New CVE entries this week

Masami Ichikawa

Hi!

It's this week's CVE report.

This week, 6 new CVEs and 0 updated CVEs were reported.

* New CVEs

CVE-2022-2639: openvswitch: fix OOB access in reserve_sfa_size()

CVSS v3 score is not assigned.

An OOB write bug was found in reserve_sfa_size() in the openvswitch
subsystem. It can cause a system crash or potentially allow a local
user to escalate privileges on the system.
This bug was fixed in the mainline, stable, and cip kernels.

Fixed status
cip/4.4-st: [25b37bbe34192188ae7f4b04a7bb857621b3a597]
mainline: [cefa91b2332d7009bc0be5d951d6cbbf349f90f8]
stable/4.14: [6cde4a87248e8d39fad5e5e72e104b6d74fcabef]
stable/4.19: [bbbf059337f9a74285c1cf088ff85ee92d149e64]
stable/4.9: [1aba176280dcd0eb08e291bc59ba6067df22af98]
stable/5.10: [0837ff17d052b7d755d5086208c3445867aaff82]
stable/5.15: [e411af98013dba5bce8118ee2b84bd1ad4c36b86]
stable/5.4: [aa70705560871725e963945a2d36ace7849c004e]

CVE-2022-2590: mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW

CVSS v3 score is not assigned.

This is a Dirty COW-like vulnerability in shmem/tmpfs that allows
unprivileged users to modify read-only files.
This bug was introduced by commit 9ae0f87d009c ("mm/shmem:
unconditionally set pte dirty in mfill_atomic_install_pte"), which was
merged in 5.16-rc1. If a kernel contains commit 9ae0f87d009c and is
compiled with CONFIG_USERFAULTFD=y, it is affected by this
vulnerability.

Kernels 4.4, 4.9, 4.19, 5.4, 5.10, and 1.15 do not contain commit
9ae0f87d009c, so they are not affected.

Fixed status
Patch is available
(https://lore.kernel.org/linux-mm/20220808073232.8808-1-david@redhat.com/)
but hasn't been merged into the mainline yet.

CVE-2022-2585: Linux kernel POSIX CPU timer UAF

CVSS v3 score is not assigned.

A use-after-free bug was found in posix_cpu_timer when a non-leader
thread calls execve().
This vulnerability may allow an attacker to escalate privileges.

Commit 55e8c8eb2c7b ("posix-cpu-timers: Store a reference to a pid not
a task") isn't backported to the 4.4, 4.9, 4.14, 4.19, and 5.4 kernels,
so they aren't affected.

Patch is available on
https://lore.kernel.org/lkml/20220809170751.164716-1-cascardo@canonical.com/T/#u
.

Fixed status
Patch is available but it hasn't been merged into the mainline yet.

CVE-2022-2586: Linux kernel nf_tables cross-table reference UAF

CVSS v3 score is not assigned.

A use-after-free vulnerability was found in nf_tables. This
vulnerability may allow an attacker to escalate privileges.
However, exploiting this vulnerability requires CAP_NET_ADMIN in a
user namespace or netns.

This bug was introduced by commit 958bee14d071 ("netfilter: nf_tables:
use new transaction infrastructure to handle sets"), which was merged
in 3.16-rc1. So, all stable kernels are affected by this
vulnerability.

Patch is available on
https://lore.kernel.org/netfilter-devel/20220809170148.164591-1-cascardo@canonical.com/T/#t
.

Fixed status
Patch is available but it hasn't been merged into the mainline yet.

CVE-2022-2588: Linux kernel cls_route UAF

CVSS v3 score is not assigned.

A use-after-free vulnerability was found in the net scheduler
subsystem. This vulnerability may allow an attacker to escalate
privileges. This vulnerability was introduced before the git
era. Therefore, all stable kernels are affected.

Exploiting this vulnerability requires CAP_NET_ADMIN in a user
namespace or netns.

Patch is available on
https://lore.kernel.org/netdev/20220809170518.164662-1-cascardo@canonical.com/T/#u
.

Fixed status
Patch is available but it hasn't been merged into the mainline yet.

CVE-2022-26373: Post-Barrier Return Stack Buffer Predictions (PBRSB)

NIST: CVSS v3 score is not assigned.
Intel: CVSS Base Score: 5.5 Medium

This vulnerability affects Intel CPUs.
The Enhanced Indirect Branch Restricted Speculation (eIBRS) mitigation
for Spectre v2 doesn't work for the RET instruction after a VM exit.
This causes information disclosure via local access.

Fixed status
mainline: [2b1299322016731d56807aa49254a5ea3080b6b3,
ba6e31af2be96c4d0536f2152ed6f7b6c11bca47]

* Updated CVEs

No updates.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email: masami.ichikawa@...