https://source.android.com/security/bulletin/pixel/2021-01-01

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernel's implementation     of string matching within a packet. A privileged user     (with root or CAP_NET_ADMIN) when inserting iptables     rules could insert a rule which can panic the     system.(CVE-2021-20177)

  - rtw_wx_set_scan in     drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the     Linux kernel through 5.11.6 allows writing beyond the     end of the ->ssid[] array. NOTE: from the perspective     of kernel.org releases, CVE IDs are not normally used     for drivers/staging/* (unfinished work) however, system     integrators may have situations in which a     drivers/staging issue is relevant to their own customer     base.(CVE-2021-28660)

  - There is a flaw reported in     drivers/gpu/drm/nouveau/nouveau_sgdma.c in     nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The     issue results from the lack of validating the existence     of an object prior to performing operations on the     object. An attacker with a local account with a root     privilege, can leverage this vulnerability to escalate     privileges and execute code in the context of the     kernel.(CVE-2021-20292)

  - ntfs_read_locked_inode in the ntfs.ko filesystem driver     in the Linux kernel 4.15.0 allows attackers to trigger     a use-after-free read and possibly cause a denial of     service (kernel oops or panic) via a crafted ntfs     filesystem.(CVE-2018-12929)

  - In the Linux kernel 4.15.0, a NULL pointer dereference     was discovered in hfs_ext_read_extent in hfs.ko. This     can occur during a mount of a crafted hfs     filesystem.(CVE-2018-12928)

  - An issue was discovered in the Linux kernel through     5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an     iSCSI transport is registered with the iSCSI subsystem,     the transport's handle is available to unprivileged     users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)

  - An issue was discovered in the Linux kernel through     5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged     user to craft Netlink messages.(CVE-2021-27364)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - nbd_add_socket in drivers/block/nbd.c in the Linux     kernel through 5.10.12 has an ndb_queue_rq     use-after-free that could be triggered by local     attackers (with access to the nbd device) via an I/O     request at a certain point during device setup, aka     CID-b98e762e3d71.(CVE-2021-3348)

  - An issue was discovered in the Linux kernel through     5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute     code in the kernel, aka     CID-34b1a1ce1458.(CVE-2021-3347)

  - fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8,     when there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)

  - In tun_get_user of tun.c, there is possible memory     corruption due to a use after free. This could lead to     local escalation of privilege with System execution     privileges required. User interaction is not required     for exploitation.(CVE-2021-0342)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-1578 advisory.

  - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB     device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. (CVE-2019-19523)

  - An issue was discovered in the Linux kernel before 5.6.1. drivers/media/usb/gspca/ov519.c allows NULL     pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints, aka     CID-998912346c0d. (CVE-2020-11608)

  - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB     device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d. (CVE-2019-19528)

  - usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because     a transfer occurs without a reference, aka CID-056ad39ee925. (CVE-2020-12464)

  - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new     filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the     current umask is not considered. (CVE-2020-24394)

  - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before     4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a     denial of service (panic) by corrupting a mountpoint reference counter. (CVE-2020-12114)

  - A flaw null pointer dereference in the Linux kernel cgroupv2 subsystem in versions before 5.7.10 was found     in the way when reboot the system. A local user could use this flaw to crash the system or escalate their     privileges on the system. (CVE-2020-14356)

  - A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption     and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause     the system to crash or cause a denial of service. The highest threat from this vulnerability is to data     confidentiality and integrity as well as system availability. (CVE-2020-25643)

  - A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using     PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of     service. (CVE-2020-25704)

  - A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to     read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height. (CVE-2020-28974)

  - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file     system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash     the system if the directory exists. The highest threat from this vulnerability is to system availability.
    (CVE-2020-14314)

  - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers     to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)

  - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap     rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)

  - A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified     other impact, aka CID-17743798d812. (CVE-2020-25285)

  - A flaw possibility of race condition and incorrect initialization of the process id was found in the Linux     kernel child/parent process identification handling while filtering signal handlers. A local attacker is     able to abuse this flaw to bypass checks to send any signal to a privileged process. (CVE-2020-35508)

  - A memory leak in the sof_set_get_large_ctrl_data() function in sound/soc/sof/ipc.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering     sof_get_ctrl_copy_params() failures, aka CID-45c1380358b1. (CVE-2019-18811)

  - The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init_ports() that allows local users to cause a denial     of service by using the p->serial_in pointer which uninitialized. (CVE-2020-15437)

  - A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the     way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system.
    (CVE-2020-27835)

  - Integer overflow in the firmware for some Intel(R) Graphics Drivers for Windows * before version     26.20.100.7212 and before Linux kernel version 5.5 may allow a privileged user to potentially enable an     escalation of privilege via local access. (CVE-2020-12362)

  - An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka     CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system     crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as     CVE-2021-28950. (CVE-2020-36322)

  - In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to     local escalation of privilege with System execution privileges required. User interaction is not required     for exploitation. Product: Android; Versions: Android kernel; Android ID: A-146554327. (CVE-2021-0342)

  - In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This     could lead to local escalation of privilege with no additional execution privileges needed. User     interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-144161459     (CVE-2020-0431)

  - A flaw was found in the Linux kernels implementation of MIDI, where an attacker with a local account and     the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to     this specific memory while freed and before use causes the flow of execution to change and possibly allow     for memory corruption or privilege escalation. The highest threat from this vulnerability is to     confidentiality, integrity, as well as system availability. (CVE-2020-27786)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:1578 advisory.

  - kernel: memory leak in sof_set_get_large_ctrl_data() function in sound/soc/sof/ipc.c (CVE-2019-18811)

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver     (CVE-2019-19523)

  - kernel: use-after-free bug caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver     (CVE-2019-19528)

  - kernel: possible out of bounds write in kbd_keycode of keyboard.c (CVE-2020-0431)

  - kernel: NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs in     drivers/media/usb/gspca/ov519.c (CVE-2020-11608)

  - kernel: DoS by corrupting mountpoint reference counter (CVE-2020-12114)

  - kernel: Integer overflow in Intel(R) Graphics Drivers (CVE-2020-12362)

  - kernel: use-after-free in usb_sg_cancel function in drivers/usb/core/message.c (CVE-2020-12464)

  - kernel: buffer uses out of index in ext3/4 filesystem (CVE-2020-14314)

  - kernel: Use After Free vulnerability in cgroup BPF component (CVE-2020-14356)

  - kernel: NULL pointer dereference in serial8250_isa_init_ports function in     drivers/tty/serial/8250/8250_core.c (CVE-2020-15437)

  - kernel: umask not applied on filesystem without ACL support (CVE-2020-24394)

  - kernel: TOCTOU mismatch in the NFS client code (CVE-2020-25212)

  - kernel: incomplete permission checking for access to rbd devices (CVE-2020-25284)

  - kernel: race condition between hugetlb sysctl handlers in mm/hugetlb.c (CVE-2020-25285)

  - kernel: improper input validation in ppp_cp_parse_cr function leads to memory corruption and read overflow     (CVE-2020-25643)

  - kernel: perf_event_parse_addr_filter memory (CVE-2020-25704)

  - kernel: use-after-free in kernel midi subsystem (CVE-2020-27786)

  - kernel: child process is able to access parent mm through hfi dev file handle (CVE-2020-27835)

  - kernel: slab-out-of-bounds read in fbcon (CVE-2020-28974)

  - kernel: fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent (CVE-2020-35508)

  - kernel: fuse: fuse_do_getattr() calls make_bad_inode() in inappropriate situations (CVE-2020-36322)

  - kernel: use after free in tun_get_user of tun.c could lead to local escalation of privilege     (CVE-2021-0342)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1578 advisory.

  - kernel: memory leak in sof_set_get_large_ctrl_data() function in sound/soc/sof/ipc.c (CVE-2019-18811)

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver     (CVE-2019-19523)

  - kernel: use-after-free bug caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver     (CVE-2019-19528)

  - kernel: possible out of bounds write in kbd_keycode of keyboard.c (CVE-2020-0431)

  - kernel: NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs in     drivers/media/usb/gspca/ov519.c (CVE-2020-11608)

  - kernel: DoS by corrupting mountpoint reference counter (CVE-2020-12114)

  - kernel: Integer overflow in Intel(R) Graphics Drivers (CVE-2020-12362)

  - kernel: Improper input validation in some Intel(R) Graphics Drivers (CVE-2020-12363)

  - kernel: Null pointer dereference in some Intel(R) Graphics Drivers (CVE-2020-12364)

  - kernel: use-after-free in usb_sg_cancel function in drivers/usb/core/message.c (CVE-2020-12464)

  - kernel: buffer uses out of index in ext3/4 filesystem (CVE-2020-14314)

  - kernel: Use After Free vulnerability in cgroup BPF component (CVE-2020-14356)

  - kernel: NULL pointer dereference in serial8250_isa_init_ports function in     drivers/tty/serial/8250/8250_core.c (CVE-2020-15437)

  - kernel: umask not applied on filesystem without ACL support (CVE-2020-24394)

  - kernel: TOCTOU mismatch in the NFS client code (CVE-2020-25212)

  - kernel: incomplete permission checking for access to rbd devices (CVE-2020-25284)

  - kernel: race condition between hugetlb sysctl handlers in mm/hugetlb.c (CVE-2020-25285)

  - kernel: improper input validation in ppp_cp_parse_cr function leads to memory corruption and read overflow     (CVE-2020-25643)

  - kernel: perf_event_parse_addr_filter memory (CVE-2020-25704)

  - kernel: use-after-free in kernel midi subsystem (CVE-2020-27786)

  - kernel: child process is able to access parent mm through hfi dev file handle (CVE-2020-27835)

  - kernel: slab-out-of-bounds read in fbcon (CVE-2020-28974)

  - kernel: fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent (CVE-2020-35508)

  - kernel: fuse: fuse_do_getattr() calls make_bad_inode() in inappropriate situations (CVE-2020-36322)

  - kernel: use after free in tun_get_user of tun.c could lead to local escalation of privilege     (CVE-2021-0342)

  - kernel: In pfkey_dump() dplen and splen can both be specified to access the xfrm_address_t structure out     of bounds (CVE-2021-0605)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1739 advisory.

  - kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver     (CVE-2019-19523)

  - kernel: use-after-free bug caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver     (CVE-2019-19528)

  - kernel: possible out of bounds write in kbd_keycode of keyboard.c (CVE-2020-0431)

  - kernel: NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs in     drivers/media/usb/gspca/ov519.c (CVE-2020-11608)

  - kernel: DoS by corrupting mountpoint reference counter (CVE-2020-12114)

  - kernel: Integer overflow in Intel(R) Graphics Drivers (CVE-2020-12362)

  - kernel: Improper input validation in some Intel(R) Graphics Drivers (CVE-2020-12363)

  - kernel: Null pointer dereference in some Intel(R) Graphics Drivers (CVE-2020-12364)

  - kernel: use-after-free in usb_sg_cancel function in drivers/usb/core/message.c (CVE-2020-12464)

  - kernel: buffer uses out of index in ext3/4 filesystem (CVE-2020-14314)

  - kernel: Use After Free vulnerability in cgroup BPF component (CVE-2020-14356)

  - kernel: NULL pointer dereference in serial8250_isa_init_ports function in     drivers/tty/serial/8250/8250_core.c (CVE-2020-15437)

  - kernel: umask not applied on filesystem without ACL support (CVE-2020-24394)

  - kernel: TOCTOU mismatch in the NFS client code (CVE-2020-25212)

  - kernel: incomplete permission checking for access to rbd devices (CVE-2020-25284)

  - kernel: race condition between hugetlb sysctl handlers in mm/hugetlb.c (CVE-2020-25285)

  - kernel: improper input validation in ppp_cp_parse_cr function leads to memory corruption and read overflow     (CVE-2020-25643)

  - kernel: perf_event_parse_addr_filter memory (CVE-2020-25704)

  - kernel: use-after-free in kernel midi subsystem (CVE-2020-27786)

  - kernel: child process is able to access parent mm through hfi dev file handle (CVE-2020-27835)

  - kernel: slab-out-of-bounds read in fbcon (CVE-2020-28974)

  - kernel: fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent (CVE-2020-35508)

  - kernel: use after free in tun_get_user of tun.c could lead to local escalation of privilege     (CVE-2021-0342)

  - kernel: In pfkey_dump() dplen and splen can both be specified to access the xfrm_address_t structure out     of bounds (CVE-2021-0605)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernel's implementation     of string matching within a packet. A privileged user     (with root or CAP_NET_ADMIN) when inserting iptables     rules could insert a rule which can panic the     system.(CVE-2021-20177)

  - rtw_wx_set_scan in     drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the     Linux kernel through 5.11.6 allows writing beyond the     end of the ->ssid[] array. NOTE: from the perspective     of kernel.org releases, CVE IDs are not normally used     for drivers/staging/* (unfinished work) however, system     integrators may have situations in which a     drivers/staging issue is relevant to their own customer     base.(CVE-2021-28660)

  - There is a flaw reported in     drivers/gpu/drm/nouveau/nouveau_sgdma.c in     nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The     issue results from the lack of validating the existence     of an object prior to performing operations on the     object. An attacker with a local account with a root     privilege, can leverage this vulnerability to escalate     privileges and execute code in the context of the     kernel.(CVE-2021-20292)

  - ntfs_read_locked_inode in the ntfs.ko filesystem driver     in the Linux kernel 4.15.0 allows attackers to trigger     a use-after-free read and possibly cause a denial of     service (kernel oops or panic) via a crafted ntfs     filesystem.(CVE-2018-12929)

  - In the Linux kernel 4.15.0, a NULL pointer dereference     was discovered in hfs_ext_read_extent in hfs.ko. This     can occur during a mount of a crafted hfs     filesystem.(CVE-2018-12928)

  - An issue was discovered in the Linux kernel through     5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an     iSCSI transport is registered with the iSCSI subsystem,     the transport's handle is available to unprivileged     users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)

  - An issue was discovered in the Linux kernel through     5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged     user to craft Netlink messages.(CVE-2021-27364)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - nbd_add_socket in drivers/block/nbd.c in the Linux     kernel through 5.10.12 has an ndb_queue_rq     use-after-free that could be triggered by local     attackers (with access to the nbd device) via an I/O     request at a certain point during device setup, aka     CID-b98e762e3d71.(CVE-2021-3348)

  - An issue was discovered in the Linux kernel through     5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute     code in the kernel, aka     CID-34b1a1ce1458.(CVE-2021-3347)

  - fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8,     when there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)

  - In tun_get_user of tun.c, there is possible memory     corruption due to a use after free. This could lead to     local escalation of privilege with System execution     privileges required. User interaction is not required     for exploitation.(CVE-2021-0342)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in the Linux kernel through     5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an     iSCSI transport is registered with the iSCSI subsystem,     the transport's handle is available to unprivileged     users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - An issue was discovered in the Linux kernel through     5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged     user to craft Netlink messages.(CVE-2021-27364)

  - Overlayfs did not properly perform permission checking     when copying up files in an overlayfs and could be     exploited from within a user namespace, if, for     example, unprivileged user namespaces were allowed. It     was possible to have a file not readable by an     unprivileged user to be copied to a mountpoint     controlled by the user, like a removable device. This     was introduced in kernel version 4.19 by commit d1d04ef     ('ovl: stack file ops'). This was fixed in kernel     version 5.8 by commits 56230d9 ('ovl: verify     permissions in ovl_path_open()'), 48bd024 ('ovl: switch     to mounter creds in readdir') and 05acefb ('ovl: check     permission to open real file'). Additionally, commits     130fdbc ('ovl: pass correct flags for opening real     directory') and 292f902 ('ovl: call secutiry hook in     ovl_real_ioctl()') in kernel 5.8 might also be desired     or necessary. These additional commits introduced a     regression in overlay mounts within user namespaces     which prevented access to files with ownership outside     of the user namespace. This regression was mitigated by     subsequent commit b6650da ('ovl: do not fail because of     O_NOATIMEi') in kernel 5.11.(CVE-2020-16120)

  - A flaw was found in the Linux kernel's implementation     of string matching within a packet. A privileged user     (with root or CAP_NET_ADMIN) when inserting iptables     rules could insert a rule which can panic the     system.(CVE-2021-20177)

  - fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8,     when there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)

  - nbd_add_socket in drivers/block/nbd.c in the Linux     kernel through 5.10.12 has an ndb_queue_rq     use-after-free that could be triggered by local     attackers (with access to the nbd device) via an I/O     request at a certain point during device setup, aka     CID-b98e762e3d71.(CVE-2021-3348)

  - An issue was discovered in the Linux kernel through     5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute     code in the kernel, aka     CID-34b1a1ce1458.(CVE-2021-3347)

  - A flaw use after free in the Linux kernel TUN/TAP     device driver functionality was found in the way user     create and use tun/tap device. A local user could use     this flaw to crash the system or possibly escalate     their privileges on the system.(CVE-2021-0342)

  - A flaw was found in the Linux kernel. A use-after-free     memory flaw was found in the perf subsystem allowing a     local attacker with permission to monitor perf events     to corrupt memory and possibly escalate privileges. The     highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-14351)

  - A flaw was found in the Linux kernel's multi-touch     input system. An out-of-bounds write triggered by a     use-after-free issue could lead to memory corruption or     possible privilege escalation. The highest threat from     this vulnerability is to confidentiality, integrity, as     well as system availability.(CVE-2020-0465)

  - A NULL pointer dereference flaw was found in the Linux     kernel's GPU Nouveau driver functionality in the way     the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC.
    This flaw allows a local user to crash the     system.(CVE-2020-25639)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A locking inconsistency issue was discovered in the tty     subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may     allow a read-after-free attack against TIOCGSID, aka     CID-c8bcd9c5be24.(CVE-2020-29660)

  - A locking vulnerability was found in the tty subsystem     of the Linux kernel in drivers/tty/tty_jobctrl.c. This     flaw allows a local attacker to possibly corrupt memory     or escalate privileges. The highest threat from this     vulnerability is to confidentiality, integrity, as well     as system availability.(CVE-2020-29661)

  - The Linux kernel is the kernel used by the open source     operating system Linux released by the Linux     Foundation. The Linux kernel con_font_op() has a code     problem vulnerability, which can force the use of freed     memory, resulting in denial of service or execution of     custom code.(CVE-2020-25668 CVE-2020-4788     CVE-2020-27830)

  - A flaw was found in the Linux kernel's implementation     of MIDI, where an attacker with a local account and the     permissions to issue ioctl commands to midi devices     could trigger a use-after-free issue. A write to this     specific memory while freed and before use causes the     flow of execution to change and possibly allow for     memory corruption or privilege escalation. The highest     threat from this vulnerability is to confidentiality,     integrity, as well as system (CVE-2020-27786)

  - In various methods of hid-multitouch.c, there is a     possible out of bounds write due to a missing bounds     check. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-162844689References: Upstream kernel(CVE-2020-0465)

  - In the nl80211_policy policy of nl80211.c, there is a     possible out of bounds read due to a missing bounds     check. This could lead to local information disclosure     with System execution privileges needed. User     interaction is not required for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-119770583(CVE-2020-27068)

  - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c,     there is a possible use after free due to a logic     error. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-147802478References: Upstream kernel(CVE-2020-0466)

  - In audit_free_lsm_field of auditfilter.c, there is a     possible bad kfree due to a logic error in     audit_data_to_entry. This could lead to local     escalation of privilege with no additional execution     privileges needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-150693166References: Upstream     kernel(CVE-2020-0444)

  - No description is available for this     CVE.(CVE-2020-27815)

  - A flaw was found in the Linux kernel. The marvell wifi     driver could allow a local attacker to execute     arbitrary code via a long SSID value in     mwifiex_cmd_802_11_ad_hoc_start function. The highest     threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-36158)

  - In create_pinctrl of core.c, there is a possible out of     bounds read due to a use after free. This could lead to     local information disclosure with no additional     execution privileges needed. User interaction is not     needed for exploitation.Product: AndroidVersions:
    Android kernelAndroid ID: A-140550171(CVE-2020-0427)

  - In binder_release_work of binder.c, there is a possible     use-after-free due to improper locking. This could lead     to local escalation of privilege in the kernel with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-161151868References: N/A(CVE-2020-0423)

  - In drivers/target/target_core_xcopy.c in the Linux     kernel before 5.10.7, insufficient identifier checking     in the LIO SCSI target code can be used by remote     attackers to read or write files via directory     traversal in an XCOPY request, aka CID-2896c93811e3.
    For example, an attack can occur over a network if the     attacker has access to one iSCSI LUN. The attacker     gains control over file access because I/O operations     are proxied via an attacker-selected     backstore.(CVE-2020-28374)

  - A flaw in the way reply ICMP packets are limited in the     Linux kernel functionality was found that allows to     quickly scan open UDP ports. This flaw allows an     off-path remote user to effectively bypassing source     port UDP randomization. The highest threat from this     vulnerability is to confidentiality and possibly     integrity, because software that relies on UDP source     port randomization are indirectly affected as well.
    Kernel versions before 5.10 may be vulnerable to this     issue.(CVE-2020-25705)

  - Insufficient access control in the Linux kernel driver     for some Intel(R) Processors may allow an authenticated     user to potentially enable information disclosure via     local access.(CVE-2020-8694)

  - A flaw was found in the Linux kernel's futex     implementation. This flaw allows a local attacker to     corrupt system memory or escalate their privileges when     creating a futex on a filesystem that is about to be     unmounted. The highest threat from this vulnerability     is to confidentiality, integrity, as well as system     availability.(CVE-2020-14381)

  - In tun_get_user of tun.c, there is possible memory     corruption due to a use after free. This could lead to     local escalation of privilege with System execution     privileges required. User interaction is not required     for exploitation. Product: Android Versions: Android     kernel Android ID: A-146554327.(CVE-2021-0342)

  - A flaw was found in the Linux kernel. A use-after-free     memory flaw in the Fast Userspace Mutexes functionality     allowing a local user to crash the system or escalate     their privileges on the system. The highest threat from     this vulnerability is to data confidentiality and     integrity as well as system     availability.(CVE-2021-3347)

  - A use after free flaw in the Linux kernel network block     device (NBD) subsystem was found in the way user calls     an ioctl NBD_SET_SOCK at a certain point during device     setup.(CVE-2021-3348)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP2 realtime kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-25211: Fixed a flaw where a local attacker was able to inject conntrack netlink configuration that could cause a denial of service or trigger the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter (bnc#1176395).

CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-25211: Fixed a flaw where a local attacker was able to inject conntrack netlink configuration that could cause a denial of service or trigger the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter (bnc#1176395).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-36158: Fixed an issue wich might have allowed a remote attackers to execute arbitrary code via a long SSID value in mwifiex_cmd_802_11_ad_hoc_start() (bnc#1180559).

CVE-2020-28374: Fixed a vulnerability caused by insufficient identifier checking in the LIO SCSI target code. This could have been used by a remote attackers to read or write files via directory traversal in an XCOPY request (bnc#1178372).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-25211: Fixed a flaw where a local attacker was able to inject conntrack netlink configuration that could cause a denial of service or trigger the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter (bnc#1176395).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In drivers/target/target_core_xcopy.c in the Linux     kernel before 5.10.7, insufficient identifier checking     in the LIO SCSI target code can be used by remote     attackers to read or write files via directory     traversal in an XCOPY request, aka CID-2896c93811e3.
    For example, an attack can occur over a network if the     attacker has access to one iSCSI LUN. The attacker     gains control over file access because I/O operations     are proxied via an attacker-selected     backstore.(CVE-2020-28374)

  - mwifiex_cmd_802_11_ad_hoc_start in     drivers/net/wireless/marvell/mwifiex/join.c in the     Linux kernel through 5.10.4 might allow remote     attackers to execute arbitrary code via a long SSID     value, aka CID-5c455c5ab332.(CVE-2020-36158)

  - In tun_get_user of tun.c, there is possible memory     corruption due to a use after free. This could lead to     local escalation of privilege with System execution     privileges required. User interaction is not required     for exploitation. (CVE-2021-0342)

  - A flaw was found in the Linux kernel. A use-after-free     memory flaw was found in the perf subsystem allowing a     local attacker with permission to monitor perf events     to corrupt memory and possibly escalate privileges. The     highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability. (CVE-2020-14351)

  - fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8,     when there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
151167	EulerOS Virtualization for ARM 64 3.0.6.0 : kernel (EulerOS-SA-2021-2002)	Nessus	Huawei Local Security Checks	high
149914	Oracle Linux 8 : kernel (ELSA-2021-1578)	Nessus	Oracle Linux Local Security Checks	high
149874	CentOS 8 : kernel (CESA-2021:1578)	Nessus	CentOS Local Security Checks	high
149670	RHEL 8 : kernel (RHSA-2021:1578)	Nessus	Red Hat Local Security Checks	high
149660	RHEL 8 : kernel-rt (RHSA-2021:1739)	Nessus	Red Hat Local Security Checks	high
149607	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2021-1879)	Nessus	Huawei Local Security Checks	high
148604	EulerOS Virtualization 2.9.0 : kernel (EulerOS-SA-2021-1751)	Nessus	Huawei Local Security Checks	high
147588	EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2021-1386)	Nessus	Huawei Local Security Checks	high
146685	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0532-1)	Nessus	SuSE Local Security Checks	high
146406	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0427-1)	Nessus	SuSE Local Security Checks	high
146366	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:0354-1)	Nessus	SuSE Local Security Checks	high
146362	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0348-1)	Nessus	SuSE Local Security Checks	high
146359	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0353-1)	Nessus	SuSE Local Security Checks	high
146293	openSUSE Security Update : the Linux Kernel (openSUSE-2021-241)	Nessus	SuSE Local Security Checks	high
146261	EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-1265)	Nessus	Huawei Local Security Checks	medium

CVE-2021-0342

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

medium