user
namespace) could use this to cause a denial of service (memory
corruption or crash) or possibly for privilege escalation.
CVE-2019-15807
Jian Luo reported that the Serial Attached SCSI library (libsas)
did not correctly handle failure to discover devices beyond a SAS
expander. This could lead to a resource leak and crash (BUG).
The security impact of this is unclear.
CVE-2019-15924
The Hulk Robot tool found a missing error check in the fm10k
Ethernet driver, which could lead to a null pointer dereference
and crash (BUG/oops). The security impact of this is unclear.
CVE-2019-15926
It was found that the ath6kl wifi driver did not consistently
validate traffic class numbers in received control packets,
leading to out-of-bounds memory accesses. A nearby attacker on
the same wifi network could use this to cause a denial of service
(memory corruption or crash) or possibly for privilege escalation.
For Debian 8 "Jessie", these problems have been fixed in version
4.9.189-3~deb8u1.
We recommend that you upgrade your linux-4.9 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
=============================================================================
ackage : linux
Version : 3.16.74-1
CVE ID : CVE-2016-10905 CVE-2018-20976 CVE-2018-21008 CVE-2019-0136
CVE-2019-9506 CVE-2019-14814 CVE-2019-14815 CVE-2019-14816
CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118
CVE-2019-15211 CVE-2019-15212 CVE-2019-15215 CVE-2019-15218
CVE-2019-15219 CVE-2019-15220 CVE-2019-15221 CVE-2019-15292
CVE-2019-15807 CVE-2019-15917 CVE-2019-15926
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
CVE-2016-10905
A race condition was discovered in the GFS2 file-system
implementation, which could lead to a use-after-free. On a system
using GFS2, a local attacker could use this for denial of service
(memory corruption or crash) or possibly for privilege escalation.
CVE-2018-20976
It was discovered that the XFS file-system implementation did not
correctly handle some mount failure conditions, which could lead
to a use-after-free. The security impact of this is unclear.
CVE-2018-21008
It was discovered that the rsi wifi driver did not correctly
handle some failure conditions, which could lead to a use-after-
free. The security impact of this is unclear.
CVE-2019-0136
It was discovered that the wifi soft-MAC implementation (mac80211)
did not properly authenticate Tunneled Direct Link Setup (TDLS)
messages. A nearby attacker could use this for denial of service
(loss of wifi connectivity).
CVE-2019-9506
Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen
discovered a weakness in the Bluetooth pairing protocols, dubbed
the "KNOB attack". An attacker that is nearby during pairing
could use this to weaken the encryption used between the paired
devices, and then to eavesdrop on and/or spoof communication
between them.
This update mitigates the attack by requiring a minimum encryption
key length of 56 bits.
CVE-2019-14814, CVE-2019-14815, CVE-2019-14816
Multiple bugs were discovered in the mwifiex wifi driver, which
could lead to heap buffer overflows. A local user permitted to
configure a device handled by this driver could probably use this
for privilege escalation.
CVE-2019-14821
Matt Delco reported a race condition in KVM's coalesced MMIO
facility, which could lead to out-of-bounds access in the kernel.
A local attacker permitted to access /dev/kvm could use this to
cause a denial of service (memory corruption or crash) or possibly
for privilege escalation.
CVE-2019-14835
Peter Pi of Tencent Blade Team discovered a missing bounds check
in vhost_net, the network back-end driver for KVM hosts, leading
to a buffer overflow when the host begins live migration of a VM.
An attacker in control of a VM could use this to cause a denial of
service (memory corruption or crash) or possibly for privilege
escalation on the host.
CVE-2019-15117
Hui Peng and Mathias Payer reported a missing bounds check in the
usb-audio driver's descriptor parsing code, leading to a buffer
over-read. An attacker able to add USB devices could possibly use
this to cause a denial of service (crash).
CVE-2019-15118
Hui Peng and Mathias Payer reported unbounded recursion in the
usb-audio driver's descriptor parsing code, leading to a stack
overflow. An attacker able to add USB devices could use this to
cause a denial of service (memory corruption or crash) or possibly
for privilege escalation.
CVE-2019-15211
The syzkaller tool found a bug in the radio-raremono driver that
could lead to a use-after-free. An attacker able to add and
remove USB devices could use this to cause a denial of service
(memory corruption or crash) or possibly for privilege escalation.
CVE-2019-15212
The syzkaller tool found that the rio500 driver does not work
correctly if more than one device is bound to it. An attacker
able to add USB devices could use this to cause a denial of
service (memory corruption or crash) or possibly for privilege
escalation.
CVE-2019-15215
The syzkaller tool found a bug in the cpia2_usb driver that leads
to a use-after-free. An attacker able to add and remove USB
devices could use this to cause a denial of service (memory
corruption or crash) or possibly for privilege escalation.
CVE-2019-15218
The syzkaller tool found that the smsusb driver did not validate
that USB devices have the expected endpoints, potentially leading
to a null pointer dereference. An attacker able to add USB
devices could use this to cause a denial of service (BUG/oops).
CVE-2019-15219
The syzkaller tool found that a device initialisation error in the
sisusbvga driver could lead to a null pointer dereference. An
attacker able to add USB devices could use this to cause a denial
of service (BUG/oops).
CVE-2019-15220
The syzkaller tool found a race condition in the p54usb driver
which could lead to a use-after-free. An attacker able to add and
remove USB devices could use this to cause a denial of service
(memory corruption or crash) or possibly for privilege escalation.
CVE-2019-15221
The syzkaller tool found that the line6 driver did not validate
USB devices' maximum packet sizes, which could lead to a heap
buffer overrun. An attacker able to add USB devices could use
this to cause a denial of service (memory corruption or crash) or
possibly for privilege escalation.
CVE-2019-15292
The Hulk Robot tool found missing error checks in the Appletalk
protocol implementation, which could lead to a use-after-free.
The security impact of this is unclear.
CVE-2019-15807
Jian Luo reported that the Serial Attached SCSI library (libsas)
did not correctly handle failure to discover devices beyond a SAS
expander. This could lead to a resource leak and crash (BUG).
The security impact of this is unclear.
CVE-2019-15917
The syzkaller tool found a race condition in code supporting
UART-attached Bluetooth adapters, which could lead to a use-
after-free. A local user with access to a pty device or other
suitable tty device could use this to cause a denial of service
(memory corruption or crash) or possibly for privilege escalation.
CVE-2019-15926
It was found that the ath6kl wifi driver did not consistently
validate traffic class numbers in received control packets,
leading to out-of-bounds memory accesses. A nearby attacker on
the same wifi network could use this to cause a denial of service
(memory corruption or crash) or possibly for privilege escalation.
For Debian 8 "Jessie", these problems have been fixed in version
3.16.74-1.
We recommend that you upgrade your linux packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- --
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXYxLs2aOgq3Tt24GAQj9QRAAobuggqppIcBBnm59QG16wewZgNUUU5NN
1l9TJYLf36LkehgFbAKWsV+nJFJz+4nNWv9jQgIHTwXT34IVa26GqoGyiJ1md8N4
XGQMi7rDLrdzF/nWgIvhYcoiUxjKU3FkGAo6EgTPfeMCA/UmdIahrmelYOOypVVW
gxGVKLHxYEIHO+nxxLa+yAXC1lM17BKGc8J7uxfrtcAMmRmweZjPzIXzKWpLhxHm
7moejRovj1hBz16OzrNt28cehsBkXVGSOfMhVbpEiHVGZSx5XmUNzhTSBk3A/rCz
Ja8fIWev2+shbU6MWwieDgRzNsgtZLe2Cqq3wWrB8rm/JZc35A8fAYCgGA71x8L7
AbhHn0fXXPhYzBT83BFuad+JUT2EXaPvz1bR2Nk0mJ2VfA4iR9C4HzndBsskp5CF
rNIvTdpxreWKYvSfWHN5F/b3kp1g2h57mXbjCiWKj8xkahqvmPxuUHk3lRU3pOXG
68UoMTq1hfHyXRDi6LljXdA4iSFe/A3KNipTHfwIo8GJwqxBhJRSGtHfk5KC7z8W
T2F8SDCPBHiGn9fLMcMdetXOM4OojTWe+qJ+lrPv1EMZivgobYwjqj3YooH+XHYi
ujBNS4lmjTjV5SXRj4W98CySmvIak0r/D6QWmV45ByOcynCFaSIvHcPGddAleGw9
uqF4aUiWDNE=
=Cvuy
-----END PGP SIGNATURE-----