MGASA-2021-0257 - Updated kernel packages fix security vulnerabilities

Publication date: 13 Jun 2021
URL: https://advisories.mageia.org/MGASA-2021-0257.html
Type: security
Affected Mageia releases: 7, 8
CVE: CVE-2020-24586,
     CVE-2020-24587,
     CVE-2020-24588,
     CVE-2020-26139,
     CVE-2020-26141,
     CVE-2020-26145,
     CVE-2020-26147,
     CVE-2021-3573,
     CVE-2021-3587,
     CVE-2021-28691

This kernel update is based on upstream 5.10.43 and fixes atleast the
following security issues:

The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and
WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received
fragments be cleared from memory after (re)connecting to a network. Under
the right circumstances, when another device sends fragmented frames
encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary
network packets and/or exfiltrate user data (CVE-2020-24586).

The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and
WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments
of a frame are encrypted under the same key. An adversary can abuse this to
decrypt selected fragments when another device sends fragmented frames and
the WEP, CCMP, or GCMP encryption key is periodically renewed
(CVE-2020-24587).

The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and
WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU
flag in the plaintext QoS header field is authenticated. Against devices
that support receiving non-SSP A-MSDU frames (which is mandatory as part
of 802.11n), an adversary can abuse this to inject arbitrary network
packets (CVE-2020-24588).

An issue was discovered in the kernel. An Access Point (AP) forwards EAPOL
frames to other clients even though the sender has not yet successfully
authenticated to the AP. This might be abused in projected Wi-Fi networks
to launch denial-of-service attacks against connected clients and makes
it easier to exploit other vulnerabilities in connected clients
(CVE-2020-26139).

An issue was discovered in the kernel ath10k driver. The Wi-Fi
implementation does not verify the Message Integrity Check (authenticity)
of fragmented TKIP frames. An adversary can abuse this to inject and
possibly decrypt packets in WPA or WPA2 networks that support the TKIP
data-confidentiality protocol (CVE-2020-26141). 

An issue was discovered in the kernel ath10k driver. The WEP, WPA, WPA2,
and WPA3 implementations accept second (or subsequent) broadcast fragments
even when sent in plaintext and process them as full unfragmented frames.
An adversary can abuse this to inject arbitrary network packets independent
of the network configuration (CVE-2020-26145).

An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and
WPA3 implementations reassemble fragments even though some of them were
sent in plaintext. This vulnerability can be abused to inject packets and/
or exfiltrate selected fragments when another device sends fragmented
frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used
(CVE-2020-26147).

A use after free vulnerability has been found in the hci_sock_bound_ioctl()
function of the Linux kernel. It can allow attackers to corrupt kernel
heaps (kmalloc-8k to be specific) and adopt further exploitations
(CVE-2021-3573).

There is a null pointer dereference in llcp_sock_getname in net/nfc/
llcp_sock.c of the Linux kernel. An unprivileged user can trigger this bug
and cause denial of service (CVE-2021-3587).

There is a guest triggered use-after-free in Linux xen-netback. A malicious
or buggy network PV frontend can force Linux netback to disable the
interface and terminate the receive kernel thread associated with queue 0
in response to the frontend sending a malformed packet. Such kernel thread
termination will lead to a use-after-free in Linux netback when the backend
is destroyed, as the kernel thread associated with queue 0 will have already
exited and thus the call to kthread_stop will be performed against a stale
pointer. A malicious or buggy frontend driver can trigger a dom0 crash.
Privilege escalation and information leaks cannot be ruled out.
(CVE-2021-28691 / XSA-374).

Other fixes in this update:
- bpf: Forbid trampoline attach for functions with variable arguments
- bpf: Add deny list of btf ids check for tracing programs
- net/nfc/rawsock.c: fix a permission check bug
- proc: Track /proc/$pid/attr/ opener mm_struct
- RDS tcp loopback connection can hang

For other upstream fixes, see the referenced changelogs.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29106
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.42
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.43
- https://xenbits.xen.org/xsa/advisory-374.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24586
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24587
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24588
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26139
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26141
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26145
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26147
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3573
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3587
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28691

SRPMS:
- 7/core/kernel-5.10.43-1.mga7
- 7/core/kmod-virtualbox-6.1.22-1.6.mga7
- 7/core/kmod-xtables-addons-3.13-28.mga7
- 8/core/kernel-5.10.43-1.mga8
- 8/core/kmod-virtualbox-6.1.22-1.6.mga8
- 8/core/kmod-xtables-addons-3.18-1.6.mga8

Mageia 2021-0257: kernel security update

This kernel update is based on upstream 5.10.43 and fixes atleast the following security issues: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) an...

Summary

This kernel update is based on upstream 5.10.43 and fixes atleast the following security issues:
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data (CVE-2020-24586).
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (CVE-2020-24587).
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets (CVE-2020-24588).
An issue was discovered in the kernel. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients (CVE-2020-26139).
An issue was discovered in the kernel ath10k driver. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol (CVE-2020-26141).
An issue was discovered in the kernel ath10k driver. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration (CVE-2020-26145).
An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/ or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (CVE-2020-26147).
A use after free vulnerability has been found in the hci_sock_bound_ioctl() function of the Linux kernel. It can allow attackers to corrupt kernel heaps (kmalloc-8k to be specific) and adopt further exploitations (CVE-2021-3573).
There is a null pointer dereference in llcp_sock_getname in net/nfc/ llcp_sock.c of the Linux kernel. An unprivileged user can trigger this bug and cause denial of service (CVE-2021-3587).
There is a guest triggered use-after-free in Linux xen-netback. A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-after-free in Linux netback when the backend is destroyed, as the kernel thread associated with queue 0 will have already exited and thus the call to kthread_stop will be performed against a stale pointer. A malicious or buggy frontend driver can trigger a dom0 crash. Privilege escalation and information leaks cannot be ruled out. (CVE-2021-28691 / XSA-374).
Other fixes in this update: - bpf: Forbid trampoline attach for functions with variable arguments - bpf: Add deny list of btf ids check for tracing programs - net/nfc/rawsock.c: fix a permission check bug - proc: Track /proc/$pid/attr/ opener mm_struct - RDS tcp loopback connection can hang
For other upstream fixes, see the referenced changelogs.

References

- https://bugs.mageia.org/show_bug.cgi?id=29106

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.42

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.43

- https://xenbits.xen.org/xsa/advisory-374.html

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24586

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24587

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24588

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26139

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26141

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26145

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26147

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3573

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3587

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28691

Resolution

MGASA-2021-0257 - Updated kernel packages fix security vulnerabilities

SRPMS

- 7/core/kernel-5.10.43-1.mga7

- 7/core/kmod-virtualbox-6.1.22-1.6.mga7

- 7/core/kmod-xtables-addons-3.13-28.mga7

- 8/core/kernel-5.10.43-1.mga8

- 8/core/kmod-virtualbox-6.1.22-1.6.mga8

- 8/core/kmod-xtables-addons-3.18-1.6.mga8

Severity
Publication date: 13 Jun 2021
URL: https://advisories.mageia.org/MGASA-2021-0257.html
Type: security
CVE: CVE-2020-24586, CVE-2020-24587, CVE-2020-24588, CVE-2020-26139, CVE-2020-26141, CVE-2020-26145, CVE-2020-26147, CVE-2021-3573, CVE-2021-3587, CVE-2021-28691

Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved