ALAS-2020-1437


Amazon Linux AMI Security Advisory: ALAS-2020-1437
Advisory Release Date: 2020-10-26 18:08 Pacific
Advisory Updated Date: 2020-10-27 21:29 Pacific
Severity: Important

Issue Overview:

In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to a right data structure. (CVE-2019-19448 )

A flaw was found in the Linux kernel's implementation of BTRFS free space management, where the kernel does not correctly manage the lifetime of internal data structures used. An attacker could use this flaw to corrupt memory or escalate privileges. (CVE-2020-12888 )

A flaw was found in the Linux kernel, where it allows userspace processes, for example, a guest VM, to directly access h/w devices via its VFIO driver modules. The VFIO modules allow users to enable or disable access to the devices' MMIO memory address spaces. If a user attempts to access the read/write devices' MMIO address space when it is disabled, some h/w devices issue an interrupt to the CPU to indicate a fatal error condition, crashing the system. This flaw allows a guest user or process to crash the host system resulting in a denial of service. A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists. The highest threat from this vulnerability is to system availability. (CVE-2020-14314 )

A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-14331 )

A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-14390 )

A flaw was found in the Linux kernel. When changing screen size, an out-of-bounds memory write can occur leading to memory corruption or a denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response allow for local memory corruption and possibly privilege escalation. A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212 )

A flaw was found in the capabilities check of the rados block device functionality in the Linux kernel. Incorrect capability checks could alllow a local user with root priviledges (but no capabilities) to add or remove Rados Block Devices from the system. (CVE-2020-25284 )

A flaw was found in the Linux kernels sysctl handling code for hugepages managment. When multiple root level processes would write to modify the /proc/sys/vm/nr_hugepages file it could create a race on internal variables leading to a system crash or memory corruption. A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified other impact, aka CID-17743798d812. (CVE-2020-25285 )

A flaw was found in the Linux kernel's implementation of biovecs. A zero-length biovec request issued by the block subsystem could cause the kernel to enter an infinite loop, causing a denial of service. This flaw allows a local attacker with basic privileges to issue requests to a block device, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25641 )

A flaw was found in the HDLC_PPP module of the Linux kernel. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25643 )

A flaw was found in the Linux kernel. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. (CVE-2020-25645 )

A missing capabilities check when creating NFC raw sockets could be used by local attackers to create raw sockets, bypassing security mechanisms allowing them to create or listen to NFC communication frames. (CVE-2020-26088 )


Affected Packages:

kernel


Issue Correction:
Run yum update kernel to update your system.

New Packages:
i686:
    kernel-debuginfo-4.14.200-116.320.amzn1.i686
    kernel-headers-4.14.200-116.320.amzn1.i686
    perf-debuginfo-4.14.200-116.320.amzn1.i686
    kernel-debuginfo-common-i686-4.14.200-116.320.amzn1.i686
    kernel-4.14.200-116.320.amzn1.i686
    kernel-devel-4.14.200-116.320.amzn1.i686
    kernel-tools-4.14.200-116.320.amzn1.i686
    perf-4.14.200-116.320.amzn1.i686
    kernel-tools-debuginfo-4.14.200-116.320.amzn1.i686
    kernel-tools-devel-4.14.200-116.320.amzn1.i686

src:
    kernel-4.14.200-116.320.amzn1.src

x86_64:
    kernel-tools-4.14.200-116.320.amzn1.x86_64
    kernel-tools-debuginfo-4.14.200-116.320.amzn1.x86_64
    kernel-4.14.200-116.320.amzn1.x86_64
    perf-debuginfo-4.14.200-116.320.amzn1.x86_64
    kernel-debuginfo-4.14.200-116.320.amzn1.x86_64
    perf-4.14.200-116.320.amzn1.x86_64
    kernel-devel-4.14.200-116.320.amzn1.x86_64
    kernel-tools-devel-4.14.200-116.320.amzn1.x86_64
    kernel-headers-4.14.200-116.320.amzn1.x86_64
    kernel-debuginfo-common-x86_64-4.14.200-116.320.amzn1.x86_64