https://source.android.com/security/bulletin/2020-12-01

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9164 advisory.

  - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI     subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the     pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)

  - An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)

  - An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a     Netlink message. (CVE-2021-27365)

  - In audit_free_lsm_field of auditfilter.c, there is a possible bad kfree due to a logic error in     audit_data_to_entry. This could lead to local escalation of privilege with no additional execution     privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-150693166References: Upstream kernel (CVE-2020-0444)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A locking inconsistency issue was discovered in the tty     subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may     allow a read-after-free attack against TIOCGSID, aka     CID-c8bcd9c5be24.(CVE-2020-29660)

  - A locking vulnerability was found in the tty subsystem     of the Linux kernel in drivers/tty/tty_jobctrl.c. This     flaw allows a local attacker to possibly corrupt memory     or escalate privileges. The highest threat from this     vulnerability is to confidentiality, integrity, as well     as system availability.(CVE-2020-29661)

  - The Linux kernel is the kernel used by the open source     operating system Linux released by the Linux     Foundation. The Linux kernel con_font_op() has a code     problem vulnerability, which can force the use of freed     memory, resulting in denial of service or execution of     custom code.(CVE-2020-25668 CVE-2020-4788     CVE-2020-27830)

  - A flaw was found in the Linux kernel's implementation     of MIDI, where an attacker with a local account and the     permissions to issue ioctl commands to midi devices     could trigger a use-after-free issue. A write to this     specific memory while freed and before use causes the     flow of execution to change and possibly allow for     memory corruption or privilege escalation. The highest     threat from this vulnerability is to confidentiality,     integrity, as well as system (CVE-2020-27786)

  - In various methods of hid-multitouch.c, there is a     possible out of bounds write due to a missing bounds     check. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-162844689References: Upstream kernel(CVE-2020-0465)

  - In the nl80211_policy policy of nl80211.c, there is a     possible out of bounds read due to a missing bounds     check. This could lead to local information disclosure     with System execution privileges needed. User     interaction is not required for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-119770583(CVE-2020-27068)

  - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c,     there is a possible use after free due to a logic     error. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-147802478References: Upstream kernel(CVE-2020-0466)

  - In audit_free_lsm_field of auditfilter.c, there is a     possible bad kfree due to a logic error in     audit_data_to_entry. This could lead to local     escalation of privilege with no additional execution     privileges needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-150693166References: Upstream     kernel(CVE-2020-0444)

  - No description is available for this     CVE.(CVE-2020-27815)

  - A flaw was found in the Linux kernel. The marvell wifi     driver could allow a local attacker to execute     arbitrary code via a long SSID value in     mwifiex_cmd_802_11_ad_hoc_start function. The highest     threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-36158)

  - In create_pinctrl of core.c, there is a possible out of     bounds read due to a use after free. This could lead to     local information disclosure with no additional     execution privileges needed. User interaction is not     needed for exploitation.Product: AndroidVersions:
    Android kernelAndroid ID: A-140550171(CVE-2020-0427)

  - In binder_release_work of binder.c, there is a possible     use-after-free due to improper locking. This could lead     to local escalation of privilege in the kernel with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-161151868References: N/A(CVE-2020-0423)

  - In drivers/target/target_core_xcopy.c in the Linux     kernel before 5.10.7, insufficient identifier checking     in the LIO SCSI target code can be used by remote     attackers to read or write files via directory     traversal in an XCOPY request, aka CID-2896c93811e3.
    For example, an attack can occur over a network if the     attacker has access to one iSCSI LUN. The attacker     gains control over file access because I/O operations     are proxied via an attacker-selected     backstore.(CVE-2020-28374)

  - A flaw in the way reply ICMP packets are limited in the     Linux kernel functionality was found that allows to     quickly scan open UDP ports. This flaw allows an     off-path remote user to effectively bypassing source     port UDP randomization. The highest threat from this     vulnerability is to confidentiality and possibly     integrity, because software that relies on UDP source     port randomization are indirectly affected as well.
    Kernel versions before 5.10 may be vulnerable to this     issue.(CVE-2020-25705)

  - Insufficient access control in the Linux kernel driver     for some Intel(R) Processors may allow an authenticated     user to potentially enable information disclosure via     local access.(CVE-2020-8694)

  - A flaw was found in the Linux kernel's futex     implementation. This flaw allows a local attacker to     corrupt system memory or escalate their privileges when     creating a futex on a filesystem that is about to be     unmounted. The highest threat from this vulnerability     is to confidentiality, integrity, as well as system     availability.(CVE-2020-14381)

  - In tun_get_user of tun.c, there is possible memory     corruption due to a use after free. This could lead to     local escalation of privilege with System execution     privileges required. User interaction is not required     for exploitation. Product: Android Versions: Android     kernel Android ID: A-146554327.(CVE-2021-0342)

  - A flaw was found in the Linux kernel. A use-after-free     memory flaw in the Fast Userspace Mutexes functionality     allowing a local user to crash the system or escalate     their privileges on the system. The highest threat from     this vulnerability is to data confidentiality and     integrity as well as system     availability.(CVE-2021-3347)

  - A use after free flaw in the Linux kernel network block     device (NBD) subsystem was found in the way user calls     an ioctl NBD_SET_SOCK at a certain point during device     setup.(CVE-2021-3348)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c,     there is a possible use after free due to a logic     error. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-147802478References: Upstream kernel(CVE-2020-0466)

  - In the l2tp subsystem, there is a possible use after     free due to a race condition. This could lead to local     escalation of privilege with System execution     privileges needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-152409173(CVE-2020-27067)

  - In the nl80211_policy policy of nl80211.c, there is a     possible out of bounds read due to a missing bounds     check. This could lead to local information disclosure     with System execution privileges needed. User     interaction is not required for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-119770583(CVE-2020-27068)

  - In audit_free_lsm_field of auditfilter.c, there is a     possible bad kfree due to a logic error in     audit_data_to_entry. This could lead to local     escalation of privilege with no additional execution     privileges needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-150693166References: Upstream     kernel(CVE-2020-0444)

  - In various methods of hid-multitouch.c, there is a     possible out of bounds write due to a missing bounds     check. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-162844689References: Upstream kernel(CVE-2020-0465)

  - Use-after-free vulnerability in fs/block_dev.c in the     Linux kernel before 5.8 allows local users to gain     privileges or cause a denial of service by leveraging     improper access to a certain error     field.(CVE-2020-15436)

  - The Linux kernel before version 5.8 is vulnerable to a     NULL pointer dereference in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
    _ports() that allows local users to cause a denial of     service by using the p->serial_in pointer which     uninitialized.(CVE-2020-15437)

  - A flaw was found in the Linux kernels implementation of     MIDI, where an attacker with a local account and the     permissions to issue an ioctl commands to midi devices,     could trigger a use-after-free. A write to this     specific memory while freed and before use could cause     the flow of execution to change and possibly allow for     memory corruption or privilege     escalation.(CVE-2020-27786)

  - No description is available for this     CVE.(CVE-2020-27815)

  - NULL-ptr deref in the spk_ttyio_receive_buf2() function     in spk_ttyio.c(CVE-2020-27830)

  - An issue was discovered in __split_huge_pmd in     mm/huge_memory.c in the Linux kernel before 5.7.5. The     copy-on-write implementation can grant unintended write     access because of a race condition in a THP mapcount     check, aka CID-c444eb564fb1.(CVE-2020-29368)

  - An issue was discovered in kmem_cache_alloc_bulk in     mm/slub.c in the Linux kernel before 5.5.11. The     slowpath lacks the required TID increment, aka     CID-fd4d9c7d0c71.(CVE-2020-29370)

  - An issue was discovered in romfs_dev_read in     fs/romfs/storage.c in the Linux kernel before 5.8.4.
    Uninitialized memory leaks to userspace, aka     CID-bcf85fcedfdd.(CVE-2020-29371)

  - A locking inconsistency issue was discovered in the tty     subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may     allow a read-after-free attack against TIOCGSID, aka     CID-c8bcd9c5be24.(CVE-2020-29660)

  - A locking issue was discovered in the tty subsystem of     the Linux kernel through 5.9.13.
    drivers/tty/tty_jobctrl.c allows a use-after-free     attack against TIOCSPGRP, aka     CID-54ffccbf053b.(CVE-2020-29661)

  - A slab-out-of-bounds read in fbcon in the Linux kernel     before 5.9.7 could be used by local attackers to read     privileged information or potentially crash the kernel,     aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for     manipulations such as font height.(CVE-2020-28974)

  - An issue was discovered in the Linux kernel through     5.9.1, as used with Xen through 4.14.x. Guest OS users     can cause a denial of service (host OS hang) via a high     rate of events to dom0, aka     CID-e99502f76271.(CVE-2020-27673)

  - An issue was discovered in     drivers/accessibility/speakup/spk_ttyio.c in the Linux     kernel through 5.9.9. Local attackers on systems with     the speakup driver could cause a local denial of     service attack, aka CID-d41227544427. This occurs     because of an invalid free when the line discipline is     used more than once.(CVE-2020-28941)

  - An issue was discovered in the Linux kernel through     5.9.1, as used with Xen through 4.14.x.
    drivers/xen/events/events_base.c allows event-channel     removal during the event-handling loop (a race     condition). This can cause a use-after-free or NULL     pointer dereference, as demonstrated by a dom0 crash     via events for an in-reconfiguration paravirtualized     device, aka CID-073d0552ead5.(CVE-2020-27675)

  - A buffer over-read (at the framebuffer layer) in the     fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka     CID-6735b4632def.(CVE-2020-28915)

  - A flaw was found in the Linux kernel. A use-after-free     memory flaw was found in the perf subsystem allowing a     local attacker with permission to monitor perf events     to corrupt memory and possibly escalate privileges. The     highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-14351)

  - A flaw in the way reply ICMP packets are limited in the     Linux kernel functionality was found that allows to     quickly scan open UDP ports. This flaw allows an     off-path remote user to effectively bypassing source     port UDP randomization. The highest threat from this     vulnerability is to confidentiality and possibly     integrity, because software that relies on UDP source     port randomization are indirectly affected as well.
    Kernel versions before 5.10 may be vulnerable to this     issue.(CVE-2020-25705)

  - No description is available for this     CVE.(CVE-2020-25668)

  - No description is available for this     CVE.(CVE-2020-25669)

  - A flaw was found in the way RTAS handled memory     accesses in userspace to kernel communication. On a     locked down (usually due to Secure Boot) guest system     running on top of PowerVM or KVM hypervisors (pseries     platform) a root like local user could use this flaw to     further increase their privileges to that of a running     kernel.(CVE-2020-27777)

  - kernel: perf_event_parse_addr_filter     memory(CVE-2020-25704)

  - Insufficient access control in the Linux kernel driver     for some Intel(R) Processors may allow an authenticated     user to potentially enable information disclosure via     local access.(CVE-2020-8694)

  - A flaw was found in the Linux kernel. A use-after-free     was found in the way the console subsystem was using     ioctls KDGKBSENT and KDSKBSENT. A local user could use     this flaw to get read memory access out of bounds. The     highest threat from this vulnerability is to data     confidentiality.(CVE-2020-25656)

  - In kbd_keycode of keyboard.c, there is a possible out     of bounds write due to a missing bounds check. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-144161459(CVE-2020-0431)

  - A flaw was found in the HDLC_PPP module of the Linux     kernel in versions before 5.9-rc7. Memory corruption     and a read overflow is caused by improper input     validation in the ppp_cp_parse_cr function which can     cause the system to crash or cause a denial of service.
    The highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-25643)

  - A flaw was found in the Linux kernel in versions before     5.9-rc7. Traffic between two Geneve endpoints may be     unencrypted when IPsec is configured to encrypt traffic     for the specific UDP port used by the GENEVE tunnel     allowing anyone between the two endpoints to read the     traffic unencrypted. The main threat from this     vulnerability is to data     confidentiality.(CVE-2020-25645)

  - Vulnerability Summary for     CVE-2020-12351(CVE-2020-12351)

  - Vulnerability Summary for     CVE-2020-12352(CVE-2020-12352)

  - Vulnerability Summary for     CVE-2020-24490(CVE-2020-24490)

  - A missing CAP_NET_RAW check in NFC socket creation in     net/nfc/rawsock.c in the Linux kernel before 5.8.2     could be used by local attackers to create raw sockets,     bypassing security mechanisms, aka     CID-26896f01467a.(CVE-2020-26088)

  - A flaw was found in the Linux kernel's implementation     of biovecs in versions before 5.9-rc7. A zero-length     biovec request issued by the block subsystem could     cause the kernel to enter an infinite loop, causing a     denial of service. This flaw allows a local attacker     with basic privileges to issue requests to a block     device, resulting in a denial of service. The highest     threat from this vulnerability is to system     availability.(CVE-2020-25641)

  - In skb_to_mamac of networking.c, there is a possible     out of bounds write due to an integer overflow. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-143560807(CVE-2020-0432)

  - A race condition between hugetlb sysctl handlers in     mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL     pointer dereference, or possibly have unspecified other     impact, aka CID-17743798d812.(CVE-2020-25285)

  - A flaw was found in the Linux kernel in versions from     2.2.3 through 5.9.rc5. When changing screen size, an     out-of-bounds memory write can occur leading to memory     corruption or a denial of service. This highest threat     from this vulnerability is to system     availability.(CVE-2020-14390)

  - A flaw was found in the Linux kernel before 5.9-rc4.
    Memory corruption can be exploited to gain root     privileges from unprivileged processes. The highest     threat from this vulnerability is to data     confidentiality and integrity.(CVE-2020-14386)

  - Insufficient input validation in i40e driver for     Intel(R) Ethernet 700 Series Controllers versions     before 7.0 may allow an authenticated user to     potentially enable a denial of service via local     access.(CVE-2019-0147)

  - A TOCTOU mismatch in the NFS client code in the Linux     kernel before 5.8.3 could be used by local attackers to     corrupt memory or possibly have unspecified other     impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka     CID-b4487b935452.(CVE-2020-25212)

  - A flaw was found in the Linux kernel before 5.9-rc4. A     failure of the file system metadata validator in XFS     can cause an inode with a valid, user-creatable     extended attribute to be flagged as corrupt. This can     lead to the filesystem being shutdown, or otherwise     rendered inaccessible until it is remounted, leading to     a denial of service. The highest threat from this     vulnerability is to system     availability.(CVE-2020-14385)

  - In uvc_scan_chain_forward of uvc_driver.c, there is a     possible linked list corruption due to an unusual root     cause. This could lead to local escalation of privilege     in the kernel with no additional execution privileges     needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-111893654References: Upstream     kernel(CVE-2020-0404)

  - The rbd block device driver in drivers/block/rbd.c in     the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which     could be leveraged by local attackers to map or unmap     rbd block devices, aka     CID-f44d04e696fe.(CVE-2020-25284)

  - A memory out-of-bounds read flaw was found in the Linux     kernel before 5.9-rc2 with the ext3/ext4 file system,     in the way it accesses a directory with broken     indexing. This flaw allows a local user to crash the     system if the directory exists. The highest threat from     this vulnerability is to system     availability.(CVE-2020-14314)

  - A flaw null pointer dereference in the Linux kernel     cgroupv2 subsystem in versions before 5.7.10 was found     in the way when reboot the system. A local user could     use this flaw to crash the system or escalate their     privileges on the system.(CVE-2020-24394)

  - A flaw was found in the Linux kernel's implementation     of the invert video code on VGA consoles when a local     attacker attempts to resize the console, calling an     ioctl VT_RESIZE, which causes an out-of-bounds write to     occur. This flaw allows a local user with access to the     VGA console to crash the system, potentially escalating     their privileges on the system. The highest threat from     this vulnerability is to data confidentiality and     integrity as well as system     availability.(CVE-2020-14331)

  - The Linux kernel, as used in Red Hat Enterprise Linux     7, kernel-rt, and Enterprise MRG 2 and when booted with     UEFI Secure Boot enabled, allows local users to bypass     intended securelevel/secureboot restrictions by     leveraging improper handling of secure_boot flag across     kexec reboot.(CVE-2015-7837)

  - In the Linux kernel through 5.8.7, local attackers able     to inject conntrack netlink configuration could     overflow a local buffer, causing crashes or triggering     use of incorrect protocol numbers in     ctnetlink_parse_tuple_filter in     net/netfilter/nf_conntrack_netlink.c, aka     CID-1cc5ef91d2ff.(CVE-2020-25211)

  - A flaw null pointer dereference in the Linux kernel     cgroupv2 subsystem in versions before 5.7.10 was found     in the way when reboot the system. A local user could     use this flaw to crash the system or escalate their     privileges on the system.(CVE-2020-14356)

  - Buffer overflow in i40e driver for Intel(R) Ethernet     700 Series Controllers versions before 7.0 may allow an     authenticated user to potentially enable an escalation     of privilege via local access.(CVE-2019-0145)

  - The Linux kernel through 5.7.11 allows remote attackers     to make observations that help to obtain sensitive     information about the internal state of the network     RNG, aka CID-f227e3ec3b5c. This is related to     drivers/char/random.c and     kernel/time/timer.c.(CVE-2020-16166)

  - The VFIO PCI driver in the Linux kernel through 5.6.13     mishandles attempts to access disabled memory     space.(CVE-2020-12888)

  - In the Linux kernel through 5.7.6, usbtest_disconnect     in drivers/usb/misc/usbtest.c has a memory leak, aka     CID-28ebeb8db770.(CVE-2020-15393)

  - A logic bug was found in the Linux kernels     implementation of SSBD. A bug in the logic handling can     allow an attacker with a local account to disable SSBD     protection during a context switch when additional     speculative execution mitigations are in     place.(CVE-2020-10766)

  - The prctl() function can be used to enable indirect     branch speculation even after it has been disabled.
    This same call will incorrectly report it being 'force     disabled' when it is not.(CVE-2020-10768)

  - A flaw was found in the Linux kernel's implementation     of the Enhanced IBPB (Indirect Branch Prediction     Barrier). The IBPB mitigation will be disabled when     STIBP is not available or when the Enhanced Indirect     Branch Restricted Speculation (IBRS) is available. This     flaw allows a local attacker to perform a Spectre V2     style attack when this configuration is active. The     highest threat from this vulnerability is to     confidentiality.(CVE-2020-10767)

  - A flaw was found in the ZRAM kernel module, where a     user with a local account and the ability to read the     /sys/class/zram-control/hot_add file can create ZRAM     device nodes in the /dev/ directory. This read     allocates kernel memory and is not accounted for a user     that triggers the creation of that ZRAM device. With     this vulnerability, continually reading the device may     consume a large amount of system memory and cause the     Out-of-Memory (OOM) killer to activate and terminate     random userspace processes, possibly making the system     inoperable.(CVE-2020-10781)

  - A flaw was found in the Linux kernel. An index buffer     overflow during Direct IO write leading to the NFS     client to crash. In some cases, a reach out of the     index after one memory allocation by kmalloc will cause     a kernel panic. The highest threat from this     vulnerability is to data confidentiality and system     availability.(CVE-2020-10742)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0763 advisory.

  - kernel: bad kfree in auditfilter.c may lead to escalation of privilege (CVE-2020-0444)

  - kernel: Local buffer overflow in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c     (CVE-2020-25211)

  - kernel: locking issue in drivers/tty/tty_jobctrl.c can lead to an use-after-free (CVE-2020-29661)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0774 advisory.

  - kernel: bad kfree in auditfilter.c may lead to escalation of privilege (CVE-2020-0444)

  - kernel: performance counters race condition use-after-free (CVE-2020-14351)

  - kernel: Local buffer overflow in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c     (CVE-2020-25211)

  - kernel: ICMP rate limiting can be used for DNS poisoning attack (CVE-2020-25705)

  - kernel: locking issue in drivers/tty/tty_jobctrl.c can lead to an use-after-free (CVE-2020-29661)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0765 advisory.

  - kernel: bad kfree in auditfilter.c may lead to escalation of privilege (CVE-2020-0444)

  - kernel: performance counters race condition use-after-free (CVE-2020-14351)

  - kernel: Local buffer overflow in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c     (CVE-2020-25211)

  - kernel: ICMP rate limiting can be used for DNS poisoning attack (CVE-2020-25705)

  - kernel: locking issue in drivers/tty/tty_jobctrl.c can lead to an use-after-free (CVE-2020-29661)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0686 advisory.

  - kernel: bad kfree in auditfilter.c may lead to escalation of privilege (CVE-2020-0444)

  - kernel: performance counters race condition use-after-free (CVE-2020-14351)

  - kernel: ICMP rate limiting can be used for DNS poisoning attack (CVE-2020-25705)

  - kernel: locking issue in drivers/tty/tty_jobctrl.c can lead to an use-after-free (CVE-2020-29661)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0689 advisory.

  - kernel: bad kfree in auditfilter.c may lead to escalation of privilege (CVE-2020-0444)

  - kernel: locking issue in drivers/tty/tty_jobctrl.c can lead to an use-after-free (CVE-2020-29661)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).

CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).

CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).

CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).

CVE-2020-15437: Fixed a NULL pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).

CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).

CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation (bnc#1105322).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-25211: Fixed a flaw where a local attacker was able to inject conntrack netlink configuration that could cause a denial of service or trigger the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter (bnc#1176395).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).

CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).

CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).

CVE-2020-25285: A race condition between hugetlb sysctl handlers in mm/hugetlb.c could be used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified other impact (bnc#1176485 ).

CVE-2020-15437: Fixed a NULL pointer dereference which could have allowed local users to cause a denial of service (bsc#1179140).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).

CVE-2020-25668: Fixed a use-after-free in con_font_op() (bsc#1178123).

CVE-2020-27673: Fixed an issue where rogue guests could have caused denial of service of Dom0 via high frequency events (XSA-332 bsc#1177411)

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).

CVE-2019-19063: Fixed two memory leaks in the rtl_usb_probe() which could eventually have allowed attackers to cause a denial of service (memory consumption) (bnc#1157298 ).

CVE-2019-6133: Fixed an issue where the 'start time' protection mechanism could have been bypassed and therefore authorization decisions are improperly cached (bsc#1128172).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).

CVE-2020-10781: A flaw was found in the ZRAM kernel module, where a user with a local account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the creation of that ZRAM device.
With this vulnerability, continually reading the device may consume a large amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random userspace processes, possibly making the system inoperable (bnc#1173074).

CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).

CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).

CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).

CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).

CVE-2020-29371: An issue was discovered in romfs_dev_read in fs/romfs/storage.c where uninitialized memory leaks to userspace (bnc#1179429).

CVE-2020-15437: Fixed a NULL pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).

CVE-2019-20806: Fixed a NULL pointer dereference in tw5864_handle_frame() in drivers/media/pci/tw5864/tw5864-video.c, which may cause denial of service (bnc#1172199).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket() that could be triggered by local attackers (with access to the nbd device) via an I/O request (bnc#1181504).

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).

CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-29371: Fixed uninitialized memory leaks to userspace (bsc#1179429).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).

CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).

CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).

CVE-2020-15437: Fixed a NULL pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update syncs the RT kernel from the SUSE Linux Enterprise 15-SP2 codestream. This update was imported from the SUSE:SLE-15-SP2:Update update project.

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-28374: Fixed a LIO security issue (bsc#1178372).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed, aka CID-16d51a590a8c (bsc#1179663).

CVE-2020-27786: Fixed a use after free in kernel midi subsystem snd_rawmidi_kernel_read1() (bsc#1179601).

CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).

CVE-2018-20669: Fixed an improper check i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c (bsc#1122971).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-29373: Fixed an unsafe handling of the root directory during path lookups in fs/io_uring.c (bnc#1179434).

CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).

CVE-2020-27830: Fixed a NULL pointer dereference in speakup (bsc#1179656).

CVE-2020-29370: Fixed a race condition in kmem_cache_alloc_bulk (bnc#1179435).

CVE-2020-27786: Fixed a use after free in kernel midi subsystem snd_rawmidi_kernel_read1() (bsc#1179601).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed, aka CID-16d51a590a8c (bsc#1179663).

CVE-2020-27786: Fixed a use after free in kernel midi subsystem snd_rawmidi_kernel_read1() (bsc#1179601).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP2 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-29373: Fixed an unsafe handling of the root directory during path lookups in fs/io_uring.c (bnc#1179434).

CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).

CVE-2020-27830: Fixed a NULL pointer dereference in speakup (bsc#1179656).

CVE-2020-29370: Fixed a race condition in kmem_cache_alloc_bulk (bnc#1179435).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-20669: Fixed an improper check i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c (bsc#1122971).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed, aka CID-16d51a590a8c (bsc#1179663).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).

CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-29371: Fixed uninitialized memory leaks to userspace (bsc#1179429).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):In do_epoll_ctl and     ep_loop_check_proc of eventpoll.c, there is a possible     use after free due to a logic error. This could lead to     local escalation of privilege with no additional     execution privileges needed.(CVE-2020-0466)In the l2tp     subsystem, there is a possible use after free due to a     race condition. This could lead to local escalation of     privilege with System execution privileges     needed.(CVE-2020-27067)In the nl80211_policy policy of     nl80211.c, there is a possible out of bounds read due     to a missing bounds check. This could lead to local     information disclosure with System execution privileges     needed.(CVE-2020-27068)In audit_free_lsm_field of     auditfilter.c, there is a possible bad kfree due to a     logic error in audit_data_to_entry. This could lead to     local escalation of privilege with no additional     execution privileges needed.(CVE-2020-0444)In various     methods of hid-multitouch.c, there is a possible out of     bounds write due to a missing bounds check. This could     lead to local escalation of privilege with no     additional execution privileges     needed.(CVE-2020-0465)Use-after-free vulnerability in     fs/block_dev.c in the Linux kernel before 5.8 allows     local users to gain privileges or cause a denial of     service by leveraging improper access to a certain     error field.(CVE-2020-15436)The Linux kernel before     version 5.8 is vulnerable to a NULL pointer dereference     in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
    _ports() that allows local users to cause a denial of     service by using the p->serial_in pointer which     uninitialized.(CVE-2020-15437)A flaw was found in the     Linux kernels implementation of MIDI, where an attacker     with a local account and the permissions to issue an     ioctl commands to midi devices, could trigger a     use-after-free. A write to this specific memory while     freed and before use could cause the flow of execution     to change and possibly allow for memory corruption or     privilege escalation.(CVE-2020-27786)Array index out of     bounds access when setting extended attributes on     journaling filesystems.(CVE-2020-27815)NULL-ptr deref     in the spk_ttyio_receive_buf2() function in     spk_ttyio.c(CVE-2020-27830)An issue was discovered in
    __split_huge_pmd in mm/huge_memory.c in the Linux     kernel before 5.7.5. The copy-on-write implementation     can grant unintended write access because of a race     condition in a THP mapcount check, aka     CID-c444eb564fb1.(CVE-2020-29368)An issue was     discovered in kmem_cache_alloc_bulk in mm/slub.c in the     Linux kernel before 5.5.11. The slowpath lacks the     required TID increment, aka     CID-fd4d9c7d0c71.(CVE-2020-29370)An issue was     discovered in romfs_dev_read in fs/romfs/storage.c in     the Linux kernel before 5.8.4. Uninitialized memory     leaks to userspace, aka     CID-bcf85fcedfdd.(CVE-2020-29371)A locking     inconsistency issue was discovered in the tty subsystem     of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may     allow a read-after-free attack against TIOCGSID, aka     CID-c8bcd9c5be24.(CVE-2020-29660)A locking issue was     discovered in the tty subsystem of the Linux kernel     through 5.9.13. drivers/tty/tty_jobctrl.c allows a     use-after-free attack against TIOCSPGRP, aka     CID-54ffccbf053b.(CVE-2020-29661)A slab-out-of-bounds     read in fbcon in the Linux kernel before 5.9.7 could be     used by local attackers to read privileged information     or potentially crash the kernel, aka CID-3c4e0dff2095.
    This occurs because KD_FONT_OP_COPY in     drivers/tty/vt/vt.c can be used for manipulations such     as font height.(CVE-2020-28974) An issue was discovered     in the Linux kernel through 5.9.1, as used with Xen     through 4.14.x. Guest OS users can cause a denial of     service (host OS hang) via a high rate of events to     dom0, aka CID-e99502f76271.(CVE-2020-27673)An issue was     discovered in drivers/accessibility/speakup/spk_ttyio.c     in the Linux kernel through 5.9.9. Local attackers on     systems with the speakup driver could cause a local     denial of service attack, aka CID-d41227544427. This     occurs because of an invalid free when the line     discipline is used more than once.(CVE-2020-28941)An     issue was discovered in the Linux kernel through 5.9.1,     as used with Xen through 4.14.x.
    drivers/xen/events/events_base.c allows event-channel     removal during the event-handling loop (a race     condition). This can cause a use-after-free or NULL     pointer dereference, as demonstrated by a dom0 crash     via events for an in-reconfiguration paravirtualized     device, aka CID-073d0552ead5.(CVE-2020-27675)A buffer     over-read (at the framebuffer layer) in the fbcon code     in the Linux kernel before 5.8.15 could be used by     local attackers to read kernel memory, aka     CID-6735b4632def.(CVE-2020-28915)A flaw was found in     the Linux kernel. A use-after-free memory flaw was     found in the perf subsystem allowing a local attacker     with permission to monitor perf events to corrupt     memory and possibly escalate privileges. The highest     threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-14351)A flaw in the way reply     ICMP packets are limited in the Linux kernel     functionality was found that allows to quickly scan     open UDP ports. This flaw allows an off-path remote     user to effectively bypassing source port UDP     randomization. The highest threat from this     vulnerability is to confidentiality and possibly     integrity, because software that relies on UDP source     port randomization are indirectly affected as well.
    Kernel versions before 5.10 may be vulnerable to this     issue.(CVE-2020-25705)race condition in fg_console can     lead to use-after-free in     con_font_op.(CVE-2020-25668)use-after-free read in     sunkbd_reinit in     drivers/input/keyboard/sunkbd.c.(CVE-2020-25669)A flaw     was found in the way RTAS handled memory accesses in     userspace to kernel communication. On a locked down     (usually due to Secure Boot) guest system running on     top of PowerVM or KVM hypervisors (pseries platform) a     root like local user could use this flaw to further     increase their privileges to that of a running     kernel.(CVE-2020-27777)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
148380	Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2021-9164)	Nessus	Oracle Linux Local Security Checks	high
147588	EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2021-1386)	Nessus	Huawei Local Security Checks	high
147512	EulerOS : kernel (EulerOS-SA-2021-1604)	Nessus	Huawei Local Security Checks	high
147215	RHEL 8 : kpatch-patch (RHSA-2021:0763)	Nessus	Red Hat Local Security Checks	high
147212	RHEL 8 : kernel-rt (RHSA-2021:0774)	Nessus	Red Hat Local Security Checks	high
147207	RHEL 8 : kernel (RHSA-2021:0765)	Nessus	Red Hat Local Security Checks	high
147011	RHEL 8 : kernel (RHSA-2021:0686)	Nessus	Red Hat Local Security Checks	high
147010	RHEL 8 : kpatch-patch (RHSA-2021:0689)	Nessus	Red Hat Local Security Checks	high
146511	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0452-1)	Nessus	SuSE Local Security Checks	high
146476	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0437-1)	Nessus	SuSE Local Security Checks	high
146474	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0438-1)	Nessus	SuSE Local Security Checks	high
146470	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0434-1)	Nessus	SuSE Local Security Checks	high
146282	openSUSE Security Update : RT kernel (openSUSE-2021-242)	Nessus	SuSE Local Security Checks	high
145320	openSUSE Security Update : the Linux Kernel (openSUSE-2021-60)	Nessus	SuSE Local Security Checks	high
145287	openSUSE Security Update : the Linux Kernel (openSUSE-2021-75)	Nessus	SuSE Local Security Checks	high
145120	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0133-1)	Nessus	SuSE Local Security Checks	high
145025	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:0117-1)	Nessus	SuSE Local Security Checks	high
145018	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:0118-1)	Nessus	SuSE Local Security Checks	high
144959	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0108-1)	Nessus	SuSE Local Security Checks	high
144914	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0098-1)	Nessus	SuSE Local Security Checks	high
144908	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0095-1)	Nessus	SuSE Local Security Checks	high
144693	EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-1028)	Nessus	Huawei Local Security Checks	high

CVE-2020-0444

HIGH

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high