https://source.android.com/security/bulletin/pixel/2020-12-01

The remote OracleVM system is missing necessary patches to address critical security updates :

  - ocfs2: subsystem.su_mutex is required while accessing     the item->ci_parent (alex chen) [Orabug: 29184589]     (CVE-2017-18216)

  - bcache: fix potential deadlock problem in     btree_gc_coalesce (Zhiqiang Liu) (CVE-2020-12771)

  - filldir[64]: remove WARN_ON_ONCE for bad directory     entries (Linus Torvalds) [Orabug: 31351271]     (CVE-2019-10220)

  - Make filldir[64] verify the directory entry filename is     valid (Linus Torvalds) [Orabug: 31351271]     (CVE-2019-10220)

  - ath9k: release allocated buffer if timed out (Navid     Emamdoost) [Orabug: 31351559] (CVE-2019-19074)

  - scsi: bfa: release allocated memory in case of error     (Navid Emamdoost) [Orabug: 31351615] (CVE-2019-19066)

  - rtlwifi: prevent memory leak in rtl_usb_probe (Navid     Emamdoost) [Orabug: 31351626] (CVE-2019-19063)

  - perf/core: Fix perf_event_open vs. execve race (Peter     Zijlstra) [Orabug: 31351766] (CVE-2019-3901)

  - l2tp: pass tunnel pointer to ->session_create (Guillaume     Nault) [Orabug: 31352004] (CVE-2018-9517)

  - net: bonding: add new option arp_allslaves for     arp_ip_target (Venkat Venkatsubra) [Orabug: 33039295]

  - Revert 'uek-rpm: mark /etc/ld.so.conf.d/ files as     %config' (aloktiw) [Orabug: 33359684]

  - ksplice: Fix build warning with ksplice_sysctls (John     Donnelly) [Orabug: 33365274]

  - kvm:vmx Fix build error in kvm/vmx.c (John Donnelly)     [Orabug: 33375485]

  - vmscan: Fix build error in mm/vmscan.c (John Donnelly)     [Orabug: 33375931]

  - constify iov_iter_count and iter_is_iovec (Al Viro)     [Orabug: 33381741]

  - fs/namespace.c: fix mountpoint reference counter race     (Piotr Krysiuk) [Orabug: 31350976] (CVE-2020-12114)     (CVE-2020-12114)

  - btrfs: only search for left_info if there is no     right_info in try_merge_free_space (Josef Bacik)     [Orabug: 31351025] (CVE-2019-19448) (CVE-2019-19448)

  - cfg80211: wext: avoid copying malformed SSIDs (Will     Deacon) [Orabug: 31351800] (CVE-2019-17133)

  - vhost_net: fix possible infinite loop (Jason Wang)     [Orabug: 31351950] (CVE-2019-3900) (CVE-2019-3900)

  - vhost: introduce vhost_exceeds_weight (Jason Wang)     [Orabug: 31351950] (CVE-2019-3900)

  - vhost_net: introduce vhost_exceeds_weight (Jason Wang)     [Orabug: 31351950] (CVE-2019-3900)

  - vhost_net: use packet weight for rx handler, too (Paolo     Abeni) [Orabug: 31351950] (CVE-2019-3900)

  - vhost-net: set packet weight of tx polling to 2 * vq     size (haibinzhang(&#x5F20 &#x6D77 &#x658C )) [Orabug:
    31351950] (CVE-2019-3900)

  - mac80211: extend protection against mixed key and     fragment cache attacks (Wen Gong) [Orabug: 33009788]     (CVE-2020-24586) (CVE-2020-26139) (CVE-2020-24587)     (CVE-2020-24588) (CVE-2020-26139) (CVE-2020-26140)     (CVE-2020-26141) (CVE-2020-26142) (CVE-2020-26143)     (CVE-2020-26144) (CVE-2020-26145) (CVE-2020-26146)     (CVE-2020-26147) (CVE-2020-24586) (CVE-2020-24587)

  - mac80211: do not accept/forward invalid EAPOL frames     (Johannes Berg) [Orabug: 33009788] (CVE-2020-24586)     (CVE-2020-26139) (CVE-2020-24587) (CVE-2020-24588)     (CVE-2020-26139) (CVE-2020-26140) (CVE-2020-26141)     (CVE-2020-26142) (CVE-2020-26143) (CVE-2020-26144)     (CVE-2020-26145) (CVE-2020-26146) (CVE-2020-26147)

  - mac80211: prevent attacks on TKIP/WEP as well (Johannes     Berg) [Orabug: 33009788] (CVE-2020-24586)     (CVE-2020-26139) (CVE-2020-24587) (CVE-2020-24588)     (CVE-2020-26139) (CVE-2020-26140) (CVE-2020-26141)     (CVE-2020-26142) (CVE-2020-26143) (CVE-2020-26144)     (CVE-2020-26145) (CVE-2020-26146) (CVE-2020-26147)

  - mac80211: check defrag PN against current frame     (Johannes Berg) [Orabug: 33009788] (CVE-2020-24586)     (CVE-2020-26139) (CVE-2020-24587) (CVE-2020-24588)     (CVE-2020-26139) (CVE-2020-26140) (CVE-2020-26141)     (CVE-2020-26142) (CVE-2020-26143) (CVE-2020-26144)     (CVE-2020-26145) (CVE-2020-26146) (CVE-2020-26147)

  - mac80211: add fragment cache to sta_info (Johannes Berg)     [Orabug: 33009788] (CVE-2020-24586) (CVE-2020-26139)     (CVE-2020-24587) (CVE-2020-24588) (CVE-2020-26139)     (CVE-2020-26140) (CVE-2020-26141) (CVE-2020-26142)     (CVE-2020-26143) (CVE-2020-26144) (CVE-2020-26145)     (CVE-2020-26146) (CVE-2020-26147)

  - mac80211: drop A-MSDUs on old ciphers (Johannes Berg)     [Orabug: 33009788] (CVE-2020-24586) (CVE-2020-26139)     (CVE-2020-24587) (CVE-2020-24588) (CVE-2020-26139)     (CVE-2020-26140) (CVE-2020-26141) (CVE-2020-26142)     (CVE-2020-26143) (CVE-2020-26144) (CVE-2020-26145)     (CVE-2020-26146) (CVE-2020-26147) (CVE-2020-24588)

  - cfg80211: mitigate A-MSDU aggregation attacks (Mathy     Vanhoef) [Orabug: 33009788] (CVE-2020-24586)     (CVE-2020-26139) (CVE-2020-24587) (CVE-2020-24588)     (CVE-2020-26139) (CVE-2020-26140) (CVE-2020-26141)     (CVE-2020-26142) (CVE-2020-26143) (CVE-2020-26144)     (CVE-2020-26145) (CVE-2020-26146) (CVE-2020-26147)     (CVE-2020-24588)

  - mac80211: properly handle A-MSDUs that start with an RFC     1042 header (Mathy Vanhoef) [Orabug: 33009788]     (CVE-2020-24586) (CVE-2020-26139) (CVE-2020-24587)     (CVE-2020-24588) (CVE-2020-26139) (CVE-2020-26140)     (CVE-2020-26141) (CVE-2020-26142) (CVE-2020-26143)     (CVE-2020-26144) (CVE-2020-26145) (CVE-2020-26146)     (CVE-2020-26147)

  - mac80211: prevent mixed key and fragment cache attacks     (Mathy Vanhoef) [Orabug: 33009788] (CVE-2020-24586)     (CVE-2020-26139) (CVE-2020-24587) (CVE-2020-24588)     (CVE-2020-26139) (CVE-2020-26140) (CVE-2020-26141)     (CVE-2020-26142) (CVE-2020-26143) (CVE-2020-26144)     (CVE-2020-26145) (CVE-2020-26146) (CVE-2020-26147)     (CVE-2020-24587) (CVE-2020-24586)

  - mac80211: assure all fragments are encrypted (Mathy     Vanhoef) [Orabug: 33009788] (CVE-2020-24586)     (CVE-2020-26139) (CVE-2020-24587) (CVE-2020-24588)     (CVE-2020-26139) (CVE-2020-26140) (CVE-2020-26141)     (CVE-2020-26142) (CVE-2020-26143) (CVE-2020-26144)     (CVE-2020-26145) (CVE-2020-26146) (CVE-2020-26147)     (CVE-2020-26147)

  - sctp: validate from_addr_param return (Marcelo Ricardo     Leitner) [Orabug: 33198409] (CVE-2021-3655)

  - virtio_console: Assure used length from device is     limited (Xie Yongji) [Orabug: 33209274] (CVE-2021-38160)

  - net_sched: cls_route: remove the right filter from     hashtable (Cong Wang) [Orabug: 33326887] (CVE-2021-3715)

  - HID: make arrays usage and value to be the same (Will     McVicker) [Orabug: 33326939] (CVE-2021-0512)

  - ext4: fix race writing to an inline_data file while its     xattrs are changing (Theodore Ts'o) [Orabug: 33327200]     (CVE-2021-40490)

  - x86/mm: Fix compiler warning in pageattr.c (John     Donnelly) [Orabug: 33332673]

  - security: Make inode argument of inode_getsecid     non-const (Andreas Gruenbacher) [Orabug: 33337179]

  - security: Make inode argument of inode_getsecurity     non-const (Andreas Gruenbacher) [Orabug: 33337179]

  - cfg80211: Define nla_policy for     NL80211_ATTR_LOCAL_MESH_POWER_MODE (Srinivas Dasari)     [Orabug: 31351335] (CVE-2017-11089)

  - ocfs2: issue zeroout to EOF blocks (Junxiao Bi) [Orabug:
    32974989]

  - ocfs2: fix zero out valid data (Junxiao Bi) [Orabug:
    32974989]

  - ocfs2: fix data corruption by fallocate (Junxiao Bi)     [Orabug: 32974989]

  - l2tp: fix l2tp_eth module loading (Guillaume Nault)     [Orabug: 33114384] (CVE-2020-27067)

  - af_key: pfkey_dump needs parameter validation (Mark     Salyzyn) [Orabug: 33114539] (CVE-2021-0605)

  - af_key: Add lock to key dump (Yuejie Shi) [Orabug:
    33114539] (CVE-2021-0605)

  - Input: joydev - prevent use of not validated data in     JSIOCSBTNMAP ioctl (Alexander Larkin) [Orabug: 33114989]     (CVE-2021-3612)

  - Input: joydev - prevent potential read overflow in ioctl     (Dan Carpenter) [Orabug: 33114989] (CVE-2021-3612)

  - tracing: Fix bug in rb_per_cpu_empty that might cause     deadloop. (Haoran Luo) [Orabug: 33198437]     (CVE-2021-3679)

  - dtrace: Corrects - warning: assignment makes pointer     from integer without a cast (John Donnelly) [Orabug:
    33314947]

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):An issue was discovered in     the Linux kernel before 5.11.3 when a webcam device     exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak     for large arguments, aka     CID-fb18802a338b.(CVE-2021-30002)A flaw was found in     the JFS filesystem code. This flaw allows a local     attacker with the ability to set extended attributes to     panic the system, causing memory corruption or     escalating privileges. The highest threat from this     vulnerability is to confidentiality, integrity, as well     as system availability.(CVE-2020-27815)An out-of-bounds     (OOB) memory access flaw was found in x25_bind in     net/x25/af_x25.c in the Linux kernel. A bounds check     failure allows a local attacker with a user account on     the system to gain access to out-of-bounds memory,     leading to a system crash or a leak of internal kernel     information. The highest threat from this vulnerability     is to confidentiality, integrity, as well as system     availability.(CVE-2020-35519)There is a flaw reported     in drivers/gpu/drm/ nouveau/ nouveau_sgdma.c in     nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The     issue results from the lack of validating the existence     of an object prior to performing operations on the     object. An attacker with a local account with a root     privilege, can leverage this vulnerability to escalate     privileges and execute code in the context of the     kernel.(CVE-2021-20292)In     drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux     kernel through 5.11.8, the RPA PCI Hotplug driver has a     user-tolerable buffer overflow when writing a new     device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame     directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination,     aka CID-cc7a0bb058b8.(CVE-2021-28972)A race condition     was discovered in get_old_root in fs/btrfs/ctree.c in     the Linux kernel through 5.11.8. It allows attackers to     cause a denial of service (BUG) because of a lack of     locking on an extent buffer before a cloning operation,     aka CID-dbcc7d57bffc.(CVE-2021-28964)An issue was     discovered in the Linux kernel before 5.11.7.
    usbip_sockfd_store in drivers/usb/usbip/stub_dev.c     allows attackers to cause a denial of service (GPF)     because the stub-up sequence has race conditions during     an update of the local and shared status, aka     CID-9380afd6df70.(CVE-2021-29265)A flaw was found in     the Linux kernel. A denial of service problem is     identified if an extent tree is corrupted in a crafted     ext4 filesystem in fs/ext4/extents.c in     ext4_es_cache_extent. Fabricating an integer overflow,     A local attacker with a special user privilege may     cause a system crash problem which can lead to an     availability threat.(CVE-2021-3428)BPF JIT compilers in     the Linux kernel through 5.11.12 have incorrect     computation of branch displacements, allowing them to     execute arbitrary code within the kernel context. This     affects arch/x86/ net/bpf_jit_comp.c and arch/x86/     net/bpf_jit_comp32.c.(CVE-2021-29154)A flaw was found     in the way memory resources were freed in the     unix_stream_recvmsg function in the Linux kernel when a     signal was pending. This flaw allows an unprivileged     local user to crash the system by exhausting available     memory. The highest threat from this vulnerability is     to system availability.(CVE-2021-20265)In the l2tp     subsystem, there is a possible use after free due to a     race condition. This could lead to local escalation of     privilege with System execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-152409173(CVE-2020-27067)A flaw was found in the Nosy     driver in the Linux kernel. This issue allows a device     to be inserted twice into a doubly-linked list, leading     to a use-after-free when one of these devices is     removed. The highest threat from this vulnerability is     to confidentiality, integrity, as well as system     availability.(CVE-2021-3483)kernel: memory leak in     llcp_sock_connect()(CVE-2020-25672)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c,     there is a possible use after free due to a logic     error. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-147802478References: Upstream kernel(CVE-2020-0466)

  - In the l2tp subsystem, there is a possible use after     free due to a race condition. This could lead to local     escalation of privilege with System execution     privileges needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-152409173(CVE-2020-27067)

  - In the nl80211_policy policy of nl80211.c, there is a     possible out of bounds read due to a missing bounds     check. This could lead to local information disclosure     with System execution privileges needed. User     interaction is not required for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-119770583(CVE-2020-27068)

  - In audit_free_lsm_field of auditfilter.c, there is a     possible bad kfree due to a logic error in     audit_data_to_entry. This could lead to local     escalation of privilege with no additional execution     privileges needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-150693166References: Upstream     kernel(CVE-2020-0444)

  - In various methods of hid-multitouch.c, there is a     possible out of bounds write due to a missing bounds     check. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-162844689References: Upstream kernel(CVE-2020-0465)

  - Use-after-free vulnerability in fs/block_dev.c in the     Linux kernel before 5.8 allows local users to gain     privileges or cause a denial of service by leveraging     improper access to a certain error     field.(CVE-2020-15436)

  - The Linux kernel before version 5.8 is vulnerable to a     NULL pointer dereference in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
    _ports() that allows local users to cause a denial of     service by using the p->serial_in pointer which     uninitialized.(CVE-2020-15437)

  - A flaw was found in the Linux kernels implementation of     MIDI, where an attacker with a local account and the     permissions to issue an ioctl commands to midi devices,     could trigger a use-after-free. A write to this     specific memory while freed and before use could cause     the flow of execution to change and possibly allow for     memory corruption or privilege     escalation.(CVE-2020-27786)

  - No description is available for this     CVE.(CVE-2020-27815)

  - NULL-ptr deref in the spk_ttyio_receive_buf2() function     in spk_ttyio.c(CVE-2020-27830)

  - An issue was discovered in __split_huge_pmd in     mm/huge_memory.c in the Linux kernel before 5.7.5. The     copy-on-write implementation can grant unintended write     access because of a race condition in a THP mapcount     check, aka CID-c444eb564fb1.(CVE-2020-29368)

  - An issue was discovered in kmem_cache_alloc_bulk in     mm/slub.c in the Linux kernel before 5.5.11. The     slowpath lacks the required TID increment, aka     CID-fd4d9c7d0c71.(CVE-2020-29370)

  - An issue was discovered in romfs_dev_read in     fs/romfs/storage.c in the Linux kernel before 5.8.4.
    Uninitialized memory leaks to userspace, aka     CID-bcf85fcedfdd.(CVE-2020-29371)

  - A locking inconsistency issue was discovered in the tty     subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may     allow a read-after-free attack against TIOCGSID, aka     CID-c8bcd9c5be24.(CVE-2020-29660)

  - A locking issue was discovered in the tty subsystem of     the Linux kernel through 5.9.13.
    drivers/tty/tty_jobctrl.c allows a use-after-free     attack against TIOCSPGRP, aka     CID-54ffccbf053b.(CVE-2020-29661)

  - A slab-out-of-bounds read in fbcon in the Linux kernel     before 5.9.7 could be used by local attackers to read     privileged information or potentially crash the kernel,     aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for     manipulations such as font height.(CVE-2020-28974)

  - An issue was discovered in the Linux kernel through     5.9.1, as used with Xen through 4.14.x. Guest OS users     can cause a denial of service (host OS hang) via a high     rate of events to dom0, aka     CID-e99502f76271.(CVE-2020-27673)

  - An issue was discovered in     drivers/accessibility/speakup/spk_ttyio.c in the Linux     kernel through 5.9.9. Local attackers on systems with     the speakup driver could cause a local denial of     service attack, aka CID-d41227544427. This occurs     because of an invalid free when the line discipline is     used more than once.(CVE-2020-28941)

  - An issue was discovered in the Linux kernel through     5.9.1, as used with Xen through 4.14.x.
    drivers/xen/events/events_base.c allows event-channel     removal during the event-handling loop (a race     condition). This can cause a use-after-free or NULL     pointer dereference, as demonstrated by a dom0 crash     via events for an in-reconfiguration paravirtualized     device, aka CID-073d0552ead5.(CVE-2020-27675)

  - A buffer over-read (at the framebuffer layer) in the     fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka     CID-6735b4632def.(CVE-2020-28915)

  - A flaw was found in the Linux kernel. A use-after-free     memory flaw was found in the perf subsystem allowing a     local attacker with permission to monitor perf events     to corrupt memory and possibly escalate privileges. The     highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-14351)

  - A flaw in the way reply ICMP packets are limited in the     Linux kernel functionality was found that allows to     quickly scan open UDP ports. This flaw allows an     off-path remote user to effectively bypassing source     port UDP randomization. The highest threat from this     vulnerability is to confidentiality and possibly     integrity, because software that relies on UDP source     port randomization are indirectly affected as well.
    Kernel versions before 5.10 may be vulnerable to this     issue.(CVE-2020-25705)

  - No description is available for this     CVE.(CVE-2020-25668)

  - No description is available for this     CVE.(CVE-2020-25669)

  - A flaw was found in the way RTAS handled memory     accesses in userspace to kernel communication. On a     locked down (usually due to Secure Boot) guest system     running on top of PowerVM or KVM hypervisors (pseries     platform) a root like local user could use this flaw to     further increase their privileges to that of a running     kernel.(CVE-2020-27777)

  - kernel: perf_event_parse_addr_filter     memory(CVE-2020-25704)

  - Insufficient access control in the Linux kernel driver     for some Intel(R) Processors may allow an authenticated     user to potentially enable information disclosure via     local access.(CVE-2020-8694)

  - A flaw was found in the Linux kernel. A use-after-free     was found in the way the console subsystem was using     ioctls KDGKBSENT and KDSKBSENT. A local user could use     this flaw to get read memory access out of bounds. The     highest threat from this vulnerability is to data     confidentiality.(CVE-2020-25656)

  - In kbd_keycode of keyboard.c, there is a possible out     of bounds write due to a missing bounds check. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-144161459(CVE-2020-0431)

  - A flaw was found in the HDLC_PPP module of the Linux     kernel in versions before 5.9-rc7. Memory corruption     and a read overflow is caused by improper input     validation in the ppp_cp_parse_cr function which can     cause the system to crash or cause a denial of service.
    The highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-25643)

  - A flaw was found in the Linux kernel in versions before     5.9-rc7. Traffic between two Geneve endpoints may be     unencrypted when IPsec is configured to encrypt traffic     for the specific UDP port used by the GENEVE tunnel     allowing anyone between the two endpoints to read the     traffic unencrypted. The main threat from this     vulnerability is to data     confidentiality.(CVE-2020-25645)

  - Vulnerability Summary for     CVE-2020-12351(CVE-2020-12351)

  - Vulnerability Summary for     CVE-2020-12352(CVE-2020-12352)

  - Vulnerability Summary for     CVE-2020-24490(CVE-2020-24490)

  - A missing CAP_NET_RAW check in NFC socket creation in     net/nfc/rawsock.c in the Linux kernel before 5.8.2     could be used by local attackers to create raw sockets,     bypassing security mechanisms, aka     CID-26896f01467a.(CVE-2020-26088)

  - A flaw was found in the Linux kernel's implementation     of biovecs in versions before 5.9-rc7. A zero-length     biovec request issued by the block subsystem could     cause the kernel to enter an infinite loop, causing a     denial of service. This flaw allows a local attacker     with basic privileges to issue requests to a block     device, resulting in a denial of service. The highest     threat from this vulnerability is to system     availability.(CVE-2020-25641)

  - In skb_to_mamac of networking.c, there is a possible     out of bounds write due to an integer overflow. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-143560807(CVE-2020-0432)

  - A race condition between hugetlb sysctl handlers in     mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL     pointer dereference, or possibly have unspecified other     impact, aka CID-17743798d812.(CVE-2020-25285)

  - A flaw was found in the Linux kernel in versions from     2.2.3 through 5.9.rc5. When changing screen size, an     out-of-bounds memory write can occur leading to memory     corruption or a denial of service. This highest threat     from this vulnerability is to system     availability.(CVE-2020-14390)

  - A flaw was found in the Linux kernel before 5.9-rc4.
    Memory corruption can be exploited to gain root     privileges from unprivileged processes. The highest     threat from this vulnerability is to data     confidentiality and integrity.(CVE-2020-14386)

  - Insufficient input validation in i40e driver for     Intel(R) Ethernet 700 Series Controllers versions     before 7.0 may allow an authenticated user to     potentially enable a denial of service via local     access.(CVE-2019-0147)

  - A TOCTOU mismatch in the NFS client code in the Linux     kernel before 5.8.3 could be used by local attackers to     corrupt memory or possibly have unspecified other     impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka     CID-b4487b935452.(CVE-2020-25212)

  - A flaw was found in the Linux kernel before 5.9-rc4. A     failure of the file system metadata validator in XFS     can cause an inode with a valid, user-creatable     extended attribute to be flagged as corrupt. This can     lead to the filesystem being shutdown, or otherwise     rendered inaccessible until it is remounted, leading to     a denial of service. The highest threat from this     vulnerability is to system     availability.(CVE-2020-14385)

  - In uvc_scan_chain_forward of uvc_driver.c, there is a     possible linked list corruption due to an unusual root     cause. This could lead to local escalation of privilege     in the kernel with no additional execution privileges     needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-111893654References: Upstream     kernel(CVE-2020-0404)

  - The rbd block device driver in drivers/block/rbd.c in     the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which     could be leveraged by local attackers to map or unmap     rbd block devices, aka     CID-f44d04e696fe.(CVE-2020-25284)

  - A memory out-of-bounds read flaw was found in the Linux     kernel before 5.9-rc2 with the ext3/ext4 file system,     in the way it accesses a directory with broken     indexing. This flaw allows a local user to crash the     system if the directory exists. The highest threat from     this vulnerability is to system     availability.(CVE-2020-14314)

  - A flaw null pointer dereference in the Linux kernel     cgroupv2 subsystem in versions before 5.7.10 was found     in the way when reboot the system. A local user could     use this flaw to crash the system or escalate their     privileges on the system.(CVE-2020-24394)

  - A flaw was found in the Linux kernel's implementation     of the invert video code on VGA consoles when a local     attacker attempts to resize the console, calling an     ioctl VT_RESIZE, which causes an out-of-bounds write to     occur. This flaw allows a local user with access to the     VGA console to crash the system, potentially escalating     their privileges on the system. The highest threat from     this vulnerability is to data confidentiality and     integrity as well as system     availability.(CVE-2020-14331)

  - The Linux kernel, as used in Red Hat Enterprise Linux     7, kernel-rt, and Enterprise MRG 2 and when booted with     UEFI Secure Boot enabled, allows local users to bypass     intended securelevel/secureboot restrictions by     leveraging improper handling of secure_boot flag across     kexec reboot.(CVE-2015-7837)

  - In the Linux kernel through 5.8.7, local attackers able     to inject conntrack netlink configuration could     overflow a local buffer, causing crashes or triggering     use of incorrect protocol numbers in     ctnetlink_parse_tuple_filter in     net/netfilter/nf_conntrack_netlink.c, aka     CID-1cc5ef91d2ff.(CVE-2020-25211)

  - A flaw null pointer dereference in the Linux kernel     cgroupv2 subsystem in versions before 5.7.10 was found     in the way when reboot the system. A local user could     use this flaw to crash the system or escalate their     privileges on the system.(CVE-2020-14356)

  - Buffer overflow in i40e driver for Intel(R) Ethernet     700 Series Controllers versions before 7.0 may allow an     authenticated user to potentially enable an escalation     of privilege via local access.(CVE-2019-0145)

  - The Linux kernel through 5.7.11 allows remote attackers     to make observations that help to obtain sensitive     information about the internal state of the network     RNG, aka CID-f227e3ec3b5c. This is related to     drivers/char/random.c and     kernel/time/timer.c.(CVE-2020-16166)

  - The VFIO PCI driver in the Linux kernel through 5.6.13     mishandles attempts to access disabled memory     space.(CVE-2020-12888)

  - In the Linux kernel through 5.7.6, usbtest_disconnect     in drivers/usb/misc/usbtest.c has a memory leak, aka     CID-28ebeb8db770.(CVE-2020-15393)

  - A logic bug was found in the Linux kernels     implementation of SSBD. A bug in the logic handling can     allow an attacker with a local account to disable SSBD     protection during a context switch when additional     speculative execution mitigations are in     place.(CVE-2020-10766)

  - The prctl() function can be used to enable indirect     branch speculation even after it has been disabled.
    This same call will incorrectly report it being 'force     disabled' when it is not.(CVE-2020-10768)

  - A flaw was found in the Linux kernel's implementation     of the Enhanced IBPB (Indirect Branch Prediction     Barrier). The IBPB mitigation will be disabled when     STIBP is not available or when the Enhanced Indirect     Branch Restricted Speculation (IBRS) is available. This     flaw allows a local attacker to perform a Spectre V2     style attack when this configuration is active. The     highest threat from this vulnerability is to     confidentiality.(CVE-2020-10767)

  - A flaw was found in the ZRAM kernel module, where a     user with a local account and the ability to read the     /sys/class/zram-control/hot_add file can create ZRAM     device nodes in the /dev/ directory. This read     allocates kernel memory and is not accounted for a user     that triggers the creation of that ZRAM device. With     this vulnerability, continually reading the device may     consume a large amount of system memory and cause the     Out-of-Memory (OOM) killer to activate and terminate     random userspace processes, possibly making the system     inoperable.(CVE-2020-10781)

  - A flaw was found in the Linux kernel. An index buffer     overflow during Direct IO write leading to the NFS     client to crash. In some cases, a reach out of the     index after one memory allocation by kmalloc will cause     a kernel panic. The highest threat from this     vulnerability is to data confidentiality and system     availability.(CVE-2020-10742)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):In do_epoll_ctl and     ep_loop_check_proc of eventpoll.c, there is a possible     use after free due to a logic error. This could lead to     local escalation of privilege with no additional     execution privileges needed.(CVE-2020-0466)In the l2tp     subsystem, there is a possible use after free due to a     race condition. This could lead to local escalation of     privilege with System execution privileges     needed.(CVE-2020-27067)In the nl80211_policy policy of     nl80211.c, there is a possible out of bounds read due     to a missing bounds check. This could lead to local     information disclosure with System execution privileges     needed.(CVE-2020-27068)In audit_free_lsm_field of     auditfilter.c, there is a possible bad kfree due to a     logic error in audit_data_to_entry. This could lead to     local escalation of privilege with no additional     execution privileges needed.(CVE-2020-0444)In various     methods of hid-multitouch.c, there is a possible out of     bounds write due to a missing bounds check. This could     lead to local escalation of privilege with no     additional execution privileges     needed.(CVE-2020-0465)Use-after-free vulnerability in     fs/block_dev.c in the Linux kernel before 5.8 allows     local users to gain privileges or cause a denial of     service by leveraging improper access to a certain     error field.(CVE-2020-15436)The Linux kernel before     version 5.8 is vulnerable to a NULL pointer dereference     in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
    _ports() that allows local users to cause a denial of     service by using the p->serial_in pointer which     uninitialized.(CVE-2020-15437)A flaw was found in the     Linux kernels implementation of MIDI, where an attacker     with a local account and the permissions to issue an     ioctl commands to midi devices, could trigger a     use-after-free. A write to this specific memory while     freed and before use could cause the flow of execution     to change and possibly allow for memory corruption or     privilege escalation.(CVE-2020-27786)Array index out of     bounds access when setting extended attributes on     journaling filesystems.(CVE-2020-27815)NULL-ptr deref     in the spk_ttyio_receive_buf2() function in     spk_ttyio.c(CVE-2020-27830)An issue was discovered in
    __split_huge_pmd in mm/huge_memory.c in the Linux     kernel before 5.7.5. The copy-on-write implementation     can grant unintended write access because of a race     condition in a THP mapcount check, aka     CID-c444eb564fb1.(CVE-2020-29368)An issue was     discovered in kmem_cache_alloc_bulk in mm/slub.c in the     Linux kernel before 5.5.11. The slowpath lacks the     required TID increment, aka     CID-fd4d9c7d0c71.(CVE-2020-29370)An issue was     discovered in romfs_dev_read in fs/romfs/storage.c in     the Linux kernel before 5.8.4. Uninitialized memory     leaks to userspace, aka     CID-bcf85fcedfdd.(CVE-2020-29371)A locking     inconsistency issue was discovered in the tty subsystem     of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may     allow a read-after-free attack against TIOCGSID, aka     CID-c8bcd9c5be24.(CVE-2020-29660)A locking issue was     discovered in the tty subsystem of the Linux kernel     through 5.9.13. drivers/tty/tty_jobctrl.c allows a     use-after-free attack against TIOCSPGRP, aka     CID-54ffccbf053b.(CVE-2020-29661)A slab-out-of-bounds     read in fbcon in the Linux kernel before 5.9.7 could be     used by local attackers to read privileged information     or potentially crash the kernel, aka CID-3c4e0dff2095.
    This occurs because KD_FONT_OP_COPY in     drivers/tty/vt/vt.c can be used for manipulations such     as font height.(CVE-2020-28974) An issue was discovered     in the Linux kernel through 5.9.1, as used with Xen     through 4.14.x. Guest OS users can cause a denial of     service (host OS hang) via a high rate of events to     dom0, aka CID-e99502f76271.(CVE-2020-27673)An issue was     discovered in drivers/accessibility/speakup/spk_ttyio.c     in the Linux kernel through 5.9.9. Local attackers on     systems with the speakup driver could cause a local     denial of service attack, aka CID-d41227544427. This     occurs because of an invalid free when the line     discipline is used more than once.(CVE-2020-28941)An     issue was discovered in the Linux kernel through 5.9.1,     as used with Xen through 4.14.x.
    drivers/xen/events/events_base.c allows event-channel     removal during the event-handling loop (a race     condition). This can cause a use-after-free or NULL     pointer dereference, as demonstrated by a dom0 crash     via events for an in-reconfiguration paravirtualized     device, aka CID-073d0552ead5.(CVE-2020-27675)A buffer     over-read (at the framebuffer layer) in the fbcon code     in the Linux kernel before 5.8.15 could be used by     local attackers to read kernel memory, aka     CID-6735b4632def.(CVE-2020-28915)A flaw was found in     the Linux kernel. A use-after-free memory flaw was     found in the perf subsystem allowing a local attacker     with permission to monitor perf events to corrupt     memory and possibly escalate privileges. The highest     threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-14351)A flaw in the way reply     ICMP packets are limited in the Linux kernel     functionality was found that allows to quickly scan     open UDP ports. This flaw allows an off-path remote     user to effectively bypassing source port UDP     randomization. The highest threat from this     vulnerability is to confidentiality and possibly     integrity, because software that relies on UDP source     port randomization are indirectly affected as well.
    Kernel versions before 5.10 may be vulnerable to this     issue.(CVE-2020-25705)race condition in fg_console can     lead to use-after-free in     con_font_op.(CVE-2020-25668)use-after-free read in     sunkbd_reinit in     drivers/input/keyboard/sunkbd.c.(CVE-2020-25669)A flaw     was found in the way RTAS handled memory accesses in     userspace to kernel communication. On a locked down     (usually due to Secure Boot) guest system running on     top of PowerVM or KVM hypervisors (pseries platform) a     root like local user could use this flaw to further     increase their privileges to that of a running     kernel.(CVE-2020-27777)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
154016	OracleVM 3.4 : Unbreakable / etc (OVMSA-2021-0035)	Nessus	OracleVM Local Security Checks	high
151767	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-2221)	Nessus	Huawei Local Security Checks	high
147512	EulerOS Virtualization 2.9.1 : kernel (EulerOS-SA-2021-1604)	Nessus	Huawei Local Security Checks	high
144693	EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-1028)	Nessus	Huawei Local Security Checks	high

CVE-2020-27067

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high