CVE-2019-19241
Published 2019-12-17
CVE-2019-19241: In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is…
Priority: P344 · high · CVSS 3.1: 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.09% (61.1th percentile)
In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 5.3.15-1 (bookworm) | linux 5.3.15-1 (bookworm) |
| linux | linux_kernel | < 5.4.2 | 5.4.2 |
| linux | linux_kernel | >= 0 < 5.3.15-1 | 5.3.15-1 |
| linux | linux_kernel | >= 0 < 5.3.15-1 | 5.3.15-1 |
| linux | linux_kernel | >= 0 < 5.3.15-1 | 5.3.15-1 |
| linux | linux_kernel | >= 0 < 5.3.15-1 | 5.3.15-1 |
CVSS provenance
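| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 7.8 | HIGH | |
| vendor_debian | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |
| vendor_ubuntu | | 5.5 | MEDIUM | |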
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2020-02-19·CVSS 5.5
CVE-2019-15291 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel did not properly clear data
structures on context switches for certain Intel graphics processors. A
local attacker could use this to expose sensitive information.
(CVE-2019-14615)
It was discovered that the Atheros 802.11ac wireless USB device driver in
the Linux kernel did not properly validate device metadata. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2019-15099)
It was discovered that the HSA Linux kernel driver for AMD GPU devices did
not properly check for errors in certain situations, leading to a NULL
pointer dereference. A local attacker could possibly use this to cause a
denial of ser
Red Hat
kernel: privilege escalation via io_uring offload of sendmsg() onto kernel thread with kernel creds
vendor_redhat·2019-11-25·CVSS 7.8
CVE-2019-19241 [HIGH] CWE-250 kernel: privilege escalation via io_uring offload of sendmsg() onto kernel thread with kernel creds
In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context.
Statement: At this time, no Red Hat Enterprise Linux products ship with support for this feature. There is an outstanding feature request for io_uring to be included with Red Hat Ent
Debian
CVE-2019-19241: linux - In the Linux kernel before 5.4.2, the io_uring feature leads to requests that in...
vendor_debian·2019·CVSS 7.8
CVE-2019-19241 [HIGH] CVE-2019-19241: linux - In the Linux kernel before 5.4.2, the io_uring feature leads to requests that in...
In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context.
Scope: local
bookworm: resolved (fixed in 5.3.15-1)
bullseye: resolved (fixed in 5.3.15-1)
forky: resolved (fixed in 5.3.15-1)
sid: resolved (fixed in 5.3.15-1)
trixie: resolved (fixed in 5.3.15-1)
GHSA
GHSA-wxfp-qr5h-g4wx: In the Linux kernel before 5
ghsa_unreviewed·2022-05-24
CVE-2019-19241 [MEDIUM] GHSA-wxfp-qr5h-g4wx: In the Linux kernel before 5
In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context.
OSV
linux, linux-aws, linux-azure, linux-azure-5.3, linux-gcp, linux-gcp-5.3, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-raspi2-5.3 vulnerabilities
osv·2020-02-19·CVSS 5.5
CVE-2019-14615 [MEDIUM] linux, linux-aws, linux-azure, linux-azure-5.3, linux-gcp, linux-gcp-5.3, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-raspi2-5.3 vulnerabilities
It was discovered that the Linux kernel did not properly clear data
structures on context switches for certain Intel graphics processors. A
local attacker could use this to expose sensitive information.
(CVE-2019-14615)
It was discovered that the Atheros 802.11ac wireless USB device driver in
the Linux kernel did not properly validate device metadata. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2019-15099)
It was discovered that the HSA Linux kernel driver for AMD GPU devices did
not properly check for errors in certain situations, leading to a NULL
pointer dereference. A local at
OSV
CVE-2019-19241: In the Linux kernel before 5
osv·2019-12-17·CVSS 7.8
CVE-2019-19241 [HIGH] CVE-2019-19241: In the Linux kernel before 5
In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context.
No detection rules found.
Bugzilla
CVE-2019-19241 kernel: privilege escalation via io_uring offload of sendmsg() onto kernel thread with kernel creds
bugzilla·2019-12-18·CVSS 7.8
CVE-2019-19241 [HIGH] CVE-2019-19241 kernel: privilege escalation via io_uring offload of sendmsg() onto kernel thread with kernel creds
In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context.
Reference:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1975
Upstream commits:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=181e448d8709e517c9
Bugzilla
CVE-2019-19241 kernel: privilege escalation via io_uring offload of sendmsg() onto kernel thread with kernel creds [fedora-all]
bugzilla·2019-12-18·CVSS 7.8
CVE-2019-19241 [HIGH] CVE-2019-19241 kernel: privilege escalation via io_uring offload of sendmsg() onto kernel thread with kernel creds [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1975
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.2
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=181e448d8709e517c9c7b523fcd209f24eb38ca7
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d69e07793f891524c6bbf1e75b9ae69db4450953
https://security.netapp.com/advisory/ntap-20200103-0001/
https://usn.ubuntu.com/4284-1/
Published: 2019-12-17