Bug 1709180 (CVE-2019-11811)

Summary: CVE-2019-11811 kernel: use-after-free in drivers/char/ipmi/ipmi_si_intf.c, ipmi_si_mem_io.c, ipmi_si_port_io.c
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mkeir, mlangsdo, mmilgram, nmurray, plougher, rt-maint, rvrbovsk, steved, williams, wmealing, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's implementation of IPMI (remote baseboard access). An attacker with local access to read /proc/ioports may be able to create a use-after-free condition when the kernel module is unloaded, which may result in privilege escalation.
Story Points: ---
Last Closed: 2019-07-29 19:18:35 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1709181, 1714407, 1714408, 1714409, 1714410, 1714411, 1714412, 1714413, 1714414, 1739307, 1739308, 1771019, 1832191
Bug Blocks: 1709182

Description Marian Rehak 2019-05-13 07:09:45 UTC
A flaw was found in the Linux kernel's implementation of IPMI (remote baseboard access) where an attacker with local access to read /proc/ioports may be able to create a use-after-free condition when the kernel module is unloaded. The use-after-free condition may result in privilege escalation. Investigation is ongoing.

Upstream Patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=401e7e88d4ef80188ffa07095ac00456f901b8c4

Comment 1 Marian Rehak 2019-05-13 07:10:02 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1709181]

Comment 2 Justin M. Forbes 2019-05-13 12:55:31 UTC
This was fixed for Fedora with the 5.0.4 stable kernel updates.

Comment 10 Eric Christensen 2019-05-30 15:04:53 UTC
Statement:

This flaw has been rated as "Moderate" as the attacker needs to be able to abuse this flaw in a very narrow race condition of the kernel module being unloaded. The scoring of this flaw differs from that of other sources because the attacker must have a local account to be able to read the file (/proc/ioports) while the module is unloaded. None of the above actions are 'network facing' attack vectors.

Comment 11 Eric Christensen 2019-05-30 15:04:56 UTC
Mitigation:

A mitigation for this flaw would be to no longer use IPMI on affected hardware until the kernel has been updated. Existing systems that have IPMI kernel modules loaded will need to unload the "ipmi_si" kernel module and blacklist it (see https://access.redhat.com/solutions/41278 for a guide on how to blacklist modules). Take into careful consideration that unloading and blacklisting the module creates a one-time attack window for a local attacker.
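As an added example (not part of this bug report or Red Hat's guidance), a POSIX shell check of whether the mitigation described above is actually in place on a host. It reads a /proc/modules-style listing and a modprobe.d-style directory, both passed as paths so that constructed sample files can stand in for the real /proc/modules and /etc/modprobe.d; the state names are this example's own.

```shell
#!/bin/sh
# Added example: report the state of the ipmi_si unload-and-blacklist mitigation.
# Inputs are file paths so the check can run against constructed samples;
# on a real host pass /proc/modules and /etc/modprobe.d instead.

# Returns 0 if ipmi_si appears as a loaded module in a /proc/modules-style listing.
ipmi_si_loaded() {
    grep -q '^ipmi_si[[:space:]]' "$1"
}

# Returns 0 if any *.conf in the directory carries a "blacklist ipmi_si" line.
ipmi_si_blacklisted() {
    grep -qsE '^[[:space:]]*blacklist[[:space:]]+ipmi_si([[:space:]]|$)' "$1"/*.conf
}

# Prints one word describing the host:
#   mitigated                 unloaded and blacklisted (autoload blocked)
#   loaded-blacklisted        blacklisted but still loaded: the one-time unload
#                             window noted in the comment is still ahead
#   exposed                   loaded and not blacklisted (unfixed kernel still at risk)
#   unloaded-not-blacklisted  not loaded now, but nothing stops it loading again
mitigation_state() {
    loaded=no; blocked=no
    if ipmi_si_loaded "$1"; then loaded=yes; fi
    if ipmi_si_blacklisted "$2"; then blocked=yes; fi
    if [ "$loaded" = no ] && [ "$blocked" = yes ]; then
        echo mitigated
    elif [ "$loaded" = yes ] && [ "$blocked" = yes ]; then
        echo loaded-blacklisted
    elif [ "$loaded" = yes ]; then
        echo exposed
    else
        echo unloaded-not-blacklisted
    fi
}

# Constructed sample data (not captured from a real system).
tmp=$(mktemp -d)
SAMPLE_CONF_DIR="$tmp/modprobe.d"
mkdir -p "$SAMPLE_CONF_DIR"
printf 'blacklist ipmi_si\n' > "$SAMPLE_CONF_DIR/ipmi.conf"
SAMPLE_LOADED="$tmp/modules-loaded"
printf '%s\n' 'ipmi_si 61440 0 - Live 0x0000000000000000' \
              'ipmi_msghandler 57344 1 ipmi_si, Live 0x0000000000000000' > "$SAMPLE_LOADED"
SAMPLE_UNLOADED="$tmp/modules-unloaded"
printf 'ext4 700416 2 - Live 0x0000000000000000\n' > "$SAMPLE_UNLOADED"

mitigation_state "$SAMPLE_LOADED" "$SAMPLE_CONF_DIR"     # loaded-blacklisted
mitigation_state "$SAMPLE_UNLOADED" "$SAMPLE_CONF_DIR"   # mitigated
```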

Comment 13 errata-xmlrpc 2019-07-29 15:14:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1873 https://access.redhat.com/errata/RHSA-2019:1873

Comment 14 errata-xmlrpc 2019-07-29 15:15:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1891 https://access.redhat.com/errata/RHSA-2019:1891

Comment 15 Product Security DevOps Team 2019-07-29 19:18:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11811

Comment 16 errata-xmlrpc 2019-07-30 09:42:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1959 https://access.redhat.com/errata/RHSA-2019:1959

Comment 17 errata-xmlrpc 2019-07-30 11:02:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1971 https://access.redhat.com/errata/RHSA-2019:1971

Comment 31 errata-xmlrpc 2019-12-03 08:07:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:4057 https://access.redhat.com/errata/RHSA-2019:4057

Comment 32 errata-xmlrpc 2019-12-03 08:25:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2019:4058 https://access.redhat.com/errata/RHSA-2019:4058

Comment 33 errata-xmlrpc 2020-01-07 12:26:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:0036 https://access.redhat.com/errata/RHSA-2020:0036

Comment 36 errata-xmlrpc 2020-07-07 13:18:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2854 https://access.redhat.com/errata/RHSA-2020:2854