ID

VAR-201911-1619

CVE

CVE-2018-12207

TITLE

Ubuntu Security Notice USN-4184-1

DESCRIPTION

Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may allow an authenticated user to potentially enable denial of service of the host system via local access. Both Microsoft Windows and Microsoft Windows Server are products of Microsoft Corporation. Microsoft Windows is an operating system for personal devices. Microsoft Windows Server is a server operating system. A denial of service vulnerability exists in Microsoft Windows and Windows Server due to the program's improper handling of objects in memory. An attacker could exploit this vulnerability by logging on to an affected system and running a specially crafted application to cause the targeted system to become unresponsive. The following products and versions are affected: Microsoft Windows 10, Windows 10 Version 1607, Windows 10 Version 1709, Windows 10 Version 1803, Windows 10 Version 1809, Windows 10 Version 1903, Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server version 1803, Windows Server version 1903. ========================================================================== Ubuntu Security Notice USN-4184-1 November 13, 2019 linux, linux-aws, linux-azure, linux-gcp, linux-gke-5.0, linux-hwe, linux-kvm, linux-oem-osp1, linux-oracle, linux-raspi2 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 19.04 - Ubuntu 18.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services (AWS) systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems - linux-kvm: Linux kernel for cloud environments - linux-oracle: Linux kernel for Oracle Cloud systems - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-gke-5.0: Linux kernel for Google Container Engine (GKE) systems - linux-hwe: Linux hardware enablement (HWE) kernel - linux-oem-osp1: Linux kernel for OEM processors Details: Stephan van Schaik, Alyssa Milburn, Sebastian \xd6sterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in microarchitectural buffers to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11135) It was discovered that the Intel i915 graphics chipsets allowed userspace to modify page table entries via writes to MMIO from the Blitter Command Streamer and expose kernel memory information. A local attacker could use this to expose sensitive information or possibly elevate privileges. A local attacker in a guest VM could use this to cause a denial of service (host system crash). (CVE-2018-12207) It was discovered that the Intel i915 graphics chipsets could cause a system hang when userspace performed a read from GT memory mapped input output (MMIO) when the product is in certain low power states. A local attacker could use this to cause a denial of service. (CVE-2019-0154) Hui Peng discovered that the Atheros AR6004 USB Wi-Fi device driver for the Linux kernel did not properly validate endpoint descriptors returned by the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15098) Jann Horn discovered a reference count underflow in the shiftfs implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15791) Jann Horn discovered a type confusion vulnerability in the shiftfs implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15792) Jann Horn discovered that the shiftfs implementation in the Linux kernel did not use the correct file system uid/gid when the user namespace of a lower file system is not in the init user namespace. A local attacker could use this to possibly bypass DAC permissions or have some other unspecified impact. (CVE-2019-15793) Ori Nimron discovered that the AX25 network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17052) Ori Nimron discovered that the IEEE 802.15.4 Low-Rate Wireless network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17053) Ori Nimron discovered that the Appletalk network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17054) Ori Nimron discovered that the modular ISDN network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17055) Ori Nimron discovered that the Near field Communication (NFC) network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17056) Nico Waisman discovered that a buffer overflow existed in the Realtek Wi-Fi driver for the Linux kernel when handling Notice of Absence frames. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-17666) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 19.04: linux-image-5.0.0-1007-oracle 5.0.0-1007.12 linux-image-5.0.0-1021-aws 5.0.0-1021.24 linux-image-5.0.0-1022-kvm 5.0.0-1022.24 linux-image-5.0.0-1022-raspi2 5.0.0-1022.23 linux-image-5.0.0-1025-azure 5.0.0-1025.27 linux-image-5.0.0-1025-gcp 5.0.0-1025.26 linux-image-5.0.0-35-generic 5.0.0-35.38 linux-image-5.0.0-35-generic-lpae 5.0.0-35.38 linux-image-5.0.0-35-lowlatency 5.0.0-35.38 linux-image-aws 5.0.0.1021.23 linux-image-azure 5.0.0.1025.25 linux-image-gcp 5.0.0.1025.50 linux-image-generic 5.0.0.35.37 linux-image-generic-lpae 5.0.0.35.37 linux-image-gke 5.0.0.1025.50 linux-image-kvm 5.0.0.1022.23 linux-image-lowlatency 5.0.0.35.37 linux-image-oracle 5.0.0.1007.33 linux-image-raspi2 5.0.0.1022.20 linux-image-virtual 5.0.0.35.37 Ubuntu 18.04 LTS: linux-image-5.0.0-1025-azure 5.0.0-1025.27~18.04.1 linux-image-5.0.0-1025-gcp 5.0.0-1025.26~18.04.1 linux-image-5.0.0-1025-gke 5.0.0-1025.26~18.04.1 linux-image-5.0.0-1027-oem-osp1 5.0.0-1027.31 linux-image-5.0.0-35-generic 5.0.0-35.38~18.04.1 linux-image-5.0.0-35-generic-lpae 5.0.0-35.38~18.04.1 linux-image-5.0.0-35-lowlatency 5.0.0-35.38~18.04.1 linux-image-azure 5.0.0.1025.36 linux-image-gcp 5.0.0.1025.29 linux-image-generic-hwe-18.04 5.0.0.35.93 linux-image-generic-lpae-hwe-18.04 5.0.0.35.93 linux-image-gke-5.0 5.0.0.1025.14 linux-image-lowlatency-hwe-18.04 5.0.0.35.93 linux-image-oem-osp1 5.0.0.1027.31 linux-image-snapdragon-hwe-18.04 5.0.0.35.93 linux-image-virtual-hwe-18.04 5.0.0.35.93 Please note that mitigating the TSX (CVE-2019-11135) and i915 (CVE-2019-0154) issues requires corresponding microcode and graphics firmware updates respectively. After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://usn.ubuntu.com/4184-1 CVE-2018-12207, CVE-2019-0154, CVE-2019-0155, CVE-2019-11135, CVE-2019-15098, CVE-2019-15791, CVE-2019-15792, CVE-2019-15793, CVE-2019-17052, CVE-2019-17053, CVE-2019-17054, CVE-2019-17055, CVE-2019-17056, CVE-2019-17666, https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/TAA_MCEPSC_i915 Package Information: https://launchpad.net/ubuntu/+source/linux/5.0.0-35.38 https://launchpad.net/ubuntu/+source/linux-aws/5.0.0-1021.24 https://launchpad.net/ubuntu/+source/linux-azure/5.0.0-1025.27 https://launchpad.net/ubuntu/+source/linux-gcp/5.0.0-1025.26 https://launchpad.net/ubuntu/+source/linux-kvm/5.0.0-1022.24 https://launchpad.net/ubuntu/+source/linux-oracle/5.0.0-1007.12 https://launchpad.net/ubuntu/+source/linux-raspi2/5.0.0-1022.23 https://launchpad.net/ubuntu/+source/linux-azure/5.0.0-1025.27~18.04.1 https://launchpad.net/ubuntu/+source/linux-gcp/5.0.0-1025.26~18.04.1 https://launchpad.net/ubuntu/+source/linux-gke-5.0/5.0.0-1025.26~18.04.1 https://launchpad.net/ubuntu/+source/linux-hwe/5.0.0-35.38~18.04.1 https://launchpad.net/ubuntu/+source/linux-oem-osp1/5.0.0-1027.31 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.2.5 machine-os-content-container security update Advisory ID: RHSA-2019:3916-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2019:3916 Issue date: 2019-11-19 CVE Names: CVE-2018-12207 CVE-2019-14287 ===================================================================== 1. Summary: An update for machine-os-content-container is now available for Red Hat OpenShift Container Platform 4.2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This is a text-only advisory for the machine-os-content container image, which includes RPM packages for Red Hat Enterprise Linux CoreOS. Security Fix(es): * A flaw was found in the way Intel CPUs handled inconsistency between virtual to physical memory address translations in the CPU's local cache and the system software's Paging structure entries. A privileged guest user can exploit this flaw to induce a hardware Machine Check Error (MCE) on the host processor, resulting in a severe DoS scenario by halting the processor. System software like the OS OR Virtual Machine Monitor (VMM) use the virtual memory system for storing program instructions and data in memory. The virtual memory system uses Paging structures like Page Tables and Page Directories to manage system memory. The processor's Memory Management Unit (MMU) uses Paging structure entries to translate a program's virtual memory addresses to physical memory addresses. The processor stores these address translations into its local cache buffer, called the Translation Lookaside Buffer (TLB). TLB has two parts, one for instructions and the other for data addresses. System software can modify its Paging structure entries to change address mappings or certain attributes like page size, etc. Upon such Paging structure alterations in memory, system software must invalidate the corresponding address translations in the processor's TLB cache. Before this TLB invalidation takes place, however, a privileged guest user could trigger an instruction fetch operation, which could use an already cached, but now invalid, virtual to physical address translation from Instruction TLB (ITLB). This would access an invalid physical memory address, resulting in halting the processor due to the MCE on Page Size Change. (CVE-2018-12207) * A flaw was found in the way sudo implemented running commands with an arbitrary user ID. If a sudoers entry is written to allow users to run a command as any user except root, this flaw can be used by an attacker to bypass that restriction. (CVE-2019-14287) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: See the following documentation, which will be updated shortly for release 4.2.5, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-rel ease-notes.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1646768 - CVE-2018-12207 hw: Machine Check Error on Page Size Change (IFU) 1760531 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword 5. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXdQQ0dzjgjWX9erEAQiSVBAAgyjN3wQzGmJCCVUz0BVvDv4vmz9jAFF9 XEnsyd7r9n4pR0PTjHmfqYE/oAd2Eq3P75tpw7Mht3K7q2GfM57s02ESpDFCeUu5 RD6jybxjApl7e4d1aqO4T6otPCgx0UqiksCjg71r2v6mLQRd/BLgR7jCLuYCscM2 WVQCZcpRvkosCauevd/BPysFPGwTa/Q3XpweDIZQ0o0ndpazO/8t5VfJ+1OqtbdG Zfda1n/TEjtTK93FO5AfjWbpWQCtTOzFrpwQoFTh1bLxbyCSZUw+z7w5DGRiEb71 eIZkgO+65YRwCswrqmHtiTsHUuskNg9+0dc7ot+XdJniU6TOGSPKGxdLimN3KscP HWKOhDqcrHAjY1hj1MN5JMQc7CZQtB5P+Xo35Of7onqK7ZJWPZW1YpNZZmVUxxSr /paAbSP0gH7VLyd8sM+VL5ZbTtA1UtH8PjZPuiRkH+ozzgLMQIA1hCSESgE0LWCV rwZdx9SQuAQSCVSJxiDYe8kfdTTZRk5bCr3AKihR06hgGk1bnLvsF3L4Qu06QgF1 eDfhcQCDLjweyXTww62vMqXlJG/xwX9VLe5e4Q9V6iEI1oy1bGTe8q1/AtiwizLI x9pORf4Q2I2k6q3OuMC3TJHo7m1IYVpxIpEpck857KQJJwO4jOGmvhRQQetNU14J U/4/cD7341k= =a3Pa -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Relevant releases/architectures: RHEL 7-based RHEV-H for RHEV 4 (build requirements) - noarch, x86_64 RHEL 7-based RHEV-H for RHEV 4.2 (build requirements) - noarch, x86_64 Red Hat Virtualization 4 Hypervisor for RHEL 7 - noarch Red Hat Virtualization 4.2 Hypervisor for RHEL 7.6 EUS - noarch, x86_64 3. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/2974891 5. Package List: Red Hat Virtualization 4.2 Hypervisor for RHEL 7.6 EUS: Source: redhat-release-virtualization-host-4.2-16.1.el7.src.rpm redhat-virtualization-host-4.2-20191107.0.el7_6.src.rpm noarch: redhat-virtualization-host-image-update-4.2-20191107.0.el7_6.noarch.rpm redhat-virtualization-host-image-update-placeholder-4.2-16.1.el7.noarch.rpm x86_64: redhat-release-virtualization-host-4.2-16.1.el7.x86_64.rpm redhat-release-virtualization-host-content-4.2-16.1.el7.x86_64.rpm RHEL 7-based RHEV-H for RHEV 4.2 (build requirements): Source: redhat-release-virtualization-host-4.2-16.1.el7.src.rpm noarch: redhat-virtualization-host-image-update-placeholder-4.2-16.1.el7.noarch.rpm x86_64: redhat-release-virtualization-host-4.2-16.1.el7.x86_64.rpm Red Hat Virtualization 4 Hypervisor for RHEL 7: Source: redhat-virtualization-host-4.3.6-20191108.0.el7_7.src.rpm noarch: redhat-virtualization-host-image-update-4.3.6-20191108.0.el7_7.noarch.rpm RHEL 7-based RHEV-H for RHEV 4 (build requirements): Source: redhat-release-virtualization-host-4.3.6-5.el7ev.src.rpm redhat-virtualization-host-4.3.6-20191108.0.el7_7.src.rpm noarch: redhat-virtualization-host-image-update-4.3.6-20191108.0.el7_7.noarch.rpm redhat-virtualization-host-image-update-placeholder-4.3.6-5.el7ev.noarch.rpm x86_64: redhat-release-virtualization-host-4.3.6-5.el7ev.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, the update introduced a regression that broke KVM guests where extended page tables (EPT) are disabled or not supported. This update addresses both issues. We apologize for the inconvenience. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================FreeBSD-SA-19:25.mcepsc Security Advisory The FreeBSD Project Topic: Machine Check Exception on Page Size Change Category: core Module: kernel Announced: 2019-11-12 Credits: Intel Affects: All supported versions of FreeBSD. Corrected: 2019-11-12 18:03:26 UTC (stable/12, 12.1-STABLE) 2019-11-12 18:13:04 UTC (releng/12.1, 12.1-RELEASE-p1) 2019-11-12 18:13:04 UTC (releng/12.0, 12.0-RELEASE-p12) 2019-11-12 18:04:28 UTC (stable/11, 11.3-STABLE) 2019-11-12 18:13:04 UTC (releng/11.3, 11.3-RELEASE-p5) CVE Name: CVE-2018-12207 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. Background The Intel machine check architecture is a mechanism to detect and report hardware errors, such as system bus errors, ECC errors, parity errors, and others. This allows the processor to signal the detection of a machine check error to the operating system. II. Problem Description Intel discovered a previously published erratum on some Intel platforms can be exploited by malicious software to potentially cause a denial of service by triggering a machine check that will crash or hang the system. III. IV. Workaround No workaround is available. Systems not running untrusted guest virtual machines are not impacted. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 12.1] # fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.1.patch # fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.1.patch.asc # gpg --verify mcepsc.12.1.patch.asc [FreeBSD 12.0] # fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.0.patch # fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.0.patch.asc # gpg --verify mcepsc.12.0.patch.asc [FreeBSD 11.3] # fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.11.patch # fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.11.patch.asc # gpg --verify mcepsc.11.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r354650 releng/12.1/ r354653 releng/12.0/ r354653 stable/11/ r354651 releng/11.3/ r354653 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. 6.5) - x86_64 3

AFFECTED PRODUCTS