CVE-2019-15239

Published: Aug 20, 2019Modified: Nov 21, 2024

7.8

Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to be fixed by backporting. Specifically, by adding to a write queue between disconnection and re-connection, a local attacker can trigger multiple use-after-free conditions. This can result in a kernel crash, or potentially in privilege escalation. NOTE: this affects (for example) Linux distributions that use 4.9.x longterm kernels before 4.9.190 or 4.14.x longterm kernels before 4.14.139.

Affected (3)

Products: Linux: Linux Kernel · Debian: Debian Linux

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Linux Linux Kernel	Version 4.16.12

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 9.0

Related CWEs

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

References (20)

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html

Source: cve@mitre.org

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html

Source: cve@mitre.org

https://access.redhat.com/errata/RHSA-2019:3978

Source: cve@mitre.org

https://access.redhat.com/errata/RHSA-2019:3979

Source: cve@mitre.org

https://access.redhat.com/errata/RHSA-2020:0027

Source: cve@mitre.org

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7f582b248d0a86bae5788c548d7bb5bca6f7691a

Source: cve@mitre.org

Patch

https://lore.kernel.org/stable/41a61a2f87691d2bc839f26cdfe6f5ff2f51e472.camel%40decadent.org.uk/

Source: cve@mitre.org

https://pulsesecurity.co.nz/advisories/linux-kernel-4.9-tcpsocketsuaf

Source: cve@mitre.org

ExploitThird Party Advisory

https://salsa.debian.org/kernel-team/kernel-sec/blob/f6273af2d956a87296b6b60379d0a186c9be4bbc/active/CVE-2019-15239

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2019/dsa-4497

Source: cve@mitre.org

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://access.redhat.com/errata/RHSA-2019:3978

Source: af854a3a-2127-422b-91ae-364da2661108

https://access.redhat.com/errata/RHSA-2019:3979

Source: af854a3a-2127-422b-91ae-364da2661108

https://access.redhat.com/errata/RHSA-2020:0027

Source: af854a3a-2127-422b-91ae-364da2661108

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7f582b248d0a86bae5788c548d7bb5bca6f7691a

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://lore.kernel.org/stable/41a61a2f87691d2bc839f26cdfe6f5ff2f51e472.camel%40decadent.org.uk/

Source: af854a3a-2127-422b-91ae-364da2661108

https://pulsesecurity.co.nz/advisories/linux-kernel-4.9-tcpsocketsuaf

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://salsa.debian.org/kernel-team/kernel-sec/blob/f6273af2d956a87296b6b60379d0a186c9be4bbc/active/CVE-2019-15239

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2019/dsa-4497

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.