CVE-2019-19241
Published: 17 December 2019
In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context.
From the Ubuntu Security Team
It was discovered that the IO uring implementation in the Linux kernel did not properly perform credentials checks in certain situations. A local attacker could possibly use this to gain administrative privileges.
Priority
Status
Package | Release | Status |
---|---|---|
linux
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.13.0-16.19)
|
disco |
Not vulnerable
(4.18.0-10.11)
|
|
eoan |
Released
(5.3.0-40.32)
|
|
focal |
Not vulnerable
(5.4.0-9.12)
|
|
trusty |
Ignored
(was needs-triage ESM criteria)
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Not vulnerable
(4.2.0-16.19)
|
|
Patches:
Introduced by
771b53d033e8663abdf59704806aa856b236dcdb
Introduced by
6c271ce2f1d572f7fa225700a13cfe7ced492434
Introduced by
0fa03c624d8fc9932d0f27c39a9deca6a37e0e17
Introduced by
aa1fa28fc73ea6b740ee7b62bf3b07141883dbb8
|
||
linux-aws
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.15.0-1001.1)
|
disco |
Not vulnerable
(4.18.0-1002.3)
|
|
eoan |
Released
(5.3.0-1011.12)
|
|
focal |
Not vulnerable
(5.4.0-1005.5)
|
|
trusty |
Ignored
(was needs-triage ESM criteria)
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Not vulnerable
(4.4.0-1001.10)
|
|
linux-aws-5.0
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.0.0-1021.24~18.04.1)
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Does not exist
|
|
linux-aws-5.3
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
linux-aws-hwe
Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Not vulnerable
(4.15.0-1030.31~16.04.1)
|
|
linux-azure
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.15.0-1002.2)
|
disco |
Not vulnerable
(4.18.0-1003.3)
|
|
eoan |
Released
(5.3.0-1013.14)
|
|
focal |
Not vulnerable
(5.4.0-1006.6)
|
|
trusty |
Ignored
(was needs-triage ESM criteria)
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Not vulnerable
(4.11.0-1009.9)
|
|
linux-azure-4.15
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
linux-azure-5.3
Launchpad, Ubuntu, Debian |
bionic |
Released
(5.3.0-1013.14~18.04.1)
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Does not exist
|
|
linux-azure-edge
Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of life, was needs-triage)
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Does not exist
|
|
linux-gcp
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.15.0-1001.1)
|
disco |
Not vulnerable
(4.18.0-1002.3)
|
|
eoan |
Released
(5.3.0-1012.13)
|
|
focal |
Not vulnerable
(5.4.0-1005.5)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Not vulnerable
(4.10.0-1004.4)
|
|
linux-gcp-5.3
Launchpad, Ubuntu, Debian |
bionic |
Released
(5.3.0-1012.13~18.04.1)
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Does not exist
|
|
linux-gcp-edge
Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of life, was needs-triage)
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Does not exist
|
|
linux-gke-4.15
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.15.0-1030.32)
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Does not exist
|
|
linux-gke-5.0
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.0.0-1011.11~18.04.1)
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Does not exist
|
|
linux-gke-5.3
Launchpad, Ubuntu, Debian |
bionic |
Released
(5.3.0-1012.13~18.04.1)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Does not exist
|
|
linux-hwe
Launchpad, Ubuntu, Debian |
bionic |
Released
(5.3.0-40.32~18.04.1)
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Not vulnerable
(4.8.0-36.36~16.04.1)
|
|
linux-hwe-edge
Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of life, was needs-triage)
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Ignored
(end of life, was needs-triage)
|
|
linux-kvm
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.15.0-1002.2)
|
disco |
Not vulnerable
(4.18.0-1003.3)
|
|
eoan |
Released
(5.3.0-1010.11)
|
|
focal |
Not vulnerable
(5.4.0-1004.4)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Not vulnerable
(4.4.0-1004.9)
|
|
linux-lts-trusty
Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Does not exist
|
|
linux-lts-xenial
Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Ignored
(was needs-triage ESM criteria)
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Does not exist
|
|
linux-oem
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.15.0-1002.3)
|
disco |
Not vulnerable
(4.15.0-1021.24)
|
|
eoan |
Not vulnerable
(4.15.0-1035.40)
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Ignored
(end of standard support, was needs-triage)
|
|
linux-oem-5.6
Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
eoan |
Does not exist
|
|
focal |
Not vulnerable
(5.6.0-1007.7)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Does not exist
|
|
linux-oem-osp1
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.0.0-1010.11)
|
disco |
Not vulnerable
(5.0.0-1010.11)
|
|
eoan |
Not vulnerable
(5.0.0-1010.11)
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Does not exist
|
|
linux-oracle
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.15.0-1007.9)
|
disco |
Not vulnerable
(4.15.0-1007.9)
|
|
eoan |
Released
(5.3.0-1009.10)
|
|
focal |
Not vulnerable
(5.4.0-1005.5)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Not vulnerable
(4.15.0-1007.9~16.04.1)
|
|
linux-oracle-5.0
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.0.0-1007.12~18.04.1)
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Does not exist
|
|
linux-oracle-5.3
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.3.0-1011.12~18.04.1)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Does not exist
|
|
linux-raspi
Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
eoan |
Does not exist
|
|
focal |
Not vulnerable
(5.4.0-1007.7)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Does not exist
|
|
linux-raspi2
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.13.0-1005.5)
|
disco |
Not vulnerable
(4.18.0-1005.7)
|
|
eoan |
Released
(5.3.0-1018.20)
|
|
focal |
Ignored
(end of life, was needed)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Not vulnerable
(4.2.0-1013.19)
|
|
linux-raspi2-5.3
Launchpad, Ubuntu, Debian |
bionic |
Released
(5.3.0-1018.20~18.04.1)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Does not exist
|
|
linux-riscv
Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
eoan |
Does not exist
|
|
focal |
Not vulnerable
(5.4.0-24.28)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Does not exist
|
|
linux-snapdragon
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.4.0-1077.82)
|
disco |
Not vulnerable
(5.0.0-1010.10)
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.5~rc1)
|
|
xenial |
Not vulnerable
(4.4.0-1012.12)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.8 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1975
- https://git.kernel.org/linus/181e448d8709e517c9c7b523fcd209f24eb38ca7
- https://git.kernel.org/linus/d69e07793f891524c6bbf1e75b9ae69db4450953
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.2
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=181e448d8709e517c9c7b523fcd209f24eb38ca7
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d69e07793f891524c6bbf1e75b9ae69db4450953
- https://ubuntu.com/security/notices/USN-4284-1
- https://www.cve.org/CVERecord?id=CVE-2019-19241
- NVD
- Launchpad
- Debian