Bug 1709180 (CVE-2019-11811) - CVE-2019-11811 kernel: use-after-free in drivers/char/ipmi/ipmi_si_intf.c, ipmi_si_mem_io.c, ipmi_si_port_io.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11811
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1714410 1714414 1739307 1739308 1709181 1714407 1714408 1714409 1714411 1714412 1714413
Blocks: 1709182
 
Reported: 2019-05-13 07:09 UTC by Marian Rehak
Modified: 2019-10-02 11:42 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's implementation of IPMI (remote baseband access). An attacker, with local access to read /proc/ioports, may be able to create a use-after-free condition when the kernel module is unloaded which may result in privilege escalation.
Clone Of:
Environment:
Last Closed: 2019-07-29 19:18:35 UTC




Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2019:1977 | None | None | None | 2019-07-30 14:16:02 UTC
Red Hat Product Errata | RHBA-2019:1978 | None | None | None | 2019-07-30 14:16:35 UTC
Red Hat Product Errata | RHSA-2019:1873 | None | None | None | 2019-07-29 15:14:29 UTC
Red Hat Product Errata | RHSA-2019:1891 | None | None | None | 2019-07-29 15:15:37 UTC
Red Hat Product Errata | RHSA-2019:1959 | None | None | None | 2019-07-30 09:42:20 UTC
Red Hat Product Errata | RHSA-2019:1971 | None | None | None | 2019-07-30 11:02:11 UTC

Description Marian Rehak 2019-05-13 07:09:45 UTC
A flaw was found in the Linux kernel's implementation of IPMI (remote baseband access) where an attacker with local access to read /proc/ioports may be able to create a use-after-free condition when the kernel module is unloaded. The use-after-free condition may result in privilege escalation. Investigation is ongoing.

Upstream Patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=401e7e88d4ef80188ffa07095ac00456f901b8c4

Comment 1 Marian Rehak 2019-05-13 07:10:02 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1709181]

Comment 2 Justin M. Forbes 2019-05-13 12:55:31 UTC
This was fixed for Fedora with the 5.0.4 stable kernel updates.

Comment 10 Eric Christensen 2019-05-30 15:04:53 UTC
Statement:

This flaw has been rated as "Moderate" as the attacker needs to be able to abuse this flaw in a very narrow race condition of the kernel module being unloaded. This scoring system from this flaw differentiates from other sources as the attacker must have a local account to be able to read the file (/proc/ioports) while the module is unloaded. None of the above actions are 'network facing' attack vectors.

Comment 11 Eric Christensen 2019-05-30 15:04:56 UTC
Mitigation:

A mitigation to this flaw would be to no longer use IPMI on affected hardware until the kernel has been updated. Existing systems that have IPMI kernel modules loaded will need to unload the "ipmi_si" kernel module and blacklist it (see https://access.redhat.com/solutions/41278 for a guide on how to blacklist modules). Take careful consideration that if unloading and blacklisting the module, this creates a one-time attack vector window for a local attacker.
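
An added example (not part of the comment above or of Red Hat's guidance) that reports whether the mitigation is in place: whether ipmi_si is resident according to /proc/modules and whether a blacklist entry exists. It assumes blacklist entries live in /etc/modprobe.d/*.conf; the function names, state labels and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the state of the ipmi_si mitigation described above.
# File locations are arguments so the checks also run on constructed samples.

# Succeeds if ipmi_si appears in a /proc/modules-format file.
ipmi_si_loaded() {
    awk '$1 == "ipmi_si" { found = 1 } END { exit !found }' "${1:-/proc/modules}"
}

# Succeeds if an uncommented "blacklist ipmi_si" line exists in DIR/*.conf.
# modprobe treats "-" and "_" in module names alike, so normalise first.
ipmi_si_blacklisted() {
    for conf in "${1:-/etc/modprobe.d}"/*.conf; do
        [ -f "$conf" ] || continue
        awk '$1 == "blacklist" { gsub(/-/, "_", $2)
                 if ($2 == "ipmi_si") found = 1 }
             END { exit !found }' "$conf" && return 0
    done
    return 1
}

# Prints one of: mitigated, loaded, loaded-blacklisted, not-blacklisted.
mitigation_state() {
    if ipmi_si_loaded "$1"; then
        # Blacklisting alone does not remove a module that is already resident.
        if ipmi_si_blacklisted "$2"; then echo loaded-blacklisted; else echo loaded; fi
    elif ipmi_si_blacklisted "$2"; then
        echo mitigated
    else
        # Unloaded now, but nothing stops it from being auto-loaded again.
        echo not-blacklisted
    fi
}

# Constructed sample input (not taken from a real host).
demo=$(mktemp -d)
printf '%s\n' 'ipmi_si 65536 0 - Live 0x0000000000000000' \
              'ipmi_msghandler 114688 1 ipmi_si, Live 0x0000000000000000' > "$demo/modules"
printf '%s\n' '# blacklist ipmi_si' 'blacklist ipmi-si' > "$demo/ipmi.conf"
echo "sample host: $(mitigation_state "$demo/modules" "$demo")"
rm -rf "$demo"
```

Calling `mitigation_state` with no arguments checks the live system's /proc/modules and /etc/modprobe.d instead of the sample files.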

Comment 13 errata-xmlrpc 2019-07-29 15:14:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1873 https://access.redhat.com/errata/RHSA-2019:1873

Comment 14 errata-xmlrpc 2019-07-29 15:15:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1891 https://access.redhat.com/errata/RHSA-2019:1891

Comment 15 Product Security DevOps Team 2019-07-29 19:18:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11811

Comment 16 errata-xmlrpc 2019-07-30 09:42:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1959 https://access.redhat.com/errata/RHSA-2019:1959

Comment 17 errata-xmlrpc 2019-07-30 11:02:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1971 https://access.redhat.com/errata/RHSA-2019:1971

