openSUSE-SU-2020:1655

openSUSE-SU-2020:1682

openSUSE-SU-2020:1698

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.8.3

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b4487b93545214a9db8cbf32e86411677b0cca21

[debian-lts-announce] 20200928 [SECURITY] [DLA 2385-1] linux-4.19 security update

https://twitter.com/grsecurity/status/1303370421958578179

USN-4525-1

USN-4527-1

USN-4578-1

The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2020-1437 advisory.

  - In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some     operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in     fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to     a right data structure. (CVE-2019-19448)

  - The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory     space. (CVE-2020-12888)

  - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file     system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash     the system if the directory exists. The highest threat from this vulnerability is to system availability.
    (CVE-2020-14314)

  - A flaw was found in the Linux kernels implementation of the invert video code on VGA consoles when a     local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds     write to occur. This flaw allows a local user with access to the VGA console to crash the system,     potentially escalating their privileges on the system. The highest threat from this vulnerability is to     data confidentiality and integrity as well as system availability. (CVE-2020-14331)

  - A flaw was found in the Linux kernel in versions before 5.9-rc6. When changing screen size, an out-of-     bounds memory write can occur leading to memory corruption or a denial of service. Due to the nature of     the flaw, privilege escalation cannot be fully ruled out. (CVE-2020-14390)

  - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers     to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)

  - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap     rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)

  - A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified     other impact, aka CID-17743798d812. (CVE-2020-25285)

  - A flaw was found in the Linux kernel's implementation of biovecs in versions before 5.9-rc7. A zero-length     biovec request issued by the block subsystem could cause the kernel to enter an infinite loop, causing a     denial of service. This flaw allows a local attacker with basic privileges to issue requests to a block     device, resulting in a denial of service. The highest threat from this vulnerability is to system     availability. (CVE-2020-25641)

  - A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption     and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause     the system to crash or cause a denial of service. The highest threat from this vulnerability is to data     confidentiality and integrity as well as system availability. (CVE-2020-25643)

  - A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may     be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE     tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from     this vulnerability is to data confidentiality. (CVE-2020-25645)

  - A missing CAP_NET_RAW check in NFC socket creation in net/nfc/rawsock.c in the Linux kernel before 5.8.2     could be used by local attackers to create raw sockets, bypassing security mechanisms, aka     CID-26896f01467a. (CVE-2020-26088)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

New kernel packages are available for Slackware 14.2 to fix security issues.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4279 advisory.

  - kernel: net: bluetooth: type confusion while processing AMP packets (CVE-2020-12351)

  - kernel: net: bluetooth: information leak when processing certain AMP packets (CVE-2020-12352)

  - kernel: information exposure in drivers/char/random.c and kernel/time/timer.c (CVE-2020-16166)

  - kernel: TOCTOU mismatch in the NFS client code (CVE-2020-25212)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The openSUSE Leap 15.1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2020-12351: A type confusion while processing AMP     packets could be used by physical close attackers to     crash the kernel or potentially execute code was fixed     (bsc#1177724).

  - CVE-2020-12352: A stack information leak when handling     certain AMP packets could be used by physical close     attackers to leak information from the kernel was fixed     (bsc#1177725).

  - CVE-2020-25212: A TOCTOU mismatch in the NFS client code     could be used by local attackers to corrupt memory or     possibly have unspecified other impact because a size     check is in fs/nfs/nfs4proc.c instead of     fs/nfs/nfs4xdr.c, aka CID-b4487b935452 (bnc#1176381).

  - CVE-2020-25645: Traffic between two Geneve endpoints may     be unencrypted when IPsec is configured to encrypt     traffic for the specific UDP port used by the GENEVE     tunnel allowing anyone between the two endpoints to read     the traffic unencrypted. The main threat from this     vulnerability is to data confidentiality (bnc#1177511).

The following non-security bugs were fixed :

  - 59c7c3caaaf8 ('nvme: fix possible hang when ns scanning     fails during error recovery')

  - NFS: On fatal writeback errors, we need to call     nfs_inode_remove_request() (bsc#1177340).

  - NFS: Revalidate the file mapping on all fatal writeback     errors (bsc#1177340).

  - drm/sun4i: mixer: Extend regmap max_register     (git-fixes).

  - ea43d9709f72 ('nvme: fix identify error status silent     ignore')

  - i2c: meson: fix clock setting overwrite (git-fixes).

  - iommu/vt-d: Correctly calculate agaw in domain_init()     (bsc#1176400).

  - mac80211: do not allow bigger VHT MPDUs than the     hardware supports (git-fixes).

  - macsec: avoid use-after-free in macsec_handle_frame()     (git-fixes).

  - mm: memcg: switch to css_tryget() in     get_mem_cgroup_from_mm() (bsc#1177685).

  - mmc: core: do not set limits.discard_granularity as 0     (git-fixes).

  - nvme-multipath: do not reset on unknown status     (bsc#1174748).

  - nvme-rdma: Avoid double freeing of async event data     (bsc#1174748).

  - nvme: Fix ctrl use-after-free during sysfs deletion     (bsc#1174748).

  - nvme: Namepace identification descriptor list is     optional (bsc#1174748).

  - nvme: add a Identify Namespace Identification Descriptor     list quirk (bsc#1174748).

  - nvme: fix deadlock caused by ANA update wrong locking     (bsc#1174748).

  - nvme: fix possible io failures when removing multipathed     ns (bsc#1174748).

  - nvme: make nvme_identify_ns propagate errors back     (bsc#1174748).

  - nvme: make nvme_report_ns_ids propagate error back     (bsc#1174748).

  - nvme: pass status to nvme_error_status (bsc#1174748).

  - nvme: return error from nvme_alloc_ns() (bsc#1174748).

  - powerpc/dma: Fix dma_map_ops::get_required_mask     (bsc#1065729).

  - scsi: hisi_sas: Add debugfs ITCT file and add file     operations (bsc#1140683).

  - scsi: hisi_sas: Add manual trigger for debugfs dump     (bsc#1140683).

  - scsi: hisi_sas: Add missing seq_printf() call in     hisi_sas_show_row_32() (bsc#1140683).

  - scsi: hisi_sas: Change return variable type in     phy_up_v3_hw() (bsc#1140683).

  - scsi: hisi_sas: Correct memory allocation size for DQ     debugfs (bsc#1140683).

  - scsi: hisi_sas: Do some more tidy-up (bsc#1140683).

  - scsi: hisi_sas: Fix a timeout race of driver internal     and SMP IO (bsc#1140683).

  - scsi: hisi_sas: Fix type casting and missing static     qualifier in debugfs code (bsc#1140683). Refresh :

  - scsi: hisi_sas: No need to check return value of     debugfs_create functions (bsc#1140683). Update :

  - scsi: hisi_sas: Some misc tidy-up (bsc#1140683).

  - scsi: qla2xxx: Add IOCB resource tracking (bsc#1176946     bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Add SLER and PI control support     (bsc#1176946 bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Add rport fields in debugfs (bsc#1176946     bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Allow dev_loss_tmo setting for FC-NVMe     devices (bsc#1176946 bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Correct the check for sscanf() return     value (bsc#1176946 bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Fix I/O errors during LIP reset tests     (bsc#1176946 bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Fix I/O failures during remote port     toggle testing (bsc#1176946 bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Fix MPI reset needed message (bsc#1176946     bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Fix buffer-buffer credit extraction error     (bsc#1176946 bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Fix crash on session cleanup with unload     (bsc#1176946 bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Fix inconsistent format argument type in     qla_dbg.c (bsc#1176946 bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Fix inconsistent format argument type in     tcm_qla2xxx.c (bsc#1176946 bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Fix inconsistent format argument type in     qla_os.c (bsc#1176946 bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Fix memory size truncation (bsc#1176946     bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Fix point-to-point (N2N) device discovery     issue (bsc#1176946 bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Fix reset of MPI firmware (bsc#1176946     bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Honor status qualifier in FCP_RSP per     spec (bsc#1176946 bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Make tgt_port_database available in     initiator mode (bsc#1176946 bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Performance tweak (bsc#1176946     bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Reduce duplicate code in reporting speed     (bsc#1176946 bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Remove unneeded variable 'rval'     (bsc#1176946 bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Setup debugfs entries for remote ports     (bsc#1176946 bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Update version to 10.02.00.102-k     (bsc#1176946 bsc#1175520 bsc#1172538).

  - scsi: qla2xxx: Update version to 10.02.00.103-k     (bsc#1176946 bsc#1175520 bsc#1172538).

The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4578-1 advisory.

  - The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows     local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a     crafted xfs image. (CVE-2018-10322)

  - In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some     operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in     fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to     a right data structure. (CVE-2019-19448)

  - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file     system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash     the system if the directory exists. The highest threat from this vulnerability is to system availability.
    (CVE-2020-14314)

  - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers     to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)

  - A missing CAP_NET_RAW check in NFC socket creation in net/nfc/rawsock.c in the Linux kernel before 5.8.2     could be used by local attackers to create raw sockets, bypassing security mechanisms, aka     CID-26896f01467a. (CVE-2020-26088)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the linux package has been released.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5885 advisory.

  - An issue where a provided address with access_ok() is not checked was discovered in     i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux kernel through     4.19.13. A local attacker can craft a malicious IOCTL function call to overwrite arbitrary kernel memory,     resulting in a Denial of Service or privilege escalation. (CVE-2018-20669)

  - The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An     attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are     believed to be vulnerable. (CVE-2019-3874)

  - fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer     dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka     CID-09ba3bc9dd15. (CVE-2019-18885)

  - A flaw was found in the Linux kernel before 5.8-rc1 in the implementation of the Enhanced IBPB (Indirect     Branch Prediction Barrier). The IBPB mitigation will be disabled when STIBP is not available or when the     Enhanced Indirect Branch Restricted Speculation (IBRS) is available. This flaw allows a local attacker to     perform a Spectre V2 style attack when this configuration is active. The highest threat from this     vulnerability is to confidentiality. (CVE-2020-10767)

  - A flaw was found in the Linux Kernel before 5.8-rc6 in the ZRAM kernel module, where a user with a local     account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in     the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the     creation of that ZRAM device. With this vulnerability, continually reading the device may consume a large     amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random     userspace processes, possibly making the system inoperable. (CVE-2020-10781)

  - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file     system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash     the system if the directory exists. The highest threat from this vulnerability is to system availability.
    (CVE-2020-14314)

  - A flaw was found in the Linux kernels implementation of the invert video code on VGA consoles when a     local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds     write to occur. This flaw allows a local user with access to the VGA console to crash the system,     potentially escalating their privileges on the system. The highest threat from this vulnerability is to     data confidentiality and integrity as well as system availability. (CVE-2020-14331)

  - A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root     privileges from unprivileged processes. The highest threat from this vulnerability is to data     confidentiality and integrity. (CVE-2020-14386)

  - The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive     information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to     drivers/char/random.c and kernel/time/timer.c. (CVE-2020-16166)

  - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new     filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the     current umask is not considered. (CVE-2020-24394)

  - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers     to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)

  - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap     rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)

  - A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified     other impact, aka CID-17743798d812. (CVE-2020-25285)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5884 advisory.

  - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file     system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash     the system if the directory exists. The highest threat from this vulnerability is to system availability.
    (CVE-2020-14314)

  - A flaw null pointer dereference in the Linux kernel cgroupv2 subsystem in versions before 5.7.10 was found     in the way when reboot the system. A local user could use this flaw to crash the system or escalate their     privileges on the system. (CVE-2020-14356)

  - A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in     XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can     lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading     to a denial of service. The highest threat from this vulnerability is to system availability.
    (CVE-2020-14385)

  - A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root     privileges from unprivileged processes. The highest threat from this vulnerability is to data     confidentiality and integrity. (CVE-2020-14386)

  - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers     to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)

  - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap     rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)

  - A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified     other impact, aka CID-17743798d812. (CVE-2020-25285)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2020-0044 for details.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A race condition between hugetlb sysctl handlers in     mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL     pointer dereference, or possibly have unspecified other     impact, aka CID-17743798d812.(CVE-2020-25285)

  - A flaw was found in the Linux kernel in versions from     2.2.3 through 5.9.rc5. When changing screen size, an     out-of-bounds memory write can occur leading to memory     corruption or a denial of service. This highest threat     from this vulnerability is to system     availability.(CVE-2020-14390)

  - A flaw was found in the Linux kernel before 5.9-rc4.
    Memory corruption can be exploited to gain root     privileges from unprivileged processes. The highest     threat from this vulnerability is to data     confidentiality and integrity.(CVE-2020-14386)

  - Insufficient input validation in i40e driver for     Intel(R) Ethernet 700 Series Controllers versions     before 7.0 may allow an authenticated user to     potentially enable a denial of service via local     access.(CVE-2019-0147)

  - A TOCTOU mismatch in the NFS client code in the Linux     kernel before 5.8.3 could be used by local attackers to     corrupt memory or possibly have unspecified other     impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka     CID-b4487b935452.(CVE-2020-25212)

  - A flaw was found in the Linux kernel before 5.9-rc4. A     failure of the file system metadata validator in XFS     can cause an inode with a valid, user-creatable     extended attribute to be flagged as corrupt. This can     lead to the filesystem being shutdown, or otherwise     rendered inaccessible until it is remounted, leading to     a denial of service. The highest threat from this     vulnerability is to system     availability.(CVE-2020-14385)

  - In uvc_scan_chain_forward of uvc_driver.c, there is a     possible linked list corruption due to an unusual root     cause. This could lead to local escalation of privilege     in the kernel with no additional execution privileges     needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-111893654References: Upstream     kernel(CVE-2020-0404)

  - The rbd block device driver in drivers/block/rbd.c in     the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which     could be leveraged by local attackers to map or unmap     rbd block devices, aka     CID-f44d04e696fe.(CVE-2020-25284)

  - A memory out-of-bounds read flaw was found in the Linux     kernel before 5.9-rc2 with the ext3/ext4 file system,     in the way it accesses a directory with broken     indexing. This flaw allows a local user to crash the     system if the directory exists. The highest threat from     this vulnerability is to system     availability.(CVE-2020-14314)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A TOCTOU mismatch in the NFS client code in the Linux     kernel before 5.8.3 could be used by local attackers to     corrupt memory or possibly have unspecified other     impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka     CID-b4487b935452.(CVE-2020-25212)

  - A flaw was found in the Linux kernel before 5.9-rc4. A     failure of the file system metadata validator in XFS     can cause an inode with a valid, user-creatable     extended attribute to be flagged as corrupt. This can     lead to the filesystem being shutdown, or otherwise     rendered inaccessible until it is remounted, leading to     a denial of service. The highest threat from this     vulnerability is to system     availability.(CVE-2020-14385)

  - In uvc_scan_chain_forward of uvc_driver.c, there is a     possible linked list corruption due to an unusual root     cause. This could lead to local escalation of privilege     in the kernel with no additional execution privileges     needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-111893654References: Upstream     kernel(CVE-2020-0404)

  - The rbd block device driver in drivers/block/rbd.c in     the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which     could be leveraged by local attackers to map or unmap     rbd block devices, aka     CID-f44d04e696fe.(CVE-2020-25284)

  - A race condition between hugetlb sysctl handlers in     mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL     pointer dereference, or possibly have unspecified other     impact, aka CID-17743798d812.(CVE-2020-25285)

  - A flaw was found in the Linux kernel in versions from     2.2.3 through 5.9.rc5. When changing screen size, an     out-of-bounds memory write can occur leading to memory     corruption or a denial of service. This highest threat     from this vulnerability is to system     availability.(CVE-2020-14390)

  - A memory out-of-bounds read flaw was found in the Linux     kernel before 5.9-rc2 with the ext3/ext4 file system,     in the way it accesses a directory with broken     indexing. This flaw allows a local user to crash the     system if the directory exists. The highest threat from     this vulnerability is to system     availability.(CVE-2020-14314)

  - A flaw was found in the Linux kernel before 5.9-rc4.
    Memory corruption can be exploited to gain root     privileges from unprivileged processes. The highest     threat from this vulnerability is to data     confidentiality and integrity.(CVE-2020-14386)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5866 advisory.

  - An issue was discovered in fs/gfs2/rgrp.c in the Linux kernel before 4.8. A use-after-free is caused by     the functions gfs2_clear_rgrpd and read_rindex_entry. (CVE-2016-10905)

  - An issue was discovered in drivers/net/ethernet/arc/emac_main.c in the Linux kernel before 4.5. A use-     after-free is caused by a race condition between the functions arc_emac_tx and arc_emac_tx_clean.
    (CVE-2016-10906)

  - The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel before 4.10.4 allows     local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer     underflow. (CVE-2017-8924)

  - The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel before 4.10.4 allows local     users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling.
    (CVE-2017-8925)

  - sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local users to cause a denial of service     (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a     crafted USB device. (CVE-2017-16528)

  - In driver_override_store and driver_override_show of bus.c, there is a possible double free due to     improper locking. This could lead to local escalation of privilege with System execution privileges     needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android     ID: A-69129004 References: Upstream kernel. (CVE-2018-9415)

  - A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network     namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-     free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system     panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2018-16884)

  - An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an
    __blk_drain_queue() use-after-free because a certain error case is mishandled. (CVE-2018-20856)

  - A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the     mwifiex kernel module while connecting to a malicious wireless network. (CVE-2019-3846)

  - The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An     attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are     believed to be vulnerable. (CVE-2019-3874)

  - An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An     attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations     before the required authentication process has completed. This could lead to different denial-of-service     scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already     existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge     Authentication and Association Request packets to trigger this vulnerability. (CVE-2019-5108)

  - In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference     counting because of a race condition, leading to a use-after-free. (CVE-2019-6974)

  - The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free. (CVE-2019-7221)

  - The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak. (CVE-2019-7222)

  - The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-     free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could     use this flaw to obtain sensitive information, cause a denial of service, or possibly have other     unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.
    (CVE-2019-14898)

  - An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a     malicious USB device in the drivers/media/usb/siano/smsusb.c driver. (CVE-2019-15218)

  - drivers/media/usb/dvb-usb/technisat-usb2.c in the Linux kernel through 5.2.9 has an out-of-bounds read via     crafted USB device traffic (which may be remote via usbip or usbredir). (CVE-2019-15505)

  - An issue was discovered in the Linux kernel before 4.20.2. An out-of-bounds access exists in the function     build_audio_procunit in the file sound/usb/mixer.c. (CVE-2019-15927)

  - An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check     the length of variable elements in a beacon head, leading to a buffer overflow. (CVE-2019-16746)

  - An issue was discovered in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has security relevance. (CVE-2019-17075)

  - fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer     dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka     CID-09ba3bc9dd15. (CVE-2019-18885)

  - A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel before     5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb()     failures, aka CID-fb5be6a7b486. (CVE-2019-19052)

  - Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow     attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout()     failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the     htc_connect_service() function, aka CID-853acf7caf10. (CVE-2019-19073)

  - In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in     kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-     buffer). (CVE-2019-19768)

  - In the Linux kernel through 5.4.6, there is a NULL pointer dereference in     drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related     to a PHY down race condition, aka CID-f70267f379b5. (CVE-2019-19965)

  - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in     fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. (CVE-2019-20054)

  - In the Linux kernel before 5.1, there is a memory leak in __feat_register_sp() in net/dccp/feat.c, which     may cause denial of service, aka CID-1d3ff0950e2b. (CVE-2019-20096)

  - An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in     net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain     failure case involving TPACKET_V3, aka CID-b43d1f9f7067. (CVE-2019-20812)

  - A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN     and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't     correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would     allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this     vulnerability is to data confidentiality. (CVE-2020-1749)

  - A flaw was found in the Linux kernel's implementation of GRO in versions before 5.2. This flaw allows an     attacker with local access to crash the system. (CVE-2020-10720)

  - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it     incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly     only validate the first netlink message in the skb and allow or deny the rest of the messages within the     skb with the granted permission without further processing. (CVE-2020-10751)

  - A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in     crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4     bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat,     leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of     service. (CVE-2020-10769)

  - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file     system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash     the system if the directory exists. The highest threat from this vulnerability is to system availability.
    (CVE-2020-14314)

  - A flaw was found in the Linux kernels implementation of the invert video code on VGA consoles when a     local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds     write to occur. This flaw allows a local user with access to the VGA console to crash the system,     potentially escalating their privileges on the system. The highest threat from this vulnerability is to     data confidentiality and integrity as well as system availability. (CVE-2020-14331)

  - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers     to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)

  - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap     rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)

  - A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified     other impact, aka CID-17743798d812. (CVE-2020-25285)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2020-1495 advisory.

  - In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some     operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in     fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to     a right data structure. (CVE-2019-19448)

  - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file     system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash     the system if the directory exists. The highest threat from this vulnerability is to system availability.
    (CVE-2020-14314)

  - A flaw was found in the Linux kernels implementation of the invert video code on VGA consoles when a     local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds     write to occur. This flaw allows a local user with access to the VGA console to crash the system,     potentially escalating their privileges on the system. The highest threat from this vulnerability is to     data confidentiality and integrity as well as system availability. (CVE-2020-14331)

  - In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could     overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in     ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.
    (CVE-2020-25211)

  - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers     to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)

  - A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified     other impact, aka CID-17743798d812. (CVE-2020-25285)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Buffer overflow in i40e driver for Intel(R) Ethernet     700 Series Controllers versions before 7.0 may allow an     authenticated user to potentially enable an escalation     of privilege via local access.(CVE-2019-0145)

  - Insufficient input validation in i40e driver for     Intel(R) Ethernet 700 Series Controllers versions     before 7.0 may allow an authenticated user to     potentially enable a denial of service via local     access.(CVE-2019-0147)

  - In the Linux kernel through 5.8.7, local attackers able     to inject conntrack netlink configuration could     overflow a local buffer, causing crashes or triggering     use of incorrect protocol numbers in     ctnetlink_parse_tuple_filter in     net/netfilter/nf_conntrack_netlink.c, aka     CID-1cc5ef91d2ff.(CVE-2020-25211)

  - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the     NFS server) can set incorrect permissions on new     filesystem objects when the filesystem lacks ACL     support, aka CID-22cf8419f131. This occurs because the     current umask is not considered.(CVE-2020-24394)

  - A flaw was found in the Linux kernel in versions from     2.2.3 through 5.9.rc5. When changing screen size, an     out-of-bounds memory write can occur leading to memory     corruption or a denial of service. This highest threat     from this vulnerability is to system     availability.(CVE-2020-14390)

  - A flaw was found in the Linux kernel before 5.9-rc4. A     failure of the file system metadata validator in XFS     can cause an inode with a valid, user-creatable     extended attribute to be flagged as corrupt. This can     lead to the filesystem being shutdown, or otherwise     rendered inaccessible until it is remounted, leading to     a denial of service. The highest threat from this     vulnerability is to system     availability.(CVE-2020-14385)

  - The rbd block device driver in drivers/block/rbd.c in     the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which     could be leveraged by local attackers to map or unmap     rbd block devices, aka     CID-f44d04e696fe.(CVE-2020-25284)

  - In uvc_scan_chain_forward of uvc_driver.c, there is a     possible linked list corruption due to an unusual root     cause. This could lead to local escalation of privilege     in the kernel with no additional execution privileges     needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-111893654References: Upstream     kernel(CVE-2020-0404)

  - A TOCTOU mismatch in the NFS client code in the Linux     kernel before 5.8.3 could be used by local attackers to     corrupt memory or possibly have unspecified other     impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka     CID-b4487b935452.(CVE-2020-25212)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The Linux kernel through 5.7.11 allows remote attackers     to make observations that help to obtain sensitive     information about the internal state of the network     RNG, aka CID-f227e3ec3b5c. This is related to     drivers/char/random.c and     kernel/time/timer.c.(CVE-2020-16166)

  - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the     NFS server) can set incorrect permissions on new     filesystem objects when the filesystem lacks ACL     support, aka CID-22cf8419f131. This occurs because the     current umask is not considered.(CVE-2020-24394)

  - In uvc_scan_chain_forward of uvc_driver.c, there is a     possible linked list corruption due to an unusual root     cause. This could lead to local escalation of privilege     in the kernel with no additional execution privileges     needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-111893654References: Upstream     kernel(CVE-2020-0404)

  - A TOCTOU mismatch in the NFS client code in the Linux     kernel before 5.8.3 could be used by local attackers to     corrupt memory or possibly have unspecified other     impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka     CID-b4487b935452.(CVE-2020-25212)

  - A flaw was found in the Linux kernel before 5.9-rc4. A     failure of the file system metadata validator in XFS     can cause an inode with a valid, user-creatable     extended attribute to be flagged as corrupt. This can     lead to the filesystem being shutdown, or otherwise     rendered inaccessible until it is remounted, leading to     a denial of service. The highest threat from this     vulnerability is to system     availability.(CVE-2020-14385)

  - The rbd block device driver in drivers/block/rbd.c in     the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which     could be leveraged by local attackers to map or unmap     rbd block devices, aka     CID-f44d04e696fe.(CVE-2020-25284)

  - A flaw was found in the Linux kernel in versions from     2.2.3 through 5.9.rc5. When changing screen size, an     out-of-bounds memory write can occur leading to memory     corruption or a denial of service. This highest threat     from this vulnerability is to system     availability.(CVE-2020-14390)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leak.

CVE-2019-3874

Kernel buffers allocated by the SCTP network protocol were not limited by the memory cgroup controller. A local user could potentially use this to evade container memory limits and to cause a denial of service (excessive memory use).

CVE-2019-19448, CVE-2019-19813, CVE-2019-19816

'Team bobfuzzer' reported bugs in Btrfs that could lead to a use-after-free or heap buffer overflow, and could be triggered by crafted filesystem images. A user permitted to mount and access arbitrary filesystems could use these to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-10781

Luca Bruno of Red Hat discovered that the zram control file /sys/class/zram-control/hot_add was readable by all users. On a system with zram enabled, a local user could use this to cause a denial of service (memory exhaustion).

CVE-2020-12888

It was discovered that the PCIe Virtual Function I/O (vfio-pci) driver allowed users to disable a device's memory space while it was still mapped into a process. On some hardware platforms, local users or guest virtual machines permitted to access PCIe Virtual Functions could use this to cause a denial of service (hardware error and crash).

CVE-2020-14314

A bug was discovered in the ext4 filesystem that could lead to an out-of-bound read. A local user permitted to mount and access arbitrary filesystem images could use this to cause a denial of service (crash).

CVE-2020-14331

A bug was discovered in the VGA console driver's soft-scrollback feature that could lead to a heap buffer overflow. On a system with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK enabled, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14356

A bug was discovered in the cgroup subsystem's handling of socket references to cgroups. In some cgroup configurations, this could lead to a use-after-free. A local user might be able to use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14385

A bug was discovered in XFS, which could lead to an extended attribute (xattr) wrongly being detected as invalid. A local user with access to an XFS filesystem could use this to cause a denial of service (filesystem shutdown).

CVE-2020-14386

Or Cohen discovered a bug in the packet socket (AF_PACKET) implementation which could lead to a heap buffer overflow. A local user with the CAP_NET_RAW capability (in any user namespace) could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14390

Minh Yuan discovered a bug in the framebuffer console driver's scrollback feature that could lead to a heap buffer overflow. On a system using framebuffer consoles, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

The scrollback feature has been disabled for now, as no other fix was available for this issue.

CVE-2020-16166

Amit Klein reported that the random number generator used by the network stack might not be re-seeded for long periods of time, making e.g. client port number allocations more predictable. This made it easier for remote attackers to carry out some network- based attacks such as DNS cache poisoning or device tracking.

CVE-2020-25212

A bug was discovered in the NFSv4 client implementation that could lead to a heap buffer overflow. A malicious NFS server could use this to cause a denial of service (crash or memory corruption) or possibly to execute arbitrary code on the client.

CVE-2020-25284

It was discovered that the Rados block device (rbd) driver allowed tasks running as uid 0 to add and remove rbd devices, even if they dropped capabilities. On a system with the rbd driver loaded, this might allow privilege escalation from a container with a task running as root.

CVE-2020-25285

A race condition was discovered in the hugetlb filesystem's sysctl handlers, that could lead to stack corruption. A local user permitted to write to hugepages sysctls could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. By default only the root user can do this.

CVE-2020-25641

The syzbot tool found a bug in the block layer that could lead to an infinite loop. A local user with access to a raw block device could use this to cause a denial of service (unbounded CPU use and possible system hang).

CVE-2020-26088

It was discovered that the NFC (Near Field Communication) socket implementation allowed any user to create raw sockets. On a system with an NFC interface, this allowed local users to evade local network security policy.

For Debian 9 stretch, these problems have been fixed in version 4.19.146-1~deb9u1. This update additionally fixes Debian bugs #966846, #966917, and #968567; and includes many more bug fixes from stable updates 4.19.133-4.19.146 inclusive.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux-4.19

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4527-1 advisory.

  - In the Android kernel in F2FS driver there is a possible out of bounds read due to a missing bounds check.
    This could lead to local information disclosure with system execution privileges needed. User interaction     is not needed for exploitation. (CVE-2019-9445)

  - In the Android kernel in F2FS touch driver there is a possible out of bounds read due to improper input     validation. This could lead to local information disclosure with system execution privileges needed. User     interaction is not needed for exploitation. (CVE-2019-9453)

  - A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux     kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering     kfifo_alloc() failures, aka CID-a7b2df76b42b. (CVE-2019-19054)

  - Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow     attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout()     failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the     htc_connect_service() function, aka CID-853acf7caf10. (CVE-2019-19073)

  - A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
    (CVE-2019-19074)

  - An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and     netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.
    (CVE-2019-20811)

  - In f2fs_xattr_generic_list of xattr.c, there is a possible out of bounds read due to a missing bounds     check. This could lead to local information disclosure with System execution privileges needed. User     interaction is not required for exploitation.Product: Android. Versions: Android kernel. Android ID:
    A-120551147. (CVE-2020-0067)

  - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers     to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4525-1 advisory.

  - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.
    (CVE-2019-18808)

  - A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux     kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering     kfifo_alloc() failures, aka CID-a7b2df76b42b. (CVE-2019-19054)

  - The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory     space. (CVE-2020-12888)

  - The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive     information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to     drivers/char/random.c and kernel/time/timer.c. (CVE-2020-16166)

  - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers     to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
141961	Amazon Linux AMI : kernel (ALAS-2020-1437)	Nessus	Amazon Linux Local Security Checks	high
141789	Slackware 14.2 : Slackware 14.2 kernel (SSA:2020-295-01)	Nessus	Slackware Local Security Checks	high
141559	openSUSE Security Update : the Linux Kernel (openSUSE-2020-1698)	Nessus	SuSE Local Security Checks	high
141546	RHEL 7 : kernel-alt (RHSA-2020:4279)	Nessus	Red Hat Local Security Checks	medium
141514	openSUSE Security Update : the Linux Kernel (openSUSE-2020-1682)	Nessus	SuSE Local Security Checks	medium
141448	Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel vulnerabilities (USN-4578-1)	Nessus	Ubuntu Local Security Checks	medium
141445	Photon OS 2.0: Linux PHSA-2020-2.0-0288	Nessus	PhotonOS Local Security Checks	high
141396	Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2020-5885)	Nessus	Oracle Linux Local Security Checks	high
141395	Oracle Linux 8 : Unbreakable Enterprise kernel (ELSA-2020-5884)	Nessus	Oracle Linux Local Security Checks	high
141388	openSUSE Security Update : the Linux Kernel (openSUSE-2020-1655)	Nessus	SuSE Local Security Checks	high
141374	OracleVM 3.4 : Unbreakable / etc (OVMSA-2020-0044)	Nessus	OracleVM Local Security Checks	critical
141332	EulerOS 2.0 SP9 : kernel (EulerOS-SA-2020-2166)	Nessus	Huawei Local Security Checks	high
141329	EulerOS : kernel (EulerOS-SA-2020-2176)	Nessus	Huawei Local Security Checks	high
141207	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5866)	Nessus	Oracle Linux Local Security Checks	critical
141106	Amazon Linux 2 : kernel (ALAS-2020-1495)	Nessus	Amazon Linux Local Security Checks	high
140999	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-2151)	Nessus	Huawei Local Security Checks	high
140959	EulerOS Virtualization for ARM 64 3.0.6.0 : kernel (EulerOS-SA-2020-2011)	Nessus	Huawei Local Security Checks	high
140933	Debian DLA-2385-1 : linux-4.19 security update	Nessus	Debian Local Security Checks	high
140724	Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-4527-1)	Nessus	Ubuntu Local Security Checks	medium
140723	Ubuntu 20.04 LTS : Linux kernel vulnerabilities (USN-4525-1)	Nessus	Ubuntu Local Security Checks	medium
140708	Photon OS 3.0: Linux PHSA-2020-3.0-0142	Nessus	PhotonOS Local Security Checks	medium

CVE-2020-25212

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins