Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.2217
linux security update
23 June 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: linux kernel
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Increased Privileges -- Existing Account
Access Privileged Data -- Existing Account
Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-33034 CVE-2021-32399 CVE-2021-31916
CVE-2021-31829 CVE-2021-30002 CVE-2021-29650
CVE-2021-29647 CVE-2021-29265 CVE-2021-29264
CVE-2021-29155 CVE-2021-29154 CVE-2021-28971
CVE-2021-28964 CVE-2021-28950 CVE-2021-28688
CVE-2021-28660 CVE-2021-26930 CVE-2021-23134
CVE-2021-23133 CVE-2021-20292 CVE-2021-3587
CVE-2021-3573 CVE-2021-3564 CVE-2021-3506
CVE-2021-3483 CVE-2021-3428 CVE-2021-0129
CVE-2020-36322 CVE-2020-29374 CVE-2020-26558
CVE-2020-26147 CVE-2020-26139 CVE-2020-25672
CVE-2020-25671 CVE-2020-25670 CVE-2020-24588
CVE-2020-24587 CVE-2020-24586
Reference: ASB-2021.0110
ESB-2021.2184
ESB-2021.2145
ESB-2021.2136
ESB-2021.2079
Original Bulletin:
https://www.debian.org/lts/security/2021/dla-2689
https://www.debian.org/lts/security/2021/dla-2690
Comment: This bulletin contains two (2) Debian security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2689-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Ben Hutchings
June 22, 2021 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : linux
Version : 4.9.272-1
CVE ID : CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-25670
CVE-2020-25671 CVE-2020-25672 CVE-2020-26139 CVE-2020-26147
CVE-2020-26558 CVE-2020-29374 CVE-2020-36322 CVE-2021-0129
CVE-2021-3428 CVE-2021-3483 CVE-2021-3564 CVE-2021-3573
CVE-2021-3587 CVE-2021-20292 CVE-2021-23133 CVE-2021-23134
CVE-2021-28660 CVE-2021-28688 CVE-2021-28950 CVE-2021-28964
CVE-2021-28971 CVE-2021-29154 CVE-2021-29265 CVE-2021-29647
CVE-2021-29650 CVE-2021-30002 CVE-2021-31916 CVE-2021-32399
CVE-2021-33034
Several vulnerabilities have been discovered in the Linux kernel that
may lead to the execution of arbitrary code, privilege escalation,
denial of service, or information leaks.
This update is not yet available for the armel (ARM EABI soft-float)
architecture.
CVE-2020-24586, CVE-2020-24587, CVE-2020-26147
Mathy Vanhoef discovered that many Wi-Fi implementations,
including Linux's mac80211, did not correctly implement reassembly
of fragmented packets. In some circumstances, an attacker within
range of a network could exploit these flaws to forge arbitrary
packets and/or to access sensitive data on that network.
CVE-2020-24588
Mathy Vanhoef discovered that most Wi-Fi implementations,
including Linux's mac80211, did not authenticate the "is
aggregated" packet header flag. An attacker within range of a
network could exploit this to forge arbitrary packets on that
network.
CVE-2020-25670, CVE-2020-25671, CVE-2021-23134
kiyin of TenCent discovered several reference counting bugs
in the NFC LLCP implementation which could lead to use-after-free.
A local user could exploit these for denial of service (crash or
memory corruption) or possibly for privilege escalation.
Nadav Markus and Or Cohen of Palo Alto Networks discovered that
the original fixes for these introduced a new bug that could
result in use-after-free and double-free. This has also been
fixed.
CVE-2020-25672
kiyin of TenCent discovered a memory leak in the NFC LLCP
implementation. A local user could exploit this for denial of
service (memory exhaustion).
CVE-2020-26139
Mathy Vanhoef discovered that a bug in some Wi-Fi implementations,
including Linux's mac80211. When operating in AP mode, they would
forward EAPOL frames from one client to another while the sender
was not yet authenticated. An attacker within range of a network
could use this for denial of service or as an aid to exploiting
other vulnerabilities.
CVE-2020-26558, CVE-2021-0129
Researchers at ANSSI discovered vulnerabilities in the Bluetooth
Passkey authentication method, and in Linux's implementation of
it. An attacker within range of two Bluetooth devices while they
pair using Passkey authentication could exploit this to obtain the
shared secret (Passkey) and then impersonate either of the devices
to each other.
CVE-2020-29374
Jann Horn of Google reported a flaw in Linux's virtual memory
management. A parent and child process initially share all their
memory, but when either writes to a shared page, the page is
duplicated and unshared (copy-on-write). However, in case an
operation such as vmsplice() required the kernel to take an
additional reference to a shared page, and a copy-on-write occurs
during this operation, the kernel might have accessed the wrong
process's memory. For some programs, this could lead to an
information leak or data corruption.
CVE-2020-36322, CVE-2021-28950
The syzbot tool found that the FUSE (filesystem-in-user-space)
implementation did not correctly handle a FUSE server returning
invalid attributes for a file. A local user permitted to run a
FUSE server could use this to cause a denial of service (crash).
The original fix for this introduced a different potential denial
of service (infinite loop in kernel space), which has also been
fixed.
CVE-2021-3428
Wolfgang Frisch reported a potential integer overflow in the ext4
filesystem driver. A user permitted to mount arbitrary filesystem
images could use this to cause a denial of service (crash).
CVE-2021-3483
heyu Ma reported a bug in the "nosy" driver for TI
PCILynx FireWire controllers, which could lead to list corruption
and a use-after-free. On a system that uses this driver, local
users granted access to /dev/nosy could exploit this to cause a
denial of service (crash or memory corruption) or possibly for
privilege escalation.
CVE-2021-3564, CVE-2021-3573, CVE-2021-32399
The BlockSec team discovered several race conditions in the
Bluetooth subsystem that could lead to a use-after-free or
double-free. A local user could exploit these to caue a denial of
service (crash or memory corruption) or possibly for privilege
escalation.
CVE-2021-3587
Active Defense Lab of Venustech discovered a potential null
pointer dereference in the NFC LLCP implementation. A local user
could use this to cause a denial of service (crash).
CVE-2021-20292
It was discovered that the TTM buffer allocation API used by GPU
drivers did not handle allocation failures in the way that most
drivers expected, resulting in a double-free on failure. A local
user on a system using one of these drivers could possibly exploit
this to cause a denial of service (crash or memory corruption) or
for privilege escalation. The API has been changed to match
driver expectations.
CVE-2021-23133
Or Cohen of Palo Alto Networks discovered a race condition in the
SCTP implementation, which can lead to list corruption. A local
user could exploit this to cause a denial of service (crash or
memory corruption) or possibly for privilege escalation.
CVE-2021-28660
It was discovered that the rtl8188eu WiFi driver did not correctly
limit the length of SSIDs copied into scan results. An attacker
within WiFi range could use this to cause a denial of service
(crash or memory corruption) or possibly to execute code on a
vulnerable system.
CVE-2021-28688 (XSA-371)
It was discovered that the original fix for CVE-2021-26930
(XSA-365) introduced a potential resource leak. A malicious guest
could presumably exploit this to cause a denial of service
(resource exhaustion) within the host.
CVE-2021-28964
Zygo Blaxell reported a race condition in the Btrfs driver which
can lead to an assertion failure. On systems using Btrfs, a local
user could exploit this to cause a denial of service (crash).
CVE-2021-28971
Vince Weaver reported a bug in the performance event handler for
Intel PEBS. A workaround for a hardware bug on Intel CPUs
codenamed "Haswell" and earlier could lead to a null pointer
dereference. On systems with the affected CPUs, if users are
permitted to access performance events, a local user may exploit
this to cause a denial of service (crash).
By default, unprivileged users do not have access to performance
events, which mitigates this issue. This is controlled by the
kernel.perf_event_paranoid sysctl.
CVE-2021-29154
It was discovered that the Extended BPF (eBPF) JIT compiler
for x86_64 generated incorrect branch instructions in some
cases. On systems where eBPF JIT is enabled, users could
exploit this to execute arbitrary code in the kernel.
By default, eBPF JIT is disabled, mitigating this issue. This is
controlled by the net.core.bpf_jit_enable sysctl.
CVE-2021-29265
The syzbot tool found a race condition in the USB/IP host
(server) implementation which can lead to a null pointer
dereference. On a system acting as a USB/IP host, a client
can exploit this to cause a denial of service (crash).
CVE-2021-29647
The syzbot tool found an information leak in the Qualcomm IPC
Router (qrtr) implementation.
This protocol is not enabled in Debian's official kernel
configurations.
CVE-2021-29650
It was discovered that a data race in the netfilter subsystem
could lead to a null pointer dereference during replacement of a
table. A local user with CAP_NET_ADMIN capability in any user
namespace could use this to cause a denial of service (crash).
By default, unprivileged users cannot create user namespaces,
which mitigates this issue. This is controlled by the
kernel.unprivileged_userns_clone sysctl.
CVE-2021-30002
Arnd Bergmann and the syzbot tool found a memory leak in the
Video4Linux (v4l) subsystem. A local user permitted to access
video devices (by default, any member of the "video" group) could
exploit this to cause a denial of service (memory exhaustion).
CVE-2021-31916
Dan Carpenter reported incorrect parameter validation in the
device-mapper (dm) subsystem, which could lead to a heap buffer
overrun. However, only users with CAP_SYS_ADMIN capability
(i.e. root-equivalent) could trigger this bug, so it did not
have any security impact in this kernel version.
CVE-2021-33034
The syzbot tool found a bug in the Bluetooth subsystem that could
lead to a use-after-free. A local user could use this to cause a
denial of service (crash or memory corruption) or possibly for
privilege escalation.
For Debian 9 stretch, these problems have been fixed in version
4.9.272-1. This update additionally includes many more bug fixes from
stable updates 4.9.259-4.9.272 inclusive.
We recommend that you upgrade your linux packages.
For the detailed security status of linux please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
- -----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAmDSfEUACgkQ57/I7JWG
EQmlZxAAwr+uj8BfiY52pmOwrAAA2Z903KQKvnEKpZeurco42zc93umwqMOeYxcA
dmxpgCImdaxqeln7Gpg9oT335IL5wa2E7DFyJsdT1XoQSLK5vUfI7H6+wp/HNp/U
TQWlNpVv7NeADZfWMNIMeEBAJfPUw6bh7WYQHg+mNL0K/2FZlFEGzzUcu0LcNFHl
B3H0qZl0WGUMx5/TT0RCtBuUvMbbO0PR8LLCj/hK/b+/cmXiVS5dxZTikS7HF8pH
KPhIc+dQQnVLc9RhGraem2cGkfmZxECrIzMa79rvewUh7k/HDIuvbxPpYeSYOs6K
MwyeB+4dIB2kFJNyAWyWCBrMVpfo1nPFLS4aAEOigDY1+tXA6kBJig9iPL/cC3Hf
e/XsnvUvzzxNaqDVSalz1kGrrQ1intojdDDWqA8gRBHr/LLUHBDmvD4lqBh+J1dv
Sz+6Ao+sGW+BnVC9JNztpA8s21QROhSFcwKWLjqe64vmMtoiLjGYjU2/68CeiaGI
9N7KUt7FKhdzfcvTkhyBrKmhx9yycq2on4co4lURB8cOyjCdOSaByeIHRBKq7lnV
4aTGhZZJUXqQvMw7wGlewKBo0NVtGzJrSZG8xPz6CQ7JSSwbq9RVi+rcHEqx9RC/
FqbtwNxqua1rBUBqBYl8ZVGxjmXSPSCRz8Re+bfW7EI0IEdSllg=
=tDmh
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2690-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Ben Hutchings
June 22, 2021 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : linux-4.19
Version : 4.19.194-1~deb9u1
CVE ID : CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-25670
CVE-2020-25671 CVE-2020-25672 CVE-2020-26139 CVE-2020-26147
CVE-2020-26558 CVE-2020-29374 CVE-2021-0129 CVE-2021-3483
CVE-2021-3506 CVE-2021-3564 CVE-2021-3573 CVE-2021-3587
CVE-2021-23133 CVE-2021-23134 CVE-2021-28688 CVE-2021-28964
CVE-2021-28971 CVE-2021-29154 CVE-2021-29155 CVE-2021-29264
CVE-2021-29647 CVE-2021-29650 CVE-2021-31829 CVE-2021-31916
CVE-2021-32399 CVE-2021-33034
Debian Bug : 986949 988352 989451
Several vulnerabilities have been discovered in the Linux kernel that
may lead to the execution of arbitrary code, privilege escalation,
denial of service, or information leaks.
CVE-2020-24586, CVE-2020-24587, CVE-2020-26147
Mathy Vanhoef discovered that many Wi-Fi implementations,
including Linux's mac80211, did not correctly implement reassembly
of fragmented packets. In some circumstances, an attacker within
range of a network could exploit these flaws to forge arbitrary
packets and/or to access sensitive data on that network.
CVE-2020-24588
Mathy Vanhoef discovered that most Wi-Fi implementations,
including Linux's mac80211, did not authenticate the "is
aggregated" packet header flag. An attacker within range of a
network could exploit this to forge arbitrary packets on that
network.
CVE-2020-25670, CVE-2020-25671, CVE-2021-23134
kiyin of TenCent discovered several reference counting bugs
in the NFC LLCP implementation which could lead to use-after-free.
A local user could exploit these for denial of service (crash or
memory corruption) or possibly for privilege escalation.
Nadav Markus and Or Cohen of Palo Alto Networks discovered that
the original fixes for these introduced a new bug that could
result in use-after-free and double-free. This has also been
fixed.
CVE-2020-25672
kiyin of TenCent discovered a memory leak in the NFC LLCP
implementation. A local user could exploit this for denial of
service (memory exhaustion).
CVE-2020-26139
Mathy Vanhoef discovered that a bug in some Wi-Fi implementations,
including Linux's mac80211. When operating in AP mode, they would
forward EAPOL frames from one client to another while the sender
was not yet authenticated. An attacker within range of a network
could use this for denial of service or as an aid to exploiting
other vulnerabilities.
CVE-2020-26558, CVE-2021-0129
Researchers at ANSSI discovered vulnerabilities in the Bluetooth
Passkey authentication method, and in Linux's implementation of
it. An attacker within range of two Bluetooth devices while they
pair using Passkey authentication could exploit this to obtain the
shared secret (Passkey) and then impersonate either of the devices
to each other.
CVE-2020-29374
Jann Horn of Google reported a flaw in Linux's virtual memory
management. A parent and child process initially share all their
memory, but when either writes to a shared page, the page is
duplicated and unshared (copy-on-write). However, in case an
operation such as vmsplice() required the kernel to take an
additional reference to a shared page, and a copy-on-write occurs
during this operation, the kernel might have accessed the wrong
process's memory. For some programs, this could lead to an
information leak or data corruption.
CVE-2021-3483
Zheyu Ma reported a bug in the "nosy" driver for TI
PCILynx FireWire controllers, which could lead to list corruption
and a use-after-free. On a system that uses this driver, local
users granted access to /dev/nosy could exploit this to cause a
denial of service (crash or memory corruption) or possibly for
privilege escalation.
CVE-2021-3506
The ADLab of venustech discovered a bug in the F2FS driver which
could lead to an out-of-bounds read when accessing a crafted
filesystem. A local user permitted to mount arbitrary filesystems
could exploit this to cause a denial of service (crash) or other
security impact.
CVE-2021-3564, CVE-2021-3573, CVE-2021-32399
The BlockSec team discovered several race conditions in the
Bluetooth subsystem that could lead to a use-after-free or
double-free. A local user could exploit these to caue a denial of
service (crash or memory corruption) or possibly for privilege
escalation.
CVE-2021-3587
Active Defense Lab of Venustech discovered a potential null
pointer dereference in the NFC LLCP implementation. A local user
could use this to cause a denial of service (crash).
CVE-2021-23133
Or Cohen of Palo Alto Networks discovered a race condition in the
SCTP implementation, which can lead to list corruption. A local
user could exploit this to cause a denial of service (crash or
memory corruption) or possibly for privilege escalation.
CVE-2021-28688 (XSA-371)
It was discovered that the original fix for CVE-2021-26930
(XSA-365) introduced a potential resource leak. A malicious guest
could presumably exploit this to cause a denial of service
(resource exhaustion) within the host.
CVE-2021-28964
Zygo Blaxell reported a race condition in the Btrfs driver which
can lead to an assertion failure. On systems using Btrfs, a local
user could exploit this to cause a denial of service (crash).
CVE-2021-28971
Vince Weaver reported a bug in the performance event handler for
Intel PEBS. A workaround for a hardware bug on Intel CPUs
codenamed "Haswell" and earlier could lead to a null pointer
dereference. On systems with the affected CPUs, if users are
permitted to access performance events, a local user may exploit
this to cause a denial of service (crash).
By default, unprivileged users do not have access to performance
events, which mitigates this issue. This is controlled by the
kernel.perf_event_paranoid sysctl.
CVE-2021-29154
It was discovered that the Extended BPF (eBPF) JIT compiler
for x86_64 generated incorrect branch instructions in some
cases. On systems where eBPF JIT is enabled, users could
exploit this to execute arbitrary code in the kernel.
By default, eBPF JIT is disabled, mitigating this issue. This is
controlled by the net.core.bpf_jit_enable sysctl.
CVE-2021-29155, CVE-2021-31829
Piotr Krysiuk and Benedict Schlueter discovered that the Extended
BPF (eBPF) verifier did not completely protect against information
leaks due to speculative execution. A local user could exploit
these to obtain sensitive information from kernel memory.
CVE-2021-29264
It was discovered that the "gianfar" Ethernet driver used with
some Freescale SoCs did not correctly handle a Rx queue overrun
when jumbo packets were enabled. On systems using this driver and
jumbo packets, an attacker on the network could exploit this to
cause a denial of service (crash).
This driver is not enabled in Debian's official kernel
configurations.
CVE-2021-29647
The syzbot tool found an information leak in the Qualcomm IPC
Router (qrtr) implementation.
This protocol is not enabled in Debian's official kernel
configurations.
CVE-2021-29650
It was discovered that a data race in the netfilter subsystem
could lead to a null pointer dereference during replacement of a
table. A local user with CAP_NET_ADMIN capability in any user
namespace could use this to cause a denial of service (crash).
By default, unprivileged users cannot create user namespaces,
which mitigates this issue. This is controlled by the
kernel.unprivileged_userns_clone sysctl.
CVE-2021-31916
Dan Carpenter reported incorrect parameter validation in the
device-mapper (dm) subsystem, which could lead to a heap buffer
overrun. However, only users with CAP_SYS_ADMIN capability
(i.e. root-equivalent) could trigger this bug, so it did not
have any security impact in this kernel version.
CVE-2021-33034
The syzbot tool found a bug in the Bluetooth subsystem that could
lead to a use-after-free. A local user could use this to cause a
denial of service (crash or memory corruption) or possibly for
privilege escalation.
For Debian 9 stretch, these problems have been fixed in version
4.19.194-1~deb9u1. This update additionally fixes Debian bug
#986949, #988352, and #989451; and includes many more bug fixes from
stable updates 4.19.182-4.19.194 inclusive.
We recommend that you upgrade your linux-4.19 packages.
For the detailed security status of linux-4.19 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux-4.19
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- --
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYNKpX+NLKJtyKPYoAQjY1Q//ZVLxJdLSeXq/7smscqIyR7iYdo86BBJR
XSLw9hqT69hDeJ2AeT/3xTnA8CITLXPBJzPvgD4dGQt/ce+1Byw8sCIPe7Ys9Hi4
NXD5SGtax2fy1pHNn7d0IDgmWVXUpcX83BE/r+dOthUjmjkwdgBjXchyMuM/zhsq
Us95Y/Dcy7Y19aAZvTcjTPRIDLepHsBrOH+f/mWWHEUIbM1Vn93gl5dmIqAsD5d+
pOumlSFvA9ULZ84HFSjpXOrEVm+o5j4MKs+oUzzK7HKr+TJgbC3QDa/Xo7dhkGGN
nwEwGubDiS1VMJVgnpRdvCuBJ3j2Z6jeY8nGTRxlHbXl1AWPThJOqMpKGijexKho
RMDCdcCYW4MFfwVHzEg6cA42aAbzxvGws8XwaaZa9TTGUuzHZ0/LrK/bAVzD8HMb
gkUmyhYJgzfOzb9W+pZkLBZNlXn/Hs/1I+mHr+PbC3ii6nBmgWGx3kOy6rWYqC6D
xPsV4hfSgwQy/rHHShS1AweXHkNP7kKNA364TpcM3O14SlMrQUSzEaIJRe5dMe5M
B72AmQl3VcFh/oylh7/RalSu4Fl6afuYjiRxhVZ1KxWiF34YIWbSUQUw+q6WycAv
s4QCZxYbu7Yy9Bl70CXr9irjtMj+Z20DCl/WMYuuN/u8D8Yd8YAs1k0vd/+ipOxP
Cn4sYEOLzQU=
=LyqY
-----END PGP SIGNATURE-----