ID

VAR-202006-0241

CVE

CVE-2020-0543

TITLE

Multiple Intel Product Information Disclosure Vulnerability

DESCRIPTION

Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. Intel 06_3DH and Intel 06_9EH are both a central processing unit (CPU) product of Intel Corporation of the United States. Security vulnerabilities exist in several Intel products. The following products and versions are affected: Intel Celeron 1000M; Celeron 1005M; Celeron 1007U; Celeron 1019Y; Celeron 1020m, etc. (CVE-2020-12654). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4698-1 security@debian.org https://www.debian.org/security/ Ben Hutchings June 09, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : linux CVE ID : CVE-2019-2182 CVE-2019-5108 CVE-2019-19319 CVE-2019-19462 CVE-2019-19768 CVE-2019-20806 CVE-2019-20811 CVE-2020-0543 CVE-2020-2732 CVE-2020-8428 CVE-2020-8647 CVE-2020-8648 CVE-2020-8649 CVE-2020-9383 CVE-2020-10711 CVE-2020-10732 CVE-2020-10751 CVE-2020-10757 CVE-2020-10942 CVE-2020-11494 CVE-2020-11565 CVE-2020-11608 CVE-2020-11609 CVE-2020-11668 CVE-2020-12114 CVE-2020-12464 CVE-2020-12652 CVE-2020-12653 CVE-2020-12654 CVE-2020-12770 CVE-2020-13143 Debian Bug : 952660 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2019-2182 Hanjun Guo and Lei Li reported a race condition in the arm64 virtual memory management code, which could lead to an information disclosure, denial of service (crash), or possibly privilege escalation. CVE-2019-5108 Mitchell Frank of Cisco discovered that when the IEEE 802.11 (WiFi) stack was used in AP mode with roaming, it would trigger roaming for a newly associated station before the station was authenticated. An attacker within range of the AP could use this to cause a denial of service, either by filling up a switching table or by redirecting traffic away from other stations. CVE-2019-19319 Jungyeon discovered that a crafted filesystem can cause the ext4 implementation to deallocate or reallocate journal blocks. A user permitted to mount filesystems could use this to cause a denial of service (crash), or possibly for privilege escalation. CVE-2019-19462 The syzbot tool found a missing error check in the 'relay' library used to implement various files under debugfs. A local user permitted to access debugfs could use this to cause a denial of service (crash) or possibly for privilege escalation. CVE-2019-19768 Tristan Madani reported a race condition in the blktrace debug facility that could result in a use-after-free. A local user able to trigger removal of block devices could possibly use this to cause a denial of service (crash) or for privilege escalation. CVE-2019-20806 A potential null pointer dereference was discovered in the tw5864 media driver. The security impact of this is unclear. CVE-2019-20811 The Hulk Robot tool found a reference-counting bug in an error path in the network subsystem. The security impact of this is unclear. CVE-2020-0543 Researchers at VU Amsterdam discovered that on some Intel CPUs supporting the RDRAND and RDSEED instructions, part of a random value generated by these instructions may be used in a later speculative execution on any core of the same physical CPU. Depending on how these instructions are used by applications, a local user or VM guest could use this to obtain sensitive information such as cryptographic keys from other users or VMs. This vulnerability can be mitigated by a microcode update, either as part of system firmware (BIOS) or through the intel-microcode package in Debian's non-free archive section. This kernel update only provides reporting of the vulnerability and the option to disable the mitigation if it is not needed. CVE-2020-2732 Paulo Bonzini discovered that the KVM implementation for Intel processors did not properly handle instruction emulation for L2 guests when nested virtualization is enabled. This could allow an L2 guest to cause privilege escalation, denial of service, or information leaks in the L1 guest. CVE-2020-8428 Al Viro discovered a potential use-after-free in the filesystem core (vfs). A local user could exploit this to cause a denial of service (crash) or possibly to obtain sensitive information from the kernel. CVE-2020-8647, CVE-2020-8649 The Hulk Robot tool found a potential MMIO out-of-bounds access in the vgacon driver. A local user permitted to access a virtual terminal (/dev/tty1 etc.) on a system using the vgacon driver could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-8648 The syzbot tool found a race condition in the the virtual terminal driver, which could result in a use-after-free. A local user permitted to access a virtual terminal could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-9383 Jordy Zomer reported an incorrect range check in the floppy driver which could lead to a static out-of-bounds access. A local user permitted to access a floppy drive could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-10711 Matthew Sheets reported NULL pointer dereference issues in the SELinux subsystem while receiving CIPSO packet with null category. A remote attacker can take advantage of this flaw to cause a denial of service (crash). Note that this issue does not affect the binary packages distributed in Debian as CONFIG_NETLABEL is not enabled. CVE-2020-10732 An information leak of kernel private memory to userspace was found in the kernel's implementation of core dumping userspace processes. CVE-2020-10751 Dmitry Vyukov reported that the SELinux subsystem did not properly handle validating multiple messages, which could allow a privileged attacker to bypass SELinux netlink restrictions. CVE-2020-10757 Fan Yang reported a flaw in the way mremap handled DAX hugepages, allowing a local user to escalate their privileges CVE-2020-10942 It was discovered that the vhost_net driver did not properly validate the type of sockets set as back-ends. A local user permitted to access /dev/vhost-net could use this to cause a stack corruption via crafted system calls, resulting in denial of service (crash) or possibly privilege escalation. CVE-2020-11494 It was discovered that the slcan (serial line CAN) network driver did not fully initialise CAN headers for received packets, resulting in an information leak from the kernel to user-space or over the CAN network. CVE-2020-11565 Entropy Moe reported that the shared memory filesystem (tmpfs) did not correctly handle an "mpol" mount option specifying an empty node list, leading to a stack-based out-of-bounds write. If user namespaces are enabled, a local user could use this to cause a denial of service (crash) or possibly for privilege escalation. CVE-2020-11608, CVE-2020-11609, CVE-2020-11668 It was discovered that the ov519, stv06xx, and xirlink_cit media drivers did not properly validate USB device descriptors. A physically present user with a specially constructed USB device could use this to cause a denial-of-service (crash) or possibly for privilege escalation. CVE-2020-12114 Piotr Krysiuk discovered a race condition between the umount and pivot_root operations in the filesystem core (vfs). A local user with the CAP_SYS_ADMIN capability in any user namespace could use this to cause a denial of service (crash). CVE-2020-12464 Kyungtae Kim reported a race condition in the USB core that can result in a use-after-free. It is not clear how this can be exploited, but it could result in a denial of service (crash or memory corruption) or privilege escalation. CVE-2020-12652 Tom Hatskevich reported a bug in the mptfusion storage drivers. An ioctl handler fetched a parameter from user memory twice, creating a race condition which could result in incorrect locking of internal data structures. A local user permitted to access /dev/mptctl could use this to cause a denial of service (crash or memory corruption) or for privilege escalation. CVE-2020-12653 It was discovered that the mwifiex WiFi driver did not sufficiently validate scan requests, resulting a potential heap buffer overflow. A local user with CAP_NET_ADMIN capability could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-12654 It was discovered that the mwifiex WiFi driver did not sufficiently validate WMM parameters received from an access point (AP), resulting a potential heap buffer overflow. A malicious AP could use this to cause a denial of service (crash or memory corruption) or possibly to execute code on a vulnerable system. CVE-2020-12770 It was discovered that the sg (SCSI generic) driver did not correctly release internal resources in a particular error case. A local user permitted to access an sg device could possibly use this to cause a denial of service (resource exhaustion). CVE-2020-13143 Kyungtae Kim reported a potential heap out-of-bounds write in the USB gadget subsystem. A local user permitted to write to the gadget configuration filesystem could use this to cause a denial of service (crash or memory corruption) or potentially for privilege escalation. For the oldstable distribution (stretch), these problems have been fixed in version 4.9.210-1+deb9u1. This version also fixes some related bugs that do not have their own CVE IDs, and a regression in the macvlan driver introduced in the previous point release (bug #952660). We recommend that you upgrade your linux packages. For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl7f5blfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0Sh5RAAmfLUcD69AFSfY6hVPLCvTHS0gVYHUk57NSP7vHaUqQPWXMv4lV6pJ1sp I6sB7tuDW8MWERVy9lBuZrLhnhlhAfqhzkJ+F/yh6ze703QCf1mMoHBAI44yXGtB fZDV2vxreXpJ4LfoBfGP2+yFiJXBBCRASgyNEtiBoHYG0yt1gfqXP5OjlaRJ5p1I yElJ5Uj0MkclVj3nbupUmPs7V/2o4tPavOgTyLplTHTDfOMkK1Z86M0fUfh7fS97 ffwJutFObQuxrkO/2vtzTvaXPnqHh5DUIEQzq5xKhK10+GUlkppqHvId1c//0krF Wd1gZc2RXLkREQShh21BUaI2XxRTcOw7f6Nmz2QnwN/Q/dXGeWeCjPUGslna3BQs d/pToA0OpbFNxkNKsbg+ovzMrB9C9aP03aDpSztbf/ZLReR+yOf74s9ypdeadGLC qKmHcFRWP25ct/ZOxNnTquEwd2NT6qDc9Iu6VNdXb2ndRz1zFU/OZlZ3oEPkrCIp FxJ+j8jpMFJsluE09UjAxH4AhyNAPjPcCr3M+fkgG+WPgzxSHdKComDN06O53iVi kWbN/AQPXiLlWHuKpCWbS87dZUyT1K1Wf+7mJbsAUfrrd+1mgWSHTRw1QNii74CR bD91B+70LVu2UCKKxtnOIJ3+iUiUwBNPYw70B0cc3vZTv9O7q7k= =WzfN -----END PGP SIGNATURE----- . The microcode update for HEDT and Xeon CPUs with signature 0x50654 which was reverted in DSA 4565-2 is now included again with a fixed release. The upstream update for Skylake-U/Y (signature 0x406e3) had to be excluded from this update due to reported hangs on boot. CVE-2019-3016 It was discovered that the KVM implementation for x86 did not always perform TLB flushes when needed, if the paravirtualised TLB flush feature was enabled. CVE-2020-12768 A bug was discovered in the KVM implementation for AMD processors, which could result in a memory leak. Description: The microcode_ctl packages provide microcode updates for Intel. Summary: An update for microcode_ctl is now available for Red Hat enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux BaseOS EUS (v. 8.1) - x86_64 3. Description: Security Fix(es): * hw: Special Register Buffer Data Sampling (SRBDS) (CVE-2020-0543) * hw: L1D Cache Eviction Sampling (CVE-2020-0549) * hw: Vector Register Data Sampling (CVE-2020-0548) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Update Intel CPU microcode to microcode-20200609 release: - Update of 06-2d-06/0x6d (SNB-E/EN/EP C1/M0) microcode from revision 0x61f up to 0x621; - Update of 06-2d-07/0x6d (SNB-E/EN/EP C2/M1) microcode from revision 0x718 up to 0x71a; - Update of 06-3c-03/0x32 (HSW C0) microcode from revision 0x27 up to 0x28; - Update of 06-3d-04/0xc0 (BDW-U/Y E0/F0) microcode from revision 0x2e up to 0x2f; - Update of 06-45-01/0x72 (HSW-U C0/D0) microcode from revision 0x25 up to 0x26; - Update of 06-46-01/0x32 (HSW-H C0) microcode from revision 0x1b up to 0x1c; - Update of 06-47-01/0x22 (BDW-H/Xeon E3 E0/G0) microcode from revision 0x21 up to 0x22; - Update of 06-4e-03/0xc0 (SKL-U/Y D0) microcode from revision 0xd6 up to 0xdc; - Update of 06-55-03/0x97 (SKX-SP B1) microcode from revision 0x1000151 up to 0x1000157; - Update of 06-55-04/0xb7 (SKX-SP H0/M0/U0, SKX-D M1) microcode (in intel-06-55-04/intel-ucode/06-55-04) from revision 0x2000065 up to 0x2006906; - Update of 06-55-06/0xbf (CLX-SP B0) microcode from revision 0x400002c up to 0x4002f01; - Update of 06-55-07/0xbf (CLX-SP B1) microcode from revision 0x500002c up to 0x5002f01; - Update of 06-5e-03/0x36 (SKL-H/S R0/N0) microcode from revision 0xd6 up to 0xdc; - Update of 06-7e-05/0x80 (ICL-U/Y D1) microcode from revision 0x46 up to 0x78; - Update of 06-8e-09/0x10 (AML-Y22 H0) microcode from revision 0xca up to 0xd6; - Update of 06-8e-09/0xc0 (KBL-U/Y H0) microcode from revision 0xca up to 0xd6; - Update of 06-8e-0a/0xc0 (CFL-U43e D0) microcode from revision 0xca up to 0xd6; - Update of 06-8e-0b/0xd0 (WHL-U W0) microcode from revision 0xca up to 0xd6; - Update of 06-8e-0c/0x94 (AML-Y42 V0, CML-Y42 V0, WHL-U V0) microcode from revision 0xca up to 0xd6; - Update of 06-9e-09/0x2a (KBL-G/H/S/X/Xeon E3 B0) microcode from revision 0xca up to 0xd6; - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E3 U0) microcode from revision 0xca up to 0xd6; - Update of 06-9e-0b/0x02 (CFL-S B0) microcode from revision 0xca up to 0xd6; - Update of 06-9e-0c/0x22 (CFL-H/S P0) microcode from revision 0xca up to 0xd6; - Update of 06-9e-0d/0x22 (CFL-H R0) microcode from revision 0xca up to 0xd6. * Do not update 06-4e-03 (SKL-U/Y) and 06-5e-03 (SKL-H/S/Xeon E3 v5) to revision 0xdc, use 0xd6 by default. * Enable 06-2d-07 (SNB-E/EN/EP) caveat by default. * Enable 06-55-04 (SKL-SP/X/W) caveat by default. * Avoid find being SIGPIPE'd on early "grep -q" exit in the dracut script. * Re-generate initramfs not only for the currently running kernel, but for several recently installed kernels as well. * Change the URL to point to the GitHub repository since the microcode download. section at Intel Download Center does not exist anymore. * Avoid temporary file creation, used for here-documents in check_caveats. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1788786 - CVE-2020-0548 hw: Vector Register Data Sampling 1788788 - CVE-2020-0549 hw: L1D Cache Eviction Sampling 1827165 - CVE-2020-0543 hw: Special Register Buffer Data Sampling (SRBDS) 1848439 - [rhel-8.1.0] skylake (06-4e-03) microcode update hangs 1848502 - [rhel-8.1.0] Package microcode-20200609 release 6. Package List: Red Hat Enterprise Linux BaseOS EUS (v. 8.1): Source: microcode_ctl-20190618-1.20200609.1.el8_1.src.rpm x86_64: microcode_ctl-20190618-1.20200609.1.el8_1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-0543 https://access.redhat.com/security/cve/CVE-2020-0548 https://access.redhat.com/security/cve/CVE-2020-0549 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/solutions/5142691 https://access.redhat.com/solutions/l1d-cache-eviction-and-vector-register-sampling 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXvH/7tzjgjWX9erEAQgL9g//anwIq/uMxJEiNQDX851j9dzE7f1pyOAL dDCQG9WHU7RJmO0aZkR+KTJ5fa5pHx8oqQLp+tyXOcvpJhn/2aukr4Hv3NT59cxi kVS97KHhLL79dBjpodNOryiqjbZ6FVXYzUPesExj/cwzYqwk3ctSENor3UnlnZVI H+5vsyo8hgufYJ35BCxFAJQPXR3vQFGcOLGQUpA/aOOWJVnkDSHFQF+xJGyIJOPX Yr6g/P2qKaZg6nvzDDbl0gwIuKzEf1oydqxD2pjOR/DDzxbkDIuDpshY1oJnZjE5 HS0SyNCc66QZq7kMvCDZM+Qc20eC5ZiXCpuBbpjVk20XuG9cpFR0zbDgT24ROpic TUQ/Hh84Cbjc9P3MzzyJrcyHlc6q/QTqJBBBHgVoe38DewRAeR6tAPJ2rrysu7zL KohPzgzmnH4xl9AM1zWQPNCwNumZe6HS7bzuF4by2Ul8GJqKX0+Hw+vqegw8QAoQ nQZHjF3OsfNpmHnwTVBCeTWFOrsu+eTa3QtYauIFdhgadfpuO7wkhbf6sicITXn7 0Z4e3ici8BbOVuzsYJyqI4FlSqwh4q5AZ469Co68JMtPkeZnqmExEHYS/xitKDb6 t6BbxR2k2KhbtonmWsIkqh9zx6zLLsADwJT8OTG3EnRdZIFez098m8D7vtDLdzff vxuyj6vUO9w= =U2Xs -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ========================================================================= Ubuntu Security Notice USN-4393-1 June 10, 2020 linux vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.04 ESM Summary: Several security issues were fixed in the Linux kernel. A physically proximate attacker controlling an access point could use this to construct messages that could possibly result in arbitrary code execution. (CVE-2020-12654) It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. (CVE-2020-0543) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.04 ESM: linux-image-3.2.0-147-generic 3.2.0-147.194 linux-image-3.2.0-147-generic-pae 3.2.0-147.194 linux-image-3.2.0-147-highbank 3.2.0-147.194 linux-image-3.2.0-147-powerpc-smp 3.2.0-147.194 linux-image-3.2.0-147-powerpc64-smp 3.2.0-147.194 linux-image-3.2.0-147-virtual 3.2.0-147.194 linux-image-generic 3.2.0.147.161 linux-image-generic-pae 3.2.0.147.161 linux-image-highbank 3.2.0.147.161 linux-image-powerpc 3.2.0.147.161 linux-image-powerpc-smp 3.2.0.147.161 linux-image-powerpc64-smp 3.2.0.147.161 linux-image-server 3.2.0.147.161 linux-image-virtual 3.2.0.147.161 Please note that the mitigation for CVE-2020-0543 requires a processor microcode update to be applied, either from your system manufacturer or via the intel-microcode package. After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well

AFFECTED PRODUCTS