CVE-2019-14284

Impact:
Moderate
Public Date:
2019-07-26
CWE:
CWE-400
Bugzilla:
1734246: CVE-2019-14284 kernel: denial of service in drivers/block/floppy.c by setup_format_params division-by-zero
A vulnerability was found in the Linux kernel's floppy disk driver implementation. A local attacker with access to the floppy disk device file (/dev/fd0 through /dev/fdN) can create a situation that causes the kernel to divide by zero. This requires two consecutive ioctl calls to be issued: the first ioctl call sets the sector and rate values, and the second ioctl call formats the floppy disk to those values. The resulting division by zero panics the host. No floppy media needs to be inserted for this attack to succeed.

Find out more about CVE-2019-14284 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 5
CVSS3 Base Metrics CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality Impact None
Integrity Impact None
Availability Impact High

Affected Packages State

Platform Package State
Red Hat Enterprise MRG 2 kernel-rt Out of support scope
Red Hat Enterprise Linux 8 kernel Will not fix
Red Hat Enterprise Linux 8 kernel-rt Will not fix
Red Hat Enterprise Linux 7 kernel-alt Affected
Red Hat Enterprise Linux 7 kernel Affected
Red Hat Enterprise Linux 7 kernel-rt Affected
Red Hat Enterprise Linux 6 kernel Affected
Red Hat Enterprise Linux 5 kernel Out of support scope
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although they may not have been subject to full analysis.

Mitigation

The kernel module named 'floppy' contains the affected code. It can be blacklisted using the standard module blacklisting techniques, or the floppy controller can be disabled in the system's BIOS. See https://access.redhat.com/solutions/41278 for how to blacklist a kernel module.

For virtualized guest systems, the floppy device can also be removed from the guest's configuration to ensure that the module does not load.
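The blacklisting mitigation above, as an added example that is not part of the Red Hat advisory or its linked solution: a modprobe.d drop-in that stops the 'floppy' module from loading, plus a check against an lsmod listing. The file name blacklist-floppy.conf, the use of /bin/true as the install target, and the sample lsmod output are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the advisory). Assumes modprobe.d(5) semantics;
# the drop-in name and /bin/true target are choices made for this example.

# Write a modprobe.d drop-in. "blacklist" alone only stops alias-based
# autoloading; "install floppy /bin/true" also turns an explicit
# `modprobe floppy` into a no-op, so both directives are written.
write_floppy_blacklist() {
    dir="${1:-/etc/modprobe.d}"
    mkdir -p "$dir"
    cat > "$dir/blacklist-floppy.conf" <<'EOF'
# CVE-2019-14284 mitigation: never load the floppy driver
blacklist floppy
install floppy /bin/true
EOF
}

# Return 0 if the drop-in in directory $1 carries both directives.
floppy_blacklist_ok() {
    f="$1/blacklist-floppy.conf"
    grep -qx 'blacklist floppy' "$f" && grep -qx 'install floppy /bin/true' "$f"
}

# Return 0 if "floppy" is listed in an lsmod-style file $1 (first column,
# header line skipped), 1 otherwise.
floppy_module_loaded() {
    awk 'NR > 1 && $1 == "floppy" { found = 1 } END { exit !found }' "$1"
}

# Constructed sample lsmod output (not captured from a real host) showing
# a system where the module is currently loaded.
sample_lsmod_loaded() {
    printf 'Module                  Size  Used by\n'
    printf 'floppy                 77824  0\n'
    printf 'ext4                  737280  1\n'
}

# On a real host (as root): write the drop-in, unload a loaded module,
# and regenerate the initramfs so the directive is honoured at boot too.
#   write_floppy_blacklist /etc/modprobe.d
#   lsmod > /tmp/lsmod.txt && floppy_module_loaded /tmp/lsmod.txt && rmmod floppy
#   dracut -f
```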
