CVE-2019-10166 – libvirt: virDomainManagedSaveDefineXML API exposed to readonly clients
https://notcve.org/view.php?id=CVE-2019-10166
It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed. Se detectó que libvirtd, versiones 4.x.x anteriores a 4.10.1 y versiones 5.x.x anteriores a 5.4.1, permitiría a los clientes de solo lectura utilizar la API de la función virDomainManagedSaveDefineXML(), lo que les permitiría modificar archivos de estado managed save. Si un managed save ya ha sido creado por un usuario privilegiado, un atacante local podría modificar este archivo de manera que libvirtd ejecutaría un programa arbitrario cuando el dominio esté reanudado. It was discovered that libvirtd would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. • https://access.redhat.com/libvirt-privesc-vulnerabilities https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10166 https://security.gentoo.org/glsa/202003-18 https://access.redhat.com/security/cve/CVE-2019-10166 https://bugzilla.redhat.com/show_bug.cgi?id=1720114 • CWE-284: Improper Access Control •
CVE-2019-10167 – libvirt: arbitrary command execution via virConnectGetDomainCapabilities API
https://notcve.org/view.php?id=CVE-2019-10167
The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges. La API libvirt de la función virConnectGetDomainCapabilities(), versiones 4.x.x anteriores a 4.10.1 y versiones 5.x.x anteriores a 5.4.1, acepta un argumento "emulatorbin" para especificar el programa que proporciona emulación para un dominio. Desde versión v1.2.19, libvirt ejecutará ese programa para examinar las capacidades del dominio. • https://access.redhat.com/libvirt-privesc-vulnerabilities https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10167 https://security.gentoo.org/glsa/202003-18 https://access.redhat.com/security/cve/CVE-2019-10167 https://bugzilla.redhat.com/show_bug.cgi?id=1720117 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-250: Execution with Unnecessary Privileges CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVE-2019-3896 – kernel: Double free in lib/idr.c
https://notcve.org/view.php?id=CVE-2019-3896
A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS). Puede suceder una vulnerabilidad de doble liberación en la función idr_remove_all() en el archivo lib/idr.c en la sección del kernel de Linux versión 2.6. Un atacante local sin privilegios puede usar este defecto para una escalada de privilegios o para un bloqueo del sistema y una denegación de servicio (DoS). A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel. • http://www.securityfocus.com/bid/108814 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3896 https://security.netapp.com/advisory/ntap-20190710-0002 https://support.f5.com/csp/article/K04327111 https://access.redhat.com/security/cve/CVE-2019-3896 https://bugzilla.redhat.com/show_bug.cgi?id=1694812 • CWE-415: Double Free CWE-416: Use After Free •
CVE-2019-11477 – Integer overflow in TCP_SKB_CB(skb)->tcp_gso_segs
https://notcve.org/view.php?id=CVE-2019-11477
Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff. Jonathan Looney detectó que el valor TCP_SKB_CB(skb)-mayor que tcp_gso_segs estuvo sujeto a un desbordamiento de enteros en el kernel de Linux durante el manejo del Reconocimiento Selectivo (SACK) de TCP. Un atacante remoto podría usar esto para causar una denegación de servicio. • http://packetstormsecurity.com/files/153346/Kernel-Live-Patch-Security-Notice-LSN-0052-1.html http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-010.txt http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191225-01-kernel-en http://www.openwall.com/lists/oss-security/2019/06/20/3 http://www.openwall.com/lists/oss-security/2019/06/28/2 http://www.openwall.com/lists/oss • CWE-190: Integer Overflow or Wraparound CWE-400: Uncontrolled Resource Consumption •
CVE-2019-11478 – SACK can cause extensive memory use via fragmented resend queue
https://notcve.org/view.php?id=CVE-2019-11478
Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e. Jonathan Looney descubrió que la implementación de la cola de retransmisión de TCP en tcp_fragment en el kernel de Linux podría estar fragmentada cuando se manejan ciertas secuencias de Reconocimiento Selectivo (SACK) de TCP. Un atacante remoto podría usar esto para causar una denegación de servicio. • http://packetstormsecurity.com/files/153346/Kernel-Live-Patch-Security-Notice-LSN-0052-1.html http://packetstormsecurity.com/files/154408/Kernel-Live-Patch-Security-Notice-LSN-0055-1.html http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-010.txt http://www.openwall.com/lists/oss-security/2019/06/28/2 http://www.openwall.com/lists/oss-security/2019/07/06/3 http://www.openwall.com/lists& • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •