CVE-2019-18683

An issue was discovered in drivers/media/platform/vivid in the Linux kernel through 5.3.8. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free.

CVSS v3.0 7.0 HIGH
CVSS v2.0 6.9 MEDIUM

7.0^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.9^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 3.4 / Impact : 10.0

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://www.openwall.com/lists/oss-security/2019/11/02/1	Exploit Mailing List Third Party Advisory
https://lore.kernel.org/lkml/20191103221719.27118-1-alex.popov@linux.com/	Patch Vendor Advisory
http://www.openwall.com/lists/oss-security/2019/11/05/1	Exploit Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20191205-0001/	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00029.html	Mailing List Third Party Advisory
https://seclists.org/bugtraq/2020/Jan/10	Mailing List Patch Third Party Advisory
http://packetstormsecurity.com/files/155890/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html	Third Party Advisory VDB Entry
https://usn.ubuntu.com/4254-1/	Third Party Advisory
https://usn.ubuntu.com/4254-2/	Third Party Advisory
https://usn.ubuntu.com/4258-1/	Third Party Advisory
https://usn.ubuntu.com/4287-1/	Third Party Advisory
https://usn.ubuntu.com/4287-2/	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/03/msg00001.html	Mailing List Third Party Advisory
https://usn.ubuntu.com/4284-1/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:19.10:::::::*

Configuration 3 (hide)

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 4 (hide)

OR	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
	cpe:2.3:a:netapp:cloud_backup:-:::::::*
	cpe:2.3:a:netapp:data_availability_services:-:::::::*
	cpe:2.3:a:netapp:e-series_santricity_os_controller::::::::
	cpe:2.3:a:netapp:element_software:-:::::::*
	cpe:2.3:a:netapp:hci_management_node:-:::::::*
	cpe:2.3:a:netapp:solidfire:-:::::::*
	cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:::::::*

Configuration 5 (hide)

cpe:2.3:o:broadcom:fabric_operating_system:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:netapp:a700s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:a700s:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:netapp:8300_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:8300:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:netapp:8700_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:8700:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:netapp:a400_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:a400:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:netapp:h610s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h610s:-:*:*:*:*:*:*:*

Configuration 11 (hide)

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Information

Published : 2019-11-04 08:15

Updated : 2022-04-18 08:46

NVD link : CVE-2019-18683

Mitre link : CVE-2019-18683

JSON object : View

CWE

CWE-416

Use After Free

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Products Affected

netapp

cloud_backup
a400_firmware
h610s_firmware
active_iq_unified_manager
steelstore_cloud_integrated_storage
h610s
a400
data_availability_services
e-series_santricity_os_controller
8700
element_software
solidfire
8700_firmware
8300_firmware
8300
a700s
a700s_firmware
hci_management_node

canonical

ubuntu_linux

linux

linux_kernel

debian

debian_linux

broadcom

fabric_operating_system

opensuse

leap

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://www.openwall.com/lists/oss-security/2019/11/02/1", "name": "https://www.openwall.com/lists/oss-security/2019/11/02/1", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://lore.kernel.org/lkml/20191103221719.27118-1-alex.popov@linux.com/", "name": "https://lore.kernel.org/lkml/20191103221719.27118-1-alex.popov@linux.com/", "tags": ["Patch", "Vendor Advisory"], "refsource": "MISC"}, {"url": "http://www.openwall.com/lists/oss-security/2019/11/05/1", "name": "[oss-security] 20191105 Re: [ Linux kernel ] Exploitable bugs in drivers/media/platform/vivid", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://security.netapp.com/advisory/ntap-20191205-0001/", "name": "https://security.netapp.com/advisory/ntap-20191205-0001/", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00029.html", "name": "openSUSE-SU-2019:2675", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "SUSE"}, {"url": "https://seclists.org/bugtraq/2020/Jan/10", "name": "20200109 [slackware-security] Slackware 14.2 kernel (SSA:2020-008-01)", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "refsource": "BUGTRAQ"}, {"url": "http://packetstormsecurity.com/files/155890/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html", "name": "http://packetstormsecurity.com/files/155890/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "MISC"}, {"url": "https://usn.ubuntu.com/4254-1/", "name": "USN-4254-1", "tags": ["Third Party Advisory"], "refsource": "UBUNTU"}, {"url": "https://usn.ubuntu.com/4254-2/", "name": "USN-4254-2", "tags": ["Third Party Advisory"], "refsource": "UBUNTU"}, {"url": "https://usn.ubuntu.com/4258-1/", "name": "USN-4258-1", "tags": ["Third Party Advisory"], "refsource": "UBUNTU"}, {"url": "https://usn.ubuntu.com/4287-1/", "name": "USN-4287-1", "tags": ["Third Party Advisory"], "refsource": "UBUNTU"}, {"url": "https://usn.ubuntu.com/4287-2/", "name": "USN-4287-2", "tags": ["Third Party Advisory"], "refsource": "UBUNTU"}, {"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00001.html", "name": "[debian-lts-announce] 20200302 [SECURITY] [DLA 2114-1] linux-4.9 security update", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://usn.ubuntu.com/4284-1/", "name": "USN-4284-1", "tags": ["Third Party Advisory"], "refsource": "UBUNTU"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "An issue was discovered in drivers/media/platform/vivid in the Linux kernel through 5.3.8. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-416"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2019-18683", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 10.0, "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}}, "publishedDate": "2019-11-04T16:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "5.3.8"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netapp:data_availability_services:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "11.70.1", "versionStartIncluding": "11.0.0"}, {"cpe23Uri": "cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:broadcom:fabric_operating_system:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:netapp:a700s_firmware:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:netapp:a700s:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:netapp:8300_firmware:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:netapp:8300:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:netapp:8700_firmware:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:netapp:8700:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:netapp:a400_firmware:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:netapp:a400:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:netapp:h610s_firmware:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:netapp:h610s:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-04-18T15:46Z"}

7.0 /10