Vulnerability CVE-2018-19985


Published: 2019-03-21

Description:
The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allows arbitrary read in the kernel address space.

Type:

CWE-125

(Out-of-bounds Read)

CVSS2 => (AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
2.1/10
2.9/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Netapp -> Active iq performance analytics services 
Netapp -> Element software management node 
Linux -> Linux kernel 
Debian -> Debian linux 

 References:
http://lists.opensuse.org/opensuse-security-announce/2019-01/msg00023.html
http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00007.html
http://packetstormsecurity.com/files/151420/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html
https://hexhive.epfl.ch/projects/perifuzz/
https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html
https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html
https://lists.debian.org/debian-lts-announce/2019/05/msg00002.html
https://seclists.org/bugtraq/2019/Jan/52
https://security.netapp.com/advisory/ntap-20190404-0002/
https://usn.ubuntu.com/4115-1/
https://usn.ubuntu.com/4118-1/

Copyright 2021, cxsecurity.com

 

Back to Top