CVE-2019-15239

20.08.2019, 08:15

In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to be fixed by backporting. Specifically, by adding to a write queue between disconnection and re-connection, a local attacker can trigger multiple use-after-free conditions. This can result in a kernel crash, or potentially in privilege escalation. NOTE: this affects (for example) Linux distributions that use 4.9.x longterm kernels before 4.9.190 or 4.14.x longterm kernels before 4.14.139.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 7%

Vendor	Product	Version
linux	linux_kernel	4.16.12
debian	debian_linux	9.0
debian	debian_linux	10.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
trixie	6.11.5-1 fixed
sid	6.11.6-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

disco	not-affected
bionic	not-affected
xenial	Fixed 4.4.0-165.193 released
trusty	ignored

linux-aws

disco	not-affected
bionic	not-affected
xenial	Fixed 4.4.0-1095.106 released
trusty	ignored

linux-aws-hwe

disco	dne
bionic	dne
xenial	not-affected
trusty	dne

linux-azure

disco	not-affected
bionic	not-affected
xenial	not-affected
trusty	ignored

linux-azure-edge

disco	dne
bionic	not-affected
xenial	not-affected
trusty	dne

linux-gcp

disco	not-affected
bionic	not-affected
xenial	not-affected
trusty	dne

linux-gcp-edge

disco	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-gke-4.15

disco	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-gke-5.0

disco	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-hwe

disco	dne
bionic	not-affected
xenial	not-affected
trusty	dne

linux-hwe-edge

disco	dne
bionic	not-affected
xenial	not-affected
trusty	dne

linux-kvm

disco	not-affected
bionic	not-affected
xenial	Fixed 4.4.0-1059.66 released
trusty	dne

linux-lts-trusty

disco	dne
bionic	dne
xenial	dne
trusty	dne

linux-lts-xenial

disco	dne
bionic	dne
xenial	dne
trusty	ignored

linux-oem

disco	not-affected
bionic	not-affected
xenial	ignored
trusty	dne

linux-oracle

disco	not-affected
bionic	not-affected
xenial	not-affected
trusty	dne

linux-raspi2

disco	not-affected
bionic	not-affected
xenial	Fixed 4.4.0-1123.132 released
trusty	dne

linux-snapdragon

disco	not-affected
bionic	not-affected
xenial	Fixed 4.4.0-1127.135 released
trusty	dne

Known Exploits!

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

References

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html

https://access.redhat.com/errata/RHSA-2019:3978

https://access.redhat.com/errata/RHSA-2019:3979

https://access.redhat.com/errata/RHSA-2020:0027

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7f582b248d0a86bae5788c548d7bb5bca6f7691a

https://lore.kernel.org/stable/41a61a2f87691d2bc839f26cdfe6f5ff2f51e472.camel%40decadent.org.uk/

https://pulsesecurity.co.nz/advisories/linux-kernel-4.9-tcpsocketsuaf

https://salsa.debian.org/kernel-team/kernel-sec/blob/f6273af2d956a87296b6b60379d0a186c9be4bbc/active/CVE-2019-15239

https://www.debian.org/security/2019/dsa-4497