SB2022031306 - Multiple vulnerabilities in Linux kernel

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) NULL pointer dereference (CVE-ID: CVE-2022-25258)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error drivers/usb/gadget/composite.c in the Linux kernel. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). A local user can run a specially crafted program to trigger memory corruption and perform a denial of service (DoS) attack.

2) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2022-25375)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper access restrictions in drivers/usb/gadget/function/rndis.c in the Linux kernel. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. A local user can run a specially crafted program to gain access to kernel memory.

Remediation

Install update from vendor's website.

References

• https://github.com/torvalds/linux/commit/75e5b4849b81e19e9efe1654b30d7f3151c33c2c
• https://github.com/szymonh/d-os-descriptor
• https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.10
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TCW2KZYJ2H6BKZE3CVLHRIXYDGNYYC5P/
• https://www.debian.org/security/2022/dsa-5096
• https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html
• https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html
• https://www.debian.org/security/2022/dsa-5092
• https://github.com/szymonh/rndis-co
• https://github.com/torvalds/linux/commit/38ea1eac7d88072bbffb630e2b3db83ca649b826
• http://www.openwall.com/lists/oss-security/2022/02/21/1