https://bugs.openvz.org/browse/OVZ-7188

https://bugzilla.redhat.com/show_bug.cgi?id=1850716

https://patchwork.ozlabs.org/project/netfilter-devel/patch/c2385b5c-309c-cc64-2e10-a0ef62897502@virtuozzo.com/

https://security.netapp.com/advisory/ntap-20201210-0004/

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - mwifiex_cmd_802_11_ad_hoc_start in     drivers/net/wireless/marvell/mwifiex/join.c in the     Linux kernel through 5.10.4 might allow remote     attackers to execute arbitrary code via a long SSID     value, aka CID-5c455c5ab332.(CVE-2020-36158)

  - Incomplete cleanup from specific special register read     operations in some Intel(R) Processors may allow an     authenticated user to potentially enable information     disclosure via local access.(CVE-2020-0543)

  - An infinite loop issue was found in the vhost_net     kernel module in Linux Kernel up to and including     v5.1-rc6, while handling incoming packets in     handle_rx(). It could occur if one end sends packets     faster than the other end can process them. A guest     user, maybe remote one, could use this flaw to stall     the vhost_net kernel thread, resulting in a DoS     scenario.(CVE-2019-3900)

  - In pppol2tp_connect, there is possible memory     corruption due to a use after free. This could lead to     local escalation of privilege with System execution     privileges needed. User interaction is not needed for     exploitation. Product: Android. Versions: Android     kernel. Android ID: A-38159931.(CVE-2018-9517)

  - A flaw was found in the fix for CVE-2019-11135, in the     Linux upstream kernel versions before 5.5 where, the     way Intel CPUs handle speculative execution of     instructions when a TSX Asynchronous Abort (TAA) error     occurs. When a guest is running on a host CPU affected     by the TAA flaw (TAA_NO=0), but is not affected by the     MDS issue (MDS_NO=1), the guest was to clear the     affected buffers by using a VERW instruction mechanism.
    But when the MDS_NO=1 bit was exported to the guests,     the guests did not use the VERW mechanism to clear the     affected buffers. This issue affects guests running on     Cascade Lake CPUs and requires that host has 'TSX'     enabled. Confidentiality of data is the highest threat     associated with this vulnerability.(CVE-2019-19338)

  - There is a use-after-free in kernel versions before 5.5     due to a race condition between the release of     ptp_clock and cdev while resource deallocation. When a     (high privileged) process allocates a ptp device file     (like /dev/ptpX) and voluntarily goes to sleep. During     this time if the underlying device is removed, it can     cause an exploitable condition as the process wakes up     to terminate and clean all attached files. The system     crashes due to the cdev structure being invalid (as     already freed) which is pointed to by the     inode.(CVE-2020-10690)

  - Improper input validation in BlueZ may allow an     unauthenticated user to potentially enable escalation     of privilege via adjacent access.(CVE-2020-12351)

  - A flaw was found in the Linux kernels implementation of     MIDI, where an attacker with a local account and the     permissions to issue an ioctl commands to midi devices,     could trigger a use-after-free. A write to this     specific memory while freed and before use could cause     the flow of execution to change and possibly allow for     memory corruption or privilege     escalation.(CVE-2020-27786)

  - use-after-free read in sunkbd_reinit in     drivers/input/keyboard/sunkbd.c(CVE-2020-25669)

  - A flaw was found in the way RTAS handled memory     accesses in userspace to kernel communication. On a     locked down (usually due to Secure Boot) guest system     running on top of PowerVM or KVM hypervisors (pseries     platform) a root like local user could use this flaw to     further increase their privileges to that of a running     kernel.(CVE-2020-27777)

  - A locking inconsistency issue was discovered in the tty     subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may     allow a read-after-free attack against TIOCGSID, aka     CID-c8bcd9c5be24.(CVE-2020-29660)

  - A locking issue was discovered in the tty subsystem of     the Linux kernel through 5.9.13.
    drivers/tty/tty_jobctrl.c allows a use-after-free     attack against TIOCSPGRP, aka     CID-54ffccbf053b.(CVE-2020-29661)

  - An out-of-bounds memory write flaw was found in how the     Linux kernel's Voice Over IP H.323 connection tracking     functionality handled connections on ipv6 port 1720.
    This flaw allows an unauthenticated remote user to     crash the system, causing a denial of service. The     highest threat from this vulnerability is to     confidentiality, integrity, as well as system     availability.(CVE-2020-14305)

  - An issue was discovered in the Linux kernel before     5.2.6. On NUMA systems, the Linux fair scheduler has a     use-after-free in show_numa_stats() because NUMA fault     statistics are inappropriately freed, aka     CID-16d51a590a8c.(CVE-2019-20934)

  - IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors     could allow a local user to obtain sensitive     information from the data in the L1 cache under     extenuating circumstances. IBM X-Force ID:
    189296.(CVE-2020-4788)

  - A flaw memory leak in the Linux kernel performance     monitoring subsystem was found in the way if using     PERF_EVENT_IOC_SET_FILTER. A local user could use this     flaw to starve the resources causing denial of     service.(CVE-2020-25704)

  - An issue was discovered in kmem_cache_alloc_bulk in     mm/slub.c in the Linux kernel before 5.5.11. The     slowpath lacks the required TID increment, aka     CID-fd4d9c7d0c71.(CVE-2020-29370)

  - A slab-out-of-bounds read in fbcon in the Linux kernel     before 5.9.7 could be used by local attackers to read     privileged information or potentially crash the kernel,     aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for     manipulations such as font height.(CVE-2020-28974)

  - A buffer over-read (at the framebuffer layer) in the     fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka     CID-6735b4632def.(CVE-2020-28915)

  - An issue was discovered in romfs_dev_read in     fs/romfs/storage.c in the Linux kernel before 5.8.4.
    Uninitialized memory leaks to userspace, aka     CID-bcf85fcedfdd.(CVE-2020-29371)

  - Use-after-free vulnerability in fs/block_dev.c in the     Linux kernel before 5.8 allows local users to gain     privileges or cause a denial of service by leveraging     improper access to a certain error     field.(CVE-2020-15436)

  - The Linux kernel before version 5.8 is vulnerable to a     NULL pointer dereference in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
    _ports() that allows local users to cause a denial of     service by using the p->serial_in pointer which     uninitialized.(CVE-2020-15437)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - mwifiex_cmd_802_11_ad_hoc_start in     drivers/net/wireless/marvell/mwifiex/join.c in the     Linux kernel through 5.10.4 might allow remote     attackers to execute arbitrary code via a long SSID     value, aka CID-5c455c5ab332.(CVE-2020-36158)

  - A flaw was found in the Linux kernel. A use-after-free     was found in the way the console subsystem was using     ioctls KDGKBSENT and KDSKBSENT. A local user could use     this flaw to get read memory access out of bounds. The     highest threat from this vulnerability is to data     confidentiality.(CVE-2020-25656)

  - A flaw was found in the Linux kernel. A use-after-free     memory flaw was found in the perf subsystem allowing a     local attacker with permission to monitor perf events     to corrupt memory and possibly escalate privileges. The     highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-14351)

  - A flaw was found in the way RTAS handled memory     accesses in userspace to kernel communication. On a     locked down (usually due to Secure Boot) guest system     running on top of PowerVM or KVM hypervisors (pseries     platform) a root like local user could use this flaw to     further increase their privileges to that of a running     kernel.(CVE-2020-27777)

  - A locking issue was discovered in the tty subsystem of     the Linux kernel through 5.9.13.
    drivers/tty/tty_jobctrl.c allows a use-after-free     attack against TIOCSPGRP, aka     CID-54ffccbf053b.(CVE-2020-29661)

  - A locking inconsistency issue was discovered in the tty     subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may     allow a read-after-free attack against TIOCGSID, aka     CID-c8bcd9c5be24.(CVE-2020-29660)

  - An issue was discovered in the Linux kernel before     5.2.6. On NUMA systems, the Linux fair scheduler has a     use-after-free in show_numa_stats() because NUMA fault     statistics are inappropriately freed, aka     CID-16d51a590a8c.(CVE-2019-20934)

  - A flaw was found in the Linux kernels implementation of     MIDI, where an attacker with a local account and the     permissions to issue an ioctl commands to midi devices,     could trigger a use-after-free. A write to this     specific memory while freed and before use could cause     the flow of execution to change and possibly allow for     memory corruption or privilege     escalation.(CVE-2020-27786)

  - An issue was discovered in romfs_dev_read in     fs/romfs/storage.c in the Linux kernel before 5.8.4.
    Uninitialized memory leaks to userspace, aka     CID-bcf85fcedfdd.(CVE-2020-29371)

  - In the Android kernel in Pixel C USB monitor driver     there is a possible OOB write due to a missing bounds     check. This could lead to local escalation of privilege     with System execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2019-9456)

  - A stack information leak flaw was found in s390/s390x     in the Linux kernel's memory manager functionality,     where it incorrectly writes to the     /proc/sys/vm/cmm_timeout file. This flaw allows a local     user to see the kernel data.(CVE-2020-10773)

  - A pivot_root race condition in fs/namespace.c in the     Linux kernel 4.4.x before 4.4.221, 4.9.x before     4.9.221, 4.14.x before 4.14.178, 4.19.x before     4.19.119, and 5.x before 5.3 allows local users to     cause a denial of service (panic) by corrupting a     mountpoint reference counter.(CVE-2020-12114)

  - An out-of-bounds memory write flaw was found in how the     Linux kernel's Voice Over IP H.323 connection tracking     functionality handled connections on ipv6 port 1720.
    This flaw allows an unauthenticated remote user to     crash the system, causing a denial of service. The     highest threat from this vulnerability is to     confidentiality, integrity, as well as system     availability.(CVE-2020-14305)

  - Use-after-free vulnerability in fs/block_dev.c in the     Linux kernel before 5.8 allows local users to gain     privileges or cause a denial of service by leveraging     improper access to a certain error     field.(CVE-2020-15436)

  - The Linux kernel before version 5.8 is vulnerable to a     NULL pointer dereference in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
    _ports() that allows local users to cause a denial of     service by using the p->serial_in pointer which     uninitialized.(CVE-2020-15437)

  - A buffer over-read (at the framebuffer layer) in the     fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka     CID-6735b4632def.(CVE-2020-28915)

  - A slab-out-of-bounds read in fbcon in the Linux kernel     before 5.9.7 could be used by local attackers to read     privileged information or potentially crash the kernel,     aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for     manipulations such as font height.(CVE-2020-28974)

  - In cdev_get of char_dev.c, there is a possible     use-after-free due to a race condition. This could lead     to local escalation of privilege with System execution     privileges needed. User interaction is not needed for     exploitation.Product: AndroidVersions:
    Android-10Android ID: A-153467744(CVE-2020-0305)

  - Improper access control in BlueZ may allow an     unauthenticated user to potentially enable information     disclosure via adjacent access.(CVE-2020-12352)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A stack information leak flaw was found in s390/s390x     in the Linux kernel's memory manager functionality,     where it incorrectly writes to the     /proc/sys/vm/cmm_timeout file. This flaw allows a local     user to see the kernel data.(CVE-2020-10773)

  - In the Android kernel in the video driver there is a     use after free due to a race condition. This could lead     to local escalation of privilege with no additional     execution privileges needed. User interaction is not     needed for exploitation.(CVE-2019-9458)

  - An issue was discovered in the Linux kernel before     5.2.6. On NUMA systems, the Linux fair scheduler has a     use-after-free in show_numa_stats() because NUMA fault     statistics are inappropriately freed, aka     CID-16d51a590a8c.(CVE-2019-20934)

  - A locking inconsistency issue was discovered in the tty     subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may     allow a read-after-free attack against TIOCGSID, aka     CID-c8bcd9c5be24.(CVE-2020-29660)

  - An out-of-bounds memory write flaw was found in how the     Linux kernel's Voice Over IP H.323 connection tracking     functionality handled connections on ipv6 port 1720.
    This flaw allows an unauthenticated remote user to     crash the system, causing a denial of service. The     highest threat from this vulnerability is to     confidentiality, integrity, as well as system     availability.(CVE-2020-14305)

  - A locking issue was discovered in the tty subsystem of     the Linux kernel through 5.9.13.
    drivers/tty/tty_jobctrl.c allows a use-after-free     attack against TIOCSPGRP, aka     CID-54ffccbf053b.(CVE-2020-29661)

  - An issue was discovered in romfs_dev_read in     fs/romfs/storage.c in the Linux kernel before 5.8.4.
    Uninitialized memory leaks to userspace, aka     CID-bcf85fcedfdd.(CVE-2020-29371)

  - Use-after-free vulnerability in fs/block_dev.c in the     Linux kernel before 5.8 allows local users to gain     privileges or cause a denial of service by leveraging     improper access to a certain error     field.(CVE-2020-15436)

  - The Linux kernel before version 5.8 is vulnerable to a     NULL pointer dereference in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
    _ports() that allows local users to cause a denial of     service by using the p->serial_in pointer which     uninitialized.(CVE-2020-15437)

  - An issue was discovered in kmem_cache_alloc_bulk in     mm/slub.c in the Linux kernel before 5.5.11. The     slowpath lacks the required TID increment, aka     CID-fd4d9c7d0c71.(CVE-2020-29370)

  - A flaw was found in the Linux kernel. A use-after-free     memory flaw was found in the perf subsystem allowing a     local attacker with permission to monitor perf events     to corrupt memory and possibly escalate privileges. The     highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-14351)

  - A buffer over-read (at the framebuffer layer) in the     fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka     CID-6735b4632def.(CVE-2020-28915)

  - A slab-out-of-bounds read in fbcon in the Linux kernel     before 5.9.7 could be used by local attackers to read     privileged information or potentially crash the kernel,     aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for     manipulations such as font height.(CVE-2020-28974)

  - Improper access control in BlueZ may allow an     unauthenticated user to potentially enable information     disclosure via adjacent access.(CVE-2020-12352)

  - In cdev_get of char_dev.c, there is a possible     use-after-free due to a race condition. This could lead     to local escalation of privilege with System execution     privileges needed. User interaction is not needed for     exploitation.Product: AndroidVersions:
    Android-10Android ID: A-153467744(CVE-2020-0305)

  - A flaw was found in the HDLC_PPP module of the Linux     kernel in versions before 5.9-rc7. Memory corruption     and a read overflow is caused by improper input     validation in the ppp_cp_parse_cr function which can     cause the system to crash or cause a denial of service.
    The highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-25643)

  - An issue was discovered in can_can_gw_rcv in     net/can/gw.c in the Linux kernel through 4.19.13. The     CAN frame modification rules allow bitwise logical     operations that can be also applied to the can_dlc     field. The privileged user 'root' with CAP_NET_ADMIN     can create a CAN frame modification rule that makes the     data length code a higher value than the available CAN     frame data size. In combination with a configured     checksum calculation where the result is stored     relatively to the end of the data (e.g.
    cgw_csum_xor_rel) the tail of the skb (e.g. frag_list     pointer in skb_shared_info) can be rewritten which     finally can cause a system crash. Because of a missing     check, the CAN drivers may write arbitrary content     beyond the data registers in the CAN controller's I/O     memory when processing can-gw manipulated outgoing     frames.(CVE-2019-3701)

  - In the Android kernel in Pixel C USB monitor driver     there is a possible OOB write due to a missing bounds     check. This could lead to local escalation of privilege     with System execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2019-9456)

  - A pivot_root race condition in fs/ namespace.c in the     Linux kernel 4.4.x before 4.4.221, 4.9.x before     4.9.221, 4.14.x before 4.14.178, 4.19.x before     4.19.119, and 5.x before 5.3 allows local users to     cause a denial of service (panic) by corrupting a     mountpoint reference counter.(CVE-2020-12114)

  - A flaw was found in the Linux kernel in versions before     5.9-rc7. Traffic between two Geneve endpoints may be     unencrypted when IPsec is configured to encrypt traffic     for the specific UDP port used by the GENEVE tunnel     allowing anyone between the two endpoints to read the     traffic unencrypted. The main threat from this     vulnerability is to data     confidentiality.(CVE-2020-25645)

  - In kbd_keycode of keyboard.c, there is a possible out     of bounds write due to a missing bounds check. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-144161459(CVE-2020-0431)

  - In blk_mq_queue_tag_busy_iter of blk-mq-tag.c, there is     a possible use after free due to improper locking. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-151939299(CVE-2020-0433)

  - In the Linux kernel through 5.8.7, local attackers able     to inject conntrack netlink configuration could     overflow a local buffer, causing crashes or triggering     use of incorrect protocol numbers in     ctnetlink_parse_tuple_filter in net/ netfilter/     nf_conntrack_netlink.c, aka     CID-1cc5ef91d2ff.(CVE-2020-25211)

  - A memory out-of-bounds read flaw was found in the Linux     kernel before 5.9-rc2 with the ext3/ext4 file system,     in the way it accesses a directory with broken     indexing. This flaw allows a local user to crash the     system if the directory exists. The highest threat from     this vulnerability is to system     availability.(CVE-2020-14314)

  - A TOCTOU mismatch in the NFS client code in the Linux     kernel before 5.8.3 could be used by local attackers to     corrupt memory or possibly have unspecified other     impact because a size check is in fs/ nfs/ nfs4proc.c     instead of fs/ nfs/ nfs4xdr.c, aka     CID-b4487b935452.(CVE-2020-25212)

  - The rbd block device driver in drivers/block/rbd.c in     the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which     could be leveraged by local attackers to map or unmap     rbd block devices, aka     CID-f44d04e696fe.(CVE-2020-25284)

  - A race condition between hugetlb sysctl handlers in     mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL     pointer dereference, or possibly have unspecified other     impact, aka CID-17743798d812.(CVE-2020-25285)

  - A flaw was found in the Linux kernel before 5.9-rc4.
    Memory corruption can be exploited to gain root     privileges from unprivileged processes. The highest     threat from this vulnerability is to data     confidentiality and integrity.(CVE-2020-14386)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - mwifiex: fix possible heap overflow in     mwifiex_process_country_ie (Ganapathi Bhat) [Orabug:
    30781859] (CVE-2019-14895) (CVE-2019-14895)

  - ext4: fix ext4_empty_dir for directories with holes (Jan     Kara) [Orabug: 31265320] (CVE-2019-19037)     (CVE-2019-19037)

  - netlabel: cope with NULL catmap (Paolo Abeni) [Orabug:
    31350493] (CVE-2020-10711)

  - scsi: mptfusion: Fix double fetch bug in ioctl (Dan     Carpenter) [Orabug: 31350941] (CVE-2020-12652)

  - scsi: mptfusion: Add bounds check in     mptctl_hp_targetinfo (Dan Carpenter) [Orabug: 31350941]     (CVE-2020-12652)

  - USB: core: Fix free-while-in-use bug in the USB     S-Glibrary (Alan Stern) [Orabug: 31350967]     (CVE-2020-12464)

  - drivers: usb: core: Minimize irq disabling in     usb_sg_cancel (David Mosberger) [Orabug: 31350967]     (CVE-2020-12464)

  - drivers: usb: core: Don't disable irqs in usb_sg_wait     during URB submit. (David Mosberger) [Orabug: 31350967]     (CVE-2020-12464)

  - ext4: work around deleting a file with i_nlink == 0     safely (Theodore Ts'o) [Orabug: 31351014]     (CVE-2019-19447)

  - xen/events: avoid removing an event channel while     handling it (Juergen Gross) [Orabug: 31984319]

  - xen: fix GCC warning and remove duplicate     EVTCHN_ROW/EVTCHN_COL usage (Josh Abraham) [Orabug:
    31984319]

  - ext4: fix fencepost in s_first_meta_bg validation     (Theodore Ts'o) [Orabug: 32197511]

  - dm crypt: Allow unaligned bio buffer lengths for     skcipher devices (Sudhakar Panneerselvam) [Orabug:
    32202000]

  - sched/fair: Don't free p->numa_faults with concurrent     readers (Jann Horn) [Orabug: 32212524] (CVE-2019-20934)

  - netfilter: nf_conntrack_h323: lost .data_len definition     for Q.931/ipv6 (Vasily Averin) [Orabug: 32222844]     (CVE-2020-14305)

  - perf/core: Fix race in the perf_mmap_close function     (Jiri Olsa) [Orabug: 32233360] (CVE-2020-14351)

  - ext4: fix calculation of meta_bg descriptor backups     (Andy Leiserson) [Orabug: 32245133]

  - ocfs2: initialize ip_next_orphan (Wengang Wang) [Orabug:
    31780626]

  - Fonts: Support FONT_EXTRA_WORDS macros for built-in     fonts (Peilin Ye) [Orabug: 32176264] (CVE-2020-28915)

  - fbdev, newport_con: Move FONT_EXTRA_WORDS macros into     linux/font.h (Peilin Ye) [Orabug: 32176264]     (CVE-2020-28915)

  - page_frag: Recover from memory pressure (Dongli Zhang)     [Orabug: 32177993]

  - vt: Disable KD_FONT_OP_COPY (Daniel Vetter) [Orabug:
    32187749] (CVE-2020-28974)

  - block: Fix use-after-free in blkdev_get (Jason Yan)     [Orabug: 32194609] (CVE-2020-15436)

  - icmp: randomize the global rate limiter (Eric Dumazet)     [Orabug: 32227971] (CVE-2020-25705)

  - KVM: x86: minor code refactor and comments fixup around     dirty logging (Anthony Yznaga) [Orabug: 31722767]

  - KVM: x86: Manually flush collapsible SPTEs only when     toggling flags (Sean Christopherson) [Orabug: 31722767]

  - KVM: x86: avoid unnecessary rmap walks when     creating/moving slots (Anthony Yznaga) [Orabug:
    31722767]

  - KVM: x86: remove unnecessary rmap walk of read-only     memslots (Anthony Yznaga) [Orabug: 31722767]

  - xfs: catch inode allocation state mismatch corruption     (Gautham Ananthakrishna) [Orabug: 32071488]

  - tty: make FONTX ioctl use the tty pointer they were     actually passed (Linus Torvalds) [Orabug: 32122731]     (CVE-2020-25668)

  - IB/mlx4: Adjust delayed work when a dup is observed     (H&aring kon Bugge) [Orabug: 32136900]

  - IB/mlx4: Add support for REJ due to timeout (H&aring kon     Bugge) [Orabug: 32136900]

  - IB/mlx4: Fix starvation in paravirt mux/demux     (H&aring kon Bugge) [Orabug: 32136900]

  - IB/mlx4: Separate tunnel and wire bufs parameters     (H&aring kon Bugge) [Orabug: 32136900]

  - IB/mlx4: Add support for MRA (H&aring kon Bugge)     [Orabug: 32136900]

  - IB/mlx4: Add and improve logging (H&aring kon Bugge)     [Orabug: 32136900]

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9002 advisory.

  - A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before     4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection     negotiation during the handling of the remote devices country settings. This could allow the remote device     to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895)

  - A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7.
    This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into     the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. While processing the CIPSO     restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate     that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer     dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network     user to crash the system kernel, resulting in a denial of service. (CVE-2020-10711)

  - usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because     a transfer occurs without a reference, aka CID-056ad39ee925. (CVE-2020-12464)

  - The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows     local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a     double fetch vulnerability, aka CID-28d76df18f0a. NOTE: the vendor states The security impact of this     bug is not as bad as it could have been because these operations are all privileged and root already has     enormous destructive power. (CVE-2020-12652)

  - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and     unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list     in fs/ext4/super.c. (CVE-2019-19447)

  - ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference     because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero. (CVE-2019-19037)

  - An out-of-bounds memory write flaw was found in how the Linux kernels Voice Over IP H.323 connection     tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote     user to crash the system, causing a denial of service. The highest threat from this vulnerability is to     confidentiality, integrity, as well as system availability. (CVE-2020-14305)

  - To fix this vulnerability, update the affected packages: linux linux-esx (CVE-2020-25668)

  - A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka CID-6735b4632def. (CVE-2020-28915)

  - A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to     read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height. (CVE-2020-28974)

  - An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a     use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka     CID-16d51a590a8c. (CVE-2019-20934)

  - Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain     privileges or cause a denial of service by leveraging improper access to a certain error field.
    (CVE-2020-15436)

  - A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem     allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate     privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as     system availability. (CVE-2020-14351)

  - A flaw in the way reply ICMP packets are limited in the Linux kernel functionality was found that allows     to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypassing source     port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly     integrity, because software that relies on UDP source port randomization are indirectly affected as well.
    Kernel versions before 5.10 may be vulnerable to this issue. (CVE-2020-25705)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update corrects a regression in some Xen virtual machine environments. For reference the original advisory text follows.

Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service or information leaks.

CVE-2019-9445

A potential out-of-bounds read was discovered in the F2FS implementation. A user permitted to mount and access arbitrary filesystems could potentially use this to cause a denial of service (crash) or to read sensitive information.

CVE-2019-19073, CVE-2019-19074

Navid Emamdoost discovered potential memory leaks in the ath9k and ath9k_htc drivers. The security impact of these is unclear.

CVE-2019-19448

'Team bobfuzzer' reported a bug in Btrfs that could lead to a use-after-free, and could be triggered by crafted filesystem images. A user permitted to mount and access arbitrary filesystems could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-12351

Andy Nguyen discovered a flaw in the Bluetooth implementation in the way L2CAP packets with A2MP CID are handled. A remote attacker within a short distance, knowing the victim's Bluetooth device address, can send a malicious l2cap packet and cause a denial of service or possibly arbitrary code execution with kernel privileges.

CVE-2020-12352

Andy Nguyen discovered a flaw in the Bluetooth implementation. Stack memory is not properly initialised when handling certain AMP packets.
A remote attacker within a short distance, knowing the victim's Bluetooth device address address, can retrieve kernel stack information.

CVE-2020-12655

Zheng Bin reported that crafted XFS volumes could trigger a system hang. An attacker able to mount such a volume could use this to cause a denial of service.

CVE-2020-12771

Zhiqiang Liu reported a bug in the bcache block driver that could lead to a system hang. The security impact of this is unclear.

CVE-2020-12888

It was discovered that the PCIe Virtual Function I/O (vfio-pci) driver allowed users to disable a device's memory space while it was still mapped into a process. On some hardware platforms, local users or guest virtual machines permitted to access PCIe Virtual Functions could use this to cause a denial of service (hardware error and crash).

CVE-2020-14305

Vasily Averin of Virtuozzo discovered a potential heap buffer overflow in the netfilter nf_contrack_h323 module. When this module is used to perform connection tracking for TCP/IPv6, a remote attacker could use this to cause a denial of service (crash or memory corruption) or possibly for remote code execution with kernel privilege.

CVE-2020-14314

A bug was discovered in the ext4 filesystem that could lead to an out-of-bound read. A local user permitted to mount and access arbitrary filesystem images could use this to cause a denial of service (crash).

CVE-2020-14331

A bug was discovered in the VGA console driver's soft-scrollback feature that could lead to a heap buffer overflow. On a system with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK enabled, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14356, CVE-2020-25220

A bug was discovered in the cgroup subsystem's handling of socket references to cgroups. In some cgroup configurations, this could lead to a use-after-free. A local user might be able to use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

The original fix for this bug introudced a new security issue, which is also addressed in this update.

CVE-2020-14386

Or Cohen discovered a bug in the packet socket (AF_PACKET) implementation which could lead to a heap buffer overflow. A local user with the CAP_NET_RAW capability (in any user namespace) could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14390

Minh Yuan discovered a bug in the framebuffer console driver's scrollback feature that could lead to a heap buffer overflow. On a system using framebuffer consoles, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

The scrollback feature has been disabled for now, as no other fix was available for this issue.

CVE-2020-15393

Kyungtae Kim reported a memory leak in the usbtest driver. The security impact of this is unclear.

CVE-2020-16166

Amit Klein reported that the random number generator used by the network stack might not be re-seeded for long periods of time, making e.g. client port number allocations more predictable. This made it easier for remote attackers to carry out some network- based attacks such as DNS cache poisoning or device tracking.

CVE-2020-24490

Andy Nguyen discovered a flaw in the Bluetooth implementation that can lead to a heap buffer overflow. On systems with a Bluetooth 5 hardware interface, a remote attacker within a short distance can use this to cause a denial of service (crash or memory corruption) or possibly for remote code execution with kernel privilege.

CVE-2020-25211

A flaw was discovered in netfilter subsystem. A local attacker able to inject conntrack Netlink configuration can cause a denial of service.

CVE-2020-25212

A bug was discovered in the NFSv4 client implementation that could lead to a heap buffer overflow. A malicious NFS server could use this to cause a denial of service (crash or memory corruption) or possibly to execute arbitrary code on the client.

CVE-2020-25284

It was discovered that the Rados block device (rbd) driver allowed tasks running as uid 0 to add and remove rbd devices, even if they dropped capabilities. On a system with the rbd driver loaded, this might allow privilege escalation from a container with a task running as root.

CVE-2020-25285

A race condition was discovered in the hugetlb filesystem's sysctl handlers, that could lead to stack corruption. A local user permitted to write to hugepages sysctls could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. By default only the root user can do this.

CVE-2020-25641

The syzbot tool found a bug in the block layer that could lead to an infinite loop. A local user with access to a raw block device could use this to cause a denial of service (unbounded CPU use and possible system hang).

CVE-2020-25643

ChenNan Of Chaitin Security Research Lab discovered a flaw in the hdlc_ppp module. Improper input validation in the ppp_cp_parse_cr() function may lead to memory corruption and information disclosure.

CVE-2020-26088

It was discovered that the NFC (Near Field Communication) socket implementation allowed any user to create raw sockets. On a system with an NFC interface, this allowed local users to evade local network security policy.

For Debian 9 stretch, these problems have been fixed in version 4.9.240-1. This update additionally includes many more bug fixes from stable updates 4.9.229-4.9.240 inclusive.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security Fix(es) :

  - kernel: use-after-free in sound/core/timer.c     (CVE-2019-19807)

  - kernel: out of bounds write in function     i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c     (CVE-2017-18551)

  - kernel: race condition in smp_task_timedout() and     smp_task_done() in drivers/scsi/libsas/sas_expander.c     leads to use-after-free (CVE-2018-20836)

  - kernel: out of bounds write in i2c driver leads to local     escalation of privilege (CVE-2019-9454)

  - kernel: use after free due to race condition in the     video driver leads to local privilege escalation     (CVE-2019-9458)

The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:4060 advisory.

  - kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c     (CVE-2017-18551)

  - kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c     leads to use-after-free (CVE-2018-20836)

  - kernel: null pointer dereference in dlpar_parse_cc_property in arch/powerrc/platforms/pseries/dlpar.c     causing denial of service (CVE-2019-12614)

  - kernel: null pointer dereference in drivers/media/usb/zr364xx/zr364xx.c driver (CVE-2019-15217)

  - kernel: Memory leak in drivers/scsi/libsas/sas_expander.c (CVE-2019-15807)

  - kernel: use-after-free in drivers/bluetooth/hci_ldisc.c (CVE-2019-15917)

  - kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c (CVE-2019-16231)

  - kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c (CVE-2019-16233)

  - kernel: Memory leak in sit_init_net() in net/ipv6/sit.c (CVE-2019-16994)

  - kernel: unprivileged users able to create RAW sockets in AF_IEEE802154 network protocol (CVE-2019-17053)

  - kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol (CVE-2019-17055)

  - kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c (CVE-2019-18808)

  - kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c     (CVE-2019-19046)

  - kernel: memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c allows DoS     (CVE-2019-19055)

  - kernel: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c     allows for a DoS (CVE-2019-19058)

  - kernel: Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in     drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c allows for a DoS (CVE-2019-19059)

  - kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS     (CVE-2019-19062)

  - kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c     allow for a DoS (CVE-2019-19063)

  - Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332)

  - kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a     use-after-free in ext4_put_super in fs/ext4/super.c (CVE-2019-19447)

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver     (CVE-2019-19523)

  - kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free (CVE-2019-19524)

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver     (CVE-2019-19530)

  - kernel: information leak bug caused by a malicious USB device in the     drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (CVE-2019-19534)

  - kernel: race condition caused by a malicious USB device in the USB character device driver layer     (CVE-2019-19537)

  - kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c     and fs/ext4/super.c (CVE-2019-19767)

  - kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)

  - kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c (CVE-2019-20054)

  - kernel: memory leak in mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c (CVE-2019-20095)

  - kernel: out-of-bounds write via crafted keycode table (CVE-2019-20636)

  - kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)

  - kernel: use after free due to race condition in the video driver leads to local privilege escalation     (CVE-2019-9458)

  - kernel: use-after-free in cdev_put() when a PTP device is removed while it's chardev is open     (CVE-2020-10690)

  - kernel: uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)

  - kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic     (CVE-2020-10742)

  - kernel: SELinux netlink permission check bypass (CVE-2020-10751)

  - kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field (CVE-2020-10942)

  - kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c (CVE-2020-11565)

  - kernel: sg_write function lacks an sg_remove_request call in a certain failure case (CVE-2020-12770)

  - kernel: possible to send arbitrary signals to a privileged (suidroot) parent process (CVE-2020-12826)

  - kernel: memory corruption in Voice over IP nf_conntrack_h323 module (CVE-2020-14305)

  - kernel: some ipv6 protocols not encrypted over ipsec tunnel (CVE-2020-1749)

  - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources (CVE-2020-2732)

  - kernel: out-of-bounds read in in vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647)

  - kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c     (CVE-2020-8649)

  - kernel: out-of-bounds read in set_fdc in drivers/block/floppy.c (CVE-2020-9383)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4060 advisory.

  - kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c     (CVE-2017-18551)

  - kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c     leads to use-after-free (CVE-2018-20836)

  - kernel: null pointer dereference in dlpar_parse_cc_property in arch/powerrc/platforms/pseries/dlpar.c     causing denial of service (CVE-2019-12614)

  - kernel: null pointer dereference in drivers/media/usb/zr364xx/zr364xx.c driver (CVE-2019-15217)

  - kernel: Memory leak in drivers/scsi/libsas/sas_expander.c (CVE-2019-15807)

  - kernel: use-after-free in drivers/bluetooth/hci_ldisc.c (CVE-2019-15917)

  - kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c (CVE-2019-16231)

  - kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c (CVE-2019-16233)

  - kernel: Memory leak in sit_init_net() in net/ipv6/sit.c (CVE-2019-16994)

  - kernel: unprivileged users able to create RAW sockets in AF_IEEE802154 network protocol (CVE-2019-17053)

  - kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol (CVE-2019-17055)

  - kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c (CVE-2019-18808)

  - kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c     (CVE-2019-19046)

  - kernel: memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c allows DoS     (CVE-2019-19055)

  - kernel: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c     allows for a DoS (CVE-2019-19058)

  - kernel: Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in     drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c allows for a DoS (CVE-2019-19059)

  - kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS     (CVE-2019-19062)

  - kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c     allow for a DoS (CVE-2019-19063)

  - Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332)

  - kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a     use-after-free in ext4_put_super in fs/ext4/super.c (CVE-2019-19447)

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver     (CVE-2019-19523)

  - kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free (CVE-2019-19524)

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver     (CVE-2019-19530)

  - kernel: information leak bug caused by a malicious USB device in the     drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (CVE-2019-19534)

  - kernel: race condition caused by a malicious USB device in the USB character device driver layer     (CVE-2019-19537)

  - kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c     and fs/ext4/super.c (CVE-2019-19767)

  - kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)

  - kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c (CVE-2019-20054)

  - kernel: memory leak in mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c (CVE-2019-20095)

  - kernel: out-of-bounds write via crafted keycode table (CVE-2019-20636)

  - kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)

  - kernel: use after free due to race condition in the video driver leads to local privilege escalation     (CVE-2019-9458)

  - kernel: use-after-free in cdev_put() when a PTP device is removed while it's chardev is open     (CVE-2020-10690)

  - kernel: uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)

  - kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic     (CVE-2020-10742)

  - kernel: SELinux netlink permission check bypass (CVE-2020-10751)

  - kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field (CVE-2020-10942)

  - kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c (CVE-2020-11565)

  - kernel: sg_write function lacks an sg_remove_request call in a certain failure case (CVE-2020-12770)

  - kernel: possible to send arbitrary signals to a privileged (suidroot) parent process (CVE-2020-12826)

  - kernel: memory corruption in Voice over IP nf_conntrack_h323 module (CVE-2020-14305)

  - kernel: some ipv6 protocols not encrypted over ipsec tunnel (CVE-2020-1749)

  - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources (CVE-2020-2732)

  - kernel: out-of-bounds read in in vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647)

  - kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c     (CVE-2020-8649)

  - kernel: out-of-bounds read in set_fdc in drivers/block/floppy.c (CVE-2020-9383)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4062 advisory.

  - kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c     (CVE-2017-18551)

  - kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c     leads to use-after-free (CVE-2018-20836)

  - kernel: null pointer dereference in drivers/media/usb/zr364xx/zr364xx.c driver (CVE-2019-15217)

  - kernel: Memory leak in drivers/scsi/libsas/sas_expander.c (CVE-2019-15807)

  - kernel: use-after-free in drivers/bluetooth/hci_ldisc.c (CVE-2019-15917)

  - kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c (CVE-2019-16231)

  - kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c (CVE-2019-16233)

  - kernel: Memory leak in sit_init_net() in net/ipv6/sit.c (CVE-2019-16994)

  - kernel: unprivileged users able to create RAW sockets in AF_IEEE802154 network protocol (CVE-2019-17053)

  - kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol (CVE-2019-17055)

  - kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c (CVE-2019-18808)

  - kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c     (CVE-2019-19046)

  - kernel: memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c allows DoS     (CVE-2019-19055)

  - kernel: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c     allows for a DoS (CVE-2019-19058)

  - kernel: Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in     drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c allows for a DoS (CVE-2019-19059)

  - kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS     (CVE-2019-19062)

  - kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c     allow for a DoS (CVE-2019-19063)

  - Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332)

  - kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a     use-after-free in ext4_put_super in fs/ext4/super.c (CVE-2019-19447)

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver     (CVE-2019-19523)

  - kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free (CVE-2019-19524)

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver     (CVE-2019-19530)

  - kernel: information leak bug caused by a malicious USB device in the     drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (CVE-2019-19534)

  - kernel: race condition caused by a malicious USB device in the USB character device driver layer     (CVE-2019-19537)

  - kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c     and fs/ext4/super.c (CVE-2019-19767)

  - kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)

  - kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c (CVE-2019-20054)

  - kernel: memory leak in mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c (CVE-2019-20095)

  - kernel: out-of-bounds write via crafted keycode table (CVE-2019-20636)

  - kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)

  - kernel: use after free due to race condition in the video driver leads to local privilege escalation     (CVE-2019-9458)

  - kernel: use-after-free in cdev_put() when a PTP device is removed while it's chardev is open     (CVE-2020-10690)

  - kernel: uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)

  - kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic     (CVE-2020-10742)

  - kernel: SELinux netlink permission check bypass (CVE-2020-10751)

  - kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field (CVE-2020-10942)

  - kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c (CVE-2020-11565)

  - kernel: sg_write function lacks an sg_remove_request call in a certain failure case (CVE-2020-12770)

  - kernel: possible to send arbitrary signals to a privileged (suidroot) parent process (CVE-2020-12826)

  - kernel: memory corruption in Voice over IP nf_conntrack_h323 module (CVE-2020-14305)

  - kernel: some ipv6 protocols not encrypted over ipsec tunnel (CVE-2020-1749)

  - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources (CVE-2020-2732)

  - kernel: out-of-bounds read in in vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647)

  - kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c     (CVE-2020-8649)

  - kernel: out-of-bounds read in set_fdc in drivers/block/floppy.c (CVE-2020-9383)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
148041	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-1684)	Nessus	Huawei Local Security Checks	high
146701	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2021-1311)	Nessus	Huawei Local Security Checks	high
145201	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2021-1079)	Nessus	Huawei Local Security Checks	high
144837	OracleVM 3.4 : Unbreakable / etc (OVMSA-2021-0001)	Nessus	OracleVM Local Security Checks	high
144802	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2021-9002)	Nessus	Oracle Linux Local Security Checks	high
142176	Debian DLA-2420-2 : linux regression update	Nessus	Debian Local Security Checks	high
141727	Scientific Linux Security Update : kernel on SL7.x x86_64 (20201001)	Nessus	Scientific Linux Local Security Checks	high
141619	CentOS 7 : kernel (CESA-2020:4060)	Nessus	CentOS Local Security Checks	high
141057	RHEL 7 : kernel (RHSA-2020:4060)	Nessus	Red Hat Local Security Checks	high
141026	RHEL 7 : kernel-rt (RHSA-2020:4062)	Nessus	Red Hat Local Security Checks	high

CVE-2020-14305

HIGH

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high

high

high