ID

VAR-201911-1619

CVE

CVE-2018-12207

TITLE

Intel(R) Processor Input validation vulnerability

DESCRIPTION

Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may allow an authenticated user to potentially enable denial of service of the host system via local access. Intel(R) Processor Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Both Microsoft Windows and Microsoft Windows Server are products of Microsoft Corporation. Microsoft Windows is an operating system for personal devices. Microsoft Windows Server is a server operating system. A denial of service vulnerability exists in Microsoft Windows and Windows Server due to the program's improper handling of objects in memory. An attacker could exploit this vulnerability by logging on to an affected system and running a specially crafted application to cause the targeted system to become unresponsive. The following products and versions are affected: Microsoft Windows 10, Windows 10 Version 1607, Windows 10 Version 1709, Windows 10 Version 1803, Windows 10 Version 1809, Windows 10 Version 1903, Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server version 1803, Windows Server version 1903. Also, the update introduced a regression that broke KVM guests where extended page tables (EPT) are disabled or not supported. 8.0) - aarch64, noarch, ppc64le, s390x, x86_64 3. Bug Fix(es): * Backport TCP follow-up for small buffers (BZ#1739184) * TCP performance regression after CVE-2019-11478 bug fix (BZ#1743170) * RHEL8.0 - bnx2x link down, caused by transmit timeouts during load test (Marvell/Cavium/QLogic) (L3:) (BZ#1743548) * block: blk-mq improvement (BZ#1780567) * RHEL8.0 - Regression to RHEL7.6 by changing force_latency found during RHEL8.0 validation for SAP HANA on POWER (BZ#1781111) * blk-mq: overwirte performance drops on real MQ device (BZ#1782183) * RHEL8: creating vport takes lot of memory i.e 2GB per vport which leads to drain out system memory quickly. (BZ#1782705) 4. 7) - noarch, x86_64 3. Description: The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.1.24 machine-os-content-container security update Advisory ID: RHSA-2019:3941-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2019:3941 Issue date: 2019-11-21 CVE Names: CVE-2018-12207 CVE-2019-14287 CVE-2019-15718 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.1.24 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This is a text-only advisory for the machine-os-content container image, which includes RPM packages for Red Hat Enterprise Linux CoreOS. Security Fix(es): * A flaw was found in the way Intel CPUs handle inconsistency between, virtual to physical memory address translations in CPU's local cache and system software's Paging structure entries. A privileged guest user may use this flaw to induce a hardware Machine Check Error on the host processor, resulting in a severe DoS scenario by halting the processor. System software like OS OR Virtual Machine Monitor (VMM) use virtual memory system for storing program instructions and data in memory. Virtual Memory system uses Paging structures like Page Tables and Page Directories to manage system memory. The processor's Memory Management Unit (MMU) uses Paging structure entries to translate program's virtual memory addresses to physical memory addresses. The processor stores these address translations into its local cache buffer called - Translation Lookaside Buffer (TLB). TLB has two parts, one for instructions and other for data addresses. System software can modify its Paging structure entries to change address mappings OR certain attributes like page size etc. Upon such Paging structure alterations in memory, system software must invalidate the corresponding address translations in the processor's TLB cache. But before this TLB invalidation takes place, a privileged guest user may trigger an instruction fetch operation, which could use an already cached, but now invalid, virtual to physical address translation from Instruction TLB (ITLB). Thus accessing an invalid physical memory address and resulting in halting the processor due to the Machine Check Error (MCE) on Page Size Change. (CVE-2018-12207) * A flaw was found in the way sudo implemented running commands with an arbitrary user ID. If a sudoers entry is written to allow users to run a command as any user except root, this flaw can be used by an attacker to bypass that restriction. (CVE-2019-14287) * An improper authorization flaw was discovered in systemd-resolved in the way it configures the exposed DBus interface org.freedesktop.resolve1. An unprivileged local user could call all DBus methods, even when marked as privileged operations. An attacker could abuse this flaw by changing the DNS, Search Domain, LLMNR, DNSSEC, and other network link settings without any authorization, giving them control of the network names resolution process and causing the system to communicate with wrong or malicious servers. (CVE-2019-15718) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For OpenShift Container Platform 4.1 see the following documentation, which will be updated shortly for release 4.1.24, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-rel ease-notes.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1646768 - CVE-2018-12207 hw: Machine Check Error on Page Size Change (IFU) 1746057 - CVE-2019-15718 systemd: systemd-resolved allows unprivileged users to configure DNS 1760531 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword 5. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXdZfNtzjgjWX9erEAQiIJA/8DVpw4bPJ/QftagWt+yTuVrElc8k0ilKD Nm5N28A+S4n7FThUMq261i9a/vaNMRe0aA1iaRtU+65jLGZQK42QNrVSHrWb+URe TL6g1IWD/nzCVB7jW7pER8kraHw3YDxgGmpDite38SZ6xF8lU57Vzn5a9btRbKfU D0i+Lp7ak0PCZ280B/LCSsZtB1wN4U1knVQKOsNd8AE5C6bB6dXLD0eVMur5aWMI 0IZy0rzLHHZIMEhAxXyssyFGnm3EDqjjFp27dScD9nEMemToduyK82pJTOfIUusx geFGYQhKC3ZXCNG1pHzqF9Llzy4gcvYuhW85tT4ICbDaGnYOmmAh/dpWlevJm2Le A7WPEQSxUUH1SCr7RrDrWqz04uPkvZJgzwV8vNH5FtnbLsCF4RI1fKJY5rZ/NOil 0YMR28rRQYJcK7MvwLbQCwRTQx3lk4NcV3V1RYn3Igi6dsIw++6/sIsbzhtPJF9A LuTf5v55MMhQI062yT6seorAPIcKtTk90PkXXihQrY+i2kkdkYIBDLs9fRAJU0Va 10eaTc2NC535bd/NliwPnPEn4RaXXTImMA+HhEhX/arAJ88sW0hyWyyBE+DkJAb4 KGYHvPMefV10tj9gJPoXHr9InuCCSb37cAvJn5FzInCZ5181E4D8Vxv4HZIAi8P0 7YKxx54lRpE= =9Xq5 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Due to the high complexity of the fixes and the required microcode update, we are unable to livepatch this set of CVEs. Please plan to reboot into an updated kernel as soon as possible. The details of these CVEs follows: CVE-2018-12207 On an Ubuntu KVM host configured to use huge pages, a malicious KVM guest can cause a host machine check exception (MCE) capable of bringing down the host OS. CVE-2019-11135 On Intel processors with support for Transactional Synchronization Extensions (TSX), it is possible to exploit a transactional asynchronous abort (TAA) to perform a side-channel attack and leak kernel memory. Further details on the vulnerabilities and our response can be found here: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/TAA_MCEPSC_i915 Again, due to the high complexity of the fixes and the required microcode update, we are unable to livepatch this set of CVEs. Please plan to reboot into an updated kernel as soon as possible. | Series | Version | Flavors | |------------------+-----------------------+--------------------------| | Ubuntu 18.04 LTS | 4.15.0-1054.55 | aws | | Ubuntu 16.04 LTS | 4.4.0-1098.102 | aws | | Ubuntu 18.04 LTS | 5.0.0-1025.27~18.04.1 | azure | | Ubuntu 16.04 LTS | 4.15.0-1063.66 | azure | | Ubuntu 18.04 LTS | 4.15.0-69.78 | generic lowlatency | | Ubuntu 16.04 LTS | 4.15.0-69.78~16.04.1 | generic lowlatency | | Ubuntu 14.04 LTS | 4.4.0-168.197~14.04.1 | generic lowlatency | | Ubuntu 18.04 LTS | 4.15.0-1063.72 | oem | | Ubuntu 16.04 LTS | 4.4.0-168.197 | generic lowlatency | Support Information: Kernels older than the levels listed above will no longer receive livepatch updates. References: CVE-2018-12207, CVE-2019-0154, CVE-2019-0155, CVE-2019-11135 -- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce . ========================================================================== Ubuntu Security Notice USN-4186-3 November 13, 2019 linux vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux: Linux kernel Details: USN-4186-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command Streamer check) was incomplete on 64-bit Intel x86 systems. This update addresses the issue. We apologize for the inconvenience. Original advisory details: Stephan van Schaik, Alyssa Milburn, Sebastian \xd6sterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in microarchitectural buffers to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11135) It was discovered that the Intel i915 graphics chipsets allowed userspace to modify page table entries via writes to MMIO from the Blitter Command Streamer and expose kernel memory information. A local attacker could use this to expose sensitive information or possibly elevate privileges. A local attacker in a guest VM could use this to cause a denial of service (host system crash). (CVE-2018-12207) It was discovered that the Intel i915 graphics chipsets could cause a system hang when userspace performed a read from GT memory mapped input output (MMIO) when the product is in certain low power states. A local attacker could use this to cause a denial of service. (CVE-2019-0154) Hui Peng discovered that the Atheros AR6004 USB Wi-Fi device driver for the Linux kernel did not properly validate endpoint descriptors returned by the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15098) It was discovered that a buffer overflow existed in the 802.11 Wi-Fi configuration interface for the Linux kernel when handling beacon settings. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-16746) Ori Nimron discovered that the AX25 network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17052) Ori Nimron discovered that the IEEE 802.15.4 Low-Rate Wireless network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17053) Ori Nimron discovered that the Appletalk network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17054) Ori Nimron discovered that the modular ISDN network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17055) Ori Nimron discovered that the Near field Communication (NFC) network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17056) Nico Waisman discovered that a buffer overflow existed in the Realtek Wi-Fi driver for the Linux kernel when handling Notice of Absence frames. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-17666) Maddie Stone discovered that the Binder IPC Driver implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-2215) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: linux-image-4.4.0-169-generic 4.4.0-169.198 linux-image-4.4.0-169-generic-lpae 4.4.0-169.198 linux-image-4.4.0-169-lowlatency 4.4.0-169.198 linux-image-generic 4.4.0.169.177 linux-image-generic-lpae 4.4.0.169.177 linux-image-lowlatency 4.4.0.169.177 linux-image-virtual 4.4.0.169.177 Please note that mitigating the TSX (CVE-2019-11135) and i915 (CVE-2019-0154) issues requires corresponding microcode and graphics firmware updates respectively. After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://usn.ubuntu.com/4186-3 https://usn.ubuntu.com/4186-1 CVE-2019-0155, https://bugs.launchpad.net/bugs/1852141 Package Information: https://launchpad.net/ubuntu/+source/linux/4.4.0-169.198 . 7.6) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.6) - x86_64 Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 7.6) - ppc64, ppc64le, x86_64 3. 7.6): x86_64: kernel-debug-debuginfo-3.10.0-957.38.2.el7.x86_64.rpm kernel-debuginfo-3.10.0-957.38.2.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-957.38.2.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-957.38.2.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-957.38.2.el7.x86_64.rpm perf-debuginfo-3.10.0-957.38.2.el7.x86_64.rpm python-perf-debuginfo-3.10.0-957.38.2.el7.x86_64.rpm Red Hat Enterprise Linux Server EUS (v. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. 6.5) - x86_64 3. (CVE-2019-15792) Jann Horn discovered that the shiftfs implementation in the Linux kernel did not use the correct file system uid/gid when the user namespace of a lower file system is not in the init user namespace

AFFECTED PRODUCTS