https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3f777e19d171670ab558a6d5e6b1ac7f9b6c574f

FEDORA-2020-b453269c4e

FEDORA-2020-16f9239805

FEDORA-2020-64d46a6e29

https://security.netapp.com/advisory/ntap-20200608-0001/

USN-4342-1

USN-4343-1

USN-4345-1

DSA-4667

The remote NewStart CGSL host, running version MAIN 6.01, has kernel packages installed that are affected by multiple vulnerabilities:

  - A flaw was found in the Linux kernel's NFS     implementation, all versions 3.x and all versions 4.x up     to 4.20. An attacker, who is able to mount an exported     NFS filesystem, is able to trigger a null pointer     dereference by using an invalid NFS sequence. This can     panic the machine and deny access to the NFS server. Any     outstanding disk writes to the NFS server will be lost.
    (CVE-2018-16871)

  - ieee802154_create in net/ieee802154/socket.c in the     AF_IEEE802154 network module in the Linux kernel through     5.3.2 does not enforce CAP_NET_RAW, which means that     unprivileged users can create a raw socket, aka     CID-e69dbd4619e7. (CVE-2019-17053)

  - base_sock_create in drivers/isdn/mISDN/socket.c in the     AF_ISDN network module in the Linux kernel through 5.3.2     does not enforce CAP_NET_RAW, which means that     unprivileged users can create a raw socket, aka     CID-b91ee4aa2a21. (CVE-2019-17055)

  - The flow_dissector feature in the Linux kernel 4.3     through 5.x before 5.3.10 has a device tracking     vulnerability, aka CID-55667441c84f. This occurs because     the auto flowlabel of a UDP IPv6 packet relies on a     32-bit hashrnd value as a secret, and because jhash     (instead of siphash) is used. The hashrnd value remains     the same starting from boot time, and can be inferred by     an attacker. This affects net/core/flow_dissector.c and     related code. (CVE-2019-18282)

  - An issue was discovered in net/ipv4/sysctl_net_ipv4.c in     the Linux kernel before 5.0.11. There is a     net/ipv4/tcp_input.c signed integer overflow in     tcp_ack_update_rtt() when userspace writes a very large     integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading     to a denial of service or possibly unspecified other     impact, aka CID-19fad20d15a6. (CVE-2019-18805)

  - A memory leak in the mlx5_fpga_conn_create_cq() function     in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c     in the Linux kernel before 5.3.11 allows attackers to     cause a denial of service (memory consumption) by     triggering mlx5_vector2eqn() failures, aka     CID-c8c2a057fdc7. (CVE-2019-19045)

  - ** DISPUTED ** A memory leak in the     nl80211_get_ftm_responder_stats() function in     net/wireless/nl80211.c in the Linux kernel through     5.3.11 allows attackers to cause a denial of service     (memory consumption) by triggering nl80211hdr_put()     failures, aka CID-1399c59fa929. NOTE: third parties     dispute the relevance of this because it occurs on a     code path where a successful allocation has already     occurred. (CVE-2019-19055)

  - A memory leak in the bnxt_re_create_srq() function in     drivers/infiniband/hw/bnxt_re/ib_verbs.c in the Linux     kernel through 5.3.11 allows attackers to cause a denial     of service (memory consumption) by triggering copy to     udata failures, aka CID-4a9d46a9fe14. (CVE-2019-19077)

  - In the Linux kernel before 5.3.9, there are multiple     out-of-bounds write bugs that can be caused by a     malicious USB device in the Linux kernel HID drivers,     aka CID-d9d4b1e46d95. This affects drivers/hid/hid-     axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c,     drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c,     drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c,     drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c,     drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-     microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-     tmff.c, and drivers/hid/hid-zpff.c. (CVE-2019-19532)

  - In the Linux kernel before 5.3.11, there is an info-leak     bug that can be caused by a malicious USB device in the     drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka     CID-f7a1337f0d29. (CVE-2019-19534)

  - In the Linux kernel 5.4.0-rc2, there is a use-after-free     (read) in the __blk_add_trace function in     kernel/trace/blktrace.c (which is used to fill out a     blk_io_trace structure and place it in a per-cpu sub-     buffer). (CVE-2019-19768)

  - A memory leak in the kernel_read_file function in     fs/exec.c in the Linux kernel through 4.20.11 allows     attackers to cause a denial of service (memory     consumption) by triggering vfs_read failures.
    (CVE-2019-8980)

  - A NULL pointer dereference flaw was found in the Linux     kernel's SELinux subsystem in versions before 5.7. This     flaw occurs while importing the Commercial IP Security     Option (CIPSO) protocol's category bitmap into the     SELinux extensible bitmap via the'     ebitmap_netlbl_import' routine. While processing the     CIPSO restricted bitmap tag in the     'cipso_v4_parsetag_rbm' routine, it sets the security     attribute to indicate that the category bitmap is     present, even if it has not been allocated. This issue     leads to a NULL pointer dereference issue while     importing the same category bitmap into SELinux. This     flaw allows a remote network user to crash the system     kernel, resulting in a denial of service.
    (CVE-2020-10711)

  - In the Linux kernel through 5.6.7 on the s390 platform,     code execution may occur because of a race condition, as     demonstrated by code in enable_sacf_uaccess in     arch/s390/lib/uaccess.c that fails to protect against a     concurrent page table upgrade, aka CID-3f777e19d171. A     crash could also occur. (CVE-2020-11884)

  - An issue was discovered in the Linux kernel before     5.6.5. There is a use-after-free in block/bfq-iosched.c     related to bfq_idle_slice_timer_body. (CVE-2020-12657)

  - A flaw was discovered in the way that the KVM hypervisor     handled instruction emulation for an L2 guest when     nested virtualisation is enabled. Under some     circumstances, an L2 guest may trick the L0 guest into     accessing sensitive L1 resources that should be     inaccessible to the L2 guest. (CVE-2020-2732)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2429 advisory.

  - kernel: powerpc: incomplete Spectre-RSB mitigation leads     to information exposure (CVE-2019-18660)

  - Kernel: NetLabel: null pointer dereference while     receiving CIPSO packet with null category may cause     kernel panic (CVE-2020-10711)

  - Kernel: s390: page table upgrade in secondary address     mode may lead to privilege escalation (CVE-2020-11884)

  - kernel: use-after-free in block/bfq-iosched.c related to     bfq_idle_slice_timer_body (CVE-2020-12657)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the linux package has been released.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernel's implementation     of GRO. This flaw allows an attacker with local access     to crash the system.(CVE-2020-10720)

  - A NULL pointer dereference flaw was found in the Linux     kernel's SELinux subsystem. This flaw occurs while     importing the Commercial IP Security Option (CIPSO)     protocol's category bitmap into the SELinux extensible     bitmap via the' ebitmap_netlbl_import' routine. While     processing the CIPSO restricted bitmap tag in the     'cipso_v4_parsetag_rbm' routine, it sets the security     attribute to indicate that the category bitmap is     present, even if it has not been allocated. This issue     leads to a NULL pointer dereference issue while     importing the same category bitmap into SELinux. This     flaw allows a remote network user to crash the system     kernel, resulting in a denial of     service.(CVE-2020-10711)

  - A signal access-control issue was discovered in the     Linux kernel before 5.6.5, aka CID-7395ea4e65c2.
    Because exec_id in include/linux/sched.h is only 32     bits, an integer overflow can interfere with a     do_notify_parent protection mechanism. A child process     can send an arbitrary signal to a parent process in a     different security domain. Exploitation limitations     include the amount of elapsed time before an integer     overflow occurs, and the lack of scenarios where     signals to a parent process present a substantial     operational threat.(CVE-2020-12826)

  - An issue was discovered in the Linux kernel before     5.4.17. drivers/spi/spi-dw.c allows attackers to cause     a panic via concurrent calls to dw_spi_irq and     dw_spi_transfer_one, aka     CID-19b61392c5a8.(CVE-2020-12769)

  - An issue was discovered in the Linux kernel through     5.6.11. sg_write lacks an sg_remove_request call in a     certain failure case, aka     CID-83c6f2390040.(CVE-2020-12770)

  - An issue was discovered in the Linux kernel through     5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c     has a deadlock if a coalescing operation     fails.(CVE-2020-12771)

  - The __mptctl_ioctl function in     drivers/message/fusion/mptctl.c in the Linux kernel     before 5.4.14 allows local users to hold an incorrect     lock during the ioctl operation and trigger a race     condition, i.e., a 'double fetch' vulnerability, aka     CID-28d76df18f0a. NOTE: the vendor states 'The security     impact of this bug is not as bad as it could have been     because these operations are all privileged and root     already has enormous destructive     power.'(CVE-2020-12652)

  - An issue was discovered in xfs_agf_verify in     fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through     5.6.10. Attackers may trigger a sync of excessive     duration via an XFS v5 image with crafted metadata, aka     CID-d0c7feaf8767.(CVE-2020-12655)

  - A pivot_root race condition in fs amespace.c in the     Linux kernel 4.4.x before 4.4.221, 4.9.x before     4.9.221, 4.14.x before 4.14.178, 4.19.x before     4.19.119, and 5.x before 5.3 allows local users to     cause a denial of service (panic) by corrupting a     mountpoint reference counter.(CVE-2020-12114)

  - An issue was discovered in the Linux kernel before     5.6.5. There is a use-after-free in block/bfq-iosched.c     related to bfq_idle_slice_timer_body.(CVE-2020-12657)

  - usb_sg_cancel in drivers/usb/core/message.c in the     Linux kernel before 5.6.8 has a use-after-free because     a transfer occurs without a reference, aka     CID-056ad39ee925.(CVE-2020-12464)

  - An issue was found in Linux kernel before 5.5.4. The     mwifiex_cmd_append_vsie_tlv() function in drivers     et/wireless/marvell/mwifiex/scan.c allows local users     to gain privileges or cause a denial of service because     of an incorrect memcpy and buffer overflow, aka     CID-b70261a288ea.(CVE-2020-12653)

  - gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c     in the rpcsec_gss_krb5 implementation in the Linux     kernel through 5.6.10 lacks certain domain_release     calls, leading to a memory leak.(CVE-2020-12656)

  - An issue was discovered in the Linux kernel before     5.6.7. xdp_umem_reg in net/xdp/xdp_umem.c has an     out-of-bounds write (by a user with the CAP_NET_ADMIN     capability) because of a lack of headroom     validation.(CVE-2020-12659)

  - An array overflow was discovered in mt76_add_fragment     in drivers et/wireless/mediatek/mt76/dma.c in the Linux     kernel before 5.5.10, aka CID-b102f0c522cf. An     oversized packet with too many rx fragments can corrupt     memory of adjacent pages.(CVE-2020-12465)

  - An issue was found in Linux kernel before 5.5.4.
    mwifiex_ret_wmm_get_status() in drivers     et/wireless/marvell/mwifiex/wmm.c allows a remote AP to     trigger a heap-based buffer overflow because of an     incorrect memcpy, aka CID-3a9b153c5591.(CVE-2020-12654)

  - In the Linux kernel through 5.6.7 on the s390 platform,     code execution may occur because of a race condition,     as demonstrated by code in enable_sacf_uaccess in     arch/s390/lib/uaccess.c that fails to protect against a     concurrent page table upgrade, aka CID-3f777e19d171. A     crash could also occur.(CVE-2020-11884)

  - relay_open in kernel/relay.c in the Linux kernel     through 5.4.1 allows local users to cause a denial of     service (such as relay blockage) by triggering a NULL     alloc_percpu result.(CVE-2019-19462)

  - In the Linux kernel 5.0.21, mounting a crafted btrfs     filesystem image, performing some operations, and     unmounting can lead to a use-after-free in     btrfs_queue_work in     fs/btrfs/async-thread.c.(CVE-2019-19377)

  - In the Linux kernel before 5.5.8, get_raw_socket in     drivers/vhost et.c lacks validation of an sk_family     field, which might allow attackers to trigger kernel     stack corruption via crafted system     calls.(CVE-2020-10942)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2199 advisory.

  - kernel: use-after-free in __blk_add_trace in     kernel/trace/blktrace.c (CVE-2019-19768)

  - Kernel: NetLabel: null pointer dereference while     receiving CIPSO packet with null category may cause     kernel panic (CVE-2020-10711)

  - Kernel: s390: page table upgrade in secondary address     mode may lead to privilege escalation (CVE-2020-11884)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2020:2102 :

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2102 advisory.

  - Kernel: NetLabel: null pointer dereference while     receiving CIPSO packet with null category may cause     kernel panic (CVE-2020-10711)

  - Kernel: s390: page table upgrade in secondary address     mode may lead to privilege escalation (CVE-2020-11884)

  - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor     to access sensitive L1 resources (CVE-2020-2732)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2102 advisory.

  - Kernel: NetLabel: null pointer dereference while     receiving CIPSO packet with null category may cause     kernel panic (CVE-2020-10711)

  - Kernel: s390: page table upgrade in secondary address     mode may lead to privilege escalation (CVE-2020-11884)

  - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor     to access sensitive L1 resources (CVE-2020-2732)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The 5.6.8 stable kernel update contains a number of important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leak.

  - CVE-2020-2732     Paulo Bonzini discovered that the KVM implementation for     Intel processors did not properly handle instruction     emulation for L2 guests when nested virtualization is     enabled. This could allow an L2 guest to cause privilege     escalation, denial of service, or information leaks in     the L1 guest.

  - CVE-2020-8428     Al Viro discovered a use-after-free vulnerability in the     VFS layer. This allowed local users to cause a     denial-of-service (crash) or obtain sensitive     information from kernel memory.

  - CVE-2020-10942     It was discovered that the vhost_net driver did not     properly validate the type of sockets set as back-ends.
    A local user permitted to access /dev/vhost-net could     use this to cause a stack corruption via crafted system     calls, resulting in denial of service (crash) or     possibly privilege escalation.

  - CVE-2020-11565     Entropy Moe reported that the shared memory filesystem     (tmpfs) did not correctly handle an 'mpol' mount option     specifying an empty node list, leading to a stack-based     out-of-bounds write. If user namespaces are enabled, a     local user could use this to cause a denial of service     (crash) or possibly for privilege escalation.

  - CVE-2020-11884     Al Viro reported a race condition in memory management     code for IBM Z (s390x architecture), that can result in     the kernel executing code from the user address space. A     local user could use this for privilege escalation.

Al Viro discovered that the Linux kernel for s390x systems did not properly perform page table upgrades for kernel sections that use secondary address mode. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code.
(CVE-2020-11884)

It was discovered that the Intel Wi-Fi driver in the Linux kernel did not properly check for errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash).
(CVE-2019-16234)

Tristan Madani discovered that the block I/O tracing implementation in the Linux kernel contained a race condition. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2019-19768)

It was discovered that the vhost net driver in the Linux kernel contained a stack buffer overflow. A local attacker with the ability to perform ioctl() calls on /dev/vhost-net could use this to cause a denial of service (system crash). (CVE-2020-10942)

It was discovered that the OV51x USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11608)

It was discovered that the STV06XX USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11609)

It was discovered that the Xirlink C-It USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11668)

It was discovered that the virtual terminal implementation in the Linux kernel contained a race condition. A local attacker could possibly use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2020-8648)

Jordy Zomer discovered that the floppy driver in the Linux kernel did not properly check for errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2020-9383).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Al Viro discovered that the Linux kernel for s390x systems did not properly perform page table upgrades for kernel sections that use secondary address mode. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Al Viro discovered that the Linux kernel for s390x systems did not properly perform page table upgrades for kernel sections that use secondary address mode. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code.
(CVE-2020-11884)

It was discovered that the Intel Wi-Fi driver in the Linux kernel did not properly check for errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash).
(CVE-2019-16234)

Tristan Madani discovered that the block I/O tracing implementation in the Linux kernel contained a race condition. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2019-19768)

It was discovered that the vhost net driver in the Linux kernel contained a stack buffer overflow. A local attacker with the ability to perform ioctl() calls on /dev/vhost-net could use this to cause a denial of service (system crash). (CVE-2020-10942)

It was discovered that the virtual terminal implementation in the Linux kernel contained a race condition. A local attacker could possibly use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2020-8648)

Shijie Luo discovered that the ext4 file system implementation in the Linux kernel did not properly check for a too-large journal size. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (soft lockup).
(CVE-2020-8992)

Jordy Zomer discovered that the floppy driver in the Linux kernel did not properly check for errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2020-9383).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
138766	NewStart CGSL MAIN 6.01 : kernel Multiple Vulnerabilities (NS-SA-2020-0030)	Nessus	NewStart CGSL Local Security Checks	high
137275	RHEL 8 : kernel (RHSA-2020:2429)	Nessus	Red Hat Local Security Checks	medium
137190	Photon OS 3.0: Linux PHSA-2020-3.0-0100	Nessus	PhotonOS Local Security Checks	high
136870	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1592)	Nessus	Huawei Local Security Checks	high
136717	RHEL 8 : kernel (RHSA-2020:2199)	Nessus	Red Hat Local Security Checks	medium
136646	Oracle Linux 8 : kernel (ELSA-2020-2102)	Nessus	Oracle Linux Local Security Checks	medium
136526	RHEL 8 : kernel (RHSA-2020:2102)	Nessus	Red Hat Local Security Checks	medium
136298	Fedora 31 : kernel (2020-b453269c4e)	Nessus	Fedora Local Security Checks	medium
136295	Fedora 30 : kernel (2020-64d46a6e29)	Nessus	Fedora Local Security Checks	medium
136124	Debian DSA-4667-1 : linux - security update	Nessus	Debian Local Security Checks	medium
136088	Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel vulnerabilities (USN-4345-1)	Nessus	Ubuntu Local Security Checks	medium
136086	Ubuntu 20.04 : Linux kernel vulnerability (USN-4343-1)	Nessus	Ubuntu Local Security Checks	medium
136085	Ubuntu 18.04 LTS / 19.10 : Linux kernel vulnerabilities (USN-4342-1)	Nessus	Ubuntu Local Security Checks	medium

CVE-2020-11884

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Tenable Plugins