正文

INUX KERNEL UP TO 4.20.7 REFERENCE COUNTING VIRT/KVM/KVM_MAIN.C KVM_IOCTL_CREATE_DEVICE RACE CONDITION

admin
admin V管理员 /0 评论 /17 阅读
0423
此篇文章发布距今已超过1108天,您需要注意文章的内容或图片是否可用!

CVE编号

CVE-2019-6974

利用情况

POC 已公开

补丁情况

官方补丁

披露时间

2019-02-16
漏洞描述
在4.20.8之前的Linux内核中,virt / kvm / kvm_main.c中的kvm_ioctl_create_device由于竞争条件而错误地处理引用计数,从而导致UAF。
解决建议
目前厂商已发布升级补丁以修复漏洞,补丁获取链接:
https://www.linux.org/
参考链接
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cfa...
http://www.securityfocus.com/bid/107127
https://access.redhat.com/errata/RHBA-2019:0959
https://access.redhat.com/errata/RHSA-2019:0818
https://access.redhat.com/errata/RHSA-2019:0833
https://access.redhat.com/errata/RHSA-2019:2809
https://access.redhat.com/errata/RHSA-2019:3967
https://access.redhat.com/errata/RHSA-2020:0103
https://bugs.chromium.org/p/project-zero/issues/detail?id=1765
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.99
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.21
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20.8
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.156
https://github.com/torvalds/linux/commit/cfa39381173d5f969daf43582c95ad679189cbc9
https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html
https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html
https://lists.debian.org/debian-lts-announce/2019/05/msg00002.html
https://support.f5.com/csp/article/K11186236
https://support.f5.com/csp/article/K11186236?utm_source=f5support&utm_medium=RSS
https://usn.ubuntu.com/3930-1/
https://usn.ubuntu.com/3930-2/
https://usn.ubuntu.com/3931-1/
https://usn.ubuntu.com/3931-2/
https://usn.ubuntu.com/3932-1/
https://usn.ubuntu.com/3932-2/
https://usn.ubuntu.com/3933-1/
https://usn.ubuntu.com/3933-2/
https://www.exploit-db.com/exploits/46388/
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
应用 f5 big-ip_access_policy_manager * From
(including)
13.0.0 		Up to
(including)
13.1.1
运行在以下环境
应用 f5 big-ip_access_policy_manager * From
(including)
14.0.0 		Up to
(including)
14.1.0
运行在以下环境
应用 f5 big-ip_advanced_firewall_manager * From
(including)
13.0.0 		Up to
(including)
13.1.1
运行在以下环境
应用 f5 big-ip_advanced_firewall_manager * From
(including)
14.0.0 		Up to
(including)
14.1.0
运行在以下环境
应用 f5 big-ip_analytics * From
(including)
13.0.0 		Up to
(including)
13.1.1
运行在以下环境
应用 f5 big-ip_analytics * From
(including)
14.0.0 		Up to
(including)
14.1.0
运行在以下环境
应用 f5 big-ip_application_acceleration_manager * From
(including)
13.0.0 		Up to
(including)
13.1.1
运行在以下环境
应用 f5 big-ip_application_acceleration_manager * From
(including)
14.0.0 		Up to
(including)
14.1.0
运行在以下环境
应用 f5 big-ip_application_security_manager * From
(including)
13.0.0 		Up to
(including)
13.1.1
运行在以下环境
应用 f5 big-ip_application_security_manager * From
(including)
14.0.0 		Up to
(including)
14.1.0
运行在以下环境
应用 f5 big-ip_edge_gateway * From
(including)
13.0.0 		Up to
(including)
13.1.1
运行在以下环境
应用 f5 big-ip_edge_gateway * From
(including)
14.0.0 		Up to
(including)
14.1.0
运行在以下环境
应用 f5 big-ip_fraud_protection_service * From
(including)
13.0.0 		Up to
(including)
13.1.1
运行在以下环境
应用 f5 big-ip_fraud_protection_service * From
(including)
14.0.0 		Up to
(including)
14.1.0
运行在以下环境
应用 f5 big-ip_global_traffic_manager * From
(including)
13.0.0 		Up to
(including)
13.1.1
运行在以下环境
应用 f5 big-ip_global_traffic_manager * From
(including)
14.0.0 		Up to
(including)
14.1.0
运行在以下环境
应用 f5 big-ip_link_controller * From
(including)
13.0.0 		Up to
(including)
13.1.1
运行在以下环境
应用 f5 big-ip_link_controller * From
(including)
14.0.0 		Up to
(including)
14.1.0
运行在以下环境
应用 f5 big-ip_local_traffic_manager * From
(including)
13.0.0 		Up to
(including)
13.1.1
运行在以下环境
应用 f5 big-ip_local_traffic_manager * From
(including)
14.0.0 		Up to
(including)
14.1.0
运行在以下环境
应用 f5 big-ip_policy_enforcement_manager * From
(including)
13.0.0 		Up to
(including)
13.1.1
运行在以下环境
应用 f5 big-ip_policy_enforcement_manager * From
(including)
14.0.0 		Up to
(including)
14.1.0
运行在以下环境
应用 f5 big-ip_webaccelerator * From
(including)
13.0.0 		Up to
(including)
13.1.1
运行在以下环境
应用 f5 big-ip_webaccelerator * From
(including)
14.0.0 		Up to
(including)
14.1.0
运行在以下环境
应用 redhat openshift_container_platform 3.11 -
运行在以下环境
系统 amazon linux_2 linux * Up to
(excluding)
4.14.101-91.76.amzn2
运行在以下环境
系统 amazon linux_AMI linux * Up to
(excluding)
4.14.101-75.76.amzn1
运行在以下环境
系统 amazon_2 linux * Up to
(excluding)
4.14.101-91.76.amzn2
运行在以下环境
系统 amazon_AMI linux * Up to
(excluding)
4.14.101-75.76.amzn1
运行在以下环境
系统 canonical ubuntu_linux 12.04 -
运行在以下环境
系统 canonical ubuntu_linux 14.04 -
运行在以下环境
系统 canonical ubuntu_linux 16.04 -
运行在以下环境
系统 canonical ubuntu_linux 18.04 -
运行在以下环境
系统 canonical ubuntu_linux 18.10 -
运行在以下环境
系统 centos_7 linux * Up to
(excluding)
3.10.0-957.12.1.el7
运行在以下环境
系统 debian debian_linux 8.0 -
运行在以下环境
系统 debian_8 linux * Up to
(excluding)
3.16.57-1
运行在以下环境
系统 debian_9 linux * Up to
(excluding)
4.9.161-1
运行在以下环境
系统 fedora_28 linux * Up to
(excluding)
4.20.8-100.fc28
运行在以下环境
系统 fedora_29 linux * Up to
(excluding)
4.20.8-200.fc29
运行在以下环境
系统 linux linux_kernel * Up to
(excluding)
4.20.8
运行在以下环境
系统 opensuse_Leap_15.0 linux * Up to
(excluding)
4.12.14-lp150.12.48.1
运行在以下环境
系统 oracle linux_6 linux * Up to
(excluding)
4.1.12-124.43.4.el6uek
运行在以下环境
系统 oracle linux_7 linux * Up to
(excluding)
4.1.12-124.43.4.el7uek
运行在以下环境
系统 oracle_6 linux * Up to
(excluding)
4.1.12-124.43.4.el7uek
运行在以下环境
系统 oracle_7 linux * Up to
(excluding)
4.1.12-124.43.4.el7uek
运行在以下环境
系统 redhat enterprise_linux 7.0 -
运行在以下环境
系统 redhat enterprise_linux_desktop 7.0 -
运行在以下环境
系统 redhat enterprise_linux_server 7.0 -
运行在以下环境
系统 redhat enterprise_linux_server_aus 7.6 -
运行在以下环境
系统 redhat enterprise_linux_server_eus 7.6 -
运行在以下环境
系统 redhat enterprise_linux_server_tus 7.6 -
运行在以下环境
系统 redhat enterprise_linux_workstation 7.0 -
运行在以下环境
系统 redhat_7 bpftool * Up to
(excluding)
0:3.10.0-957.12.1.el7
运行在以下环境
系统 redhat_7 kernel-rt * Up to
(excluding)
0:3.10.0-957.12.1.rt56.927.el7
运行在以下环境
系统 sles_12 kernel-default-extra * Up to
(excluding)
4.12.14-120
运行在以下环境
系统 sles_12_SP3 linux * Up to
(excluding)
4.4.176-4.25.1
运行在以下环境
系统 sles_12_SP4 linux * Up to
(excluding)
4.12.14-6.9.1
运行在以下环境
系统 suse_12_SP3 linux * Up to
(excluding)
4.4.176-4.25.1
运行在以下环境
系统 suse_12_SP4 linux * Up to
(excluding)
4.12.14-6.9.1
运行在以下环境
系统 ubuntu_14.04 linux * Up to
(excluding)
3.13.0-168.218
运行在以下环境
系统 ubuntu_14.04_lts linux * Up to
(excluding)
3.13.0-168.218
运行在以下环境
系统 ubuntu_16.04 linux * Up to
(excluding)
4.15.0-1010.12~16.04.1
运行在以下环境
系统 ubuntu_16.04_lts linux * Up to
(excluding)
4.4.0-145.171
运行在以下环境
系统 ubuntu_18.04 linux * Up to
(excluding)
4.15.0-1010.12
运行在以下环境
系统 ubuntu_18.04_lts linux * Up to
(excluding)
4.15.0-47.50
运行在以下环境
系统 ubuntu_18.10 linux * Up to
(excluding)
4.18.0-17.18
阿里云评分 5.3
  • 攻击路径 本地
  • 攻击复杂度 困难
  • 权限要求 普通权限
  • 影响范围 越权影响
  • EXP成熟度 POC 已公开
  • 补丁情况 官方补丁
  • 数据保密性 无影响
  • 数据完整性 无影响
  • 服务器危害 服务器失陷
  • 全网数量 N/A
CWE-ID 漏洞类型 CWE-362 使用共享资源的并发执行不恰当同步问题(竞争条件) CWE-416 释放后使用