SB2018112212 - Denial of service vulnerabilities in Linux Kernel

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Null pointer dereference (CVE-ID: CVE-2018-19406)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in the kvm_pv_send_ipi function, as defined in the arch/x86/kvm/lapic.c source code file due to the failure of the Advanced Programmable Interrupt Controller (APIC) map to initialize. A local attacker can access the system and execute an application that submits malicious system calls, trigger a NULL pointer dereference, which could result in a DoS condition.

2) Null pointer dereference (CVE-ID: CVE-2018-19407)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in the vcpu_scan_ioapic function, as defined in the arch/x86/kvm/x86.c source code file due to the failure of the I/O Advanced Programmable Interrupt Controller (I/O APIC) to initialize. A local attacker can access the system and execute an application that submits malicious system calls, trigger a NULL pointer dereference, which could result in a DoS condition.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://lkml.org/lkml/2018/11/20/411
• https://lkml.org/lkml/2018/11/20/580