[oss-security] 20201103 CVE-2020-27152 Kernel: KVM: host stack overflow via loop due to lazy update IOAPIC

https://bugzilla.kernel.org/show_bug.cgi?id=208767

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.9.2

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=77377064c3a94911339f13ce113b3abf265e06da

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:1093 advisory.

  - kernel: use after free in eventpoll.c may lead to escalation of privilege (CVE-2020-0466)

  - Kernel: KVM: host stack overflow due to lazy update IOAPIC (CVE-2020-27152)

  - kernel: SCSI target (LIO) write to any block on ILO backstore (CVE-2020-28374)

  - kernel: race conditions caused by wrong locking in net/vmw_vsock/af_vsock.c (CVE-2021-26708)

  - kernel: iscsi: unrestricted access to sessions and handles (CVE-2021-27363)

  - kernel: out-of-bounds read in libiscsi module (CVE-2021-27364)

  - kernel: heap buffer overflow in the iSCSI subsystem (CVE-2021-27365)

  - kernel: Use after free via PI futex state (CVE-2021-3347)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-1093 advisory.

  - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic     error. This could lead to local escalation of privilege with no additional execution privileges needed.
    User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
    A-147802478References: Upstream kernel (CVE-2020-0466)

  - A local privilege escalation was discovered in the Linux kernel before 5.10.13. Multiple race conditions     in the AF_VSOCK implementation are caused by wrong locking in net/vmw_vsock/af_vsock.c. The race     conditions were implicitly introduced in the commits that added VSOCK multi-transport support.
    (CVE-2021-26708)

  - An issue was discovered in ioapic_lazy_update_eoi in arch/x86/kvm/ioapic.c in the Linux kernel before     5.9.2. It has an infinite loop related to improper interaction between a resampler and edge triggering,     aka CID-77377064c3a9. (CVE-2020-27152)

  - An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.
    (CVE-2021-3347)

  - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI     subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the     pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)

  - An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)

  - An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a     Netlink message. (CVE-2021-27365)

  - In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking     in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal     in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker     has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are     proxied via an attacker-selected backstore. (CVE-2020-28374)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1093 advisory.

  - kernel: use after free in eventpoll.c may lead to escalation of privilege (CVE-2020-0466)

  - Kernel: KVM: host stack overflow due to lazy update IOAPIC (CVE-2020-27152)

  - kernel: SCSI target (LIO) write to any block on ILO backstore (CVE-2020-28374)

  - kernel: race conditions caused by wrong locking in net/vmw_vsock/af_vsock.c (CVE-2021-26708)

  - kernel: iscsi: unrestricted access to sessions and handles (CVE-2021-27363)

  - kernel: out-of-bounds read in libiscsi module (CVE-2021-27364)

  - kernel: heap buffer overflow in the iSCSI subsystem (CVE-2021-27365)

  - kernel: Use after free via PI futex state (CVE-2021-3347)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1081 advisory.

  - kernel: use after free in eventpoll.c may lead to escalation of privilege (CVE-2020-0466)

  - Kernel: KVM: host stack overflow due to lazy update IOAPIC (CVE-2020-27152)

  - kernel: SCSI target (LIO) write to any block on ILO backstore (CVE-2020-28374)

  - kernel: race conditions caused by wrong locking in net/vmw_vsock/af_vsock.c (CVE-2021-26708)

  - kernel: iscsi: unrestricted access to sessions and handles (CVE-2021-27363)

  - kernel: out-of-bounds read in libiscsi module (CVE-2021-27364)

  - kernel: heap buffer overflow in the iSCSI subsystem (CVE-2021-27365)

  - kernel: Use after free via PI futex state (CVE-2021-3347)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4752-1 advisory.

  - Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2     and earlier may allow an unauthenticated user to complete authentication without pairing credentials via     adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or     slave to pair with a previously paired remote device to successfully complete the authentication procedure     without knowing the link key. (CVE-2020-10135)

  - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file     system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash     the system if the directory exists. The highest threat from this vulnerability is to system availability.
    (CVE-2020-14314)

  - Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain     privileges or cause a denial of service by leveraging improper access to a certain error field.
    (CVE-2020-15436)

  - The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init_ports() that allows local users to cause a denial     of service by using the p->serial_in pointer which uninitialized. (CVE-2020-15437)

  - Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of     service via adjacent access. This affects all Linux kernel versions that support BlueZ. (CVE-2020-24490)

  - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers     to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)

  - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap     rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)

  - A flaw was found in the Linux kernel's implementation of biovecs in versions before 5.9-rc7. A zero-length     biovec request issued by the block subsystem could cause the kernel to enter an infinite loop, causing a     denial of service. This flaw allows a local attacker with basic privileges to issue requests to a block     device, resulting in a denial of service. The highest threat from this vulnerability is to system     availability. (CVE-2020-25641)

  - A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption     and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause     the system to crash or cause a denial of service. The highest threat from this vulnerability is to data     confidentiality and integrity as well as system availability. (CVE-2020-25643)

  - A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using     PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of     service. (CVE-2020-25704)

  - An issue was discovered in ioapic_lazy_update_eoi in arch/x86/kvm/ioapic.c in the Linux kernel before     5.9.2. It has an infinite loop related to improper interaction between a resampler and edge triggering,     aka CID-77377064c3a9. (CVE-2020-27152)

  - A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka CID-6735b4632def. (CVE-2020-28915)

  - An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The     copy-on-write implementation can grant unintended write access because of a race condition in a THP     mapcount check, aka CID-c444eb564fb1. (CVE-2020-29368)

  - An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between     certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an     munmap call, aka CID-246c320a8cfe. (CVE-2020-29369)

  - An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4.
    Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd. (CVE-2020-29371)

  - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,     aka CID-c8bcd9c5be24. (CVE-2020-29660)

  - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.
    (CVE-2020-29661)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4659-1 advisory.

  - In binder_release_work of binder.c, there is a possible use-after-free due to improper locking. This could     lead to local escalation of privilege in the kernel with no additional execution privileges needed. User     interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
    A-161151868References: N/A (CVE-2020-0423)

  - IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive     information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296.
    (CVE-2020-4788)

  - Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2     and earlier may allow an unauthenticated user to complete authentication without pairing credentials via     adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or     slave to pair with a previously paired remote device to successfully complete the authentication procedure     without knowing the link key. (CVE-2020-10135)

  - A flaw in the way reply ICMP packets are limited in the Linux kernel functionality was found that allows     to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypassing source     port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly     integrity, because software that relies on UDP source port randomization are indirectly affected as well.
    Kernel versions before 5.10 may be vulnerable to this issue. (CVE-2020-25705)

  - An issue was discovered in ioapic_lazy_update_eoi in arch/x86/kvm/ioapic.c in the Linux kernel before     5.9.2. It has an infinite loop related to improper interaction between a resampler and edge triggering,     aka CID-77377064c3a9. (CVE-2020-27152)

  - A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka CID-6735b4632def. (CVE-2020-28915)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
148422	CentOS 8 : kernel (CESA-2021:1093)	Nessus	CentOS Local Security Checks	high
148371	Oracle Linux 8 : kernel (ELSA-2021-1093)	Nessus	Oracle Linux Local Security Checks	high
148370	RHEL 8 : kernel (RHSA-2021:1093)	Nessus	Red Hat Local Security Checks	high
148369	RHEL 8 : kernel-rt (RHSA-2021:1081)	Nessus	Red Hat Local Security Checks	high
147982	Ubuntu 20.04 LTS : Linux kernel (OEM) vulnerabilities (USN-4752-1)	Nessus	Ubuntu Local Security Checks	high
143429	Ubuntu 20.10 : Linux kernel vulnerabilities (USN-4659-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2020-27152

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high