https://bugs.openvz.org/browse/OVZ-7188

https://bugzilla.redhat.com/show_bug.cgi?id=1850716

https://patchwork.ozlabs.org/project/netfilter-devel/patch/c2385b5c-309c-cc64-2e10-a0ef62897502@virtuozzo.com/

https://security.netapp.com/advisory/ntap-20201210-0004/

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Use-after-free vulnerability in fs/block_dev.c in the     Linux kernel before 5.8 allows local users to gain     privileges or cause a denial of service by leveraging     improper access to a certain error     field.(CVE-2020-15436)

  - An out-of-bounds memory write flaw was found in how the     Linux kernel's Voice Over IP H.323 connection tracking     functionality handled connections on ipv6 port 1720.
    This flaw allows an unauthenticated remote user to     crash the system, causing a denial of service. The     highest threat from this vulnerability is to     confidentiality, integrity, as well as system     availability.(CVE-2020-14305)

  - Improper input validation in BlueZ may allow an     unauthenticated user to potentially enable escalation     of privilege via adjacent access.(CVE-2020-12351)

  - In the Linux kernel 4.14 longterm through 4.14.165 and     4.19 longterm through 4.19.96 (and 5.x before 5.2),     there is a use-after-free (write) in the     i915_ppgtt_close function in     drivers/gpu/drm/i915/i915_gem_gtt.c, aka     CID-7dc40713618c. This is related to     i915_gem_context_destroy_ioctl in     drivers/gpu/drm/i915/i915_gem_context.c.(CVE-2020-7053)

  - In kbd_keycode of keyboard.c, there is a possible out     of bounds write due to a missing bounds check. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-144161459(CVE-2020-0431)

  - In various methods of hid-multitouch.c, there is a     possible out of bounds write due to a missing bounds     check. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-162844689References: Upstream kernel(CVE-2020-0465)

  - mwifiex_cmd_802_11_ad_hoc_start in     drivers/net/wireless/marvell/mwifiex/join.c in the     Linux kernel through 5.10.4 might allow remote     attackers to execute arbitrary code via a long SSID     value, aka CID-5c455c5ab332.(CVE-2020-36158)

  - A flaw was found in the way RTAS handled memory     accesses in userspace to kernel communication. On a     locked down (usually due to Secure Boot) guest system     running on top of PowerVM or KVM hypervisors (pseries     platform) a root like local user could use this flaw to     further increase their privileges to that of a running     kernel.(CVE-2020-27777)

  - An issue was discovered in romfs_dev_read in     fs/romfs/storage.c in the Linux kernel before 5.8.4.
    Uninitialized memory leaks to userspace, aka     CID-bcf85fcedfdd.(CVE-2020-29371)

  - An issue was discovered in kmem_cache_alloc_bulk in     mm/slub.c in the Linux kernel before 5.5.11. The     slowpath lacks the required TID increment, aka     CID-fd4d9c7d0c71.(CVE-2020-29370)

  - There is a use-after-free vulnerability in the Linux     kernel through 5.5.2 in the n_tty_receive_buf_common     function in drivers/tty/n_tty.c.(CVE-2020-8648)

  - A buffer over-read (at the framebuffer layer) in the     fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka     CID-6735b4632def.(CVE-2020-28915)

  - In the Linux kernel 5.0.21, mounting a crafted btrfs     filesystem image, performing some operations, and then     making a syncfs system call can lead to a     use-after-free in __mutex_lock in     kernel/locking/mutex.c. This is related to     mutex_can_spin_on_owner in kernel/locking/mutex.c,
    __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and     btrfs_insert_delayed_items in     fs/btrfs/delayed-inode.c.(CVE-2019-19813)

  - gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c     in the rpcsec_gss_krb5 implementation in the Linux     kernel through 5.6.10 lacks certain domain_release     calls, leading to a memory leak.(CVE-2020-12656)

  - A flaw was found in the Linux kernels implementation of     MIDI, where an attacker with a local account and the     permissions to issue an ioctl commands to midi devices,     could trigger a use-after-free. A write to this     specific memory while freed and before use could cause     the flow of execution to change and possibly allow for     memory corruption or privilege     escalation.(CVE-2020-27786)

  - A flaw memory leak in the Linux kernel performance     monitoring subsystem was found in the way if using     PERF_EVENT_IOC_SET_FILTER. A local user could use this     flaw to starve the resources causing denial of     service.(CVE-2020-25704)

  - A flaw was found in the Linux Kernel before 5.8-rc6 in     the ZRAM kernel module, where a user with a local     account and the ability to read the     /sys/class/zram-control/hot_add file can create ZRAM     device nodes in the /dev/ directory. This read     allocates kernel memory and is not accounted for a user     that triggers the creation of that ZRAM device. With     this vulnerability, continually reading the device may     consume a large amount of system memory and cause the     Out-of-Memory (OOM) killer to activate and terminate     random userspace processes, possibly making the system     inoperable.(CVE-2020-10781)

  - go7007_snd_init in     drivers/media/usb/go7007/snd-go7007.c in the Linux     kernel before 5.6 does not call snd_card_free for a     failure path, which causes a memory leak, aka     CID-9453264ef586.(CVE-2019-20810)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - An issue was discovered in the Linux kernel through     5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged     user to craft Netlink messages.(CVE-2021-27364)

  - An issue was discovered in the Linux kernel through     5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an     iSCSI transport is registered with the iSCSI subsystem,     the transport's handle is available to unprivileged     users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)

  - A vulnerability was found in the Linux Kernel where the     function sunkbd_reinit having been scheduled by     sunkbd_interrupt before sunkbd being freed. Though the     dangling pointer is set to NULL in sunkbd_disconnect,     there is still an alias in sunkbd_reinit causing Use     After Free.(CVE-2020-25669)

  - A flaw was found in the Linux kernel. A use-after-free     was found in the way the console subsystem was using     ioctls KDGKBSENT and KDSKBSENT. A local user could use     this flaw to get read memory access out of bounds. The     highest threat from this vulnerability is to data     confidentiality.(CVE-2020-25656)

  - The Linux kernel before version 5.8 is vulnerable to a     NULL pointer dereference in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
    _ports() that allows local users to cause a denial of     service by using the p->serial_in pointer which     uninitialized.(CVE-2020-15437)

  - An issue was discovered in slc_bump in     drivers/net/can/slcan.c in the Linux kernel through     5.6.2. It allows attackers to read uninitialized     can_frame data, potentially containing sensitive     information from kernel stack memory, if the     configuration lacks CONFIG_INIT_STACK_ALL, aka     CID-b9258a2cece4.(CVE-2020-11494)

  - A stack information leak flaw was found in s390/s390x     in the Linux kernel's memory manager functionality,     where it incorrectly writes to the     /proc/sys/vm/cmm_timeout file. This flaw allows a local     user to see the kernel data.(CVE-2020-10773)

  - ** DISPUTED ** drivers/gpu/drm/radeon/radeon_display.c     in the Linux kernel 5.2.14 does not check the     alloc_workqueue return value, leading to a NULL pointer     dereference. NOTE: A third-party software maintainer     states that the work queue allocation is happening     during device initialization, which for a graphics card     occurs during boot. It is not attacker controllable and     OOM at that time is highly unlikely.(CVE-2019-16230)

  - A flaw was found in the Linux Kernel in versions after     4.5-rc1 in the way mremap handled DAX Huge Pages. This     flaw allows a local attacker with access to a DAX     enabled storage to escalate their privileges on the     system.(CVE-2020-10757)

  - A pivot_root race condition in fs/namespace.c in the     Linux kernel 4.4.x before 4.4.221, 4.9.x before     4.9.221, 4.14.x before 4.14.178, 4.19.x before     4.19.119, and 5.x before 5.3 allows local users to     cause a denial of service (panic) by corrupting a     mountpoint reference counter.(CVE-2020-12114)

  - A slab-out-of-bounds read in fbcon in the Linux kernel     before 5.9.7 could be used by local attackers to read     privileged information or potentially crash the kernel,     aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for     manipulations such as font height.(CVE-2020-28974)

  - Insufficient control flow in certain data structures     for some Intel(R) Processors with Intel(R) Processor     Graphics may allow an unauthenticated user to     potentially enable information disclosure via local     access.(CVE-2019-14615)

  - In the Linux kernel 5.0.21, mounting a crafted btrfs     filesystem image, performing some operations, and     unmounting can lead to a use-after-free in     btrfs_queue_work in     fs/btrfs/async-thread.c.(CVE-2019-19377)

  - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c,     there is a possible use after free due to a logic     error. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-147802478References: Upstream kernel(CVE-2020-0466)

  - ** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel     through 5.10.8, when there is an NFS export of a     subdirectory of a filesystem, allows remote attackers     to traverse to other parts of the filesystem via     READDIRPLUS. NOTE: some parties argue that such a     subdirectory export is not intended to prevent this     attack see also the exports(5) no_subtree_check default     behavior.(CVE-2021-3178)

  - A flaw was found in the Linux kernels eBPF     implementation. By default, accessing the eBPF verifier     is only accessible to privileged users with     CAP_SYS_ADMIN. A local user with the ability to insert     eBPF instructions can abuse a flaw in eBPF to corrupt     memory. The highest threat from this vulnerability is     to confidentiality, integrity, as well as system     availability.(CVE-2021-29154)

  - A flaw memory leak in the Linux kernel webcam device     functionality was found in the way user calls ioctl     that triggers video_usercopy function. The highest     threat from this vulnerability is to system     availability.(CVE-2021-30002)

  - A flaw was found in the Nosy driver in the Linux     kernel. This issue allows a device to be inserted twice     into a doubly-linked list, leading to a use-after-free     when one of these devices is removed. The highest     threat from this vulnerability is to confidentiality,     integrity, as well as system     availability.(CVE-2021-3483)

  - A flaw in the Linux kernels implementation of the RPA     PCI Hotplug driver for power-pc. A user with     permissions to write to the sysfs settings for this     driver can trigger a buffer overflow when writing a new     device name to the driver from userspace, overwriting     data in the kernel's stack.(CVE-2021-28972)

  - A race condition flaw was found in get_old_root in     fs/btrfs/ctree.c in the Linux kernel in btrfs     file-system. This flaw allows a local attacker with a     special user privilege to cause a denial of service due     to not locking an extent buffer before a cloning     operation. The highest threat from this vulnerability     is to system availability.(CVE-2021-28964)

  - A flaw was found in the Linux kernel. The usbip driver     allows attackers to cause a denial of service (GPF)     because the stub-up sequence has race conditions during     an update of the local and shared status. The highest     threat from this vulnerability is to system     availability.(CVE-2021-29265)

  - An out-of-bounds (OOB) memory access flaw was found in     x25_bind in net/x25/af_x25.c in the Linux kernel. A     bounds check failure allows a local attacker with a     user account on the system to gain access to     out-of-bounds memory, leading to a system crash or a     leak of internal kernel information. The highest threat     from this vulnerability is to confidentiality,     integrity, as well as system     availability.(CVE-2020-35519)

  - There is a flaw reported in     drivers/gpu/drm/nouveau/nouveau_sgdma.c in     nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The     issue results from the lack of validating the existence     of an object prior to performing operations on the     object. An attacker with a local account with a root     privilege, can leverage this vulnerability to escalate     privileges and execute code in the context of the     kernel.(CVE-2021-20292)

  - A flaw was found in the JFS filesystem code. This flaw     allows a local attacker with the ability to set     extended attributes to panic the system, causing memory     corruption or escalating privileges. The highest threat     from this vulnerability is to confidentiality,     integrity, as well as system     availability.(CVE-2020-27815)

  - A flaw was found in the Linux kernel. A denial of     service problem is identified if an extent tree is     corrupted in a crafted ext4 filesystem in     fs/ext4/extents.c in ext4_es_cache_extent. Fabricating     an integer overflow, A local attacker with a special     user privilege may cause a system crash problem which     can lead to an availability threat.(CVE-2021-3428)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - mwifiex_cmd_802_11_ad_hoc_start in     drivers/net/wireless/marvell/mwifiex/join.c in the     Linux kernel through 5.10.4 might allow remote     attackers to execute arbitrary code via a long SSID     value, aka CID-5c455c5ab332.(CVE-2020-36158)

  - Incomplete cleanup from specific special register read     operations in some Intel(R) Processors may allow an     authenticated user to potentially enable information     disclosure via local access.(CVE-2020-0543)

  - An infinite loop issue was found in the vhost_net     kernel module in Linux Kernel up to and including     v5.1-rc6, while handling incoming packets in     handle_rx(). It could occur if one end sends packets     faster than the other end can process them. A guest     user, maybe remote one, could use this flaw to stall     the vhost_net kernel thread, resulting in a DoS     scenario.(CVE-2019-3900)

  - In pppol2tp_connect, there is possible memory     corruption due to a use after free. This could lead to     local escalation of privilege with System execution     privileges needed. User interaction is not needed for     exploitation. Product: Android. Versions: Android     kernel. Android ID: A-38159931.(CVE-2018-9517)

  - A flaw was found in the fix for CVE-2019-11135, in the     Linux upstream kernel versions before 5.5 where, the     way Intel CPUs handle speculative execution of     instructions when a TSX Asynchronous Abort (TAA) error     occurs. When a guest is running on a host CPU affected     by the TAA flaw (TAA_NO=0), but is not affected by the     MDS issue (MDS_NO=1), the guest was to clear the     affected buffers by using a VERW instruction mechanism.
    But when the MDS_NO=1 bit was exported to the guests,     the guests did not use the VERW mechanism to clear the     affected buffers. This issue affects guests running on     Cascade Lake CPUs and requires that host has 'TSX'     enabled. Confidentiality of data is the highest threat     associated with this vulnerability.(CVE-2019-19338)

  - There is a use-after-free in kernel versions before 5.5     due to a race condition between the release of     ptp_clock and cdev while resource deallocation. When a     (high privileged) process allocates a ptp device file     (like /dev/ptpX) and voluntarily goes to sleep. During     this time if the underlying device is removed, it can     cause an exploitable condition as the process wakes up     to terminate and clean all attached files. The system     crashes due to the cdev structure being invalid (as     already freed) which is pointed to by the     inode.(CVE-2020-10690)

  - Improper input validation in BlueZ may allow an     unauthenticated user to potentially enable escalation     of privilege via adjacent access.(CVE-2020-12351)

  - A flaw was found in the Linux kernels implementation of     MIDI, where an attacker with a local account and the     permissions to issue an ioctl commands to midi devices,     could trigger a use-after-free. A write to this     specific memory while freed and before use could cause     the flow of execution to change and possibly allow for     memory corruption or privilege     escalation.(CVE-2020-27786)

  - use-after-free read in sunkbd_reinit in     drivers/input/keyboard/sunkbd.c(CVE-2020-25669)

  - A flaw was found in the way RTAS handled memory     accesses in userspace to kernel communication. On a     locked down (usually due to Secure Boot) guest system     running on top of PowerVM or KVM hypervisors (pseries     platform) a root like local user could use this flaw to     further increase their privileges to that of a running     kernel.(CVE-2020-27777)

  - A locking inconsistency issue was discovered in the tty     subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may     allow a read-after-free attack against TIOCGSID, aka     CID-c8bcd9c5be24.(CVE-2020-29660)

  - A locking issue was discovered in the tty subsystem of     the Linux kernel through 5.9.13.
    drivers/tty/tty_jobctrl.c allows a use-after-free     attack against TIOCSPGRP, aka     CID-54ffccbf053b.(CVE-2020-29661)

  - An out-of-bounds memory write flaw was found in how the     Linux kernel's Voice Over IP H.323 connection tracking     functionality handled connections on ipv6 port 1720.
    This flaw allows an unauthenticated remote user to     crash the system, causing a denial of service. The     highest threat from this vulnerability is to     confidentiality, integrity, as well as system     availability.(CVE-2020-14305)

  - An issue was discovered in the Linux kernel before     5.2.6. On NUMA systems, the Linux fair scheduler has a     use-after-free in show_numa_stats() because NUMA fault     statistics are inappropriately freed, aka     CID-16d51a590a8c.(CVE-2019-20934)

  - IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors     could allow a local user to obtain sensitive     information from the data in the L1 cache under     extenuating circumstances. IBM X-Force ID:
    189296.(CVE-2020-4788)

  - A flaw memory leak in the Linux kernel performance     monitoring subsystem was found in the way if using     PERF_EVENT_IOC_SET_FILTER. A local user could use this     flaw to starve the resources causing denial of     service.(CVE-2020-25704)

  - An issue was discovered in kmem_cache_alloc_bulk in     mm/slub.c in the Linux kernel before 5.5.11. The     slowpath lacks the required TID increment, aka     CID-fd4d9c7d0c71.(CVE-2020-29370)

  - A slab-out-of-bounds read in fbcon in the Linux kernel     before 5.9.7 could be used by local attackers to read     privileged information or potentially crash the kernel,     aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for     manipulations such as font height.(CVE-2020-28974)

  - A buffer over-read (at the framebuffer layer) in the     fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka     CID-6735b4632def.(CVE-2020-28915)

  - An issue was discovered in romfs_dev_read in     fs/romfs/storage.c in the Linux kernel before 5.8.4.
    Uninitialized memory leaks to userspace, aka     CID-bcf85fcedfdd.(CVE-2020-29371)

  - Use-after-free vulnerability in fs/block_dev.c in the     Linux kernel before 5.8 allows local users to gain     privileges or cause a denial of service by leveraging     improper access to a certain error     field.(CVE-2020-15436)

  - The Linux kernel before version 5.8 is vulnerable to a     NULL pointer dereference in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
    _ports() that allows local users to cause a denial of     service by using the p->serial_in pointer which     uninitialized.(CVE-2020-15437)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - mwifiex_cmd_802_11_ad_hoc_start in     drivers/net/wireless/marvell/mwifiex/join.c in the     Linux kernel through 5.10.4 might allow remote     attackers to execute arbitrary code via a long SSID     value, aka CID-5c455c5ab332.(CVE-2020-36158)

  - A flaw was found in the Linux kernel. A use-after-free     was found in the way the console subsystem was using     ioctls KDGKBSENT and KDSKBSENT. A local user could use     this flaw to get read memory access out of bounds. The     highest threat from this vulnerability is to data     confidentiality.(CVE-2020-25656)

  - A flaw was found in the Linux kernel. A use-after-free     memory flaw was found in the perf subsystem allowing a     local attacker with permission to monitor perf events     to corrupt memory and possibly escalate privileges. The     highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-14351)

  - A flaw was found in the way RTAS handled memory     accesses in userspace to kernel communication. On a     locked down (usually due to Secure Boot) guest system     running on top of PowerVM or KVM hypervisors (pseries     platform) a root like local user could use this flaw to     further increase their privileges to that of a running     kernel.(CVE-2020-27777)

  - A locking issue was discovered in the tty subsystem of     the Linux kernel through 5.9.13.
    drivers/tty/tty_jobctrl.c allows a use-after-free     attack against TIOCSPGRP, aka     CID-54ffccbf053b.(CVE-2020-29661)

  - A locking inconsistency issue was discovered in the tty     subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may     allow a read-after-free attack against TIOCGSID, aka     CID-c8bcd9c5be24.(CVE-2020-29660)

  - An issue was discovered in the Linux kernel before     5.2.6. On NUMA systems, the Linux fair scheduler has a     use-after-free in show_numa_stats() because NUMA fault     statistics are inappropriately freed, aka     CID-16d51a590a8c.(CVE-2019-20934)

  - A flaw was found in the Linux kernels implementation of     MIDI, where an attacker with a local account and the     permissions to issue an ioctl commands to midi devices,     could trigger a use-after-free. A write to this     specific memory while freed and before use could cause     the flow of execution to change and possibly allow for     memory corruption or privilege     escalation.(CVE-2020-27786)

  - An issue was discovered in romfs_dev_read in     fs/romfs/storage.c in the Linux kernel before 5.8.4.
    Uninitialized memory leaks to userspace, aka     CID-bcf85fcedfdd.(CVE-2020-29371)

  - In the Android kernel in Pixel C USB monitor driver     there is a possible OOB write due to a missing bounds     check. This could lead to local escalation of privilege     with System execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2019-9456)

  - A stack information leak flaw was found in s390/s390x     in the Linux kernel's memory manager functionality,     where it incorrectly writes to the     /proc/sys/vm/cmm_timeout file. This flaw allows a local     user to see the kernel data.(CVE-2020-10773)

  - A pivot_root race condition in fs/namespace.c in the     Linux kernel 4.4.x before 4.4.221, 4.9.x before     4.9.221, 4.14.x before 4.14.178, 4.19.x before     4.19.119, and 5.x before 5.3 allows local users to     cause a denial of service (panic) by corrupting a     mountpoint reference counter.(CVE-2020-12114)

  - An out-of-bounds memory write flaw was found in how the     Linux kernel's Voice Over IP H.323 connection tracking     functionality handled connections on ipv6 port 1720.
    This flaw allows an unauthenticated remote user to     crash the system, causing a denial of service. The     highest threat from this vulnerability is to     confidentiality, integrity, as well as system     availability.(CVE-2020-14305)

  - Use-after-free vulnerability in fs/block_dev.c in the     Linux kernel before 5.8 allows local users to gain     privileges or cause a denial of service by leveraging     improper access to a certain error     field.(CVE-2020-15436)

  - The Linux kernel before version 5.8 is vulnerable to a     NULL pointer dereference in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
    _ports() that allows local users to cause a denial of     service by using the p->serial_in pointer which     uninitialized.(CVE-2020-15437)

  - A buffer over-read (at the framebuffer layer) in the     fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka     CID-6735b4632def.(CVE-2020-28915)

  - A slab-out-of-bounds read in fbcon in the Linux kernel     before 5.9.7 could be used by local attackers to read     privileged information or potentially crash the kernel,     aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for     manipulations such as font height.(CVE-2020-28974)

  - In cdev_get of char_dev.c, there is a possible     use-after-free due to a race condition. This could lead     to local escalation of privilege with System execution     privileges needed. User interaction is not needed for     exploitation.Product: AndroidVersions:
    Android-10Android ID: A-153467744(CVE-2020-0305)

  - Improper access control in BlueZ may allow an     unauthenticated user to potentially enable information     disclosure via adjacent access.(CVE-2020-12352)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A stack information leak flaw was found in s390/s390x     in the Linux kernel's memory manager functionality,     where it incorrectly writes to the     /proc/sys/vm/cmm_timeout file. This flaw allows a local     user to see the kernel data.(CVE-2020-10773)

  - In the Android kernel in the video driver there is a     use after free due to a race condition. This could lead     to local escalation of privilege with no additional     execution privileges needed. User interaction is not     needed for exploitation.(CVE-2019-9458)

  - An issue was discovered in the Linux kernel before     5.2.6. On NUMA systems, the Linux fair scheduler has a     use-after-free in show_numa_stats() because NUMA fault     statistics are inappropriately freed, aka     CID-16d51a590a8c.(CVE-2019-20934)

  - A locking inconsistency issue was discovered in the tty     subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may     allow a read-after-free attack against TIOCGSID, aka     CID-c8bcd9c5be24.(CVE-2020-29660)

  - An out-of-bounds memory write flaw was found in how the     Linux kernel's Voice Over IP H.323 connection tracking     functionality handled connections on ipv6 port 1720.
    This flaw allows an unauthenticated remote user to     crash the system, causing a denial of service. The     highest threat from this vulnerability is to     confidentiality, integrity, as well as system     availability.(CVE-2020-14305)

  - A locking issue was discovered in the tty subsystem of     the Linux kernel through 5.9.13.
    drivers/tty/tty_jobctrl.c allows a use-after-free     attack against TIOCSPGRP, aka     CID-54ffccbf053b.(CVE-2020-29661)

  - An issue was discovered in romfs_dev_read in     fs/romfs/storage.c in the Linux kernel before 5.8.4.
    Uninitialized memory leaks to userspace, aka     CID-bcf85fcedfdd.(CVE-2020-29371)

  - Use-after-free vulnerability in fs/block_dev.c in the     Linux kernel before 5.8 allows local users to gain     privileges or cause a denial of service by leveraging     improper access to a certain error     field.(CVE-2020-15436)

  - The Linux kernel before version 5.8 is vulnerable to a     NULL pointer dereference in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
    _ports() that allows local users to cause a denial of     service by using the p->serial_in pointer which     uninitialized.(CVE-2020-15437)

  - An issue was discovered in kmem_cache_alloc_bulk in     mm/slub.c in the Linux kernel before 5.5.11. The     slowpath lacks the required TID increment, aka     CID-fd4d9c7d0c71.(CVE-2020-29370)

  - A flaw was found in the Linux kernel. A use-after-free     memory flaw was found in the perf subsystem allowing a     local attacker with permission to monitor perf events     to corrupt memory and possibly escalate privileges. The     highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-14351)

  - A buffer over-read (at the framebuffer layer) in the     fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka     CID-6735b4632def.(CVE-2020-28915)

  - A slab-out-of-bounds read in fbcon in the Linux kernel     before 5.9.7 could be used by local attackers to read     privileged information or potentially crash the kernel,     aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for     manipulations such as font height.(CVE-2020-28974)

  - Improper access control in BlueZ may allow an     unauthenticated user to potentially enable information     disclosure via adjacent access.(CVE-2020-12352)

  - In cdev_get of char_dev.c, there is a possible     use-after-free due to a race condition. This could lead     to local escalation of privilege with System execution     privileges needed. User interaction is not needed for     exploitation.Product: AndroidVersions:
    Android-10Android ID: A-153467744(CVE-2020-0305)

  - A flaw was found in the HDLC_PPP module of the Linux     kernel in versions before 5.9-rc7. Memory corruption     and a read overflow is caused by improper input     validation in the ppp_cp_parse_cr function which can     cause the system to crash or cause a denial of service.
    The highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-25643)

  - An issue was discovered in can_can_gw_rcv in     net/can/gw.c in the Linux kernel through 4.19.13. The     CAN frame modification rules allow bitwise logical     operations that can be also applied to the can_dlc     field. The privileged user 'root' with CAP_NET_ADMIN     can create a CAN frame modification rule that makes the     data length code a higher value than the available CAN     frame data size. In combination with a configured     checksum calculation where the result is stored     relatively to the end of the data (e.g.
    cgw_csum_xor_rel) the tail of the skb (e.g. frag_list     pointer in skb_shared_info) can be rewritten which     finally can cause a system crash. Because of a missing     check, the CAN drivers may write arbitrary content     beyond the data registers in the CAN controller's I/O     memory when processing can-gw manipulated outgoing     frames.(CVE-2019-3701)

  - In the Android kernel in Pixel C USB monitor driver     there is a possible OOB write due to a missing bounds     check. This could lead to local escalation of privilege     with System execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2019-9456)

  - A pivot_root race condition in fs/ namespace.c in the     Linux kernel 4.4.x before 4.4.221, 4.9.x before     4.9.221, 4.14.x before 4.14.178, 4.19.x before     4.19.119, and 5.x before 5.3 allows local users to     cause a denial of service (panic) by corrupting a     mountpoint reference counter.(CVE-2020-12114)

  - A flaw was found in the Linux kernel in versions before     5.9-rc7. Traffic between two Geneve endpoints may be     unencrypted when IPsec is configured to encrypt traffic     for the specific UDP port used by the GENEVE tunnel     allowing anyone between the two endpoints to read the     traffic unencrypted. The main threat from this     vulnerability is to data     confidentiality.(CVE-2020-25645)

  - In kbd_keycode of keyboard.c, there is a possible out     of bounds write due to a missing bounds check. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-144161459(CVE-2020-0431)

  - In blk_mq_queue_tag_busy_iter of blk-mq-tag.c, there is     a possible use after free due to improper locking. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-151939299(CVE-2020-0433)

  - In the Linux kernel through 5.8.7, local attackers able     to inject conntrack netlink configuration could     overflow a local buffer, causing crashes or triggering     use of incorrect protocol numbers in     ctnetlink_parse_tuple_filter in net/ netfilter/     nf_conntrack_netlink.c, aka     CID-1cc5ef91d2ff.(CVE-2020-25211)

  - A memory out-of-bounds read flaw was found in the Linux     kernel before 5.9-rc2 with the ext3/ext4 file system,     in the way it accesses a directory with broken     indexing. This flaw allows a local user to crash the     system if the directory exists. The highest threat from     this vulnerability is to system     availability.(CVE-2020-14314)

  - A TOCTOU mismatch in the NFS client code in the Linux     kernel before 5.8.3 could be used by local attackers to     corrupt memory or possibly have unspecified other     impact because a size check is in fs/ nfs/ nfs4proc.c     instead of fs/ nfs/ nfs4xdr.c, aka     CID-b4487b935452.(CVE-2020-25212)

  - The rbd block device driver in drivers/block/rbd.c in     the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which     could be leveraged by local attackers to map or unmap     rbd block devices, aka     CID-f44d04e696fe.(CVE-2020-25284)

  - A race condition between hugetlb sysctl handlers in     mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL     pointer dereference, or possibly have unspecified other     impact, aka CID-17743798d812.(CVE-2020-25285)

  - A flaw was found in the Linux kernel before 5.9-rc4.
    Memory corruption can be exploited to gain root     privileges from unprivileged processes. The highest     threat from this vulnerability is to data     confidentiality and integrity.(CVE-2020-14386)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - mwifiex: fix possible heap overflow in     mwifiex_process_country_ie (Ganapathi Bhat) [Orabug:
    30781859] (CVE-2019-14895) (CVE-2019-14895)

  - ext4: fix ext4_empty_dir for directories with holes (Jan     Kara) [Orabug: 31265320] (CVE-2019-19037)     (CVE-2019-19037)

  - netlabel: cope with NULL catmap (Paolo Abeni) [Orabug:
    31350493] (CVE-2020-10711)

  - scsi: mptfusion: Fix double fetch bug in ioctl (Dan     Carpenter) [Orabug: 31350941] (CVE-2020-12652)

  - scsi: mptfusion: Add bounds check in     mptctl_hp_targetinfo (Dan Carpenter) [Orabug: 31350941]     (CVE-2020-12652)

  - USB: core: Fix free-while-in-use bug in the USB     S-Glibrary (Alan Stern) [Orabug: 31350967]     (CVE-2020-12464)

  - drivers: usb: core: Minimize irq disabling in     usb_sg_cancel (David Mosberger) [Orabug: 31350967]     (CVE-2020-12464)

  - drivers: usb: core: Don't disable irqs in usb_sg_wait     during URB submit. (David Mosberger) [Orabug: 31350967]     (CVE-2020-12464)

  - ext4: work around deleting a file with i_nlink == 0     safely (Theodore Ts'o) [Orabug: 31351014]     (CVE-2019-19447)

  - xen/events: avoid removing an event channel while     handling it (Juergen Gross) [Orabug: 31984319]

  - xen: fix GCC warning and remove duplicate     EVTCHN_ROW/EVTCHN_COL usage (Josh Abraham) [Orabug:
    31984319]

  - ext4: fix fencepost in s_first_meta_bg validation     (Theodore Ts'o) [Orabug: 32197511]

  - dm crypt: Allow unaligned bio buffer lengths for     skcipher devices (Sudhakar Panneerselvam) [Orabug:
    32202000]

  - sched/fair: Don't free p->numa_faults with concurrent     readers (Jann Horn) [Orabug: 32212524] (CVE-2019-20934)

  - netfilter: nf_conntrack_h323: lost .data_len definition     for Q.931/ipv6 (Vasily Averin) [Orabug: 32222844]     (CVE-2020-14305)

  - perf/core: Fix race in the perf_mmap_close function     (Jiri Olsa) [Orabug: 32233360] (CVE-2020-14351)

  - ext4: fix calculation of meta_bg descriptor backups     (Andy Leiserson) [Orabug: 32245133]

  - ocfs2: initialize ip_next_orphan (Wengang Wang) [Orabug:
    31780626]

  - Fonts: Support FONT_EXTRA_WORDS macros for built-in     fonts (Peilin Ye) [Orabug: 32176264] (CVE-2020-28915)

  - fbdev, newport_con: Move FONT_EXTRA_WORDS macros into     linux/font.h (Peilin Ye) [Orabug: 32176264]     (CVE-2020-28915)

  - page_frag: Recover from memory pressure (Dongli Zhang)     [Orabug: 32177993]

  - vt: Disable KD_FONT_OP_COPY (Daniel Vetter) [Orabug:
    32187749] (CVE-2020-28974)

  - block: Fix use-after-free in blkdev_get (Jason Yan)     [Orabug: 32194609] (CVE-2020-15436)

  - icmp: randomize the global rate limiter (Eric Dumazet)     [Orabug: 32227971] (CVE-2020-25705)

  - KVM: x86: minor code refactor and comments fixup around     dirty logging (Anthony Yznaga) [Orabug: 31722767]

  - KVM: x86: Manually flush collapsible SPTEs only when     toggling flags (Sean Christopherson) [Orabug: 31722767]

  - KVM: x86: avoid unnecessary rmap walks when     creating/moving slots (Anthony Yznaga) [Orabug:
    31722767]

  - KVM: x86: remove unnecessary rmap walk of read-only     memslots (Anthony Yznaga) [Orabug: 31722767]

  - xfs: catch inode allocation state mismatch corruption     (Gautham Ananthakrishna) [Orabug: 32071488]

  - tty: make FONTX ioctl use the tty pointer they were     actually passed (Linus Torvalds) [Orabug: 32122731]     (CVE-2020-25668)

  - IB/mlx4: Adjust delayed work when a dup is observed     (H&aring kon Bugge) [Orabug: 32136900]

  - IB/mlx4: Add support for REJ due to timeout (H&aring kon     Bugge) [Orabug: 32136900]

  - IB/mlx4: Fix starvation in paravirt mux/demux     (H&aring kon Bugge) [Orabug: 32136900]

  - IB/mlx4: Separate tunnel and wire bufs parameters     (H&aring kon Bugge) [Orabug: 32136900]

  - IB/mlx4: Add support for MRA (H&aring kon Bugge)     [Orabug: 32136900]

  - IB/mlx4: Add and improve logging (H&aring kon Bugge)     [Orabug: 32136900]

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9002 advisory.

  - A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before     4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection     negotiation during the handling of the remote devices country settings. This could allow the remote device     to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895)

  - A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7.
    This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into     the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. While processing the CIPSO     restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate     that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer     dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network     user to crash the system kernel, resulting in a denial of service. (CVE-2020-10711)

  - usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because     a transfer occurs without a reference, aka CID-056ad39ee925. (CVE-2020-12464)

  - The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows     local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a     double fetch vulnerability, aka CID-28d76df18f0a. NOTE: the vendor states The security impact of this     bug is not as bad as it could have been because these operations are all privileged and root already has     enormous destructive power. (CVE-2020-12652)

  - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and     unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list     in fs/ext4/super.c. (CVE-2019-19447)

  - ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference     because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero. (CVE-2019-19037)

  - An out-of-bounds memory write flaw was found in how the Linux kernels Voice Over IP H.323 connection     tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote     user to crash the system, causing a denial of service. The highest threat from this vulnerability is to     confidentiality, integrity, as well as system availability. (CVE-2020-14305)

  - A flaw was found in Linux Kernel because access to the global variable fg_console is not properly     synchronized leading to a use after free in con_font_op. (CVE-2020-25668)

  - A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka CID-6735b4632def. (CVE-2020-28915)

  - A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to     read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height. (CVE-2020-28974)

  - An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a     use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka     CID-16d51a590a8c. (CVE-2019-20934)

  - Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain     privileges or cause a denial of service by leveraging improper access to a certain error field.
    (CVE-2020-15436)

  - A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem     allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate     privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as     system availability. (CVE-2020-14351)

  - A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw     allows an off-path remote attacker to effectively bypass source port UDP randomization. Software that     relies on UDP source port randomization are indirectly affected as well on the Linux Based Products     (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4,     SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE     W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All     versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7     LTE EU: Version (CVE-2020-25705)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update corrects a regression in some Xen virtual machine environments. For reference the original advisory text follows.

Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service or information leaks.

CVE-2019-9445

A potential out-of-bounds read was discovered in the F2FS implementation. A user permitted to mount and access arbitrary filesystems could potentially use this to cause a denial of service (crash) or to read sensitive information.

CVE-2019-19073, CVE-2019-19074

Navid Emamdoost discovered potential memory leaks in the ath9k and ath9k_htc drivers. The security impact of these is unclear.

CVE-2019-19448

'Team bobfuzzer' reported a bug in Btrfs that could lead to a use-after-free, and could be triggered by crafted filesystem images. A user permitted to mount and access arbitrary filesystems could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-12351

Andy Nguyen discovered a flaw in the Bluetooth implementation in the way L2CAP packets with A2MP CID are handled. A remote attacker within a short distance, knowing the victim's Bluetooth device address, can send a malicious l2cap packet and cause a denial of service or possibly arbitrary code execution with kernel privileges.

CVE-2020-12352

Andy Nguyen discovered a flaw in the Bluetooth implementation. Stack memory is not properly initialised when handling certain AMP packets.
A remote attacker within a short distance, knowing the victim's Bluetooth device address address, can retrieve kernel stack information.

CVE-2020-12655

Zheng Bin reported that crafted XFS volumes could trigger a system hang. An attacker able to mount such a volume could use this to cause a denial of service.

CVE-2020-12771

Zhiqiang Liu reported a bug in the bcache block driver that could lead to a system hang. The security impact of this is unclear.

CVE-2020-12888

It was discovered that the PCIe Virtual Function I/O (vfio-pci) driver allowed users to disable a device's memory space while it was still mapped into a process. On some hardware platforms, local users or guest virtual machines permitted to access PCIe Virtual Functions could use this to cause a denial of service (hardware error and crash).

CVE-2020-14305

Vasily Averin of Virtuozzo discovered a potential heap buffer overflow in the netfilter nf_contrack_h323 module. When this module is used to perform connection tracking for TCP/IPv6, a remote attacker could use this to cause a denial of service (crash or memory corruption) or possibly for remote code execution with kernel privilege.

CVE-2020-14314

A bug was discovered in the ext4 filesystem that could lead to an out-of-bound read. A local user permitted to mount and access arbitrary filesystem images could use this to cause a denial of service (crash).

CVE-2020-14331

A bug was discovered in the VGA console driver's soft-scrollback feature that could lead to a heap buffer overflow. On a system with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK enabled, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14356, CVE-2020-25220

A bug was discovered in the cgroup subsystem's handling of socket references to cgroups. In some cgroup configurations, this could lead to a use-after-free. A local user might be able to use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

The original fix for this bug introudced a new security issue, which is also addressed in this update.

CVE-2020-14386

Or Cohen discovered a bug in the packet socket (AF_PACKET) implementation which could lead to a heap buffer overflow. A local user with the CAP_NET_RAW capability (in any user namespace) could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14390

Minh Yuan discovered a bug in the framebuffer console driver's scrollback feature that could lead to a heap buffer overflow. On a system using framebuffer consoles, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

The scrollback feature has been disabled for now, as no other fix was available for this issue.

CVE-2020-15393

Kyungtae Kim reported a memory leak in the usbtest driver. The security impact of this is unclear.

CVE-2020-16166

Amit Klein reported that the random number generator used by the network stack might not be re-seeded for long periods of time, making e.g. client port number allocations more predictable. This made it easier for remote attackers to carry out some network- based attacks such as DNS cache poisoning or device tracking.

CVE-2020-24490

Andy Nguyen discovered a flaw in the Bluetooth implementation that can lead to a heap buffer overflow. On systems with a Bluetooth 5 hardware interface, a remote attacker within a short distance can use this to cause a denial of service (crash or memory corruption) or possibly for remote code execution with kernel privilege.

CVE-2020-25211

A flaw was discovered in netfilter subsystem. A local attacker able to inject conntrack Netlink configuration can cause a denial of service.

CVE-2020-25212

A bug was discovered in the NFSv4 client implementation that could lead to a heap buffer overflow. A malicious NFS server could use this to cause a denial of service (crash or memory corruption) or possibly to execute arbitrary code on the client.

CVE-2020-25284

It was discovered that the Rados block device (rbd) driver allowed tasks running as uid 0 to add and remove rbd devices, even if they dropped capabilities. On a system with the rbd driver loaded, this might allow privilege escalation from a container with a task running as root.

CVE-2020-25285

A race condition was discovered in the hugetlb filesystem's sysctl handlers, that could lead to stack corruption. A local user permitted to write to hugepages sysctls could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. By default only the root user can do this.

CVE-2020-25641

The syzbot tool found a bug in the block layer that could lead to an infinite loop. A local user with access to a raw block device could use this to cause a denial of service (unbounded CPU use and possible system hang).

CVE-2020-25643

ChenNan Of Chaitin Security Research Lab discovered a flaw in the hdlc_ppp module. Improper input validation in the ppp_cp_parse_cr() function may lead to memory corruption and information disclosure.

CVE-2020-26088

It was discovered that the NFC (Near Field Communication) socket implementation allowed any user to create raw sockets. On a system with an NFC interface, this allowed local users to evade local network security policy.

For Debian 9 stretch, these problems have been fixed in version 4.9.240-1. This update additionally includes many more bug fixes from stable updates 4.9.229-4.9.240 inclusive.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security Fix(es) :

  - kernel: use-after-free in sound/core/timer.c     (CVE-2019-19807)

  - kernel: out of bounds write in function     i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c     (CVE-2017-18551)

  - kernel: race condition in smp_task_timedout() and     smp_task_done() in drivers/scsi/libsas/sas_expander.c     leads to use-after-free (CVE-2018-20836)

  - kernel: out of bounds write in i2c driver leads to local     escalation of privilege (CVE-2019-9454)

  - kernel: use after free due to race condition in the     video driver leads to local privilege escalation     (CVE-2019-9458)

The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:4060 advisory.

  - kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c     (CVE-2017-18551)

  - kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c     leads to use-after-free (CVE-2018-20836)

  - kernel: null pointer dereference in dlpar_parse_cc_property in arch/powerrc/platforms/pseries/dlpar.c     causing denial of service (CVE-2019-12614)

  - kernel: null pointer dereference in drivers/media/usb/zr364xx/zr364xx.c driver (CVE-2019-15217)

  - kernel: Memory leak in drivers/scsi/libsas/sas_expander.c (CVE-2019-15807)

  - kernel: use-after-free in drivers/bluetooth/hci_ldisc.c (CVE-2019-15917)

  - kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c (CVE-2019-16231)

  - kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c (CVE-2019-16233)

  - kernel: Memory leak in sit_init_net() in net/ipv6/sit.c (CVE-2019-16994)

  - kernel: unprivileged users able to create RAW sockets in AF_IEEE802154 network protocol (CVE-2019-17053)

  - kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol (CVE-2019-17055)

  - kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c (CVE-2019-18808)

  - kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c     (CVE-2019-19046)

  - kernel: memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c allows DoS     (CVE-2019-19055)

  - kernel: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c     allows for a DoS (CVE-2019-19058)

  - kernel: Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in     drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c allows for a DoS (CVE-2019-19059)

  - kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS     (CVE-2019-19062)

  - kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c     allow for a DoS (CVE-2019-19063)

  - Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332)

  - kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a     use-after-free in ext4_put_super in fs/ext4/super.c (CVE-2019-19447)

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver     (CVE-2019-19523)

  - kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free (CVE-2019-19524)

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver     (CVE-2019-19530)

  - kernel: information leak bug caused by a malicious USB device in the     drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (CVE-2019-19534)

  - kernel: race condition caused by a malicious USB device in the USB character device driver layer     (CVE-2019-19537)

  - kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c     and fs/ext4/super.c (CVE-2019-19767)

  - kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)

  - kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c (CVE-2019-20054)

  - kernel: memory leak in mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c (CVE-2019-20095)

  - kernel: out-of-bounds write via crafted keycode table (CVE-2019-20636)

  - kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)

  - kernel: use after free due to race condition in the video driver leads to local privilege escalation     (CVE-2019-9458)

  - kernel: use-after-free in cdev_put() when a PTP device is removed while it's chardev is open     (CVE-2020-10690)

  - kernel: uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)

  - kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic     (CVE-2020-10742)

  - kernel: SELinux netlink permission check bypass (CVE-2020-10751)

  - kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field (CVE-2020-10942)

  - kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c (CVE-2020-11565)

  - kernel: sg_write function lacks an sg_remove_request call in a certain failure case (CVE-2020-12770)

  - kernel: possible to send arbitrary signals to a privileged (suidroot) parent process (CVE-2020-12826)

  - kernel: memory corruption in Voice over IP nf_conntrack_h323 module (CVE-2020-14305)

  - kernel: some ipv6 protocols not encrypted over ipsec tunnel (CVE-2020-1749)

  - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources (CVE-2020-2732)

  - kernel: out-of-bounds read in in vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647)

  - kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c     (CVE-2020-8649)

  - kernel: out-of-bounds read in set_fdc in drivers/block/floppy.c (CVE-2020-9383)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4060 advisory.

  - kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c     (CVE-2017-18551)

  - kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c     leads to use-after-free (CVE-2018-20836)

  - kernel: null pointer dereference in dlpar_parse_cc_property in arch/powerrc/platforms/pseries/dlpar.c     causing denial of service (CVE-2019-12614)

  - kernel: null pointer dereference in drivers/media/usb/zr364xx/zr364xx.c driver (CVE-2019-15217)

  - kernel: Memory leak in drivers/scsi/libsas/sas_expander.c (CVE-2019-15807)

  - kernel: use-after-free in drivers/bluetooth/hci_ldisc.c (CVE-2019-15917)

  - kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c (CVE-2019-16231)

  - kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c (CVE-2019-16233)

  - kernel: Memory leak in sit_init_net() in net/ipv6/sit.c (CVE-2019-16994)

  - kernel: unprivileged users able to create RAW sockets in AF_IEEE802154 network protocol (CVE-2019-17053)

  - kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol (CVE-2019-17055)

  - kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c (CVE-2019-18808)

  - kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c     (CVE-2019-19046)

  - kernel: memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c allows DoS     (CVE-2019-19055)

  - kernel: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c     allows for a DoS (CVE-2019-19058)

  - kernel: Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in     drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c allows for a DoS (CVE-2019-19059)

  - kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS     (CVE-2019-19062)

  - kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c     allow for a DoS (CVE-2019-19063)

  - Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332)

  - kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a     use-after-free in ext4_put_super in fs/ext4/super.c (CVE-2019-19447)

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver     (CVE-2019-19523)

  - kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free (CVE-2019-19524)

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver     (CVE-2019-19530)

  - kernel: information leak bug caused by a malicious USB device in the     drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (CVE-2019-19534)

  - kernel: race condition caused by a malicious USB device in the USB character device driver layer     (CVE-2019-19537)

  - kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c     and fs/ext4/super.c (CVE-2019-19767)

  - kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)

  - kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c (CVE-2019-20054)

  - kernel: memory leak in mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c (CVE-2019-20095)

  - kernel: out-of-bounds write via crafted keycode table (CVE-2019-20636)

  - kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)

  - kernel: use after free due to race condition in the video driver leads to local privilege escalation     (CVE-2019-9458)

  - kernel: use-after-free in cdev_put() when a PTP device is removed while it's chardev is open     (CVE-2020-10690)

  - kernel: uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)

  - kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic     (CVE-2020-10742)

  - kernel: SELinux netlink permission check bypass (CVE-2020-10751)

  - kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field (CVE-2020-10942)

  - kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c (CVE-2020-11565)

  - kernel: sg_write function lacks an sg_remove_request call in a certain failure case (CVE-2020-12770)

  - kernel: possible to send arbitrary signals to a privileged (suidroot) parent process (CVE-2020-12826)

  - kernel: memory corruption in Voice over IP nf_conntrack_h323 module (CVE-2020-14305)

  - kernel: some ipv6 protocols not encrypted over ipsec tunnel (CVE-2020-1749)

  - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources (CVE-2020-2732)

  - kernel: out-of-bounds read in in vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647)

  - kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c     (CVE-2020-8649)

  - kernel: out-of-bounds read in set_fdc in drivers/block/floppy.c (CVE-2020-9383)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4062 advisory.

  - kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c     (CVE-2017-18551)

  - kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c     leads to use-after-free (CVE-2018-20836)

  - kernel: null pointer dereference in drivers/media/usb/zr364xx/zr364xx.c driver (CVE-2019-15217)

  - kernel: Memory leak in drivers/scsi/libsas/sas_expander.c (CVE-2019-15807)

  - kernel: use-after-free in drivers/bluetooth/hci_ldisc.c (CVE-2019-15917)

  - kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c (CVE-2019-16231)

  - kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c (CVE-2019-16233)

  - kernel: Memory leak in sit_init_net() in net/ipv6/sit.c (CVE-2019-16994)

  - kernel: unprivileged users able to create RAW sockets in AF_IEEE802154 network protocol (CVE-2019-17053)

  - kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol (CVE-2019-17055)

  - kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c (CVE-2019-18808)

  - kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c     (CVE-2019-19046)

  - kernel: memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c allows DoS     (CVE-2019-19055)

  - kernel: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c     allows for a DoS (CVE-2019-19058)

  - kernel: Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in     drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c allows for a DoS (CVE-2019-19059)

  - kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS     (CVE-2019-19062)

  - kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c     allow for a DoS (CVE-2019-19063)

  - Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332)

  - kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a     use-after-free in ext4_put_super in fs/ext4/super.c (CVE-2019-19447)

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver     (CVE-2019-19523)

  - kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free (CVE-2019-19524)

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver     (CVE-2019-19530)

  - kernel: information leak bug caused by a malicious USB device in the     drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (CVE-2019-19534)

  - kernel: race condition caused by a malicious USB device in the USB character device driver layer     (CVE-2019-19537)

  - kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c     and fs/ext4/super.c (CVE-2019-19767)

  - kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)

  - kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c (CVE-2019-20054)

  - kernel: memory leak in mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c (CVE-2019-20095)

  - kernel: out-of-bounds write via crafted keycode table (CVE-2019-20636)

  - kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)

  - kernel: use after free due to race condition in the video driver leads to local privilege escalation     (CVE-2019-9458)

  - kernel: use-after-free in cdev_put() when a PTP device is removed while it's chardev is open     (CVE-2020-10690)

  - kernel: uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)

  - kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic     (CVE-2020-10742)

  - kernel: SELinux netlink permission check bypass (CVE-2020-10751)

  - kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field (CVE-2020-10942)

  - kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c (CVE-2020-11565)

  - kernel: sg_write function lacks an sg_remove_request call in a certain failure case (CVE-2020-12770)

  - kernel: possible to send arbitrary signals to a privileged (suidroot) parent process (CVE-2020-12826)

  - kernel: memory corruption in Voice over IP nf_conntrack_h323 module (CVE-2020-14305)

  - kernel: some ipv6 protocols not encrypted over ipsec tunnel (CVE-2020-1749)

  - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources (CVE-2020-2732)

  - kernel: out-of-bounds read in in vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647)

  - kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c     (CVE-2020-8649)

  - kernel: out-of-bounds read in set_fdc in drivers/block/floppy.c (CVE-2020-9383)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
151229	EulerOS Virtualization 3.0.6.6 : kernel (EulerOS-SA-2021-2040)	Nessus	Huawei Local Security Checks	high
148041	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-1684)	Nessus	Huawei Local Security Checks	high
146701	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2021-1311)	Nessus	Huawei Local Security Checks	high
145201	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2021-1079)	Nessus	Huawei Local Security Checks	high
144837	OracleVM 3.4 : Unbreakable / etc (OVMSA-2021-0001)	Nessus	OracleVM Local Security Checks	high
144802	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2021-9002)	Nessus	Oracle Linux Local Security Checks	high
142176	Debian DLA-2420-2 : linux regression update	Nessus	Debian Local Security Checks	high
141727	Scientific Linux Security Update : kernel on SL7.x x86_64 (20201001)	Nessus	Scientific Linux Local Security Checks	high
141619	CentOS 7 : kernel (CESA-2020:4060)	Nessus	CentOS Local Security Checks	high
141057	RHEL 7 : kernel (RHSA-2020:4060)	Nessus	Red Hat Local Security Checks	high
141026	RHEL 7 : kernel-rt (RHSA-2020:4062)	Nessus	Red Hat Local Security Checks	high

CVE-2020-14305

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high