ALASKERNEL-5.4-2023-053

Amazon Linux 2 Security Advisory: ALASKERNEL-5.4-2023-053
Advisory Release Date: 2023-09-27 22:59 Pacific
Advisory Updated Date: 2024-07-03 22:01 Pacific

Severity: Important

References: CVE-2023-3772 CVE-2023-39189 CVE-2023-39192 CVE-2023-39193 CVE-2023-39194 CVE-2023-42753 CVE-2023-42755 CVE-2023-45871 CVE-2023-4622 CVE-2023-4623 CVE-2023-4921 CVE-2023-51042 CVE-2023-6176
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

2024-07-03: CVE-2023-6176 was added to this advisory.

2024-07-03: CVE-2023-51042 was added to this advisory.

2024-06-06: CVE-2023-39189 was added to this advisory.

2023-11-29: CVE-2023-42755 was added to this advisory.

2023-10-31: CVE-2023-45871 was added to this advisory.

2023-10-12: CVE-2023-39192 was added to this advisory.

2023-10-12: CVE-2023-39193 was added to this advisory.

2023-10-12: CVE-2023-39194 was added to this advisory.

A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (CVE-2023-3772)

nftables out-of-bounds read in nf_osf_match_one() (CVE-2023-39189)

A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure. (CVE-2023-39192)

A flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure. (CVE-2023-39193)

A flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure. (CVE-2023-39194)

The upstream commit describes this issue as follows:

The missing IP_SET_HASH_WITH_NET0 macro in ip_set_hash_netportnet can lead to the use of wrong `CIDR_POS(c)` for calculating array offsets, which can lead to integer underflow. As a result, it leads to slab out-of-bound access. (CVE-2023-42753)

A flaw was found in rsvp_change(). The root cause is an slab-out-of-bound access, but since the offset to the original pointer is an `unsign int` fully controlled by users, the behavior is usually a wild pointer access. (CVE-2023-42755)

An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU. (CVE-2023-45871)

A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation.

The unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free.

We recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c. (CVE-2023-4622)

A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.

If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free.

We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f. (CVE-2023-4623)

A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.

When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue().

We recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8. (CVE-2023-4921)

In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free. (CVE-2023-51042)

A null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality. This issue occurs when a user constructs a malicious packet with specific socket configuration, which could allow a local user to crash the system or escalate their privileges on the system. (CVE-2023-6176)

Affected Packages:

kernel

Note:

This advisory is applicable to Amazon Linux 2 - Kernel-5.4 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update kernel to update your system.

New Packages:

aarch64:
    kernel-5.4.257-170.359.amzn2.aarch64
    kernel-headers-5.4.257-170.359.amzn2.aarch64
    kernel-debuginfo-common-aarch64-5.4.257-170.359.amzn2.aarch64
    perf-5.4.257-170.359.amzn2.aarch64
    perf-debuginfo-5.4.257-170.359.amzn2.aarch64
    python-perf-5.4.257-170.359.amzn2.aarch64
    python-perf-debuginfo-5.4.257-170.359.amzn2.aarch64
    kernel-tools-5.4.257-170.359.amzn2.aarch64
    kernel-tools-devel-5.4.257-170.359.amzn2.aarch64
    kernel-tools-debuginfo-5.4.257-170.359.amzn2.aarch64
    bpftool-5.4.257-170.359.amzn2.aarch64
    bpftool-debuginfo-5.4.257-170.359.amzn2.aarch64
    kernel-devel-5.4.257-170.359.amzn2.aarch64
    kernel-debuginfo-5.4.257-170.359.amzn2.aarch64

i686:
    kernel-headers-5.4.257-170.359.amzn2.i686

src:
    kernel-5.4.257-170.359.amzn2.src

x86_64:
    kernel-5.4.257-170.359.amzn2.x86_64
    kernel-headers-5.4.257-170.359.amzn2.x86_64
    kernel-debuginfo-common-x86_64-5.4.257-170.359.amzn2.x86_64
    perf-5.4.257-170.359.amzn2.x86_64
    perf-debuginfo-5.4.257-170.359.amzn2.x86_64
    python-perf-5.4.257-170.359.amzn2.x86_64
    python-perf-debuginfo-5.4.257-170.359.amzn2.x86_64
    kernel-tools-5.4.257-170.359.amzn2.x86_64
    kernel-tools-devel-5.4.257-170.359.amzn2.x86_64
    kernel-tools-debuginfo-5.4.257-170.359.amzn2.x86_64
    bpftool-5.4.257-170.359.amzn2.x86_64
    bpftool-debuginfo-5.4.257-170.359.amzn2.x86_64
    kernel-devel-5.4.257-170.359.amzn2.x86_64
    kernel-debuginfo-5.4.257-170.359.amzn2.x86_64

Additional References

Red Hat: CVE-2023-3772, CVE-2023-39189, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-42753, CVE-2023-42755, CVE-2023-45871, CVE-2023-4622, CVE-2023-4623, CVE-2023-4921, CVE-2023-51042, CVE-2023-6176

Mitre: CVE-2023-3772, CVE-2023-39189, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-42753, CVE-2023-42755, CVE-2023-45871, CVE-2023-4622, CVE-2023-4623, CVE-2023-4921, CVE-2023-51042, CVE-2023-6176

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

ALASKERNEL-5.4-2023-053

Additional References