CVE-2019-11811 - Use After Free

Severity

70%

Complexity

10%

Confidentiality

98%

An issue was discovered in the Linux kernel before 5.0.4. There is a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c.

An issue was discovered in the Linux kernel before 5.0.4. There is a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c.

CVSS 3.0 Base Score 9.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 9.9. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C).

CVSS 3.1 Base Score 7. CVSS Attack Vector: local. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 6.9. CVSS Attack Vector: local. CVSS Attack Complexity: medium. CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C).

Demo Examples

Use After Free

CWE-416

The following example demonstrates the weakness.


               
}
free(buf3R2);

Use After Free

CWE-416

The following code illustrates a use after free error:


               
}
free(ptr);
logError("operation aborted before commit", ptr);

When an error occurs, the pointer is immediately freed. However, this pointer is later incorrectly used in the logError function.

Overview

First reported 5 years ago

2019-05-07 14:29:00

Last updated 4 years ago

2020-05-06 15:14:00

Affected Software

Linux Kernel

OpenSUSE Leap 15.1

15.1

Red Hat Enterprise Linux (RHEL) 7.0 (7)

7.0

Red Hat Enterprise Linux Advanced mission critical Update Support (AUS) 7.6

7.6

RedHat Enterprise Linux Desktop 7.0

7.0

RedHat Enterprise Linux Server 7.0

7.0

Red Hat Enterprise Linux Server Advanced mission critical Update Support (AUS) 7.4

7.4

Red Hat Enterprise Linux Server TUS 7.4

7.4

Red Hat Enterprise Linux Server Telecommunications Update Service (TUS) 7.6

7.6

RedHat Enterprise Linux Workstation 7.0

7.0

References

openSUSE-SU-2019:1479

108410

RHSA-2019:1873

RHSA-2019:1891

RHSA-2019:1959

RHSA-2019:1971

RHSA-2019:4057

RHSA-2019:4058

RHSA-2020:0036

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.4

Release Notes, Vendor Advisory

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=401e7e88d4ef80188ffa07095ac00456f901b8c4

Patch, Vendor Advisory

https://github.com/torvalds/linux/commit/401e7e88d4ef80188ffa07095ac00456f901b8c4

Patch, Third Party Advisory

https://security.netapp.com/advisory/ntap-20190719-0003/

https://support.f5.com/csp/article/K01512680

openSUSE-SU-2019:1479

Third Party Advisory

108410

Third Party Advisory, VDB Entry

RHSA-2019:1873

Third Party Advisory

RHSA-2019:1891

Third Party Advisory

RHSA-2019:1959

Third Party Advisory

RHSA-2019:1971

Third Party Advisory

RHSA-2019:4057

Third Party Advisory

RHSA-2019:4058

Third Party Advisory

RHSA-2020:0036

Third Party Advisory

https://security.netapp.com/advisory/ntap-20190719-0003/

Third Party Advisory

https://support.f5.com/csp/article/K01512680

Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.