ESB-2019.1126 - [Ubuntu] linux kernel: Multiple vulnerabilities 2019-04-03



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1126
                USN-3932-1/2: Linux kernel vulnerabilities
                               3 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           linux kernel
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Access Privileged Data          -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9213 CVE-2019-7222 CVE-2019-7221
                   CVE-2019-6974 CVE-2019-3819 CVE-2019-3701
                   CVE-2019-3460 CVE-2019-3459 CVE-2018-16884
                   CVE-2018-14616 CVE-2018-14614 CVE-2018-14613
                   CVE-2018-14612 CVE-2018-14611 CVE-2018-14610
                   CVE-2018-13100 CVE-2018-13099 CVE-2018-13097
                   CVE-2018-9517 CVE-2017-18249 

Reference:         ESB-2019.1105
                   ESB-2019.1097
                   ESB-2019.1081
                   ESB-2019.1035
                   ESB-2019.1025.2
                   ESB-2019.1005
                   ESB-2019.1004

Original Bulletin: 
   https://usn.ubuntu.com/3932-1/
   https://usn.ubuntu.com/3932-2/

Comment: This bulletin contains two (2) advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

USN-3932-1: Linux kernel vulnerabilities

2 April 2019


A security issue affects these releases of Ubuntu and its derivatives:

  o Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

  o linux - Linux kernel
  o linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  o linux-kvm - Linux kernel for cloud environments
  o linux-raspi2 - Linux kernel for Raspberry Pi 2
  o linux-snapdragon - Linux kernel for Snapdragon processors

Details

It was discovered that a race condition existed in the f2fs file system
implementation in the Linux kernel. A local attacker could use this to cause a
denial of service. (CVE-2017-18249)

Wen Xu discovered that the f2fs file system implementation in the Linux kernel
did not properly validate metadata. An attacker could use this to construct a
malicious f2fs image that, when mounted, could cause a denial of service
(system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100,
CVE-2018-14614, CVE-2018-14616)

Wen Xu and Po-Ning Tseng discovered that the btrfs file system implementation in
the Linux kernel did not properly validate metadata. An attacker could use this
to construct a malicious btrfs image that, when mounted, could cause a denial
of service (system crash). (CVE-2018-14610, CVE-2018-14611, CVE-2018-14612,
CVE-2018-14613)

Vasily Averin and Evgenii Shatokhin discovered that a use-after-free
vulnerability existed in the NFS41+ subsystem when multiple network namespaces
are in use. A local attacker in a container could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2018-16884)

It was discovered that a use-after-free vulnerability existed in the PPP over
L2TP implementation in the Linux kernel. A privileged local attacker could use
this to possibly execute arbitrary code. (CVE-2018-9517)

Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak
in the Bluetooth implementation of the Linux kernel. An attacker within
Bluetooth range could use this to expose sensitive information (kernel memory).
(CVE-2019-3459, CVE-2019-3460)

Jann Horn discovered that the KVM implementation in the Linux kernel contained
a use-after-free vulnerability. An attacker in a guest VM with access to
/dev/kvm could use this to cause a denial of service (guest VM crash).
(CVE-2019-6974)

Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the
KVM subsystem of the Linux kernel, when using nested virtual machines. A local
attacker in a guest VM could use this to cause a denial of service (system
crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221)

Felix Wilhelm discovered that an information leak vulnerability existed in the
KVM subsystem of the Linux kernel, when nested virtualization is used. A local
attacker could use this to expose sensitive information (host system memory to
a guest VM). (CVE-2019-7222)

Jann Horn discovered that the mmap implementation in the Linux kernel did not
properly check for the mmap minimum address in some situations. A local
attacker could use this to assist exploiting a kernel NULL pointer dereference
vulnerability. (CVE-2019-9213)

Muyu Yu discovered that the CAN implementation in the Linux kernel in some
situations did not properly restrict the field size when processing outgoing
frames. A local attacker with CAP_NET_ADMIN privileges could use this to
execute arbitrary code. (CVE-2019-3701)

Vladis Dronov discovered that the debug interface for the Linux kernel's HID
subsystem did not properly validate passed parameters in some situations. A
local privileged attacker could use this to cause a denial of service (infinite
loop). (CVE-2019-3819)

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 16.04 LTS
    linux-image-4.4.0-1043-kvm - 4.4.0-1043.49
    linux-image-4.4.0-1079-aws - 4.4.0-1079.89
    linux-image-4.4.0-1106-raspi2 - 4.4.0-1106.114
    linux-image-4.4.0-1110-snapdragon - 4.4.0-1110.115
    linux-image-4.4.0-145-generic - 4.4.0-145.171
    linux-image-4.4.0-145-generic-lpae - 4.4.0-145.171
    linux-image-4.4.0-145-lowlatency - 4.4.0-145.171
    linux-image-4.4.0-145-powerpc-e500mc - 4.4.0-145.171
    linux-image-4.4.0-145-powerpc-smp - 4.4.0-145.171
    linux-image-4.4.0-145-powerpc64-emb - 4.4.0-145.171
    linux-image-4.4.0-145-powerpc64-smp - 4.4.0-145.171
    linux-image-aws - 4.4.0.1079.82
    linux-image-generic - 4.4.0.145.153
    linux-image-generic-lpae - 4.4.0.145.153
    linux-image-kvm - 4.4.0.1043.43
    linux-image-lowlatency - 4.4.0.145.153
    linux-image-powerpc-e500mc - 4.4.0.145.153
    linux-image-powerpc-smp - 4.4.0.145.153
    linux-image-powerpc64-emb - 4.4.0.145.153
    linux-image-powerpc64-smp - 4.4.0.145.153
    linux-image-raspi2 - 4.4.0.1106.106
    linux-image-snapdragon - 4.4.0.1110.102
    linux-image-virtual - 4.4.0.145.153

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades .

After a standard system update you need to reboot your computer to make all the
necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given
a new version number, which requires you to recompile and reinstall all third
party kernel modules you might have installed. Unless you manually uninstalled
the standard kernel metapackages (e.g. linux-generic,
linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system
upgrade will automatically perform this as well.

References

  o CVE-2017-18249
  o CVE-2018-13097
  o CVE-2018-13099
  o CVE-2018-13100
  o CVE-2018-14610
  o CVE-2018-14611
  o CVE-2018-14612
  o CVE-2018-14613
  o CVE-2018-14614
  o CVE-2018-14616
  o CVE-2018-16884
  o CVE-2018-9517
  o CVE-2019-3459
  o CVE-2019-3460
  o CVE-2019-3701
  o CVE-2019-3819
  o CVE-2019-6974
  o CVE-2019-7221
  o CVE-2019-7222
  o CVE-2019-9213

--------------------------------------------------------------------------------

USN-3932-2: Linux kernel (Xenial HWE) vulnerabilities

2 April 2019

A security issue affects these releases of Ubuntu and its derivatives:

  o Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

  o linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  o linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty

Details

USN-3932-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This
update provides the corresponding updates for the Linux Hardware Enablement
(HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that a race condition existed in the f2fs file system
implementation in the Linux kernel. A local attacker could use this to cause a
denial of service. (CVE-2017-18249)

Wen Xu discovered that the f2fs file system implementation in the Linux kernel
did not properly validate metadata. An attacker could use this to construct a
malicious f2fs image that, when mounted, could cause a denial of service
(system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100,
CVE-2018-14614, CVE-2018-14616)

Wen Xu and Po-Ning Tseng discovered that the btrfs file system implementation in
the Linux kernel did not properly validate metadata. An attacker could use this
to construct a malicious btrfs image that, when mounted, could cause a denial
of service (system crash). (CVE-2018-14610, CVE-2018-14611, CVE-2018-14612,
CVE-2018-14613)

Vasily Averin and Evgenii Shatokhin discovered that a use-after-free
vulnerability existed in the NFS41+ subsystem when multiple network namespaces
are in use. A local attacker in a container could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2018-16884)

It was discovered that a use-after-free vulnerability existed in the PPP over
L2TP implementation in the Linux kernel. A privileged local attacker could use
this to possibly execute arbitrary code. (CVE-2018-9517)

Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak
in the Bluetooth implementation of the Linux kernel. An attacker within
Bluetooth range could use this to expose sensitive information (kernel memory).
(CVE-2019-3459, CVE-2019-3460)

Jann Horn discovered that the KVM implementation in the Linux kernel contained
a use-after-free vulnerability. An attacker in a guest VM with access to
/dev/kvm could use this to cause a denial of service (guest VM crash).
(CVE-2019-6974)

Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the
KVM subsystem of the Linux kernel, when using nested virtual machines. A local
attacker in a guest VM could use this to cause a denial of service (system
crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221)

Felix Wilhelm discovered that an information leak vulnerability existed in the
KVM subsystem of the Linux kernel, when nested virtualization is used. A local
attacker could use this to expose sensitive information (host system memory to
a guest VM). (CVE-2019-7222)

Jann Horn discovered that the mmap implementation in the Linux kernel did not
properly check for the mmap minimum address in some situations. A local
attacker could use this to assist exploiting a kernel NULL pointer dereference
vulnerability. (CVE-2019-9213)

Muyu Yu discovered that the CAN implementation in the Linux kernel in some
situations did not properly restrict the field size when processing outgoing
frames. A local attacker with CAP_NET_ADMIN privileges could use this to
execute arbitrary code. (CVE-2019-3701)

Vladis Dronov discovered that the debug interface for the Linux kernel's HID
subsystem did not properly validate passed parameters in some situations. A
local privileged attacker could use this to cause a denial of service (infinite
loop). (CVE-2019-3819)

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 14.04 LTS
    linux-image-4.4.0-1040-aws - 4.4.0-1040.43
    linux-image-4.4.0-144-generic - 4.4.0-144.170~14.04.1
    linux-image-4.4.0-144-generic-lpae - 4.4.0-144.170~14.04.1
    linux-image-4.4.0-144-lowlatency - 4.4.0-144.170~14.04.1
    linux-image-4.4.0-144-powerpc-e500mc - 4.4.0-144.170~14.04.1
    linux-image-4.4.0-144-powerpc-smp - 4.4.0-144.170~14.04.1
    linux-image-4.4.0-144-powerpc64-emb - 4.4.0-144.170~14.04.1
    linux-image-4.4.0-144-powerpc64-smp - 4.4.0-144.170~14.04.1
    linux-image-aws - 4.4.0.1040.41
    linux-image-generic-lpae-lts-xenial - 4.4.0.144.127
    linux-image-generic-lts-xenial - 4.4.0.144.127
    linux-image-lowlatency-lts-xenial - 4.4.0.144.127
    linux-image-powerpc-e500mc-lts-xenial - 4.4.0.144.127
    linux-image-powerpc-smp-lts-xenial - 4.4.0.144.127
    linux-image-powerpc64-emb-lts-xenial - 4.4.0.144.127
    linux-image-powerpc64-smp-lts-xenial - 4.4.0.144.127
    linux-image-virtual-lts-xenial - 4.4.0.144.127

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades .

After a standard system update you need to reboot your computer to make all the
necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given
a new version number, which requires you to recompile and reinstall all third
party kernel modules you might have installed. Unless you manually uninstalled
the standard kernel metapackages (e.g. linux-generic,
linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system
upgrade will automatically perform this as well.

References

  o USN-3932-1
  o CVE-2017-18249
  o CVE-2018-13097
  o CVE-2018-13099
  o CVE-2018-13100
  o CVE-2018-14610
  o CVE-2018-14611
  o CVE-2018-14612
  o CVE-2018-14613
  o CVE-2018-14614
  o CVE-2018-14616
  o CVE-2018-16884
  o CVE-2018-9517
  o CVE-2019-3459
  o CVE-2019-3460
  o CVE-2019-3701
  o CVE-2019-3819
  o CVE-2019-6974
  o CVE-2019-7221
  o CVE-2019-7222
  o CVE-2019-9213

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================