02 July 2022
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3235 linux kernel security update 2 July 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: linux kernel Publisher: Debian Operating System: Debian GNU/Linux Resolution: Patch/Upgrade CVE Names: CVE-2022-33981 CVE-2022-32296 CVE-2022-32250 CVE-2022-30594 CVE-2022-28390 CVE-2022-28356 CVE-2022-27223 CVE-2022-26966 CVE-2022-26490 CVE-2022-24958 CVE-2022-23960 CVE-2022-23042 CVE-2022-23041 CVE-2022-23040 CVE-2022-23039 CVE-2022-23038 CVE-2022-23037 CVE-2022-23036 CVE-2022-21166 CVE-2022-21125 CVE-2022-21123 CVE-2022-2153 CVE-2022-1975 CVE-2022-1974 CVE-2022-1734 CVE-2022-1729 CVE-2022-1516 CVE-2022-1353 CVE-2022-1199 CVE-2022-1198 CVE-2022-1016 CVE-2022-1012 CVE-2022-1011 CVE-2022-0854 CVE-2022-0812 CVE-2022-0494 CVE-2021-39713 CVE-2021-4149 CVE-2018-1108 Original Bulletin: https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html Comment: CVSS (Max): 9.8 CVE-2021-39713 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: [NVD], Red Hat Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3065-1 email@example.com https://www.debian.org/lts/security/ Ben Hutchings June 30, 2022 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : linux Version : 4.9.320-2 CVE ID : CVE-2018-1108 CVE-2021-4149 CVE-2021-39713 CVE-2022-0494 CVE-2022-0812 CVE-2022-0854 CVE-2022-1011 CVE-2022-1012 CVE-2022-1016 CVE-2022-1198 CVE-2022-1199 CVE-2022-1353 CVE-2022-1516 CVE-2022-1729 CVE-2022-1734 CVE-2022-1974 CVE-2022-1975 CVE-2022-2153 CVE-2022-21123 CVE-2022-21125 CVE-2022-21166 CVE-2022-23036 CVE-2022-23037 CVE-2022-23038 CVE-2022-23039 CVE-2022-23040 CVE-2022-23041 CVE-2022-23042 CVE-2022-23960 CVE-2022-24958 CVE-2022-26490 CVE-2022-26966 CVE-2022-27223 CVE-2022-28356 CVE-2022-28390 CVE-2022-30594 CVE-2022-32250 CVE-2022-32296 CVE-2022-33981 Debian Bug : 922204 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. This update is unfortunately not available for the armel architecture. CVE-2018-1108 It was discovered that the random driver could generate random bytes through /dev/random and the getrandom() system call before gathering enough entropy that these would be unpredictable. This could compromise the confidentiality and integrity of encrypted communications. The original fix for this issue had to be reverted because it caused the boot process to hang on many systems. In this version, the random driver has been updated, making it more effective in gathering entropy without needing a hardware RNG. CVE-2021-4149 Hao Sun reported a flaw in the Btrfs fileysstem driver. There is a potential lock imbalance in an error path. A local user might be able to exploit this for denial of service. CVE-2021-39713 The syzbot tool found a race condition in the network scheduling subsystem which could lead to a use-after-free. A local user could exploit this for denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2022-0494 The scsi_ioctl() was susceptible to an information leak only exploitable by users with CAP_SYS_ADMIN or CAP_SYS_RAWIO capabilities. CVE-2022-0812 It was discovered that the RDMA transport for NFS (xprtrdma) miscalculated the size of message headers, which could lead to a leak of sensitive information between NFS servers and clients. CVE-2022-0854 Ali Haider discovered a potential information leak in the DMA subsystem. On systems where the swiotlb feature is needed, this might allow a local user to read sensitive information. CVE-2022-1011 Jann Horn discovered a flaw in the FUSE (Filesystem in User-Space) implementation. A local user permitted to mount FUSE filesystems could exploit this to cause a use-after-free and read sensitive information. CVE-2022-1012, CVE-2022-32296 Moshe Kol, Amit Klein, and Yossi Gilad discovered a weakness in randomisation of TCP source port selection. CVE-2022-1016 David Bouman discovered a flaw in the netfilter subsystem where the nft_do_chain function did not initialize register data that nf_tables expressions can read from and write to. A local attacker can take advantage of this to read sensitive information. CVE-2022-1198 Duoming Zhou discovered a race condition in the 6pack hamradio driver, which could lead to a use-after-free. A local user could exploit this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2022-1199 Duoming Zhou discovered race conditions in the AX.25 hamradio protocol, which could lead to a use-after-free or null pointer dereference. A local user could exploit this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2022-1353 The TCS Robot tool found an information leak in the PF_KEY subsystem. A local user can receive a netlink message when an IPsec daemon registers with the kernel, and this could include sensitive information. CVE-2022-1516 A NULL pointer dereference flaw in the implementation of the X.25 set of standardized network protocols, which can result in denial of service. This driver is not enabled in Debian's official kernel configurations. CVE-2022-1729 Norbert Slusarek discovered a race condition in the perf subsystem which could result in local privilege escalation to root. The default settings in Debian prevent exploitation unless more permissive settings have been applied in the kernel.perf_event_paranoid sysctl. CVE-2022-1734 Duoming Zhou discovered race conditions in the nfcmrvl NFC driver that could lead to a use-after-free, double-free or null pointer dereference. A local user might be able to exploit these for denial of service (crash or memory corruption) or possibly for privilege escalation. This driver is not enabled in Debian's official kernel configurations. CVE-2022-1974, CVE-2022-1975 Duoming Zhou discovered that the NFC netlink interface was suspectible to denial of service. CVE-2022-2153 "kangel" reported a flaw in the KVM implementation for x86 processors which could lead to a null pointer dereference. A local user permitted to access /dev/kvm could exploit this to cause a denial of service (crash). CVE-2022-21123, CVE-2022-21125, CVE-2022-21166 Various researchers discovered flaws in Intel x86 processors, collectively referred to as MMIO Stale Data vulnerabilities. These are similar to the previously published Microarchitectural Data Sampling (MDS) issues and could be exploited by local users to leak sensitive information. For some CPUs, the mitigations for these issues require updated microcode. An updated intel-microcode package may be provided at a later date. The updated CPU microcode may also be available as part of a system firmware ("BIOS") update. Further information on the mitigation can be found at <https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html> or in the linux-doc-4.9 package. CVE-2022-23036, CVE-2022-23037, CVE-2022-23038, CVE-2022-23039, CVE-2022-23040, CVE-2022-23041, CVE-2022-23042 (XSA-396) Demi Marie Obenour and Simon Gaiser of Invisible Things Lab discovered flaws in several Xen PV device frontends. These drivers misused the Xen grant table API in a way that could be exploited by a malicious device backend to cause data corruption, leaks of sensitive information, or a denial of service (crash). CVE-2022-23960 Researchers at VUSec discovered that the Branch History Buffer in Arm processors can be exploited to create information side- channels with speculative execution. This issue is similar to Spectre variant 2, but requires additional mitigations on some processors. This can be exploited to obtain sensitive information from a different security context, such as from user-space to the kernel, or from a KVM guest to the kernel. CVE-2022-24958 A flaw was discovered that the USB gadget subsystem that could lead to a use-after-free. A local user permitted to configure USB gadgets could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2022-26490 Buffer overflows in the STMicroelectronics ST21NFCA core driver can result in denial of service or privilege escalation. This driver is not enabled in Debian's official kernel configurations. CVE-2022-26966 A flaw was discovered in the sr9700 USB networking driver. A local user able to attach a specially designed USB device could use this to leak sensitive information. CVE-2022-27223 A flaw was discovered in the udc-xilinx USB gadget-mode controller driver. On systems using this driver, a malicious USB host could exploit this to cause a denial of service (crash or memory corruption) or possibly to execute arbitrary code. This driver is not enabled in Debian's official kernel configurations. CVE-2022-28356 "Beraphin" discovered that the ANSI/IEEE 802.2 LLC type 2 driver did not properly perform reference counting on some error paths. A local attacker can take advantage of this flaw to cause a denial of service. CVE-2022-28390 A double free vulnerability was discovered in the EMS CPC-USB/ARM7 CAN/USB interface driver. CVE-2022-30594 Jann Horn discovered a flaw in the interaction between ptrace and seccomp subsystems. A process sandboxed using seccomp() but still permitted to use ptrace() could exploit this to remove the seccomp restrictions. CVE-2022-32250 Aaron Adams discovered a use-after-free in Netfilter which may result in local privilege escalation to root. CVE-2022-33981 Yuan Ming from Tsinghua University reported a a race condition in the floppy driver involving use of the FDRAWCMD ioctl, which could lead to a use-after-free. A local user with access to a floppy drive device could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. This ioctl is now disabled by default. For Debian 9 stretch, these problems have been fixed in version 4.9.320-2. For the armhf architecture, this update enables optimised implementations of several cryptographic and CRC algorithms. For at least AES, this should remove a timing side-channel that could lead to a leak of sensitive information. This update includes many more bug fixes from stable updates 4.9.304-4.9.320 inclusive. The random driver has been backported from Linux 5.19, fixing numerous performance and correctness issues. Some changes will be visible: - - The entropy pool size is now 256 bits instead of 4096. You may need to adjust the configuration of system monitoring or user-space entropy gathering services to allow for this. - - On systems without a hardware RNG, the kernel will log many more uses of /dev/urandom before it is fully initialised. These uses were previously under-counted and this is not a regression. We recommend that you upgrade your linux packages. For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAmK+3TwACgkQ57/I7JWG EQntEQ//VuOGAQLcG7Cxk8APOB0zpsQWvr0JvZ+txqfLqPWvAjDBcqGPqobr94Q4 RN/NPqgqvz5zRV3jgtTKYATcIzEgjD55JZtTHdktPIjHPu0g8w9qxNH+1fuwBR6o fvUAHBF/G+k0OWsixtC8C7mm+uZA3XYljWB7wo0QGZWDDfEc8E8x44sxg2rm0Uv8 nsmFnIokc8hc+ERWfWqemL6uihrrPgzLvIKhrPt42bR6A0+C4MZ+6vEl82illO6H 9/BGYasfCmmEQSBmnxm5RFlsEgcjoNmAlhZHRUXlixwfaoGYJEmLM+Ll+So4UgJI JtFfwIu9RC1n7B3e5swDh1tn0EtA0HnKK/BPN7z5L9uz/74uQCdCsfq34qhmbW5H IbjBNtvJVWf4oeZwjNbIDNyPYR3/RoC1zOsSQm8Dour4O/CRS0wIycUPzT+ERxXH ymgArPA12r0Ud8Sle1vsctlMSfCOnIe5D8gXNx9kcAOz/HnXoWNGMVMfq97CEXgc ZZlH8TpmG1rn1rxqjkLVbOvVF+g4681nXYJW31WH5YNlX/8m0YU9e9nm/9UTDcUV iYnl8g5utgNniP4vXaUfsrTX3kUlEPsfyMqAqXc5W26O0ylN92JyC6EBE6V8fPBi 2W5CUYi7jKxotezeqrxn4vCCE/yereBcR/MCPO9GwANA0XiUNzk= =kUZu - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to firstname.lastname@example.org and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: email@example.com Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYr90s8kNZI30y1K9AQgYDw/+IMy9T3OnusDBx4ahlZP0mDkyaKCvWtjR 5ZEizRhJm6NKucDKVS08Neq1X0roYWgGZ1JfEMWehxSg9X2BCHEPdSSgAyYlAQqG cR8Oh3ZtKLOw61KBVLeBS0QH59ZS33sCAKAjB/CNhRDxxO/p2NtO5JzjEzrc6XkV t8c+bn48HelX1c+blQwcwd2hEOlh3oxl1TJ1G4LkyeLTaTywtavvo9q8FA9YNmpc wQn6KY5J3SkkyDKvVn2rqf5Hk9T+jn/bEJ4+9ZMImOQb9o8hqJyf6lFIkb4PKlUW BXb+9LuadA78wHJhnQH2+TpMghLYtonYd342+s5QK/f3R36I68W3i1YWEtneEGjL 0ceb7Z0r7To+UfiNF98SNwwRjmvoln3GHvasmjU43GfbUAjV4nYrhYCsQSNmtLI3 WnMUFN9U3TV8+FU/84c1A+YWKL3Ms90O7F8QtehH5RJ108zmjM9lMRxA+lcOfDPF 4/E1q/42mJ3cugaG7oDc5i3fU6/5MnGk5ZwdqjTDXYIij+mmXwfiBX/f80TX5f19 I1sbZLK+I8217F19QTfmtPvnKUavoEjRs6Whhcvr9JZWZ52NnAcXQPVvEUTuTGvN DQYZ4dSTPxkRkfbXokqKNqsjIbGu2nqLrlQZaX2RLCKGnm/5dkOXG2GulDohkuYF hyRBBAdoCOo= =ug/q -----END PGP SIGNATURE-----