Published: 05/07/2019 Updated: 07/11/2023

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 446

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

The Linux kernel 4.x (starting from 4.1) and 5.x prior to 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to have a dependency on an address associated with a network namespace.

Vulnerable Product	Search on Vulmon	Subscribe to Product
linux linux kernel

Synopsis Important: kernel security, bug fix, and enhancement update Type/Severity Security Advisory: Important Topic An update for kernel is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring S ...

Synopsis Important: kernel security and bug fix update Type/Severity Security Advisory: Important Topic An update for kernel is now available for Red Hat Enterprise Linux 77 Extended Update SupportRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerabili ...

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks CVE-2015-8553 Jan Beulich discovered that CVE-2015-2150 was not completely addressed If a PCI physical function is passed through to a Xen guest, the guest is able to access its memory and I ...

Several security issues were fixed in the Linux kernel ...

USN 4115-1 introduced a regression in the Linux kernel ...

Impact: Moderate Public Date: 2019-07-15 CWE: CWE-331 Bugzilla: 1729933: CVE-2019-10639 kernel: extract ...

CWE-326 https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.8 https://arxiv.org/pdf/1906.10478.pdf https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=355b98553789b646ed97ad801a619ff898471b92 https://github.com/torvalds/linux/commit/355b98553789b646ed97ad801a619ff898471b92 http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00025.html https://lists.debian.org/debian-lts-announce/2019/07/msg00022.html https://security.netapp.com/advisory/ntap-20190806-0001/https://www.debian.org/security/2019/dsa-4497 https://seclists.org/bugtraq/2019/Aug/18 https://lists.debian.org/debian-lts-announce/2019/08/msg00017.html https://support.f5.com/csp/article/K32804955 https://usn.ubuntu.com/4115-1/https://usn.ubuntu.com/4118-1/https://www.oracle.com/security-alerts/cpuApr2021.html https://support.f5.com/csp/article/K32804955?utm_source=f5support&%3Butm_medium=RSS https://access.redhat.com/errata/RHSA-2020:1769 https://nvd.nist.gov https://usn.ubuntu.com/4118-1/https://www.debian.org/security/2019/dsa-4497

CVE-2019-10639

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect