http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=853bc26a7ea39e354b9f8889ae7ad1492ffa28d2

103278

https://github.com/torvalds/linux/commit/853bc26a7ea39e354b9f8889ae7ad1492ffa28d2

[debian-lts-announce] 20180502 [SECURITY] [DLA 1369-1] linux security update

USN-3776-1

USN-3776-2

USN-3798-1

USN-3798-2

DSA-4187

DSA-4188

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c,     there is a possible use after free due to a logic     error. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2020-0466)

  - fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8,     when there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)

  - An issue was discovered in the Linux kernel through     5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an     iSCSI transport is registered with the iSCSI subsystem,     the transport's handle is available to unprivileged     users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)

  - An issue was discovered in the Linux kernel through     5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged     user to craft Netlink messages.(CVE-2021-27364)

  - A race condition was found in the Linux kernels     implementation of the floppy disk drive controller     driver software. The impact of this issue is lessened     by the fact that the default permissions on the floppy     device (/dev/fd0) are restricted to root. If the     permissions on the device have changed the impact     changes greatly. In the default configuration root (or     equivalent) permissions are required to attack this     flaw.(CVE-2021-20261)

  - In fs/ocfs2/cluster/nodemanager.c in the Linux kernel     before 4.15, local users can cause a denial of service     (NULL pointer dereference and BUG) because a required     mutex is not used.(CVE-2017-18216)

  - The omninet_open function in     drivers/usb/serial/omninet.c in the Linux kernel before     4.10.4 allows local users to cause a denial of service     (tty exhaustion) by leveraging reference count     mishandling.(CVE-2017-8925)

  - A flaw was found in the way memory resources were freed     in the unix_stream_recvmsg function in the Linux kernel     when a signal was pending. This flaw allows an     unprivileged local user to crash the system by     exhausting available memory. The highest threat from     this vulnerability is to system     availability.(CVE-2021-20265)

  - A flaw was found in the JFS filesystem code in the     Linux Kernel which allows a local attacker with the     ability to set extended attributes to panic the system,     causing memory corruption or escalating privileges. The     highest threat from this vulnerability is to     confidentiality, integrity, as well as system     availability.(CVE-2020-27815)

  - An out-of-bounds (OOB) memory access flaw was found in     x25_bind in net/x25/af_x25.c in the Linux kernel     version v5.12-rc5. A bounds check failure allows a     local attacker with a user account on the system to     gain access to out-of-bounds memory, leading to a     system crash or a leak of internal kernel information.
    The highest threat from this vulnerability is to     confidentiality, integrity, as well as system     availability.(CVE-2020-35519)

  - There is a flaw reported in the Linux kernel in     versions before 5.9 in     drivers/gpu/drm/nouveau/nouveau_sgdma.c in     nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The     issue results from the lack of validating the existence     of an object prior to performing operations on the     object. An attacker with a local account with a root     privilege, can leverage this vulnerability to escalate     privileges and execute code in the context of the     kernel.(CVE-2021-20292)

  - In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux     kernel through 5.11.8, the RPA PCI Hotplug driver has a     user-tolerable buffer overflow when writing a new     device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame     directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination,     aka CID-cc7a0bb058b8.(CVE-2021-28972)

  - A race condition was discovered in get_old_root in     fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It     allows attackers to cause a denial of service (BUG)     because of a lack of locking on an extent buffer before     a cloning operation, aka     CID-dbcc7d57bffc.(CVE-2021-28964)

  - An issue was discovered in the Linux kernel before     5.11.7. usbip_sockfd_store in     drivers/usb/usbip/stub_dev.c allows attackers to cause     a denial of service (GPF) because the stub-up sequence     has race conditions during an update of the local and     shared status, aka CID-9380afd6df70.(CVE-2021-29265)

  - BPF JIT compilers in the Linux kernel through 5.11.12     have incorrect computation of branch displacements,     allowing them to execute arbitrary code within the     kernel context. This affects     arch/x86/net/bpf_jit_comp.c and     arch/x86/net/bpf_jit_comp32.c.(CVE-2021-29154)

  - The KVM implementation in the Linux kernel through     4.14.7 allows attackers to obtain potentially sensitive     information from kernel memory, aka a write_mmio     stack-based out-of-bounds read, related to     arch/x86/kvm/x86.c and     include/trace/events/kvm.h.(CVE-2017-17741)

  - An issue was discovered in the Linux kernel before     5.11.3 when a webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak     for large arguments, aka     CID-fb18802a338b.(CVE-2021-30002)

  - An issue was discovered in the Linux kernel through     4.17.10. There is an invalid pointer dereference in
    __del_reloc_root() in fs/btrfs/relocation.c when     mounting a crafted btrfs image, related to removing     reloc rb_trees when reloc control has not been     initialized.(CVE-2018-14609)

  - An issue was discovered in     fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel     through 4.17.3. A denial of service (memory corruption     and BUG) can occur for a corrupted xfs image upon     encountering an inode that is in extent format, but has     more extents than fit in the inode     fork.(CVE-2018-13095)

  - The vmw_gb_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel through 4.10.7 does not validate certain levels     data, which allows local users to cause a denial of     service (system hang) via a crafted ioctl call for a     /dev/dri/renderD* device.(CVE-2017-7346)

  - The klsi_105_get_line_state function in     drivers/usb/serial/kl5kusb105.c in the Linux kernel     before 4.9.5 places uninitialized heap-memory contents     into a log entry upon a failure to read the line     status, which allows local users to obtain sensitive     information by reading the log.(CVE-2017-5549)

  - An integer overflow in the uvesafb_setcmap function in     drivers/video/fbdev/uvesafb.c in the Linux kernel     before 4.17.4 could result in local attackers being     able to crash the kernel or potentially elevate     privileges because kmalloc_array is not     used.(CVE-2018-13406)

  - In the Linux kernel before version 4.12, Kerberos 5     tickets decoded when using the RXRPC keys incorrectly     assumes the size of a field. This could lead to the     size-remaining variable wrapping and the data pointer     going over the end of the buffer. This could possibly     lead to memory corruption and possible privilege     escalation.(CVE-2017-7482)

  - drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x     before 4.9.11 interacts incorrectly with the     CONFIG_VMAP_STACK option, which allows local users to     cause a denial of service (system crash or memory     corruption) or possibly have unspecified other impact     by leveraging use of more than one virtual page for a     DMA scatterlist.(CVE-2017-8069)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - A flaw was found in the Nosy driver in the Linux     kernel. This issue allows a device to be inserted twice     into a doubly-linked list, leading to a use-after-free     when one of these devices is removed. The highest     threat from this vulnerability is to confidentiality,     integrity, as well as system availability. Versions     before kernel 5.12-rc6 are affected(CVE-2021-3483)

  - An issue was discovered in the FUSE filesystem     implementation in the Linux kernel before 5.10.6, aka     CID-5d069dbe8aaf. fuse_do_getattr() calls     make_bad_inode() in inappropriate situations, causing a     system crash. NOTE: the original fix for this     vulnerability was incomplete, and its incompleteness is     tracked as CVE-2021-28950.(CVE-2020-36322)

  - An out-of-bounds (OOB) memory write flaw was found in     list_devices in drivers/md/dm-ioctl.c in the     Multi-device driver module in the Linux kernel before     5.12. A bound check failure allows an attacker with     special user (CAP_SYS_ADMIN) privilege to gain access     to out-of-bounds memory leading to a system crash or a     leak of internal kernel information. The highest threat     from this vulnerability is to system     availability.(CVE-2021-31916)

  - A vulnerability was found in Linux Kernel, where a     refcount leak in llcp_sock_connect() causing     use-after-free which might lead to privilege     escalations.(CVE-2020-25671)

  - A vulnerability was found in Linux Kernel where     refcount leak in llcp_sock_bind() causing     use-after-free which might lead to privilege     escalations.(CVE-2020-25670)

  - A memory leak vulnerability was found in Linux kernel     in llcp_sock_connect(CVE-2020-25672)

  - The Linux kernel before 5.11.14 has a use-after-free in     cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the     CIPSO and CALIPSO refcounting for the DOI definitions     is mishandled, aka CID-ad5d07f4a9cd. This leads to     writing an arbitrary value.(CVE-2021-33033)

  - Use After Free vulnerability in nfc sockets in the     Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations,     the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability.(CVE-2021-23134)

  - A flaw use-after-free in function     hci_sock_bound_ioctl() of the Linux kernel HCI     subsystem was found in the way user detaches bluetooth     dongle or other way triggers unregister bluetooth     device event. A local user could use this flaw to crash     the system or escalate their privileges on the     system.(CVE-2021-3573)

  - An issue was discovered in the Linux kernel through     5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute     code in the kernel, aka     CID-34b1a1ce1458.(CVE-2021-3347)

  - A vulnerability was found in Linux kernel where     non-blocking socket in llcp_sock_connect() leads to     leak and eventually hanging-up the     system.(CVE-2020-25673)

  - net/bluetooth/hci_request.c in the Linux kernel through     5.12.2 has a race condition for removal of the HCI     controller.(CVE-2021-32399)

  - In all Qualcomm products with Android releases from CAF     using the Linux kernel, during DMA allocation, due to     wrong data type of size, allocation size gets truncated     which makes allocation succeed when it should     fail.(CVE-2017-9725)

  - A flaw double-free memory corruption in the Linux     kernel HCI device initialization subsystem was found in     the way user attach malicious HCI TTY Bluetooth device.
    A local user could use this flaw to crash the system.
    This flaw affects all the Linux kernel versions     starting from 3.13.(CVE-2021-3564)

  - A flaw was found in the CAN BCM networking protocol in     the Linux kernel, where a local attacker can abuse a     flaw in the CAN subsystem to corrupt memory, crash the     system or escalate privileges.(CVE-2021-3609)

  - The ip6gre_err function in net/ipv6/ip6_gre.c in the     Linux kernel allows remote attackers to have     unspecified impact via vectors involving GRE flags in     an IPv6 packet, which trigger an out-of-bounds     access.(CVE-2017-5897)

  - An Out-of-Bounds Read was discovered in     arch/arm/mach-footbridge/personal-pci.c in the Linux     kernel through 5.12.11 because of the lack of a check     for a value that shouldn't be negative, e.g., access to     element -2 of an array, aka     CID-298a58e165e4.(CVE-2021-32078)

  - In the Linux kernel before 4.20.8,     kvm_ioctl_create_device in virt/kvm/kvm_main.c     mishandles reference counting because of a race     condition, leading to a use-after-free.(CVE-2019-6974)

  - In uvc_scan_chain_forward of uvc_driver.c, there is a     possible linked list corruption due to an unusual root     cause. This could lead to local escalation of privilege     in the kernel with no additional execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2020-0404)

  - In create_pinctrl of core.c, there is a possible out of     bounds read due to a use after free. This could lead to     local information disclosure with no additional     execution privileges needed. User interaction is not     needed for exploitation.(CVE-2020-0427)

  - In kbd_keycode of keyboard.c, there is a possible out     of bounds write due to a missing bounds check. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-144161459(CVE-2020-0431)

  - In blk_mq_queue_tag_busy_iter of blk-mq-tag.c, there is     a possible use after free due to improper locking. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2020-0433)

  - In various methods of hid-multitouch.c, there is a     possible out of bounds write due to a missing bounds     check. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2020-0465)

  - A vulnerability was found in the Linux Kernel where the     function sunkbd_reinit having been scheduled by     sunkbd_interrupt before sunkbd being freed. Though the     dangling pointer is set to NULL in sunkbd_disconnect,     there is still an alias in sunkbd_reinit causing Use     After Free.(CVE-2020-25669)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In various methods of hid-multitouch.c, there is a     possible out of bounds write due to a missing bounds     check. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-162844689References: Upstream kernel(CVE-2020-0465)

  - fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8,     when there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)

  - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c,     there is a possible use after free due to a logic     error. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-147802478References: Upstream kernel(CVE-2020-0466)

  - In fs/ocfs2/cluster/nodemanager.c in the Linux kernel     before 4.15, local users can cause a denial of service     (NULL pointer dereference and BUG) because a required     mutex is not used.(CVE-2017-18216)

  - An issue was discovered in the Linux kernel through     5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an     iSCSI transport is registered with the iSCSI subsystem,     the transport's handle is available to unprivileged     users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)

  - An issue was discovered in the Linux kernel through     5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged     user to craft Netlink messages.(CVE-2021-27364)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - A race condition was found in the Linux kernels     implementation of the floppy disk drive controller     driver software. The impact of this issue is lessened     by the fact that the default permissions on the floppy     device (/dev/fd0) are restricted to root. If the     permissions on the device have changed the impact     changes greatly. In the default configuration root (or     equivalent) permissions are required to attack this     flaw.(CVE-2021-20261)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):A flaw was found in Linux     kernel in the ext4 filesystem code. A use-after-free is     possible in ext4_ext_remove_space() function when     mounting and operating a crafted ext4     image.(CVE-2018-10876)A flaw was found in the Linux     kernel. A use-after-free was found in the way the     console subsystem was using ioctls KDGKBSENT and     KDSKBSENT. A local user could use this flaw to get read     memory access out of bounds. The highest threat from     this vulnerability is to data     confidentiality.(CVE-2020-25656)A flaw was found in the     way RTAS handled memory accesses in userspace to kernel     communication. On a locked down (usually due to Secure     Boot) guest system running on top of PowerVM or KVM     hypervisors (pseries platform) a root like local user     could use this flaw to further increase their     privileges to that of a running     kernel.(CVE-2020-27777)A information disclosure     vulnerability in the Upstream kernel encrypted-keys.
    Product: Android. Versions: Android kernel. Android ID:
    A-70526974.(CVE-2017-13305)A race condition was found     in the Linux kernels implementation of the floppy disk     drive controller driver software. The impact of this     issue is lessened by the fact that the default     permissions on the floppy device (/dev/fd0) are     restricted to root. If the permissions on the device     have changed the impact changes greatly. In the default     configuration root (or equivalent) permissions are     required to attack this flaw.(CVE-2021-20261)An issue     was discovered in dlpar_parse_cc_property in     arch/powerpc/platforms/pseries/dlpar.c in the Linux     kernel through 5.1.6. There is an unchecked kstrdup of     prop->name, which might allow an attacker to cause a     denial of service (NULL pointer dereference and system     crash).(CVE-2019-12614)An issue was discovered in     fs/xfs/xfs_icache.c in the Linux kernel through 4.17.3.
    There is a NULL pointer dereference and panic in     lookup_slow() on a NULL inode->i_ops pointer when doing     pathwalks on a corrupted xfs image. This occurs because     of a lack of proper validation that cached inodes are     free during allocation.(CVE-2018-13093)An issue was     discovered in rds_tcp_kill_sock in net/rds/tcp.c in the     Linux kernel before 5.0.8. There is a race condition     leading to a use-after-free, related to net namespace     cleanup.(CVE-2019-11815)An issue was discovered in the     Linux kernel through 5.11.3. A kernel pointer leak can     be used to determine the address of the iscsi_transport     structure. When an iSCSI transport is registered with     the iSCSI subsystem, the transport's handle is     available to unprivileged users via the sysfs file     system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)An issue was     discovered in the Linux kernel through 5.11.3. Certain     iSCSI data structures do not have appropriate length     constraints or checks, and can exceed the PAGE_SIZE     value. An unprivileged user can send a Netlink message     that is associated with iSCSI, and has a length up to     the maximum length of a Netlink     message.(CVE-2021-27365)An issue was discovered in the     Linux kernel through 5.11.3.
    drivers/scsi/scsi_transport_iscsi.c is adversely     affected by the ability of an unprivileged user to     craft Netlink messages.(CVE-2021-27364)An issue was     discovered in yurex_read in drivers/usb/misc/yurex.c in     the Linux kernel before 4.17.7. Local attackers could     use user access read/writes with incorrect bounds     checking in the yurex USB driver to crash the kernel or     potentially escalate     privileges.(CVE-2018-16276)drivers/infiniband/core/ucma     .c in the Linux kernel through 4.17.11 allows     ucma_leave_multicast to access a certain data structure     after a cleanup step in ucma_process_join, which allows     attackers to cause a denial of service     (use-after-free).(CVE-2018-14734)In create_pinctrl of     core.c, there is a possible out of bounds read due to a     use after free. This could lead to local information     disclosure with no additional execution privileges     needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-140550171(CVE-2020-0427)In     do_epoll_ctl and ep_loop_check_proc of eventpoll.c,     there is a possible use after free due to a logic     error. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-147802478References: Upstream kernel(CVE-2020-0466)In     fs/ocfs2/cluster/ nodemanager.c in the Linux kernel     before 4.15, local users can cause a denial of service     (NULL pointer dereference and BUG) because a required     mutex is not used.(CVE-2017-18216)In the Linux kernel     before 5.2, a setxattr operation, after a mount of a     crafted ext4 image, can cause a slab-out-of-bounds     write access because of an ext4_xattr_set_entry     use-after-free in fs/ext4/xattr.c when a large old_size     value is used in a memset call, aka     CID-345c0dbf3a30.(CVE-2019-19319)In the Linux kernel     before version 4.12, Kerberos 5 tickets decoded when     using the RXRPC keys incorrectly assumes the size of a     field. This could lead to the size-remaining variable     wrapping and the data pointer going over the end of the     buffer. This could possibly lead to memory corruption     and possible privilege escalation.(CVE-2017-7482)In     uvc_scan_chain_forward of uvc_driver.c, there is a     possible linked list corruption due to an unusual root     cause. This could lead to local escalation of privilege     in the kernel with no additional execution privileges     needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-111893654References: Upstream     kernel(CVE-2020-0404)In various methods of     hid-multitouch.c, there is a possible out of bounds     write due to a missing bounds check. This could lead to     local escalation of privilege with no additional     execution privileges needed. User interaction is not     needed for exploitation.Product: AndroidVersions:
    Android kernelAndroid ID: A-162844689References:
    Upstream kernel(CVE-2020-0465)It was found that the raw     midi kernel driver does not protect against concurrent     access which leads to a double realloc (double free) in     snd_rawmidi_input_params() and     snd_rawmidi_output_status() which are part of     snd_rawmidi_ioctl() handler in rawmidi.c file. A     malicious local attacker could possibly use this for     privilege escalation.(CVE-2018-10902)Linux kernel ext4     filesystem is vulnerable to an out-of-bound access in     the ext4_ext_drop_refs() function when operating on a     crafted ext4 filesystem image.(CVE-2018-10877)Linux     kernel is vulnerable to a stack-out-of-bounds write in     the ext4 filesystem code when mounting and writing to a     crafted ext4 image in ext4_update_inline_data(). An     attacker could use this to cause a system crash and a     denial of service.(CVE-2018-10880)Linux Kernel contains     an out-of-bounds read flaw in the asn1_ber_decoder()     function in lib/asn1_decoder.c that is triggered when     decoding ASN.1 data. This may allow a remote attacker     to disclose potentially sensitive memory     contents.(CVE-2018-9383)use-after-free read in     sunkbd_reinit in     drivers/input/keyboard/sunkbd.c(CVE-2020-25669)mwifiex_     cmd_802_11_ad_hoc_start in drivers/     net/wireless/marvell/mwifiex/join.c in the Linux kernel     through 5.10.4 might allow remote attackers to execute     arbitrary code via a long SSID value, aka     CID-5c455c5ab332.(CVE-2020-36158)fs/ nfsd/ nfs3xdr.c in     the Linux kernel through 5.10.8, when there is an NFS     export of a subdirectory of a filesystem, allows remote     attackers to traverse to other parts of the filesystem     via READDIRPLUS. NOTE: some parties argue that such a     subdirectory export is not intended to prevent this     attack see also the exports(5) no_subtree_check default     behavior.(CVE-2021-3178)In the Linux kernel before     4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c     mishandles reference counting because of a race     condition, leading to a     use-after-free.(CVE-2019-6974)The KVM implementation in     the Linux kernel through 4.20.5 has a     Use-after-Free.(CVE-2019-7221)A flaw was found in the     JFS filesystem code. This flaw allows a local attacker     with the ability to set extended attributes to panic     the system, causing memory corruption or escalating     privileges. The highest threat from this vulnerability     is to confidentiality, integrity, as well as system     availability.(CVE-2020-27815)An out-of-bounds (OOB)     memory access flaw was found in x25_bind in     net/x25/af_x25.c in the Linux kernel. A bounds check     failure allows a local attacker with a user account on     the system to gain access to out-of-bounds memory,     leading to a system crash or a leak of internal kernel     information. The highest threat from this vulnerability     is to confidentiality, integrity, as well as system     availability.(CVE-2020-35519)In     drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux     kernel through 5.11.8, the RPA PCI Hotplug driver has a     user-tolerable buffer overflow when writing a new     device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame     directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination,     aka CID-cc7a0bb058b8.(CVE-2021-28972)A NULL pointer     dereference was found in the net/rds/rdma.c
    __rds_rdma_map() function in the Linux kernel before     4.14.7 allowing local attackers to cause a system panic     and a denial-of-service, related to RDS_GET_MR and     RDS_GET_MR_FOR_DEST.(CVE-2018-7492)The Siemens R3964     line discipline driver in drivers/tty/ n_r3964.c in the     Linux kernel before 5.0.8 has multiple race     conditions.(CVE-2019-11486)The kernel in Android before     2016-08-05 on Nexus 7 (2013) devices allows attackers     to gain privileges via a crafted application, aka     internal bug 28522518.(CVE-2016-3857)The KVM     implementation in the Linux kernel through 4.14.7     allows attackers to obtain potentially sensitive     information from kernel memory, aka a write_mmio     stack-based out-of-bounds read, related to     arch/x86/kvm/x86.c and     include/trace/events/kvm.h.(CVE-2017-17741)The     sctp_process_param function in net/sctp/sm_make_chunk.c     in the SCTP implementation in the Linux kernel before     3.17.4, when ASCONF is used, allows remote attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a malformed INIT     chunk.(CVE-2014-7841)The XFS subsystem in the Linux     kernel through 4.8.2 allows local users to cause a     denial of service (fdatasync failure and system hang)     by using the vfs syscall group in the trinity program,     related to a 'page lock order bug in the XFS seek     hole/data implementation.'(CVE-2016-8660)The     xfs_dinode_verify function in     fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel     through 4.16.3 allows local users to cause a denial of     service (xfs_ilock_attr_map_shared invalid pointer     dereference) via a crafted xfs image.(CVE-2018-10322)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - An information-leak vulnerability was found in the     kernel when it truncated a file to a smaller size which     consisted of an inline extent that was compressed. The     data between the new file size and the old file size     was not discarded and the number of bytes used by the     inode were not correctly decremented, which gave the     wrong report for callers of the stat(2) syscall. This     wasted metadata space and allowed for the truncated     data to be leaked, and data corruption or loss to     occur. A caller of the clone ioctl could exploit this     flaw by using only standard file-system operations     without root access to read the truncated     data.(CVE-2015-8374i1/4%0

  - crypto/pcrypt.c in the Linux kernel, before 4.14.13,     mishandles freeing instances, allowing a local user     able to access the AF_ALG-based AEAD interface     (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt     (CONFIG_CRYPTO_PCRYPT) to cause a denial of service     (kfree of an incorrect pointer) or possibly have     unspecified other impact by executing a crafted     sequence of system calls. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-18075i1/4%0

  - An elevation of privilege vulnerability in the Qualcomm     Wi-Fi driver could enable a local malicious application     to execute arbitrary code within the context of the     kernel. This issue is rated as High because it first     requires compromising a privileged process. Product:
    Android. Versions: N/A. Android ID: A-32835279.
    References: QC-CR#1096945.(CVE-2017-0523i1/4%0

  - The saa7164_bus_get function in     drivers/media/pci/saa7164/saa7164-bus.c in the Linux     kernel through 4.10.14 allows local users to cause a     denial of service (out-of-bounds array access) or     possibly have unspecified other impact by changing a     certain sequence-number value, aka a 'double fetch'     vulnerability.(CVE-2017-8831i1/4%0

  - A flaw was found in the way the Linux kernel's splice()     system call validated its parameters. On certain file     systems, a local, unprivileged user could use this flaw     to write past the maximum file size, and thus crash the     system.(CVE-2014-7822i1/4%0

  - The vc4_get_bcl function in     drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM     driver in the Linux kernel before 4.9.7 does not set an     errno value upon certain overflow detections allowing     local users to cause a denial of service (incorrect     pointer dereference and OOPS) via inconsistent size     values in a VC4_SUBMIT_CL ioctl call.(CVE-2017-5577i1/4%0

  - In fs/ocfs2/cluster/nodemanager.c in the Linux kernel     before 4.15, local users can cause a denial of service     (NULL pointer dereference and BUG) because a required     mutex is not used.(CVE-2017-18216i1/4%0

  - A race condition issue leading to a use-after-free flaw     was found in the way the raw packet sockets     implementation in the Linux kernel networking subsystem     handled synchronization while creating the TPACKET_V3     ring buffer. A local user able to open a raw packet     socket (requires the CAP_NET_RAW capability) could use     this flaw to elevate their privileges on the     system.(CVE-2016-8655i1/4%0

  - An exploitable memory corruption flaw was found in the     Linux kernel. The append path can be erroneously     switched from UFO to non-UFO in ip_ufo_append_data()     when building an UFO packet with MSG_MORE option. If     unprivileged user namespaces are available, this flaw     can be exploited to gain root     privileges.(CVE-2017-1000112i1/4%0

  - A security flaw was found in the Linux kernel in a way     that the cleancache subsystem clears an inode after the     final file truncation (removal). The new file created     with the same inode may contain leftover pages from     cleancache and the old file data instead of the new     one.(CVE-2018-16862i1/4%0

  - arch/arm64/ include /asm/pgtable.h in the Linux kernel     before 3.15-rc5-next-20140519, as used in Android     before 2016-07-05 on Nexus 5X and 6P devices,     mishandles execute-only pages, which allows attackers     to gain privileges via a crafted application, aka     Android internal bug 28557020.(CVE-2014-9803i1/4%0

  - A heap-buffer overflow vulnerability was found in the     arcmsr_iop_message_xfer() function in     'drivers/scsi/arcmsr/arcmsr_hba.c' file in the Linux     kernel through 4.8.2. The function does not restrict a     certain length field, which allows local users to gain     privileges or cause a denial of service via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control code. This can     potentially cause kernel heap corruption and arbitrary     kernel code execution.(CVE-2016-7425i1/4%0

  - An issue was discovered in the Linux kernel before     4.18.11. The ipddp_ioctl function in     drivers/net/appletalk/ipddp.c allows local users to     obtain sensitive kernel address information by     leveraging CAP_NET_ADMIN to read the ipddp_route dev     and next fields via an SIOCFINDIPDDPRT ioctl     call.(CVE-2018-20511i1/4%0

  - A memory leak in the irda_bind function in     net/irda/af_irda.c in the Linux kernel, through 4.16,     allows local users to cause a denial of service due to     a memory consumption by repeatedly binding an AF_IRDA     socket.(CVE-2018-6554i1/4%0

  - sound/core/timer.c in the Linux kernel before 4.4.1     employs a locking approach that does not consider slave     timer instances, which allows local users to cause a     denial of service (race condition, use-after-free, and     system crash) via a crafted ioctl     call.(CVE-2016-2547i1/4%0

  - Buffer overflow in the complete_emulated_mmio function     in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6     allows guest OS users to execute arbitrary code on the     host OS by leveraging a loop that triggers an invalid     memory copy affecting certain cancel_work_item     data.(CVE-2014-0049i1/4%0

  - An issue was discovered in the F2FS filesystem code in     the Linux kernel in fs/f2fs/inode.c. A denial of     service due to a slab out-of-bounds read can occur for     a crafted f2fs filesystem image in which FI_EXTRA_ATTR     is set in an inode.(CVE-2018-13098i1/4%0

  - A vulnerability was found in the Linux kernel where     having malicious IP options present would cause the     ipv4_pktinfo_prepare() function to drop/free the dst.
    This could result in a system crash or possible     privilege escalation.(CVE-2017-5970i1/4%0

  - In the Linux kernel's vmw_gb_surface_define_ioctl()     function, in 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c'     file, a 'req-i1/4zmip_levels' is a user-controlled value     which is later used as a loop count limit. This allows     local unprivileged user to cause a denial of service by     a kernel lockup via a crafted ioctl call for a     '/dev/dri/renderD*' device.(CVE-2017-7346i1/4%0

  - It was found that the NFSv4 server in the Linux kernel     did not properly validate layout type when processing     NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A     remote attacker could use this flaw to soft-lockup the     system and thus cause denial of     service.(CVE-2017-8797i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the linux package has been released.

Dmitry Vyukov discovered that the key management subsystem in the Linux kernel did not properly restrict adding a key that already exists but is negatively instantiated. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8539)

It was discovered that a use-after-free vulnerability existed in the device driver for XCeive xc2028/xc3028 tuners in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-7913)

Pengfei Ding (Ding Peng Fei ), Chenfu Bao (Bao Chen Fu ), and Lenx Wei (Wei Tao ) discovered a race condition in the generic SCSI driver (sg) of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-0794)

Eric Biggers discovered that the key management subsystem in the Linux kernel did not properly restrict adding a key that already exists but is uninstantiated. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-15299)

It was discovered that a NULL pointer dereference could be triggered in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-18216)

Luo Quan and Wei Yang discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel when handling ioctl()s. A local attacker could use this to cause a denial of service (system deadlock). (CVE-2018-1000004)

Fan Long Fei  discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel that could lead to a use- after-free or an out-of-bounds buffer access. A local attacker with access to /dev/snd/seq could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-7566)

It was discovered that a buffer overflow existed in the NFC Logical Link Control Protocol (llcp) implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-9518).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3776-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

Jann Horn discovered that the vmacache subsystem did not properly handle sequence number overflows, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2018-17182)

It was discovered that the paravirtualization implementation in the Linux kernel did not properly handle some indirect calls, reducing the effectiveness of Spectre v2 mitigations for paravirtual guests. A local attacker could use this to expose sensitive information.
(CVE-2018-15594)

It was discovered that microprocessors utilizing speculative execution and prediction of return addresses via Return Stack Buffer (RSB) may allow unauthorized memory reads via sidechannel attacks. An attacker could use this to expose sensitive information. (CVE-2018-15572)

It was discovered that a NULL pointer dereference could be triggered in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-18216)

It was discovered that a race condition existed in the raw MIDI driver for the Linux kernel, leading to a double free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10902)

It was discovered that a stack-based buffer overflow existed in the iSCSI target implementation of the Linux kernel. A remote attacker could use this to cause a denial of service (system crash).
(CVE-2018-14633)

It was discovered that the YUREX USB device driver for the Linux kernel did not properly restrict user space reads or writes. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-16276)

It was discovered that a memory leak existed in the IRDA subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2018-6554)

It was discovered that a use-after-free vulnerability existed in the IRDA implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-6555).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jann Horn discovered that the vmacache subsystem did not properly handle sequence number overflows, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2018-17182)

It was discovered that the paravirtualization implementation in the Linux kernel did not properly handle some indirect calls, reducing the effectiveness of Spectre v2 mitigations for paravirtual guests. A local attacker could use this to expose sensitive information.
(CVE-2018-15594)

It was discovered that microprocessors utilizing speculative execution and prediction of return addresses via Return Stack Buffer (RSB) may allow unauthorized memory reads via sidechannel attacks. An attacker could use this to expose sensitive information. (CVE-2018-15572)

It was discovered that a NULL pointer dereference could be triggered in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-18216)

It was discovered that a race condition existed in the raw MIDI driver for the Linux kernel, leading to a double free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10902)

It was discovered that a stack-based buffer overflow existed in the iSCSI target implementation of the Linux kernel. A remote attacker could use this to cause a denial of service (system crash).
(CVE-2018-14633)

It was discovered that the YUREX USB device driver for the Linux kernel did not properly restrict user space reads or writes. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-16276)

It was discovered that a memory leak existed in the IRDA subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2018-6554)

It was discovered that a use-after-free vulnerability existed in the IRDA implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-6555).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of 'linux', 'linux-esx' packages of Photon OS has been released.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2017-0861

Robb Glasser reported a potential use-after-free in the ALSA (sound) PCM core. We believe this was not possible in practice.

CVE-2017-5715

Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system.

This specific attack has been named Spectre variant 2 (branch target injection) and is mitigated for the x86 architecture (amd64 and i386) by using the 'retpoline' compiler feature which allows indirect branches to be isolated from speculative execution.

CVE-2017-13166

A bug in the 32-bit compatibility layer of the v4l2 ioctl handling code has been found. Memory protections ensuring user-provided buffers always point to userland memory were disabled, allowing destination addresses to be in kernel space. On a 64-bit kernel (amd64 flavour) a local user with access to a suitable video device can exploit this to overwrite kernel memory, leading to privilege escalation.

CVE-2017-16526

Andrey Konovalov reported that the UWB subsystem may dereference an invalid pointer in an error case. A local user might be able to use this for denial of service.

CVE-2017-16911

Secunia Research reported that the USB/IP vhci_hcd driver exposed kernel heap addresses to local users. This information could aid the exploitation of other vulnerabilities.

CVE-2017-16912

Secunia Research reported that the USB/IP stub driver failed to perform a range check on a received packet header field, leading to an out-of-bounds read. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-16913

Secunia Research reported that the USB/IP stub driver failed to perform a range check on a received packet header field, leading to excessive memory allocation. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-16914

Secunia Research reported that the USB/IP stub driver failed to check for an invalid combination of fields in a recieved packet, leading to a NULL pointer dereference. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-18017

Denys Fedoryshchenko reported that the netfilter xt_TCPMSS module failed to validate TCP header lengths, potentially leading to a use-after-free. If this module is loaded, it could be used by a remote attacker for denial of service or possibly for code execution.

CVE-2017-18203

Hou Tao reported that there was a race condition in creation and deletion of device-mapper (DM) devices. A local user could potentially use this for denial of service.

CVE-2017-18216

Alex Chen reported that the OCFS2 filesystem failed to hold a necessary lock during nodemanager sysfs file operations, potentially leading to a NULL pointer dereference. A local user could use this for denial of service.

CVE-2018-1068

The syzkaller tool found that the 32-bit compatibility layer of ebtables did not sufficiently validate offset values. On a 64-bit kernel (amd64 flavour), a local user with the CAP_NET_ADMIN capability could use this to overwrite kernel memory, possibly leading to privilege escalation.

CVE-2018-1092

Wen Xu reported that a crafted ext4 filesystem image would trigger a null dereference when mounted. A local user able to mount arbitrary filesystems could use this for denial of service.

CVE-2018-5332

Mohamed Ghannam reported that the RDS protocol did not sufficiently validate RDMA requests, leading to an out-of-bounds write. A local attacker on a system with the rds module loaded could use this for denial of service or possibly for privilege escalation.

CVE-2018-5333

Mohamed Ghannam reported that the RDS protocol did not properly handle an error case, leading to a NULL pointer dereference. A local attacker on a system with the rds module loaded could possibly use this for denial of service.

CVE-2018-5750

Wang Qize reported that the ACPI sbshc driver logged a kernel heap address. This information could aid the exploitation of other vulnerabilities.

CVE-2018-5803

Alexey Kodanev reported that the SCTP protocol did not range-check the length of chunks to be created. A local or remote user could use this to cause a denial of service.

CVE-2018-6927

Li Jinyue reported that the FUTEX_REQUEUE operation on futexes did not check for negative parameter values, which might lead to a denial of service or other security impact.

CVE-2018-7492

The syzkaller tool found that the RDS protocol was lacking a NULL pointer check. A local attacker on a system with the rds module loaded could use this for denial of service.

CVE-2018-7566

&#x8303;&#x9F99;&#x98DE; (Fan LongFei) reported a race condition in the ALSA (sound) sequencer core, between write and ioctl operations.
This could lead to an out-of-bounds access or use-after-free. A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation.

CVE-2018-7740

Nic Losby reported that the hugetlbfs filesystem's mmap operation did not properly range-check the file offset. A local user with access to files on a hugetlbfs filesystem could use this to cause a denial of service.

CVE-2018-7757

Jason Yan reported a memory leak in the SAS (Serial-Attached SCSI) subsystem. A local user on a system with SAS devices could use this to cause a denial of service.

CVE-2018-7995

Seunghun Han reported a race condition in the x86 MCE (Machine Check Exception) driver. This is unlikely to have any security impact.

CVE-2018-8781

Eyal Itkin reported that the udl (DisplayLink) driver's mmap operation did not properly range-check the file offset. A local user with access to a udl framebuffer device could exploit this to overwrite kernel memory, leading to privilege escalation.

CVE-2018-8822

Dr Silvio Cesare of InfoSect reported that the ncpfs client implementation did not validate reply lengths from the server. An ncpfs server could use this to cause a denial of service or remote code execution in the client.

CVE-2018-1000004

Luo Quan reported a race condition in the ALSA (sound) sequencer core, between multiple ioctl operations. This could lead to a deadlock or use-after-free. A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation.

CVE-2018-1000199

Andy Lutomirski discovered that the ptrace subsystem did not sufficiently validate hardware breakpoint settings. Local users can use this to cause a denial of service, or possibly for privilege escalation, on x86 (amd64 and i386) and possibly other architectures.

Additionally, some mitigations for CVE-2017-5753 are included in this release :

CVE-2017-5753

Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system.

This specific attack has been named Spectre variant 1 (bounds-check bypass) and is mitigated by identifying vulnerable code sections (array bounds checking followed by array access) and replacing the array access with the speculation-safe array_index_nospec() function.

More use sites will be added over time.

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.101-1. This version also includes bug fixes from upstream versions up to and including 3.2.101. It also fixes a regression in the procfs hidepid option in the previous version (Debian bug #887106).

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2017-5715     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 2 (branch target   injection) and is mitigated for the x86 architecture (amd64 and   i386) by using the 'retpoline' compiler feature which allows   indirect branches to be isolated from speculative execution.

  - CVE-2017-5753     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 1 (bounds-check   bypass) and is mitigated by identifying vulnerable code sections   (array bounds checking followed by array access) and replacing the   array access with the speculation-safe array_index_nospec()   function.

  More use sites will be added over time.

  - CVE-2017-17975     Tuba Yavuz reported a use-after-free flaw in the     USBTV007 audio-video grabber driver. A local user could     use this for denial of service by triggering failure of     audio registration.

  - CVE-2017-18193     Yunlei He reported that the f2fs implementation does not     properly handle extent trees, allowing a local user to     cause a denial of service via an application with     multiple threads.

  - CVE-2017-18216     Alex Chen reported that the OCFS2 filesystem failed to     hold a necessary lock during nodemanager sysfs file     operations, potentially leading to a NULL pointer     dereference. A local user could use this for denial of     service.

  - CVE-2017-18218     Jun He reported a use-after-free flaw in the Hisilicon     HNS ethernet driver. A local user could use this for     denial of service.

  - CVE-2017-18222     It was reported that the Hisilicon Network Subsystem     (HNS) driver implementation does not properly handle     ethtool private flags. A local user could use this for     denial of service or possibly have other impact.

  - CVE-2017-18224     Alex Chen reported that the OCFS2 filesystem omits the     use of a semaphore and consequently has a race condition     for access to the extent tree during read operations in     DIRECT mode. A local user could use this for denial of     service.

  - CVE-2017-18241     Yunlei He reported that the f2fs implementation does not     properly initialise its state if the 'noflush_merge'     mount option is used. A local user with access to a     filesystem mounted with this option could use this to     cause a denial of service.

  - CVE-2017-18257     It was reported that the f2fs implementation is prone to     an infinite loop caused by an integer overflow in the
    __get_data_block() function. A local user can use this     for denial of service via crafted use of the open and     fallocate system calls with an FS_IOC_FIEMAP ioctl.

  - CVE-2018-1065     The syzkaller tool found a NULL pointer dereference flaw     in the netfilter subsystem when handling certain     malformed iptables rulesets. A local user with the     CAP_NET_RAW or CAP_NET_ADMIN capability (in any user     namespace) could use this to cause a denial of service.
    Debian disables unprivileged user namespaces by default.

  - CVE-2018-1066     Dan Aloni reported to Red Hat that the CIFS client     implementation would dereference a NULL pointer if the     server sent an invalid response during NTLMSSP setup     negotiation. This could be used by a malicious server     for denial of service.

  - CVE-2018-1068     The syzkaller tool found that the 32-bit compatibility     layer of ebtables did not sufficiently validate offset     values. On a 64-bit kernel, a local user with the     CAP_NET_ADMIN capability (in any user namespace) could     use this to overwrite kernel memory, possibly leading to     privilege escalation. Debian disables unprivileged user     namespaces by default.

  - CVE-2018-1092     Wen Xu reported that a crafted ext4 filesystem image     would trigger a null dereference when mounted. A local     user able to mount arbitrary filesystems could use this     for denial of service.

  - CVE-2018-1093     Wen Xu reported that a crafted ext4 filesystem image     could trigger an out-of-bounds read in the     ext4_valid_block_bitmap() function. A local user able to     mount arbitrary filesystems could use this for denial of     service.

  - CVE-2018-1108     Jann Horn reported that crng_ready() does not properly     handle the crng_init variable states and the RNG could     be treated as cryptographically safe too early after     system boot.

  - CVE-2018-5803     Alexey Kodanev reported that the SCTP protocol did not     range-check the length of chunks to be created. A local     or remote user could use this to cause a denial of     service.

  - CVE-2018-7480     Hou Tao discovered a double-free flaw in the     blkcg_init_queue() function in block/blk-cgroup.c. A     local user could use this to cause a denial of service     or have other impact.

  - CVE-2018-7566     Fan LongFei reported a race condition in the ALSA     (sound) sequencer core, between write and ioctl     operations. This could lead to an out-of-bounds access     or use-after-free. A local user with access to a     sequencer device could use this for denial of service or     possibly for privilege escalation.

  - CVE-2018-7740     Nic Losby reported that the hugetlbfs filesystem's mmap     operation did not properly range-check the file offset.
    A local user with access to files on a hugetlbfs     filesystem could use this to cause a denial of service.

  - CVE-2018-7757     Jason Yan reported a memory leak in the SAS     (Serial-Attached SCSI) subsystem. A local user on a     system with SAS devices could use this to cause a denial     of service.

  - CVE-2018-7995     Seunghun Han reported a race condition in the x86 MCE     (Machine Check Exception) driver. This is unlikely to     have any security impact.

  - CVE-2018-8087     A memory leak flaw was found in the hwsim_new_radio_nl()     function in the simulated radio testing tool driver for     mac80211, allowing a local user to cause a denial of     service.

  - CVE-2018-8781     Eyal Itkin reported that the udl (DisplayLink) driver's     mmap operation did not properly range-check the file     offset. A local user with access to a udl framebuffer     device could exploit this to overwrite kernel memory,     leading to privilege escalation.

  - CVE-2018-8822     Dr Silvio Cesare of InfoSect reported that the ncpfs     client implementation did not validate reply lengths     from the server. An ncpfs server could use this to cause     a denial of service or remote code execution in the     client.

  - CVE-2018-10323     Wen Xu reported a NULL pointer dereference flaw in the     xfs_bmapi_write() function triggered when mounting and     operating a crafted xfs filesystem image. A local user     able to mount arbitrary filesystems could use this for     denial of service.

  - CVE-2018-1000199     Andy Lutomirski discovered that the ptrace subsystem did     not sufficiently validate hardware breakpoint settings.
    Local users can use this to cause a denial of service,     or possibly for privilege escalation, on x86 (amd64 and     i386) and possibly other architectures.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2015-9016     Ming Lei reported a race condition in the multiqueue     block layer (blk-mq). On a system with a driver using     blk-mq (mtip32xx, null_blk, or virtio_blk), a local user     might be able to use this for denial of service or     possibly for privilege escalation.

  - CVE-2017-0861     Robb Glasser reported a potential use-after-free in the     ALSA (sound) PCM core. We believe this was not possible     in practice.

  - CVE-2017-5715     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 2 (branch target   injection) and is mitigated for the x86 architecture (amd64 and   i386) by using the 'retpoline' compiler feature which allows   indirect branches to be isolated from speculative execution.

  - CVE-2017-5753     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 1 (bounds-check   bypass) and is mitigated by identifying vulnerable code sections   (array bounds checking followed by array access) and replacing the   array access with the speculation-safe array_index_nospec()   function.

  More use sites will be added over time.

  - CVE-2017-13166     A bug in the 32-bit compatibility layer of the v4l2     ioctl handling code has been found. Memory protections     ensuring user-provided buffers always point to userland     memory were disabled, allowing destination addresses to     be in kernel space. On a 64-bit kernel a local user with     access to a suitable video device can exploit this to     overwrite kernel memory, leading to privilege     escalation.

  - CVE-2017-13220     Al Viro reported that the Bluetooth HIDP implementation     could dereference a pointer before performing the     necessary type check. A local user could use this to     cause a denial of service.

  - CVE-2017-16526     Andrey Konovalov reported that the UWB subsystem may     dereference an invalid pointer in an error case. A local     user might be able to use this for denial of service.

  - CVE-2017-16911     Secunia Research reported that the USB/IP vhci_hcd     driver exposed kernel heap addresses to local users.
    This information could aid the exploitation of other     vulnerabilities.

  - CVE-2017-16912     Secunia Research reported that the USB/IP stub driver     failed to perform a range check on a received packet     header field, leading to an out-of-bounds read. A remote     user able to connect to the USB/IP server could use this     for denial of service.

  - CVE-2017-16913     Secunia Research reported that the USB/IP stub driver     failed to perform a range check on a received packet     header field, leading to excessive memory allocation. A     remote user able to connect to the USB/IP server could     use this for denial of service.

  - CVE-2017-16914     Secunia Research reported that the USB/IP stub driver     failed to check for an invalid combination of fields in     a received packet, leading to a NULL pointer     dereference. A remote user able to connect to the USB/IP     server could use this for denial of service.

  - CVE-2017-18017     Denys Fedoryshchenko reported that the netfilter     xt_TCPMSS module failed to validate TCP header lengths,     potentially leading to a use-after-free. If this module     is loaded, it could be used by a remote attacker for     denial of service or possibly for code execution.

  - CVE-2017-18203     Hou Tao reported that there was a race condition in     creation and deletion of device-mapper (DM) devices. A     local user could potentially use this for denial of     service.

  - CVE-2017-18216     Alex Chen reported that the OCFS2 filesystem failed to     hold a necessary lock during nodemanager sysfs file     operations, potentially leading to a NULL pointer     dereference. A local user could use this for denial of     service.

  - CVE-2017-18232     Jason Yan reported a race condition in the SAS     (Serial-Attached SCSI) subsystem, between probing and     destroying a port. This could lead to a deadlock. A     physically present attacker could use this to cause a     denial of service.

  - CVE-2017-18241     Yunlei He reported that the f2fs implementation does not     properly initialise its state if the 'noflush_merge'     mount option is used. A local user with access to a     filesystem mounted with this option could use this to     cause a denial of service.

  - CVE-2018-1066     Dan Aloni reported to Red Hat that the CIFS client     implementation would dereference a NULL pointer if the     server sent an invalid response during NTLMSSP setup     negotiation. This could be used by a malicious server     for denial of service.

  - CVE-2018-1068     The syzkaller tool found that the 32-bit compatibility     layer of ebtables did not sufficiently validate offset     values. On a 64-bit kernel, a local user with the     CAP_NET_ADMIN capability (in any user namespace) could     use this to overwrite kernel memory, possibly leading to     privilege escalation. Debian disables unprivileged user     namespaces by default.

  - CVE-2018-1092     Wen Xu reported that a crafted ext4 filesystem image     would trigger a null dereference when mounted. A local     user able to mount arbitrary filesystems could use this     for denial of service.

  - CVE-2018-5332     Mohamed Ghannam reported that the RDS protocol did not     sufficiently validate RDMA requests, leading to an     out-of-bounds write. A local attacker on a system with     the rds module loaded could use this for denial of     service or possibly for privilege escalation.

  - CVE-2018-5333     Mohamed Ghannam reported that the RDS protocol did not     properly handle an error case, leading to a NULL pointer     dereference. A local attacker on a system with the rds     module loaded could possibly use this for denial of     service.

  - CVE-2018-5750     Wang Qize reported that the ACPI sbshc driver logged a     kernel heap address. This information could aid the     exploitation of other vulnerabilities.

  - CVE-2018-5803     Alexey Kodanev reported that the SCTP protocol did not     range-check the length of chunks to be created. A local     or remote user could use this to cause a denial of     service.

  - CVE-2018-6927     Li Jinyue reported that the FUTEX_REQUEUE operation on     futexes did not check for negative parameter values,     which might lead to a denial of service or other     security impact.

  - CVE-2018-7492     The syzkaller tool found that the RDS protocol was     lacking a null pointer check. A local attacker on a     system with the rds module loaded could use this for     denial of service.

  - CVE-2018-7566     Fan LongFei reported a race condition in the ALSA     (sound) sequencer core, between write and ioctl     operations. This could lead to an out-of-bounds access     or use-after-free. A local user with access to a     sequencer device could use this for denial of service or     possibly for privilege escalation.

  - CVE-2018-7740     Nic Losby reported that the hugetlbfs filesystem's mmap     operation did not properly range-check the file offset.
    A local user with access to files on a hugetlbfs     filesystem could use this to cause a denial of service.

  - CVE-2018-7757     Jason Yan reported a memory leak in the SAS     (Serial-Attached SCSI) subsystem. A local user on a     system with SAS devices could use this to cause a denial     of service.

  - CVE-2018-7995     Seunghun Han reported a race condition in the x86 MCE     (Machine Check Exception) driver. This is unlikely to     have any security impact.

  - CVE-2018-8781     Eyal Itkin reported that the udl (DisplayLink) driver's     mmap operation did not properly range-check the file     offset. A local user with access to a udl framebuffer     device could exploit this to overwrite kernel memory,     leading to privilege escalation.

  - CVE-2018-8822     Dr Silvio Cesare of InfoSect reported that the ncpfs     client implementation did not validate reply lengths     from the server. An ncpfs server could use this to cause     a denial of service or remote code execution in the     client.

  - CVE-2018-1000004     Luo Quan reported a race condition in the ALSA (sound)     sequencer core, between multiple ioctl operations. This     could lead to a deadlock or use-after-free. A local user     with access to a sequencer device could use this for     denial of service or possibly for privilege escalation.

  - CVE-2018-1000199     Andy Lutomirski discovered that the ptrace subsystem did     not sufficiently validate hardware breakpoint settings.
    Local users can use this to cause a denial of service,     or possibly for privilege escalation, on x86 (amd64 and     i386) and possibly other architectures.

ID	Name	Product	Family	Severity
153271	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2021-2392)	Nessus	Huawei Local Security Checks	high
149587	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-1904)	Nessus	Huawei Local Security Checks	high
149098	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2021-1808)	Nessus	Huawei Local Security Checks	high
124806	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1482)	Nessus	Huawei Local Security Checks	high
121841	Photon OS 1.0: Linux PHSA-2018-1.0-0135	Nessus	PhotonOS Local Security Checks	medium
118329	Ubuntu 14.04 LTS : Linux kernel vulnerabilities (USN-3798-1)	Nessus	Ubuntu Local Security Checks	high
117871	Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3776-2)	Nessus	Ubuntu Local Security Checks	high
117870	Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3776-1)	Nessus	Ubuntu Local Security Checks	high
111937	Photon OS 1.0: Linux PHSA-2018-1.0-0135 (deprecated)	Nessus	PhotonOS Local Security Checks	medium
109531	Debian DLA-1369-1 : linux security update (Spectre)	Nessus	Debian Local Security Checks	critical
109518	Debian DSA-4188-1 : linux - security update (Spectre)	Nessus	Debian Local Security Checks	high
109517	Debian DSA-4187-1 : linux - security update (Spectre)	Nessus	Debian Local Security Checks	critical

CVE-2017-18216

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

medium

high

high

high

medium

critical

high

critical