Security Bulletin
Summary
Kernel is used by IBM Netezza Host Management. This bulletin provides mitigation for the reported CVEs.
Vulnerability Details
CVEID: CVE-2019-19051
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the i2400m_op_rfkill_sw_toggle() function in drivers/net/wimax/i2400m/op-rfkill.c. A remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171759 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2019-19055
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c. A remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171763 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| IBM Netezza Host Management | All IBM Netezza Host Management starting 5.4.9.0 |
Remediation/Fixes
None
Workarounds and Mitigations
Mitigation of the reported CVEs : CVE-2019-19051, CVE-2019-19055 blocklisting kernel modules i2400m, cfg80211 to prevent them from loading automatically on PureData System for Analytics N200x and N3001 is as follows:
1. Change to user nz:
[root@nzhost1 ~]# su – nz
2. Check to see if Call Home is enabled:
[nz@nzhost1 ~]$ nzcallhome -status
If enabled, disable it:
[nz@nzhost1 ~]$ nzcallhome –off
Note: Ensure that nzcallhome returns status as disabled. If there are errors in the callHome.txt configuration file, errors are listed in the output, and call-Home is disabled.
3. Check the state of the Netezza system:
[nz@nzhost1 ~]$ nzstate
4. If the system state is online, stop the system using the command:
[nz@nzhost1 ~]$ nzstop
5. Wait for the system to stop, using the command:
[nz@nzhos1t ~]$ nzstate
System state is 'Stopped'.
6. Exit from the nz session to return to user root:
[nz@nzhost1 ~]$ exit
7. Logged into the active host as root, type the following commands to stop the heartbeat processes:
[root@nzhost1 ~]# ssh ha2 /sbin/service heartbeat stop
[root@nzhost1 ~]# /sbin/service heartbeat stop
8. Run below commands as a root user to disable heartbeat from startup:
[root@nzhost1 ~]# ssh ha2 /sbin/chkconfig heartbeat off
[root@nzhost1 ~]# /sbin/chkconfig heartbeat off
9. Type the following commands to stop the DRBD processes:
[root@nzhost1 ~]# ssh ha2 /sbin/service drbd stop
[root@nzhost1 ~]# /sbin/service drbd stop
10. Run below commands as a root user to disable drbd from startup:
[root@nzhost1 ~]# ssh ha2 /sbin/chkconfig drbd off
[root@nzhost1 ~]# /sbin/chkconfig drbd off
Execute below steps using "root" user on both ha1/ha2 hosts
Step 1: Check if kernel modules i2400m, cfg80211 are loaded in the hosts
lsmod | grep i2400m
lsmod | grep cfg80211
example:
[root@ nzhost1 ~]# lsmod | grep i2400m
i2400m 85954 0
wimax 27043 1 i2400m
[root@ nzhost1 ~]# lsmod | grep cfg80211
cfg80211 699840 0
rfkill 19319 2 cfg80211,wimax
Note: No output on Step 1 for any module indicates, that module is not loaded hence skip Step 2 for that module, and proceed with Step 3
Step 2: Unload kernel modules are i2400m, cfg80211 if they are loaded
modprobe -rv i2400m
modprobe -rv cfg80211
example:
[root@nzhost1 ~]# modprobe -rv i2400m
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/drivers/net/wimax/i2400m/i2400m.ko
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/net/wimax/wimax.ko
[root@nzhost1 ~]# modprobe -rv cfg80211
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/net/wireless/cfg80211.ko
rmmod /lib/modules/2.6.32-754.35.1.el6.x86_64/kernel/net/rfkill/rfkill.ko
Kernel modules and their dependent modules will be unloaded in the reverse order that they are loaded, given that no processes depend on any of the modules being unloaded.
Step 3: To prevent modules from being loaded directly you add the blocklist line to a configuration file specific to the system configuration.
echo "blocklist i2400m" >> /etc/modprobe.d/local-blocklist.conf
echo "blocklist cfg80211" >> /etc/modprobe.d/local-blocklist.conf
example :
[root@nzhost1 ~]# echo "blocklist i2400m" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# echo "blocklist cfg80211" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep i2400m
blocklist i2400m
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep cfg80211
blocklist cfg80211
Step 4: Kernel modules can be loaded directly or loaded as a dependency from another module
To prevent installation as a dependency from another module follow below step:
echo "install i2400m /bin/false" >> /etc/modprobe.d/local-blocklist.conf
echo "install cfg80211 /bin/false" >> /etc/modprobe.d/local-blocklist.conf
example:
[root@nzhost1 ~]# echo "install i2400m /bin/false" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# echo "install cfg80211 /bin/false" >> /etc/modprobe.d/local-blocklist.conf
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep i2400m
blocklist i2400m
install i2400m /bin/false
[root@nzhost1 ~]# cat /etc/modprobe.d/local-blocklist.conf | grep cfg80211
blocklist cfg80211
install cfg80211 /bin/false
The install line simply causes /bin/false to be run instead of installing a module.
Step 5: Make a backup copy of your initramfs.
cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak
Example:
[root@nzhost1 ~]# cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak
[root@nzhost1 ~]# uname -r
2.6.32-754.35.1.el6.x86_64
[root@nzhost1 ~]# ll /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img.10-29-030600.bak
-rw------- 1 root root 22553648 Oct 29 03:06 /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img.10-29-030600.bak
Step 6: If the kernel module is part of the initramfs (boot configuration), rebuild your initial ramdisk image, omitting the module to be avoided
dracut --omit-drivers i2400m -f
dracut --omit-drivers cfg80211 -f
example:
[root@nzhost1 ~]# dracut --omit-drivers i2400m -f
[root@nzhost1 ~]# dracut --omit-drivers cfg80211 -f
[root@nzhost1 ~]# lsinitrd /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img | grep i2400m
[root@nzhost1 ~]# lsinitrd /boot/initramfs-2.6.32-754.35.1.el6.x86_64.img | grep cfg80211
Step 7: Append module_name.blocklist to the kernel cmdline. We give it an invalid parameter of blocklist and set it to 1 as a way to preclude the kernel from loading it.
sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ i2400m.blocklist=1/' /etc/grub.conf
sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ cfg80211.blocklist=1/' /etc/grub.conf
example :
[root@nzhost1 ~]# sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ i2400m.blocklist=1/' /etc/grub.conf
[root@nzhost1 ~]# sed --follow-symlinks -i '/\s*kernel \/vmlinuz/s/$/ cfg80211.blocklist=1/' /etc/grub.conf
Step 8: blocklist the kernel module in kdump's configuration file.
echo "blocklist i2400m" >> /etc/kdump.conf
echo "blocklist cfg80211" >> /etc/kdump.conf
example:
[root@nzhost1 ~]# echo "blocklist i2400m" >> /etc/kdump.conf
[root@nzhost1 ~]# echo "blocklist cfg80211" >> /etc/kdump.conf
[root@nzhost1 ~]# cat /etc/kdump.conf | grep i2400m
blocklist i2400m
[root@nzhost1 ~]# cat /etc/kdump.conf | grep cfg80211
blocklist cfg80211
Note: Perform Step 9 if kexec-tools is installed and kdump is configured else continue with Step 10.
Perform below commands to check if kexec-tools is installed and Kdump is operational
[root@nzhost1 ~]# rpm -qa | grep kexec-tools
[root@nzhost1 ~]# service kdump status
Step 9: Restart the kdump service to pick up the changes to kdump's initrd.
service kdump restart
example:
[root@nzhost1 ~]# service kdump restart
Stopping kdump: [ OK ]
Detected change(s) the following file(s):
/etc/kdump.conf
Rebuilding /boot/initrd-2.6.32-754.31.1.el6.x86_64kdump.img
Starting kdump: [ OK ]
Step 10: Reboot the system at a convenient time to have the changes take effect.
Make sure the secondary host is up by pinging or logging in before rebooting the primary host.
/sbin/shutdown -r now
example:
[root@nzhost1 ~]# /sbin/shutdown -r now
Make sure the primary server comes up and is reachable before performing Mitigation steps on the secondary server.
After applying the mitigation:
1. Start the services using following:
[root@nzhost1 ~]# service heartbeat start
[root@nzhost1 ~]# ssh ha2 service heartbeat start
[root@nzhost1 ~]# service drbd start
[root@nzhost1 ~]# ssh ha2 service drbd start
2. Check the stat of the system. Type:
[root@nzhost1 ~]# crm_mon -i5
Result: When the cluster manager comes up and is ready, status appears as follows.
Make sure that nzinit has started before you proceed. (This could take a few minutes.)
Node: nps61074 (e890696b-ab7b-42c0-9e91-4c1cdacbe3f9): online
Node: nps61068 (72043b2e-9217-4666-be6f-79923aef2958): online
Resource Group: nps
drbd_exphome_device(heartbeat:drbddisk): Started nps61074
drbd_nz_device(heartbeat:drbddisk): Started nps61074
exphome_filesystem(heartbeat::ocf:Filesystem): Started nps61074
nz_filesystem (heartbeat::ocf:Filesystem): Started nps61074
fabric_ip (heartbeat::ocf:IPaddr): Started nps61074
wall_ip (heartbeat::ocf:IPaddr): Started nps61074
nzinit (lsb:nzinit): Started nps61074
fencing_route_to_ha1(stonith:apcmaster): Started nps61074
fencing_route_to_ha2(stonith:apcmaster): Started nps61068
3. From host 1 (ha1), press Ctrl+C to break out of crm_mon.
4. Turn on heartbeat and DRBD using the chkconfig:
ssh ha2 /sbin/chkconfig drbd on
/sbin/chkconfig drbd on
ssh ha2 /sbin/chkconfig heartbeat on
/sbin/chkconfig heartbeat on
Get Notified about Future Security Bulletins
References
Acknowledgement
Change History
29 Oct 2020: Original Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
More support for:
IBM PureData System
Software version:
All Versions
Document number:
6357033
Modified date:
29 October 2020
UID
ibm16357033