First published: Fri Jul 26 2019
A vulnerability was found in the Linux kernel's floppy disk driver. A local attacker with access to the floppy device could call set_geometry in drivers/block/floppy.c, which does not validate the sect and head fields, causing an integer overflow and an out-of-bounds read. This flaw may crash the system or allow an attacker to gather information that could enable subsequent attacks.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-rt | <0:3.10.0-1127.rt56.1093.el7 | 0:3.10.0-1127.rt56.1093.el7 |
| redhat/kernel | <0:3.10.0-1127.el7 | 0:3.10.0-1127.el7 |
| redhat/kernel | <0:3.10.0-1062.26.1.el7 | 0:3.10.0-1062.26.1.el7 |
| IBM Data Risk Manager | <=2.0.6 | |
| Linux Kernel | <5.2.3 | |
| debian/linux | 5.10.223-1 5.10.234-1 6.1.129-1 6.1.128-1 6.12.20-1 6.12.21-1 | |
The affected code lives in the kernel module named 'floppy'. Until a fixed kernel is installed, the module can be blacklisted using the standard blacklisting techniques, or the floppy controller can be disabled in the system's BIOS. See https://access.redhat.com/solutions/41278 for how to blacklist a kernel module. For virtualized guests, the floppy device can also be removed from the guest's configuration so that the module never loads.
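As an added example (not part of the advisory or of Red Hat's documentation), a POSIX shell script that applies and verifies the blacklist mitigation described above. The modprobe.d directory is a parameter so the check can be exercised against a scratch directory without root; the built-in-kernel check assumes that a built-in floppy driver still exposes /sys/module/floppy.

```shell
#!/bin/sh
# Added example: inspect and mitigate the 'floppy' module on a host.

# Report whether the floppy driver is currently loaded as a module.
floppy_loaded() {
    grep -q '^floppy ' /proc/modules 2>/dev/null
}

# Write a modprobe.d fragment that blacklists the module and overrides its
# install command, so both alias-based autoloading and an explicit
# 'modprobe floppy' fail. Prints the path of the written file.
write_floppy_blacklist() {
    conf_dir="${1:-/etc/modprobe.d}"
    conf_file="$conf_dir/blacklist-floppy.conf"
    mkdir -p "$conf_dir" || return 1
    printf '%s\n' \
        '# CVE-2019-14283 mitigation: keep the floppy driver out of the kernel' \
        'blacklist floppy' \
        'install floppy /bin/false' > "$conf_file" || return 1
    printf '%s\n' "$conf_file"
}

# Succeed only when a fragment carries both directives.
blacklist_is_complete() {
    grep -q '^blacklist floppy$' "$1" && grep -q '^install floppy /bin/false$' "$1"
}

# Real-host usage (as root): ./floppy-mitigate.sh --apply
# Guarded so that sourcing the file for its functions has no side effects.
if [ "${1:-}" = "--apply" ]; then
    f=$(write_floppy_blacklist) && blacklist_is_complete "$f" && echo "wrote $f"
    floppy_loaded && rmmod floppy && echo "unloaded floppy"
    # A driver compiled into the kernel (not a module) is not affected by
    # modprobe.d; in that case only a kernel update or BIOS setting helps.
    if [ -d /sys/module/floppy ] && ! floppy_loaded; then
        echo "note: floppy appears built into this kernel; blacklist has no effect"
    fi
fi
```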
CVE-2019-14283 is classified as a high severity vulnerability due to the potential for local attackers to exploit it.
To fix CVE-2019-14283, update your Linux kernel to a version that addresses this vulnerability.
CVE-2019-14283 affects versions of the Linux kernel prior to 5.2.3.
CVE-2019-14283 requires local access to the vulnerable system and cannot be exploited remotely.
CVE-2019-14283 impacts systems running specific versions of the Linux kernel and the IBM Data Risk Manager.