Debian DLA-2483-1 : linux-4.19 security update

high Nessus Plugin ID 144097

Synopsis

The remote Debian host is missing a security update.

Description

Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service or information leaks.

CVE-2019-19039

'Team bobfuzzer' reported a bug in Btrfs that could lead to an assertion failure (WARN). A user permitted to mount and access arbitrary filesystems could use this to cause a denial of service (crash) if the panic_on_warn kernel parameter is set.

CVE-2019-19377

'Team bobfuzzer' reported a bug in Btrfs that could lead to a use-after-free. A user permitted to mount and access arbitrary filesystems could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2019-19770

The syzbot tool discovered a race condition in the block I/O tracer (blktrace) that could lead to a system crash. Since blktrace can only be controlled by privileged users, the security impact of this is unclear.

CVE-2019-19816

'Team bobfuzzer' reported a bug in Btrfs that could lead to an out-of-bounds write. A user permitted to mount and access arbitrary filesystems could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-0423

A race condition was discovered in the Android binder driver, that could result in a use-after-free. On systems using this driver, a local user could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-8694

Multiple researchers discovered that the powercap subsystem allowed all users to read CPU energy meters, by default. On systems using Intel CPUs, this provided a side channel that could leak sensitive information between user processes, or from the kernel to user processes. The energy meters are now readable only by root, by default.

This issue can be mitigated by running :

chmod go-r /sys/devices/virtual/powercap/*/*/energy_uj

This needs to be repeated each time the system is booted with an unfixed kernel version.

CVE-2020-14351

A race condition was discovered in the performance events subsystem, which could lead to a use-after-free. A local user permitted to access performance events could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

Debian's kernel configuration does not allow unprivileged users to access peformance events by default, which fully mitigates this issue.

CVE-2020-25656

Yuan Ming and Bodong Zhao discovered a race condition in the virtual terminal (vt) driver that could lead to a use-after-free. A local user with the CAP_SYS_TTY_CONFIG capability could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-25668

Yuan Ming and Bodong Zhao discovered a race condition in the virtual terminal (vt) driver that could lead to a use-after-free. A local user with access to a virtual terminal, or with the CAP_SYS_TTY_CONFIG capability, could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-25669

Bodong Zhao discovered a bug in the Sun keyboard driver (sunkbd) that could lead to a use-after-free. On a system using this driver, a local user could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-25704

kiyin(尹亮) discovered a potential memory leak in the performance events subsystem. A local user permitted to access performance events could use this to cause a denial of service (memory exhaustion).

Debian's kernel configuration does not allow unprivileged users to access peformance events by default, which fully mitigates this issue.

CVE-2020-25705

Keyu Man reported that strict rate-limiting of ICMP packet transmission provided a side-channel that could help networked attackers to carry out packet spoofing. In particular, this made it practical for off-path networked attackers to 'poison' DNS caches with spoofed responses ('SAD DNS' attack).

This issue has been mitigated by randomising whether packets are counted against the rate limit.

CVE-2020-27673 / XSA-332

Julien Grall from Arm discovered a bug in the Xen event handling code.
Where Linux was used in a Xen dom0, unprivileged (domU) guests could cause a denial of service (excessive CPU usage or hang) in dom0.

CVE-2020-27675 / XSA-331

Jinoh Kang of Theori discovered a race condition in the Xen event handling code. Where Linux was used in a Xen dom0, unprivileged (domU) guests could cause a denial of service (crash) in dom0.

CVE-2020-28941

Shisong Qin and Bodong Zhao discovered a bug in the Speakup screen reader subsystem. Speakup assumed that it would only be bound to one terminal (tty) device at a time, but did not enforce this. A local user could exploit this bug to cause a denial of service (crash or memory exhaustion).

CVE-2020-28974

Yuan Ming discovered a bug in the virtual terminal (vt) driver that could lead to an out-of-bounds read. A local user with access to a virtual terminal, or with the CAP_SYS_TTY_CONFIG capability, could possibly use this to obtain sensitive information from the kernel or to cause a denial of service (crash).

The specific ioctl operation affected by this bug (KD_FONT_OP_COPY) has been disabled, as it is not believed that any programs depended on it.

For Debian 9 stretch, these problems have been fixed in version 4.19.160-2~deb9u1.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux-4.19

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected packages.

See Also

https://lists.debian.org/debian-lts-announce/2020/12/msg00015.html

https://packages.debian.org/source/stretch/linux-4.19

https://security-tracker.debian.org/tracker/source-package/linux-4.19

Plugin Details

Severity: High

ID: 144097

File Name: debian_DLA-2483.nasl

Version: 1.8

Type: local

Agent: unix

Published: 12/11/2020

Updated: 2/2/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-19816

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2019-19770

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:linux-config-4.19, p-cpe:/a:debian:debian_linux:linux-doc-4.19, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-686, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-686-pae, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all-amd64, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all-arm64, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all-armel, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all-armhf, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all-i386, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-amd64, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-arm64, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-armmp, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-armmp-lpae, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-cloud-amd64, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-common, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-common-rt, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-marvell, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-rpi, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-rt-686-pae, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-rt-amd64, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-rt-arm64, p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-rt-armmp, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-686, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-686-dbg, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-686-pae, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-686-pae-dbg, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-amd64, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-amd64-dbg, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-arm64, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-arm64-dbg, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-armmp, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-armmp-dbg, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-armmp-lpae, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-armmp-lpae-dbg, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-cloud-amd64, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-cloud-amd64-dbg, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-marvell, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-marvell-dbg, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rpi, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rpi-dbg, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-686-pae, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-686-pae-dbg, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-amd64, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-amd64-dbg, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-arm64, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-arm64-dbg, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-armmp, p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-armmp-dbg, p-cpe:/a:debian:debian_linux:linux-kbuild-4.19, p-cpe:/a:debian:debian_linux:linux-perf-4.19, p-cpe:/a:debian:debian_linux:linux-source-4.19, p-cpe:/a:debian:debian_linux:linux-support-4.19.0-0.bpo.10, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/10/2020

Vulnerability Publication Date: 11/21/2019

Reference Information

CVE: CVE-2019-19039, CVE-2019-19377, CVE-2019-19770, CVE-2019-19816, CVE-2020-0423, CVE-2020-14351, CVE-2020-25656, CVE-2020-25668, CVE-2020-25669, CVE-2020-25704, CVE-2020-25705, CVE-2020-27673, CVE-2020-27675, CVE-2020-28941, CVE-2020-28974, CVE-2020-8694