Vulnerability CVE-2019-14835


Published: 2019-09-17

Description:
A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.

Type:

CWE-120

(Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))

Vendor: Redhat
Product: Enterprise linux 
Version:
8.0
7.0
6.0
See more versions on NVD
Vendor: Linux
Product: Linux kernel 
Version:
5.2.9
5.2.8
5.2.6
5.2.3
5.2.17
5.2.16
5.2.15
5.2.14
5.2.13
5.2.12
5.2.11
5.2.10
5.2.1
5.2
5.1.9
5.1.8
5.1.7
5.1.6
5.1.5
5.1.4
5.1.3
5.1.2
5.1.18
5.1.17
5.1.15
5.1.14
5.1.13
5.1.12
5.1.11
5.1.10
5.1
5.0.9
5.0.8
5.0.7
5.0.6
5.0.5
5.0.4
5.0.3
5.0.2
5.0.19
5.0.18
5.0.17
5.0.16
5.0.15
5.0.14
5.0.13
5.0.12
5.0.11
5.0.10
5.0.1
5.0
4.9.99
4.9.98
4.9.97
4.9.96
4.9.95
4.9.94
4.9.93
4.9.92
4.9.91
4.9.90
4.9.9
4.9.89
4.9.88
4.9.87
4.9.86
4.9.85
4.9.84
4.9.83
4.9.82
4.9.81
4.9.80
4.9.8
4.9.79
4.9.78
4.9.77
4.9.76
4.9.75
4.9.74
4.9.73
4.9.72
4.9.71
4.9.70
4.9.7
4.9.69
4.9.68
4.9.67
4.9.66
4.9.65
4.9.64
4.9.63
4.9.62
4.9.61
4.9.60
4.9.6
4.9.59
4.9.58
See more versions on NVD

CVSS2 => (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.2/10
10/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html
http://packetstormsecurity.com/files/154572/Kernel-Live-Patch-Security-Notice-LSN-0056-1.html
http://www.openwall.com/lists/oss-security/2019/09/24/1
https://access.redhat.com/errata/RHSA-2019:2827
https://access.redhat.com/errata/RHSA-2019:2828
https://access.redhat.com/errata/RHSA-2019:2829
https://access.redhat.com/errata/RHSA-2019:2830
https://access.redhat.com/errata/RHSA-2019:2854
https://access.redhat.com/errata/RHSA-2019:2862
https://access.redhat.com/errata/RHSA-2019:2863
https://access.redhat.com/errata/RHSA-2019:2864
https://access.redhat.com/errata/RHSA-2019:2865
https://access.redhat.com/errata/RHSA-2019:2866
https://access.redhat.com/errata/RHSA-2019:2867
https://access.redhat.com/errata/RHSA-2019:2869
https://access.redhat.com/errata/RHSA-2019:2889
https://access.redhat.com/errata/RHSA-2019:2899
https://access.redhat.com/errata/RHSA-2019:2900
https://access.redhat.com/errata/RHSA-2019:2901
https://access.redhat.com/errata/RHSA-2019:2924
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14835
https://lists.debian.org/debian-lts-announce/2019/09/msg00025.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQFY6JYFIQ2VFQ7QCSXPWTUL5ZDNCJL5/
https://seclists.org/bugtraq/2019/Sep/41
https://usn.ubuntu.com/4135-2/
https://www.debian.org/security/2019/dsa-4531
https://www.openwall.com/lists/oss-security/2019/09/17/1

Related CVE
CVE-2019-17351
An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.3, as used in Xen through 4.12.x, allowing guest OS users to cause a denial of service because of unrestricted resource consumption during the mapping of guest memory, ak...
CVE-2019-17133
In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a Buffer Overflow.
CVE-2019-17075
An issue was discovered in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel through 5.3.2. The cxgb4 driver is directly calling dma_map_single (a DMA function) from a stack variable. This could allow an attacker to trigger a D...
CVE-2019-17056
llcp_sock_create in net/nfc/llcp_sock.c in the AF_NFC network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-3a359798b176.
CVE-2019-17055
base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21.
CVE-2019-17054
atalk_create in net/appletalk/ddp.c in the AF_APPLETALK network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-6cc03e8aa36c.
CVE-2019-17053
ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-e69dbd4619e7.
CVE-2019-17052
ax25_create in net/ax25/af_ax25.c in the AF_AX25 network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-0614e2b73768.

Copyright 2019, cxsecurity.com

 

Back to Top