Red Hat update for kernel-rt

Published: 2019-09-12

Risk	High
Patch available	YES
Number of vulnerabilities	5
CVE-ID	CVE-2018-9568 CVE-2018-13405 CVE-2018-16871 CVE-2018-16884 CVE-2019-1125
CWE-ID	CWE-843 CWE-264 CWE-476 CWE-416 CWE-200
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #4 is available. Public exploit code for vulnerability #5 is available.
Vulnerable software Subscribe	kernel-rt (Red Hat package) Operating systems & Components / Operating system package or component MRG Realtime Server applications / Application servers
Vendor	Red Hat Inc.

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Type Confusion

EUVDB-ID: #VU21092

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-9568

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a type confusion error in the sk_clone_lock() function in sock.c. A local user can run a specially crafted application to trigger memory corruption and execute arbitrary code on the target system with elevated privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

kernel-rt (Red Hat package): 3.10.0-229.rt56.144.el6rt - 3.10.0-693.50.3.rt56.644.el6rt

MRG Realtime: 2

CPE2.3

cpe:2.3:o:red_hat:kernel-rt:3.10.0-693.50.3.rt56.644.el6rt:*:*:*:*:red_hat_enterprise_linux:*:*

External links

http://access.redhat.com/errata/RHSA-2019:2730

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Security restrictions bypass

EUVDB-ID: #VU13631

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2018-13405

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local attacker to create arbitrary files on the target system.

The vulnerability exists due to the inode_init_owner function, as defined in the fs/inode.c source code file, allows the creation of arbitrary files in set-group identification (SGID) directories. A local attacker can create arbitrary files with unintended group ownership.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

kernel-rt (Red Hat package): 3.10.0-229.rt56.144.el6rt - 3.10.0-693.50.3.rt56.644.el6rt

MRG Realtime: 2

CPE2.3

cpe:2.3:o:red_hat:kernel-rt:3.10.0-693.50.3.rt56.644.el6rt:*:*:*:*:red_hat_enterprise_linux:*:*

External links

http://access.redhat.com/errata/RHSA-2019:2730

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) NULL pointer dereference

EUVDB-ID: #VU19573

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2018-16871

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the Network File System (NFS) implementation. A remote authenticated attacker can mount an exported NFS filesystem, cause a NULL pointer dereference condition due to an invalid NFS sequence and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

kernel-rt (Red Hat package): 3.10.0-229.rt56.144.el6rt - 3.10.0-693.50.3.rt56.644.el6rt

MRG Realtime: 2

CPE2.3

cpe:2.3:o:red_hat:kernel-rt:3.10.0-693.50.3.rt56.644.el6rt:*:*:*:*:red_hat_enterprise_linux:*:*

External links

http://access.redhat.com/errata/RHSA-2019:2730

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Use-after-free error

EUVDB-ID: #VU16616

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2018-16884

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to bc_svc_process() use wrong back-channel id when NFS41+ shares mounted in different network namespaces at the same time. A remote attacker can use a malicious container to trigger use-after-free error and cause a system panic.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

kernel-rt (Red Hat package): 3.10.0-229.rt56.144.el6rt - 3.10.0-693.50.3.rt56.644.el6rt

MRG Realtime: 2

CPE2.3

cpe:2.3:o:red_hat:kernel-rt:3.10.0-693.50.3.rt56.644.el6rt:*:*:*:*:red_hat_enterprise_linux:*:*

External links

http://access.redhat.com/errata/RHSA-2019:2730

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Information disclosure

EUVDB-ID: #VU19946

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-1125

CWE-ID: CWE-200 - Information Exposure

Exploit availability: Yes

Description

The vulnerability allows a local user to gain access to potentially sensitive information and elevate privileges on the system.

The vulnerability exists when certain central processing units (CPU) speculatively access memory. A local user can gain unauthorized access to sensitive information and elevate privileges on the system.

This issue is a variant of the Spectre Variant 1 speculative execution side channel vulnerability that leverages SWAPGS instructions to bypass KPTI/KVA mitigations.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

kernel-rt (Red Hat package): 3.10.0-229.rt56.144.el6rt - 3.10.0-693.50.3.rt56.644.el6rt

MRG Realtime: 2

CPE2.3

cpe:2.3:o:red_hat:kernel-rt:3.10.0-693.50.3.rt56.644.el6rt:*:*:*:*:red_hat_enterprise_linux:*:*

External links

http://access.redhat.com/errata/RHSA-2019:2730

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?