ID

VAR-201911-1619

CVE

CVE-2018-12207

TITLE

Ubuntu Security Notice USN-4185-2

DESCRIPTION

Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may allow an authenticated user to potentially enable denial of service of the host system via local access. Both Microsoft Windows and Microsoft Windows Server are products of Microsoft Corporation. Microsoft Windows is an operating system for personal devices. Microsoft Windows Server is a server operating system. A denial of service vulnerability exists in Microsoft Windows and Windows Server due to the program's improper handling of objects in memory. An attacker could exploit this vulnerability by logging on to an affected system and running a specially crafted application to cause the targeted system to become unresponsive. The following products and versions are affected: Microsoft Windows 10, Windows 10 Version 1607, Windows 10 Version 1709, Windows 10 Version 1803, Windows 10 Version 1809, Windows 10 Version 1903, Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server version 1803, Windows Server version 1903. (CVE-2019-17052) Ori Nimron discovered that the IEEE 802.15.4 Low-Rate Wireless network protocol implementation in the Linux kernel did not properly perform permissions checks. (CVE-2019-17055) Ori Nimron discovered that the Near field Communication (NFC) network protocol implementation in the Linux kernel did not properly perform permissions checks. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. 8) - x86_64 3. Description: This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/): 1782199 - CVE-2019-19339 kpatch: hw: incomplete fix for CVE-2018-12207 6. In addition this update provides mitigations for the "TSX Asynchronous Abort" speculative side channel attack. Note that this will be the last security update for Xen in the oldstable distribution; upstream support for the 4.8.x branch ended by the end of December 2019. ========================================================================== Ubuntu Security Notice USN-4183-1 November 13, 2019 linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi2 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 19.10 Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services (AWS) systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems - linux-kvm: Linux kernel for cloud environments - linux-oracle: Linux kernel for Oracle Cloud systems - linux-raspi2: Linux kernel for Raspberry Pi 2 Details: Stephan van Schaik, Alyssa Milburn, Sebastian \xd6sterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in microarchitectural buffers to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11135) It was discovered that the Intel i915 graphics chipsets allowed userspace to modify page table entries via writes to MMIO from the Blitter Command Streamer and expose kernel memory information. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2018-12207) It was discovered that the Intel i915 graphics chipsets could cause a system hang when userspace performed a read from GT memory mapped input output (MMIO) when the product is in certain low power states. (CVE-2019-0154) Jann Horn discovered a reference count underflow in the shiftfs implementation in the Linux kernel. (CVE-2019-15791) Jann Horn discovered a type confusion vulnerability in the shiftfs implementation in the Linux kernel. (CVE-2019-15792) Jann Horn discovered that the shiftfs implementation in the Linux kernel did not use the correct file system uid/gid when the user namespace of a lower file system is not in the init user namespace. A local attacker could use this to possibly bypass DAC permissions or have some other unspecified impact. (CVE-2019-15793) It was discovered that a buffer overflow existed in the 802.11 Wi-Fi configuration interface for the Linux kernel when handling beacon settings. (CVE-2019-16746) Nico Waisman discovered that a buffer overflow existed in the Realtek Wi-Fi driver for the Linux kernel when handling Notice of Absence frames. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-17666) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 19.10: linux-image-5.3.0-1006-oracle 5.3.0-1006.7 linux-image-5.3.0-1007-aws 5.3.0-1007.8 linux-image-5.3.0-1007-azure 5.3.0-1007.8 linux-image-5.3.0-1007-kvm 5.3.0-1007.8 linux-image-5.3.0-1008-gcp 5.3.0-1008.9 linux-image-5.3.0-1012-raspi2 5.3.0-1012.14 linux-image-5.3.0-22-generic 5.3.0-22.24 linux-image-5.3.0-22-generic-lpae 5.3.0-22.24 linux-image-5.3.0-22-lowlatency 5.3.0-22.24 linux-image-5.3.0-22-snapdragon 5.3.0-22.24 linux-image-aws 5.3.0.1007.9 linux-image-azure 5.3.0.1007.25 linux-image-gcp 5.3.0.1008.9 linux-image-generic 5.3.0.22.26 linux-image-generic-lpae 5.3.0.22.26 linux-image-gke 5.3.0.1008.9 linux-image-kvm 5.3.0.1007.9 linux-image-lowlatency 5.3.0.22.26 linux-image-oracle 5.3.0.1006.7 linux-image-raspi2 5.3.0.1012.9 linux-image-snapdragon 5.3.0.22.26 linux-image-virtual 5.3.0.22.26 Please note that mitigating the TSX (CVE-2019-11135) and i915 (CVE-2019-0154) issues requires corresponding microcode and graphics firmware updates respectively. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. CVE-2018-12207 It was discovered that on Intel CPUs supporting hardware virtualisation with Extended Page Tables (EPT), a guest VM may manipulate the memory management hardware to cause a Machine Check Error (MCE) and denial of service (hang or crash). The guest triggers this error by changing page tables without a TLB flush, so that both 4 KB and 2 MB entries for the same virtual address are loaded into the instruction TLB (iTLB). This update implements a mitigation in KVM that prevents guest VMs from loading 2 MB entries into the iTLB. This will reduce performance of guest VMs. Further information on the mitigation can be found at <https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html> or in the linux-doc-4.9 or linux-doc-4.19 package. A qemu update adding support for the PSCHANGE_MC_NO feature, which allows to disable iTLB Multihit mitigations in nested hypervisors will be provided via DSA 4566-1. Intel's explanation of the issue can be found at <https://software.intel.com/security-software-guidance/insights/deep-dive-machine-check-error-avoidance-page-size-change-0>. CVE-2019-0154 Intel discovered that on their 8th and 9th generation GPUs, reading certain registers while the GPU is in a low-power state can cause a system hang. A local user permitted to use the GPU can use this for denial of service. This update mitigates the issue through changes to the i915 driver. The affected chips (gen8 and gen9) are listed at <https://en.wikipedia.org/wiki/List_of_Intel_graphics_processing_units#Gen8>. CVE-2019-0155 Intel discovered that their 9th generation and newer GPUs are missing a security check in the Blitter Command Streamer (BCS). A local user permitted to use the GPU could use this to access any memory that the GPU has access to, which could result in a denial of service (memory corruption or crash), a leak of sensitive information, or privilege escalation. This update mitigates the issue by adding the security check to the i915 driver. The affected chips (gen9 onward) are listed at <https://en.wikipedia.org/wiki/List_of_Intel_graphics_processing_units#Gen9>. CVE-2019-11135 It was discovered that on Intel CPUs supporting transactional memory (TSX), a transaction that is going to be aborted may continue to execute speculatively, reading sensitive data from internal buffers and leaking it through dependent operations. Intel calls this "TSX Asynchronous Abort" (TAA). For CPUs affected by the previously published Microarchitectural Data Sampling (MDS) issues (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091), the existing mitigation also mitigates this issue. For processors that are vulnerable to TAA but not MDS, this update disables TSX by default. This mitigation requires updated CPU microcode. An updated intel-microcode package (only available in Debian non-free) will be provided via DSA 4565-1. The updated CPU microcode may also be available as part of a system firmware ("BIOS") update. Further information on the mitigation can be found at <https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html> or in the linux-doc-4.9 or linux-doc-4.19 package. Intel's explanation of the issue can be found at <https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort>. For the oldstable distribution (stretch), these problems have been fixed in version 4.9.189-3+deb9u2. For the stable distribution (buster), these problems have been fixed in version 4.19.67-2+deb10u2. For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl3LBMVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0RtSg//aBsENrrs5mbCKYxt6Lm1hVdxdmz+9TbgZkxU+lQ0XEfge4wQUCa8KhJh os4qGuDXh5q/2VkNMa+cUCyHCyxxl3qv4rCsm+MxG1Rd4Hy4JoKt4heJgi5hXW9A qhOQ5+rHb0OeoPM9BCduTi37h+mLS4ItRz30n3+3B2+VC0tj+iV2nOZJmC0WMEiq LrqeDm39pa6DqKBAExdYT/TCyKLsngMHoIGorWVPXdJP1/xmrH2gU0W3L7k5KJPz apeCi4E3H9bjRh8Be5SeT3zDoEaiiNn/sHHkLDeAryFMuwilekxFaYocbW/0CEIH kWRMkC+uq1KfQfBDSxIOsH8yq8n+zQ12XJ0YiiqEKg6ErabWz5rCaVHyPWvdh0Ny mezs99PkQ7mUkjAUVzIfz2Rq6VByOCdfuT/GvPL7rUtIJYRdqYkWBI8t/hVlrnDq yR+X7vQZWm5wb3+Jiz/sA6TqgDvKSgk1+tUfBmqI9sh1wWNKSSYee0b81BLLubs3 IInPlgW2Lp+IsA3CVKKQNTNMWZkuNyPZH2UGpZV45otazcLPrrdNtt52x4gvIJ/W lizVpb2BOpTpoeEXNYlEDCjwcrW9f1FkVztwMgz3J6eb9pHjieFuGO9vOxcP7li3 FNJbGhaUUZa8BfjsQgBwFSwVXRr212zK9yv0UHnLRJo4l0I3xC0=YZWL -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: kernel security update Advisory ID: RHSA-2019:3841-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:3841 Issue date: 2019-11-12 CVE Names: CVE-2018-12207 CVE-2019-0154 CVE-2019-11135 ===================================================================== 1. Summary: An update for kernel is now available for Red Hat Enterprise Linux 7.2 Advanced Update Support, Red Hat Enterprise Linux 7.2 Telco Extended Update Support, and Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server AUS (v. 7.2) - noarch, x86_64 Red Hat Enterprise Linux Server E4S (v. 7.2) - noarch, x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 7.2) - x86_64 Red Hat Enterprise Linux Server Optional E4S (v. 7.2) - x86_64 Red Hat Enterprise Linux Server Optional TUS (v. 7.2) - x86_64 Red Hat Enterprise Linux Server TUS (v. 7.2) - noarch, x86_64 3. Description: The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * hw: Machine Check Error on Page Size Change (IFU) (CVE-2018-12207) * hw: TSX Transaction Asynchronous Abort (TAA) (CVE-2019-11135) * hw: Intel GPU Denial Of Service while accessing MMIO in lower power state (CVE-2019-0154) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 The system must be rebooted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1646768 - CVE-2018-12207 hw: Machine Check Error on Page Size Change (IPU) 1724393 - CVE-2019-0154 hw: Intel GPU Denial Of Service while accessing MMIO in lower power state 1753062 - CVE-2019-11135 hw: TSX Transaction Asynchronous Abort (TAA) 6. Package List: Red Hat Enterprise Linux Server AUS (v. 7.2): Source: kernel-3.10.0-327.82.2.el7.src.rpm noarch: kernel-abi-whitelists-3.10.0-327.82.2.el7.noarch.rpm kernel-doc-3.10.0-327.82.2.el7.noarch.rpm x86_64: kernel-3.10.0-327.82.2.el7.x86_64.rpm kernel-debug-3.10.0-327.82.2.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-debug-devel-3.10.0-327.82.2.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.82.2.el7.x86_64.rpm kernel-devel-3.10.0-327.82.2.el7.x86_64.rpm kernel-headers-3.10.0-327.82.2.el7.x86_64.rpm kernel-tools-3.10.0-327.82.2.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-tools-libs-3.10.0-327.82.2.el7.x86_64.rpm perf-3.10.0-327.82.2.el7.x86_64.rpm perf-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm python-perf-3.10.0-327.82.2.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm Red Hat Enterprise Linux Server E4S (v. 7.2): Source: kernel-3.10.0-327.82.2.el7.src.rpm noarch: kernel-abi-whitelists-3.10.0-327.82.2.el7.noarch.rpm kernel-doc-3.10.0-327.82.2.el7.noarch.rpm x86_64: kernel-3.10.0-327.82.2.el7.x86_64.rpm kernel-debug-3.10.0-327.82.2.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-debug-devel-3.10.0-327.82.2.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.82.2.el7.x86_64.rpm kernel-devel-3.10.0-327.82.2.el7.x86_64.rpm kernel-headers-3.10.0-327.82.2.el7.x86_64.rpm kernel-tools-3.10.0-327.82.2.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-tools-libs-3.10.0-327.82.2.el7.x86_64.rpm perf-3.10.0-327.82.2.el7.x86_64.rpm perf-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm python-perf-3.10.0-327.82.2.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm Red Hat Enterprise Linux Server TUS (v. 7.2): Source: kernel-3.10.0-327.82.2.el7.src.rpm noarch: kernel-abi-whitelists-3.10.0-327.82.2.el7.noarch.rpm kernel-doc-3.10.0-327.82.2.el7.noarch.rpm x86_64: kernel-3.10.0-327.82.2.el7.x86_64.rpm kernel-debug-3.10.0-327.82.2.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-debug-devel-3.10.0-327.82.2.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.82.2.el7.x86_64.rpm kernel-devel-3.10.0-327.82.2.el7.x86_64.rpm kernel-headers-3.10.0-327.82.2.el7.x86_64.rpm kernel-tools-3.10.0-327.82.2.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-tools-libs-3.10.0-327.82.2.el7.x86_64.rpm perf-3.10.0-327.82.2.el7.x86_64.rpm perf-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm python-perf-3.10.0-327.82.2.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional AUS (v. 7.2): x86_64: kernel-debug-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.82.2.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-327.82.2.el7.x86_64.rpm perf-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional E4S (v. 7.2): x86_64: kernel-debug-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.82.2.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-327.82.2.el7.x86_64.rpm perf-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional TUS (v. 7.2): x86_64: kernel-debug-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.82.2.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-327.82.2.el7.x86_64.rpm perf-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.82.2.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-12207 https://access.redhat.com/security/cve/CVE-2019-0154 https://access.redhat.com/security/cve/CVE-2019-11135 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/vulnerabilities/ifu-page-mce https://access.redhat.com/solutions/tsx-asynchronousabort https://access.redhat.com/solutions/i915-graphics 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXcsdGtzjgjWX9erEAQhzBQ//Sjgws2dy8r4xW9FjiYP34QhxBm5PYfhT zqERPadTm6cdb/qvhogXyLeuPZIgFAalz00SscHRGykyFaBk0ZCa0qrMCc9DiuWG SE/uzCsJ6S6ZFeyDs5nG804I9WcafQN6EMCJwjzobzHPnLq/10DSls+NPrZcdM/R 9eybeJ1E1oA0O2VMLbSLVwhV8mQ5IzejOwiUntvn320ozR1SsdgPOZCjP+r8Libq W8O6ADd40mtmSLrQl5aZWzo4MStW+0mVF5MKt65i7SASN344SQWOKZxdqGucC9mw oqfD02T25r4l61YTWjXCbefUZPDB+BaK/PiM6SVT3zhH/7KepxHJbjw0ARDhZ4Ny Jh4Wz+ZkvuPLc3U5jog8mzEOU/Wnh7LESwWRFA21zx73trf9jZ6231XiEQL8IiPO etXYe8Fv6oWcvJpx6jRQ88fco9/UiA0XGBwjuGiFUPXaSVLpBpnf/Gp3wXcEn6kf E35wuE6yHIcKdvPMvVHgAV8Kf1CVvwj709TgnfPOAHNEfY16vlsBPUhmbgErgsdO MZTHH/A7eG08T1+fbdUc6/oJ+967SicPUJXwvLWqX+pdeyj13jnDVQlkKdpQLckN XKR6LBzoWnxWgWZLiNw7wD5naxU6M3jcAxgTE87TrAsPS1+k3jeRwXl0+AHOtS7Z Rxkt0z//xYk= =Vh4k -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . 7.5) - ppc64, ppc64le, x86_64 3

AFFECTED PRODUCTS