type: security
subject: Updated kernel-tmb packages fix security vulnerabilities
CVE:
 - CVE-2018-1128
 - CVE-2018-1129
 - CVE-2018-12126
 - CVE-2018-12127
 - CVE-2018-12130
 - CVE-2018-14625
 - CVE-2018-16862
 - CVE-2018-16882
 - CVE-2018-16884
 - CVE-2018-18397
 - CVE-2018-19824
 - CVE-2018-19985
 - CVE-2018-1000026
 - CVE-2019-3701
 - CVE-2019-3819
 - CVE-2019-3882
 - CVE-2019-7308
 - CVE-2019-6974
 - CVE-2019-7221
 - CVE-2019-7222
 - CVE-2019-9213
 - CVE-2019-11091
 - CVE-2019-11486
 - CVE-2019-11599
src:
  6:
    core:
      - kernel-tmb-4.14.119-1.mga6
description: |
  This kernel update provides the upstream 4.14.119 that adds the kernel-side
  mitigations for the Microarchitectural Data Sampling (MDS, also called
  ZombieLoad attack) vulnerabilities in Intel processors that can allow
  attackers to retrieve data being processed inside a CPU. To complete the
  mitigations, new microcode is also needed, either by installing the
  microcode-0.20190514-1.mga6 package or by getting an updated BIOS/UEFI
  firmware from the motherboard vendor.

  The fixed / mitigated issues are:

  Modern Intel microprocessors implement hardware-level micro-optimizations
  to improve the performance of writing data back to CPU caches. The write
  operation is split into STA (STore Address) and STD (STore Data)
  sub-operations. These sub-operations allow the processor to hand off the
  address generation logic separately for optimized writes. Both of these
  sub-operations write to a shared distributed processor structure called
  the 'processor store buffer'. As a result, an unprivileged attacker could
  use this flaw to read private data resident within the CPU's processor
  store buffer. (CVE-2018-12126)

  Microprocessors use a 'load port' subcomponent to perform load operations
  from memory or IO. During a load operation, the load port receives data
  from the memory or IO subsystem and then provides the data to the CPU
  registers and operations in the CPU's pipelines. Stale load operation
  results are stored in the 'load port' table until overwritten by newer
  operations. Certain load-port operations triggered by an attacker can be
  used to reveal data about previous stale requests, leaking data back to
  the attacker via a timing side-channel. (CVE-2018-12127)

  A flaw was found in the implementation of the "fill buffer", a mechanism
  used by modern CPUs when a cache miss is made on the L1 CPU cache. If an
  attacker can generate a load operation that would create a page fault,
  the execution will continue speculatively with incorrect data from the
  fill buffer while the data is fetched from higher-level caches. This
  response time can be measured to infer data in the fill buffer.
  (CVE-2018-12130)

  Uncacheable memory on some microprocessors utilizing speculative execution
  may allow an authenticated user to potentially enable information disclosure
  via a side channel with local access. (CVE-2019-11091)

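The advisory stresses that the kernel update alone does not complete the MDS mitigation: matching microcode (or vendor firmware) is also required. The following check script is an added example, not part of the Mageia advisory; it classifies the status string the kernel exposes in /sys/devices/system/cpu/vulnerabilities/mds (the strings are those documented in the referenced admin-guide/hw-vuln/mds.html page) so that the "kernel updated, microcode missing" case is reported explicitly.

```shell
#!/bin/sh
# Added example (not from the Mageia advisory): classify the MDS status string
# that the kernel reports in sysfs, and flag the "no microcode" case this
# advisory warns about. The status strings follow the kernel's mds.html doc.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# mds_verdict STATUS
# Prints one word: unaffected | ok | smt | no-microcode | vulnerable | unknown
mds_verdict() {
    case "$1" in
        "Not affected")
            echo unaffected ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            echo no-microcode ;;   # kernel side present, microcode/firmware still missing
        "Mitigation: Clear CPU buffers; SMT vulnerable")
            echo smt ;;            # buffers cleared, but sibling hyperthreads can still leak
        "Mitigation: Clear CPU buffers; SMT mitigated" | \
        "Mitigation: Clear CPU buffers; SMT disabled" | \
        "Mitigation: Clear CPU buffers; SMT Host state unknown")
            echo ok ;;
        "Vulnerable"*)
            echo vulnerable ;;     # no mitigation at all (old kernel, or mds=off)
        *)
            echo unknown ;;
    esac
}

# mds_check_host: read the live sysfs entry; returns 0 only when fully mitigated.
# Kernels older than this update have no such file and are reported as unknown.
mds_check_host() {
    if [ -r "$MDS_SYSFS" ]; then
        status=$(cat "$MDS_SYSFS")
    else
        status="(sysfs entry missing)"
    fi
    verdict=$(mds_verdict "$status")
    printf 'mds: %s -> %s\n' "$status" "$verdict"
    case "$verdict" in
        ok|unaffected) return 0 ;;
        *)             return 1 ;;
    esac
}

# Run the live check only when asked (sh mds-check.sh --check), so the
# functions can also be sourced from other scripts.
if [ "${1:-}" = "--check" ]; then
    mds_check_host
fi
```

A verdict of no-microcode after installing this kernel means the microcode-0.20190514-1.mga6 package or a vendor firmware update is still outstanding; smt means the remaining cross-hyperthread exposure is only closed by disabling SMT.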
  It also fixes at least the following security issues:

  Cross-hyperthread Spectre v2 mitigation is now provided by the Single
  Thread Indirect Branch Predictors (STIBP) support. Note that STIBP also
  requires the functionality to be supported by the Intel microcode in use.

  It was found that the cephx authentication protocol did not verify ceph
  clients correctly and was vulnerable to a replay attack. Any attacker
  having access to the ceph cluster network who is able to sniff packets on
  the network can use this vulnerability to authenticate with the ceph
  service and perform actions allowed by the ceph service (CVE-2018-1128).

  A flaw was found in the way signature calculation was handled by the cephx
  authentication protocol. An attacker having access to the ceph cluster
  network who is able to alter the message payload was able to bypass the
  signature checks done by the cephx protocol (CVE-2018-1129).

  A flaw was found in the Linux kernel where an attacker may be able to have
  an uncontrolled read of kernel memory from within a VM guest. A race
  condition between the connect() and close() functions may allow an attacker
  using the AF_VSOCK protocol to gather a 4-byte information leak or possibly
  intercept or corrupt AF_VSOCK messages destined for other clients
  (CVE-2018-14625).

  A security flaw was found in the Linux kernel in the way the cleancache
  subsystem clears an inode after the final file truncation (removal). A
  new file created with the same inode may contain leftover pages from
  cleancache and the old file data instead of the new one (CVE-2018-16862).

  A use-after-free issue was found in the way the Linux kernel's KVM
  hypervisor processed posted interrupts when nested (=1) virtualization is
  enabled. In nested_get_vmcs12_pages(), in case of an error while
  processing the posted interrupt address, it unmaps the 'pi_desc_page'
  without resetting the 'pi_desc' descriptor address, which is later used in
  pi_test_and_clear_on(). A guest user/process could use this flaw to crash
  the host kernel, resulting in DoS, or potentially gain privileged access to
  a system (CVE-2018-16882).

  A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares
  mounted in different network namespaces at the same time can make
  bc_svc_process() use wrong back-channel IDs and cause a use-after-free
  vulnerability. Thus a malicious container user can cause host kernel
  memory corruption and a system panic. Due to the nature of the flaw,
  privilege escalation cannot be fully ruled out (CVE-2018-16884).

  The userfaultfd implementation in the Linux kernel before 4.19.7 mishandles
  access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing
  local users to write data into holes in a tmpfs file (if the user has
  read-only access to that file, and that file contains holes)
  (CVE-2018-18397).

  In the Linux kernel through 4.19.6, a local user could exploit a
  use-after-free in the ALSA driver by supplying a malicious USB sound device
  (with zero interfaces) (CVE-2018-19824).

  A flaw was found in the Linux kernel in the function hso_probe(), which
  reads the if_num value from the USB device (as a u8) and uses it without a
  length check to index an array, resulting in an OOB memory read in
  hso_probe() or hso_get_config_data(). An attacker with a forged USB
  device and physical access to a system (needed to connect such a device)
  can cause a system crash and a denial of service (CVE-2018-19985).

  The Linux kernel from version v4.8 onwards (and probably well before)
  contains an insufficient input validation vulnerability in the bnx2x
  network card driver that can result in DoS: a network card firmware
  assertion takes the card off-line. To trigger it, an attacker must pass a
  very large, specially crafted packet to the bnx2x card. This can be done
  from an untrusted guest VM (CVE-2018-1000026).

  An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux
  kernel through 4.19.13. The CAN frame modification rules allow bitwise
  logical operations that can also be applied to the can_dlc field. Because
  of a missing check, the CAN drivers may write arbitrary content beyond
  the data registers in the CAN controller's I/O memory when processing
  can-gw manipulated outgoing frames. This is related to cgw_csum_xor_rel.
  An unprivileged user can trigger a system crash (general protection fault)
  (CVE-2019-3701).

  A flaw was found in the Linux kernel in the function hid_debug_events_read()
  in the drivers/hid/hid-debug.c file, which may enter an infinite loop with
  certain parameters passed from userspace. A local privileged user ("root")
  can cause a system lock-up and a denial of service (CVE-2019-3819).

  A flaw was found in the Linux kernel's vfio interface implementation that
  permits violation of the user's locked memory limit. If a device is bound
  to a vfio driver, such as vfio-pci, and the local attacker is
  administratively granted ownership of the device, it may cause system
  memory exhaustion and thus a denial of service (DoS) (CVE-2019-3882).

  In the Linux kernel before 4.20.8, kvm_ioctl_create_device in
  virt/kvm/kvm_main.c mishandles reference counting because of a race
  condition, leading to a use-after-free (CVE-2019-6974).

  A use-after-free vulnerability was found in the way the Linux kernel's KVM
  hypervisor emulates a preemption timer for L2 guests when nested (=1)
  virtualization is enabled. This high resolution timer (hrtimer) runs when
  an L2 guest is active. After VM exit, the sync_vmcs12() timer object is
  stopped. The use-after-free occurs if the timer object is freed before
  calling the sync_vmcs12() routine. A guest user/process could use this flaw
  to crash the host kernel, resulting in a denial of service or, potentially,
  gain privileged access to a system (CVE-2019-7221).

  An information leakage issue was found in the way the Linux kernel's KVM
  hypervisor handled page fault exceptions while emulating instructions
  like VMXON, VMCLEAR, VMPTRLD, and VMWRITE with a memory address as an
  operand. It occurs if the operand is an MMIO address, as the returned
  exception object holds uninitialized stack memory contents. A guest
  user/process could use this flaw to leak the host's stack memory contents
  to a guest (CVE-2019-7222).

  kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs undesirable
  out-of-bounds speculation on pointer arithmetic in various cases, including
  cases of different branches with different state or limits to sanitize,
  leading to side-channel attacks (CVE-2019-7308).

  In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks
  a check for the mmap minimum address, which makes it easier for attackers
  to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is
  related to a capability check for the wrong task (CVE-2019-9213).

  The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the
  Linux kernel before 5.0.8 has multiple race conditions (CVE-2019-11486).

  The coredump implementation in the Linux kernel before 5.0.10 does not use
  locking or other mechanisms to prevent vma layout or vma flags changes while
  it runs, which allows local users to obtain sensitive information, cause a
  denial of service, or possibly have unspecified other impact by triggering
  a race condition with mmget_not_zero or get_task_mm calls (CVE-2019-11599).

  It also fixes signal handling issues causing powertop to crash and some
  tracing tools to fail on execve tests.

  Ndiswrapper has been updated to 1.62.

  WireGuard has been updated to 0.0.20190406.

  For other upstream fixes in this update, see the referenced changelogs.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=24774
 - https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.79
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.80
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.81
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.82
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.83
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.84
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.85
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.86
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.87
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.88
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.89
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.90
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.91
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.92
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.93
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.94
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.95
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.96
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.97
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.98
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.99
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.100
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.101
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.102
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.103
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.104
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.105
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.106
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.107
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.108
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.109
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.110
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.111
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.112
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.113
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.114
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.115
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.116
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.117
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.118
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.119