CVE-2019-10639

The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to have a dependency on an address associated with a network namespace.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 76%
VendorProductVersion
linuxlinux_kernel
4.1 ≤
𝑥
≤ 4.20.9
linuxlinux_kernel
5.0 ≤
𝑥
< 5.0.8
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.226-1
fixed
bookworm
6.1.106-3
fixed
bookworm (security)
6.1.112-1
fixed
trixie
6.11.5-1
fixed
sid
6.11.6-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
linux
eoan
not-affected
disco
Fixed 5.0.0-16.17
released
cosmic
ignored
bionic
Fixed 4.15.0-60.67
released
xenial
Fixed 4.4.0-150.176
released
trusty
ignored
linux-aws
eoan
not-affected
disco
Fixed 5.0.0-1007.7
released
cosmic
ignored
bionic
Fixed 4.15.0-1047.49
released
xenial
Fixed 4.4.0-1084.94
released
trusty
ignored
linux-aws-5.0
eoan
dne
disco
dne
bionic
not-affected
xenial
dne
trusty
dne
linux-aws-hwe
eoan
dne
disco
dne
cosmic
dne
bionic
dne
xenial
Fixed 4.15.0-1047.49~16.04.1
released
trusty
dne
linux-azure
eoan
not-affected
disco
Fixed 5.0.0-1008.8
released
cosmic
ignored
bionic
Fixed 5.0.0-1014.14~18.04.1
released
xenial
Fixed 4.15.0-1056.61
released
trusty
ignored
linux-azure-5.3
eoan
dne
disco
dne
bionic
not-affected
xenial
dne
trusty
dne
linux-azure-edge
eoan
dne
disco
dne
cosmic
dne
bionic
Fixed 5.0.0-1014.14~18.04.1
released
xenial
Fixed 4.15.0-1056.61
released
trusty
dne
linux-euclid
eoan
dne
disco
dne
cosmic
dne
bionic
dne
xenial
ignored
trusty
dne
linux-flo
eoan
dne
disco
dne
cosmic
dne
bionic
dne
xenial
ignored
trusty
dne
linux-gcp
eoan
not-affected
disco
Fixed 5.0.0-1007.7
released
cosmic
ignored
bionic
Fixed 4.15.0-1042.45
released
xenial
Fixed 4.15.0-1041.43
released
trusty
dne
linux-gcp-5.3
eoan
dne
disco
dne
bionic
not-affected
xenial
dne
trusty
dne
linux-gcp-edge
eoan
dne
disco
dne
cosmic
dne
bionic
Fixed 4.15.0-1042.45
released
xenial
dne
trusty
dne
linux-gke
eoan
dne
disco
dne
cosmic
dne
bionic
dne
xenial
ignored
trusty
dne
linux-gke-4.15
eoan
dne
disco
dne
bionic
Fixed 4.15.0-1041.43
released
xenial
dne
trusty
dne
linux-gke-5.0
eoan
dne
disco
dne
bionic
not-affected
xenial
dne
trusty
dne
linux-goldfish
eoan
dne
disco
dne
cosmic
dne
bionic
dne
xenial
ignored
trusty
dne
linux-grouper
eoan
dne
disco
dne
cosmic
dne
bionic
dne
xenial
dne
trusty
dne
linux-hwe
eoan
dne
disco
dne
cosmic
dne
bionic
Fixed 5.0.0-23.24~18.04.1
released
xenial
Fixed 4.15.0-60.67~16.04.1
released
trusty
dne
linux-hwe-edge
eoan
dne
disco
dne
cosmic
dne
bionic
Fixed 5.0.0-16.17~18.04.1
released
xenial
Fixed 4.15.0-60.67~16.04.1
released
trusty
dne
linux-kvm
eoan
not-affected
disco
Fixed 5.0.0-1007.7
released
cosmic
ignored
bionic
Fixed 4.15.0-1043.43
released
xenial
Fixed 4.4.0-1047.53
released
trusty
dne
linux-lts-trusty
eoan
dne
disco
dne
cosmic
dne
bionic
dne
xenial
dne
trusty
dne
linux-lts-utopic
eoan
dne
disco
dne
cosmic
dne
bionic
dne
xenial
dne
trusty
dne
linux-lts-vivid
eoan
dne
disco
dne
cosmic
dne
bionic
dne
xenial
dne
trusty
dne
linux-lts-wily
eoan
dne
disco
dne
cosmic
dne
bionic
dne
xenial
dne
trusty
dne
linux-lts-xenial
eoan
dne
disco
dne
cosmic
dne
bionic
dne
xenial
dne
trusty
ignored
linux-maguro
eoan
dne
disco
dne
cosmic
dne
bionic
dne
xenial
dne
trusty
dne
linux-mako
eoan
dne
disco
dne
cosmic
dne
bionic
dne
xenial
ignored
trusty
dne
linux-manta
eoan
dne
disco
dne
cosmic
dne
bionic
dne
xenial
dne
trusty
dne
linux-oem
eoan
Fixed 4.15.0-1059.68
released
disco
ignored
cosmic
ignored
bionic
Fixed 4.15.0-1056.65
released
xenial
ignored
trusty
dne
linux-oem-5.4
eoan
dne
bionic
dne
xenial
dne
trusty
dne
linux-oem-osp1
eoan
not-affected
disco
not-affected
bionic
not-affected
xenial
dne
trusty
dne
linux-oracle
eoan
not-affected
disco
Fixed 5.0.0-1004.8
released
cosmic
ignored
bionic
Fixed 4.15.0-1022.25
released
xenial
Fixed 4.15.0-1022.25~16.04.1
released
trusty
dne
linux-oracle-5.0
eoan
dne
disco
dne
bionic
not-affected
xenial
dne
trusty
dne
linux-raspi2
eoan
not-affected
disco
Fixed 5.0.0-1009.9
released
cosmic
ignored
bionic
Fixed 4.15.0-1044.47
released
xenial
Fixed 4.4.0-1110.118
released
trusty
dne
linux-raspi2-5.3
eoan
dne
bionic
not-affected
xenial
dne
trusty
dne
linux-snapdragon
eoan
dne
disco
Fixed 5.0.0-1013.13
released
cosmic
dne
bionic
Fixed 4.15.0-1062.69
released
xenial
Fixed 4.4.0-1114.119
released
trusty
dne
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00025.html
https://arxiv.org/pdf/1906.10478.pdf
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.8
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=355b98553789b646ed97ad801a619ff898471b92
https://github.com/torvalds/linux/commit/355b98553789b646ed97ad801a619ff898471b92
https://lists.debian.org/debian-lts-announce/2019/07/msg00022.html
https://lists.debian.org/debian-lts-announce/2019/08/msg00017.html
https://seclists.org/bugtraq/2019/Aug/18
https://security.netapp.com/advisory/ntap-20190806-0001/
https://support.f5.com/csp/article/K32804955
https://support.f5.com/csp/article/K32804955?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/4115-1/
https://usn.ubuntu.com/4118-1/
https://www.debian.org/security/2019/dsa-4497
https://www.oracle.com/security-alerts/cpuApr2021.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00025.html
https://arxiv.org/pdf/1906.10478.pdf
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.8
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=355b98553789b646ed97ad801a619ff898471b92
https://github.com/torvalds/linux/commit/355b98553789b646ed97ad801a619ff898471b92
https://lists.debian.org/debian-lts-announce/2019/07/msg00022.html
https://lists.debian.org/debian-lts-announce/2019/08/msg00017.html
https://seclists.org/bugtraq/2019/Aug/18
https://security.netapp.com/advisory/ntap-20190806-0001/
https://support.f5.com/csp/article/K32804955
https://support.f5.com/csp/article/K32804955?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/4115-1/
https://usn.ubuntu.com/4118-1/
https://www.debian.org/security/2019/dsa-4497
https://www.oracle.com/security-alerts/cpuApr2021.html