PT-2018-2587 · Linux+5 · Linux Kernel+5

Publicado

2018-11-03

Atualizado

2019-11-06

CVE-2018-19854

CVSS v3.1

4.7

Média

Vetor

AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 4.19.3

Description The issue is related to the crypto user configuration API in the Linux kernel, specifically with the crypto report one() function and related functions in crypto/crypto user.c. These functions do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. This could allow an attacker to gain unauthorized access to protected information. The system must have the CONFIG CRYPTO USER kconfig option for this issue to be exploitable.

Recommendations For Linux kernel versions prior to 4.19.3, update to version 4.19.3 or later to resolve the issue. As a temporary workaround, consider disabling the crypto report one() function and related functions in crypto/crypto user.c until a patch is available. Restrict access to the crypto user configuration API to minimize the risk of exploitation.

Correção

Information Disclosure

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-200

Identificadores relacionados

ALT-PU-2018-2699

ALT-PU-2018-2729

ALT-PU-2019-1433

BDU:2019-01062

CESA-2019_3309

CESA-2019_3517

CVE-2018-19854

OPENSUSE-SU-2019:0065-1

OPENSUSE-SU-2019_0065-1

RHSA-2019:3309

RHSA-2019:3517

RHSA-2019_3309

RHSA-2019_3517

SUSE-SU-2019:0150-1

SUSE-SU-2019:0196-1

SUSE-SU-2019:0222-1

SUSE-SU-2019:0224-1

USN-3872-1

USN-3878-1

USN-3878-2

USN-3901-1

USN-3901-2

Produtos afetados

Alt Linux

Centos

Linux Kernel

Red Hat

Suse

Ubuntu

PT-2018-2587 · Linux+5 · Linux Kernel+5

CVE-2018-19854

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 354