https://bugzilla.redhat.com/show_bug.cgi?id=1901709

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-1578 advisory.

  - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB     device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. (CVE-2019-19523)

  - An issue was discovered in the Linux kernel before 5.6.1. drivers/media/usb/gspca/ov519.c allows NULL     pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints, aka     CID-998912346c0d. (CVE-2020-11608)

  - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB     device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d. (CVE-2019-19528)

  - usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because     a transfer occurs without a reference, aka CID-056ad39ee925. (CVE-2020-12464)

  - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new     filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the     current umask is not considered. (CVE-2020-24394)

  - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before     4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a     denial of service (panic) by corrupting a mountpoint reference counter. (CVE-2020-12114)

  - A flaw null pointer dereference in the Linux kernel cgroupv2 subsystem in versions before 5.7.10 was found     in the way when reboot the system. A local user could use this flaw to crash the system or escalate their     privileges on the system. (CVE-2020-14356)

  - A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption     and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause     the system to crash or cause a denial of service. The highest threat from this vulnerability is to data     confidentiality and integrity as well as system availability. (CVE-2020-25643)

  - A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using     PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of     service. (CVE-2020-25704)

  - A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to     read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height. (CVE-2020-28974)

  - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file     system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash     the system if the directory exists. The highest threat from this vulnerability is to system availability.
    (CVE-2020-14314)

  - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers     to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)

  - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap     rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)

  - A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified     other impact, aka CID-17743798d812. (CVE-2020-25285)

  - A flaw possibility of race condition and incorrect initialization of the process id was found in the Linux     kernel child/parent process identification handling while filtering signal handlers. A local attacker is     able to abuse this flaw to bypass checks to send any signal to a privileged process. (CVE-2020-35508)

  - A memory leak in the sof_set_get_large_ctrl_data() function in sound/soc/sof/ipc.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering     sof_get_ctrl_copy_params() failures, aka CID-45c1380358b1. (CVE-2019-18811)

  - The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init_ports() that allows local users to cause a denial     of service by using the p->serial_in pointer which uninitialized. (CVE-2020-15437)

  - A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the     way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system.
    (CVE-2020-27835)

  - Integer overflow in the firmware for some Intel(R) Graphics Drivers for Windows * before version     26.20.100.7212 and before Linux kernel version 5.5 may allow a privileged user to potentially enable an     escalation of privilege via local access. (CVE-2020-12362)

  - An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka     CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system     crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as     CVE-2021-28950. (CVE-2020-36322)

  - In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to     local escalation of privilege with System execution privileges required. User interaction is not required     for exploitation. Product: Android; Versions: Android kernel; Android ID: A-146554327. (CVE-2021-0342)

  - In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This     could lead to local escalation of privilege with no additional execution privileges needed. User     interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-144161459     (CVE-2020-0431)

  - A flaw was found in the Linux kernels implementation of MIDI, where an attacker with a local account and     the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to     this specific memory while freed and before use causes the flow of execution to change and possibly allow     for memory corruption or privilege escalation. The highest threat from this vulnerability is to     confidentiality, integrity, as well as system availability. (CVE-2020-27786)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:1578 advisory.

  - kernel: memory leak in sof_set_get_large_ctrl_data() function in sound/soc/sof/ipc.c (CVE-2019-18811)

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver     (CVE-2019-19523)

  - kernel: use-after-free bug caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver     (CVE-2019-19528)

  - kernel: possible out of bounds write in kbd_keycode of keyboard.c (CVE-2020-0431)

  - kernel: NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs in     drivers/media/usb/gspca/ov519.c (CVE-2020-11608)

  - kernel: DoS by corrupting mountpoint reference counter (CVE-2020-12114)

  - kernel: Integer overflow in Intel(R) Graphics Drivers (CVE-2020-12362)

  - kernel: use-after-free in usb_sg_cancel function in drivers/usb/core/message.c (CVE-2020-12464)

  - kernel: buffer uses out of index in ext3/4 filesystem (CVE-2020-14314)

  - kernel: Use After Free vulnerability in cgroup BPF component (CVE-2020-14356)

  - kernel: NULL pointer dereference in serial8250_isa_init_ports function in     drivers/tty/serial/8250/8250_core.c (CVE-2020-15437)

  - kernel: umask not applied on filesystem without ACL support (CVE-2020-24394)

  - kernel: TOCTOU mismatch in the NFS client code (CVE-2020-25212)

  - kernel: incomplete permission checking for access to rbd devices (CVE-2020-25284)

  - kernel: race condition between hugetlb sysctl handlers in mm/hugetlb.c (CVE-2020-25285)

  - kernel: improper input validation in ppp_cp_parse_cr function leads to memory corruption and read overflow     (CVE-2020-25643)

  - kernel: perf_event_parse_addr_filter memory (CVE-2020-25704)

  - kernel: use-after-free in kernel midi subsystem (CVE-2020-27786)

  - kernel: child process is able to access parent mm through hfi dev file handle (CVE-2020-27835)

  - kernel: slab-out-of-bounds read in fbcon (CVE-2020-28974)

  - kernel: fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent (CVE-2020-35508)

  - kernel: fuse: fuse_do_getattr() calls make_bad_inode() in inappropriate situations (CVE-2020-36322)

  - kernel: use after free in tun_get_user of tun.c could lead to local escalation of privilege     (CVE-2021-0342)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1578 advisory.

  - kernel: memory leak in sof_set_get_large_ctrl_data() function in sound/soc/sof/ipc.c (CVE-2019-18811)

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver     (CVE-2019-19523)

  - kernel: use-after-free bug caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver     (CVE-2019-19528)

  - kernel: possible out of bounds write in kbd_keycode of keyboard.c (CVE-2020-0431)

  - kernel: NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs in     drivers/media/usb/gspca/ov519.c (CVE-2020-11608)

  - kernel: DoS by corrupting mountpoint reference counter (CVE-2020-12114)

  - kernel: Integer overflow in Intel(R) Graphics Drivers (CVE-2020-12362)

  - kernel: Improper input validation in some Intel(R) Graphics Drivers (CVE-2020-12363)

  - kernel: Null pointer dereference in some Intel(R) Graphics Drivers (CVE-2020-12364)

  - kernel: use-after-free in usb_sg_cancel function in drivers/usb/core/message.c (CVE-2020-12464)

  - kernel: buffer uses out of index in ext3/4 filesystem (CVE-2020-14314)

  - kernel: Use After Free vulnerability in cgroup BPF component (CVE-2020-14356)

  - kernel: NULL pointer dereference in serial8250_isa_init_ports function in     drivers/tty/serial/8250/8250_core.c (CVE-2020-15437)

  - kernel: umask not applied on filesystem without ACL support (CVE-2020-24394)

  - kernel: TOCTOU mismatch in the NFS client code (CVE-2020-25212)

  - kernel: incomplete permission checking for access to rbd devices (CVE-2020-25284)

  - kernel: race condition between hugetlb sysctl handlers in mm/hugetlb.c (CVE-2020-25285)

  - kernel: improper input validation in ppp_cp_parse_cr function leads to memory corruption and read overflow     (CVE-2020-25643)

  - kernel: perf_event_parse_addr_filter memory (CVE-2020-25704)

  - kernel: use-after-free in kernel midi subsystem (CVE-2020-27786)

  - kernel: child process is able to access parent mm through hfi dev file handle (CVE-2020-27835)

  - kernel: slab-out-of-bounds read in fbcon (CVE-2020-28974)

  - kernel: fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent (CVE-2020-35508)

  - kernel: fuse: fuse_do_getattr() calls make_bad_inode() in inappropriate situations (CVE-2020-36322)

  - kernel: use after free in tun_get_user of tun.c could lead to local escalation of privilege     (CVE-2021-0342)

  - kernel: In pfkey_dump() dplen and splen can both be specified to access the xfrm_address_t structure out     of bounds (CVE-2021-0605)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1739 advisory.

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver     (CVE-2019-19523)

  - kernel: use-after-free bug caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver     (CVE-2019-19528)

  - kernel: possible out of bounds write in kbd_keycode of keyboard.c (CVE-2020-0431)

  - kernel: NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs in     drivers/media/usb/gspca/ov519.c (CVE-2020-11608)

  - kernel: DoS by corrupting mountpoint reference counter (CVE-2020-12114)

  - kernel: Integer overflow in Intel(R) Graphics Drivers (CVE-2020-12362)

  - kernel: Improper input validation in some Intel(R) Graphics Drivers (CVE-2020-12363)

  - kernel: Null pointer dereference in some Intel(R) Graphics Drivers (CVE-2020-12364)

  - kernel: use-after-free in usb_sg_cancel function in drivers/usb/core/message.c (CVE-2020-12464)

  - kernel: buffer uses out of index in ext3/4 filesystem (CVE-2020-14314)

  - kernel: Use After Free vulnerability in cgroup BPF component (CVE-2020-14356)

  - kernel: NULL pointer dereference in serial8250_isa_init_ports function in     drivers/tty/serial/8250/8250_core.c (CVE-2020-15437)

  - kernel: umask not applied on filesystem without ACL support (CVE-2020-24394)

  - kernel: TOCTOU mismatch in the NFS client code (CVE-2020-25212)

  - kernel: incomplete permission checking for access to rbd devices (CVE-2020-25284)

  - kernel: race condition between hugetlb sysctl handlers in mm/hugetlb.c (CVE-2020-25285)

  - kernel: improper input validation in ppp_cp_parse_cr function leads to memory corruption and read overflow     (CVE-2020-25643)

  - kernel: perf_event_parse_addr_filter memory (CVE-2020-25704)

  - kernel: use-after-free in kernel midi subsystem (CVE-2020-27786)

  - kernel: child process is able to access parent mm through hfi dev file handle (CVE-2020-27835)

  - kernel: slab-out-of-bounds read in fbcon (CVE-2020-28974)

  - kernel: fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent (CVE-2020-35508)

  - kernel: use after free in tun_get_user of tun.c could lead to local escalation of privilege     (CVE-2021-0342)

  - kernel: In pfkey_dump() dplen and splen can both be specified to access the xfrm_address_t structure out     of bounds (CVE-2021-0605)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 20.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4751-1 advisory.

  - A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was     using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of     bounds. The highest threat from this vulnerability is to data confidentiality. (CVE-2020-25656)

  - A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using     PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of     service. (CVE-2020-25704)

  - An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users     can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
    (CVE-2020-27673)

  - An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x.
    drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race     condition). This can cause a use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash     via events for an in-reconfiguration paravirtualized device, aka CID-073d0552ead5. (CVE-2020-27675)

  - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked     down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries     platform) a root like local user could use this flaw to further increase their privileges to that of a     running kernel. (CVE-2020-27777)

  - A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the     way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system.
    (CVE-2020-27835)

  - An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9.
    Local attackers on systems with the speakup driver could cause a local denial of service attack, aka     CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once.
    (CVE-2020-28941)

  - A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to     read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height. (CVE-2020-28974)

  - An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are     processing watch events using a single thread. If the events are received faster than the thread is able     to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the     backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable. (CVE-2020-29568)

  - An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux     kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped.
    However, the handler may not have time to run if the frontend quickly toggles between the states connect     and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving     guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege     escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.
    (CVE-2020-29569)

  - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,     aka CID-c8bcd9c5be24. (CVE-2020-29660)

  - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.
    (CVE-2020-29661)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).

CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).

CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).

CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).

CVE-2020-15437: Fixed a NULL pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).

CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).

CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation (bnc#1105322).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).

CVE-2020-10781: A flaw was found in the ZRAM kernel module, where a user with a local account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the creation of that ZRAM device.
With this vulnerability, continually reading the device may consume a large amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random userspace processes, possibly making the system inoperable (bnc#1173074).

CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).

CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).

CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).

CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).

CVE-2020-29371: An issue was discovered in romfs_dev_read in fs/romfs/storage.c where uninitialized memory leaks to userspace (bnc#1179429).

CVE-2020-15437: Fixed a NULL pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).

CVE-2019-20806: Fixed a NULL pointer dereference in tw5864_handle_frame() in drivers/media/pci/tw5864/tw5864-video.c, which may cause denial of service (bnc#1172199).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket() that could be triggered by local attackers (with access to the nbd device) via an I/O request (bnc#1181504).

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).

CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-29371: Fixed uninitialized memory leaks to userspace (bsc#1179429).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).

CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).

CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).

CVE-2020-15437: Fixed a NULL pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP2 realtime kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-25211: Fixed a flaw where a local attacker was able to inject conntrack netlink configuration that could cause a denial of service or trigger the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter (bnc#1176395).

CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-25211: Fixed a flaw where a local attacker was able to inject conntrack netlink configuration that could cause a denial of service or trigger the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter (bnc#1176395).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-36158: Fixed an issue wich might have allowed a remote attackers to execute arbitrary code via a long SSID value in mwifiex_cmd_802_11_ad_hoc_start() (bnc#1180559).

CVE-2020-28374: Fixed a vulnerability caused by insufficient identifier checking in the LIO SCSI target code. This could have been used by a remote attackers to read or write files via directory traversal in an XCOPY request (bnc#1178372).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-25211: Fixed a flaw where a local attacker was able to inject conntrack netlink configuration that could cause a denial of service or trigger the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter (bnc#1176395).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
149914	Oracle Linux 8 : kernel (ELSA-2021-1578)	Nessus	Oracle Linux Local Security Checks	high
149874	CentOS 8 : kernel (CESA-2021:1578)	Nessus	CentOS Local Security Checks	high
149670	RHEL 8 : kernel (RHSA-2021:1578)	Nessus	Red Hat Local Security Checks	high
149660	RHEL 8 : kernel-rt (RHSA-2021:1739)	Nessus	Red Hat Local Security Checks	high
147978	Ubuntu 20.04 LTS / 20.10 : Linux kernel vulnerabilities (USN-4751-1)	Nessus	Ubuntu Local Security Checks	high
146685	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0532-1)	Nessus	SuSE Local Security Checks	high
146511	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0452-1)	Nessus	SuSE Local Security Checks	high
146474	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0438-1)	Nessus	SuSE Local Security Checks	high
146470	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0434-1)	Nessus	SuSE Local Security Checks	high
146406	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0427-1)	Nessus	SuSE Local Security Checks	high
146366	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:0354-1)	Nessus	SuSE Local Security Checks	high
146362	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0348-1)	Nessus	SuSE Local Security Checks	high
146359	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0353-1)	Nessus	SuSE Local Security Checks	high
145320	openSUSE Security Update : the Linux Kernel (openSUSE-2021-60)	Nessus	SuSE Local Security Checks	medium

CVE-2020-27835

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

medium