CVE-2019-19534: Infoleak
First published: Mon Nov 04 2019(Updated: )
An information-leak flaw was found in the Linux kernel's pcan USB driver. When a device using this driver connects to the system, the stack information is leaked to the CAN bus, a controller area network for automobiles. The highest threat with this vulnerability is breach of data confidentiality.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-rt | <0:3.10.0-1160.rt56.1131.el7 | 0:3.10.0-1160.rt56.1131.el7 |
| redhat/kernel | <0:3.10.0-1160.el7 | 0:3.10.0-1160.el7 |
| redhat/kernel-rt | <0:4.18.0-193.rt13.51.el8 | 0:4.18.0-193.rt13.51.el8 |
| redhat/kernel | <0:4.18.0-193.el8 | 0:4.18.0-193.el8 |
| Linux Kernel | <5.3.11 | |
| Debian GNU/Linux | =8.0 | |
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =19.04 | |
| Ubuntu Linux | =19.10 | |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.123-1 6.1.128-1 6.12.12-1 6.12.13-1 | |
| Debian | =8.0 | |
| Ubuntu | =14.04 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =19.04 | |
| Ubuntu | =19.10 |
Remedy
As the devices module will be auto-loaded when the USB CAN bus adapter is connected, its can be disabled by preventing the module from loading with the following instructions: # echo "install peak_usb /bin/true" >> /etc/modprobe.d/disable-peak-usb-canbus.conf The system will need to be restarted if the peak_usb module is already loaded. In most circumstances, the kernel modules will be unable to be unloaded while any CAN bus interfaces are active and the protocol is in use. If the system requires this module to work correctly, this mitigation may not be suitable. If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-19534 https://nvd.nist.gov/vuln/detail/CVE-2019-19534
- https://bugzilla.redhat.com/show_bug.cgi?id=1783540
- https://access.redhat.com/errata/RHSA-2020:4062
- https://access.redhat.com/errata/RHSA-2020:4060
- https://access.redhat.com/errata/RHSA-2020:1567
- https://access.redhat.com/errata/RHSA-2020:1769
- https://access.redhat.com/security/cve/cve-2019-19534
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00029.html
- http://www.openwall.com/lists/oss-security/2019/12/03/4
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.11
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f7a1337f0d29b98733c8824e165fca3371d7d4fd
- https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html
- https://lists.debian.org/debian-lts-announce/2020/03/msg00001.html
- https://usn.ubuntu.com/4225-1/
- https://usn.ubuntu.com/4225-2/
- https://usn.ubuntu.com/4226-1/
- https://usn.ubuntu.com/4227-1/
- https://usn.ubuntu.com/4227-2/
- https://usn.ubuntu.com/4228-1/
- https://usn.ubuntu.com/4228-2/
- https://launchpad.net/bugs/cve/CVE-2019-19534
- http://seclists.org/oss-sec/2019/q4/115
- https://www.openwall.com/lists/oss-security/2019/12/03/4
- https://access.redhat.com/solutions/41278
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1796101
- https://git.kernel.org/linus/f7a1337f0d29b98733c8824e165fca3371d7d4fd
- https://security-tracker.debian.org/tracker/CVE-2019-19534
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19534
- https://nvd.nist.gov/vuln/detail/CVE-2019-19534
- https://ubuntu.com/security/CVE-2019-19534
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2019-19534?
The severity of CVE-2019-19534 is high due to its potential to breach data confidentiality.
How do I fix CVE-2019-19534?
To fix CVE-2019-19534, update your kernel to the recommended versions specified in the security advisories.
Which software versions are affected by CVE-2019-19534?
CVE-2019-19534 affects various versions of the Linux kernel, specifically those prior to version 5.3.11 and certain Red Hat kernel versions.
What type of vulnerability is CVE-2019-19534?
CVE-2019-19534 is an information-leak vulnerability found in the Linux kernel's pcan USB driver.
Who is impacted by CVE-2019-19534?
Users and systems using affected versions of the Linux kernel with the pcan USB driver are impacted by CVE-2019-19534.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-19534
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/references
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/trending
- agent/last-modified-date
- agent/source
- agent/event
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/nvd-index
- package-manager/redhat
- vendor/linux
- canonical/linux kernel
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/8.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/14.04
- version/ubuntu linux/16.04
- version/ubuntu linux/18.04
- version/ubuntu linux/19.04
- version/ubuntu linux/19.10
- package-manager/debian
- canonical/debian
- version/debian/8.0
- canonical/ubuntu
- version/ubuntu/14.04
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/19.04
- version/ubuntu/19.10