-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1909
            [DLA 1799-1] [DLA 1799-2] linux security update
                               29 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           linux
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Increased Privileges   -- Existing Account
                   Access Privileged Data -- Existing Account
                   Denial of Service      -- Existing Account
                   Unauthorised Access    -- Existing Account
                   Reduced Security       -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11599 CVE-2019-11486 CVE-2019-11190 CVE-2019-11091
                   CVE-2019-9503 CVE-2019-6133 CVE-2019-3901 CVE-2019-3882
                   CVE-2019-3460 CVE-2019-3459 CVE-2019-2024 CVE-2018-12130
                   CVE-2018-12127 CVE-2018-12126 CVE-2018-5995
Reference:         ASB-2019.0138
                   ESB-2019.1901
                   ESB-2019.1879
                   ESB-2019.1793

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2019/05/msg00041.html
   https://lists.debian.org/debian-lts-announce/2019/05/msg00042.html

Comment: This bulletin contains two (2) Debian security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : linux
Version        : 3.16.68-1
CVE ID         : CVE-2018-5995 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130
                 CVE-2019-2024 CVE-2019-3459 CVE-2019-3460 CVE-2019-3882
                 CVE-2019-3901 CVE-2019-6133 CVE-2019-9503 CVE-2019-11091
                 CVE-2019-11190 CVE-2019-11486 CVE-2019-11599
Debian Bug     : 927781

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2018-5995

    ADLab of VenusTech discovered that the kernel logged the virtual
    addresses assigned to per-CPU data, which could make it easier to
    exploit other vulnerabilities.

CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

    Multiple researchers have discovered vulnerabilities in the way that
    Intel processor designs implement speculative forwarding of data
    filled into temporary microarchitectural structures (buffers). This
    flaw could allow an attacker controlling an unprivileged process to
    read sensitive information, including from the kernel and all other
    processes running on the system, or across guest/host boundaries to
    read host memory.

    See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
    for more details.

    To fully resolve these vulnerabilities it is also necessary to
    install updated CPU microcode. An updated intel-microcode package
    (only available in Debian non-free) was provided via DLA-1789-1.
    The updated CPU microcode may also be available as part of a system
    firmware ("BIOS") update.

CVE-2019-2024

    A use-after-free bug was discovered in the em28xx video capture
    driver. Local users might be able to use this for denial of service
    (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-3459, CVE-2019-3460

    Shlomi Oberman, Yuli Shapiro, and Karamba Security Ltd. research
    team discovered missing range checks in the Bluetooth L2CAP
    implementation. If Bluetooth is enabled, a nearby attacker could
    use these to read sensitive information from the kernel.

CVE-2019-3882

    It was found that the vfio implementation did not limit the number
    of DMA mappings to device memory. A local user granted ownership of
    a vfio device could use this to cause a denial of service
    (out-of-memory condition).

CVE-2019-3901

    Jann Horn of Google reported a race condition that would allow a
    local user to read performance events from a task after it executes
    a setuid program. This could leak sensitive information processed
    by setuid programs. Debian's kernel configuration does not allow
    unprivileged users to access performance events by default, which
    fully mitigates this issue.

CVE-2019-6133

    Jann Horn of Google found that PolicyKit's authentication check
    could be bypassed by a local user creating a process with the same
    start time and process ID as an older authenticated process.
    PolicyKit was already updated to fix this in DLA-1644-1. The kernel
    has additionally been updated to avoid a delay between assigning
    start time and process ID, which should make the attack
    impractical.

CVE-2019-9503

    Hugues Anguelkov and others at Quarkslab discovered that the
    brcmfmac (Broadcom wifi FullMAC) driver did not correctly
    distinguish messages sent by the wifi firmware from other packets.
    An attacker using the same wifi network could use this for denial
    of service or to exploit other vulnerabilities in the driver.

CVE-2019-11190

    Robert Swecki reported that when a setuid program was executed it
    was still possible to read performance events while the kernel set
    up the program's address space. A local user could use this to
    defeat ASLR in a setuid program, making it easier to exploit other
    vulnerabilities in the program. Debian's kernel configuration does
    not allow unprivileged users to access performance events by
    default, which fully mitigates this issue.

CVE-2019-11486

    Jann Horn of Google reported numerous race conditions in the
    Siemens R3964 line discipline. A local user could use these to
    cause unspecified security impact. This module has therefore been
    disabled.

CVE-2019-11599

    Jann Horn of Google reported a race condition in the core dump
    implementation which could lead to a use-after-free. A local user
    could use this to read sensitive information, to cause a denial of
    service (memory corruption), or for privilege escalation.

For Debian 8 "Jessie", these problems have been fixed in version
3.16.68-1. This version also includes a fix for Debian bug #927781,
and other fixes included in upstream stable updates.

We recommend that you upgrade your linux packages.
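The following POSIX shell script is an added example, not Debian's or AusCERT's tooling. It verifies on a Debian 8 "Jessie" host that the update described in DLA-1799-1 and DLA-1799-2 actually took effect: the running kernel's package version is at least 3.16.68-1; the MDS status the kernel exposes under /sys/devices/system/cpu/vulnerabilities/mds (documented at the kernel.org page the advisory links) reports a mitigated state rather than the "no microcode" state that the intel-microcode note warns about; kernel.perf_event_paranoid is at the level that blocks unprivileged perf_event_open, which is the default the advisory relies on for CVE-2019-3901 and CVE-2019-11190; and the n_r3964 line discipline module disabled for CVE-2019-11486 is not loaded. The threshold of 3 for perf_event_paranoid is an assumption about Debian's kernel patch (a Debian-specific level that disallows all unprivileged use), the linux-image-$(uname -r) package lookup and all helper names are the example's own choices, and the sample inputs used to exercise the functions are constructed.

```shell
#!/bin/sh
# Added example, not Debian's or AusCERT's code: post-update checks for the
# DLA-1799-1 / DLA-1799-2 kernel update on Debian 8 "Jessie". Each check is a
# function returning 0 (pass) or 1 (fail) so it can be exercised with
# constructed inputs; run_checks gathers the live values from the host.

FIXED_VERSION="3.16.68-1"   # fixed package version named in the advisory
PERF_PARANOID_MIN=3         # assumption: Debian level 3 = no unprivileged perf_event_open
MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# version_at_least INSTALLED REQUIRED: 0 if INSTALLED >= REQUIRED in Debian version order.
version_at_least() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        # Fallback for non-Debian hosts: GNU sort -V orders these version strings the same way.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# kernel_pkg_fixed VERSION: 0 if the installed linux-image package carries the fix.
kernel_pkg_fixed() {
    [ -n "$1" ] || return 1    # package not found: treat as not fixed
    version_at_least "$1" "$FIXED_VERSION"
}

# mds_mitigated STATUS: 0 if the sysfs MDS line is "Not affected" or a "Mitigation: ..." state.
# "Vulnerable: Clear CPU buffers attempted, no microcode" means the kernel fix is present
# but the microcode update the advisory calls for is missing. An "; SMT vulnerable"
# suffix still passes here; cross-thread leakage additionally needs SMT disabled.
mds_mitigated() {
    case "$1" in
        "Not affected"*|"Mitigation: "*) return 0 ;;
        *) return 1 ;;
    esac
}

# perf_restricted LEVEL: 0 if kernel.perf_event_paranoid blocks unprivileged perf_event_open.
perf_restricted() {
    [ "$1" -ge "$PERF_PARANOID_MIN" ]
}

# r3964_absent LSMOD_OUTPUT: 0 if the n_r3964 module does not appear in the lsmod output.
r3964_absent() {
    if printf '%s\n' "$1" | grep -q '^n_r3964[[:space:]]'; then
        return 1
    fi
    return 0
}

# status CMD ARGS...: run a check and echo 0 or 1 so results can be collected under set -e.
status() {
    if "$@"; then echo 0; else echo 1; fi
}

# report LABEL STATUS: print one result line; returns STATUS unchanged.
report() {
    if [ "$2" -eq 0 ]; then echo "PASS: $1"; else echo "FAIL: $1"; fi
    return "$2"
}

# run_checks: read live values from the running system; returns 1 if any check failed.
run_checks() {
    rc=0
    pkg="linux-image-$(uname -r)"
    ver=$(dpkg-query -W -f '${Version}' "$pkg" 2>/dev/null || true)
    report "$pkg is at least $FIXED_VERSION (installed: ${ver:-not found})" \
        "$(status kernel_pkg_fixed "$ver")" || rc=1
    mds=$(cat "$MDS_SYSFS" 2>/dev/null || echo "status file missing")
    report "MDS status '$mds' is a mitigated state" \
        "$(status mds_mitigated "$mds")" || rc=1
    paranoid=$(cat /proc/sys/kernel/perf_event_paranoid 2>/dev/null || echo 0)
    report "kernel.perf_event_paranoid=$paranoid blocks unprivileged perf" \
        "$(status perf_restricted "$paranoid")" || rc=1
    report "n_r3964 line discipline is not loaded" \
        "$(status r3964_absent "$(lsmod 2>/dev/null || true)")" || rc=1
    if [ "$rc" -ne 0 ]; then
        echo "One or more checks failed; on Jessie run: apt-get upgrade --with-new-pkgs"
    fi
    return "$rc"
}

# Live checks run only when invoked as: DLA_CHECK_RUN=1 sh dla1799-check.sh
if [ "${DLA_CHECK_RUN:-0}" = 1 ]; then
    run_checks
fi
```

The checks are deliberately separate functions taking their input as arguments, so the same script can be pointed at values captured from another host (a sysfs line or lsmod listing pasted from a ticket) without running it there. The MDS check is the one most worth keeping around: a host can carry the fixed kernel and still report the "no microcode" state until the intel-microcode or firmware update from DLA-1789-1 is applied.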
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams

- ------------------------------------------------------------------------------

Package        : linux
Version        : 3.16.68-1
CVE ID         : CVE-2018-5995 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130
                 CVE-2019-2024 CVE-2019-3459 CVE-2019-3460 CVE-2019-3882
                 CVE-2019-3901 CVE-2019-6133 CVE-2019-9503 CVE-2019-11091
                 CVE-2019-11190 CVE-2019-11486 CVE-2019-11599
Debian Bug     : 927781

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

This updated advisory text adds a note about the need to install new
binary packages.

CVE-2018-5995

    ADLab of VenusTech discovered that the kernel logged the virtual
    addresses assigned to per-CPU data, which could make it easier to
    exploit other vulnerabilities.

CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

    Multiple researchers have discovered vulnerabilities in the way that
    Intel processor designs implement speculative forwarding of data
    filled into temporary microarchitectural structures (buffers). This
    flaw could allow an attacker controlling an unprivileged process to
    read sensitive information, including from the kernel and all other
    processes running on the system, or across guest/host boundaries to
    read host memory.

    See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
    for more details.

    To fully resolve these vulnerabilities it is also necessary to
    install updated CPU microcode. An updated intel-microcode package
    (only available in Debian non-free) was provided via DLA-1789-1.
    The updated CPU microcode may also be available as part of a system
    firmware ("BIOS") update.

CVE-2019-2024

    A use-after-free bug was discovered in the em28xx video capture
    driver. Local users might be able to use this for denial of service
    (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-3459, CVE-2019-3460

    Shlomi Oberman, Yuli Shapiro, and Karamba Security Ltd. research
    team discovered missing range checks in the Bluetooth L2CAP
    implementation. If Bluetooth is enabled, a nearby attacker could
    use these to read sensitive information from the kernel.

CVE-2019-3882

    It was found that the vfio implementation did not limit the number
    of DMA mappings to device memory. A local user granted ownership of
    a vfio device could use this to cause a denial of service
    (out-of-memory condition).

CVE-2019-3901

    Jann Horn of Google reported a race condition that would allow a
    local user to read performance events from a task after it executes
    a setuid program. This could leak sensitive information processed
    by setuid programs. Debian's kernel configuration does not allow
    unprivileged users to access performance events by default, which
    fully mitigates this issue.

CVE-2019-6133

    Jann Horn of Google found that PolicyKit's authentication check
    could be bypassed by a local user creating a process with the same
    start time and process ID as an older authenticated process.
    PolicyKit was already updated to fix this in DLA-1644-1. The kernel
    has additionally been updated to avoid a delay between assigning
    start time and process ID, which should make the attack
    impractical.

CVE-2019-9503

    Hugues Anguelkov and others at Quarkslab discovered that the
    brcmfmac (Broadcom wifi FullMAC) driver did not correctly
    distinguish messages sent by the wifi firmware from other packets.
    An attacker using the same wifi network could use this for denial
    of service or to exploit other vulnerabilities in the driver.

CVE-2019-11190

    Robert Swecki reported that when a setuid program was executed it
    was still possible to read performance events while the kernel set
    up the program's address space. A local user could use this to
    defeat ASLR in a setuid program, making it easier to exploit other
    vulnerabilities in the program. Debian's kernel configuration does
    not allow unprivileged users to access performance events by
    default, which fully mitigates this issue.

CVE-2019-11486

    Jann Horn of Google reported numerous race conditions in the
    Siemens R3964 line discipline. A local user could use these to
    cause unspecified security impact. This module has therefore been
    disabled.

CVE-2019-11599

    Jann Horn of Google reported a race condition in the core dump
    implementation which could lead to a use-after-free. A local user
    could use this to read sensitive information, to cause a denial of
    service (memory corruption), or for privilege escalation.

For Debian 8 "Jessie", these problems have been fixed in version
3.16.68-1. This version also includes a fix for Debian bug #927781,
and other fixes included in upstream stable updates.

We recommend that you upgrade your linux and linux-latest packages.
You will need to use "apt-get upgrade --with-new-pkgs" or "apt upgrade"
as the binary package names have changed.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXO2zyGaOgq3Tt24GAQjwnBAAqDRo9CKCk76ZUecX3eVndR892rXgO0kU
08pyrUa8OBJSpzKkCtcUKx99xAtayvikWeU0RriAygmUceAq+l//sP8bXWHVWdUr
MxTH6um/VJZTacPjWVpJ+T8sD6LqkZg8N67hstD/i+vVfFeY5qC2tNgn7z729vVc
dlaDOn3+UaNE6spcBrdtB8r8vOAZKyWrmuL1O2eFuS+a4aYAiaz2khioLj0+0XX1
tgWM6wz07F8lfbO7WqQSAWKYx7z+csmwx5eiw2YoJa4TRk7pthf9UsHZccXcyLUU
rs8TqVfQ00pzcNMnlZcj6uRzhh58ngm4kUCZtbG/au4CbOcOcR248vvBNlRA+Dgp
qVYjgENBnAqZxFY+GdEL9DtEeF0S/LmpGTjdWxb8IbTmCS8Wqco/YqmAGhkuRfPs
c6zMTYlclHBwa63AoABK2sPhAhX0JtshART/8SUqRIoxqfHskvTdfkuSwbsO1aoE
UyOLUA1XgswFfTLPrORkacaduoSa+837Xo+rJOyYSgTPCfFqOhy48QpykFoahUfr
HxyDwJQzMoIXm7X1x1QJ3tU57EQqddP3pL9JoYZQtMXc68YMU+sRb5x7lYxKEC+U
hYiMvju2ckMlOopz0j6FvhT/S6uuzeyRTzWCMc0NO09X14FpIxSDDJqFPMsAyOPY
xkaMQewaAiY=
=MZXb
-----END PGP SIGNATURE-----