Bug 1709180 (CVE-2019-11811) - CVE-2019-11811 kernel: use-after-free in drivers/char/ipmi/ipmi_si_intf.c, ipmi_si_mem_io.c, ipmi_si_port_io.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11811
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1709181, 1714407, 1714408, 1714409, 1714410, 1714411, 1714412, 1714413, 1714414, 1739307, 1739308, 1771019, 1832191
Blocks: 1709182
 
Reported: 2019-05-13 07:09 UTC by Marian Rehak
Modified: 2023-05-12 21:15 UTC (History)
CC List: 46 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's implementation of IPMI (Intelligent Platform Management Interface, used for remote baseboard management). An attacker with local access to read /proc/ioports may be able to trigger a use-after-free condition when the ipmi_si kernel module is unloaded, which may result in privilege escalation.
Clone Of:
Environment:
Last Closed: 2019-07-29 19:18:35 UTC




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2019:1977 | 0 | None | None | None | 2019-07-30 14:16:02 UTC
Red Hat Product Errata | RHBA-2019:1978 | 0 | None | None | None | 2019-07-30 14:16:35 UTC
Red Hat Product Errata | RHSA-2019:1873 | 0 | None | None | None | 2019-07-29 15:14:29 UTC
Red Hat Product Errata | RHSA-2019:1891 | 0 | None | None | None | 2019-07-29 15:15:37 UTC
Red Hat Product Errata | RHSA-2019:1959 | 0 | None | None | None | 2019-07-30 09:42:20 UTC
Red Hat Product Errata | RHSA-2019:1971 | 0 | None | None | None | 2019-07-30 11:02:11 UTC
Red Hat Product Errata | RHSA-2019:4057 | 0 | None | None | None | 2019-12-03 08:07:07 UTC
Red Hat Product Errata | RHSA-2019:4058 | 0 | None | None | None | 2019-12-03 08:26:01 UTC
Red Hat Product Errata | RHSA-2020:0036 | 0 | None | None | None | 2020-01-07 12:26:32 UTC
Red Hat Product Errata | RHSA-2020:2854 | 0 | None | None | None | 2020-07-07 13:18:34 UTC

Description Marian Rehak 2019-05-13 07:09:45 UTC
A flaw was found in the Linux kernel's implementation of IPMI (remote baseband access) where an attacker with local access to read /proc/ioports may be able to create a use-after-free condition when the kernel module is unloaded. The use-after-free condition may result in privilege escalation. Investigation is ongoing.

Upstream Patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=401e7e88d4ef80188ffa07095ac00456f901b8c4
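
The pattern behind this bug, as an added userspace model (not kernel code and not the upstream patch): a module registers an I/O port region whose name is a pointer into the module's own memory, a later step of initialization fails, the error path forgets to release the region while freeing the per-device state that tracked it, and after the module is unloaded the global resource registry still holds a pointer into freed memory. In the kernel that pointer is dereferenced by whoever reads /proc/ioports. The registry, the `owner` tag, the fixed port number 0xca2 and the helper names are assumptions made for this illustration; the model counts dangling entries instead of dereferencing freed memory so that it runs cleanly.

```c
/* Added example: userspace model of the ipmi_si resource-name use-after-free.
 * Nothing here is kernel code; structures and names are simplified stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#define MAX_RES 16

struct resource {
    unsigned long start, end;
    const char *name;  /* points into the owning module's memory, as in the kernel */
    int owner;         /* module id; exists only so the checker below can find stale entries (assumption) */
    bool in_use;
};

static struct resource registry[MAX_RES];  /* stands in for the kernel's ioport_resource tree */

static struct resource *request_region(unsigned long start, unsigned long n,
                                       const char *name, int owner)
{
    for (int i = 0; i < MAX_RES; i++) {
        if (!registry[i].in_use) {
            registry[i] = (struct resource){ start, start + n - 1, name, owner, true };
            return &registry[i];
        }
    }
    return NULL;
}

static void release_region(struct resource *r) { r->in_use = false; }

/* Module state: the name string is allocated with the module and freed on unload,
 * modelling a string literal that lives in the module's .rodata. */
struct module {
    int id;
    char *name;
    struct resource *region;  /* per-device state that remembers the registration */
};

static int module_load(struct module *m, int id)
{
    static const char devname[] = "ipmi_si";
    m->id = id;
    m->region = NULL;
    m->name = malloc(sizeof devname);
    if (!m->name) return -1;
    memcpy(m->name, devname, sizeof devname);
    return 0;
}

/* Buggy probe: registers the region, then a later step fails. The error path drops
 * the per-device state (the real code freed it) without releasing the region. */
static int probe_buggy(struct module *m, bool later_step_fails)
{
    m->region = request_region(0xca2, 2, m->name, m->id);
    if (!m->region) return -1;
    if (later_step_fails) {
        m->region = NULL;  /* BUG: registry entry survives, still naming module memory */
        return -1;
    }
    return 0;
}

/* Fixed probe: the error path releases everything the probe registered. */
static int probe_fixed(struct module *m, bool later_step_fails)
{
    m->region = request_region(0xca2, 2, m->name, m->id);
    if (!m->region) return -1;
    if (later_step_fails) {
        release_region(m->region);
        m->region = NULL;
        return -1;
    }
    return 0;
}

static void module_unload(struct module *m)
{
    if (m->region) { release_region(m->region); m->region = NULL; }
    free(m->name);  /* any registry entry still naming this memory is now dangling */
    m->name = NULL;
}

/* What a reader of /proc/ioports would stumble over: entries owned by an unloaded module.
 * Compares the owner tag rather than touching resource->name, so no freed memory is read. */
static int dangling_entries(int unloaded_owner)
{
    int n = 0;
    for (int i = 0; i < MAX_RES; i++)
        if (registry[i].in_use && registry[i].owner == unloaded_owner)
            n++;
    return n;
}

/* Load, fail probe, unload; returns how many registry entries point at freed module memory. */
static int scenario(bool use_fixed_probe)
{
    struct module m;
    memset(registry, 0, sizeof registry);
    if (module_load(&m, 1) != 0) return -1;
    if (use_fixed_probe) probe_fixed(&m, true); else probe_buggy(&m, true);
    module_unload(&m);
    return dangling_entries(1);
}

int main(void)
{
    printf("buggy probe: %d dangling ioport entries after unload\n", scenario(false));
    printf("fixed probe: %d dangling ioport entries after unload\n", scenario(true));
    return 0;
}
```

The takeaway for reviewing similar driver code: every registration that stores a pointer into module memory in a global structure (resource names, sysfs attributes, notifier callbacks) must be undone on every error path of the probe, not only in the module exit function, because once the per-device state is freed nothing remains to release it at unload time.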

Comment 1 Marian Rehak 2019-05-13 07:10:02 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1709181]

Comment 2 Justin M. Forbes 2019-05-13 12:55:31 UTC
This was fixed for Fedora with the 5.0.4 stable kernel updates.

Comment 10 Eric Christensen 2019-05-30 15:04:53 UTC
Statement:

This flaw has been rated as "Moderate" as the attacker needs to be able to abuse this flaw in a very narrow race condition of the kernel module being unloaded. The scoring of this flaw differs from other sources as the attacker must have a local account to be able to read the file (/proc/ioports) while the module is unloaded. None of the above actions are 'network facing' attack vectors.

Comment 11 Eric Christensen 2019-05-30 15:04:56 UTC
Mitigation:

A mitigation to this flaw would be to no longer use IPMI on affected hardware until the kernel has been updated. Existing systems that have IPMI kernel modules loaded will need to unload the "ipmi_si" kernel module and blacklist it (see https://access.redhat.com/solutions/41278 for a guide on how to blacklist modules). Take careful consideration that unloading and blacklisting the module itself creates a one-time attack window for a local attacker.

Comment 13 errata-xmlrpc 2019-07-29 15:14:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1873 https://access.redhat.com/errata/RHSA-2019:1873

Comment 14 errata-xmlrpc 2019-07-29 15:15:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1891 https://access.redhat.com/errata/RHSA-2019:1891

Comment 15 Product Security DevOps Team 2019-07-29 19:18:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11811

Comment 16 errata-xmlrpc 2019-07-30 09:42:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1959 https://access.redhat.com/errata/RHSA-2019:1959

Comment 17 errata-xmlrpc 2019-07-30 11:02:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1971 https://access.redhat.com/errata/RHSA-2019:1971

Comment 31 errata-xmlrpc 2019-12-03 08:07:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:4057 https://access.redhat.com/errata/RHSA-2019:4057

Comment 32 errata-xmlrpc 2019-12-03 08:25:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2019:4058 https://access.redhat.com/errata/RHSA-2019:4058

Comment 33 errata-xmlrpc 2020-01-07 12:26:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:0036 https://access.redhat.com/errata/RHSA-2020:0036

Comment 36 errata-xmlrpc 2020-07-07 13:18:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2854 https://access.redhat.com/errata/RHSA-2020:2854

