VARIoT IoT vulnerabilities database
| VAR-201911-1177 | CVE-2019-2323 | plural Snapdragon Vulnerabilities related to the use of uninitialized resources in the product |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Lack of check to ensure crypto engine data passed by user is initialized can result in bus error in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24. plural Snapdragon The product contains a vulnerability related to the use of uninitialized resources.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MDM9206, etc. are all products of Qualcomm. MDM9206 is a central processing unit (CPU) product. Qualcomm MDM9150 is a central processing unit (CPU) product. SDX20 is a modem.
Input validation error vulnerability exists in HLOS in many Qualcomm products. The vulnerability stems from the fact that the network system or product did not correctly verify the input data. No detailed vulnerability details are currently available
| VAR-201909-0108 | CVE-2019-5065 | Blynk-Library Vulnerable to information disclosure |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
An exploitable information disclosure vulnerability exists in the packet-parsing functionality of Blynk-Library v0.6.1. A specially crafted packet can cause an unterminated strncpy, resulting in information disclosure. An attacker can send a packet to trigger this vulnerability. This vulnerability stems from configuration and other errors in the operation of the network system or product. An unauthorized attacker can use the vulnerability to obtain sensitive information about the affected components. Blynk is a set of Internet of Things platform of Blynk in the United States. Blynk-Library is a Blynk library for embedded hardware. The vulnerability stems from the fact that when the network system or product performs operations on the memory, the data boundary is not correctly verified, resulting in incorrect read and write operations to other associated memory locations. Attackers can use this vulnerability to cause buffer overflow or heap overflow
| VAR-201911-1698 | CVE-2019-10531 | plural Snapdragon Classic buffer overflow vulnerability in products |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Incorrect reading of system image resulting in buffer overflow when size of system image is increased in Snapdragon Auto, Snapdragon Mobile, Snapdragon Wearables in MDM9607, MSM8909W, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SDM439. plural Snapdragon The product contains a classic buffer overflow vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MDM9607 is a central processing unit (CPU) product of Qualcomm.
Input validation error vulnerability exists in HLOS in many Qualcomm products. The vulnerability stems from the fact that the network system or product did not correctly verify the input data. No detailed vulnerability details are currently available
| VAR-201911-0831 | CVE-2019-5226 | plural Huawei Vulnerability related to input confirmation in smartphones |
CVSS V2: 4.3 CVSS V3: 5.5 Severity: MEDIUM |
P30, P30 Pro, Mate 20 smartphones with software of versions earlier than ELLE-AL00B 9.1.0.193(C00E190R2P1), versions earlier than VOGUE-AL00A 9.1.0.193(C00E190R2P1), versions earlier than Hima-AL00B 9.1.0.135(C00E133R2P1) and HiSuite with versions earlier than HiSuite 9.1.0.305 have a version downgrade vulnerability. The device and HiSuite software do not validate the upgrade package sufficiently, so that the system of smartphone can be downgraded to an older version. Huawei P30 and others are products of China Huawei. The Huawei P30 is a smart phone. The Huawei P30 Pro is a smartphone. Huawei HiSuite is a mobile assistant application for the PC. There are security vulnerabilities in various Huawei products
| VAR-201911-1699 | CVE-2019-10533 | plural Snapdragon Vulnerability related to array index verification in products |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Out of bound access due to improper validation of array index cause the index table entry to get corrupt in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9206, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20. plural Snapdragon The product contains a vulnerability related to array index validation.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MDM9607, etc. are all products of Qualcomm. MDM9607 is a central processing unit (CPU) product. Qualcomm MDM9206 is a central processing unit (CPU) product. SDX20 is a modem.
Input validation error vulnerabilities exist in many Qualcomm products. The vulnerability stems from the fact that the network system or product did not correctly verify the input data. No detailed vulnerability details are currently available
| VAR-201911-1186 | CVE-2019-2324 | plural Snapdragon Product buffer error vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
When ADSP is compromised, the audio port index that`s returned from ADSP might be out of the valid range and leads to out of boundary access in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9615, MDM9640, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 845 / SD 850, SD 855, SDX20, SDX24. plural Snapdragon The product contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MDM9206, etc. are all products of Qualcomm. MDM9206 is a central processing unit (CPU) product. Qualcomm MDM9150 is a central processing unit (CPU) product. SDX20 is a modem.
There are input validation error vulnerabilities in Audio in many Qualcomm products. The vulnerability stems from the fact that the network system or product did not correctly verify the input data. No detailed vulnerability details are currently available
| VAR-201911-1185 | CVE-2019-2331 | plural Snapdragon Product integer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Possible Integer overflow because of subtracting two integers without checking if the result would overflow or not in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9615, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24. plural Snapdragon The product contains an integer overflow vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MDM9206, etc. are all products of Qualcomm. MDM9206 is a central processing unit (CPU) product. Qualcomm MDM9150 is a central processing unit (CPU) product. SDX20 is a modem.
There are input validation error vulnerabilities in Audio in many Qualcomm products. The vulnerability stems from the fact that the network system or product did not correctly verify the input data. No detailed vulnerability details are currently available
| VAR-201911-1425 | CVE-2019-2249 | plural Snapdragon Product out-of-bounds vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Kernel can do a memory read from arbitrary address passed by user during execution of a syscall in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in IPQ8074, MDM9205, MDM9650, QCA8081, QCS605, SD 427, SD 435, SD 450, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, SDX20, Snapdragon_High_Med_2016, SXR1130. plural Snapdragon The product contains an out-of-bounds vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MDM9650 is a central processing unit (CPU) product of Qualcomm.
The Kernel in many Qualcomm products has an input validation error vulnerability. The vulnerability stems from the fact that the network system or product did not correctly verify the input data. No detailed vulnerability details are currently available
| VAR-201911-1434 | CVE-2019-2283 | plural Snapdragon Product buffer error vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Improper validation of read and write index of tx and rx fifo`s before calculating pointer can lead to out-of-bound access in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24. plural Snapdragon The product contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MDM9206, etc. are all products of Qualcomm. MDM9206 is a central processing unit (CPU) product. Qualcomm MDM9150 is a central processing unit (CPU) product. SDX20 is a modem.
Many Qualcomm products have input validation error vulnerabilities, and no detailed vulnerability details are currently available
| VAR-201911-1076 | CVE-2019-2246 | plural Snapdragon Product buffer error vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
Thread start can cause invalid memory writes to arbitrary memory location since the argument is passed by user to kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in MDM9205, MDM9640, MSM8996AU, QCA6574, QCS605, Qualcomm 215, SD 425, SD 427, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX24, Snapdragon_High_Med_2016, SXR1130. plural Snapdragon The product contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MDM9640 is a central processing unit (CPU) product of Qualcomm.
The Kernel in many Qualcomm products has an input validation error vulnerability. The vulnerability stems from the fact that the network system or product did not correctly verify the input data. No detailed vulnerability details are currently available
| VAR-201911-1430 | CVE-2019-2275 | plural Snapdragon Vulnerability related to input validation in products |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
While deserializing any key blob during key operations, buffer overflow could occur exposing partial key information if any key operations are invoked(Depends on CVE-2018-13907) in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS404, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130. plural Snapdragon The product contains an input validation vulnerability.Information may be obtained. Qualcomm MDM9206 is a central processing unit (CPU) product of Qualcomm.
Many Qualcomm products have input validation error vulnerabilities, which can be exploited by attackers to cause buffer overflows or heap overflows
| VAR-201911-0832 | CVE-2019-5227 | plural Huawei Vulnerability related to input confirmation in smartphones |
CVSS V2: 4.3 CVSS V3: 5.5 Severity: MEDIUM |
P30, P30 Pro, Mate 20 smartphones with software of versions earlier than ELLE-AL00B 9.1.0.193(C00E190R2P1), versions earlier than VOGUE-AL00A 9.1.0.193(C00E190R2P1), versions earlier than Hima-AL00B 9.1.0.135(C00E133R2P1) and HiSuite with versions earlier than HiSuite 9.1.0.305 have a version downgrade vulnerability. The device and HiSuite software do not validate the upgrade package sufficiently, so that the system of smartphone can be downgraded to an older version. Huawei P30 and others are products of China Huawei. The Huawei P30 is a smart phone. The Huawei P30 Pro is a smartphone. Huawei HiSuite is a mobile assistant application for the PC.
There are security vulnerabilities in various Huawei products
| VAR-201909-1459 | CVE-2019-10508 | plural Snapdragon Classic buffer overflow vulnerability in products |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Lack of input validation for data received from user space can lead to OOB access in WLAN in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, SD 210/SD 212/SD 205, SD 425, SD 430, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 650/52, SD 820A, SDX20. plural Snapdragon The product contains a classic buffer overflow vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MDM9206 and others are products of Qualcomm (Qualcomm). MDM9206 is a central processing unit (CPU) product. MDM9607 is a central processing unit (CPU) product. SDX20 is a modem. A buffer error vulnerability exists in WLAN in several Qualcomm products. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. The following products and versions are affected: Qualcomm MDM9150; MDM9206; MDM9607; MDM9640; MDM9650; MSM8909W; MSM8996AU; QCA6174A; /16; SD 415; SD 625; SD 632; SD 650/52; SD 820A; SDX20
| VAR-201909-1049 | CVE-2019-15902 | Linux Kernel Buffer error vulnerability |
CVSS V2: 4.7 CVSS V3: 5.6 Severity: MEDIUM |
A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream "x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()" commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped. Linux Kernel Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This vulnerability stems from configuration errors in network systems or products during operation. The following products and versions are affected: Linux kernel 4.4.x to 4.4.190, 4.9.x to 4.9.190, 4.14.x to 4.14.141, 4.19.x to 4.19.69, 5.2 .x versions up to 5.2.11. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4531-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 25, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : linux
CVE ID : CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118
CVE-2019-15902
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
CVE-2019-14821
Matt Delco reported a race condition in KVM's coalesced MMIO
facility, which could lead to out-of-bounds access in the kernel.
CVE-2019-14835
Peter Pi of Tencent Blade Team discovered a missing bounds check
in vhost_net, the network back-end driver for KVM hosts, leading
to a buffer overflow when the host begins live migration of a VM. On the amd64 architecture, and on the
arm64 architecture in buster, this is mitigated by a guard page
on the kernel stack, so that it is only possible to cause a crash.
CVE-2019-15902
Brad Spengler reported that a backporting error reintroduced a
spectre-v1 vulnerability in the ptrace subsystem in the
ptrace_get_debugreg() function.
For the oldstable distribution (stretch), these problems have been fixed
in version 4.9.189-3+deb9u1.
For the stable distribution (buster), these problems have been fixed in
version 4.19.67-2+deb10u1.
We recommend that you upgrade your linux packages.
For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl2K5xlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Sj8xAAnBGWzlmy5RyQe8VCE3kkMpwmH/00I5IFpjTbAVvyHzKVYl96YbY1YuAP
ID++cBxBElWCQriwCESc5Um/BGpOMmTa3VlkXIVy6uHgwt1Hn+ZW/syFaGt0/brW
eKIecVQLyZaV7OOx4Q+J9H5WN1FNKoV3BCsfUFlRqNCUtYQ46X7pN+gyytW4KbZo
AEbPkEdUhv2Z6ndq8Z/OJ5cyYms+OonEt08e2qcN0Ig+qRY9l3fgSn/X3tKQiuJj
jGKPkd0VYrFzfDKekcboIBZyegahReRe4k+V8I+o/acuQJGR1cV/qCGxboFFI2+s
WeSUhaVixP+7HLXyRljFBdvXlAnx/IajEPG+RAVt6zZs1yK+8bVIhai5TarcwbF3
DWQZvpAeLaKgIN4x7s7xDHNJzO9Ea9fhXm/9T1AoaO3wdN2zjOYHLG3YO4TF0PpF
rYY9t17uNdAuCxPeQWCciDOiNQVbEmr3+al/78m2VZcBYEI2s1E9fgQJV21rRlv+
fEavwX9OJg6GKcW9v6cyegyf4gfTvjyzIP/rcmn55hiQ9vjVNykkoNUES5Do6sTb
/pSSRuUpJtEE+6LnnqbdD0E6l8SC6zgA/+Pu/7BrACxlk9bhYFmVaAwbPPEuRgrz
3d87MB8FEHu4RDGSgomb849wuAXnEVDwM034VtURUSEAXVFQ0dY=Wqdv
-----END PGP SIGNATURE-----
. =========================================================================
Ubuntu Security Notice USN-4163-2
October 23, 2019
linux-lts-xenial, linux-aws vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 ESM
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty
Details:
USN-4163-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 ESM.
It was discovered that a race condition existed in the ARC EMAC ethernet
driver for the Linux kernel, resulting in a use-after-free vulnerability.
An attacker could use this to cause a denial of service (system crash).
(CVE-2016-10906)
It was discovered that a race condition existed in the Serial Attached SCSI
(SAS) implementation in the Linux kernel when handling certain error
conditions. A local attacker could use this to cause a denial of service
(kernel deadlock). (CVE-2017-18232)
It was discovered that the RSI 91x Wi-Fi driver in the Linux kernel did not
did not handle detach operations correctly, leading to a use-after-free
vulnerability. A physically proximate attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-21008)
Wen Huang discovered that the Marvell Wi-Fi device driver in the Linux
kernel did not properly perform bounds checking, leading to a heap
overflow. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2019-14814,
CVE-2019-14816)
Matt Delco discovered that the KVM hypervisor implementation in the Linux
kernel did not properly perform bounds checking when handling coalesced
MMIO write operations. A local attacker with write access to /dev/kvm could
use this to cause a denial of service (system crash). (CVE-2019-14821)
Hui Peng and Mathias Payer discovered that the USB audio driver for the
Linux kernel did not properly validate device meta data. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2019-15117)
Hui Peng and Mathias Payer discovered that the USB audio driver for the
Linux kernel improperly performed recursion while handling device meta
data. A physically proximate attacker could use this to cause a denial of
service (system crash). A physically proximate attacker
could use this to cause a denial of service (system crash) or possibly
expose sensitive information. A local attacker
could possibly use this to expose sensitive information. (CVE-2019-15902)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 ESM:
linux-image-4.4.0-1056-aws 4.4.0-1056.60
linux-image-4.4.0-166-generic 4.4.0-166.195~14.04.1
linux-image-4.4.0-166-generic-lpae 4.4.0-166.195~14.04.1
linux-image-4.4.0-166-lowlatency 4.4.0-166.195~14.04.1
linux-image-4.4.0-166-powerpc-e500mc 4.4.0-166.195~14.04.1
linux-image-4.4.0-166-powerpc-smp 4.4.0-166.195~14.04.1
linux-image-4.4.0-166-powerpc64-emb 4.4.0-166.195~14.04.1
linux-image-4.4.0-166-powerpc64-smp 4.4.0-166.195~14.04.1
linux-image-aws 4.4.0.1056.57
linux-image-generic-lpae-lts-xenial 4.4.0.166.145
linux-image-generic-lts-xenial 4.4.0.166.145
linux-image-lowlatency-lts-xenial 4.4.0.166.145
linux-image-powerpc-e500mc-lts-xenial 4.4.0.166.145
linux-image-powerpc-smp-lts-xenial 4.4.0.166.145
linux-image-powerpc64-emb-lts-xenial 4.4.0.166.145
linux-image-powerpc64-smp-lts-xenial 4.4.0.166.145
linux-image-virtual-lts-xenial 4.4.0.166.145
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://usn.ubuntu.com/4163-2
https://usn.ubuntu.com/4163-1
CVE-2016-10906, CVE-2017-18232, CVE-2018-21008, CVE-2019-14814,
CVE-2019-14816, CVE-2019-14821, CVE-2019-15117, CVE-2019-15118,
CVE-2019-15505, CVE-2019-15902
. Please note that the RDS protocol is blacklisted in Ubuntu by
default
| VAR-201909-0658 | CVE-2019-1939 | Windows for Cisco Webex Teams Injection vulnerability in client |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
A vulnerability in the Cisco Webex Teams client for Windows could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected system. This vulnerability is due to improper restrictions on software logging features used by the application on Windows operating systems. An attacker could exploit this vulnerability by convincing a targeted user to visit a website designed to submit malicious input to the affected application. A successful exploit could allow the attacker to cause the application to modify files and execute arbitrary commands on the system with the privileges of the targeted user. Cisco Webex Teams is a team collaboration application of Cisco (Cisco). The program includes video conferencing, group messaging and file sharing capabilities
| VAR-201911-1704 | CVE-2019-10542 | plural Snapdragon Product out-of-bounds vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Buffer over-read may occur when downloading a corrupted firmware file that has chunk length in header which doesn`t match the contents in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in MDM9150, MDM9206, MDM9607, MDM9615, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 845 / SD 850, SDX20. plural Snapdragon The product contains an out-of-bounds vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state
| VAR-201911-1671 | CVE-2019-10496 | plural Snapdragon Classic buffer overflow vulnerability in products |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Lack of checking a variable received from driver and populating in Firmware data structure leads to buffer overflow in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130. plural Snapdragon The product contains a classic buffer overflow vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state
| VAR-201911-1668 | CVE-2019-10502 | plural Snapdragon Classic buffer overflow vulnerability in products |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Possible stack overflow when an index equal to io buffer size is accessed in camera module in Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MSM8909W, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 845 / SD 850, SD 855, SDM439, SDX24. plural Snapdragon The product contains a classic buffer overflow vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state
| VAR-201911-1654 | CVE-2019-10565 | plural Snapdragon Double release vulnerability in products |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Double free issue can happen when sensor power settings is freed by some thread while another thread try to access. in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8053, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909, MSM8909W, QCN7605, QCS405, QCS605, SDM845, SDX24, SXR1130. plural Snapdragon The product contains a double release vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This vulnerability allows local attackers to escalate privileges on affected installations of Google Android. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the v4l2 driver. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this to escalate privileges in the context of the kernel. Android is a set of Linux-based open source operating systems from Google (United States) and the Open Handset Alliance (OHA). Video4Linux2 (V4L2) is one of the kernel drivers used for video devices in Linux
| VAR-201909-0122 | CVE-2019-5478 | Zynq UltraScale+ Vulnerability related to input validation on devices |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
A weakness was found in Encrypt Only boot mode in Zynq UltraScale+ devices. This could lead to an adversary being able to modify the control fields of the boot image leading to an incorrect secure boot behavior. Zynq UltraScale+ The device contains an input validation vulnerability.Information may be tampered with