New CVE entries this week

Masami Ichikawa

Hi !

It's this week's CVE report.

This week there are 8 new CVEs and 2 updated CVEs.

* New CVEs

CVE-2022-2318: UAF vulnerabilities in rose protocol

CVSS v3 score is not assigned.

A use-after-free bug was found in net/rose/rose_timer.c. An attacker
will be able to crash the system via this vulnerability.
The 4.4 kernel is vulnerable too.

No CIP member enables CONFIG_ROSE.

Fixed status
mainline: [9cc02ede696272c5271a401e4f27c262359bc2f6]

CVE-2022-26365: Xen Linux disk/nic frontends data leaks

CVSS v3 score is not assigned.

When allocating a shared page in
fill_grant_buffer()/blkfront_setup_indirect() via alloc_page(), the
allocated page is not initialized.
As a result, unintended data in the page will leak.

4.4 kernel seems to be vulnerable.

Fixed status
mainline: [2f446ffe9d737e9a844b97887919c4fda18246e7]

CVE-2022-33740: Xen Linux disk/nic frontends data leaks

CVSS v3 score is not assigned.

When allocating a shared page in xennet_alloc_one_rx_buffer() via
alloc_page(), the allocated page is not initialized.
As a result, unintended data in the page will leak.

4.4 kernel seems to be vulnerable.

Fixed status
mainline: [307c8de2b02344805ebead3440d8feed28f2f010]

CVE-2022-33741: Xen Linux disk/nic frontends data leaks

CVSS v3 score is not assigned.

A Xen backend will be able to read data from a shared page which is not
related to this backend.

Commit 4491001 ("xen/netfront: force data bouncing when backend is
untrusted") is based on commit fd07160 ("xen-netfront: avoid packet
loss when ethernet header crosses page boundary") which is not merged
in 4.4.

Fixed status
mainline: [4491001c2e0fa69efbb748c96ec96b100a5cdb7e]

CVE-2022-33742: Xen Linux disk/nic frontends data leaks

CVSS v3 score is not assigned.

A Xen backend will be able to read data from a shared page which is not
related to this backend.

Commit 2400617 ("xen/blkfront: force data bouncing when backend is
untrusted") is based on commit 3df0e50 ("xen/blkfront: pseudo support
for multi hardware queues/rings") which is not merged in 4.4.

Fixed status
mainline: [2400617da7eebf9167d71a46122828bc479d64c9]

CVE-2022-33743: Xen network backend may cause Linux netfront to use freed SKBs

CVSS v3 score is not assigned.

Xen's network backend will use freed SKBs, which will cause a system crash.

4.4 seems vulnerable.
Applying commit f63c2c2 will fail because it modifies blkif_free_ring(),
which was introduced by commit 3df0e50 ("xen/blkfront: pseudo support
for multi hardware queues/rings").

Fixed status
mainline: [f63c2c2032c2e3caad9add3b82cc6e91c376fd26]

CVE-2022-33744: Xen Arm guests can cause Dom0 DoS via PV devices

CVSS v3 score is not assigned.

Arm guests can cause a Dom0 DoS via PV devices when mapping pages of
guests on Arm.
4.4 seems to be vulnerable.

Fixed status
mainline: [b75cd218274e01d026dc5240e86fdeb44bbed0c8]

CVE-2022-34918: netfilter: nf_tables: stricter validation of element data

CVSS v3 score is not assigned.

A heap overflow bug was found in nft_set_elem_init() in the netfilter
subsystem. This bug leads to a local privilege escalation.
This vulnerability was introduced by commit fdb9c40 ("netfilter:
nf_tables: allow up to 64 bytes in the set element data area"), which
is merged in 5.8-r1. Commit fdb9c40 is not backported to 4.x
stable kernels.
However, commit 7e6bc1f ("netfilter: nf_tables: stricter validation of
element data") mentions that 7d7402642ea ("netfilter: nf_tables: variable
sized set element keys / data") introduced this bug. So, it seems that
the vulnerability was introduced by commit fdb9c40, and a bug that is
not a vulnerability was introduced by commit 7d7402642eaf.

Fixed status
Fixed in the netdev tree
(https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6)
but not merged into mainline yet.

* Updated CVEs

CVE-2021-33624: Linux kernel BPF protection against speculative
execution attacks can be bypassed to read arbitrary kernel memory

Commit 30ea1c5 ("bpf, selftests: Adjust few selftest outcomes wrt
unreachable code") was added to stable/5.10.

Fixed status
mainline: [d203b0fd863a2261e5d00b97f3d060c4c2a6db71,
fe9a5ca7e370e613a9a75a13008a3845ea759d6e,
9183671af6dbf60a1219371d4ed73e23f43b49db,
973377ffe8148180b2651825b92ae91988141b05]
stable/4.19: [0abc8c9754c953f5cd0ac7488c668ca8d53ffc90,
c510c1845f7b54214b4117272e0d87dff8732af6,
9df311b2e743642c5427ecf563c5050ceb355d1d,
c15b387769446c37a892f958b169744dabf7ff23]
stable/5.10: [e9d271731d21647f8f9e9a261582cf47b868589a,
8c82c52d1de931532200b447df8b4fc92129cfd9,
5fc6ed1831ca5a30fb0ceefd5e33c7c689e7627b,
30ea1c535291e88e41413464277fcf98a95cf8c6]
stable/5.12: [408a4956acde24413f3c684912b1d3e404bed8e2,
68a1936e1812653b68c5b68e698d88fb35018835,
4a99047ed51c98a09a537fe2c12420d815dfe296,
e5e2010ac3e27efa1e6e830b250f491da82d51b4]
stable/5.4: [283d742988f6b304f32110f39e189a00d4e52b92,
d2f790327f83b457db357e7c66f942bc00d43462,
fd568de5806f8859190e6305a1792ba8cb20de61,
a0f66ddf05c2050e1b7f53256bd9c25c2bb3022b]

CVE-2022-23038: Xen: fix race conditions, resulting in potential data
leaks, data corruption, DoS by malicious backends

stable/4.19 was fixed this week.

Fixed status
mainline: [6b1775f26a2da2b05a6dc8ec2b5d14e9a4701a1a,
33172ab50a53578a95691310f49567c9266968b0]
stable/4.19: [17659846fe336366b1663194f5669d10f5947f53,
62a696c15cfcfd32527f81ca3d94f2bde57475dc]
stable/4.9: [73e1d9b33f2bd93ce30719dfc8990b6328243b7e,
98bdfdf89e987406f4afdc7694cbdbb715383d8e]
stable/5.10: [3d81e85f30a8f712c3e4f2a507553d9063a20ed6,
3047255182774266950b22acc29c22a2d76e859e]

* Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email: masami.ichikawa@...