ASA-2019-00630 – Linux kernel: Wrong locking causes race conditions on streaming stop in vivid driver

An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions when streaming is stopped in this driver (part of the V4L2 subsystem).

ASA-2019-00503 – Wind River VxWorks: TCP Urgent Pointer state confusion due to race condition

A series of segments with and without the URG flag set must arrive with very specific timing while an application on the victim is receiving from the session. The victim must be using an SMP kernel with two or more CPU cores, or alternatively a uni-processor kernel where the receiving task and the network task execute at different priorities. A prerequisite is that the system uses TCP sockets, and that there is at least one TCP session enabled that an attacker can inject traffic into. This vulnerability relies on a race condition between the network task (tNet0) and the receiving application. It is essentially impossible to trigger the race on a system with just a single CPU thread enabled, and there is no way to reliably trigger it on SMP targets. The impact of the vulnerability is a buffer overflow of up to a full TCP receive window (by default 10k-64k depending on the version). The buffer overflow happens in the task calling recv()/recvfrom()/recvmsg(). Applications that pass a buffer equal to or larger than a full TCP window are not susceptible to this attack. Applications passing a stack-allocated variable as the buffer are the easiest to exploit. The most likely outcome is a crash of the application reading from the affected socket. In the worst-case scenario, this vulnerability can potentially lead to RCE.

ASA-2019-00369 – ISC BIND: A race condition when discarding malformed packets can cause BIND to exit with an assertion failure

A race condition which may occur when discarding malformed packets can result in BIND exiting due to a REQUIRE assertion failure in dispatch.c. An attacker who can cause a resolver to perform queries which will be answered by a server which responds with deliberately malformed answers can cause named to exit, denying service to clients.

ASA-2019-00344 – Intel Open Cloud Integrity Technology (Open CIT): A race condition in the agent service

A race condition in the agent service for Open CIT may allow an authenticated user to potentially enable escalation of privilege via local access.

ASA-2019-00273 – Singularity: Namespace privilege escalation and arbitrary file corruption

A malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within /run/singularity/instances/sing//. The manipulation of those files can change the behavior of the starter-suid program when instances are joined, resulting in potential privilege escalation on the host.