Slackware Linux update for Slackware 14.2 kernel
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2019-0154 CVE-2019-0155 CVE-2019-11135 |
| CWE-ID | CWE-284 CWE-399 |
| Exploitation vector | Local |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #3 is available. |
| Vulnerable software Subscribe |
Slackware Linux Operating systems & Components / Operating system |
| Vendor | Slackware |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU22743
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-0154
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A local user with the ability to issue an ioctl can trigger a hardware level crash if MMIO registers were read while the graphics card was in a low-power state and cause a denial of service (DoS) on the target system.
MitigationUpdate the affected package Slackware 14.2 kernel.
Vulnerable software versionsSlackware Linux: 14.2
External linkshttp://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.666634
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Improper access control
EUVDB-ID: #VU22755
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-0155
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper access restrictions in Intel GPU subsystem. A local unprivileged user can perform blitter manipulation manipulation and write data to arbitrary location in kernel memory. As a result a local authenticated user can execute arbitrary code on the system with superuser privileges.
This vulnerability affects the following Intel products:
- 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families
- Intel(R) Pentium(R) Processor J, N, Silver and Gold Series
- Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series
- Intel(R) Atom(R) Processor A and E3900 Series
- Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and E-2200 Processor Families
- Intel(R) Graphics Driver for Windows before 26.20.100.6813 (DCH) or 26.20.100.6812 and before 21.20.x.5077 (aka15.45.5077)
- i915 Linux Driver for Intel(R) Processor Graphics before versions 5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201
MitigationUpdate the affected package Slackware 14.2 kernel.
Vulnerable software versionsSlackware Linux: 14.2
External linkshttp://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.666634
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource management error
EUVDB-ID: #VU22704
Risk: Low
CVSSv3.1: 5.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-11135
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the TSX Asynchronous Abort (TAA) in Intel CPUs. The TAA condition, on some microprocessors utilizing speculative execution, may allow an authenticated user to potentially enable information disclosure via a side channel. MitigationUpdate the affected package Slackware 14.2 kernel.
Vulnerable software versionsSlackware Linux: 14.2
External linkshttp://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.666634
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
