https://bugzilla.redhat.com/show_bug.cgi?id=1874311

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8019ad13ef7f64be44d4f892af9c840179009254

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernels futex implementation. This flaw allows a local attacker to corrupt     system memory or escalate their privileges when creating a futex on a filesystem that is about to be     unmounted. The highest threat from this vulnerability is to confidentiality, integrity, as well as system     availability. (CVE-2020-14381)

  - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak     and eventually hanging-up the system. (CVE-2020-25673)

  - The vgacon subsystem in the Linux kernel before 5.8.10 mishandles software scrollback. There is a     vgacon_scrolldelta out-of-bounds read, aka CID-973c096f6a85. (CVE-2020-28097)

  - An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-     free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is     called, aka CID-f5449e74802c. (CVE-2020-36385)

  - An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-     bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf. (CVE-2020-36386)

  - Improper access control in BlueZ may allow an authenticated user to potentially enable information     disclosure via adjacent access. (CVE-2021-0129)

  - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A 'stall on CPU' can occur     because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)

  - An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.
    (CVE-2021-3347)

  - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer     allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an     unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)

  - net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from     kernel stack memory because parts of a data structure are uninitialized. (CVE-2021-34693)

  - kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature Verification, aka     CID-0c18f29aae7c. Without CONFIG_MODULE_SIG, verification that a kernel module is signed, for loading via     init_module, does not occur for a module.sig_enforce=1 command-line argument. (CVE-2021-35039)

  - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in     the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the     system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote SUSE Linux SLES11 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:14630-1 advisory.

  - An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check     the length of variable elements in a beacon head, leading to a buffer overflow. (CVE-2019-16746)

  - In uvc_scan_chain_forward of uvc_driver.c, there is a possible linked list corruption due to an unusual     root cause. This could lead to local escalation of privilege in the kernel with no additional execution     privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-111893654References: Upstream kernel (CVE-2020-0404)

  - In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This     could lead to local escalation of privilege with no additional execution privileges needed. User     interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-144161459     (CVE-2020-0431)

  - In various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds     check. This could lead to local escalation of privilege with no additional execution privileges needed.
    User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
    A-162844689References: Upstream kernel (CVE-2020-0465)

  - In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB     driver) mishandles invalid descriptors, aka CID-a246b4d54770. (CVE-2020-11668)

  - A flaw was found in the Linux kernels implementation of the invert video code on VGA consoles when a     local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds     write to occur. This flaw allows a local user with access to the VGA console to crash the system,     potentially escalating their privileges on the system. The highest threat from this vulnerability is to     data confidentiality and integrity as well as system availability. (CVE-2020-14331)

  - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a     duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this     candidate. All references and descriptions in this candidate have been removed to prevent accidental     usage. (CVE-2020-14353)

  - A flaw was found in the Linux kernels futex implementation. This flaw allows a local attacker to corrupt     system memory or escalate their privileges when creating a futex on a filesystem that is about to be     unmounted. The highest threat from this vulnerability is to confidentiality, integrity, as well as system     availability. (CVE-2020-14381)

  - A flaw was found in the Linux kernel in versions before 5.9-rc6. When changing screen size, an out-of-     bounds memory write can occur leading to memory corruption or a denial of service. Due to the nature of     the flaw, privilege escalation cannot be fully ruled out. (CVE-2020-14390)

  - Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain     privileges or cause a denial of service by leveraging improper access to a certain error field.
    (CVE-2020-15436)

  - The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init_ports() that allows local users to cause a denial     of service by using the p->serial_in pointer which uninitialized. (CVE-2020-15437)

  - In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could     overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in     ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.
    (CVE-2020-25211)

  - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap     rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)

  - A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified     other impact, aka CID-17743798d812. (CVE-2020-25285)

  - A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption     and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause     the system to crash or cause a denial of service. The highest threat from this vulnerability is to data     confidentiality and integrity as well as system availability. (CVE-2020-25643)

  - A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was     using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of     bounds. The highest threat from this vulnerability is to data confidentiality. (CVE-2020-25656)

  - A flaw was found in Linux Kernel because access to the global variable fg_console is not properly     synchronized leading to a use after free in con_font_op. (CVE-2020-25668)

  - A vulnerability was found in the Linux Kernel where the function sunkbd_reinit having been scheduled by     sunkbd_interrupt before sunkbd being freed. Though the dangling pointer is set to NULL in     sunkbd_disconnect, there is still an alias in sunkbd_reinit causing Use After Free. (CVE-2020-25669)

  - In the nl80211_policy policy of nl80211.c, there is a possible out of bounds read due to a missing bounds     check. This could lead to local information disclosure with System execution privileges needed. User     interaction is not required for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
    A-119770583 (CVE-2020-27068)

  - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked     down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries     platform) a root like local user could use this flaw to further increase their privileges to that of a     running kernel. (CVE-2020-27777)

  - A flaw was found in the Linux kernels implementation of MIDI, where an attacker with a local account and     the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to     this specific memory while freed and before use causes the flow of execution to change and possibly allow     for memory corruption or privilege escalation. The highest threat from this vulnerability is to     confidentiality, integrity, as well as system availability. (CVE-2020-27786)

  - A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka CID-6735b4632def. (CVE-2020-28915)

  - A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to     read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height. (CVE-2020-28974)

  - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,     aka CID-c8bcd9c5be24. (CVE-2020-29660)

  - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.
    (CVE-2020-29661)

  - mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through     5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.
    (CVE-2020-36158)

  - IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive     information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296.
    (CVE-2020-4788)

  - An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.
    (CVE-2021-3347)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A locking inconsistency issue was discovered in the tty     subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may     allow a read-after-free attack against TIOCGSID, aka     CID-c8bcd9c5be24.(CVE-2020-29660)

  - A locking vulnerability was found in the tty subsystem     of the Linux kernel in drivers/tty/tty_jobctrl.c. This     flaw allows a local attacker to possibly corrupt memory     or escalate privileges. The highest threat from this     vulnerability is to confidentiality, integrity, as well     as system availability.(CVE-2020-29661)

  - The Linux kernel is the kernel used by the open source     operating system Linux released by the Linux     Foundation. The Linux kernel con_font_op() has a code     problem vulnerability, which can force the use of freed     memory, resulting in denial of service or execution of     custom code.(CVE-2020-25668 CVE-2020-4788     CVE-2020-27830)

  - A flaw was found in the Linux kernel's implementation     of MIDI, where an attacker with a local account and the     permissions to issue ioctl commands to midi devices     could trigger a use-after-free issue. A write to this     specific memory while freed and before use causes the     flow of execution to change and possibly allow for     memory corruption or privilege escalation. The highest     threat from this vulnerability is to confidentiality,     integrity, as well as system (CVE-2020-27786)

  - In various methods of hid-multitouch.c, there is a     possible out of bounds write due to a missing bounds     check. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-162844689References: Upstream kernel(CVE-2020-0465)

  - In the nl80211_policy policy of nl80211.c, there is a     possible out of bounds read due to a missing bounds     check. This could lead to local information disclosure     with System execution privileges needed. User     interaction is not required for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-119770583(CVE-2020-27068)

  - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c,     there is a possible use after free due to a logic     error. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-147802478References: Upstream kernel(CVE-2020-0466)

  - In audit_free_lsm_field of auditfilter.c, there is a     possible bad kfree due to a logic error in     audit_data_to_entry. This could lead to local     escalation of privilege with no additional execution     privileges needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-150693166References: Upstream     kernel(CVE-2020-0444)

  - No description is available for this     CVE.(CVE-2020-27815)

  - A flaw was found in the Linux kernel. The marvell wifi     driver could allow a local attacker to execute     arbitrary code via a long SSID value in     mwifiex_cmd_802_11_ad_hoc_start function. The highest     threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-36158)

  - In create_pinctrl of core.c, there is a possible out of     bounds read due to a use after free. This could lead to     local information disclosure with no additional     execution privileges needed. User interaction is not     needed for exploitation.Product: AndroidVersions:
    Android kernelAndroid ID: A-140550171(CVE-2020-0427)

  - In binder_release_work of binder.c, there is a possible     use-after-free due to improper locking. This could lead     to local escalation of privilege in the kernel with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-161151868References: N/A(CVE-2020-0423)

  - In drivers/target/target_core_xcopy.c in the Linux     kernel before 5.10.7, insufficient identifier checking     in the LIO SCSI target code can be used by remote     attackers to read or write files via directory     traversal in an XCOPY request, aka CID-2896c93811e3.
    For example, an attack can occur over a network if the     attacker has access to one iSCSI LUN. The attacker     gains control over file access because I/O operations     are proxied via an attacker-selected     backstore.(CVE-2020-28374)

  - A flaw in the way reply ICMP packets are limited in the     Linux kernel functionality was found that allows to     quickly scan open UDP ports. This flaw allows an     off-path remote user to effectively bypassing source     port UDP randomization. The highest threat from this     vulnerability is to confidentiality and possibly     integrity, because software that relies on UDP source     port randomization are indirectly affected as well.
    Kernel versions before 5.10 may be vulnerable to this     issue.(CVE-2020-25705)

  - Insufficient access control in the Linux kernel driver     for some Intel(R) Processors may allow an authenticated     user to potentially enable information disclosure via     local access.(CVE-2020-8694)

  - A flaw was found in the Linux kernel's futex     implementation. This flaw allows a local attacker to     corrupt system memory or escalate their privileges when     creating a futex on a filesystem that is about to be     unmounted. The highest threat from this vulnerability     is to confidentiality, integrity, as well as system     availability.(CVE-2020-14381)

  - In tun_get_user of tun.c, there is possible memory     corruption due to a use after free. This could lead to     local escalation of privilege with System execution     privileges required. User interaction is not required     for exploitation. Product: Android Versions: Android     kernel Android ID: A-146554327.(CVE-2021-0342)

  - A flaw was found in the Linux kernel. A use-after-free     memory flaw in the Fast Userspace Mutexes functionality     allowing a local user to crash the system or escalate     their privileges on the system. The highest threat from     this vulnerability is to data confidentiality and     integrity as well as system     availability.(CVE-2021-3347)

  - A use after free flaw in the Linux kernel network block     device (NBD) subsystem was found in the way user calls     an ioctl NBD_SET_SOCK at a certain point during device     setup.(CVE-2021-3348)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:4431 advisory.

  - kernel: null pointer dereference in dlpar_parse_cc_property in arch/powerrc/platforms/pseries/dlpar.c     causing denial of service (CVE-2019-12614)

  - kernel: use-after-free in drivers/bluetooth/hci_ldisc.c (CVE-2019-15917)

  - kernel: out-of-bounds access in function hclge_tm_schd_mode_vnet_base_cfg (CVE-2019-15925)

  - kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c (CVE-2019-16231)

  - kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c (CVE-2019-16233)

  - kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c (CVE-2019-18808)

  - kernel: memory leak in  af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c     (CVE-2019-18809)

  - kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c     (CVE-2019-19046)

  - kernel: A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in     drivers/net/wireless/marvell/mwifiex/pcie.c allows to cause DoS (CVE-2019-19056)

  - kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS     (CVE-2019-19062)

  - kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c     allow for a DoS (CVE-2019-19063)

  - kernel: A memory leak in the rtl8xxxu_submit_int_urb() function in     drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c allows for a DoS (CVE-2019-19068)

  - kernel: A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c allows for a     DoS (CVE-2019-19072)

  - kernel: out-of-bounds write in ext4_xattr_set_entry in fs/ext4/xattr.c (CVE-2019-19319)

  - Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332)

  - kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a     use-after-free in ext4_put_super in fs/ext4/super.c (CVE-2019-19447)

  - kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free (CVE-2019-19524)

  - kernel: information leak bug caused  by a malicious USB device in the drivers/media/usb/ttusb-     dec/ttusb_dec.c (CVE-2019-19533)

  - kernel: race condition caused by a malicious USB device in the USB character device driver layer     (CVE-2019-19537)

  - kernel: use-after-free in serial_ir_init_module() in drivers/media/rc/serial_ir.c (CVE-2019-19543)

  - kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c     and fs/ext4/super.c (CVE-2019-19767)

  - kernel: use-after-free in debugfs_remove in fs/debugfs/inode.c (CVE-2019-19770)

  - kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c (CVE-2019-20054)

  - kernel: out-of-bounds write via crafted keycode table (CVE-2019-20636)

  - kernel: kernel pointer leak due to WARN_ON statement in video driver leads to local information disclosure     (CVE-2019-9455)

  - kernel: use after free due to race condition in the video driver leads to local privilege escalation     (CVE-2019-9458)

  - kernel: possible use-after-free due to a race condition in cdev_get of char_dev.c (CVE-2020-0305)

  - kernel: uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)

  - kernel: SELinux netlink permission check bypass (CVE-2020-10751)

  - kernel: kernel stack information leak on s390/s390x (CVE-2020-10773)

  - kernel: possibility of memory disclosure when reading the file /proc/sys/kernel/rh_features     (CVE-2020-10774)

  - kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field (CVE-2020-10942)

  - kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c (CVE-2020-11565)

  - kernel: mishandles invalid descriptors in drivers/media/usb/gspca/xirlink_cit.c (CVE-2020-11668)

  - kernel: buffer overflow in mt76_add_fragment function in drivers/net/wireless/mediatek/mt76/dma.c     (CVE-2020-12465)

  - kernel: sync of excessive duration via an XFS v5 image with crafted metadata (CVE-2020-12655)

  - kernel: xdp_umem_reg in net/xdp/xdp_umem.c has an out-of-bounds write which could result in crash and data     coruption (CVE-2020-12659)

  - kernel: sg_write function lacks an sg_remove_request call in a certain failure case (CVE-2020-12770)

  - kernel: possible to send arbitrary signals to a privileged (suidroot) parent process (CVE-2020-12826)

  - kernel: referencing inode of removed superblock in get_futex_key() causes UAF (CVE-2020-14381)

  - kernel: soft-lockups in iov_iter_copy_from_user_atomic() could result in DoS (CVE-2020-25641)

  - kernel: out-of-bounds read in in vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647)

  - kernel: use-after-free in n_tty_receive_buf_common function in drivers/tty/n_tty.c (CVE-2020-8648)

  - kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c     (CVE-2020-8649)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9006 advisory.

  - A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem     allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate     privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as     system availability. (CVE-2020-14351)

  - A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw     allows an off-path remote attacker to effectively bypass source port UDP randomization. Software that     relies on UDP source port randomization are indirectly affected as well on the Linux Based Products     (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4,     SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE     W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All     versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7     LTE EU: Version (CVE-2020-25705)

  - A flaw was found in the Linux kernels futex implementation. This flaw allows a local attacker to corrupt     system memory or escalate their privileges when creating a futex on a filesystem that is about to be     unmounted. The highest threat from this vulnerability is to confidentiality, integrity, as well as system     availability. (CVE-2020-14381)

  - An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are     processing watch events using a single thread. If the events are received faster than the thread is able     to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the     backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable. (CVE-2020-29568)

  - An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux     kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped.
    However, the handler may not have time to run if the frontend quickly toggles between the states connect     and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving     guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege     escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.
    (CVE-2020-29569)

  - In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking     in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal     in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker     has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are     proxied via an attacker-selected backstore. (CVE-2020-28374)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9007 advisory.

  - A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem     allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate     privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as     system availability. (CVE-2020-14351)

  - A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw     allows an off-path remote attacker to effectively bypass source port UDP randomization. Software that     relies on UDP source port randomization are indirectly affected as well on the Linux Based Products     (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4,     SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE     W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All     versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7     LTE EU: Version (CVE-2020-25705)

  - A flaw was found in the Linux kernels futex implementation. This flaw allows a local attacker to corrupt     system memory or escalate their privileges when creating a futex on a filesystem that is about to be     unmounted. The highest threat from this vulnerability is to confidentiality, integrity, as well as system     availability. (CVE-2020-14381)

  - An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are     processing watch events using a single thread. If the events are received faster than the thread is able     to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the     backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable. (CVE-2020-29568)

  - An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux     kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped.
    However, the handler may not have time to run if the frontend quickly toggles between the states connect     and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving     guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege     escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.
    (CVE-2020-29569)

  - In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking     in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal     in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker     has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are     proxied via an attacker-selected backstore. (CVE-2020-28374)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The SUSE Linux Enterprise 15 LTSS kernel was updated to receive various security and bug fixes.

The following security bugs were fixed :

CVE-2020-25705: A flaw in the way reply ICMP packets are limited in was found that allowed to quickly scan open UDP ports. This flaw allowed an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).

CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter() (bsc#1178393).

CVE-2020-25668: Fixed a use-after-free in con_font_op() (bnc#1178123).

CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).

CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).

CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723).

CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).

CVE-2020-16120: Fixed permission check to open real file when using overlayfs. It was possible to have a file not readable by an unprivileged user be copied to a mountpoint controlled by that user and then be able to access the file (bsc#1177470).

CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).

CVE-2020-12351: Fixed a type confusion while processing AMP packets aka 'BleedingTooth' aka 'BadKarma' (bsc#1177724).

CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka 'BleedingTooth' (bsc#1177725).

CVE-2020-25212: Fixed getxattr kernel panic and memory overflow (bsc#1176381).

CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177511).

CVE-2020-2521: Fixed getxattr kernel panic and memory overflow (bsc#1176381).

CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).

CVE-2020-25643: Fixed a memory corruption and a read overflow which could have caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).

CVE-2020-25641: Fixed a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121).

CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).

CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).

CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).

CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).

CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).

CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).

CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).

CVE-2020-27673: Fixed an issue where rogue guests could have caused denial of service of Dom0 via high frequency events (XSA-332 bsc#1177411)

CVE-2020-27675: Fixed a race condition in event handler which may crash dom0 (XSA-331 bsc#1177410).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed :

CVE-2020-25705: A flaw in the way reply ICMP packets are limited in was found that allowed to quickly scan open UDP ports. This flaw allowed an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).

CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter() (bsc#1178393).

CVE-2020-25668: Fixed a use-after-free in con_font_op() (bnc#1178123).

CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).

CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).

CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723).

CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).

CVE-2020-16120: Fixed a permissions issue in ovl_path_open() (bsc#1177470).

CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).

CVE-2020-12351: Implemented a kABI workaround for bluetooth l2cap_ops filter addition (bsc#1177724).

CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka 'BleedingTooth' (bsc#1177725).

CVE-2020-25212: Fixed a TOCTOU mismatch in the NFS client code (bnc#1176381).

CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177511).

CVE-2020-14381: Fixed a UAF in the fast user mutex (futex) wait operation (bsc#1176011).

CVE-2020-25643: Fixed an improper input validation in the ppp_cp_parse_cr function of the HDLC_PPP module (bnc#1177206).

CVE-2020-25641: Fixed a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121).

CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).

CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).

CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).

CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).

CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).

CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).

CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).

CVE-2020-27673: Fixed an issue where rogue guests could have caused denial of service of Dom0 via high frequency events (XSA-332 bsc#1177411)

CVE-2020-27675: Fixed a race condition in event handler which may crash dom0 (XSA-331 bsc#1177410).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for the Linux Kernel 4.4.180-94_107 fixes several issues.

The following security issues were fixed :

CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. (bsc#1176724)

CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).

CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bsc#1176722)

CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).

CVE-2020-14386: Fixed a memory corruption which could have lead to an attacker gaining root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity (bsc#1176069).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).

CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).

CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).

CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).

CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).

CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).

CVE-2020-25212: Fixed getxattr kernel panic and memory overflow (bsc#1176381).

CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).

CVE-2020-14381: Fixed requeue paths such that filp was valid when dropping the references (bsc#1176011).

CVE-2019-25643: Fixed an improper input validation in ppp_cp_parse_cr function which could have led to memory corruption and read overflow (bsc#1177206).

CVE-2020-25641: Fixed ann issue where length bvec was causing softlockups (bsc#1177121).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-25643: Added range checks in ppp_cp_parse_cr() (bsc#1177206).

CVE-2020-25641: Allowed for_each_bvec to support zero len bvec (bsc#1177121).

CVE-2020-25645: Added transport ports in route lookup for geneve (bsc#1177511).

CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).

CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).

CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).

CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).

CVE-2020-14381: Fixed requeue paths such that filp was valid when dropping the references (bsc#1176011).

CVE-2020-14386: Fixed a memory corruption which could have been exploited to gain root privileges from unprivileged processes (bsc#1176069).

CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).

CVE-2020-1749: Use ip6_dst_lookup_flow instead of ip6_dst_lookup (bsc#1165629).

CVE-2020-25212: Fixed getxattr kernel panic and memory overflow (bsc#1176381).

CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).

CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for the Linux Kernel 4.4.180-94_130 fixes several issues.

The following security issues were fixed :

CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. (bsc#1176724)

CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).

CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bsc#1176722)

CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).

CVE-2020-11668: Fixed an out of bounds write to the heap in drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) caused by mishandling invalid descriptors (bsc#1168952).

CVE-2020-1749: A flaw was found in the implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link, rather sending the data unencrypted. This would have allowed anyone in between the two endpoints to read the traffic unencrypted.
(bsc#1165629)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).

CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).

CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).

CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).

CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).

CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).

CVE-2020-25212: Fixed getxattr kernel panic and memory overflow (bsc#1176381).

CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).

CVE-2020-14381: Fixed requeue paths such that filp was valid when dropping the references (bsc#1176011).

CVE-2019-25643: Fixed an improper input validation in ppp_cp_parse_cr function which could have led to memory corruption and read overflow (bsc#1177206).

CVE-2020-25641: Fixed ann issue where length bvec was causing softlockups (bsc#1177121).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).

CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).

CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).

CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).

CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).

CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).

CVE-2020-25212: Fixed getxattr kernel panic and memory overflow (bsc#1176381).

CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).

CVE-2020-14381: Fixed requeue paths such that filp was valid when dropping the references (bsc#1176011).

CVE-2019-25643: Fixed an improper input validation in ppp_cp_parse_cr function which could have led to memory corruption and read overflow (bsc#1177206).

CVE-2020-25641: Fixed ann issue where length bvec was causing softlockups (bsc#1177121).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed :

CVE-2020-25705: A flaw in the way reply ICMP packets are limited in was found that allowed to quickly scan open UDP ports. This flaw allowed an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).

CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).

CVE-2017-18204: Fixed a denial of service in the ocfs2_setattr function of fs/ocfs2/file.c (bnc#1083244).

CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).

CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).

CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka 'BleedingTooth' (bsc#1177725).

CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177511).

CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).

CVE-2020-25212: Fixed A TOCTOU mismatch in the NFS client code which could have been used by local attackers to corrupt memory (bsc#1176381).

CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).

CVE-2020-25643: Fixed a memory corruption and a read overflow which could have caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).

CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).

CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).

CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).

CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).

CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).

CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed :

CVE-2020-25705: A flaw in the way reply ICMP packets are limited in was found that allowed to quickly scan open UDP ports. This flaw allowed an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).

CVE-2020-25668: Fixed a use-after-free in con_font_op() (bsc#1178123).

CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).

CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).

CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).

CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka 'BleedingTooth' (bsc#1177725).

CVE-2020-25645: Fixed an issue which traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted (bsc#1177511).

CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).

CVE-2020-25212: Fixed A TOCTOU mismatch in the NFS client code which could have been used by local attackers to corrupt memory (bsc#1176381).

CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).

CVE-2020-25643: Fixed a memory corruption and a read overflow which could have caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).

CVE-2020-25641: Fixed a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121).

CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).

CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).

CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).

CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).

CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).

CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).

CVE-2019-19063: Fixed two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c, which could have allowed an attacker to cause a denial of service (memory consumption) (bsc#1157298).

CVE-2019-6133: In PolicyKit (aka polkit), the 'start time' protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c (bsc#1121872).

CVE-2017-18204: Fixed a denial of service in the ocfs2_setattr function of fs/ocfs2/file.c (bnc#1083244).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4431 advisory.

  - kernel: null pointer dereference in dlpar_parse_cc_property in arch/powerrc/platforms/pseries/dlpar.c     causing denial of service (CVE-2019-12614)

  - kernel: use-after-free in drivers/bluetooth/hci_ldisc.c (CVE-2019-15917)

  - kernel: out-of-bounds access in function hclge_tm_schd_mode_vnet_base_cfg (CVE-2019-15925)

  - kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c (CVE-2019-16231)

  - kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c (CVE-2019-16233)

  - kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c (CVE-2019-18808)

  - kernel: memory leak in  af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c     (CVE-2019-18809)

  - kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c     (CVE-2019-19046)

  - kernel: A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in     drivers/net/wireless/marvell/mwifiex/pcie.c allows to cause DoS (CVE-2019-19056)

  - kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS     (CVE-2019-19062)

  - kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c     allow for a DoS (CVE-2019-19063)

  - kernel: A memory leak in the rtl8xxxu_submit_int_urb() function in     drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c allows for a DoS (CVE-2019-19068)

  - kernel: A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c allows for a     DoS (CVE-2019-19072)

  - kernel: out-of-bounds write in ext4_xattr_set_entry in fs/ext4/xattr.c (CVE-2019-19319)

  - Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332)

  - kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a     use-after-free in ext4_put_super in fs/ext4/super.c (CVE-2019-19447)

  - kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free (CVE-2019-19524)

  - kernel: information leak bug caused  by a malicious USB device in the drivers/media/usb/ttusb-     dec/ttusb_dec.c (CVE-2019-19533)

  - kernel: race condition caused by a malicious USB device in the USB character device driver layer     (CVE-2019-19537)

  - kernel: use-after-free in serial_ir_init_module() in drivers/media/rc/serial_ir.c (CVE-2019-19543)

  - kernel: cached use of fpu_fpregs_owner_ctx in arch/x86/include/asm/fpu/internal.h can lead to DoS     (CVE-2019-19602)

  - kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c     and fs/ext4/super.c (CVE-2019-19767)

  - kernel: use-after-free in debugfs_remove in fs/debugfs/inode.c (CVE-2019-19770)

  - kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c (CVE-2019-20054)

  - kernel: out-of-bounds write via crafted keycode table (CVE-2019-20636)

  - kernel: af_packet: TPACKET_V3: invalid timer timeout on error (CVE-2019-20812)

  - kernel: kernel pointer leak due to WARN_ON statement in video driver leads to local information disclosure     (CVE-2019-9455)

  - kernel: use after free due to race condition in the video driver leads to local privilege escalation     (CVE-2019-9458)

  - kernel: possible use-after-free due to a race condition in cdev_get of char_dev.c (CVE-2020-0305)

  - kernel: bad kfree in auditfilter.c may lead to escalation of privilege (CVE-2020-0444)

  - kernel: uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)

  - kernel: SELinux netlink permission check bypass (CVE-2020-10751)

  - kernel: kernel stack information leak on s390/s390x (CVE-2020-10773)

  - kernel: possibility of memory disclosure when reading the file /proc/sys/kernel/rh_features     (CVE-2020-10774)

  - kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field (CVE-2020-10942)

  - kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c (CVE-2020-11565)

  - kernel: mishandles invalid descriptors in drivers/media/usb/gspca/xirlink_cit.c (CVE-2020-11668)

  - kernel: buffer overflow in mt76_add_fragment function in drivers/net/wireless/mediatek/mt76/dma.c     (CVE-2020-12465)

  - kernel: sync of excessive duration via an XFS v5 image with crafted metadata (CVE-2020-12655)

  - kernel: xdp_umem_reg in net/xdp/xdp_umem.c has an out-of-bounds write which could result in crash and data     coruption (CVE-2020-12659)

  - kernel: sg_write function lacks an sg_remove_request call in a certain failure case (CVE-2020-12770)

  - kernel: possible to send arbitrary signals to a privileged (suidroot) parent process (CVE-2020-12826)

  - kernel: referencing inode of removed superblock in get_futex_key() causes UAF (CVE-2020-14381)

  - kernel: soft-lockups in iov_iter_copy_from_user_atomic() could result in DoS (CVE-2020-25641)

  - kernel: out-of-bounds read in in vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647)

  - kernel: use-after-free in n_tty_receive_buf_common function in drivers/tty/n_tty.c (CVE-2020-8648)

  - kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c     (CVE-2020-8649)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4609 advisory.

  - kernel: use-after-free in drivers/bluetooth/hci_ldisc.c (CVE-2019-15917)

  - kernel: out-of-bounds access in function hclge_tm_schd_mode_vnet_base_cfg (CVE-2019-15925)

  - kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c (CVE-2019-16231)

  - kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c (CVE-2019-16233)

  - kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c (CVE-2019-18808)

  - kernel: memory leak in  af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c     (CVE-2019-18809)

  - kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c     (CVE-2019-19046)

  - kernel: A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in     drivers/net/wireless/marvell/mwifiex/pcie.c allows to cause DoS (CVE-2019-19056)

  - kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS     (CVE-2019-19062)

  - kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c     allow for a DoS (CVE-2019-19063)

  - kernel: A memory leak in the rtl8xxxu_submit_int_urb() function in     drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c allows for a DoS (CVE-2019-19068)

  - kernel: A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c allows for a     DoS (CVE-2019-19072)

  - kernel: out-of-bounds write in ext4_xattr_set_entry in fs/ext4/xattr.c (CVE-2019-19319)

  - Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332)

  - kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a     use-after-free in ext4_put_super in fs/ext4/super.c (CVE-2019-19447)

  - kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free (CVE-2019-19524)

  - kernel: information leak bug caused  by a malicious USB device in the drivers/media/usb/ttusb-     dec/ttusb_dec.c (CVE-2019-19533)

  - kernel: race condition caused by a malicious USB device in the USB character device driver layer     (CVE-2019-19537)

  - kernel: use-after-free in serial_ir_init_module() in drivers/media/rc/serial_ir.c (CVE-2019-19543)

  - kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c     and fs/ext4/super.c (CVE-2019-19767)

  - kernel: use-after-free in debugfs_remove in fs/debugfs/inode.c (CVE-2019-19770)

  - kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c (CVE-2019-20054)

  - kernel: out-of-bounds write via crafted keycode table (CVE-2019-20636)

  - kernel: kernel pointer leak due to WARN_ON statement in video driver leads to local information disclosure     (CVE-2019-9455)

  - kernel: use after free due to race condition in the video driver leads to local privilege escalation     (CVE-2019-9458)

  - kernel: possible use-after-free due to a race condition in cdev_get of char_dev.c (CVE-2020-0305)

  - kernel: uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)

  - kernel: SELinux netlink permission check bypass (CVE-2020-10751)

  - kernel: possibility of memory disclosure when reading the file /proc/sys/kernel/rh_features     (CVE-2020-10774)

  - kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field (CVE-2020-10942)

  - kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c (CVE-2020-11565)

  - kernel: mishandles invalid descriptors in drivers/media/usb/gspca/xirlink_cit.c (CVE-2020-11668)

  - kernel: sync of excessive duration via an XFS v5 image with crafted metadata (CVE-2020-12655)

  - kernel: xdp_umem_reg in net/xdp/xdp_umem.c has an out-of-bounds write which could result in crash and data     coruption (CVE-2020-12659)

  - kernel: sg_write function lacks an sg_remove_request call in a certain failure case (CVE-2020-12770)

  - kernel: possible to send arbitrary signals to a privileged (suidroot) parent process (CVE-2020-12826)

  - kernel: referencing inode of removed superblock in get_futex_key() causes UAF (CVE-2020-14381)

  - kernel: soft-lockups in iov_iter_copy_from_user_atomic() could result in DoS (CVE-2020-25641)

  - kernel: out-of-bounds read in in vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647)

  - kernel: use-after-free in n_tty_receive_buf_common function in drivers/tty/n_tty.c (CVE-2020-8648)

  - kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c     (CVE-2020-8649)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
153692	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-2502)	Nessus	Huawei Local Security Checks	high
150536	SUSE SLES11 Security Update : kernel (SUSE-SU-2021:14630-1)	Nessus	SuSE Local Security Checks	high
147588	EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2021-1386)	Nessus	Huawei Local Security Checks	high
145806	CentOS 8 : kernel (CESA-2020:4431)	Nessus	CentOS Local Security Checks	medium
144907	Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2021-9006)	Nessus	Oracle Linux Local Security Checks	high
144906	Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2021-9007)	Nessus	Oracle Linux Local Security Checks	high
143875	SUSE SLES15 Security Update : kernel (SUSE-SU-2020:3532-1)	Nessus	SuSE Local Security Checks	high
143857	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:3544-1)	Nessus	SuSE Local Security Checks	high
143844	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:3225-1)	Nessus	SuSE Local Security Checks	high
143801	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2020:2905-1)	Nessus	SuSE Local Security Checks	high
143784	SUSE SLES15 Security Update : kernel (SUSE-SU-2020:3014-1)	Nessus	SuSE Local Security Checks	high
143772	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:3219-1)	Nessus	SuSE Local Security Checks	high
143708	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:2904-1)	Nessus	SuSE Local Security Checks	high
143699	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:2907-1)	Nessus	SuSE Local Security Checks	high
143654	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:3501-1)	Nessus	SuSE Local Security Checks	high
143639	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:3503-1)	Nessus	SuSE Local Security Checks	high
142430	RHEL 8 : kernel (RHSA-2020:4431)	Nessus	Red Hat Local Security Checks	medium
142382	RHEL 8 : kernel-rt (RHSA-2020:4609)	Nessus	Red Hat Local Security Checks	medium
141388	openSUSE Security Update : the Linux Kernel (openSUSE-2020-1655)	Nessus	SuSE Local Security Checks	high

CVE-2020-14381

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

medium

high

high

high

high

high

high

high

high

high

high

high

high

medium

medium

high