Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2019-10639

Disclosure Date: July 05, 2019
CVE-2019-10639
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the attacker’s web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to have a dependency on an address associated with a network namespace.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • linux

Products

  • linux kernel

References

Canonical
CVE-2019-10639 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10639)
Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00025.html
[debian-lts-announce] 20190723 [SECURITY] [DLA 1862-1] linux security update (https://lists.debian.org/debian-lts-announce/2019/07/msg00022.html)
https://security.netapp.com/advisory/ntap-20190806-0001
20190813 [SECURITY] [DSA 4497-1] linux security update (https://seclists.org/bugtraq/2019/Aug/18)
[debian-lts-announce] 20190814 [SECURITY] [DLA 1885-1] linux-4.9 security update (https://lists.debian.org/debian-lts-announce/2019/08/msg00017.html)
https://support.f5.com/csp/article/K32804955
USN-4115-1 (https://usn.ubuntu.com/4115-1)
USN-4118-1 (https://usn.ubuntu.com/4118-1)
https://support.f5.com/csp/article/K32804955?utm_source=f5support&utm_medium=RSS
https://security.netapp.com/advisory/ntap-20190806-0001/
USN-4115-1 (https://usn.ubuntu.com/4115-1/)
USN-4118-1 (https://usn.ubuntu.com/4118-1/)
Miscellaneous
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.8
https://github.com/torvalds/linux/commit/355b98553789b646ed97ad801a619ff898471b92
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=355b98553789b646ed97ad801a619ff898471b92
https://arxiv.org/pdf/1906.10478.pdf
https://www.debian.org/security/2019/dsa-4497
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=355b98553789b646ed97ad801a619ff898471b92
https://www.oracle.com/security-alerts/cpuApr2021.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis