openSUSE-SU-2020:0801

openSUSE-SU-2020:0935

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.7

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b43d1f9f7067c6759b1051e8ecb84e82cef569fe

This update syncs the RT kernel from the SUSE Linux Enterprise 15-SP2 codestream. This update was imported from the SUSE:SLE-15-SP2:Update update project.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):A flaw was found in the     Linux kernel's implementation of the invert video code     on VGA consoles when a local attacker attempts to     resize the console, calling an ioctl VT_RESIZE, which     causes an out-of-bounds write to occur. This flaw     allows a local user with access to the VGA console to     crash the system, potentially escalating their     privileges on the system. The highest threat from this     vulnerability is to data confidentiality and integrity     as well as system availability.(CVE-2020-14331)A flaw     was found in the HDLC_PPP module of the Linux kernel in     versions before 5.9-rc7. Memory corruption and a read     overflow is caused by improper input validation in the     ppp_cp_parse_cr function which can cause the system to     crash or cause a denial of service. The highest threat     from this vulnerability is to data confidentiality and     integrity as well as system     availability.(CVE-2020-25643)A memory out-of-bounds     read flaw was found in the Linux kernel before 5.9-rc2     with the ext3/ext4 file system, in the way it accesses     a directory with broken indexing. This flaw allows a     local user to crash the system if the directory exists.
    The highest threat from this vulnerability is to system     availability.(CVE-2020-14314)A TOCTOU mismatch in the     NFS client code in the Linux kernel before 5.8.3 could     be used by local attackers to corrupt memory or     possibly have unspecified other impact because a size     check is in fs/ nfs/ nfs4proc.c instead of fs/ nfs/     nfs4xdr.c, aka CID-b4487b935452.(CVE-2020-25212)The rbd     block device driver in drivers/block/rbd.c in the Linux     kernel through 5.8.9 used incomplete permission     checking for access to rbd devices, which could be     leveraged by local attackers to map or unmap rbd block     devices, aka CID-f44d04e696fe.(CVE-2020-25284)A race     condition between hugetlb sysctl handlers in     mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL     pointer dereference, or possibly have unspecified other     impact, aka CID-17743798d812.(CVE-2020-25285)A flaw was     found in the Linux kernel before 5.9-rc4. Memory     corruption can be exploited to gain root privileges     from unprivileged processes. The highest threat from     this vulnerability is to data confidentiality and     integrity.(CVE-2020-14386)In the Linux kernel through     5.8.7, local attackers able to inject conntrack netlink     configuration could overflow a local buffer, causing     crashes or triggering use of incorrect protocol numbers     in ctnetlink_parse_tuple_filter in net/ netfilter/     nf_conntrack_netlink.c, aka     CID-1cc5ef91d2ff.(CVE-2020-25211)The VFIO PCI driver in     the Linux kernel through 5.6.13 mishandles attempts to     access disabled memory space.(CVE-2020-12888)The kernel     in Red Hat Enterprise Linux 7 and MRG-2 does not clear     garbage data for SG_IO buffer, which may leaking     sensitive information to userspace.(CVE-2014-8181)A     flaw was found in the Linux kernels SELinux LSM hook     implementation before version 5.7, where it incorrectly     assumed that an skb would only contain a single netlink     message. The hook would incorrectly only validate the     first netlink message in the skb and allow or deny the     rest of the messages within the skb with the granted     permission without further     processing.(CVE-2020-10751)The Linux kernel through     5.7.11 allows remote attackers to make observations     that help to obtain sensitive information about the     internal state of the network RNG, aka     CID-f227e3ec3b5c. This is related to     drivers/char/random.c and     kernel/time/timer.c.(CVE-2020-16166)A buffer over-read     flaw was found in RH kernel versions before 5.0 in     crypto_authenc_extractkeys in crypto/authenc.c in the     IPsec Cryptographic algorithm's module, authenc. When a     payload longer than 4 bytes, and is not following     4-byte alignment boundary guidelines, it causes a     buffer over-read threat, leading to a system crash.
    This flaw allows a local attacker with user privileges     to cause a denial of service.(CVE-2020-10769)In the     Linux kernel through 5.7.6, usbtest_disconnect in     drivers/usb/misc/usbtest.c has a memory leak, aka     CID-28ebeb8db770.(CVE-2020-15393)An issue was     discovered in the Linux kernel through 5.7.1.
    drivers/tty/vt/keyboard.c has an integer overflow if     k_ascii is called several times in a row, aka     CID-b86dab054059.(CVE-2020-13974)go7007_snd_init in     drivers/media/usb/go7007/snd-go7007.c in the Linux     kernel before 5.6 does not call snd_card_free for a     failure path, which causes a memory leak, aka     CID-9453264ef586.(CVE-2019-20810)An issue was     discovered in the Linux kernel before 5.0.6. In     rx_queue_add_kobject() and netdev_queue_add_kobject()     in net/core/ net-sysfs.c, a reference count is     mishandled, aka CID-a3e23f719f5c.(CVE-2019-20811)An     issue was discovered in the Linux kernel before 5.4.7.
    The prb_calc_retire_blk_tmo() function in     net/packet/af_packet.c can result in a denial of     service (CPU consumption and soft lockup) in a certain     failure case involving TPACKET_V3, aka     CID-b43d1f9f7067.(CVE-2019-20812)A flaw was found in     the Linux kernel's implementation of Userspace core     dumps. This flaw allows an attacker with a local     account to crash a trivial program and exfiltrate     private kernel data.(CVE-2020-10732)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Array index error in the tcm_vhost_make_tpg function in     drivers/vhost/scsi.c in the Linux kernel before 4.0     might allow guest OS users to cause a denial of service     (memory corruption) or possibly have unspecified other     impact via a crafted VHOST_SCSI_SET_ENDPOINT ioctl     call. NOTE: the affected function was renamed to     vhost_scsi_make_tpg before the vulnerability was     announced.(CVE-2015-4036)

  - The ecryptfs_privileged_open function in     fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3     allows local users to gain privileges or cause a denial     of service (stack memory consumption) via vectors     involving crafted mmap calls for /proc pathnames,     leading to recursive pagefault handling.(CVE-2016-1583)

  - It was found that SCSI driver in the Linux kernel can     improperly access userspace memory outside the provided     buffer. A local privileged attacker could potentially     use this flaw to expose information from the kernel     memory.(CVE-2017-13168)

  - The acpi_ds_create_operands() function in     drivers/acpi/acpica/dsutils.c in the Linux kernel     through 4.12.9 does not flush the operand cache and     causes a kernel stack dump, which allows local users to     obtain sensitive information from kernel memory and     bypass the KASLR protection mechanism (in the kernel     through 4.9) via a crafted ACPI table.(CVE-2017-13693)

  - The acpi_ps_complete_final_op() function in     drivers/acpi/acpica/psobject.c in the Linux kernel     through 4.12.9 does not flush the node and node_ext     caches and causes a kernel stack dump, which allows     local users to obtain sensitive information from kernel     memory and bypass the KASLR protection mechanism (in     the kernel through 4.9) via a crafted ACPI     table.(CVE-2017-13694)

  - The acpi_ns_evaluate() function in     drivers/acpi/acpica/nseval.c in the Linux kernel     through 4.12.9 does not flush the operand cache and     causes a kernel stack dump, which allows local users to     obtain sensitive information from kernel memory and     bypass the KASLR protection mechanism (in the kernel     through 4.9) via a crafted ACPI table.(CVE-2017-13695)

  - The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h     in the Linux kernel before 4.13.2 does not verify that     a filesystem has a realtime device, which allows local     users to cause a denial of service (NULL pointer     dereference and OOPS) via vectors related to setting an     RHINHERIT flag on a directory.(CVE-2017-14340)

  - The xfs_bmap_extents_to_btree function in     fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through     4.16.3 allows local users to cause a denial of service     (xfs_bmapi_write NULL pointer dereference) via a     crafted xfs image.(CVE-2018-10323)

  - A flaw was found in Linux kernel in the ext4 filesystem     code. A use-after-free is possible in     ext4_ext_remove_space() function when mounting and     operating a crafted ext4 image.(CVE-2018-10876)

  - A flaw was found in the Linux kernel ext4 filesystem.
    An out-of-bound access is possible in the     ext4_ext_drop_refs() function when operating on a     crafted ext4 filesystem image.(CVE-2018-10877)

  - The pcpu_embed_first_chunk function in mm/percpu.c in     the Linux kernel through 4.14.14 allows local users to     obtain sensitive address information by reading dmesg     data from a(CVE-2018-5995)

  - Memory leak in the irda_bind function in     net/irda/af_irda.c and later in     drivers/staging/irda/net/af_irda.c in the Linux kernel     before 4.17 allows local users to cause a denial of     service (memory consumption) by repeatedly binding an     AF_IRDA socket.(CVE-2018-6554)

  - A NULL pointer dereference was found in the     net/rds/rdma.c __rds_rdma_map() function in the Linux     kernel before 4.14.7 allowing local attackers to cause     a system panic and a denial-of-service, related to     RDS_GET_MR and RDS_GET_MR_FOR_DEST.(CVE-2018-7492)

  - ** DISPUTED ** Race condition in the     store_int_with_restart() function in     arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel     through 4.15.7 allows local users to cause a denial of     service (panic) by leveraging root access to write to     the check_interval file in a     /sys/devices/system/machinecheck/machinecheck<cpu     number> directory. NOTE: a third party has indicated     that this report is not security     relevant.(CVE-2018-7995)

  - Non-optimized code for key handling of shared futexes     was found in the Linux kernel in the form of unbounded     contention time due to the page lock for real-time     users. Before the fix, the page lock was an     unnecessarily heavy lock for the futex path that     protected too much. After the fix, the page lock is     only required in a specific corner case.(CVE-2018-9422)

  - A memory leak in the ccp_run_sha_cmd() function in     drivers/crypto/ccp/ccp-ops.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-128c66429247.(CVE-2019-18808)

  - In the Linux kernel before 5.1, there is a memory leak     in __feat_register_sp() in net/dccp/feat.c, which may     cause denial of service, aka     CID-1d3ff0950e2b.(CVE-2019-20096)

  - An issue was discovered in the Linux kernel before     5.4.7. The prb_calc_retire_blk_tmo() function in     net/packet/af_packet.c can result in a denial of     service (CPU consumption and soft lockup) in a certain     failure case involving TPACKET_V3, aka     CID-b43d1f9f7067.(CVE-2019-20812)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2020-0044 for details.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5866 advisory.

  - An issue was discovered in fs/gfs2/rgrp.c in the Linux kernel before 4.8. A use-after-free is caused by     the functions gfs2_clear_rgrpd and read_rindex_entry. (CVE-2016-10905)

  - An issue was discovered in drivers/net/ethernet/arc/emac_main.c in the Linux kernel before 4.5. A use-     after-free is caused by a race condition between the functions arc_emac_tx and arc_emac_tx_clean.
    (CVE-2016-10906)

  - The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel before 4.10.4 allows     local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer     underflow. (CVE-2017-8924)

  - The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel before 4.10.4 allows local     users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling.
    (CVE-2017-8925)

  - sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local users to cause a denial of service     (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a     crafted USB device. (CVE-2017-16528)

  - In driver_override_store and driver_override_show of bus.c, there is a possible double free due to     improper locking. This could lead to local escalation of privilege with System execution privileges     needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android     ID: A-69129004 References: Upstream kernel. (CVE-2018-9415)

  - A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network     namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-     free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system     panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2018-16884)

  - An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an
    __blk_drain_queue() use-after-free because a certain error case is mishandled. (CVE-2018-20856)

  - A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the     mwifiex kernel module while connecting to a malicious wireless network. (CVE-2019-3846)

  - The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An     attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are     believed to be vulnerable. (CVE-2019-3874)

  - An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An     attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations     before the required authentication process has completed. This could lead to different denial-of-service     scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already     existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge     Authentication and Association Request packets to trigger this vulnerability. (CVE-2019-5108)

  - In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference     counting because of a race condition, leading to a use-after-free. (CVE-2019-6974)

  - The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free. (CVE-2019-7221)

  - The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak. (CVE-2019-7222)

  - The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-     free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could     use this flaw to obtain sensitive information, cause a denial of service, or possibly have other     unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.
    (CVE-2019-14898)

  - An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a     malicious USB device in the drivers/media/usb/siano/smsusb.c driver. (CVE-2019-15218)

  - drivers/media/usb/dvb-usb/technisat-usb2.c in the Linux kernel through 5.2.9 has an out-of-bounds read via     crafted USB device traffic (which may be remote via usbip or usbredir). (CVE-2019-15505)

  - An issue was discovered in the Linux kernel before 4.20.2. An out-of-bounds access exists in the function     build_audio_procunit in the file sound/usb/mixer.c. (CVE-2019-15927)

  - An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check     the length of variable elements in a beacon head, leading to a buffer overflow. (CVE-2019-16746)

  - An issue was discovered in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has security relevance. (CVE-2019-17075)

  - fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer     dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka     CID-09ba3bc9dd15. (CVE-2019-18885)

  - A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel before     5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb()     failures, aka CID-fb5be6a7b486. (CVE-2019-19052)

  - Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow     attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout()     failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the     htc_connect_service() function, aka CID-853acf7caf10. (CVE-2019-19073)

  - In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in     kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-     buffer). (CVE-2019-19768)

  - In the Linux kernel through 5.4.6, there is a NULL pointer dereference in     drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related     to a PHY down race condition, aka CID-f70267f379b5. (CVE-2019-19965)

  - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in     fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. (CVE-2019-20054)

  - In the Linux kernel before 5.1, there is a memory leak in __feat_register_sp() in net/dccp/feat.c, which     may cause denial of service, aka CID-1d3ff0950e2b. (CVE-2019-20096)

  - An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in     net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain     failure case involving TPACKET_V3, aka CID-b43d1f9f7067. (CVE-2019-20812)

  - A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN     and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't     correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would     allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this     vulnerability is to data confidentiality. (CVE-2020-1749)

  - A flaw was found in the Linux kernel's implementation of GRO in versions before 5.2. This flaw allows an     attacker with local access to crash the system. (CVE-2020-10720)

  - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it     incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly     only validate the first netlink message in the skb and allow or deny the rest of the messages within the     skb with the granted permission without further processing. (CVE-2020-10751)

  - A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in     crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4     bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat,     leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of     service. (CVE-2020-10769)

  - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file     system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash     the system if the directory exists. The highest threat from this vulnerability is to system availability.
    (CVE-2020-14314)

  - A flaw was found in the Linux kernels implementation of the invert video code on VGA consoles when a     local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds     write to occur. This flaw allows a local user with access to the VGA console to crash the system,     potentially escalating their privileges on the system. The highest threat from this vulnerability is to     data confidentiality and integrity as well as system availability. (CVE-2020-14331)

  - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers     to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)

  - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap     rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)

  - A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified     other impact, aka CID-17743798d812. (CVE-2020-25285)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The Linux kernel through 5.7.11 allows remote attackers     to make observations that help to obtain sensitive     information about the internal state of the network     RNG, aka CID-f227e3ec3b5c. This is related to     drivers/char/random.c and     kernel/time/timer.c.(CVE-2020-16166)

  - A flaw was found in the Linux kernel's implementation     of the invert video code on VGA consoles when a local     attacker attempts to resize the console, calling an     ioctl VT_RESIZE, which causes an out-of-bounds write to     occur. This flaw allows a local user with access to the     VGA console to crash the system, potentially escalating     their privileges on the system. The highest threat from     this vulnerability is to data confidentiality and     integrity as well as system     availability.(CVE-2020-14331)

  - A buffer over-read flaw was found in RH kernel versions     before 5.0 in crypto_authenc_extractkeys in     crypto/authenc.c in the IPsec Cryptographic algorithm's     module, authenc. When a payload longer than 4 bytes,     and is not following 4-byte alignment boundary     guidelines, it causes a buffer over-read threat,     leading to a system crash. This flaw allows a local     attacker with user privileges to cause a denial of     service.(CVE-2020-10769)

  - An issue was discovered in the Linux kernel through     5.7.1. drivers/tty/vt/keyboard.c has an integer     overflow if k_ascii is called several times in a row,     aka CID-b86dab054059. NOTE: Members in the community     argue that the integer overflow does not lead to a     security issue in this case.(CVE-2020-13974)

  - In the Linux kernel through 5.7.6, usbtest_disconnect     in drivers/usb/misc/usbtest.c has a memory leak, aka     CID-28ebeb8db770.(CVE-2020-15393)

  - The VFIO PCI driver in the Linux kernel through 5.6.13     mishandles attempts to access disabled memory     space.(CVE-2020-12888)

  - go7007_snd_init in     drivers/media/usb/go7007/snd-go7007.c in the Linux     kernel before 5.6 does not call snd_card_free for a     failure path, which causes a memory leak, aka     CID-9453264ef586.(CVE-2019-20810)

  - An issue was discovered in the Linux kernel before     5.0.6. In rx_queue_add_kobject() and     netdev_queue_add_kobject() in net/core/net-sysfs.c, a     reference count is mishandled, aka     CID-a3e23f719f5c.(CVE-2019-20811)

  - An issue was discovered in the Linux kernel before     5.4.7. The prb_calc_retire_blk_tmo() function in     net/packet/af_packet.c can result in a denial of     service (CPU consumption and soft lockup) in a certain     failure case involving TPACKET_V3, aka     CID-b43d1f9f7067.(CVE-2019-20812)

  - A flaw was found in the Linux kernel's implementation     of Userspace core dumps. This flaw allows an attacker     with a local account to crash a trivial program and     exfiltrate private kernel data.(CVE-2020-10732)

  - A flaw was found in the Linux kernels SELinux LSM hook     implementation before version 5.7, where it incorrectly     assumed that an skb would only contain a single netlink     message. The hook would incorrectly only validate the     first netlink message in the skb and allow or deny the     rest of the messages within the skb with the granted     permission without further processing.(CVE-2020-10751)

  - gadget_dev_desc_UDC_store in     drivers/usb/gadget/configfs.c in the Linux kernel     through 5.6.13 relies on kstrdup without considering     the possibility of an internal '\0' value, which allows     attackers to trigger an out-of-bounds read, aka     CID-15753588bcd4.(CVE-2020-13143)

  - A signal access-control issue was discovered in the     Linux kernel before 5.6.5, aka CID-7395ea4e65c2.
    Because exec_id in include/linux/sched.h is only 32     bits, an integer overflow can interfere with a     do_notify_parent protection mechanism. A child process     can send an arbitrary signal to a parent process in a     different security domain. Exploitation limitations     include the amount of elapsed time before an integer     overflow occurs, and the lack of scenarios where     signals to a parent process present a substantial     operational threat.(CVE-2020-12826)

  - The __mptctl_ioctl function in     drivers/message/fusion/mptctl.c in the Linux kernel     before 5.4.14 allows local users to hold an incorrect     lock during the ioctl operation and trigger a race     condition, i.e., a 'double fetch' vulnerability, aka     CID-28d76df18f0a. NOTE: the vendor states 'The security     impact of this bug is not as bad as it could have been     because these operations are all privileged and root     already has enormous destructive     power.'(CVE-2020-12652)

  - An issue was found in Linux kernel before 5.5.4. The     mwifiex_cmd_append_vsie_tlv() function in     drivers/net/wireless/marvell/mwifiex/scan.c allows     local users to gain privileges or cause a denial of     service because of an incorrect memcpy and buffer     overflow, aka CID-b70261a288ea.(CVE-2020-12653)

  - An issue was found in Linux kernel before 5.5.4.
    mwifiex_ret_wmm_get_status() in     drivers/net/wireless/marvell/mwifiex/wmm.c allows a     remote AP to trigger a heap-based buffer overflow     because of an incorrect memcpy, aka     CID-3a9b153c5591.(CVE-2020-12654)

  - An issue was discovered in xfs_agf_verify in     fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through     5.6.10. Attackers may trigger a sync of excessive     duration via an XFS v5 image with crafted metadata, aka     CID-d0c7feaf8767.(CVE-2020-12655)

  - A flaw was found in the Linux kernel's implementation     of GRO in versions before 5.2. This flaw allows an     attacker with local access to crash the     system.(CVE-2020-10720)

  - An issue was discovered in the Linux kernel through     5.6.11. sg_write lacks an sg_remove_request call in a     certain failure case, aka     CID-83c6f2390040.(CVE-2020-12770)

  - In the Linux kernel before 5.4.12,     drivers/input/input.c has out-of-bounds writes via a     crafted keycode table, as demonstrated by     input_set_keycode, aka     CID-cb222aed03d7.(CVE-2019-20636)

  - An issue was discovered in the stv06xx subsystem in the     Linux kernel before 5.6.1.
    drivers/media/usb/gspca/stv06xx/stv06xx.c and     drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c     mishandle invalid descriptors, as demonstrated by a     NULL pointer dereference, aka     CID-485b06aadb93.(CVE-2020-11609)

  - In the netlink driver, there is a possible out of     bounds write due to a race condition. This could lead     to local escalation of privilege with System execution     privileges needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-65025077(CVE-2020-0066)

  - In the Linux kernel before 5.5.8, get_raw_socket in     drivers/vhost/net.c lacks validation of an sk_family     field, which might allow attackers to trigger kernel     stack corruption via crafted system     calls.(CVE-2020-10942)

  - An issue was discovered in slc_bump in     drivers/net/can/slcan.c in the Linux kernel through     5.6.2. It allows attackers to read uninitialized     can_frame data, potentially containing sensitive     information from kernel stack memory, if the     configuration lacks CONFIG_INIT_STACK_ALL, aka     CID-b9258a2cece4.(CVE-2020-11494)

  - An issue was discovered in the Linux kernel through     5.6.2. mpol_parse_str in mm/mempolicy.c has a     stack-based out-of-bounds write because an empty     nodelist is mishandled during mount option parsing, aka     CID-aa9f7d5172fa. NOTE: Someone in the security     community disagrees that this is a vulnerability     because the issue 'is a bug in parsing mount options     which can only be specified by a privileged user, so     triggering the bug does not grant any powers not     already held.'.(CVE-2020-11565)

  - An issue was discovered in the Linux kernel before     5.6.1. drivers/media/usb/gspca/ov519.c allows NULL     pointer dereferences in ov511_mode_init_regs and     ov518_mode_init_regs when there are zero endpoints, aka     CID-998912346c0d.(CVE-2020-11608)

  - The kernel in Red Hat Enterprise Linux 7 and MRG-2 does     not clear garbage data for SG_IO buffer, which may     leaking sensitive information to     userspace.(CVE-2014-8181)

  - In the Linux kernel 5.0.21, mounting a crafted ext4     filesystem image, performing some operations, and     unmounting can lead to a use-after-free in     ext4_put_super in fs/ext4/super.c, related to     dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5845 advisory.

  - An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in     io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item     validation in check_leaf_item in fs/btrfs/tree-checker.c. (CVE-2018-14613)

  - A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network     namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-     free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system     panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2018-16884)

  - The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An     attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are     believed to be vulnerable. (CVE-2019-3874)

  - An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including     v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster     than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the     vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)

  - An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An     attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations     before the required authentication process has completed. This could lead to different denial-of-service     scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already     existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge     Authentication and Association Request packets to trigger this vulnerability. (CVE-2019-5108)

  - In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel     produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple     destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and     thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page     that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses. (CVE-2019-10638)

  - The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel     address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel     image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and     ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash     collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This     key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via     enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the     attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled     IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic     is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the     attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP     addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to     have a dependency on an address associated with a network namespace. (CVE-2019-10639)

  - The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-     free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could     use this flaw to obtain sensitive information, cause a denial of service, or possibly have other     unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.
    (CVE-2019-14898)

  - An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a     malicious USB device in the drivers/media/usb/siano/smsusb.c driver. (CVE-2019-15218)

  - An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check     the length of variable elements in a beacon head, leading to a buffer overflow. (CVE-2019-16746)

  - An issue was discovered in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has security relevance. (CVE-2019-17075)

  - In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a     long SSID IE, leading to a Buffer Overflow. (CVE-2019-17133)

  - fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer     dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka     CID-09ba3bc9dd15. (CVE-2019-18885)

  - A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel before     5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb()     failures, aka CID-fb5be6a7b486. (CVE-2019-19052)

  - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the     Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka     CID-3f9361695113. (CVE-2019-19063)

  - A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering     bfa_port_get_stats() failures, aka CID-0e62395da2bd. (CVE-2019-19066)

  - Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow     attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout()     failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the     htc_connect_service() function, aka CID-853acf7caf10. (CVE-2019-19073)

  - A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
    (CVE-2019-19074)

  - A memory leak in the ath10k_usb_hif_tx_sg() function in drivers/net/wireless/ath/ath10k/usb.c in the Linux     kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering     usb_submit_urb() failures, aka CID-b8d17e7d93d2. (CVE-2019-19078)

  - In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device     in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042. (CVE-2019-19535)

  - kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with     Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by     generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words,     although this slice expiration would typically be seen with benign workloads, it is possible that an     attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a     low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray     requests. An attack does not affect the stability of the kernel; it only causes mismanagement of     application execution.) (CVE-2019-19922)

  - An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in     net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain     failure case involving TPACKET_V3, aka CID-b43d1f9f7067. (CVE-2019-20812)

  - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it     incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly     only validate the first netlink message in the skb and allow or deny the rest of the messages within the     skb with the granted permission without further processing. (CVE-2020-10751)

  - A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in     crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4     bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat,     leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of     service. (CVE-2020-10769)

  - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before     4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a     denial of service (panic) by corrupting a mountpoint reference counter. (CVE-2020-12114)

  - An issue was discovered in the Linux kernel through 5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c     has a deadlock if a coalescing operation fails. (CVE-2020-12771)

  - The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive     information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to     drivers/char/random.c and kernel/time/timer.c. (CVE-2020-16166)

  - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new     filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the     current umask is not considered. (CVE-2020-24394)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5841 advisory.

  - A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network     namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-     free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system     panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2018-16884)

  - An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in     net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain     failure case involving TPACKET_V3, aka CID-b43d1f9f7067. (CVE-2019-20812)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The SUSE Linux Enterprise 15 SP1 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-10135: Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2 and earlier may have allowed an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key (bnc#1171988).

CVE-2020-0305: In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1174462).

CVE-2019-20908: An issue was discovered in drivers/firmware/efi/efi.c where incorrect access permissions for the efivar_ssdt ACPI variable could be used by attackers to bypass lockdown or secure boot restrictions, aka CID-1957a85b0032 (bnc#1173567).

CVE-2020-10781: zram sysfs resource consumption was fixed (bnc#1173074).

CVE-2020-15780: An issue was discovered in drivers/acpi/acpi_configfs.c where injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30 (bnc#1173573).

CVE-2020-15393: usbtest_disconnect in drivers/usb/misc/usbtest.c had a memory leak, aka CID-28ebeb8db770 (bnc#1173514).

CVE-2020-12771: btree_gc_coalesce in drivers/md/bcache/btree.c had a deadlock if a coalescing operation fails (bnc#1171732).

CVE-2020-12888: The VFIO PCI driver mishandled attempts to access disabled memory space (bnc#1171868).

CVE-2020-10769: A buffer over-read flaw was found in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4 bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat, leading to a system crash. This flaw allowed a local attacker with user privileges to cause a denial of service (bnc#1173265).

CVE-2020-10773: A kernel stack information leak on s390/s390x was fixed (bnc#1172999).

CVE-2020-14416: A race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002).

CVE-2020-10766: Fixed an issue which allowed an attacker with a local account to disable SSBD protection (bnc#1172781).

CVE-2020-10767: Fixed an issue where Indirect Branch Prediction Barrier was disabled in certain circumstances, leaving the system open to a spectre v2 style attack (bnc#1172782).

CVE-2020-10768: Fixed an issue with the prctl() function, where indirect branch speculation could be enabled even though it was diabled before (bnc#1172783).

CVE-2020-13974: Fixed a integer overflow in drivers/tty/vt/keyboard.c, if k_ascii is called several times in a row (bnc#1172775).

CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).

CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).

CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).

CVE-2020-12659: Fixed an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) due to improper headroom validation (bsc#1171214).

CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205).

CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).

CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).

CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).

CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).

CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).

CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).

CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).

CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).

CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).

CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).

CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).

CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).

CVE-2020-10711: Fixed a NULL pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).

CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).

CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).

CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).

CVE-2019-20806: Fixed a NULL pointer dereference which may had lead to denial of service (bsc#1172199).

CVE-2019-19462: Fixed an issue which could have allowed local user to cause denial of service (bsc#1158265).

CVE-2019-20810: go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c did not call snd_card_free for a failure path, which caused a memory leak, aka CID-9453264ef586 (bnc#1172458).

CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc. Security Fix(es):In the Android kernel in     F2FS driver there is a possible out of bounds read due     to a missing bounds check. This could lead to local     information disclosure with system execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2019-9445)In calc_vm_may_flags of     ashmem.c, there is a possible arbitrary write to shared     memory due to a permissions bypass. This could lead to     local escalation of privilege by corrupting memory     shared between processes, with no additional execution     privileges needed. User interaction is not needed for     exploitation. Product: Android Versions: Android kernel     Android ID: A-142938932(CVE-2020-0009)A new domain     bypass transient execution attack known as Special     Register Buffer Data Sampling (SRBDS) has been found.
    This flaw allows data values from special internal     registers to be leaked by an attacker able to execute     code on any core of the CPU. An unprivileged, local     attacker can use this flaw to infer values returned by     affected instructions known to be commonly used during     cryptographic operations that rely on uniqueness,     secrecy, or both.(CVE-2020-0543)A flaw was found in the     Linux kernel's implementation of the BTRFS file system.
    A local attacker, with the ability to mount a file     system, can create a use-after-free memory fault after     the file system has been unmounted. This may lead to     memory corruption or privilege     escalation.(CVE-2019-19377)A NULL pointer dereference     flaw may occur in the Linux kernel's relay_open in     kernel/relay.c. if the alloc_percpu() function is not     validated in time of failure and used as a valid     address for access. An attacker could use this flaw to     cause a denial of service.(CVE-2019-19462)A NULL     pointer dereference flaw was found in     tw5864_handle_frame function in     drivers/media/pci/tw5864/tw5864-video.c in the TW5864     Series Video media driver. The pointer 'vb' is     assigned, but not validated before its use, and can     lead to a denial of service. This flaw allows a local     attacker with special user or root privileges to crash     the system or leak internal kernel     information.(CVE-2019-20806)go7007_snd_init in     drivers/media/usb/go7007/snd-go7007.c in the Linux     kernel before 5.6 does not call snd_card_free for a     failure path, which causes a memory leak, aka     CID-9453264ef586.(CVE-2019-20810)An issue was     discovered in the Linux kernel before 5.0.6. In     rx_queue_add_kobject() and netdev_queue_add_kobject()     in net/core/net-sysfs.c, a reference count is     mishandled, aka CID-a3e23f719f5c.(CVE-2019-20811)A flaw     was found in the way the af_packet functionality in the     Linux kernel handled the retirement timer setting for     TPACKET_v3 when getting settings from the underlying     network device errors out. This flaw allows a local     user who can open the af_packet domain socket and who     can hit the error path, to use this vulnerability to     starve the system.(CVE-2019-20812)A NULL pointer     dereference flaw was found in the Linux kernel's     SELinux subsystem. This flaw occurs while importing the     Commercial IP Security Option (CIPSO) protocol's     category bitmap into the SELinux extensible bitmap via     the' ebitmap_netlbl_import' routine. While processing     the CIPSO restricted bitmap tag in the     'cipso_v4_parsetag_rbm' routine, it sets the security     attribute to indicate that the category bitmap is     present, even if it has not been allocated. This issue     leads to a NULL pointer dereference issue while     importing the same category bitmap into SELinux. This     flaw allows a remote network user to crash the system     kernel, resulting in a denial of     service.(CVE-2020-10711)A flaw was found in the Linux     kernel's SELinux LSM hook implementation, where it     anticipated the skb would only contain a single Netlink     message. The hook incorrectly validated the first     Netlink message in the skb only, to allow or deny the     rest of the messages within the skb with the granted     permissions and without further processing. At this     time, there is no known ability for an attacker to     abuse this flaw.(CVE-2020-10751)A flaw was found in the     Linux Kernel in versions after 4.5-rc1 in the way     mremap handled DAX Huge Pages. This flaw allows a local     attacker with access to a DAX enabled storage to     escalate their privileges on the     system.(CVE-2020-10757)A logic bug flaw was found in     the Linux kernel's implementation of SSBD. A bug in the     logic handling allows an attacker with a local account     to disable SSBD protection during a context switch when     additional speculative execution mitigations are in     place. This issue was introduced when the per     task/process conditional STIPB switching was added on     top of the existing SSBD switching. The highest threat     from this vulnerability is to     confidentiality.(CVE-2020-10766)A flaw was found in the     Linux kernel's implementation of the Enhanced IBPB     (Indirect Branch Prediction Barrier). The IBPB     mitigation will be disabled when STIBP is not available     or when the Enhanced Indirect Branch Restricted     Speculation (IBRS) is available. This flaw allows a     local attacker to perform a Spectre V2 style attack     when this configuration is active. The highest threat     from this vulnerability is to     confidentiality.(CVE-2020-10767)A flaw was found in the     prctl() function, where it can be used to enable     indirect branch speculation after it has been disabled.
    This call incorrectly reports it as being 'force     disabled' when it is not and opens the system to     Spectre v2 attacks. The highest threat from this     vulnerability is to confidentiality.(CVE-2020-10768)A     flaw was found in the ZRAM kernel module, where a user     with a local account and the ability to read the     /sys/class/zram-control/hot_add file can create ZRAM     device nodes in the /dev/ directory. This read     allocates kernel memory and is not accounted for a user     that triggers the creation of that ZRAM device. With     this vulnerability, continually reading the device may     consume a large amount of system memory and cause the     Out-of-Memory (OOM) killer to activate and terminate     random userspace processes, possibly making the system     inoperable.(CVE-2020-10781)A stack buffer overflow     issue was found in the get_raw_socket() routine of the     Host kernel accelerator for virtio net (vhost-net)     driver. It could occur while doing an     ictol(VHOST_NET_SET_BACKEND) call, and retrieving     socket name in a kernel stack variable via     get_raw_socket(). A user able to perform ioctl(2) calls     on the '/dev/vhost-net' device may use this flaw to     crash the kernel resulting in DoS     issue.(CVE-2020-10942)A flaw was found in the Linux     kernel's implementation of the pivot_root syscall. This     flaw allows a local privileged user (root outside or     root inside a privileged container) to exploit a race     condition to manipulate the reference count of the root     filesystem. To be able to abuse this flaw, the process     or user calling pivot_root must have advanced     permissions. The highest threat from this vulnerability     is to system availability.(CVE-2020-12114)A     use-after-free flaw was found in usb_sg_cancel in     drivers/usb/core/message.c in the USB core subsystem.
    This flaw allows a local attacker with a special user     or root privileges to crash the system due to a race     problem in the scatter-gather cancellation and transfer     completion in usb_sg_wait. This vulnerability can also     lead to a leak of internal kernel     information.(CVE-2020-12464)A memory overflow and data     corruption flaw were found in the Mediatek MT76 driver     module for WiFi in mt76_add_fragment in     drivers/net/wireless/mediatek/mt76/dma.c. An oversized     packet with too many rx fragments causes an overflow     and corruption in memory of adjacent pages. A local     attacker with a special user or root privileges can     cause a denial of service or a leak of internal kernel     information.(CVE-2020-12465)A vulnerability was found     in __mptctl_ioctl in drivers/message/fusion/mptctl.c in     Fusion MPT base driver 'mptctl' in the SCSI device     module, where an incorrect lock leads to a race     problem. This flaw allows an attacker with local access     and special user (or root) privileges to cause a denial     of service.(CVE-2020-12652)A flaw was found in the way     the mwifiex_cmd_append_vsie_tlv() in Linux kernel's     Marvell WiFi-Ex driver handled vendor specific     information elements. A local user could use this flaw     to escalate their privileges on the     system.(CVE-2020-12653)A flaw was found in the Linux     kernel. The Marvell mwifiex driver allows a remote WiFi     access point to trigger a heap-based memory buffer     overflow due to an incorrect memcpy operation. The     highest threat from this vulnerability is to data     integrity and system availability.(CVE-2020-12654)A     flaw was discovered in the XFS source in the Linux     kernel. This flaw allows an attacker with the ability     to mount an XFS filesystem, to trigger a denial of     service while attempting to sync a file located on an     XFS v5 image with crafted metadata.(CVE-2020-12655)An     out-of-bounds (OOB) memory access flaw was found in the     Network XDP (the eXpress Data Path) module in the Linux     kernel's xdp_umem_reg function in net/xdp/xdp_umem.c.
    When a user with special user privilege of     CAP_NET_ADMIN (or root) calls setsockopt to register     umem ring on XDP socket, passing the headroom value     larger than the available space in the chunk, it leads     to an out-of-bounds write, causing panic or possible     memory corruption. This flaw may lead to privilege     escalation if a local end-user is granted permission to     influence the execution of code in this     manner.(CVE-2020-12659)A vulnerability was found in     sg_write in drivers/scsi/sg.c in the SCSI generic (sg)     driver subsystem. This flaw allows an attacker with     local access and special user or root privileges to     cause a denial of service if the allocated list is not     cleaned with an invalid (Sg_fd * sfp) pointer at the     time of failure, also possibly causing a kernel     internal information leak problem.(CVE-2020-12770)An     issue was discovered in the Linux kernel through     5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c     has a deadlock if a coalescing operation     fails.(CVE-2020-12771)A flaw was found in the Linux     kernel loose validation of child/parent process     identification handling while filtering signal     handlers. A local attacker is able to abuse this flaw     to bypass checks to send any signal to a privileged     process.(CVE-2020-12826)A flaw was found in the Linux     kernel, where it allows userspace processes, for     example, a guest VM, to directly access h/w devices via     its VFIO driver modules. The VFIO modules allow users     to enable or disable access to the devices' MMIO memory     address spaces. If a user attempts to access the     read/write devices' MMIO address space when it is     disabled, some h/w devices issue an interrupt to the     CPU to indicate a fatal error condition, crashing the     system. This flaw allows a guest user or process to     crash the host system resulting in a denial of     service.(CVE-2020-12888)gadget_dev_desc_UDC_store in     drivers/usb/gadget/configfs.c in the Linux kernel     through 5.6.13 relies on kstrdup without considering     the possibility of an internal '\0' value, which allows     attackers to trigger an out-of-bounds read, aka     CID-15753588bcd4.(CVE-2020-13143)** DISPUTED ** An     issue was discovered in the Linux kernel through 5.7.1.
    drivers/tty/vt/keyboard.c has an integer overflow if     k_ascii is called several times in a row, aka     CID-b86dab054059. NOTE: Members in the community argue     that the integer overflow does not lead to a security     issue in this case.(CVE-2020-13974)A use-after-free     flaw was found in slcan_write_wakeup in     drivers/net/can/slcan.c in the serial CAN module slcan.
    A race condition occurs when communicating with can     using slcan between the write (scheduling the transmit)     and closing (flushing out any pending queues) the SLCAN     channel. This flaw allows a local attacker with special     user or root privileges to cause a denial of service or     a kernel information leak. The highest threat from this     vulnerability is to system     availability.(CVE-2020-14416)In the Linux kernel     through 5.7.6, usbtest_disconnect in     drivers/usb/misc/usbtest.c has a memory leak, aka     CID-28ebeb8db770.(CVE-2020-15393)The Linux kernel     through 5.7.11 allows remote attackers to make     observations that help to obtain sensitive information     about the internal state of the network RNG, aka     CID-f227e3ec3b5c. This is related to     drivers/char/random.c and     kernel/time/timer.c.(CVE-2020-16166)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - In calc_vm_may_flags of ashmem.c, there is a possible     arbitrary write to shared memory due to a permissions     bypass. This could lead to local escalation of     privilege by corrupting memory shared between     processes, with no additional execution privileges     needed. User interaction is not needed for     exploitation. Product: Android Versions: Android kernel     Android ID: A-142938932(CVE-2020-0009)

  - A flaw was found in the Linux Kernel in versions after     4.5-rc1 in the way mremap handled DAX Huge Pages. This     flaw allows a local attacker with access to a DAX     enabled storage to escalate their privileges on the     system.(CVE-2020-10757)

  - go7007_snd_init in     drivers/media/usb/go7007/snd-go7007.c in the Linux     kernel before 5.6 does not call snd_card_free for a     failure path, which causes a memory leak, aka     CID-9453264ef586.(CVE-2019-20810)

  - In the Android kernel in F2FS driver there is a     possible out of bounds read due to a missing bounds     check. This could lead to local information disclosure     with system execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2019-9445)

  - A flaw was found in the Linux kernels SELinux LSM hook     implementation before version 5.7, where it incorrectly     assumed that an skb would only contain a single netlink     message. The hook would incorrectly only validate the     first netlink message in the skb and allow or deny the     rest of the messages within the skb with the granted     permission without further processing.(CVE-2020-10751)

  - An issue was discovered in the Linux kernel before     5.4.7. The prb_calc_retire_blk_tmo() function in     net/packet/af_packet.c can result in a denial of     service (CPU consumption and soft lockup) in a certain     failure case involving TPACKET_V3, aka     CID-b43d1f9f7067.(CVE-2019-20812)

  - ** DISPUTED ** An issue was discovered in the Linux     kernel through 5.7.1. drivers/tty/vt/keyboard.c has an     integer overflow if k_ascii is called several times in     a row, aka CID-b86dab054059. NOTE: Members in the     community argue that the integer overflow does not lead     to a security issue in this case.(CVE-2020-13974)

  - An issue was discovered in the Linux kernel before     5.0.6. In rx_queue_add_kobject() and     netdev_queue_add_kobject() in net/core/net-sysfs.c, a     reference count is mishandled, aka     CID-a3e23f719f5c.(CVE-2019-20811)

  - A flaw was found in the prctl() function, where it can     be used to enable indirect branch speculation after it     has been disabled. This call incorrectly reports it as     being 'force disabled' when it is not and opens the     system to Spectre v2 attacks. The highest threat from     this vulnerability is to     confidentiality.(CVE-2020-10768)

  - A flaw was found in the Linux kernel's implementation     of the Enhanced IBPB (Indirect Branch Prediction     Barrier). The IBPB mitigation will be disabled when     STIBP is not available or when the Enhanced Indirect     Branch Restricted Speculation (IBRS) is available. This     flaw allows a local attacker to perform a Spectre V2     style attack when this configuration is active. The     highest threat from this vulnerability is to     confidentiality.(CVE-2020-10767)

  - A logic bug flaw was found in the Linux kernel's     implementation of SSBD. A bug in the logic handling     allows an attacker with a local account to disable SSBD     protection during a context switch when additional     speculative execution mitigations are in place. This     issue was introduced when the per task/process     conditional STIPB switching was added on top of the     existing SSBD switching. The highest threat from this     vulnerability is to confidentiality.(CVE-2020-10766)

  - A new domain bypass transient execution attack known as     Special Register Buffer Data Sampling (SRBDS) has been     found. This flaw allows data values from special     internal registers to be leaked by an attacker able to     execute code on any core of the CPU. An unprivileged,     local attacker can use this flaw to infer values     returned by affected instructions known to be commonly     used during cryptographic operations that rely on     uniqueness, secrecy, or both.(CVE-2020-0543)

  - In the Linux kernel before 5.4.16, a race condition in     tty->disc_data handling in the slip and slcan line     discipline could lead to a use-after-free, aka     CID-0ace17d56824. This affects drivers/net/slip/slip.c     and drivers/net/can/slcan.c.(CVE-2020-14416)

  - The flow_dissector feature in the Linux kernel 4.3     through 5.x before 5.3.10 has a device tracking     vulnerability, aka CID-55667441c84f. This occurs     because the auto flowlabel of a UDP IPv6 packet relies     on a 32-bit hashrnd value as a secret, and because     jhash (instead of siphash) is used. The hashrnd value     remains the same starting from boot time, and can be     inferred by an attacker. This affects     net/core/flow_dissector.c and related     code.(CVE-2019-18282)

  - The VFIO PCI driver in the Linux kernel through 5.6.13     mishandles attempts to access disabled memory     space.(CVE-2020-12888)

  - In the Linux kernel through 5.7.6, usbtest_disconnect     in drivers/usb/misc/usbtest.c has a memory leak, aka     CID-28ebeb8db770.(CVE-2020-15393)

  - A flaw was found in the ZRAM kernel module, where a     user with a local account and the ability to read the     /sys/class/zram-control/hot_add file can create ZRAM     device nodes in the /dev/ directory. This read     allocates kernel memory and is not accounted for a user     that triggers the creation of that ZRAM device. With     this vulnerability, continually reading the device may     consume a large amount of system memory and cause the     Out-of-Memory (OOM) killer to activate and terminate     random userspace processes, possibly making the system     inoperable.(CVE-2020-10781)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-10135: Legacy pairing and secure-connections pairing authentication in Bluetooth may have allowed an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key (bnc#1171988).

CVE-2020-10711: A NULL pointer dereference flaw was found in the SELinux subsystem. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. This flaw allowed a remote network user to crash the system kernel, resulting in a denial of service (bnc#1171191).

CVE-2020-10751: A flaw was found in the SELinux LSM hook implementation, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing (bnc#1171189).

CVE-2019-20812: An issue was discovered in the prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067 (bnc#1172453).

CVE-2020-10732: A flaw was found in the implementation of userspace core dumps. This flaw allowed an attacker with a local account to crash a trivial program and exfiltrate private kernel data (bnc#1171220).

CVE-2020-0305: In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1174462).

CVE-2020-12771: btree_gc_coalesce in drivers/md/bcache/btree.c had a deadlock if a coalescing operation fails (bnc#1171732).

CVE-2020-10773: A kernel stack information leak on s390/s390x was fixed (bnc#1172999).

CVE-2020-14416: A race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002).

CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if k_ascii is called several times in a row, aka CID-b86dab054059.
(bnc#1172775).

CVE-2019-20810: go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel did not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586 (bnc#1172458).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-10135: Legacy pairing and secure-connections pairing authentication in Bluetooth may have allowed an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key (bnc#1171988).

CVE-2020-10711: A NULL pointer dereference flaw was found in the SELinux subsystem. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. This flaw allowed a remote network user to crash the system kernel, resulting in a denial of service (bnc#1171191).

CVE-2020-10751: A flaw was found in the SELinux LSM hook implementation, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing (bnc#1171189).

CVE-2019-20812: An issue was discovered in the prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067 (bnc#1172453).

CVE-2020-10732: A flaw was found in the implementation of userspace core dumps. This flaw allowed an attacker with a local account to crash a trivial program and exfiltrate private kernel data (bnc#1171220).

CVE-2020-0305: In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1174462).

CVE-2020-12771: btree_gc_coalesce in drivers/md/bcache/btree.c had a deadlock if a coalescing operation fails (bnc#1171732).

CVE-2020-10773: A kernel stack information leak on s390/s390x was fixed (bnc#1172999).

CVE-2020-14416: A race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002).

CVE-2020-10768: Indirect branch speculation could have been enabled after it was force-disabled by the PR_SPEC_FORCE_DISABLE prctl command. (bnc#1172783).

CVE-2020-10766: Fixed Rogue cross-process SSBD shutdown, where a Linux scheduler logical bug allows an attacker to turn off the SSBD protection. (bnc#1172781).

CVE-2020-10767: Indirect Branch Prediction Barrier was force-disabled when STIBP is unavailable or enhanced IBRS is available.
(bnc#1172782).

CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if k_ascii is called several times in a row, aka CID-b86dab054059.
(bnc#1172775).

CVE-2019-20810: go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel did not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586 (bnc#1172458).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2019-19462: relay_open in kernel/relay.c in the Linux kernel allowed local users to cause a denial of service (such as relay blockage) by triggering a NULL alloc_percpu result (bnc#1158265).

CVE-2019-20810: Fixed a memory leak in go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c because it did not call snd_card_free for a failure path (bnc#1172458).

CVE-2019-20812: An issue was discovered in the prb_calc_retire_blk_tmo() function in net/packet/af_packet.c could result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3 (bnc#1172453).

CVE-2020-0305: In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1174462).

CVE-2020-10135: Legacy pairing and secure-connections pairing authentication in Bluetooth&Acirc;&reg; BR/EDR Core Specification v5.2 and earlier may have allowed an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key (bnc#1171988).

CVE-2020-10711: A NULL pointer dereference flaw was found in the SELinux subsystem in versions This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine.
This flaw allowed a remote network user to crash the system kernel, resulting in a denial of service (bnc#1171191).

CVE-2020-10732: A flaw was found in the implementation of Userspace core dumps. This flaw allowed an attacker with a local account to crash a trivial program and exfiltrate private kernel data (bnc#1171220).

CVE-2020-10751: A flaw was found in the SELinux LSM hook implementation, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing (bnc#1171189).

CVE-2020-10766: Fixed an issue which allowed an attacker with a local account to disable SSBD protection (bnc#1172781).

CVE-2020-10767: Fixed an issue where Indirect Branch Prediction Barrier was disabled in certain circumstances, leaving the system open to a spectre v2 style attack (bnc#1172782).

CVE-2020-10768: Fixed an issue with the prctl() function, where indirect branch speculation could be enabled even though it was diabled before (bnc#1172783).

CVE-2020-10773: Fixed a memory leak on s390/s390x, in the cmm_timeout_hander in file arch/s390/mm/cmm.c (bnc#1172999).

CVE-2020-10781: A zram sysfs resource consumption was fixed (bnc#1173074).

CVE-2020-12656: Fixed a memory leak in gss_mech_free in the rpcsec_gss_krb5 implementation, caused by a lack of certain domain_release calls (bnc#1171219).

CVE-2020-12769: An issue was discovered in drivers/spi/spi-dw.c allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bnc#1171983).

CVE-2020-12771: An issue was discovered in btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails (bnc#1171732).

CVE-2020-12888: The VFIO PCI driver mishandled attempts to access disabled memory space (bnc#1171868).

CVE-2020-13143: gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c relies on kstrdup without considering the possibility of an internal '\0' value, which allowed attackers to trigger an out-of-bounds read (bnc#1171982).

CVE-2020-13974: Fixed a integer overflow in drivers/tty/vt/keyboard.c, if k_ascii is called several times in a row (bnc#1172775).

CVE-2020-14416: Fixed a race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free.
This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002).

CVE-2020-15393: Fixed a memory leak in usbtest_disconnect (bnc#1173514).

CVE-2020-15780: An issue was discovered in drivers/acpi/acpi_configfs.c where injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30 (bnc#1173573).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):An issue was discovered in     the Linux kernel before 5.2. There is a NULL pointer     dereference in tw5864_handle_frame() in     drivers/media/pci/tw5864/tw5864-video.c, which may     cause denial of service, aka     CID-2e7682ebfc75.(CVE-2019-20806)A flaw was found in     the ZRAM kernel module, where a user with a local     account and the ability to read the     /sys/class/zram-control/hot_add file can create ZRAM     device nodes in the /dev/ directory. This read     allocates kernel memory and is not accounted for a user     that triggers the creation of that ZRAM device. With     this vulnerability, continually reading the device may     consume a large amount of system memory and cause the     Out-of-Memory (OOM) killer to activate and terminate     random userspace processes, possibly making the system     inoperable.(CVE-2020-10781)In the Linux kernel before     5.4.16, a race condition in tty->disc_data handling in     the slip and slcan line discipline could lead to a     use-after-free, aka CID-0ace17d56824. This affects     drivers/ net/slip/slip.c and drivers/     net/can/slcan.c.(CVE-2020-14416)The VFIO PCI driver in     the Linux kernel through 5.6.13 mishandles attempts to     access disabled memory space.(CVE-2020-12888)The     flow_dissector feature in the Linux kernel 4.3 through     5.x before 5.3.10 has a device tracking vulnerability,     aka CID-55667441c84f. This occurs because the auto     flowlabel of a UDP IPv6 packet relies on a 32-bit     hashrnd value as a secret, and because jhash (instead     of siphash) is used. The hashrnd value remains the same     starting from boot time, and can be inferred by an     attacker. This affects net/core/flow_dissector.c and     related code.(CVE-2019-18282)In the Linux kernel     through 5.7.6, usbtest_disconnect in     drivers/usb/misc/usbtest.c has a memory leak, aka     CID-28ebeb8db770.(CVE-2020-15393)An issue was     discovered in the Linux kernel before 5.0.6. In     rx_queue_add_kobject() and netdev_queue_add_kobject()     in net/core/ net-sysfs.c, a reference count is     mishandled, aka CID-a3e23f719f5c.(CVE-2019-20811)A flaw     was found in the Linux kernels SELinux LSM hook     implementation before version 5.7, where it incorrectly     assumed that an skb would only contain a single netlink     message. The hook would incorrectly only validate the     first netlink message in the skb and allow or deny the     rest of the messages within the skb with the granted     permission without further     processing.(CVE-2020-10751)In the Android kernel in     F2FS driver there is a possible out of bounds read due     to a missing bounds check. This could lead to local     information disclosure with system execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2019-9445)A flaw was found in the     Linux kernel's implementation of Userspace core dumps.
    This flaw allows an attacker with a local account to     crash a trivial program and exfiltrate private kernel     data.(CVE-2020-10732)go7007_snd_init in     drivers/media/usb/go7007/snd-go7007.c in the Linux     kernel before 5.6 does not call snd_card_free for a     failure path, which causes a memory leak, aka     CID-9453264ef586.(CVE-2019-20810)Legacy pairing and     secure-connections pairing authentication in Bluetooth(r)     BR/EDR Core Specification v5.2 and earlier may allow an     unauthenticated user to complete authentication without     pairing credentials via adjacent access. An     unauthenticated, adjacent attacker could impersonate a     Bluetooth BR/EDR master or slave to pair with a     previously paired remote device to successfully     complete the authentication procedure without knowing     the link key.(CVE-2020-10135)An issue was discovered in     the Linux kernel before 5.4.7. The     prb_calc_retire_blk_tmo() function in     net/packet/af_packet.c can result in a denial of     service (CPU consumption and soft lockup) in a certain     failure case involving TPACKET_V3, aka     CID-b43d1f9f7067.(CVE-2019-20812)An issue was     discovered in the Linux kernel through 5.7.1.
    drivers/tty/vt/keyboard.c has an integer overflow if     k_ascii is called several times in a row, aka     CID-b86dab054059. NOTE: Members in the community argue     that the integer overflow does not lead to a security     issue in this case.(CVE-2020-13974)In calc_vm_may_flags     of ashmem.c, there is a possible arbitrary write to     shared memory due to a permissions bypass. This could     lead to local escalation of privilege by corrupting     memory shared between processes, with no additional     execution privileges needed. User interaction is not     needed for exploitation. Product: Android Versions:
    Android kernel Android ID: A-142938932(CVE-2020-0009)A     flaw was found in the Linux Kernel in versions after     4.5-rc1 in the way mremap handled DAX Huge Pages. This     flaw allows a local attacker with access to a DAX     enabled storage to escalate their privileges on the     system.(CVE-2020-10757)gadget_dev_desc_UDC_store in     drivers/usb/gadget/configfs.c in the Linux kernel     through 5.6.13 relies on kstrdup without considering     the possibility of an internal '\0' value, which allows     attackers to trigger an out-of-bounds read, aka     CID-15753588bcd4.(CVE-2020-13143)Incomplete cleanup     from specific special register read operations in some     Intel(R) Processors may allow an authenticated user to     potentially enable information disclosure via local     access.(CVE-2020-0543)A flaw was found in the prctl()     function, where it can be used to enable indirect     branch speculation after it has been disabled. This     call incorrectly reports it as being 'force disabled'     when it is not and opens the system to Spectre v2     attacks. The highest threat from this vulnerability is     to confidentiality.(CVE-2020-10768)A flaw was found in     the Linux kernel's implementation of the Enhanced IBPB     (Indirect Branch Prediction Barrier). The IBPB     mitigation will be disabled when STIBP is not available     or when the Enhanced Indirect Branch Restricted     Speculation (IBRS) is available. This flaw allows a     local attacker to perform a Spectre V2 style attack     when this configuration is active. The highest threat     from this vulnerability is to     confidentiality.(CVE-2020-10767)A logic bug flaw was     found in the Linux kernel's implementation of SSBD. A     bug in the logic handling allows an attacker with a     local account to disable SSBD protection during a     context switch when additional speculative execution     mitigations are in place. This issue was introduced     when the per task/process conditional STIPB switching     was added on top of the existing SSBD switching. The     highest threat from this vulnerability is to     confidentiality.(CVE-2020-10766)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 kernel was updated receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).

CVE-2020-9383: Fixed an out-of-bounds read due to improper error condition check of FDC index (bsc#1165111).

CVE-2020-8992: Fixed an issue which could have allowed attackers to cause a soft lockup via a crafted journal size (bsc#1164069).

CVE-2020-8834: Fixed a stack corruption which could have lead to kernel panic (bsc#1168276).

CVE-2020-8649: Fixed a use-after-free in the vgacon_invert_region function in drivers/video/console/vgacon.c (bsc#1162931).

CVE-2020-8648: Fixed a use-after-free in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bsc#1162928).

CVE-2020-8647: Fixed a use-after-free in the vc_do_resize function in drivers/tty/vt/vt.c (bsc#1162929).

CVE-2020-8428: Fixed a use-after-free which could have allowed local users to cause a denial of service (bsc#1162109).

CVE-2020-7053: Fixed a use-after-free in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c (bsc#1160966).

CVE-2020-2732: Fixed an issue affecting Intel CPUs where an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources (bsc#1163971).

CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).

CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).

CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205).

CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).

CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).

CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).

CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).

CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).

CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).

CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).

CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).

CVE-2020-11609: Fixed a NULL pointer dereference due to improper handling of descriptors (bsc#1168854).

CVE-2020-11608: Fixed a NULL pointer dereferences via a crafted USB (bsc#1168829).

CVE-2020-11494: Fixed an issue which could have allowed attackers to read uninitialized can_frame data (bsc#1168424).

CVE-2020-10942: Fixed a kernel stack corruption via crafted system calls (bsc#1167629).

CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).

CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).

CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).

CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).

CVE-2020-10711: Fixed a NULL pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).

CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).

CVE-2019-9458: Fixed a use after free due to a race condition which could have led to privilege escalation of privilege (bsc#1168295).

CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).

CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bsc#1120386).

CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).

CVE-2019-20810: Fixed a memory leak in due to not calling of snd_card_free (bsc#1172458).

CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which could have caused denial of service (bsc#1159908).

CVE-2019-20095: Fixed an improper error-handling cases that did not free allocated hostcmd memory which was causing memory leak (bsc#1159909).

CVE-2019-20054: Fixed a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bsc#1159910).

CVE-2019-19966: Fixed a use-after-free in cpia2_exit() which could have caused denial of service (bsc#1159841).

CVE-2019-19965: Fixed a NULL pointer dereference, due to mishandling of port disconnection during discovery (bsc#1159911).

CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).

CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bsc#1159285).

CVE-2019-19462: Fixed an issue which could have allowed local user to cause denial of service (bsc#1158265).

CVE-2019-19447: Fixed a user after free via a crafted ext4 filesystem image (bsc#1158819).

CVE-2019-19319: Fixed a user after free when a large old_size value is used in a memset call (bsc#1158021).

CVE-2019-19318: Fixed a use after free via a crafted btrfs image (bsc#1158026).

CVE-2019-19054: Fixed a memory leak in the cx23888_ir_probe() which could have allowed attackers to cause a denial of service (bsc#1161518).

CVE-2019-19045: Fixed a memory leak in which could have allowed attackers to cause a denial of service (bsc#1161522).

CVE-2019-19036: Fixed a NULL pointer dereference in btrfs_root_node (bsc#1157692).

CVE-2019-16994: Fixed a memory leak which might have caused denial of service (bsc#1161523).

CVE-2019-14897: Fixed a stack overflow in Marvell Wifi Driver (bsc#1157155).

CVE-2019-14896: Fixed a heap overflow in Marvell Wifi Driver (bsc#1157157).

CVE-2019-14615: Fixed an improper control flow in certain data structures which could have led to information disclosure (bsc#1160195).

CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).

CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).

CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).

CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736).

CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205).

CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).

CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).

CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).

CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).

CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).

CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).

CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).

CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).

CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).

CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).

CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).

CVE-2020-10711: Fixed a NULL pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).

CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).

CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).

CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).

CVE-2019-20806: Fixed a NULL pointer dereference which may had lead to denial of service (bsc#1172199).

CVE-2019-19462: Fixed an issue which could have allowed local user to cause denial of service (bsc#1158265).

CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).

CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).

CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).

CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736).

CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205).

CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).

CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).

CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).

CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).

CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).

CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).

CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).

CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).

CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).

CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).

CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).

CVE-2020-10711: Fixed a NULL pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).

CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).

CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).

CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).

CVE-2019-20806: Fixed a NULL pointer dereference which may had lead to denial of service (bsc#1172199).

CVE-2019-19462: Fixed an issue which could have allowed local user to cause denial of service (bsc#1158265).

CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).

CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).

CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).

CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736).

CVE-2020-12659: Fixed an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) due to improper headroom validation (bsc#1171214).

CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205).

CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).

CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).

CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).

CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).

CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).

CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).

CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).

CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).

CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).

CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).

CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).

CVE-2020-10711: Fixed a NULL pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).

CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).

CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).

CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).

CVE-2019-20806: Fixed a NULL pointer dereference which may had lead to denial of service (bsc#1172199).

CVE-2019-19462: Fixed an issue which could have allowed local user to cause denial of service (bsc#1158265).

CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).

CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).

CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).

CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736).

CVE-2020-12659: Fixed an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) due to improper headroom validation (bsc#1171214).

CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205).

CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).

CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).

CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).

CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).

CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).

CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).

CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).

CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).

CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).

CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).

CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).

CVE-2020-10711: Fixed a NULL pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).

CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).

CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).

CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).

CVE-2019-20806: Fixed a NULL pointer dereference which may had lead to denial of service (bsc#1172199).

CVE-2019-19462: Fixed an issue which could have allowed local user to cause denial of service (bsc#1158265).

CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).

CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).

CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).

CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736).

CVE-2020-12659: Fixed an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) due to improper headroom validation (bsc#1171214).

CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205).

CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).

CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).

CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).

CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).

CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).

CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).

CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).

CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).

CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).

CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).

CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).

CVE-2020-10711: Fixed a NULL pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).

CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).

CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).

CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).

CVE-2019-20806: Fixed a NULL pointer dereference which may had lead to denial of service (bsc#1172199).

CVE-2019-19462: Fixed an issue which could have allowed local user to cause denial of service (bsc#1158265).

CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
146282	openSUSE Security Update : RT kernel (openSUSE-2021-242)	Nessus	SuSE Local Security Checks	high
142240	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2020-2353)	Nessus	Huawei Local Security Checks	high
141697	EulerOS Virtualization 3.0.2.2 : kernel (EulerOS-SA-2020-2222)	Nessus	Huawei Local Security Checks	high
141374	OracleVM 3.4 : Unbreakable / etc (OVMSA-2020-0044)	Nessus	OracleVM Local Security Checks	critical
141207	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5866)	Nessus	Oracle Linux Local Security Checks	critical
140917	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2020-2150)	Nessus	Huawei Local Security Checks	high
140499	Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2020-5845)	Nessus	Oracle Linux Local Security Checks	high
140496	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5841)	Nessus	Oracle Linux Local Security Checks	high
140378	SUSE SLES15 Security Update : kernel (SUSE-SU-2020:2487-1)	Nessus	SuSE Local Security Checks	high
140328	EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2020-1958)	Nessus	Huawei Local Security Checks	high
139995	EulerOS Virtualization for ARM 64 3.0.6.0 : kernel (EulerOS-SA-2020-1892)	Nessus	Huawei Local Security Checks	high
139408	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:2152-1)	Nessus	SuSE Local Security Checks	high
139364	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:2134-1)	Nessus	SuSE Local Security Checks	high
139308	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2020:2105-1)	Nessus	SuSE Local Security Checks	high
139137	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1807)	Nessus	Huawei Local Security Checks	high
138727	openSUSE Security Update : the Linux Kernel (openSUSE-2020-935)	Nessus	SuSE Local Security Checks	high
138679	openSUSE Security Update : the Linux Kernel (openSUSE-2020-801)	Nessus	SuSE Local Security Checks	high
138272	SUSE SLES15 Security Update : kernel (SUSE-SU-2020:1663-1)	Nessus	SuSE Local Security Checks	critical
137617	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:1605-1)	Nessus	SuSE Local Security Checks	high
137616	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:1603-1)	Nessus	SuSE Local Security Checks	high
137615	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:1602-1)	Nessus	SuSE Local Security Checks	high
137613	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2020:1599-1)	Nessus	SuSE Local Security Checks	high
137608	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:1587-1)	Nessus	SuSE Local Security Checks	high

CVE-2019-20812

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

critical

critical

high

high

high

high

high

high

high

high

high

high

high

high

critical

high

high

high

high

high