New CVE Entries in this week


Masami Ichikawa
 

Hi!

It's this week's CVE report.

This week, 4 new CVEs were reported.

* New CVEs

CVE-2021-43057: selinux,smack: fix subjective/objective credential use mixups

CVSS v3 score is "7.8 HIGH".

selinux and smack have a UAF bug that allows a local attacker to
escalate privileges.
This bug was introduced in 5.13-rc1, so kernels before 5.13 aren't affected.
All stable kernels are fixed.

Fixed status

mainline: [a3727a8bac0a9e77c70820655fd8715523ba3db7]
stable/5.14: [bef2b32a149030babba8ad5d2b6c121638fb911d]

CVE-2021-3892: memory leak in fib6_rule_suppress could result in DoS

CVSS v3 score is not provided.

According to the Red Hat bugzilla
(https://bugzilla.redhat.com/show_bug.cgi?id=2014623), "The kernel leaks
memory when firewalld IPv6_rpfilter is enabled and a suppress_prefix rule
is present in the IPv6 routing rules (used by certain tools such as
wg-quick). In such scenarios, every incoming packet will leak an
allocation in ip6_dst_cache slab cache." It seems that this CVE can be
used for a remote DoS attack; however, it requires some conditions to do
so.

Fixed status

Not fixed yet.

CVE-2021-34981: Bluetooth CMTP Module Double Free Privilege Escalation
Vulnerability

This CVE is fixed in 5.14-rc1.

Fixed status

mainline: [3cfdf8fcaafa62a4123f92eb0f4a72650da3a479]
stable/4.19: [f8be26b9950710fe50fb45358df5bd01ad18efb7]
stable/4.9: [77c559407276ed4a8854dafc4a5efc8608e51906]
stable/5.10: [1b364f8ede200e79e25df0df588fcedc322518fb]
stable/5.4: [fe201316ac36c48fc3cb2891dfdc8ab68058734d]

CVE-2021-43267: tipc: fix size validations for the MSG_CRYPTO type

This vulnerability was introduced in 5.1-rc1, so kernels before 5.10
aren't affected by this issue.
The mainline and stable kernels have been fixed.

Fixed status

mainline: [fa40d9734a57bcbfa79a280189799f76c88f7bb0]
stable/5.10: [0b1b3e086b0af2c2faa9938c4db956fe6ce5c965]
stable/5.14: [e029c9828c5b503b11a609fcc7c5840de2db3fb4]

* Updated CVEs

CVE-2021-3772: Invalid chunks may be used to remotely remove existing
associations

This bug is in the SCTP stack: an attacker may be able to send a packet
with a spoofed IP address if the attacker knows the IP address and port
number being used.

Below is the backport status of each patch.

* 4f7019c7eb33 ("sctp: use init_tag from inithdr for ABORT chunk")
stable/4.4: backported
stable/4.19: backported
stable/4.9: backported
stable/5.10: backported
stable/5.4: backported

* eae578390804 ("sctp: fix the processing for INIT chunk")
stable/4.4: not yet
stable/4.19: not yet
stable/4.9: not yet
stable/5.10: not yet
stable/5.4: not yet

* 438b95a7c98f ("sctp: fix the processing for INIT_ACK chunk")
stable/4.4: not yet
stable/4.19: not yet
stable/4.9: not yet
stable/5.10: backported
stable/5.4: backported

* a64b341b8695 ("sctp: fix the processing for COOKIE_ECHO chunk")
stable/4.4: not yet
stable/4.19: backported
stable/4.9: not yet
stable/5.10: backported
stable/5.4: backported

* aa0f697e4528 ("sctp: add vtag check in sctp_sf_violation")
stable/4.4: backported
stable/4.19: backported
stable/4.9: backported
stable/5.10: backported
stable/5.4: backported

* ef16b1734f0a ("sctp: add vtag check in sctp_sf_do_8_5_1_E_sa")
stable/4.4: not yet
stable/4.19: backported
stable/4.9: not yet
stable/5.10: backported
stable/5.4: backported

* 9d02831e517a ("sctp: add vtag check in sctp_sf_ootb")
stable/4.4: not yet
stable/4.19: backported
stable/4.9: not yet
stable/5.10: backported
stable/5.4: backported

Fixed status

mainline: [4f7019c7eb33967eb87766e0e4602b5576873680,
eae5783908042a762c24e1bd11876edb91d314b1,
438b95a7c98f77d51cbf4db021f41b602d750a3f,
a64b341b8695e1c744dd972b39868371b4f68f83,
aa0f697e45286a6b5f0ceca9418acf54b9099d99,
ef16b1734f0a176277b7bb9c71a6d977a6ef3998,
9d02831e517aa36ee6bdb453a0eb47bd49923fe3]
stable/4.19: [1f52dfacca7bb315d89f5ece5660b0337809798e,
86044244fc6f9eaec0070cb668e0d500de22dbba,
aa0f697e45286a6b5f0ceca9418acf54b9099d99,
ef16b1734f0a176277b7bb9c71a6d977a6ef3998,
9d02831e517aa36ee6bdb453a0eb47bd49923fe3]
stable/4.4: [629d2823abf957bcbcba32154f1f6fd49bdb850c,
c0b5302e3a74997b57985b561e776269d1951ac7]
stable/4.9: [42ce7a69f8140783bab908dc29a93c0bcda315d5,
16d0bfb045abf587c72d46dfea56c20c4aeda927]
stable/5.10: [a7112b8eeb14b3db21bc96abc79ca7525d77e129,
c2442f721972ea7c317fbfd55c902616b3151ad5,
14c1e02b11c2233343573aff90766ef8472f27e7,
dad2486414b5c81697aa5a24383fbb65fad13cae,
8c50693d25e4ab6873b32bc3cea23b382a94d05f,
ad111d4435d85fd3eeb2c09692030d89f8862401]
stable/5.14: [332933f9ae0a17f6e362ec0f35ed51e7bc8e76d6,
6277d424ead2702798e8b981fb6f51b8ec2304ec,
7975f42f10380ff9743a7ee94ef3cb81f1a8275d,
44ef3ecbc24a532fde6a8c7b87b3e55d4ad1c1d1,
dd82b3a345abf6fc325e748469d9d7f477a0b718,
1c255b5f68f4dac3f1f0f24741575aac2325470a,
0717c71deae69aa3511492c302dd44a2f3722184]
stable/5.4: [5953ee99bab134d74c805a00eaa20fed33f54255,
5fe74d5e4d58262e4adde277ef773032c57e873d,
d6470c2200253da67a439aa18c9ce32a127c5a61,
0aa322b5fe70204d3d7f9d1d4cd265fdff2e5a1f,
df527764072c5fb7ede93a41cc8f3acbf41dde8c,
0f5b4c57dc8573bdb9926b17748065ac2104b1d1]

CVE-2021-42327: drm/amdgpu: fix out of bounds write

parse_write_buffer_into_params() was introduced in 5.9, so kernels
before 5.9 aren't affected by this vulnerability.

This CVE was fixed by 5afa7898ab7a ("drm/amdgpu: fix out of bounds
write"); however, the next commit 3f4e54bd312d ("drm/amdgpu: Fix even more
out of bound writes from debugfs") says that amdgpu_dm_debugfs.c
contains the same issues, so it'd be nice to apply 3f4e54bd312d
("drm/amdgpu: Fix even more out of bound writes from debugfs") too.

Fixed status

mainline: [5afa7898ab7a0ec9c28556a91df714bf3c2f725e]
stable/5.10: [eb3b6805e3e9d98b2507201fd061a231988ce623]
stable/5.14: [d3ed72495a59fbfb9377450c8dfe94389a6509a7]

CVE-2021-20322: new DNS Cache Poisoning Attack based on ICMP fragment
needed packets replies

Updated the stable/5.4 and stable/4.19 fixed revisions.
It seems that stable/4.4 and stable/4.9 need the following patches backported:
- 4785305c05b2 ("ipv6: use siphash in rt6_exception_hash()")
- a00df2caffed ("ipv6: make exception cache less predictible")
- 6457378fe796 ("ipv4: use siphash instead of Jenkins in fnhe_hashfun()")

Fixed status

mainline: [4785305c05b25a242e5314cc821f54ade4c18810,
6457378fe796815c973f631a1904e147d6ee33b1,
a00df2caffed3883c341d5685f830434312e4a43,
67d6d681e15b578c1725bad8ad079e05d1c48a8e]
stable/4.19: [3e6bd2b583f18da9856fc9741ffa200a74a52cba,
6e2856767eb1a9cfcfcd82136928037f04920e97,
ad829847ad59af8e26a1f1c345716099abbc7a58,
c6d0d68d6da68159948cad3d808d61bb291a0283]
stable/4.4: [bed8941fbdb72a61f6348c4deb0db69c4de87aca]
stable/4.9: [f10ce783bcc4d8ea454563a7d56ae781640e7dcb]
stable/5.10: [8692f0bb29927d13a871b198adff1d336a8d2d00,
5867e20e1808acd0c832ddea2587e5ee49813874,
dced8347a727528b388f04820f48166f1e651af6,
beefd5f0c63a31a83bc5a99e6888af884745684b]
stable/5.14: [4785305c05b25a242e5314cc821f54ade4c18810,
6457378fe796815c973f631a1904e147d6ee33b1,
55938482a1461a35087c6f3051f8447662889ea8,
4589a12dcf80af31137ef202be1ff4a321707a73]
stable/5.4: [3f439c231a035bab056a5e20b1fd16f4c4c483c1,
4ba6c163fe64e0836acd0708962fb30cf78dbd42,
f73cbdd1b8e7ea32c66138426f826c8734b70c18,
e46e23c289f62ccd8e2230d9ce652072d777ff30]

CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in
avc_ca_pmt()

According to the cip-kernel-config repo, no CIP member uses the firewire driver.

Fixed status

mainline: [35d2969ea3c7d32aee78066b1f3cf61a0d935a4e]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

Fixed in the bluetooth-next tree.

https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/net/bluetooth/sco.c?id=99c23da0eed4fd20cae8243f2b51e10e66aa0951

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,


--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
:masami.ichikawa@miraclelinux.com
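The CVE-2021-3772 patches listed above are all "add vtag check" changes. The script below is an added illustration of the verification-tag rule they enforce, written for this report; it is not kernel code and not from the thread. It reduces an association to its two tags and models one teardown chunk handler before and after the check, following the rule RFC 4960 gives in section 8.5.1 (B) for ABORT and (E) for SHUTDOWN COMPLETE. The ports, tags and packets are constructed.

```python
"""Added illustration for CVE-2021-3772: the verification-tag (vtag) rule that
the listed "add vtag check" patches enforce. Not kernel code: the association
state and chunk handling are reduced to the one rule RFC 4960 states in
section 8.5.1 (B) for ABORT and (E) for SHUTDOWN COMPLETE."""
import struct
from dataclasses import dataclass

SCTP_ABORT = 6               # chunk type numbers from RFC 4960
SCTP_SHUTDOWN_COMPLETE = 14
T_BIT = 0x01                 # chunk flag: "vtag is the sender's own tag"
TEARDOWN = (SCTP_ABORT, SCTP_SHUTDOWN_COMPLETE)


@dataclass
class Association:
    my_vtag: int             # tag the peer must put in packets it sends us
    peer_vtag: int           # tag we put in packets we send the peer
    state: str = "ESTABLISHED"


def build_packet(src_port, dst_port, vtag, chunk_type, flags=0, payload=b""):
    """Minimal SCTP packet: common header plus one chunk (checksum left as 0)."""
    header = struct.pack("!HHII", src_port, dst_port, vtag, 0)
    chunk = struct.pack("!BBH", chunk_type, flags, 4 + len(payload)) + payload
    return header + chunk


def parse_packet(raw):
    """Return (vtag, chunk_type, chunk_flags) for the first chunk in the packet."""
    if len(raw) < 16:
        raise ValueError("truncated SCTP packet")
    _src, _dst, vtag, _csum = struct.unpack("!HHII", raw[:12])
    chunk_type, flags, chunk_len = struct.unpack("!BBH", raw[12:16])
    if chunk_len < 4 or 12 + chunk_len > len(raw):
        raise ValueError("bad chunk length")
    return vtag, chunk_type, flags


def vtag_accepted(asoc, vtag, flags):
    """RFC 4960 8.5.1 (B)/(E): accept if vtag is our own tag with the T bit clear,
    or the peer's tag with the T bit set; anything else is silently discarded."""
    if flags & T_BIT:
        return vtag == asoc.peer_vtag
    return vtag == asoc.my_vtag


def teardown_unchecked(asoc, raw):
    """Pre-fix behaviour (model): act on the chunk type, never look at the vtag."""
    _vtag, chunk_type, _flags = parse_packet(raw)
    if chunk_type in TEARDOWN:
        asoc.state = "CLOSED"
    return asoc.state


def teardown_checked(asoc, raw):
    """Post-fix behaviour (model): the vtag rule gates the state change."""
    vtag, chunk_type, flags = parse_packet(raw)
    if chunk_type in TEARDOWN and vtag_accepted(asoc, vtag, flags):
        asoc.state = "CLOSED"
    return asoc.state


def demo():
    """Run one off-path ABORT carrying a wrong vtag (constructed) and one genuine
    ABORT through both handlers; the tags are constructed constants."""
    def fresh():
        return Association(my_vtag=0xCAFEBABE, peer_vtag=0xDEADBEEF)
    bogus = build_packet(5000, 5001, 0x12345678, SCTP_ABORT)
    genuine = build_packet(5000, 5001, 0xCAFEBABE, SCTP_ABORT)
    return (teardown_unchecked(fresh(), bogus),
            teardown_checked(fresh(), bogus),
            teardown_checked(fresh(), genuine))


if __name__ == "__main__":
    print(demo())  # ('CLOSED', 'ESTABLISHED', 'CLOSED')
```

The unchecked handler tears the association down for any ABORT that reaches it, which is why knowing the addresses and ports is enough in the vulnerable case; the checked handler additionally needs the 32-bit tag chosen at association setup, which an off-path sender does not have.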


Pavel Machek
 

Hi!

> CVE-2021-34981: Bluetooth CMTP Module Double Free Privilege Escalation
> Vulnerability
>
> This CVE is fixed in 5.14-rc1.
>
> Fixed status
>
> mainline: [3cfdf8fcaafa62a4123f92eb0f4a72650da3a479]
> stable/4.19: [f8be26b9950710fe50fb45358df5bd01ad18efb7]
> stable/4.9: [77c559407276ed4a8854dafc4a5efc8608e51906]
> stable/5.10: [1b364f8ede200e79e25df0df588fcedc322518fb]
> stable/5.4: [fe201316ac36c48fc3cb2891dfdc8ab68058734d]

This seems to be fixed in stable/4.4, too, as
61a811e8f5229264b822361f8b23d7638fd8c914. And cip-kernel-sec says so,
good.

> CVE-2021-43267: tipc: fix size validations for the MSG_CRYPTO type
>
> This vulnerability was introduced since 5.1-rc1 so before 5.10 kernels
> aren't affected by this issue.
> The mainline and stable kernels have been fixed.

AFAICT the vulnerability was introduced by 1ef6f7c9390f in
5.9-rc3. But that does not change anything for us.

> * Updated CVEs
>
> CVE-2021-3772: Invalid chunks may be used to remotely remove existing
> associations
>
> This bug is in SCTP stack that attacker may be able to send packet
> with spoofed IP address if attacker knows IP address and port number
> being used.

AFAICT it is more of "if attacker can send packets with spoofed IP
addresses, he can...". Many of our configs use SCTP.

> CVE-2021-42327: drm/amdgpu: fix out of bounds write
>
> The parse_write_buffer_into_params() was introduced since 5.9 so
> before 5.9 kernels aren't affected by this vulnerability.
>
> This CVE was fixed by 5afa7898ab7a ("drm/amdgpu: fix out of bounds
> write"), however next commit 3f4e54bd312d ("drm/amdgpu: Fix even more
> out of bound writes from debugfs") said that amdgpu_dm_debugfs.c
> contains same issues so it'd be nice to apply 3f4e54bd312d
> ("drm/amdgpu: Fix even more out of bound writes from debugfs") too.

This looks quite easy to fix, OTOH CIP configs do not use amdgpu and
it is not too serious in the first place.

> CVE-2021-20322: new DNS Cache Poisoning Attack based on ICMP fragment
> needed packets replies
>
> Update stable/5.4 and stable/4.19 fixed revisions.
> It seems like stable/4.4 and stable/4.9 need backport following patches.
> - 4785305c05b2 ("ipv6: use siphash in rt6_exception_hash()")
> - a00df2caffed ("ipv6: make exception cache less predictible")
> - 6457378fe796 ("ipv4: use siphash instead of Jenkins in
> fnhe_hashfun()")

It would not be bad to understand the problem in the first place. Yes,
I guess different hashes have different qualities, but...

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
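On the question of what the CVE-2021-20322 patches actually change: the three commits move rt6_exception_hash() and fnhe_hashfun() from a public, unkeyed hash (Jenkins) to SipHash, which is assumed here to be keyed with a random secret the kernel generates once at boot. The script below is an added illustration written for this thread, not kernel code: it implements SipHash-2-4 from the published specification, uses FNV-1a as a stand-in for any seedless hash, and measures how often a party who knows the hash function but not the secret can tell which cache bucket a destination address lands in. The bucket count, the address range and the secrets are constructed.

```python
"""Added illustration for CVE-2021-20322: why the route exception caches moved
from an unkeyed hash to SipHash with a per-boot secret key. Not kernel code;
FNV-1a stands in for the Jenkins hash the kernel used, and the bucket count
is a constructed constant."""
import random
import struct
from ipaddress import IPv6Address

MASK64 = (1 << 64) - 1
BUCKETS = 1 << 10  # constructed: a small power-of-two table, like the kernel's


def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64


def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4 (Aumasson/Bernstein): 128-bit key, 64-bit keyed PRF output."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0, k1 = struct.unpack("<QQ", key)
    v = [k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573]

    def sipround():
        v[0] = (v[0] + v[1]) & MASK64; v[1] = _rotl(v[1], 13); v[1] ^= v[0]; v[0] = _rotl(v[0], 32)
        v[2] = (v[2] + v[3]) & MASK64; v[3] = _rotl(v[3], 16); v[3] ^= v[2]
        v[0] = (v[0] + v[3]) & MASK64; v[3] = _rotl(v[3], 21); v[3] ^= v[0]
        v[2] = (v[2] + v[1]) & MASK64; v[1] = _rotl(v[1], 17); v[1] ^= v[2]; v[2] = _rotl(v[2], 32)

    n = len(msg)
    full = n - (n % 8)
    for i in range(0, full, 8):           # c = 2 compression rounds per 8-byte block
        m = struct.unpack_from("<Q", msg, i)[0]
        v[3] ^= m
        sipround(); sipround()
        v[0] ^= m
    last = (n & 0xFF) << 56               # final block: tail bytes plus the length byte
    for i, byte in enumerate(msg[full:]):
        last |= byte << (8 * i)
    v[3] ^= last
    sipround(); sipround()
    v[0] ^= last
    v[2] ^= 0xFF                          # d = 4 finalization rounds
    for _ in range(4):
        sipround()
    return v[0] ^ v[1] ^ v[2] ^ v[3]


def fnv1a32(data: bytes) -> int:
    """Unkeyed 32-bit FNV-1a: a stand-in for any public, seedless hash."""
    h = 0x811C9DC5
    for byte in data:
        h = ((h ^ byte) * 0x01000193) & 0xFFFFFFFF
    return h


def bucket_unkeyed(addr: str) -> int:
    """Bucket index when the hash takes no secret: anyone can compute it."""
    return fnv1a32(IPv6Address(addr).packed) & (BUCKETS - 1)


def bucket_keyed(addr: str, secret: bytes) -> int:
    """Bucket index under SipHash with the holder's secret key."""
    return siphash24(secret, IPv6Address(addr).packed) & (BUCKETS - 1)


def prediction_rate(n: int = 2000, seed: int = 1):
    """Fraction of random destinations for which an off-path party, knowing the
    hash function but not the kernel's secret, names the right bucket."""
    rng = random.Random(seed)                       # constructed, reproducible inputs
    kernel_secret = rng.getrandbits(128).to_bytes(16, "little")
    guessed_secret = rng.getrandbits(128).to_bytes(16, "little")
    hit_unkeyed = hit_keyed = 0
    for _ in range(n):
        addr = str(IPv6Address((0x20010DB8 << 96) | rng.getrandbits(96)))
        # No secret is involved, so the observer's copy of the function agrees
        # with the kernel's every time.
        hit_unkeyed += bucket_unkeyed(addr) == bucket_unkeyed(addr)
        # With a keyed hash the observer can only evaluate it under a guess.
        hit_keyed += bucket_keyed(addr, guessed_secret) == bucket_keyed(addr, kernel_secret)
    return hit_unkeyed / n, hit_keyed / n


if __name__ == "__main__":
    print(prediction_rate())  # (1.0, about 1/BUCKETS)
```

The unkeyed rate is 1.0 by construction: the bucket layout of the cache, and therefore which destinations collide in it, is public knowledge. With the keyed hash the rate drops to roughly 1/BUCKETS, and the layout changes again at every boot because the secret does; that is the "less predictable" property the commit titles refer to, and it holds only as long as the hash is a real keyed PRF rather than a fast mixer with a seed stirred in.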


Masami Ichikawa
 

Hi!

On Thu, Nov 4, 2021 at 6:57 PM Pavel Machek <pavel@denx.de> wrote:

> Hi!
>
> > CVE-2021-34981: Bluetooth CMTP Module Double Free Privilege Escalation
> > Vulnerability
> >
> > This CVE is fixed in 5.14-rc1.
> >
> > Fixed status
> >
> > mainline: [3cfdf8fcaafa62a4123f92eb0f4a72650da3a479]
> > stable/4.19: [f8be26b9950710fe50fb45358df5bd01ad18efb7]
> > stable/4.9: [77c559407276ed4a8854dafc4a5efc8608e51906]
> > stable/5.10: [1b364f8ede200e79e25df0df588fcedc322518fb]
> > stable/5.4: [fe201316ac36c48fc3cb2891dfdc8ab68058734d]
>
> This seems to be fixed in stable/4.4, too, as
> 61a811e8f5229264b822361f8b23d7638fd8c914. And cip-kernel-sec says so,
> good.

Thanks. I accidentally removed stable/4.4 from the above list.
CVE-2021-34981.yml contains stable/4.4 too.

> > CVE-2021-43267: tipc: fix size validations for the MSG_CRYPTO type
> >
> > This vulnerability was introduced since 5.1-rc1 so before 5.10 kernels
> > aren't affected by this issue.
> > The mainline and stable kernels have been fixed.
>
> AFAICT the vulnerability was introduced by 1ef6f7c9390f in
> 5.9-rc3. But that does not change anything for us.
>
> > * Updated CVEs
> >
> > CVE-2021-3772: Invalid chunks may be used to remotely remove existing
> > associations
> >
> > This bug is in SCTP stack that attacker may be able to send packet
> > with spoofed IP address if attacker knows IP address and port number
> > being used.
>
> AFAICT it is more of "if attacker can send packets with spoofed IP
> addresses, he can...". Many of our configs use SCTP.

NVD hasn't given CVSS v3 scores yet. However, Red Hat and SUSE both
give it a score of 5.9, so it looks like it's not too serious an issue.
Of course, it'd be nice to have patches.

https://access.redhat.com/security/cve/CVE-2021-3772
https://www.suse.com/security/cve/CVE-2021-3772.html

> > CVE-2021-42327: drm/amdgpu: fix out of bounds write
> >
> > The parse_write_buffer_into_params() was introduced since 5.9 so
> > before 5.9 kernels aren't affected by this vulnerability.
> >
> > This CVE was fixed by 5afa7898ab7a ("drm/amdgpu: fix out of bounds
> > write"), however next commit 3f4e54bd312d ("drm/amdgpu: Fix even more
> > out of bound writes from debugfs") said that amdgpu_dm_debugfs.c
> > contains same issues so it'd be nice to apply 3f4e54bd312d
> > ("drm/amdgpu: Fix even more out of bound writes from debugfs") too.
>
> This looks quite easy to fix, OTOH CIP configs do not use amdgpu and
> it is not too serious in the fist place.

I agree.

> > CVE-2021-20322: new DNS Cache Poisoning Attack based on ICMP fragment
> > needed packets replies
> >
> > Update stable/5.4 and stable/4.19 fixed revisions.
> > It seems like stable/4.4 and stable/4.9 need backport following patches.
> > - 4785305c05b2 ("ipv6: use siphash in rt6_exception_hash()")
> > - a00df2caffed ("ipv6: make exception cache less predictible")
> > - 6457378fe796 ("ipv4: use siphash instead of Jenkins in
> > fnhe_hashfun()")
>
> It would not be bad to understand the problem in the first place. Yes,
> I guess different hashes have different qualities, but...
>
> Best regards,
> Pavel
> --
> DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany



--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
:masami.ichikawa@miraclelinux.com