Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-2283)

Published: 2020-01-23 12:45:16
CVE Author: NIST National Vulnerability Database (NVD)

CVSS Base Vector:
AV:A/AC:L/Au:N/C:C/I:C/A:C

Summary:
The remote host is missing an update for the Huawei EulerOS 'kernel' Linux Distribution Package(s) announced via the EulerOS-SA-2019-2283 advisory.

Detection Method:
Checks if a vulnerable Linux Distribution Package version is present on the target host.

Technical Details:
A memory leak in the af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-2289adbfa559.(CVE-2019-18809) A memory leak in the dwc3_pci_probe() function in drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering platform_device_add_properties() failures, aka CID-9bbfceea12a8.(CVE-2019-18813) A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f.(CVE-2019-18806) drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16234) Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access.(CVE-2019-0136) An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow.(CVE-2019-16746) In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a Buffer Overflow.(CVE-2019-17133) rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.(CVE-2019-17666) An issue was discovered in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel through 5.3.2. The cxgb4 driver is directly calling dma_map_single (a DMA function) from a stack variable. This could allow an attacker to trigger a Denial of Service, exploitable if this driver is used on an architecture for which this stack/DMA interaction has security relevance.(CVE-2019-17075) ax25_create in net/ax25/af_ax25.c in the AF_AX25 network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-0614e2b73768.(CVE-2019-17052) ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-e69dbd4619e7.(CVE-2019-17053) atalk_create in net/appletalk/ddp ... Description truncated. Please see the references for more information.

Affected Versions:
'kernel' Linux Distribution Package(s) on Huawei EulerOS V2.0SP8.

Recommendations:
Please install the updated Linux Distribution Package(s).

Solution Type:
Vendor Patch

Detection Type:
Linux Distribution Package

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2019-0136
https://nvd.nist.gov/vuln/detail/CVE-2019-16234
https://nvd.nist.gov/vuln/detail/CVE-2019-16746
https://nvd.nist.gov/vuln/detail/CVE-2019-17052
https://nvd.nist.gov/vuln/detail/CVE-2019-17053
https://nvd.nist.gov/vuln/detail/CVE-2019-17054
https://nvd.nist.gov/vuln/detail/CVE-2019-17055
https://nvd.nist.gov/vuln/detail/CVE-2019-17056
https://nvd.nist.gov/vuln/detail/CVE-2019-17075
https://nvd.nist.gov/vuln/detail/CVE-2019-17133
https://nvd.nist.gov/vuln/detail/CVE-2019-17666
https://nvd.nist.gov/vuln/detail/CVE-2019-18806
https://nvd.nist.gov/vuln/detail/CVE-2019-18809
https://nvd.nist.gov/vuln/detail/CVE-2019-18813

References:

https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2283

Search
Severity
High
CVSS Score
8.3

You never have to pay for a vulnerability scanning and management software again.

Tired of paying a subscription 'per asset' or 'per IP'? Well you can officially cancel your current subscription. Mageni provides a free, open source and enterprise-ready vulnerability scanning and management platform which helps you to find, prioritize, remediate and manage your vulnerabilities. It is free and always will be.