https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.10/commit/?id=e20f20aaed6b6d2fd1667bad9be9ef35103a51df

https://www.codeaurora.org/issues-tsc-tspp2-and-buspm-drivers-cve-2015-0573-cve-2016-2441-cve-2016-2442

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - It was found that the parse_rock_ridge_inode_internal()     function of the Linux kernel's ISOFS implementation did     not correctly check relocated directories when     processing Rock Ridge child link (CL) tags. An attacker     with physical access to the system could use a     specially crafted ISO image to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-5472i1/4%0

  - An issue was discovered in the Linux kernel's F2FS     filesystem code. An out-of-bounds access vulnerability     is possible the in __remove_dirty_segment() in     fs/f2fs/segment.c function when mounting a crafted f2fs     image.(CVE-2018-14614i1/4%0

  - Race condition in kernel/events/core.c in the Linux     kernel before 4.4 allows local users to gain privileges     or cause a denial of service via use-after-free     vulnerability by leveraging incorrect handling of an     swevent data structure during a CPU unplug     operation.(CVE-2015-8963i1/4%0

  - The skbs processed by ip_cmsg_recv() are not guaranteed     to be linear (e.g. when sending UDP packets over     loopback with MSGMORE). Using csum_partial() on     potentially the whole skb len is dangerous instead be     on the safe side and use skb_checksum(). This may lead     to an infoleak as the kernel memory may be checksummed     and sent as part of the packet.(CVE-2017-6347i1/4%0

  - The apic_get_tmcct function in arch/x86/kvm/lapic.c in     the KVM subsystem in the Linux kernel through 3.12.5     allows guest OS users to cause a denial of service     (divide-by-zero error and host OS crash) via crafted     modifications of the TMICT value.(CVE-2013-6367i1/4%0

  - A use-after-free issue was found in the way the Linux     kernel's KVM hypervisor processed posted interrupts     when nested(=1) virtualization is enabled. In     nested_get_vmcs12_pages(), in case of an error while     processing posted interrupt address, it unmaps the     'pi_desc_page' without resetting 'pi_desc' descriptor     address, which is later used in pi_test_and_clear_on().
    A guest user/process could use this flaw to crash the     host kernel resulting in DoS or potentially gain     privileged access to a system.(CVE-2018-16882i1/4%0

  - It was discovered that the atl2_probe() function in the     Atheros L2 Ethernet driver in the Linux kernel     incorrectly enabled scatter/gather I/O. A remote     attacker could use this flaw to obtain potentially     sensitive information from the kernel     memory.(CVE-2016-2117i1/4%0

  - A flaw was found in the way the nft_flush_table()     function of the Linux kernel's netfilter tables     implementation flushed rules that were referencing     deleted chains. A local user who has the CAP_NET_ADMIN     capability could use this flaw to crash the     system.(CVE-2015-1573i1/4%0

  - The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2186i1/4%0

  - It was found that KVM's Write to Model Specific     Register (WRMSR) instruction emulation would write     non-canonical values passed in by the guest to certain     MSRs in the host's context. A privileged guest user     could use this flaw to crash the host.(CVE-2014-3610i1/4%0

  - The BPF_S_ANC_NLATTR_NEST extension implementation in     the sk_run_filter function in net/core/filter.c in the     Linux kernel through 3.14.3 uses the reverse order in a     certain subtraction, which allows local users to cause     a denial of service (over-read and system crash) via     crafted BPF instructions. NOTE: the affected code was     moved to the __skb_get_nlattr_nest function before the     vulnerability was announced.(CVE-2014-3145i1/4%0

  - The yam_ioctl function in drivers/net/hamradio/yam.c in     the Linux kernel before 3.12.8 does not initialize a     certain structure member, which allows local users to     obtain sensitive information from kernel memory by     leveraging the CAP_NET_ADMIN capability for an     SIOCYAMGCFG ioctl call.(CVE-2014-1446i1/4%0

  - A race condition flaw was found in the N_HLDC Linux     kernel driver when accessing n_hdlc.tbuf list that can     lead to double free. A local, unprivileged user able to     set the HDLC line discipline on the tty device could     use this flaw to increase their privileges on the     system.(CVE-2017-2636i1/4%0

  - A flaw was found in the way Linux kernel's Transparent     Huge Pages (THP) implementation handled non-huge page     migration. A local, unprivileged user could use this     flaw to crash the kernel by migrating transparent     hugepages.(CVE-2014-3940i1/4%0

  - A security flaw was found in the     chap_server_compute_md5() function in the ISCSI target     code in the Linux kernel in a way an authentication     request from an ISCSI initiator is processed. An     unauthenticated remote attacker can cause a stack     buffer overflow and smash up to 17 bytes of the stack.
    The attack requires the iSCSI target to be enabled on     the victim host. Depending on how the target's code was     built (i.e. depending on a compiler, compile flags and     hardware architecture) an attack may lead to a system     crash and thus to a denial of service or possibly to a     non-authorized access to data exported by an iSCSI     target. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is highly unlikely.(CVE-2018-14633i1/4%0

  - A vulnerability was found in the Linux kernel where     filesystems mounted with data=ordered mode may allow an     attacker to read stale data from recently allocated     blocks in new files after a system 'reset' by abusing     ext4 mechanics of delayed allocation.(CVE-2017-7495i1/4%0

  - drivers/media/platform/msm/broadcast/tsc.c in the TSC     driver for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, allows attackers to cause a     denial of service (invalid pointer dereference) or     possibly have unspecified other impact via a crafted     application that makes a TSC_GET_CARD_STATUS ioctl     call.(CVE-2015-0573i1/4%0

  - It was found that the unlink and rename functionality     in overlayfs did not verify the upper dentry for     staleness. A local, unprivileged user could use the     rename syscall on overlayfs on top of xfs to panic or     crash the system.(CVE-2016-6197i1/4%0

  - In net/socket.c in the Linux kernel through 4.17.1,     there is a race condition between fchownat and close in     cases where they target the same socket file     descriptor, related to the sock_close and     sockfs_setattr functions. fchownat does not increment     the file descriptor reference count, which allows close     to set the socket to NULL during fchownat's execution,     leading to a NULL pointer dereference and system     crash.(CVE-2018-12232i1/4%0

  - The ath9k_htc_set_bssid_mask function in     drivers/net/wireless/ath/ath9k/htc_drv_main.c in the     Linux kernel through 3.12 uses a BSSID masking approach     to determine the set of MAC addresses on which a Wi-Fi     device is listening, which allows remote attackers to     discover the original MAC address after spoofing by     sending a series of packets to MAC addresses with     certain bit manipulations.(CVE-2013-4579i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

CVE-2015-0573

HIGH

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high