Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.3505.3 [SECURITY] [DLA 1919-1] linux-4.9 security update 26 September 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: linux-4.9 Publisher: Debian Operating System: Debian GNU/Linux 8 Impact/Access: Access Privileged Data -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Provide Misleading Information -- Remote/Unauthenticated Execute Arbitrary Code/Commands -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-15926 CVE-2019-15924 CVE-2019-15807 CVE-2019-15666 CVE-2019-15538 CVE-2019-15292 CVE-2019-15221 CVE-2019-15220 CVE-2019-15219 CVE-2019-15218 CVE-2019-15216 CVE-2019-15215 CVE-2019-15212 CVE-2019-15211 CVE-2019-11487 CVE-2019-9506 CVE-2019-0136 Reference: ESB-2019.2742.2 ESB-2019.2155 ESB-2019.2100 Original Bulletin: https://lists.debian.org/debian-lts-announce/2019/09/msg00014.html https://lists.debian.org/debian-lts-announce/2019/09/msg00025.html Comment: This bulletin contains three (3) Debian security advisories. This advisory references vulnerabilities in the Linux kernel that also affect distributions other than Debian. It is recommended that administrators running Linux check for an updated version of the kernel for their system. Revision History: September 26 2019: Vendor released updated announcement DLA 1930-1 September 24 2019: Remove CVE-2019-1591, CVE-2019-1592 and CVE-2019-1529 which were erroneously included. September 16 2019: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Package : linux-4.9 Version : 4.9.189-3~deb8u1 CVE ID : CVE-2019-0136 CVE-2019-9506 CVE-2019-11487 CVE-2019-15211 CVE-2019-15212 CVE-2019-15215 CVE-2019-15216 CVE-2019-15218 CVE-2019-15219 CVE-2019-15220 CVE-2019-15221 CVE-2019-15292 CVE-2019-15538 CVE-2019-15666 CVE-2019-15807 CVE-2019-15924 CVE-2019-15926 Debian Bug : 930904 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2019-0136 It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages. A nearby attacker could use this for denial of service (loss of wifi connectivity). CVE-2019-9506 Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered a weakness in the Bluetooth pairing protocols, dubbed the "KNOB attack". An attacker that is nearby during pairing could use this to weaken the encryption used between the paired devices, and then to eavesdrop on and/or spoof communication between them. This update mitigates the attack by requiring a minimum encryption key length of 56 bits. CVE-2019-11487 Jann Horn discovered that the FUSE (Filesystem-in-Userspace) facility could be used to cause integer overflow in page reference counts, leading to a use-after-free. On a system with sufficient physical memory, a local user permitted to create arbitrary FUSE mounts could use this for privilege escalation. By default, unprivileged users can only mount FUSE filesystems through fusermount, which limits the number of mounts created and should completely mitigate the issue. CVE-2019-15211 The syzkaller tool found a bug in the radio-raremono driver that could lead to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15212 The syzkaller tool found that the rio500 driver does not work correctly if more than one device is bound to it. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15215 The syzkaller tool found a bug in the cpia2_usb driver that leads to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15216 The syzkaller tool found a bug in the yurex driver that leads to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15218 The syzkaller tool found that the smsusb driver did not validate that USB devices have the expected endpoints, potentially leading to a null pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops). CVE-2019-15219 The syzkaller tool found that a device initialisation error in the sisusbvga driver could lead to a null pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops). CVE-2019-15220 The syzkaller tool found a race condition in the p54usb driver which could lead to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15221 The syzkaller tool found that the line6 driver did not validate USB devices' maximum packet sizes, which could lead to a heap buffer overrun. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15292 The Hulk Robot tool found missing error checks in the Appletalk protocol implementation, which could lead to a use-after-free. The security impact of this is unclear. CVE-2019-15538 Benjamin Moody reported that operations on XFS hung after a chgrp command failed due to a disk quota. A local user on a system using XFS and disk quotas could use this for denial of service. CVE-2019-15666 The Hulk Robot tool found an incorrect range check in the network transformation (xfrm) layer, leading to out-of-bounds memory accesses. A local user with CAP_NET_ADMIN capability (in any user namespace) could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15807 Jian Luo reported that the Serial Attached SCSI library (libsas) did not correctly handle failure to discover devices beyond a SAS expander. This could lead to a resource leak and crash (BUG). The security impact of this is unclear. CVE-2019-15924 The Hulk Robot tool found a missing error check in the fm10k Ethernet driver, which could lead to a null pointer dereference and crash (BUG/oops). The security impact of this is unclear. CVE-2019-15926 It was found that the ath6kl wifi driver did not consistently validate traffic class numbers in received control packets, leading to out-of-bounds memory accesses. A nearby attacker on the same wifi network could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. For Debian 8 "Jessie", these problems have been fixed in version 4.9.189-3~deb8u1. We recommend that you upgrade your linux-4.9 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS Ben Hutchings - Debian developer, member of kernel, installer and LTS teams ============================================================================= ackage : linux Version : 3.16.74-1 CVE ID : CVE-2016-10905 CVE-2018-20976 CVE-2018-21008 CVE-2019-0136 CVE-2019-9506 CVE-2019-14814 CVE-2019-14815 CVE-2019-14816 CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15211 CVE-2019-15212 CVE-2019-15215 CVE-2019-15218 CVE-2019-15219 CVE-2019-15220 CVE-2019-15221 CVE-2019-15292 CVE-2019-15807 CVE-2019-15917 CVE-2019-15926 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2016-10905 A race condition was discovered in the GFS2 file-system implementation, which could lead to a use-after-free. On a system using GFS2, a local attacker could use this for denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2018-20976 It was discovered that the XFS file-system implementation did not correctly handle some mount failure conditions, which could lead to a use-after-free. The security impact of this is unclear. CVE-2018-21008 It was discovered that the rsi wifi driver did not correctly handle some failure conditions, which could lead to a use-after- free. The security impact of this is unclear. CVE-2019-0136 It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages. A nearby attacker could use this for denial of service (loss of wifi connectivity). CVE-2019-9506 Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered a weakness in the Bluetooth pairing protocols, dubbed the "KNOB attack". An attacker that is nearby during pairing could use this to weaken the encryption used between the paired devices, and then to eavesdrop on and/or spoof communication between them. This update mitigates the attack by requiring a minimum encryption key length of 56 bits. CVE-2019-14814, CVE-2019-14815, CVE-2019-14816 Multiple bugs were discovered in the mwifiex wifi driver, which could lead to heap buffer overflows. A local user permitted to configure a device handled by this driver could probably use this for privilege escalation. CVE-2019-14821 Matt Delco reported a race condition in KVM's coalesced MMIO facility, which could lead to out-of-bounds access in the kernel. A local attacker permitted to access /dev/kvm could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-14835 Peter Pi of Tencent Blade Team discovered a missing bounds check in vhost_net, the network back-end driver for KVM hosts, leading to a buffer overflow when the host begins live migration of a VM. An attacker in control of a VM could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation on the host. CVE-2019-15117 Hui Peng and Mathias Payer reported a missing bounds check in the usb-audio driver's descriptor parsing code, leading to a buffer over-read. An attacker able to add USB devices could possibly use this to cause a denial of service (crash). CVE-2019-15118 Hui Peng and Mathias Payer reported unbounded recursion in the usb-audio driver's descriptor parsing code, leading to a stack overflow. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15211 The syzkaller tool found a bug in the radio-raremono driver that could lead to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15212 The syzkaller tool found that the rio500 driver does not work correctly if more than one device is bound to it. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15215 The syzkaller tool found a bug in the cpia2_usb driver that leads to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15218 The syzkaller tool found that the smsusb driver did not validate that USB devices have the expected endpoints, potentially leading to a null pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops). CVE-2019-15219 The syzkaller tool found that a device initialisation error in the sisusbvga driver could lead to a null pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops). CVE-2019-15220 The syzkaller tool found a race condition in the p54usb driver which could lead to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15221 The syzkaller tool found that the line6 driver did not validate USB devices' maximum packet sizes, which could lead to a heap buffer overrun. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15292 The Hulk Robot tool found missing error checks in the Appletalk protocol implementation, which could lead to a use-after-free. The security impact of this is unclear. CVE-2019-15807 Jian Luo reported that the Serial Attached SCSI library (libsas) did not correctly handle failure to discover devices beyond a SAS expander. This could lead to a resource leak and crash (BUG). The security impact of this is unclear. CVE-2019-15917 The syzkaller tool found a race condition in code supporting UART-attached Bluetooth adapters, which could lead to a use- after-free. A local user with access to a pty device or other suitable tty device could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15926 It was found that the ath6kl wifi driver did not consistently validate traffic class numbers in received control packets, leading to out-of-bounds memory accesses. A nearby attacker on the same wifi network could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. For Debian 8 "Jessie", these problems have been fixed in version 3.16.74-1. We recommend that you upgrade your linux packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXYxLs2aOgq3Tt24GAQj9QRAAobuggqppIcBBnm59QG16wewZgNUUU5NN 1l9TJYLf36LkehgFbAKWsV+nJFJz+4nNWv9jQgIHTwXT34IVa26GqoGyiJ1md8N4 XGQMi7rDLrdzF/nWgIvhYcoiUxjKU3FkGAo6EgTPfeMCA/UmdIahrmelYOOypVVW gxGVKLHxYEIHO+nxxLa+yAXC1lM17BKGc8J7uxfrtcAMmRmweZjPzIXzKWpLhxHm 7moejRovj1hBz16OzrNt28cehsBkXVGSOfMhVbpEiHVGZSx5XmUNzhTSBk3A/rCz Ja8fIWev2+shbU6MWwieDgRzNsgtZLe2Cqq3wWrB8rm/JZc35A8fAYCgGA71x8L7 AbhHn0fXXPhYzBT83BFuad+JUT2EXaPvz1bR2Nk0mJ2VfA4iR9C4HzndBsskp5CF rNIvTdpxreWKYvSfWHN5F/b3kp1g2h57mXbjCiWKj8xkahqvmPxuUHk3lRU3pOXG 68UoMTq1hfHyXRDi6LljXdA4iSFe/A3KNipTHfwIo8GJwqxBhJRSGtHfk5KC7z8W T2F8SDCPBHiGn9fLMcMdetXOM4OojTWe+qJ+lrPv1EMZivgobYwjqj3YooH+XHYi ujBNS4lmjTjV5SXRj4W98CySmvIak0r/D6QWmV45ByOcynCFaSIvHcPGddAleGw9 uqF4aUiWDNE= =Cvuy -----END PGP SIGNATURE-----