CVE-2019-11191
https://notcve.org/view.php?id=CVE-2019-11191
The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout is loaded, allows local users to bypass ASLR on setuid a.out programs (if any exist) because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. NOTE: the software maintainer disputes that this is a vulnerability because ASLR for a.out format executables has never been supported ** EN DISPUTA ** En el kernel de Linux hasta de la versión 5.0.7, cuando CONFIG_IA32_AOUT está habilitado y ia32_aout está cargado, permite a los usuarios locales omitir ASLR en programas setuid a.out (si existe) porque install_exec_creds() es llamado demasiado tarde en load_aout_binary() en fs/binfmt_aout .c, y por lo tanto la comprobación ptrace_may_access() tiene una condición de carrera cuando se lee /proc/pid/stat. NOTA: el mantenedor de software discute que se trate de una vulnerabilidad porque ASLR para un archivo ejecutable de formato nunca fue compatible. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00039.html http://www.openwall.com/lists/oss-security/2019/04/18/5 http://www.openwall.com/lists/oss-security/2019/05/22/7 http://www.securityfocus.com/bid/107887 https://usn.ubuntu.com/4006-1 https://usn.ubuntu.com/4006-2 https://usn.ubuntu.com/4007-1 https://usn.ubuntu.com/4007-2 https://usn.ubuntu.com/4008-1 https://usn.ubuntu.com/4008-3 https://www.openwall.com/lists/oss- • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2019-11190 – kernel: ASLR bypass for setuid binaries due to late install_exec_creds()
https://notcve.org/view.php?id=CVE-2019-11190
The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. El kernel de Linux anterior a la versión 4.8 permite a los usuarios locales eludir ASLR en programas setuid (como /bin/su) porque install_exec_creds() es llamado demasiado tarde en load_elf_binary() en fs/binfmt_elf.c, y por lo tanto la comprobación ptrace_may_access() tiene una condición de carrera al leer /proc/pid/stat. A flaw in the load_elf_binary() function in the Linux kernel allows a local attacker to leak the base address of .text and stack sections for setuid binaries and bypass ASLR because install_exec_creds() is called too late in this function. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00039.html http://www.openwall.com/lists/oss-security/2019/04/15/1 http://www.securityfocus.com/bid/107890 https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/?id=a5b5352558f6808db0589644ea5401b3e3148a0d https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/?id=e1676b55d874a43646e8b2c46d87f2f3e45516ff https://lists.debian.org/debian-lts-announce/2019/05/msg00041.html https://lists • CWE-250: Execution with Unnecessary Privileges CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2019-3459 – kernel: Heap address information leak while using L2CAP_GET_CONF_OPT
https://notcve.org/view.php?id=CVE-2019-3459
A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before 5.1-rc1. Se descubrió una fuga de información de direcciones en memoria dinámica mientras se usaba L2CAP_GET_CONF_OPT en el kernel de Linux anterior a 5.1-rc1. A flaw was found in the Linux kernel's implementation of Logical Link Control and Adaptation Protocol (L2CAP), part of the Bluetooth stack. An attacker, within the range of standard Bluetooth transmissions, can create and send a specially crafted packet. The response to this specially crafted packet can contain part of the kernel stack which can be used in a further attack. • http://www.openwall.com/lists/oss-security/2019/06/27/2 http://www.openwall.com/lists/oss-security/2019/06/27/7 http://www.openwall.com/lists/oss-security/2019/06/28/1 http://www.openwall.com/lists/oss-security/2019/06/28/2 http://www.openwall.com/lists/oss-security/2019/08/12/1 https://access.redhat.com/errata/RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:3309 https://access.redhat. • CWE-125: Out-of-bounds Read CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2019-3460 – kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP
https://notcve.org/view.php?id=CVE-2019-3460
A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel before 5.1-rc1. Se ha descubierto una fuga de información en múltiples ubicaciones en memoria dinámica, incluyendo L2CAP_GET_CONF_OPT en el kernel de Linux anterior a 5.1-rc1. A flaw was found in the Linux kernel's implementation of logical link control and adaptation protocol (L2CAP), part of the Bluetooth stack in the l2cap_parse_conf_rsp and l2cap_parse_conf_req functions. An attacker with physical access within the range of standard Bluetooth transmission can create a specially crafted packet. The response to this specially crafted packet can contain part of the kernel stack which can be used in a further attack. • http://www.openwall.com/lists/oss-security/2019/06/27/2 http://www.openwall.com/lists/oss-security/2019/06/27/7 http://www.openwall.com/lists/oss-security/2019/06/28/1 http://www.openwall.com/lists/oss-security/2019/06/28/2 http://www.openwall.com/lists/oss-security/2019/08/12/1 https://access.redhat.com/errata/RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:3309 https://access.redhat. • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2019-3874 – kernel: SCTP socket buffer memory leak leading to denial of service
https://notcve.org/view.php?id=CVE-2019-3874
The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are believed to be vulnerable. El búfer del socket SCTP utilizado por una aplicación de espacio de usuario no es tenido en cuenta por el subsistema de cgroups. Un atacante podría explotar este error para lanzar un ataque de denegación de servicio. • https://access.redhat.com/errata/RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3517 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3874 https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html https://security.netapp.com/advisory/ntap-20190411-0003 https://usn.ubuntu.com/3979-1 https://usn.ubuntu.com/3980-1 https://usn.ubuntu.com/3980-2 https://usn.ubuntu.com/3981-1 https://usn.ubuntu.com/3981-2 https://usn.ubuntu.com/398 • CWE-400: Uncontrolled Resource Consumption •