http://source.android.com/security/bulletin/2016-08-01.html

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):A flaw was found in Linux     kernel in the ext4 filesystem code. A use-after-free is     possible in ext4_ext_remove_space() function when     mounting and operating a crafted ext4     image.(CVE-2018-10876)A flaw was found in the Linux     kernel. A use-after-free was found in the way the     console subsystem was using ioctls KDGKBSENT and     KDSKBSENT. A local user could use this flaw to get read     memory access out of bounds. The highest threat from     this vulnerability is to data     confidentiality.(CVE-2020-25656)A flaw was found in the     way RTAS handled memory accesses in userspace to kernel     communication. On a locked down (usually due to Secure     Boot) guest system running on top of PowerVM or KVM     hypervisors (pseries platform) a root like local user     could use this flaw to further increase their     privileges to that of a running     kernel.(CVE-2020-27777)A information disclosure     vulnerability in the Upstream kernel encrypted-keys.
    Product: Android. Versions: Android kernel. Android ID:
    A-70526974.(CVE-2017-13305)A race condition was found     in the Linux kernels implementation of the floppy disk     drive controller driver software. The impact of this     issue is lessened by the fact that the default     permissions on the floppy device (/dev/fd0) are     restricted to root. If the permissions on the device     have changed the impact changes greatly. In the default     configuration root (or equivalent) permissions are     required to attack this flaw.(CVE-2021-20261)An issue     was discovered in dlpar_parse_cc_property in     arch/powerpc/platforms/pseries/dlpar.c in the Linux     kernel through 5.1.6. There is an unchecked kstrdup of     prop->name, which might allow an attacker to cause a     denial of service (NULL pointer dereference and system     crash).(CVE-2019-12614)An issue was discovered in     fs/xfs/xfs_icache.c in the Linux kernel through 4.17.3.
    There is a NULL pointer dereference and panic in     lookup_slow() on a NULL inode->i_ops pointer when doing     pathwalks on a corrupted xfs image. This occurs because     of a lack of proper validation that cached inodes are     free during allocation.(CVE-2018-13093)An issue was     discovered in rds_tcp_kill_sock in net/rds/tcp.c in the     Linux kernel before 5.0.8. There is a race condition     leading to a use-after-free, related to net namespace     cleanup.(CVE-2019-11815)An issue was discovered in the     Linux kernel through 5.11.3. A kernel pointer leak can     be used to determine the address of the iscsi_transport     structure. When an iSCSI transport is registered with     the iSCSI subsystem, the transport's handle is     available to unprivileged users via the sysfs file     system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)An issue was     discovered in the Linux kernel through 5.11.3. Certain     iSCSI data structures do not have appropriate length     constraints or checks, and can exceed the PAGE_SIZE     value. An unprivileged user can send a Netlink message     that is associated with iSCSI, and has a length up to     the maximum length of a Netlink     message.(CVE-2021-27365)An issue was discovered in the     Linux kernel through 5.11.3.
    drivers/scsi/scsi_transport_iscsi.c is adversely     affected by the ability of an unprivileged user to     craft Netlink messages.(CVE-2021-27364)An issue was     discovered in yurex_read in drivers/usb/misc/yurex.c in     the Linux kernel before 4.17.7. Local attackers could     use user access read/writes with incorrect bounds     checking in the yurex USB driver to crash the kernel or     potentially escalate     privileges.(CVE-2018-16276)drivers/infiniband/core/ucma     .c in the Linux kernel through 4.17.11 allows     ucma_leave_multicast to access a certain data structure     after a cleanup step in ucma_process_join, which allows     attackers to cause a denial of service     (use-after-free).(CVE-2018-14734)In create_pinctrl of     core.c, there is a possible out of bounds read due to a     use after free. This could lead to local information     disclosure with no additional execution privileges     needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-140550171(CVE-2020-0427)In     do_epoll_ctl and ep_loop_check_proc of eventpoll.c,     there is a possible use after free due to a logic     error. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-147802478References: Upstream kernel(CVE-2020-0466)In     fs/ocfs2/cluster/ nodemanager.c in the Linux kernel     before 4.15, local users can cause a denial of service     (NULL pointer dereference and BUG) because a required     mutex is not used.(CVE-2017-18216)In the Linux kernel     before 5.2, a setxattr operation, after a mount of a     crafted ext4 image, can cause a slab-out-of-bounds     write access because of an ext4_xattr_set_entry     use-after-free in fs/ext4/xattr.c when a large old_size     value is used in a memset call, aka     CID-345c0dbf3a30.(CVE-2019-19319)In the Linux kernel     before version 4.12, Kerberos 5 tickets decoded when     using the RXRPC keys incorrectly assumes the size of a     field. This could lead to the size-remaining variable     wrapping and the data pointer going over the end of the     buffer. This could possibly lead to memory corruption     and possible privilege escalation.(CVE-2017-7482)In     uvc_scan_chain_forward of uvc_driver.c, there is a     possible linked list corruption due to an unusual root     cause. This could lead to local escalation of privilege     in the kernel with no additional execution privileges     needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-111893654References: Upstream     kernel(CVE-2020-0404)In various methods of     hid-multitouch.c, there is a possible out of bounds     write due to a missing bounds check. This could lead to     local escalation of privilege with no additional     execution privileges needed. User interaction is not     needed for exploitation.Product: AndroidVersions:
    Android kernelAndroid ID: A-162844689References:
    Upstream kernel(CVE-2020-0465)It was found that the raw     midi kernel driver does not protect against concurrent     access which leads to a double realloc (double free) in     snd_rawmidi_input_params() and     snd_rawmidi_output_status() which are part of     snd_rawmidi_ioctl() handler in rawmidi.c file. A     malicious local attacker could possibly use this for     privilege escalation.(CVE-2018-10902)Linux kernel ext4     filesystem is vulnerable to an out-of-bound access in     the ext4_ext_drop_refs() function when operating on a     crafted ext4 filesystem image.(CVE-2018-10877)Linux     kernel is vulnerable to a stack-out-of-bounds write in     the ext4 filesystem code when mounting and writing to a     crafted ext4 image in ext4_update_inline_data(). An     attacker could use this to cause a system crash and a     denial of service.(CVE-2018-10880)Linux Kernel contains     an out-of-bounds read flaw in the asn1_ber_decoder()     function in lib/asn1_decoder.c that is triggered when     decoding ASN.1 data. This may allow a remote attacker     to disclose potentially sensitive memory     contents.(CVE-2018-9383)use-after-free read in     sunkbd_reinit in     drivers/input/keyboard/sunkbd.c(CVE-2020-25669)mwifiex_     cmd_802_11_ad_hoc_start in drivers/     net/wireless/marvell/mwifiex/join.c in the Linux kernel     through 5.10.4 might allow remote attackers to execute     arbitrary code via a long SSID value, aka     CID-5c455c5ab332.(CVE-2020-36158)fs/ nfsd/ nfs3xdr.c in     the Linux kernel through 5.10.8, when there is an NFS     export of a subdirectory of a filesystem, allows remote     attackers to traverse to other parts of the filesystem     via READDIRPLUS. NOTE: some parties argue that such a     subdirectory export is not intended to prevent this     attack see also the exports(5) no_subtree_check default     behavior.(CVE-2021-3178)In the Linux kernel before     4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c     mishandles reference counting because of a race     condition, leading to a     use-after-free.(CVE-2019-6974)The KVM implementation in     the Linux kernel through 4.20.5 has a     Use-after-Free.(CVE-2019-7221)A flaw was found in the     JFS filesystem code. This flaw allows a local attacker     with the ability to set extended attributes to panic     the system, causing memory corruption or escalating     privileges. The highest threat from this vulnerability     is to confidentiality, integrity, as well as system     availability.(CVE-2020-27815)An out-of-bounds (OOB)     memory access flaw was found in x25_bind in     net/x25/af_x25.c in the Linux kernel. A bounds check     failure allows a local attacker with a user account on     the system to gain access to out-of-bounds memory,     leading to a system crash or a leak of internal kernel     information. The highest threat from this vulnerability     is to confidentiality, integrity, as well as system     availability.(CVE-2020-35519)In     drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux     kernel through 5.11.8, the RPA PCI Hotplug driver has a     user-tolerable buffer overflow when writing a new     device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame     directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination,     aka CID-cc7a0bb058b8.(CVE-2021-28972)A NULL pointer     dereference was found in the net/rds/rdma.c
    __rds_rdma_map() function in the Linux kernel before     4.14.7 allowing local attackers to cause a system panic     and a denial-of-service, related to RDS_GET_MR and     RDS_GET_MR_FOR_DEST.(CVE-2018-7492)The Siemens R3964     line discipline driver in drivers/tty/ n_r3964.c in the     Linux kernel before 5.0.8 has multiple race     conditions.(CVE-2019-11486)The kernel in Android before     2016-08-05 on Nexus 7 (2013) devices allows attackers     to gain privileges via a crafted application, aka     internal bug 28522518.(CVE-2016-3857)The KVM     implementation in the Linux kernel through 4.14.7     allows attackers to obtain potentially sensitive     information from kernel memory, aka a write_mmio     stack-based out-of-bounds read, related to     arch/x86/kvm/x86.c and     include/trace/events/kvm.h.(CVE-2017-17741)The     sctp_process_param function in net/sctp/sm_make_chunk.c     in the SCTP implementation in the Linux kernel before     3.17.4, when ASCONF is used, allows remote attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a malformed INIT     chunk.(CVE-2014-7841)The XFS subsystem in the Linux     kernel through 4.8.2 allows local users to cause a     denial of service (fdatasync failure and system hang)     by using the vfs syscall group in the trinity program,     related to a 'page lock order bug in the XFS seek     hole/data implementation.'(CVE-2016-8660)The     xfs_dinode_verify function in     fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel     through 4.16.3 allows local users to cause a denial of     service (xfs_ilock_attr_map_shared invalid pointer     dereference) via a crafted xfs image.(CVE-2018-10322)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2186)

  - The snd_compr_tstamp function in     sound/core/compress_offload.c in the Linux kernel     through 4.7, as used in Android before 2016-08-05 on     Nexus 5 and 7 (2013) devices, does not properly     initialize a timestamp data structure, which allows     attackers to obtain sensitive information via a crafted     application, aka Android internal bug 28770164 and     Qualcomm internal bug CR568717.(CVE-2014-9892)

  - A memory leak in the cx23888_ir_probe() function in     drivers/media/pci/cx23885/cx23888-ir.c in the Linux     kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     kfifo_alloc() failures, aka     CID-a7b2df76b42b.(CVE-2019-19054)

  - A memory leak in the adis_update_scan_mode() function     in drivers/iio/imu/adis_buffer.c in the Linux kernel     before 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-ab612b1daf41.(CVE-2019-19060)

  - A memory leak in the adis_update_scan_mode_burst()     function in drivers/iio/imu/adis_buffer.c in the Linux     kernel before 5.3.9 allows attackers to cause a denial     of service (memory consumption), aka     CID-9c0530e898f3.(CVE-2019-19061)

  - A memory leak in the crypto_report() function in     crypto/crypto_user_base.c in the Linux kernel through     5.3.11 allows attackers to cause a denial of service     (memory consumption) by triggering crypto_report_alg()     failures, aka CID-ffdde5932042.(CVE-2019-19062)

  - A memory leak in the ccp_run_sha_cmd() function in     drivers/crypto/ccp/ccp-ops.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-128c66429247.(CVE-2019-18808)

  - In ashmem_ioctl of ashmem.c, there is an out-of-bounds     write due to insufficient locking when accessing asma.
    This could lead to a local elevation of privilege     enabling code execution as a privileged process with no     additional execution privileges needed. User     interaction is not needed for exploitation. Product:
    Android. Versions: Android kernel. Android ID:
    A-66954097.(CVE-2017-13216)

  - A certain backport in the TCP Fast Open implementation     for the Linux kernel before 3.18 does not properly     maintain a count value, which allow local users to     cause a denial of service (system crash) via the Fast     Open feature, as demonstrated by visiting the     chrome://flags/#enable-tcp-fast-open URL when using     certain 3.10.x through 3.16.x kernel builds, including     longterm-maintenance releases and ckt (aka Canonical     Kernel Team) builds.(CVE-2015-3332)

  - The rtnl_fill_link_ifmap function in     net/core/rtnetlink.c in the Linux kernel before 4.5.5     does not initialize a certain data structure, which     allows local users to obtain sensitive information from     kernel stack memory by reading a Netlink     message.(CVE-2016-4486)

  - The ip6gre_err function in net/ipv6/ip6_gre.c in the     Linux kernel allows remote attackers to have     unspecified impact via vectors involving GRE flags in     an IPv6 packet, which trigger an out-of-bounds     access.(CVE-2017-5897)

  - In the Linux kernel before version 4.12, Kerberos 5     tickets decoded when using the RXRPC keys incorrectly     assumes the size of a field. This could lead to the     size-remaining variable wrapping and the data pointer     going over the end of the buffer. This could possibly     lead to memory corruption and possible privilege     escalation.(CVE-2017-7482)

  - A flaw was found in the Linux Kernel where an attacker     may be able to have an uncontrolled read to     kernel-memory from within a vm guest. A race condition     between connect() and close() function may allow an     attacker using the AF_VSOCK protocol to gather a 4 byte     information leak or possibly intercept or corrupt     AF_VSOCK messages destined to other     clients.(CVE-2018-14625)

  - drivers/net/usb/asix_devices.c in the Linux kernel     through 4.13.11 allows local users to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact via a crafted     USB device.(CVE-2017-16647)

  - A memory leak in the ql_alloc_large_buffers() function     in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux     kernel before 5.3.5 allows local users to cause a     denial of service (memory consumption) by triggering     pci_dma_mapping_error() failures, aka     CID-1acb8f2a7a9f.(CVE-2019-18806)

  - An issue was discovered in the fd_locked_ioctl function     in drivers/block/floppy.c in the Linux kernel through     4.15.7. The floppy driver will copy a kernel pointer to     user memory in response to the FDGETPRM ioctl. An     attacker can send the FDGETPRM ioctl and use the     obtained kernel pointer to discover the location of     kernel code and data and bypass kernel security     protections such as KASLR.(CVE-2018-7755)

  - The usbvision driver in the Linux kernel package     3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red     Hat Enterprise Linux (RHEL) 7.1 allows physically     proximate attackers to cause a denial of service     (panic) via a nonzero bInterfaceNumber value in a USB     device descriptor.(CVE-2015-7833)

  - A flaw that allowed an attacker to corrupt memory and     possibly escalate privileges was found in the mwifiex     kernel module while connecting to a malicious wireless     network.(CVE-2019-3846)

  - drivers/net/wireless/marvell/libertas/if_sdio.c in the     Linux kernel 5.2.14 does not check the alloc_workqueue     return value, leading to a NULL pointer     dereference.(CVE-2019-16232)

  - drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the     Linux kernel 5.2.14 does not check the alloc_workqueue     return value, leading to a NULL pointer     dereference.(CVE-2019-16234)

  - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14     does not check the alloc_workqueue return value,     leading to a NULL pointer dereference.(CVE-2019-16231)

  - Insufficient access control in the Intel(R)     PROSet/Wireless WiFi Software driver before version     21.10 may allow an unauthenticated user to potentially     enable denial of service via adjacent     access.(CVE-2019-0136)

  - A flaw was found in the Linux kernel. A heap based     buffer overflow in mwifiex_uap_parse_tail_ies function     in drivers/net/wireless/marvell/mwifiex/ie.c might lead     to memory corruption and possibly other     consequences.(CVE-2019-10126)

  - The Bluetooth BR/EDR specification up to and including     version 5.1 permits sufficiently low encryption key     length and does not prevent an attacker from     influencing the key length negotiation. This allows     practical brute-force attacks (aka 'KNOB') that can     decrypt traffic and inject arbitrary ciphertext without     the victim noticing.(CVE-2019-9506)

  - An issue was discovered in net/wireless/nl80211.c in     the Linux kernel through 5.2.17. It does not check the     length of variable elements in a beacon head, leading     to a buffer overflow.(CVE-2019-16746)

  - In the hidp_process_report in bluetooth, there is an     integer overflow. This could lead to an out of bounds     write with no additional execution privileges needed.
    User interaction is not needed for exploitation.
    Product: Android Versions: Android kernel Android ID:
    A-65853588 References: Upstream kernel.(CVE-2018-9363)

  - An issue was discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance.(CVE-2019-17075)

  - rtl_p2p_noa_ie in     drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux     kernel through 5.3.6 lacks a certain upper-bound check,     leading to a buffer overflow.(CVE-2019-17666)

  - arch/arm/mm/dma-mapping.c in the Linux kernel before     3.13 on ARM platforms, as used in Android before     2016-08-05 on Nexus 5 and 7 (2013) devices, does not     prevent executable DMA mappings, which might allow     local users to gain privileges via a crafted     application, aka Android internal bug 28803642 and     Qualcomm internal bug CR642735.(CVE-2014-9888)

  - An issue was discovered in drivers/i2c/i2c-core-smbus.c     in the Linux kernel before 4.14.15. There is an out of     bounds write in the function     i2c_smbus_xfer_emulated.(CVE-2017-18551)

  - The rds_ib_xmit function in net/rds/ib_send.c in the     Reliable Datagram Sockets (RDS) protocol implementation     in the Linux kernel 3.7.4 and earlier allows local     users to cause a denial of service (BUG_ON and kernel     panic) by establishing an RDS connection with the     source IP address equal to the IPoIB interface's own IP     address, as demonstrated by rds-ping.(CVE-2012-2372)

  - In the Linux kernel through 5.3.2,     cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c     does not reject a long SSID IE, leading to a Buffer     Overflow.(CVE-2019-17133)

  - A memory leak in the bfad_im_get_stats() function in     drivers/scsi/bfa/bfad_attr.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption) by triggering     bfa_port_get_stats() failures, aka     CID-0e62395da2bd.(CVE-2019-19066)

  - The kernel in Android before 2016-08-05 on Nexus 7     (2013) devices allows attackers to gain privileges via     a crafted application, aka internal bug     28522518.(CVE-2016-3857)

  - arch/arm64/kernel/sys.c in the Linux kernel before 4.0     allows local users to bypass the 'strict page     permissions' protection mechanism and modify the     system-call table, and consequently gain privileges, by     leveraging write access.(CVE-2015-8967)

  - arch/arm64/kernel/perf_event.c in the Linux kernel     before 4.1 on arm64 platforms allows local users to     gain privileges or cause a denial of service (invalid     pointer dereference) via vectors involving events that     are mishandled during a span of multiple HW     PMUs.(CVE-2015-8955)

  - The __clear_user function in     arch/arm64/lib/clear_user.S in the Linux kernel before     3.17.4 on the ARM64 platform allows local users to     cause a denial of service (system crash) by reading one     byte beyond a /dev/zero page boundary.(CVE-2014-7843)

  - The x86/fpu (Floating Point Unit) subsystem in the     Linux kernel before 4.13.5, when a processor supports     the xsave feature but not the xsaves feature, does not     correctly handle attempts to set reserved bits in the     xstate header via the ptrace() or rt_sigreturn() system     call, allowing local users to read the FPU registers of     other processes on the system, related to     arch/x86/kernel/fpu/regset.c and     arch/x86/kernel/fpu/signal.c.(CVE-2017-15537)

  - The Linux kernel before 3.11 on ARM platforms, as used     in Android before 2016-08-05 on Nexus 5 and 7 (2013)     devices, does not properly consider user-space access     to the TPIDRURW register, which allows local users to     gain privileges via a crafted application, aka Android     internal bug 28749743 and Qualcomm internal bug     CR561044.(CVE-2014-9870)

  - ** DISPUTED ** Race condition in the     store_int_with_restart() function in     arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel     through 4.15.7 allows local users to cause a denial of     service (panic) by leveraging root access to write to     the check_interval file in a     /sys/devices/system/machinecheck/machinecheck     directory. NOTE: a third party has indicated that this     report is not security relevant.(CVE-2018-7995)

  - arch/x86/kernel/entry_32.S in the Linux kernel through     3.15.1 on 32-bit x86 platforms, when syscall auditing     is enabled and the sep CPU feature flag is set, allows     local users to cause a denial of service (OOPS and     system crash) via an invalid syscall number, as     demonstrated by number 1000.(CVE-2014-4508)

  - arch/x86/kernel/tls.c in the Thread Local Storage (TLS)     implementation in the Linux kernel through 3.18.1     allows local users to bypass the espfix protection     mechanism, and consequently makes it easier for local     users to bypass the ASLR protection mechanism, via a     crafted application that makes a set_thread_area system     call and later reads a 16-bit value.(CVE-2014-8133)

  - arch/mips/include/asm/thread_info.h in the Linux kernel     before 3.14.8 on the MIPS platform does not configure
    _TIF_SECCOMP checks on the fast system-call path, which     allows local users to bypass intended PR_SET_SECCOMP     restrictions by executing a crafted application without     invoking a trace or audit subsystem.(CVE-2014-4157)

  - Integer signedness error in the oz_hcd_get_desc_cnf     function in drivers/staging/ozwpan/ozhcd.c in the     OZWPAN driver in the Linux kernel through 4.0.5 allows     remote attackers to cause a denial of service (system     crash) or possibly execute arbitrary code via a crafted     packet.(CVE-2015-4001)

  - drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver     in the Linux kernel through 4.0.5 does not ensure that     certain length values are sufficiently large, which     allows remote attackers to cause a denial of service     (system crash or large loop) or possibly execute     arbitrary code via a crafted packet, related to the (1)     oz_usb_rx and (2) oz_usb_handle_ep_data     functions.(CVE-2015-4002)

  - The oz_usb_handle_ep_data function in     drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver     in the Linux kernel through 4.0.5 allows remote     attackers to cause a denial of service (divide-by-zero     error and system crash) via a crafted     packet.(CVE-2015-4003)

  - The OZWPAN driver in the Linux kernel through 4.0.5     relies on an untrusted length field during packet     parsing, which allows remote attackers to obtain     sensitive information from kernel memory or cause a     denial of service (out-of-bounds read and system crash)     via a crafted packet.(CVE-2015-4004)

  - Race condition in the sclp_ctl_ioctl_sccb function in     drivers/s390/char/sclp_ctl.c in the Linux kernel before     4.6 allows local users to obtain sensitive information     from kernel memory by changing a certain length value,     aka a 'double fetch' vulnerability.(CVE-2016-6130)

  - The print_binder_transaction_ilocked function in     drivers/android/binder.c in the Linux kernel 4.14.90     allows local users to obtain sensitive address     information by reading '*from *code *flags' lines in a     debugfs file.(CVE-2018-20510)

  - In the Linux kernel before 4.1.4, a buffer overflow     occurs when checking userspace params in     drivers/media/dvb-frontends/cx24116.c. The maximum size     for a DiSEqC command is 6, according to the userspace     API. However, the code allows larger values such as     23.(CVE-2015-9289)

  - The saa7164_bus_get function in     drivers/media/pci/saa7164/saa7164-bus.c in the Linux     kernel through 4.11.5 allows local users to cause a     denial of service (out-of-bounds array access) or     possibly have unspecified other impact by changing a     certain sequence-number value, aka a 'double fetch'     vulnerability.(CVE-2017-8831)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Chiachih Wu, Yuan-Tsung Lo, and Xuxian Jiang discovered that the legacy ABI for ARM (OABI) had incomplete access checks for epoll_wait(2) and semtimedop(2). A local attacker could use this to possibly execute arbitrary code.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes the CVEs described below.

CVE-2016-3857

Chiachih Wu reported two bugs in the ARM OABI compatibility layer that can be used by local users for privilege escalation. The OABI compatibility layer is enabled in all kernel flavours for armel and armhf.

CVE-2016-4470

Wade Mealing of the Red Hat Product Security Team reported that in some error cases the KEYS subsystem will dereference an uninitialised pointer. A local user can use the keyctl() system call for denial of service (crash) or possibly for privilege escalation.

CVE-2016-5696

Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V.
Krishnamurthy of the University of California, Riverside; and Lisa M.
Marvel of the United States Army Research Laboratory discovered that Linux's implementation of the TCP Challenge ACK feature results in a side channel that can be used to find TCP connections between specific IP addresses, and to inject messages into those connections.

Where a service is made available through TCP, this may allow remote attackers to impersonate another connected user to the server or to impersonate the server to another connected user. In case the service uses a protocol with message authentication (e.g. TLS or SSH), this vulnerability only allows denial of service (connection failure). An attack takes tens of seconds, so short-lived TCP connections are also unlikely to be vulnerable.

This may be mitigated by increasing the rate limit for TCP Challenge ACKs so that it is never exceeded: sysctl net.ipv4.tcp_challenge_ack_limit=1000000000

CVE-2016-5829

Several heap-based buffer overflow vulnerabilities were found in the hiddev driver, allowing a local user with access to a HID device to cause a denial of service or potentially escalate their privileges.

CVE-2016-6136

Pengfei Wang discovered that the audit subsystem has a 'double-fetch' or 'TOCTTOU' bug in its handling of special characters in the name of an executable. Where audit logging of execve() is enabled, this allows a local user to generate misleading log messages.

CVE-2016-6480

Pengfei Wang discovered that the aacraid driver for Adaptec RAID controllers has a 'double-fetch' or 'TOCTTOU' bug in its validation of 'FIB' messages passed through the ioctl() system call. This has no practical security impact in current Debian releases.

CVE-2016-6828

Marco Grassi reported a 'use-after-free' bug in the TCP implementation, which can be triggered by local users. The security impact is unclear, but might include denial of service or privilege escalation.

CVE-2016-7118

Marcin Szewczyk reported that calling fcntl() on a file descriptor for a directory on an aufs filesystem would result in am 'oops'. This allows local users to cause a denial of service. This is a Debian-specific regression introduced in version 3.2.81-1.

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.81-2. This version also fixes a build failure (bug #827561) for custom kernels with CONFIG_MODULES disabled, a regression in version 3.2.81-1. It also updates the PREEMPT_RT featureset to version 3.2.81-rt117.

For Debian 8 'Jessie', CVE-2016-3857 has no impact; CVE-2016-4470 and CVE-2016-5829 were fixed in linux version 3.16.7-ckt25-2+deb8u3 or earlier; and the remaining issues are fixed in version 3.16.36-1+deb8u1.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
149098	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2021-1808)	Nessus	Huawei Local Security Checks	high
131805	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2531)	Nessus	Huawei Local Security Checks	high
93601	Ubuntu 12.04 LTS : linux vulnerability (USN-3082-1)	Nessus	Ubuntu Local Security Checks	high
93321	Debian DLA-609-1 : linux security update	Nessus	Debian Local Security Checks	high

CVE-2016-3857

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high