Linux Security

    ArchLinux: 202011-10: linux-hardened: multiple issues

    Date 10 Nov 2020
    Posted By LinuxSecurity Advisories
    The package linux-hardened before version 5.9.8.a-1 is vulnerable to multiple issues including denial of service and information disclosure.
    Arch Linux Security Advisory ASA-202011-10
    ==========================================
    
    Severity: Medium
    Date    : 2020-11-10
    CVE-ID  : CVE-2020-8694 CVE-2020-25704
    Package : linux-hardened
    Type    : multiple issues
    Remote  : No
    Link    : https://security.archlinux.org/AVG-1269
    
    Summary
    =======
    
    The package linux-hardened before version 5.9.8.a-1 is vulnerable to
    multiple issues including denial of service and information disclosure.
    
    Resolution
    ==========
    
    Upgrade to 5.9.8.a-1.
    
    # pacman -Syu "linux-hardened>=5.9.8.a-1"
    
    The problems have been fixed upstream in version 5.9.8.a.
    
    Workaround
    ==========
    
    - CVE-2020-8694
    
    A temporary measure would be to remove the ability for non-root users
    to read the current RAPL energy reporting metrics.
    This can be done with the command:
    
    # sudo chmod 400 /sys/class/powercap/intel_rapl/*/energy_uj
    
    This mitigation will only work on the current boot and will need to be
    reapplied at each system boot to remain in effect.
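
    Because the permission change is lost at reboot, a small script run at boot can reapply and verify it. The following is an added example, not part of the Arch advisory: the function names, the default root /sys/class/powercap and the depth limit are assumptions, and it goes beyond the one-level glob above by also covering energy_uj files in nested RAPL subzones.

```shell
#!/bin/sh
# Added example: audit and restrict RAPL energy counters (CVE-2020-8694 workaround).
# Usage (hypothetical script name): rapl-restrict.sh audit|restrict [powercap-root]

# List every energy_uj file below the powercap root (assumed default below).
# -L follows the sysfs symlinks; -maxdepth bounds the walk through symlink loops.
rapl_energy_files() {
    find -L "${1:-/sys/class/powercap}" -maxdepth 4 -type f -name energy_uj \
        2>/dev/null | sort -u
}

# Print "<mode> <path>" for each counter still readable by group or others.
rapl_exposed() {
    rapl_energy_files "$1" | while IFS= read -r f; do
        mode=$(stat -c '%a' "$f" 2>/dev/null) || continue
        # Octal mode: read bit (4) set in the group digit or the others digit.
        case "$mode" in
            *[4-7]?|*[4-7]) printf '%s %s\n' "$mode" "$f" ;;
        esac
    done
}

# Apply the advisory's chmod 400 to every counter, then verify the result.
rapl_restrict() {
    rapl_energy_files "$1" | while IFS= read -r f; do
        chmod 400 "$f" || echo "could not restrict: $f" >&2
    done
    # Succeed only if no counter is left readable by non-root users.
    [ -z "$(rapl_exposed "$1")" ]
}

# Command-line entry point; does nothing when sourced without arguments.
case "${1:-}" in
    audit)    rapl_exposed "${2:-}" ;;
    restrict) rapl_restrict "${2:-}" ;;
esac
```

    Running it with "audit" after boot prints nothing once the workaround is in place; any line of output names a counter that non-root users can still read.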
    
    Description
    ===========
    
    - CVE-2020-8694 (information disclosure)
    
    An information disclosure flaw was found in the Linux kernel's Intel
    Running Average Power Limit (RAPL) implementation. A local non-
    privileged attacker could infer secrets by measuring power usage and
    also infer private data by observing the power usage of calculations
    performed on the data.
    
    - CVE-2020-25704 (denial of service)
    
    A memory leak has been found in the perf_event_parse_addr_filter
    function of Linux before 5.9.7, leading to a denial of service.
    
    Impact
    ======
    
    A local attacker might be able to exhaust the memory available on the
    system, causing a denial of service, or access sensitive information by
    observing the power usage.
    
    References
    ==========
    
    https://www.openwall.com/lists/oss-security/2020/11/09/1
    https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=7bdb157cdebbf95a1cd94ed2e01b338714075d00
    https://www.openwall.com/lists/oss-security/2020/11/10/5
    https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=949dd0104c496fa7c14991a23c03c62e44637e71
    https://platypusattack.com/
    https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html
    https://github.com/anthraxx/linux-hardened/commit/b72aaa9506b38e68f3476a642d0e42b3071f82bb
    https://security.archlinux.org/CVE-2020-8694
    https://security.archlinux.org/CVE-2020-25704
    
    
