https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c444eb564fb16645c172d550359cb3d75fe8a040

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.5

https://bugs.chromium.org/p/project-zero/issues/detail?id=2045

https://security.netapp.com/advisory/ntap-20210108-0002/

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-4356 advisory.

  - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to     cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h     lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
    (CVE-2021-29650)

  - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A stall on CPU can occur     because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)

  - In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some     Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS     status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. (CVE-2021-28971)

  - A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an     attacker with a local account to leak information about kernel internal addresses. The highest threat from     this vulnerability is to confidentiality. (CVE-2021-20239)

  - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel     5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in     order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The     issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.
    An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the     context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)

  - nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-     free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a     certain point during device setup, aka CID-b98e762e3d71. (CVE-2021-3348)

  - In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could     lead to local information disclosure with no additional execution privileges needed. User interaction is     not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-140550171     (CVE-2020-0427)

  - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,     aka CID-c8bcd9c5be24. (CVE-2020-29660)

  - mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through     5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.
    (CVE-2020-36158)

  - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-     device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with     special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or     a leak of internal kernel information. The highest threat from this vulnerability is to system     availability. (CVE-2021-31916)

  - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel     privilege escalation from the context of a network service or an unprivileged process. If     sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the     auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network     service privileges to escalate to root or from the context of an unprivileged user directly if a     BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)

  - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked     down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries     platform) a root like local user could use this flaw to further increase their privileges to that of a     running kernel. (CVE-2020-27777)

  - A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way     user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev()     together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(),     hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their     privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5. (CVE-2021-3573)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and     WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to     inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)

  - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was     found in the way user uses trace ring buffer in a specific way. Only privileged local users (with     CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.
    (CVE-2021-3679)

  - The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size     was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel     and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny     reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4,     v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier     support for it) (v5.8-rc1). (CVE-2021-3489)

  - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and     WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can     abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042     (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26144)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations     reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate     selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the     WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by     design. (CVE-2020-26146)

  - An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-     bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf. (CVE-2020-36386)

  - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer     arithmetic operations, the pointer modification performed by the first operation is not correctly     accounted for when restricting subsequent operations. (CVE-2021-29155)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading     to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not     protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized     data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in     the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the     system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)

  - Improper access control in BlueZ may allow an authenticated user to potentially enable information     disclosure via adjacent access. (CVE-2021-0129)

  - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files     (CVE-2021-3732)

  - Improper input validation in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4     and before version 1.4.29.0 for Windows*, may allow an authenticated user to potentially enable a denial     of service via local access. (CVE-2020-24502)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic     operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel     memory, leading to local privilege escalation to root. In particular, there is a corner case where the off     reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
    (CVE-2021-33200)

  - Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4     may allow an authenticated user to potentially enable information disclosure via local access.
    (CVE-2020-24503)

  - Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers for Linux before version     1.0.4 may allow an authenticated user to potentially enable denial of service via local access.
    (CVE-2020-24504)

  - An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The     copy-on-write implementation can grant unintended write access because of a race condition in a THP     mapcount check, aka CID-c444eb564fb1. (CVE-2020-29368)

  - There is a vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config     params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y ,     CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). As result of BPF execution,     the local user can trigger bug in __cgroup_bpf_run_filter_getsockopt() function that can lead to heap     overflow (because of non-hardened usercopy). The impact of attack could be deny of service or possibly     privileges escalation. (CVE-2021-20194)

  - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)

  - A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. A user with     root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands.
    (CVE-2021-3635)

  - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)

  - An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does     not properly validate certain data sizes, aka CID-0217ed2848e8. (CVE-2021-29646)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4356 advisory.

  - kernel: Intel graphics card information leak. (CVE-2019-14615)

  - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)

  - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)

  - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)

  - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)

  - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)

  - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)

  - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)

  - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)

  - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)

  - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)

  - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)

  - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)

  - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)

  - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)

  - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)

  - kernel: powerpc: RTAS calls can be used to compromise kernel integrity (CVE-2020-27777)

  - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in     a THP mapcount check (CVE-2020-29368)

  - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-     after-free (CVE-2020-29660)

  - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in     drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)

  - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c     (CVE-2020-36312)

  - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c     (CVE-2020-36386)

  - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)

  - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)

  - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)

  - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)

  - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode     (CVE-2021-28950)

  - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)

  - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds     loads can be bypassed to leak content of kernel memory (CVE-2021-29155)

  - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)

  - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c     and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)

  - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)

  - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content     of kernel memory (CVE-2021-31829)

  - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)

  - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)

  - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations     by BPF verifier (CVE-2021-33200)

  - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)

  - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)

  - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)

  - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)

  - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)

  - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)

  - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)

  - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)

  - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files     (CVE-2021-3732)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4140 advisory.

  - kernel: Intel graphics card information leak. (CVE-2019-14615)

  - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)

  - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)

  - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)

  - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)

  - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)

  - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)

  - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)

  - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)

  - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)

  - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)

  - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)

  - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)

  - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)

  - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)

  - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)

  - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in     a THP mapcount check (CVE-2020-29368)

  - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-     after-free (CVE-2020-29660)

  - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in     drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)

  - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c     (CVE-2020-36312)

  - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c     (CVE-2020-36386)

  - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)

  - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)

  - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)

  - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)

  - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode     (CVE-2021-28950)

  - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)

  - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds     loads can be bypassed to leak content of kernel memory (CVE-2021-29155)

  - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)

  - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c     and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)

  - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)

  - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content     of kernel memory (CVE-2021-31829)

  - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)

  - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)

  - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations     by BPF verifier (CVE-2021-33200)

  - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)

  - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)

  - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)

  - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)

  - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)

  - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)

  - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)

  - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)

  - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files     (CVE-2021-3732)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:4356 advisory.

  - kernel: Intel graphics card information leak. (CVE-2019-14615)

  - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)

  - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)

  - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)

  - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)

  - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)

  - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)

  - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)

  - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)

  - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)

  - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)

  - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)

  - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)

  - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)

  - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)

  - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)

  - kernel: powerpc: RTAS calls can be used to compromise kernel integrity (CVE-2020-27777)

  - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in     a THP mapcount check (CVE-2020-29368)

  - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-     after-free (CVE-2020-29660)

  - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in     drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)

  - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c     (CVE-2020-36312)

  - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c     (CVE-2020-36386)

  - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)

  - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)

  - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)

  - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)

  - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode     (CVE-2021-28950)

  - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)

  - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds     loads can be bypassed to leak content of kernel memory (CVE-2021-29155)

  - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)

  - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c     and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)

  - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)

  - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content     of kernel memory (CVE-2021-31829)

  - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)

  - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)

  - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations     by BPF verifier (CVE-2021-33200)

  - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)

  - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)

  - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)

  - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)

  - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)

  - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)

  - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)

  - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)

  - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files     (CVE-2021-3732)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:4140 advisory.

  - kernel: Intel graphics card information leak. (CVE-2019-14615)

  - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)

  - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)

  - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)

  - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)

  - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)

  - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)

  - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)

  - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)

  - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)

  - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)

  - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)

  - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)

  - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)

  - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)

  - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)

  - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in     a THP mapcount check (CVE-2020-29368)

  - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-     after-free (CVE-2020-29660)

  - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in     drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)

  - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c     (CVE-2020-36312)

  - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c     (CVE-2020-36386)

  - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)

  - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)

  - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)

  - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)

  - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode     (CVE-2021-28950)

  - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)

  - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds     loads can be bypassed to leak content of kernel memory (CVE-2021-29155)

  - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)

  - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c     and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)

  - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)

  - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content     of kernel memory (CVE-2021-31829)

  - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)

  - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)

  - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations     by BPF verifier (CVE-2021-33200)

  - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)

  - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)

  - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)

  - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)

  - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)

  - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)

  - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)

  - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)

  - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files     (CVE-2021-3732)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc. Security Fix(es):A vulnerability was found     in the Linux Kernel where the function sunkbd_reinit     having been scheduled by sunkbd_interrupt before sunkbd     being freed. Though the dangling pointer is set to NULL     in sunkbd_disconnect, there is still an alias in     sunkbd_reinit causing Use After Free.(CVE-2020-25669)An     issue was discovered in the Linux kernel through 5.9.1,     as used with Xen through 4.14.x.
    drivers/xen/events/events_base.c allows event-channel     removal during the event-handling loop (a race     condition). This can cause a use-after-free or NULL     pointer dereference, as demonstrated by a dom0 crash     via events for an in-reconfiguration paravirtualized     device, aka CID-073d0552ead5.(CVE-2020-27675)An issue     was discovered in the Linux kernel through 5.9.1, as     used with Xen through 4.14.x. Guest OS users can cause     a denial of service (host OS hang) via a high rate of     events to dom0, aka CID-e99502f76271.(CVE-2020-27673)An     issue was discovered in __split_huge_pmd in     mm/huge_memory.c in the Linux kernel before 5.7.5. The     copy-on-write implementation can grant unintended write     access because of a race condition in a THP mapcount     check, aka CID-c444eb564fb1.(CVE-2020-29368)An issue     was discovered in     drivers/accessibility/speakup/spk_ttyio.c in the Linux     kernel through 5.9.9. Local attackers on systems with     the speakup driver could cause a local denial of     service attack, aka CID-d41227544427. This occurs     because of an invalid free when the line discipline is     used more than once.(CVE-2020-28941)** DISPUTED **     fsfsd fs3xdr.c in the Linux kernel through 5.10.8, when     there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)An issue was discovered in the     Linux kernel through 5.11.3.
    drivers/scsi/scsi_transport_iscsi.c is adversely     affected by the ability of an unprivileged user to     craft Netlink messages.(CVE-2021-27364)An issue was     discovered in the Linux kernel through 5.11.3. A kernel     pointer leak can be used to determine the address of     the iscsi_transport structure. When an iSCSI transport     is registered with the iSCSI subsystem, the transport's     handle is available to unprivileged users via the sysfs     file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)ntfs_read_locked_inode     in the ntfs.ko filesystem driver in the Linux kernel     4.15.0 allows attackers to trigger a use-after-free     read and possibly cause a denial of service (kernel     oops or panic) via a crafted ntfs     filesystem.(CVE-2018-12929)In the Linux kernel 4.15.0,     a NULL pointer dereference was discovered in     hfs_ext_read_extent in hfs.ko. This can occur during a     mount of a crafted hfs     filesystem.(CVE-2018-12928)rtw_wx_set_scan in     drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the     Linux kernel through 5.11.6 allows writing beyond the     end of the ->ssid[] array. NOTE: from the perspective     of kernel.org releases, CVE IDs are not normally used     for drivers/staging/* (unfinished work) however, system     integrators may have situations in which a     drivers/staging issue is relevant to their own customer     base.(CVE-2021-28660)There is a flaw reported in the     Linux kernel in versions before 5.9 in drivers/gpu/drm     ouveau ouveau_sgdma.c in nouveau_sgdma_create_ttm in     Nouveau DRM subsystem. The issue results from the lack     of validating the existence of an object prior to     performing operations on the object. An attacker with a     local account with a root privilege, can leverage this     vulnerability to escalate privileges and execute code     in the context of the kernel.(CVE-2021-20292)A flaw was     found in the Nosy driver in the Linux kernel. This     issue allows a device to be inserted twice into a     doubly-linked list, leading to a use-after-free when     one of these devices is removed. The highest threat     from this vulnerability is to confidentiality,     integrity, as well as system availability. Versions     before kernel 5.12-rc6 are affected(CVE-2021-3483)In     drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux     kernel through 5.11.8, the RPA PCI Hotplug driver has a     user-tolerable buffer overflow when writing a new     device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame     directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination,     aka CID-cc7a0bb058b8.(CVE-2021-28972)A race condition     was discovered in get_old_root in fs/btrfs/ctree.c in     the Linux kernel through 5.11.8. It allows attackers to     cause a denial of service (BUG) because of a lack of     locking on an extent buffer before a cloning operation,     aka CID-dbcc7d57bffc.(CVE-2021-28964)An issue was     discovered in the Linux kernel before 5.11.7.
    usbip_sockfd_store in drivers/usb/usbip/stub_dev.c     allows attackers to cause a denial of service (GPF)     because the stub-up sequence has race conditions during     an update of the local and shared status, aka     CID-9380afd6df70.(CVE-2021-29265)The fix for XSA-365     includes initialization of pointers such that     subsequent cleanup code wouldn't use uninitialized or     stale values. This initialization went too far and may     under certain conditions also overwrite pointers which     are in need of cleaning up. The lack of cleanup would     result in leaking persistent grants. The leak in turn     would prevent fully cleaning up after a respective     guest has died, leaving around zombie domains. All     Linux versions having the fix for XSA-365 applied are     vulnerable. XSA-365 was classified to affect versions     back to at least 3.11.(CVE-2021-28688)An issue was     discovered in the Linux kernel before 5.11.3 when a     webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak     for large arguments, aka     CID-fb18802a338b.(CVE-2021-30002)An issue was     discovered in the Linux kernel before 5.8.10.
    virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev     memory leak upon a kmalloc failure, aka     CID-f65886606c2d.(CVE-2020-36312)An issue was     discovered in the Linux kernel before 5.9.
    arch/x86/kvm/svm/sev.c allows attackers to cause a     denial of service (soft lockup) by triggering     destruction of a large SEV VM (which requires     unregistering many encrypted regions), aka     CID-7be74942f184.(CVE-2020-36311)An issue was     discovered in the Linux kernel before 5.11.11.
    qrtr_recvmsg in net/qrtr/qrtr.c allows attackers to     obtain sensitive information from kernel memory because     of a partially uninitialized data structure, aka     CID-50535249f624.(CVE-2021-29647)An issue was     discovered in the Linux kernel through 5.11.10.
    driverset/ethernet/freescale/gianfar.c in the Freescale     Gianfar Ethernet driver allows attackers to cause a     system crash because a negative fragment size is     calculated in situations involving an rx queue overrun     when jumbo packets are used and NAPI is enabled, aka     CID-d8861bab48b6.(CVE-2021-29264)An out-of-bounds (OOB)     memory access flaw was found in x25_bind in     net/x25/af_x25.c in the Linux kernel version v5.12-rc5.
    A bounds check failure allows a local attacker with a     user account on the system to gain access to     out-of-bounds memory, leading to a system crash or a     leak of internal kernel information. The highest threat     from this vulnerability is to confidentiality,     integrity, as well as system     availability.(CVE-2020-35519)An issue was discovered in     the Linux kernel before 5.11.8. kernel/bpf/verifier.c     has an off-by-one error (with a resultant integer     underflow) affecting out-of-bounds speculation on     pointer arithmetic, leading to side-channel attacks     that defeat Spectre mitigations and obtain sensitive     information from kernel memory, aka     CID-10d2bb2e6b1d.(CVE-2020-27171)An issue was     discovered in the Linux kernel before 5.11.8.
    kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic,     leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from     kernel memory, aka CID-f232326f6966. This affects     pointer types that do not define a     ptr_limit.(CVE-2020-27170)BPF JIT compilers in the     Linux kernel through 5.11.12 have incorrect computation     of branch displacements, allowing them to execute     arbitrary code within the kernel context. This affects     arch/x86 et/bpf_jit_comp.c and arch/x86     et/bpf_jit_comp32.c.(CVE-2021-29154)A race condition in     Linux kernel SCTP sockets (net/sctp/socket.c) before     5.12-rc8 can lead to kernel privilege escalation from     the context of a network service or an unprivileged     process. If sctp_destroy_sock is called without     sock_net(sk)->sctp.addr_wq_lock then an element is     removed from the auto_asconf_splist list without any     proper locking. This can be exploited by an attacker     with network service privileges to escalate to root or     from the context of an unprivileged user directly if a     BPF_CGROUP_INET_SOCK_CREATE is attached which denies     creation of some SCTP socket.(CVE-2021-23133)An issue     was discovered in the FUSE filesystem implementation in     the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf.
    fuse_do_getattr() calls make_bad_inode() in     inappropriate situations, causing a system crash. NOTE:
    the original fix for this vulnerability was incomplete,     and its incompleteness is tracked as     CVE-2021-28950.(CVE-2020-36322)An out-of-bounds (OOB)     memory write flaw was found in list_devices in     drivers/md/dm-ioctl.c in the Multi-device driver module     in the Linux kernel before 5.12. A bound check failure     allows an attacker with special user (CAP_SYS_ADMIN)     privilege to gain access to out-of-bounds memory     leading to a system crash or a leak of internal kernel     information. The highest threat from this vulnerability     is to system availability.(CVE-2021-31916)An issue was     discovered in the Linux kernel through 5.11.x.
    kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic,     leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from     kernel memory. Specifically, for sequences of pointer     arithmetic operations, the pointer modification     performed by the first operation is not correctly     accounted for when restricting subsequent     operations.(CVE-2021-29155)kernel/bpf/verifier.c in the     Linux kernel through 5.12.1 performs undesirable     speculative loads, leading to disclosure of stack     content via side-channel attacks, aka CID-801c6058d14a.
    The specific concern is not protecting the BPF stack     area against speculative loads. Also, the BPF stack can     contain uninitialized data that might represent     sensitive information previously operated on by the     kernel.(CVE-2021-31829)The Linux kernel before 5.11.14     has a use-after-free in cipso_v4_genopt in     net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO     refcounting for the DOI definitions is mishandled, aka     CID-ad5d07f4a9cd. This leads to writing an arbitrary     value.(CVE-2021-33033)kernel/bpf/verifier.c in the     Linux kernel through 5.12.7 enforces incorrect limits     for pointer arithmetic operations, aka     CID-bb01a1bba579. This can be abused to perform     out-of-bounds reads and writes in kernel memory,     leading to local privilege escalation to root. In     particular, there is a corner case where the off reg     causes a masking direction change, which then results     in an incorrect final aux->alu_limit.(CVE-2021-33200)An     issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3444: Fixed an issue with the bpf verifier which did not properly handle mod32 destination register truncation when the source register was known to be 0 leading to out of bounds read (bsc#1184170).

CVE-2021-3428: Fixed an integer overflow in ext4_es_cache_extent (bsc#1173485).

CVE-2021-29647: Fixed an issue in qrtr_recvmsg which could have allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bsc#1184192 ).

CVE-2021-29265: Fixed an issue in usbip_sockfd_store which could have allowed attackers to cause a denial of service due to race conditions during an update of the local and shared status (bsc#1184167).

CVE-2021-29264: Fixed an issue in the Freescale Gianfar Ethernet driver which could have allowed attackers to cause a system crash due to a calculation of negative fragment size (bsc#1184168).

CVE-2021-28972: Fixed a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly (bsc#1184198).

CVE-2021-28971: Fixed an issue in intel_pmu_drain_pebs_nhm which could have caused a system crash because the PEBS status in a PEBS record was mishandled (bsc#1184196 ).

CVE-2021-28964: Fixed a race condition in get_old_root which could have allowed attackers to cause a denial of service (bsc#1184193).

CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1183646).

CVE-2021-28660: Fixed an out of bounds write in rtw_wx_set_scan (bsc#1183593 ).

CVE-2021-28038: Fixed an issue with the netback driver which was lacking necessary treatment of errors such as failed memory allocations (bsc#1183022).

CVE-2021-27365: Fixed an issue where an unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bsc#1182715).

CVE-2021-27364: Fixed an issue where an attacker could craft Netlink messages (bsc#1182717).

CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1182716).

CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747).

CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).

CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).

CVE-2020-35519: Fixed an out-of-bounds memory access was found in x25_bind (bsc#1183696).

CVE-2020-29368,CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access (bsc#1179660, bsc#1179428).

CVE-2020-27815: Fixed an issue in JFS filesystem where could have allowed an attacker to execute code (bsc#1179454).

CVE-2020-27171: Fixed an off-by-one error affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183775).

CVE-2020-27170: Fixed potential side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183686).

CVE-2020-0433: Fixed a use after free due to improper locking which could have led to local escalation of privilege (bsc#1176720).

CVE-2021-3483: Fixed a use-after-free in nosy.c (bsc#1184393).

CVE-2021-30002: Fixed a memory leak for large arguments in video_usercopy (bsc#1184120).

CVE-2021-29154: Fixed incorrect computation of branch displacements, allowing arbitrary code execution (bsc#1184391).

CVE-2021-20219: Fixed a denial of service in n_tty_receive_char_special (bsc#1184397).

CVE-2020-36311: Fixed a denial of service (soft lockup) by triggering destruction of a large SEV VM (bsc#1184511).

CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673: Fixed multiple bugs in NFC subsytem (bsc#1178181).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3444: Fixed an issue with the bpf verifier which did not properly handle mod32 destination register truncation when the source register was known to be 0 leading to out of bounds read (bsc#1184170).

CVE-2021-3428: Fixed an integer overflow in ext4_es_cache_extent (bsc#1173485).

CVE-2021-29647: Fixed an issue in qrtr_recvmsg which could have allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bsc#1184192 ).

CVE-2021-29265: Fixed an issue in usbip_sockfd_store which could have allowed attackers to cause a denial of service due to race conditions during an update of the local and shared status (bsc#1184167).

CVE-2021-29264: Fixed an issue in the Freescale Gianfar Ethernet driver which could have allowed attackers to cause a system crash due to a calculation of negative fragment size (bsc#1184168).

CVE-2021-28972: Fixed a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly (bsc#1184198).

CVE-2021-28971: Fixed an issue in intel_pmu_drain_pebs_nhm which could have caused a system crash because the PEBS status in a PEBS record was mishandled (bsc#1184196 ).

CVE-2021-28964: Fixed a race condition in get_old_root which could have allowed attackers to cause a denial of service (bsc#1184193).

CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1183646).

CVE-2021-28660: Fixed an out of bounds write in rtw_wx_set_scan (bsc#1183593 ).

CVE-2021-28038: Fixed an issue with the netback driver which was lacking necessary treatment of errors such as failed memory allocations (bsc#1183022).

CVE-2021-27365: Fixed an issue where an unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bsc#1182715).

CVE-2021-27364: Fixed an issue where an attacker could craft Netlink messages (bsc#1182717).

CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1182716).

CVE-2020-35519: Fixed an out-of-bounds memory access was found in x25_bind (bsc#1183696).

CVE-2020-27815: Fixed an issue in JFS filesystem where could have allowed an attacker to execute code (bsc#1179454).

CVE-2020-27171: Fixed an off-by-one error affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183775).

CVE-2020-27170: Fixed potential side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183686).

CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).

CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).

CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747).

CVE-2020-29368,CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).

CVE-2020-0433: Fixed a use after free due to improper locking which could have led to local escalation of privilege (bsc#1176720).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4752-1 advisory.

  - Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2     and earlier may allow an unauthenticated user to complete authentication without pairing credentials via     adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or     slave to pair with a previously paired remote device to successfully complete the authentication procedure     without knowing the link key. (CVE-2020-10135)

  - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file     system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash     the system if the directory exists. The highest threat from this vulnerability is to system availability.
    (CVE-2020-14314)

  - Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain     privileges or cause a denial of service by leveraging improper access to a certain error field.
    (CVE-2020-15436)

  - The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init_ports() that allows local users to cause a denial     of service by using the p->serial_in pointer which uninitialized. (CVE-2020-15437)

  - Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of     service via adjacent access. This affects all Linux kernel versions that support BlueZ. (CVE-2020-24490)

  - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers     to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)

  - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap     rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)

  - A flaw was found in the Linux kernel's implementation of biovecs in versions before 5.9-rc7. A zero-length     biovec request issued by the block subsystem could cause the kernel to enter an infinite loop, causing a     denial of service. This flaw allows a local attacker with basic privileges to issue requests to a block     device, resulting in a denial of service. The highest threat from this vulnerability is to system     availability. (CVE-2020-25641)

  - A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption     and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause     the system to crash or cause a denial of service. The highest threat from this vulnerability is to data     confidentiality and integrity as well as system availability. (CVE-2020-25643)

  - A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using     PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of     service. (CVE-2020-25704)

  - An issue was discovered in ioapic_lazy_update_eoi in arch/x86/kvm/ioapic.c in the Linux kernel before     5.9.2. It has an infinite loop related to improper interaction between a resampler and edge triggering,     aka CID-77377064c3a9. (CVE-2020-27152)

  - A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka CID-6735b4632def. (CVE-2020-28915)

  - An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The     copy-on-write implementation can grant unintended write access because of a race condition in a THP     mapcount check, aka CID-c444eb564fb1. (CVE-2020-29368)

  - An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between     certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an     munmap call, aka CID-246c320a8cfe. (CVE-2020-29369)

  - An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4.
    Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd. (CVE-2020-29371)

  - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,     aka CID-c8bcd9c5be24. (CVE-2020-29660)

  - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.
    (CVE-2020-29661)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In create_pinctrl of core.c, there is a possible out of     bounds read due to a use after free. This could lead to     local information disclosure with no additional     execution privileges needed.(CVE-2020-0427)

  - NULL-ptr deref in the spk_ttyio_receive_buf2() function     in spk_ttyio.c.(CVE-2020-27830)

  - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c,     there is a possible use after free due to a logic     error. This could lead to local escalation of privilege     with no additional execution privileges     needed.(CVE-2020-0466)

  - In the nl80211_policy policy of nl80211.c, there is a     possible out of bounds read due to a missing bounds     check. This could lead to local information disclosure     with System execution privileges     needed.(CVE-2020-27068)

  - use-after-free read in sunkbd_reinit in     drivers/input/keyboard/sunkbd.c.(CVE-2020-25669)

  - A flaw was found in the Linux kernels implementation of     MIDI, where an attacker with a local account and the     permissions to issue an ioctl commands to midi devices,     could trigger a use-after-free. A write to this     specific memory while freed and before use could cause     the flow of execution to change and possibly allow for     memory corruption or privilege     escalation.(CVE-2020-27786)

  - An issue was discovered in romfs_dev_read in     fs/romfs/storage.c in the Linux kernel before 5.8.4.
    Uninitialized memory leaks to userspace, aka     CID-bcf85fcedfdd.(CVE-2020-29371)

  - A slab-out-of-bounds read in fbcon in the Linux kernel     before 5.9.7 could be used by local attackers to read     privileged information or potentially crash the kernel,     aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for     manipulations such as font height.(CVE-2020-28974)

  - A locking inconsistency issue was discovered in the tty     subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may     allow a read-after-free attack against TIOCGSID, aka     CID-c8bcd9c5be24.(CVE-2020-29660)

  - A locking issue was discovered in the tty subsystem of     the Linux kernel through 5.9.13.
    drivers/tty/tty_jobctrl.c allows a use-after-free     attack against TIOCSPGRP, aka     CID-54ffccbf053b.(CVE-2020-29661)

  - An issue was discovered in     drivers/accessibility/speakup/spk_ttyio.c in the Linux     kernel through 5.9.9. Local attackers on systems with     the speakup driver could cause a local denial of     service attack, aka CID-d41227544427. This occurs     because of an invalid free when the line discipline is     used more than once.(CVE-2020-28941)

  - A buffer over-read (at the framebuffer layer) in the     fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka     CID-6735b4632def.(CVE-2020-28915)

  - A flaw in the way reply ICMP packets are limited in the     Linux kernel functionality was found that allows to     quickly scan open UDP ports. This flaw allows an     off-path remote user to effectively bypassing source     port UDP randomization. The highest threat from this     vulnerability is to confidentiality and possibly     integrity, because software that relies on UDP source     port randomization are indirectly affected as well.
    Kernel versions before 5.10 may be vulnerable to this     issue.(CVE-2020-25705)

  - race condition in fg_console can lead to use-after-free     in con_font_op.(CVE-2020-25668)

  - The Linux kernel before version 5.8 is vulnerable to a     NULL pointer dereference in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
    _ports() that allows local users to cause a denial of     service by using the p->serial_in pointer which     uninitialized.(CVE-2020-15437)

  - An issue was discovered in the Linux kernel through     5.9.1, as used with Xen through 4.14.x. Guest OS users     can cause a denial of service (host OS hang) via a high     rate of events to dom0, aka     CID-e99502f76271.(CVE-2020-27673)

  - An issue was discovered in __split_huge_pmd in     mm/huge_memory.c in the Linux kernel before 5.7.5. The     copy-on-write implementation can grant unintended write     access because of a race condition in a THP mapcount     check, aka CID-c444eb564fb1.(CVE-2020-29368)

  - An issue was discovered in the Linux kernel through     5.9.1, as used with Xen through 4.14.x.
    drivers/xen/events/events_base.c allows event-channel     removal during the event-handling loop (a race     condition). This can cause a use-after-free or NULL     pointer dereference, as demonstrated by a dom0 crash     via events for an in-reconfiguration paravirtualized     device, aka CID-073d0552ead5.(CVE-2020-27675)

  - A flaw was found in the way RTAS handled memory     accesses in userspace to kernel communication. On a     locked down (usually due to Secure Boot) guest system     running on top of PowerVM or KVM hypervisors (pseries     platform) a root like local user could use this flaw to     further increase their privileges to that of a running     kernel.(CVE-2020-27777)

  - There is a memory leak in     perf_event_parse_addr_filter.(CVE-2020-25704)

  - Insufficient access control in the Linux kernel driver     for some Intel(R) Processors may allow an authenticated     user to potentially enable information disclosure via     local access.(CVE-2020-8694)

  - A flaw was found in the Linux kernel. A use-after-free     was found in the way the console subsystem was using     ioctls KDGKBSENT and KDSKBSENT. A local user could use     this flaw to get read memory access out of bounds. The     highest threat from this vulnerability is to data     confidentiality.(CVE-2020-25656)

  - In kbd_keycode of keyboard.c, there is a possible out     of bounds write due to a missing bounds check. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-144161459(CVE-2020-0431)

  - A flaw was found in the HDLC_PPP module of the Linux     kernel in versions before 5.9-rc7. Memory corruption     and a read overflow is caused by improper input     validation in the ppp_cp_parse_cr function which can     cause the system to crash or cause a denial of service.
    The highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-25643)

  - A flaw was found in the Linux kernel in versions before     5.9-rc7. Traffic between two Geneve endpoints may be     unencrypted when IPsec is configured to encrypt traffic     for the specific UDP port used by the GENEVE tunnel     allowing anyone between the two endpoints to read the     traffic unencrypted. The main threat from this     vulnerability is to data     confidentiality.(CVE-2020-25645)

  - An information leak flaw was found in the way the Linux     kernel's Bluetooth stack implementation handled     initialization of stack memory when handling certain     AMP packets. A remote attacker in adjacent range could     use this flaw to leak small portions of stack memory on     the system by sending a specially crafted AMP packets.
    The highest threat from this vulnerability is to data     confidentiality.(CVE-2020-12352)

  - A flaw was found in the way the Linux kernel Bluetooth     implementation handled L2CAP packets with A2MP CID. A     remote attacker in adjacent range could use this flaw     to crash the system causing denial of service or     potentially execute arbitrary code on the system by     sending a specially crafted L2CAP packet. The highest     threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-12351)

  - A missing CAP_NET_RAW check in NFC socket creation in     net/nfc/rawsock.c in the Linux kernel before 5.8.2     could be used by local attackers to create raw sockets,     bypassing security mechanisms, aka     CID-26896f01467a.(CVE-2020-26088)

  - A flaw was found in the Linux kernel's implementation     of biovecs in versions before 5.9-rc7. A zero-length     biovec request issued by the block subsystem could     cause the kernel to enter an infinite loop, causing a     denial of service. This flaw allows a local attacker     with basic privileges to issue requests to a block     device, resulting in a denial of service. The highest     threat from this vulnerability is to system     availability.(CVE-2020-25641)

  - In skb_to_mamac of networking.c, there is a possible     out of bounds write due to an integer overflow. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-143560807(CVE-2020-0432)

  - A TOCTOU mismatch in the NFS client code in the Linux     kernel before 5.8.3 could be used by local attackers to     corrupt memory or possibly have unspecified other     impact because a size check is in fs/ nfs/ nfs4proc.c     instead of fs/ nfs/ nfs4xdr.c, aka     CID-b4487b935452..(CVE-2020-25212)

  - A flaw was found in the Linux kernel before 5.9-rc4. A     failure of the file system metadata validator in XFS     can cause an inode with a valid, user-creatable     extended attribute to be flagged as corrupt. This can     lead to the filesystem being shutdown, or otherwise     rendered inaccessible until it is remounted, leading to     a denial of service. The highest threat from this     vulnerability is to system     availability.(CVE-2020-14385)

  - In uvc_scan_chain_forward of uvc_driver.c, there is a     possible linked list corruption due to an unusual root     cause. This could lead to local escalation of privilege     in the kernel with no additional execution privileges     needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-111893654References: Upstream     kernel(CVE-2020-0404)

  - The rbd block device driver in drivers/block/rbd.c in     the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which     could be leveraged by local attackers to map or unmap     rbd block devices, aka     CID-f44d04e696fe.(CVE-2020-25284)

  - A race condition between hugetlb sysctl handlers in     mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL     pointer dereference, or possibly have unspecified other     impact, aka CID-17743798d812.(CVE-2020-25285)

  - A memory out-of-bounds read flaw was found in the Linux     kernel before 5.9-rc2 with the ext3/ext4 file system,     in the way it accesses a directory with broken     indexing. This flaw allows a local user to crash the     system if the directory exists. The highest threat from     this vulnerability is to system     availability.(CVE-2020-14314)

  - A flaw was found in the Linux kernel before 5.9-rc4.
    Memory corruption can be exploited to gain root     privileges from unprivileged processes. The highest     threat from this vulnerability is to data     confidentiality and integrity.(CVE-2020-14386)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP2 kernel RT was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).

CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).

CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747). by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).

CVE-2020-12362: Fixed an integer overflow in the firmware which may have allowed a privileged user to potentially enable an escalation of privilege via local access (bsc#1181720).

CVE-2020-12363: Fixed an improper input validation which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181735).

CVE-2020-12364: Fixed a NULL pointer reference which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181736 ).

CVE-2020-12373: Fixed an expired pointer dereference which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181738).

CVE-2020-29368,CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).

CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).

CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747). by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).

CVE-2020-29368,CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).

CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).

CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747). by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).

CVE-2020-12362: Fixed an integer overflow in the firmware which may have allowed a privileged user to potentially enable an escalation of privilege via local access (bsc#1181720).

CVE-2020-12363: Fixed an improper input validation which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181735).

CVE-2020-12364: Fixed a NULL pointer reference which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181736 ).

CVE-2020-12373: Fixed an expired pointer dereference which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181738).

CVE-2020-29368,CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).

CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).

CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747). by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).

CVE-2020-29368,CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c,     there is a possible use after free due to a logic     error. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-147802478References: Upstream kernel(CVE-2020-0466)

  - In the l2tp subsystem, there is a possible use after     free due to a race condition. This could lead to local     escalation of privilege with System execution     privileges needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-152409173(CVE-2020-27067)

  - In the nl80211_policy policy of nl80211.c, there is a     possible out of bounds read due to a missing bounds     check. This could lead to local information disclosure     with System execution privileges needed. User     interaction is not required for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-119770583(CVE-2020-27068)

  - In audit_free_lsm_field of auditfilter.c, there is a     possible bad kfree due to a logic error in     audit_data_to_entry. This could lead to local     escalation of privilege with no additional execution     privileges needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-150693166References: Upstream     kernel(CVE-2020-0444)

  - In various methods of hid-multitouch.c, there is a     possible out of bounds write due to a missing bounds     check. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-162844689References: Upstream kernel(CVE-2020-0465)

  - Use-after-free vulnerability in fs/block_dev.c in the     Linux kernel before 5.8 allows local users to gain     privileges or cause a denial of service by leveraging     improper access to a certain error     field.(CVE-2020-15436)

  - The Linux kernel before version 5.8 is vulnerable to a     NULL pointer dereference in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
    _ports() that allows local users to cause a denial of     service by using the p->serial_in pointer which     uninitialized.(CVE-2020-15437)

  - A flaw was found in the Linux kernels implementation of     MIDI, where an attacker with a local account and the     permissions to issue an ioctl commands to midi devices,     could trigger a use-after-free. A write to this     specific memory while freed and before use could cause     the flow of execution to change and possibly allow for     memory corruption or privilege     escalation.(CVE-2020-27786)

  - No description is available for this     CVE.(CVE-2020-27815)

  - NULL-ptr deref in the spk_ttyio_receive_buf2() function     in spk_ttyio.c(CVE-2020-27830)

  - An issue was discovered in __split_huge_pmd in     mm/huge_memory.c in the Linux kernel before 5.7.5. The     copy-on-write implementation can grant unintended write     access because of a race condition in a THP mapcount     check, aka CID-c444eb564fb1.(CVE-2020-29368)

  - An issue was discovered in kmem_cache_alloc_bulk in     mm/slub.c in the Linux kernel before 5.5.11. The     slowpath lacks the required TID increment, aka     CID-fd4d9c7d0c71.(CVE-2020-29370)

  - An issue was discovered in romfs_dev_read in     fs/romfs/storage.c in the Linux kernel before 5.8.4.
    Uninitialized memory leaks to userspace, aka     CID-bcf85fcedfdd.(CVE-2020-29371)

  - A locking inconsistency issue was discovered in the tty     subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may     allow a read-after-free attack against TIOCGSID, aka     CID-c8bcd9c5be24.(CVE-2020-29660)

  - A locking issue was discovered in the tty subsystem of     the Linux kernel through 5.9.13.
    drivers/tty/tty_jobctrl.c allows a use-after-free     attack against TIOCSPGRP, aka     CID-54ffccbf053b.(CVE-2020-29661)

  - A slab-out-of-bounds read in fbcon in the Linux kernel     before 5.9.7 could be used by local attackers to read     privileged information or potentially crash the kernel,     aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for     manipulations such as font height.(CVE-2020-28974)

  - An issue was discovered in the Linux kernel through     5.9.1, as used with Xen through 4.14.x. Guest OS users     can cause a denial of service (host OS hang) via a high     rate of events to dom0, aka     CID-e99502f76271.(CVE-2020-27673)

  - An issue was discovered in     drivers/accessibility/speakup/spk_ttyio.c in the Linux     kernel through 5.9.9. Local attackers on systems with     the speakup driver could cause a local denial of     service attack, aka CID-d41227544427. This occurs     because of an invalid free when the line discipline is     used more than once.(CVE-2020-28941)

  - An issue was discovered in the Linux kernel through     5.9.1, as used with Xen through 4.14.x.
    drivers/xen/events/events_base.c allows event-channel     removal during the event-handling loop (a race     condition). This can cause a use-after-free or NULL     pointer dereference, as demonstrated by a dom0 crash     via events for an in-reconfiguration paravirtualized     device, aka CID-073d0552ead5.(CVE-2020-27675)

  - A buffer over-read (at the framebuffer layer) in the     fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka     CID-6735b4632def.(CVE-2020-28915)

  - A flaw was found in the Linux kernel. A use-after-free     memory flaw was found in the perf subsystem allowing a     local attacker with permission to monitor perf events     to corrupt memory and possibly escalate privileges. The     highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-14351)

  - A flaw in the way reply ICMP packets are limited in the     Linux kernel functionality was found that allows to     quickly scan open UDP ports. This flaw allows an     off-path remote user to effectively bypassing source     port UDP randomization. The highest threat from this     vulnerability is to confidentiality and possibly     integrity, because software that relies on UDP source     port randomization are indirectly affected as well.
    Kernel versions before 5.10 may be vulnerable to this     issue.(CVE-2020-25705)

  - No description is available for this     CVE.(CVE-2020-25668)

  - No description is available for this     CVE.(CVE-2020-25669)

  - A flaw was found in the way RTAS handled memory     accesses in userspace to kernel communication. On a     locked down (usually due to Secure Boot) guest system     running on top of PowerVM or KVM hypervisors (pseries     platform) a root like local user could use this flaw to     further increase their privileges to that of a running     kernel.(CVE-2020-27777)

  - kernel: perf_event_parse_addr_filter     memory(CVE-2020-25704)

  - Insufficient access control in the Linux kernel driver     for some Intel(R) Processors may allow an authenticated     user to potentially enable information disclosure via     local access.(CVE-2020-8694)

  - A flaw was found in the Linux kernel. A use-after-free     was found in the way the console subsystem was using     ioctls KDGKBSENT and KDSKBSENT. A local user could use     this flaw to get read memory access out of bounds. The     highest threat from this vulnerability is to data     confidentiality.(CVE-2020-25656)

  - In kbd_keycode of keyboard.c, there is a possible out     of bounds write due to a missing bounds check. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-144161459(CVE-2020-0431)

  - A flaw was found in the HDLC_PPP module of the Linux     kernel in versions before 5.9-rc7. Memory corruption     and a read overflow is caused by improper input     validation in the ppp_cp_parse_cr function which can     cause the system to crash or cause a denial of service.
    The highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-25643)

  - A flaw was found in the Linux kernel in versions before     5.9-rc7. Traffic between two Geneve endpoints may be     unencrypted when IPsec is configured to encrypt traffic     for the specific UDP port used by the GENEVE tunnel     allowing anyone between the two endpoints to read the     traffic unencrypted. The main threat from this     vulnerability is to data     confidentiality.(CVE-2020-25645)

  - Vulnerability Summary for     CVE-2020-12351(CVE-2020-12351)

  - Vulnerability Summary for     CVE-2020-12352(CVE-2020-12352)

  - Vulnerability Summary for     CVE-2020-24490(CVE-2020-24490)

  - A missing CAP_NET_RAW check in NFC socket creation in     net/nfc/rawsock.c in the Linux kernel before 5.8.2     could be used by local attackers to create raw sockets,     bypassing security mechanisms, aka     CID-26896f01467a.(CVE-2020-26088)

  - A flaw was found in the Linux kernel's implementation     of biovecs in versions before 5.9-rc7. A zero-length     biovec request issued by the block subsystem could     cause the kernel to enter an infinite loop, causing a     denial of service. This flaw allows a local attacker     with basic privileges to issue requests to a block     device, resulting in a denial of service. The highest     threat from this vulnerability is to system     availability.(CVE-2020-25641)

  - In skb_to_mamac of networking.c, there is a possible     out of bounds write due to an integer overflow. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-143560807(CVE-2020-0432)

  - A race condition between hugetlb sysctl handlers in     mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL     pointer dereference, or possibly have unspecified other     impact, aka CID-17743798d812.(CVE-2020-25285)

  - A flaw was found in the Linux kernel in versions from     2.2.3 through 5.9.rc5. When changing screen size, an     out-of-bounds memory write can occur leading to memory     corruption or a denial of service. This highest threat     from this vulnerability is to system     availability.(CVE-2020-14390)

  - A flaw was found in the Linux kernel before 5.9-rc4.
    Memory corruption can be exploited to gain root     privileges from unprivileged processes. The highest     threat from this vulnerability is to data     confidentiality and integrity.(CVE-2020-14386)

  - Insufficient input validation in i40e driver for     Intel(R) Ethernet 700 Series Controllers versions     before 7.0 may allow an authenticated user to     potentially enable a denial of service via local     access.(CVE-2019-0147)

  - A TOCTOU mismatch in the NFS client code in the Linux     kernel before 5.8.3 could be used by local attackers to     corrupt memory or possibly have unspecified other     impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka     CID-b4487b935452.(CVE-2020-25212)

  - A flaw was found in the Linux kernel before 5.9-rc4. A     failure of the file system metadata validator in XFS     can cause an inode with a valid, user-creatable     extended attribute to be flagged as corrupt. This can     lead to the filesystem being shutdown, or otherwise     rendered inaccessible until it is remounted, leading to     a denial of service. The highest threat from this     vulnerability is to system     availability.(CVE-2020-14385)

  - In uvc_scan_chain_forward of uvc_driver.c, there is a     possible linked list corruption due to an unusual root     cause. This could lead to local escalation of privilege     in the kernel with no additional execution privileges     needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-111893654References: Upstream     kernel(CVE-2020-0404)

  - The rbd block device driver in drivers/block/rbd.c in     the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which     could be leveraged by local attackers to map or unmap     rbd block devices, aka     CID-f44d04e696fe.(CVE-2020-25284)

  - A memory out-of-bounds read flaw was found in the Linux     kernel before 5.9-rc2 with the ext3/ext4 file system,     in the way it accesses a directory with broken     indexing. This flaw allows a local user to crash the     system if the directory exists. The highest threat from     this vulnerability is to system     availability.(CVE-2020-14314)

  - A flaw null pointer dereference in the Linux kernel     cgroupv2 subsystem in versions before 5.7.10 was found     in the way when reboot the system. A local user could     use this flaw to crash the system or escalate their     privileges on the system.(CVE-2020-24394)

  - A flaw was found in the Linux kernel's implementation     of the invert video code on VGA consoles when a local     attacker attempts to resize the console, calling an     ioctl VT_RESIZE, which causes an out-of-bounds write to     occur. This flaw allows a local user with access to the     VGA console to crash the system, potentially escalating     their privileges on the system. The highest threat from     this vulnerability is to data confidentiality and     integrity as well as system     availability.(CVE-2020-14331)

  - The Linux kernel, as used in Red Hat Enterprise Linux     7, kernel-rt, and Enterprise MRG 2 and when booted with     UEFI Secure Boot enabled, allows local users to bypass     intended securelevel/secureboot restrictions by     leveraging improper handling of secure_boot flag across     kexec reboot.(CVE-2015-7837)

  - In the Linux kernel through 5.8.7, local attackers able     to inject conntrack netlink configuration could     overflow a local buffer, causing crashes or triggering     use of incorrect protocol numbers in     ctnetlink_parse_tuple_filter in     net/netfilter/nf_conntrack_netlink.c, aka     CID-1cc5ef91d2ff.(CVE-2020-25211)

  - A flaw null pointer dereference in the Linux kernel     cgroupv2 subsystem in versions before 5.7.10 was found     in the way when reboot the system. A local user could     use this flaw to crash the system or escalate their     privileges on the system.(CVE-2020-14356)

  - Buffer overflow in i40e driver for Intel(R) Ethernet     700 Series Controllers versions before 7.0 may allow an     authenticated user to potentially enable an escalation     of privilege via local access.(CVE-2019-0145)

  - The Linux kernel through 5.7.11 allows remote attackers     to make observations that help to obtain sensitive     information about the internal state of the network     RNG, aka CID-f227e3ec3b5c. This is related to     drivers/char/random.c and     kernel/time/timer.c.(CVE-2020-16166)

  - The VFIO PCI driver in the Linux kernel through 5.6.13     mishandles attempts to access disabled memory     space.(CVE-2020-12888)

  - In the Linux kernel through 5.7.6, usbtest_disconnect     in drivers/usb/misc/usbtest.c has a memory leak, aka     CID-28ebeb8db770.(CVE-2020-15393)

  - A logic bug was found in the Linux kernels     implementation of SSBD. A bug in the logic handling can     allow an attacker with a local account to disable SSBD     protection during a context switch when additional     speculative execution mitigations are in     place.(CVE-2020-10766)

  - The prctl() function can be used to enable indirect     branch speculation even after it has been disabled.
    This same call will incorrectly report it being 'force     disabled' when it is not.(CVE-2020-10768)

  - A flaw was found in the Linux kernel's implementation     of the Enhanced IBPB (Indirect Branch Prediction     Barrier). The IBPB mitigation will be disabled when     STIBP is not available or when the Enhanced Indirect     Branch Restricted Speculation (IBRS) is available. This     flaw allows a local attacker to perform a Spectre V2     style attack when this configuration is active. The     highest threat from this vulnerability is to     confidentiality.(CVE-2020-10767)

  - A flaw was found in the ZRAM kernel module, where a     user with a local account and the ability to read the     /sys/class/zram-control/hot_add file can create ZRAM     device nodes in the /dev/ directory. This read     allocates kernel memory and is not accounted for a user     that triggers the creation of that ZRAM device. With     this vulnerability, continually reading the device may     consume a large amount of system memory and cause the     Out-of-Memory (OOM) killer to activate and terminate     random userspace processes, possibly making the system     inoperable.(CVE-2020-10781)

  - A flaw was found in the Linux kernel. An index buffer     overflow during Direct IO write leading to the NFS     client to crash. In some cases, a reach out of the     index after one memory allocation by kmalloc will cause     a kernel panic. The highest threat from this     vulnerability is to data confidentiality and system     availability.(CVE-2020-10742)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 kernel was updated receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).

CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).

CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747). by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).

CVE-2020-29368,CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):In do_epoll_ctl and     ep_loop_check_proc of eventpoll.c, there is a possible     use after free due to a logic error. This could lead to     local escalation of privilege with no additional     execution privileges needed.(CVE-2020-0466)In the l2tp     subsystem, there is a possible use after free due to a     race condition. This could lead to local escalation of     privilege with System execution privileges     needed.(CVE-2020-27067)In the nl80211_policy policy of     nl80211.c, there is a possible out of bounds read due     to a missing bounds check. This could lead to local     information disclosure with System execution privileges     needed.(CVE-2020-27068)In audit_free_lsm_field of     auditfilter.c, there is a possible bad kfree due to a     logic error in audit_data_to_entry. This could lead to     local escalation of privilege with no additional     execution privileges needed.(CVE-2020-0444)In various     methods of hid-multitouch.c, there is a possible out of     bounds write due to a missing bounds check. This could     lead to local escalation of privilege with no     additional execution privileges     needed.(CVE-2020-0465)Use-after-free vulnerability in     fs/block_dev.c in the Linux kernel before 5.8 allows     local users to gain privileges or cause a denial of     service by leveraging improper access to a certain     error field.(CVE-2020-15436)The Linux kernel before     version 5.8 is vulnerable to a NULL pointer dereference     in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
    _ports() that allows local users to cause a denial of     service by using the p->serial_in pointer which     uninitialized.(CVE-2020-15437)A flaw was found in the     Linux kernels implementation of MIDI, where an attacker     with a local account and the permissions to issue an     ioctl commands to midi devices, could trigger a     use-after-free. A write to this specific memory while     freed and before use could cause the flow of execution     to change and possibly allow for memory corruption or     privilege escalation.(CVE-2020-27786)Array index out of     bounds access when setting extended attributes on     journaling filesystems.(CVE-2020-27815)NULL-ptr deref     in the spk_ttyio_receive_buf2() function in     spk_ttyio.c(CVE-2020-27830)An issue was discovered in
    __split_huge_pmd in mm/huge_memory.c in the Linux     kernel before 5.7.5. The copy-on-write implementation     can grant unintended write access because of a race     condition in a THP mapcount check, aka     CID-c444eb564fb1.(CVE-2020-29368)An issue was     discovered in kmem_cache_alloc_bulk in mm/slub.c in the     Linux kernel before 5.5.11. The slowpath lacks the     required TID increment, aka     CID-fd4d9c7d0c71.(CVE-2020-29370)An issue was     discovered in romfs_dev_read in fs/romfs/storage.c in     the Linux kernel before 5.8.4. Uninitialized memory     leaks to userspace, aka     CID-bcf85fcedfdd.(CVE-2020-29371)A locking     inconsistency issue was discovered in the tty subsystem     of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may     allow a read-after-free attack against TIOCGSID, aka     CID-c8bcd9c5be24.(CVE-2020-29660)A locking issue was     discovered in the tty subsystem of the Linux kernel     through 5.9.13. drivers/tty/tty_jobctrl.c allows a     use-after-free attack against TIOCSPGRP, aka     CID-54ffccbf053b.(CVE-2020-29661)A slab-out-of-bounds     read in fbcon in the Linux kernel before 5.9.7 could be     used by local attackers to read privileged information     or potentially crash the kernel, aka CID-3c4e0dff2095.
    This occurs because KD_FONT_OP_COPY in     drivers/tty/vt/vt.c can be used for manipulations such     as font height.(CVE-2020-28974) An issue was discovered     in the Linux kernel through 5.9.1, as used with Xen     through 4.14.x. Guest OS users can cause a denial of     service (host OS hang) via a high rate of events to     dom0, aka CID-e99502f76271.(CVE-2020-27673)An issue was     discovered in drivers/accessibility/speakup/spk_ttyio.c     in the Linux kernel through 5.9.9. Local attackers on     systems with the speakup driver could cause a local     denial of service attack, aka CID-d41227544427. This     occurs because of an invalid free when the line     discipline is used more than once.(CVE-2020-28941)An     issue was discovered in the Linux kernel through 5.9.1,     as used with Xen through 4.14.x.
    drivers/xen/events/events_base.c allows event-channel     removal during the event-handling loop (a race     condition). This can cause a use-after-free or NULL     pointer dereference, as demonstrated by a dom0 crash     via events for an in-reconfiguration paravirtualized     device, aka CID-073d0552ead5.(CVE-2020-27675)A buffer     over-read (at the framebuffer layer) in the fbcon code     in the Linux kernel before 5.8.15 could be used by     local attackers to read kernel memory, aka     CID-6735b4632def.(CVE-2020-28915)A flaw was found in     the Linux kernel. A use-after-free memory flaw was     found in the perf subsystem allowing a local attacker     with permission to monitor perf events to corrupt     memory and possibly escalate privileges. The highest     threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-14351)A flaw in the way reply     ICMP packets are limited in the Linux kernel     functionality was found that allows to quickly scan     open UDP ports. This flaw allows an off-path remote     user to effectively bypassing source port UDP     randomization. The highest threat from this     vulnerability is to confidentiality and possibly     integrity, because software that relies on UDP source     port randomization are indirectly affected as well.
    Kernel versions before 5.10 may be vulnerable to this     issue.(CVE-2020-25705)race condition in fg_console can     lead to use-after-free in     con_font_op.(CVE-2020-25668)use-after-free read in     sunkbd_reinit in     drivers/input/keyboard/sunkbd.c.(CVE-2020-25669)A flaw     was found in the way RTAS handled memory accesses in     userspace to kernel communication. On a locked down     (usually due to Secure Boot) guest system running on     top of PowerVM or KVM hypervisors (pseries platform) a     root like local user could use this flaw to further     increase their privileges to that of a running     kernel.(CVE-2020-27777)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):In create_pinctrl of     core.c, there is a possible out of bounds read due to a     use after free. This could lead to local information     disclosure with no additional execution privileges     needed.(CVE-2020-0427)NULL-ptr deref in the     spk_ttyio_receive_buf2() function in     spk_ttyio.c.(CVE-2020-27830)In do_epoll_ctl and     ep_loop_check_proc of eventpoll.c, there is a possible     use after free due to a logic error. This could lead to     local escalation of privilege with no additional     execution privileges needed.(CVE-2020-0466)In the     nl80211_policy policy of nl80211.c, there is a possible     out of bounds read due to a missing bounds check. This     could lead to local information disclosure with System     execution privileges     needed.(CVE-2020-27068)use-after-free read in     sunkbd_reinit in     drivers/input/keyboard/sunkbd.c.(CVE-2020-25669)A flaw     was found in the Linux kernels implementation of MIDI,     where an attacker with a local account and the     permissions to issue an ioctl commands to midi devices,     could trigger a use-after-free. A write to this     specific memory while freed and before use could cause     the flow of execution to change and possibly allow for     memory corruption or privilege     escalation.(CVE-2020-27786)An issue was discovered in     romfs_dev_read in fs/romfs/storage.c in the Linux     kernel before 5.8.4. Uninitialized memory leaks to     userspace, aka CID-bcf85fcedfdd.(CVE-2020-29371)A     slab-out-of-bounds read in fbcon in the Linux kernel     before 5.9.7 could be used by local attackers to read     privileged information or potentially crash the kernel,     aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for     manipulations such as font height.(CVE-2020-28974)A     locking inconsistency issue was discovered in the tty     subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may     allow a read-after-free attack against TIOCGSID, aka     CID-c8bcd9c5be24.(CVE-2020-29660)A locking issue was     discovered in the tty subsystem of the Linux kernel     through 5.9.13. drivers/tty/tty_jobctrl.c allows a     use-after-free attack against TIOCSPGRP, aka     CID-54ffccbf053b.(CVE-2020-29661)An issue was     discovered in drivers/accessibility/speakup/spk_ttyio.c     in the Linux kernel through 5.9.9. Local attackers on     systems with the speakup driver could cause a local     denial of service attack, aka CID-d41227544427. This     occurs because of an invalid free when the line     discipline is used more than once.(CVE-2020-28941)A     buffer over-read (at the framebuffer layer) in the     fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka     CID-6735b4632def.(CVE-2020-28915)A flaw in the way     reply ICMP packets are limited in the Linux kernel     functionality was found that allows to quickly scan     open UDP ports. This flaw allows an off-path remote     user to effectively bypassing source port UDP     randomization. The highest threat from this     vulnerability is to confidentiality and possibly     integrity, because software that relies on UDP source     port randomization are indirectly affected as well.
    Kernel versions before 5.10 may be vulnerable to this     issue.(CVE-2020-25705)race condition in fg_console can     lead to use-after-free in     con_font_op.(CVE-2020-25668)The Linux kernel before     version 5.8 is vulnerable to a NULL pointer dereference     in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
    _ports() that allows local users to cause a denial of     service by using the p->serial_in pointer which     uninitialized.(CVE-2020-15437)An issue was discovered     in the Linux kernel through 5.9.1, as used with Xen     through 4.14.x. Guest OS users can cause a denial of     service (host OS hang) via a high rate of events to     dom0, aka CID-e99502f76271.(CVE-2020-27673)An issue was     discovered in __split_huge_pmd in mm/huge_memory.c in     the Linux kernel before 5.7.5. The copy-on-write     implementation can grant unintended write access     because of a race condition in a THP mapcount check,     aka CID-c444eb564fb1.(CVE-2020-29368)An issue was     discovered in the Linux kernel through 5.9.1, as used     with Xen through 4.14.x.
    drivers/xen/events/events_base.c allows event-channel     removal during the event-handling loop (a race     condition). This can cause a use-after-free or NULL     pointer dereference, as demonstrated by a dom0 crash     via events for an in-reconfiguration paravirtualized     device, aka CID-073d0552ead5.(CVE-2020-27675)A flaw was     found in the way RTAS handled memory accesses in     userspace to kernel communication. On a locked down     (usually due to Secure Boot) guest system running on     top of PowerVM or KVM hypervisors (pseries platform) a     root like local user could use this flaw to further     increase their privileges to that of a running     kernel.(CVE-2020-27777)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):An issue was discovered in
    __split_huge_pmd in mm/huge_memory.c in the Linux     kernel before 5.7.5. The copy-on-write implementation     can grant unintended write access because of a race     condition in a THP mapcount check, aka     CID-c444eb564fb1.(CVE-2020-29368)An issue was     discovered in kmem_cache_alloc_bulk in mm/slub.c in the     Linux kernel before 5.5.11. The slowpath lacks the     required TID increment, aka     CID-fd4d9c7d0c71.(CVE-2020-29370)An issue was     discovered in romfs_dev_read in fs/romfs/storage.c in     the Linux kernel before 5.8.4. Uninitialized memory     leaks to userspace, aka     CID-bcf85fcedfdd.(CVE-2020-29371)An issue was     discovered in the Linux kernel before 5.2.6. On NUMA     systems, the Linux fair scheduler has a use-after-free     in show_numa_stats() because NUMA fault statistics are     inappropriately freed, aka     CID-16d51a590a8c.(CVE-2019-20934)kernel:use-after-free     read in sunkbd_reinit in     drivers/input/keyboard/sunkbd.c(CVE-2020-25669)A buffer     over-read (at the framebuffer layer) in the fbcon code     in the Linux kernel before 5.8.15 could be used by     local attackers to read kernel memory, aka     CID-6735b4632def.(CVE-2020-28915)IBM Power9 (AIX 7.1,     7.2, and VIOS 3.1) processors could allow a local user     to obtain sensitive information from the data in the L1     cache under extenuating circumstances. IBM X-Force ID:
    189296.(CVE-2020-4788)kernel: powerpc: RTAS calls can     be used to compromise kernel     integrity(CVE-2020-27777)There is a use-after-free in     kernel versions before 5.5 due to a race condition     between the release of ptp_clock and cdev while     resource deallocation. When a (high privileged) process     allocates a ptp device file (like /dev/ptpX) and     voluntarily goes to sleep. During this time if the     underlying device is removed, it can cause an     exploitable condition as the process wakes up to     terminate and clean all attached files. The system     crashes due to the cdev structure being invalid (as     already freed) which is pointed to by the     inode.(CVE-2020-10690)An issue was discovered in the     Linux kernel through 5.9.1, as used with Xen through     4.14.x. Guest OS users can cause a denial of service     (host OS hang) via a high rate of events to dom0, aka     CID-e99502f76271.(CVE-2020-27673)An issue was     discovered in the Linux kernel through 5.9.1, as used     with Xen through 4.14.x.
    drivers/xen/events/events_base.c allows event-channel     removal during the event-handling loop (a race     condition). This can cause a use-after-free or NULL     pointer dereference, as demonstrated by a dom0 crash     via events for an in-reconfiguration paravirtualized     device, aka CID-073d0552ead5.(CVE-2020-27675)A flaw     memory leak in the Linux kernel performance monitoring     subsystem was found in the way if using     PERF_EVENT_IOC_SET_FILTER. A local user could use this     flaw to starve the resources causing denial of     service.(CVE-2020-25704)Insufficient access control in     the Linux kernel driver for some Intel(R) Processors     may allow an authenticated user to potentially enable     information disclosure via local     access.(CVE-2020-8694)kernel: race condition in     fg_console can lead to use-after-free in     con_font_op(CVE-2020-25668)A flaw in the way reply ICMP     packets are limited in the Linux kernel functionality     was found that allows to quickly scan open UDP ports.
    This flaw allows an off-path remote user to effectively     bypassing source port UDP randomization. The highest     threat from this vulnerability is to confidentiality     and possibly integrity, because software that relies on     UDP source port randomization are indirectly affected     as well. Kernel versions before 5.10 may be vulnerable     to this issue.(CVE-2020-25705)A slab-out-of-bounds read     in fbcon in the Linux kernel before 5.9.7 could be used     by local attackers to read privileged information or     potentially crash the kernel, aka CID-3c4e0dff2095.
    This occurs because KD_FONT_OP_COPY in     drivers/tty/vt/vt.c can be used for manipulations such     as font height.(CVE-2020-28974)A flaw was found in the     Linux kernel. A use-after-free was found in the way the     console subsystem was using ioctls KDGKBSENT and     KDSKBSENT. A local user could use this flaw to get read     memory access out of bounds. The highest threat from     this vulnerability is to data     confidentiality.(CVE-2020-25656)In kbd_keycode of     keyboard.c, there is a possible out of bounds write due     to a missing bounds check. This could lead to local     escalation of privilege with no additional execution     privileges needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-144161459(CVE-2020-0431)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
155425	Oracle Linux 8 : kernel (ELSA-2021-4356)	Nessus	Oracle Linux Local Security Checks	high
155219	RHEL 8 : kernel (RHSA-2021:4356)	Nessus	Red Hat Local Security Checks	high
155172	RHEL 8 : kernel-rt (RHSA-2021:4140)	Nessus	Red Hat Local Security Checks	high
155145	CentOS 8 : kernel (CESA-2021:4356)	Nessus	CentOS Local Security Checks	high
155070	CentOS 8 : kernel-rt (CESA-2021:4140)	Nessus	CentOS Local Security Checks	high
151307	EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2021-2075)	Nessus	Huawei Local Security Checks	high
148700	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1210-1)	Nessus	SuSE Local Security Checks	high
148509	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1175-1)	Nessus	SuSE Local Security Checks	medium
147982	Ubuntu 20.04 LTS : Linux kernel (OEM) vulnerabilities (USN-4752-1)	Nessus	Ubuntu Local Security Checks	high
147690	EulerOS Virtualization 2.9.0 : kernel (EulerOS-SA-2021-1642)	Nessus	Huawei Local Security Checks	high
147591	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0735-1)	Nessus	SuSE Local Security Checks	high
147586	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0740-1)	Nessus	SuSE Local Security Checks	high
147579	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:0741-1)	Nessus	SuSE Local Security Checks	high
147568	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0736-1)	Nessus	SuSE Local Security Checks	high
147563	openSUSE Security Update : the Linux Kernel (openSUSE-2021-393)	Nessus	SuSE Local Security Checks	high
147512	EulerOS Virtualization 2.9.1 : kernel (EulerOS-SA-2021-1604)	Nessus	Huawei Local Security Checks	high
147464	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0737-1)	Nessus	SuSE Local Security Checks	high
144693	EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-1028)	Nessus	Huawei Local Security Checks	high
144687	EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-1009)	Nessus	Huawei Local Security Checks	high
144168	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-2514)	Nessus	Huawei Local Security Checks	medium

CVE-2020-29368

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

medium

high

high

high

high

high

high

high

high

high

high

high

medium