https://bugzilla.redhat.com/show_bug.cgi?id=1876995

FEDORA-2021-1db4ab0a3d

FEDORA-2021-a2d3ad5dda

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in the Linux kernel through     5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an     iSCSI transport is registered with the iSCSI subsystem,     the transport's handle is available to unprivileged     users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - An issue was discovered in the Linux kernel through     5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged     user to craft Netlink messages.(CVE-2021-27364)

  - A NULL pointer dereference flaw was found in the Linux     kernel's GPU Nouveau driver functionality in versions     prior to 5.12-rc1 in the way the user calls ioctl     DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw allows a     local user to crash the system.(CVE-2020-25639)

  - Overlayfs did not properly perform permission checking     when copying up files in an overlayfs and could be     exploited from within a user namespace, if, for     example, unprivileged user namespaces were allowed. It     was possible to have a file not readable by an     unprivileged user to be copied to a mountpoint     controlled by the user, like a removable device. This     was introduced in kernel version 4.19 by commit d1d04ef     ('ovl: stack file ops'). This was fixed in kernel     version 5.8 by commits 56230d9 ('ovl: verify     permissions in ovl_path_open()'), 48bd024 ('ovl: switch     to mounter creds in readdir') and 05acefb ('ovl: check     permission to open real file'). Additionally, commits     130fdbc ('ovl: pass correct flags for opening real     directory') and 292f902 ('ovl: call secutiry hook in     ovl_real_ioctl()') in kernel 5.8 might also be desired     or necessary. These additional commits introduced a     regression in overlay mounts within user namespaces     which prevented access to files with ownership outside     of the user namespace. This regression was mitigated by     subsequent commit b6650da ('ovl: do not fail because of     O_NOATIMEi') in kernel 5.11.(CVE-2020-16120)

  - In various methods of hid-multitouch.c, there is a     possible out of bounds write due to a missing bounds     check. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-162844689References: Upstream kernel(CVE-2020-0465)

  - nbd_add_socket in drivers/block/nbd.c in the Linux     kernel through 5.10.12 has an ndb_queue_rq     use-after-free that could be triggered by local     attackers (with access to the nbd device) via an I/O     request at a certain point during device setup, aka     CID-b98e762e3d71.(CVE-2021-3348)

  - An issue was discovered in the Linux kernel through     5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute     code in the kernel, aka     CID-34b1a1ce1458.(CVE-2021-3347)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4945-2 advisory.

  - A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in     versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw     allows a local user to crash the system. (CVE-2020-25639)

  - An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the     netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of     changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior     of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.
    (CVE-2021-28038)

  - An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in     drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka     CID-20c40794eb85. This is a related issue to CVE-2019-2308. (CVE-2021-28375)

  - rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6     allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases,     CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may     have situations in which a drivers/staging issue is relevant to their own customer base. (CVE-2021-28660)

  - An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in     drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up     sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70.
    (CVE-2021-29265)

  - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to     cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h     lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
    (CVE-2021-29650)

  - An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.
    (CVE-2021-30002)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4945-1 advisory.

  - A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in     versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw     allows a local user to crash the system. (CVE-2020-25639)

  - An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the     netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of     changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior     of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.
    (CVE-2021-28038)

  - An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in     drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka     CID-20c40794eb85. This is a related issue to CVE-2019-2308. (CVE-2021-28375)

  - rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6     allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases,     CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may     have situations in which a drivers/staging issue is relevant to their own customer base. (CVE-2021-28660)

  - An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in     drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up     sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70.
    (CVE-2021-29265)

  - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to     cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h     lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
    (CVE-2021-29650)

  - An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.
    (CVE-2021-30002)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 20.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4949-1 advisory.

  - A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in     versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw     allows a local user to crash the system. (CVE-2020-25639)

  - An issue was discovered in the Linux kernel 3.11 through 5.10.16, as used by Xen. To service requests to     the PV backend, the driver maps grant references provided by the frontend. In this process, errors may be     encountered. In one case, an error encountered earlier might be discarded by later processing, resulting     in the caller assuming successful mapping, and hence subsequent operations trying to access space that     wasn't mapped. In another case, internal state would be insufficiently updated, preventing safe recovery     from the error. This affects drivers/block/xen-blkback/blkback.c. (CVE-2021-26930)

  - An issue was discovered in the Linux kernel 2.6.39 through 5.10.16, as used in Xen. Block, net, and SCSI     backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially     being at least under the influence of guests (such as out of memory conditions), it isn't correct to     assume a plain bug. Memory allocations potentially causing such crashes occur only when Linux is running     in PV mode, though. This affects drivers/block/xen-blkback/blkback.c and drivers/xen/xen-scsiback.c.
    (CVE-2021-26931)

  - An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in     drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka     CID-20c40794eb85. This is a related issue to CVE-2019-2308. (CVE-2021-28375)

  - An issue was discovered in the Linux kernel through 5.11.10. drivers/net/ethernet/freescale/gianfar.c in     the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negative fragment     size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is     enabled, aka CID-d8861bab48b6. (CVE-2021-29264)

  - An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in     drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up     sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70.
    (CVE-2021-29265)

  - An issue was discovered in the Linux kernel before 5.11.9. drivers/vhost/vdpa.c has a use-after-free     because v->config_ctx has an invalid value upon re-opening a character device, aka CID-f6bbf0010ba0.
    (CVE-2021-29266)

  - An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does     not properly validate certain data sizes, aka CID-0217ed2848e8. (CVE-2021-29646)

  - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to     cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h     lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
    (CVE-2021-29650)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in the Linux kernel through     5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an     iSCSI transport is registered with the iSCSI subsystem,     the transport's handle is available to unprivileged     users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - An issue was discovered in the Linux kernel through     5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged     user to craft Netlink messages.(CVE-2021-27364)

  - Overlayfs did not properly perform permission checking     when copying up files in an overlayfs and could be     exploited from within a user namespace, if, for     example, unprivileged user namespaces were allowed. It     was possible to have a file not readable by an     unprivileged user to be copied to a mountpoint     controlled by the user, like a removable device. This     was introduced in kernel version 4.19 by commit d1d04ef     ('ovl: stack file ops'). This was fixed in kernel     version 5.8 by commits 56230d9 ('ovl: verify     permissions in ovl_path_open()'), 48bd024 ('ovl: switch     to mounter creds in readdir') and 05acefb ('ovl: check     permission to open real file'). Additionally, commits     130fdbc ('ovl: pass correct flags for opening real     directory') and 292f902 ('ovl: call secutiry hook in     ovl_real_ioctl()') in kernel 5.8 might also be desired     or necessary. These additional commits introduced a     regression in overlay mounts within user namespaces     which prevented access to files with ownership outside     of the user namespace. This regression was mitigated by     subsequent commit b6650da ('ovl: do not fail because of     O_NOATIMEi') in kernel 5.11.(CVE-2020-16120)

  - A flaw was found in the Linux kernel's implementation     of string matching within a packet. A privileged user     (with root or CAP_NET_ADMIN) when inserting iptables     rules could insert a rule which can panic the     system.(CVE-2021-20177)

  - fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8,     when there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)

  - nbd_add_socket in drivers/block/nbd.c in the Linux     kernel through 5.10.12 has an ndb_queue_rq     use-after-free that could be triggered by local     attackers (with access to the nbd device) via an I/O     request at a certain point during device setup, aka     CID-b98e762e3d71.(CVE-2021-3348)

  - An issue was discovered in the Linux kernel through     5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute     code in the kernel, aka     CID-34b1a1ce1458.(CVE-2021-3347)

  - A flaw use after free in the Linux kernel TUN/TAP     device driver functionality was found in the way user     create and use tun/tap device. A local user could use     this flaw to crash the system or possibly escalate     their privileges on the system.(CVE-2021-0342)

  - A flaw was found in the Linux kernel. A use-after-free     memory flaw was found in the perf subsystem allowing a     local attacker with permission to monitor perf events     to corrupt memory and possibly escalate privileges. The     highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-14351)

  - A flaw was found in the Linux kernel's multi-touch     input system. An out-of-bounds write triggered by a     use-after-free issue could lead to memory corruption or     possible privilege escalation. The highest threat from     this vulnerability is to confidentiality, integrity, as     well as system availability.(CVE-2020-0465)

  - A NULL pointer dereference flaw was found in the Linux     kernel's GPU Nouveau driver functionality in the way     the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC.
    This flaw allows a local user to crash the     system.(CVE-2020-25639)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4911-1 advisory.

  - A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in     versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw     allows a local user to crash the system. (CVE-2020-25639)

  - An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the     netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of     changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior     of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.
    (CVE-2021-28038)

  - An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in     drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka     CID-20c40794eb85. This is a related issue to CVE-2019-2308. (CVE-2021-28375)

  - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A stall on CPU can occur     because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9140 advisory.

  - A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in     versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw     allows a local user to crash the system. (CVE-2020-25639)

  - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-     of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects     pointer types that do not define a ptr_limit. (CVE-2020-27170)

  - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error     (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to     side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory,     aka CID-10d2bb2e6b1d. (CVE-2020-27171)

  - An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1     Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit     631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so its likely that all     versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability,     which leads to the kernel leaking memory contents. (CVE-2020-28588)

  - The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when     the source register was known to be 0. A local attacker with the ability to load bpf programs could use     this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and     possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in     the upstream kernel in commit 9b00f1b78809 (bpf: Fix truncation handling for mod32 dst reg wrt zero) and     in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. (CVE-2021-3444)

  - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI     subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the     pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)

  - An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)

  - An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a     Netlink message. (CVE-2021-27365)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9141 advisory.

  - A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in     versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw     allows a local user to crash the system. (CVE-2020-25639)

  - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-     of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects     pointer types that do not define a ptr_limit. (CVE-2020-27170)

  - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error     (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to     side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory,     aka CID-10d2bb2e6b1d. (CVE-2020-27171)

  - An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1     Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit     631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so its likely that all     versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability,     which leads to the kernel leaking memory contents. (CVE-2020-28588)

  - The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when     the source register was known to be 0. A local attacker with the ability to load bpf programs could use     this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and     possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in     the upstream kernel in commit 9b00f1b78809 (bpf: Fix truncation handling for mod32 dst reg wrt zero) and     in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. (CVE-2021-3444)

  - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI     subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the     pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)

  - An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)

  - An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a     Netlink message. (CVE-2021-27365)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 33 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2021-a2d3ad5dda advisory.

  - A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in     versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw     allows a local user to crash the system. (CVE-2020-25639)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 32 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2021-1db4ab0a3d advisory.

  - A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in     versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw     allows a local user to crash the system. (CVE-2020-25639)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).

CVE-2020-10781: A flaw was found in the ZRAM kernel module, where a user with a local account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the creation of that ZRAM device.
With this vulnerability, continually reading the device may consume a large amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random userspace processes, possibly making the system inoperable (bnc#1173074).

CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).

CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).

CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).

CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).

CVE-2020-29371: An issue was discovered in romfs_dev_read in fs/romfs/storage.c where uninitialized memory leaks to userspace (bnc#1179429).

CVE-2020-15437: Fixed a NULL pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).

CVE-2019-20806: Fixed a NULL pointer dereference in tw5864_handle_frame() in drivers/media/pci/tw5864/tw5864-video.c, which may cause denial of service (bnc#1172199).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket() that could be triggered by local attackers (with access to the nbd device) via an I/O request (bnc#1181504).

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).

CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-29371: Fixed uninitialized memory leaks to userspace (bsc#1179429).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).

CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).

CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).

CVE-2020-15437: Fixed a NULL pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP2 realtime kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-25211: Fixed a flaw where a local attacker was able to inject conntrack netlink configuration that could cause a denial of service or trigger the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter (bnc#1176395).

CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-25211: Fixed a flaw where a local attacker was able to inject conntrack netlink configuration that could cause a denial of service or trigger the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter (bnc#1176395).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-36158: Fixed an issue wich might have allowed a remote attackers to execute arbitrary code via a long SSID value in mwifiex_cmd_802_11_ad_hoc_start() (bnc#1180559).

CVE-2020-28374: Fixed a vulnerability caused by insufficient identifier checking in the LIO SCSI target code. This could have been used by a remote attackers to read or write files via directory traversal in an XCOPY request (bnc#1178372).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-25211: Fixed a flaw where a local attacker was able to inject conntrack netlink configuration that could cause a denial of service or trigger the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter (bnc#1176395).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
150214	EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-1929)	Nessus	Huawei Local Security Checks	high
149661	Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel (Raspberry Pi) vulnerabilities (USN-4945-2)	Nessus	Ubuntu Local Security Checks	high
149416	Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-4945-1)	Nessus	Ubuntu Local Security Checks	high
149411	Ubuntu 20.04 LTS / 20.10 : Linux kernel vulnerabilities (USN-4949-1)	Nessus	Ubuntu Local Security Checks	high
148604	EulerOS Virtualization 2.9.0 : kernel (EulerOS-SA-2021-1751)	Nessus	Huawei Local Security Checks	high
148496	Ubuntu 20.04 LTS : Linux kernel (OEM) vulnerabilities (USN-4911-1)	Nessus	Ubuntu Local Security Checks	high
148459	Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2021-9140)	Nessus	Oracle Linux Local Security Checks	high
148458	Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2021-9141)	Nessus	Oracle Linux Local Security Checks	high
147554	Fedora 33 : kernel / kernel-headers / kernel-tools (2021-a2d3ad5dda)	Nessus	Fedora Local Security Checks	medium
147469	Fedora 32 : kernel / kernel-headers / kernel-tools (2021-1db4ab0a3d)	Nessus	Fedora Local Security Checks	medium
146685	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0532-1)	Nessus	SuSE Local Security Checks	high
146474	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0438-1)	Nessus	SuSE Local Security Checks	high
146470	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0434-1)	Nessus	SuSE Local Security Checks	high
146406	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0427-1)	Nessus	SuSE Local Security Checks	high
146366	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:0354-1)	Nessus	SuSE Local Security Checks	high
146362	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0348-1)	Nessus	SuSE Local Security Checks	high
146359	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0353-1)	Nessus	SuSE Local Security Checks	high
145320	openSUSE Security Update : the Linux Kernel (openSUSE-2021-60)	Nessus	SuSE Local Security Checks	medium
145287	openSUSE Security Update : the Linux Kernel (openSUSE-2021-75)	Nessus	SuSE Local Security Checks	medium

CVE-2020-25639

No Score

New! CVE Severity Now Using CVSS v3

Description

References

Details

Tenable Plugins

high

high

high

high

high

high

high

high

medium

medium

high

high

high

high

high

high

high

medium

medium