https://bugzilla.redhat.com/show_bug.cgi?id=1914719

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernel's implementation     of string matching within a packet. A privileged user     (with root or CAP_NET_ADMIN) when inserting iptables     rules could insert a rule which can panic the     system.(CVE-2021-20177)

  - rtw_wx_set_scan in     drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the     Linux kernel through 5.11.6 allows writing beyond the     end of the ->ssid[] array. NOTE: from the perspective     of kernel.org releases, CVE IDs are not normally used     for drivers/staging/* (unfinished work) however, system     integrators may have situations in which a     drivers/staging issue is relevant to their own customer     base.(CVE-2021-28660)

  - There is a flaw reported in     drivers/gpu/drm/nouveau/nouveau_sgdma.c in     nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The     issue results from the lack of validating the existence     of an object prior to performing operations on the     object. An attacker with a local account with a root     privilege, can leverage this vulnerability to escalate     privileges and execute code in the context of the     kernel.(CVE-2021-20292)

  - ntfs_read_locked_inode in the ntfs.ko filesystem driver     in the Linux kernel 4.15.0 allows attackers to trigger     a use-after-free read and possibly cause a denial of     service (kernel oops or panic) via a crafted ntfs     filesystem.(CVE-2018-12929)

  - In the Linux kernel 4.15.0, a NULL pointer dereference     was discovered in hfs_ext_read_extent in hfs.ko. This     can occur during a mount of a crafted hfs     filesystem.(CVE-2018-12928)

  - An issue was discovered in the Linux kernel through     5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an     iSCSI transport is registered with the iSCSI subsystem,     the transport's handle is available to unprivileged     users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)

  - An issue was discovered in the Linux kernel through     5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged     user to craft Netlink messages.(CVE-2021-27364)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - nbd_add_socket in drivers/block/nbd.c in the Linux     kernel through 5.10.12 has an ndb_queue_rq     use-after-free that could be triggered by local     attackers (with access to the nbd device) via an I/O     request at a certain point during device setup, aka     CID-b98e762e3d71.(CVE-2021-3348)

  - An issue was discovered in the Linux kernel through     5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute     code in the kernel, aka     CID-34b1a1ce1458.(CVE-2021-3347)

  - fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8,     when there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)

  - In tun_get_user of tun.c, there is possible memory     corruption due to a use after free. This could lead to     local escalation of privilege with System execution     privileges required. User interaction is not required     for exploitation.(CVE-2021-0342)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in the Linux kernel through     5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an     iSCSI transport is registered with the iSCSI subsystem,     the transport's handle is available to unprivileged     users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - An issue was discovered in the Linux kernel through     5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged     user to craft Netlink messages.(CVE-2021-27364)

  - Overlayfs did not properly perform permission checking     when copying up files in an overlayfs and could be     exploited from within a user namespace, if, for     example, unprivileged user namespaces were allowed. It     was possible to have a file not readable by an     unprivileged user to be copied to a mountpoint     controlled by the user, like a removable device. This     was introduced in kernel version 4.19 by commit d1d04ef     ('ovl: stack file ops'). This was fixed in kernel     version 5.8 by commits 56230d9 ('ovl: verify     permissions in ovl_path_open()'), 48bd024 ('ovl: switch     to mounter creds in readdir') and 05acefb ('ovl: check     permission to open real file'). Additionally, commits     130fdbc ('ovl: pass correct flags for opening real     directory') and 292f902 ('ovl: call secutiry hook in     ovl_real_ioctl()') in kernel 5.8 might also be desired     or necessary. These additional commits introduced a     regression in overlay mounts within user namespaces     which prevented access to files with ownership outside     of the user namespace. This regression was mitigated by     subsequent commit b6650da ('ovl: do not fail because of     O_NOATIMEi') in kernel 5.11.(CVE-2020-16120)

  - A flaw was found in the Linux kernel's implementation     of string matching within a packet. A privileged user     (with root or CAP_NET_ADMIN) when inserting iptables     rules could insert a rule which can panic the     system.(CVE-2021-20177)

  - fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8,     when there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)

  - nbd_add_socket in drivers/block/nbd.c in the Linux     kernel through 5.10.12 has an ndb_queue_rq     use-after-free that could be triggered by local     attackers (with access to the nbd device) via an I/O     request at a certain point during device setup, aka     CID-b98e762e3d71.(CVE-2021-3348)

  - An issue was discovered in the Linux kernel through     5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute     code in the kernel, aka     CID-34b1a1ce1458.(CVE-2021-3347)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernel's implementation     of string matching within a packet. A privileged user     (with root or CAP_NET_ADMIN) when inserting iptables     rules could insert a rule which can panic the     system.(CVE-2021-20177)

  - rtw_wx_set_scan in     drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the     Linux kernel through 5.11.6 allows writing beyond the     end of the ->ssid[] array. NOTE: from the perspective     of kernel.org releases, CVE IDs are not normally used     for drivers/staging/* (unfinished work) however, system     integrators may have situations in which a     drivers/staging issue is relevant to their own customer     base.(CVE-2021-28660)

  - There is a flaw reported in     drivers/gpu/drm/nouveau/nouveau_sgdma.c in     nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The     issue results from the lack of validating the existence     of an object prior to performing operations on the     object. An attacker with a local account with a root     privilege, can leverage this vulnerability to escalate     privileges and execute code in the context of the     kernel.(CVE-2021-20292)

  - ntfs_read_locked_inode in the ntfs.ko filesystem driver     in the Linux kernel 4.15.0 allows attackers to trigger     a use-after-free read and possibly cause a denial of     service (kernel oops or panic) via a crafted ntfs     filesystem.(CVE-2018-12929)

  - In the Linux kernel 4.15.0, a NULL pointer dereference     was discovered in hfs_ext_read_extent in hfs.ko. This     can occur during a mount of a crafted hfs     filesystem.(CVE-2018-12928)

  - An issue was discovered in the Linux kernel through     5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an     iSCSI transport is registered with the iSCSI subsystem,     the transport's handle is available to unprivileged     users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)

  - An issue was discovered in the Linux kernel through     5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged     user to craft Netlink messages.(CVE-2021-27364)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - nbd_add_socket in drivers/block/nbd.c in the Linux     kernel through 5.10.12 has an ndb_queue_rq     use-after-free that could be triggered by local     attackers (with access to the nbd device) via an I/O     request at a certain point during device setup, aka     CID-b98e762e3d71.(CVE-2021-3348)

  - An issue was discovered in the Linux kernel through     5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute     code in the kernel, aka     CID-34b1a1ce1458.(CVE-2021-3347)

  - fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8,     when there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)

  - In tun_get_user of tun.c, there is possible memory     corruption due to a use after free. This could lead to     local escalation of privilege with System execution     privileges required. User interaction is not required     for exploitation.(CVE-2021-0342)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in the Linux kernel through     5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an     iSCSI transport is registered with the iSCSI subsystem,     the transport's handle is available to unprivileged     users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - An issue was discovered in the Linux kernel through     5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged     user to craft Netlink messages.(CVE-2021-27364)

  - Overlayfs did not properly perform permission checking     when copying up files in an overlayfs and could be     exploited from within a user namespace, if, for     example, unprivileged user namespaces were allowed. It     was possible to have a file not readable by an     unprivileged user to be copied to a mountpoint     controlled by the user, like a removable device. This     was introduced in kernel version 4.19 by commit d1d04ef     ('ovl: stack file ops'). This was fixed in kernel     version 5.8 by commits 56230d9 ('ovl: verify     permissions in ovl_path_open()'), 48bd024 ('ovl: switch     to mounter creds in readdir') and 05acefb ('ovl: check     permission to open real file'). Additionally, commits     130fdbc ('ovl: pass correct flags for opening real     directory') and 292f902 ('ovl: call secutiry hook in     ovl_real_ioctl()') in kernel 5.8 might also be desired     or necessary. These additional commits introduced a     regression in overlay mounts within user namespaces     which prevented access to files with ownership outside     of the user namespace. This regression was mitigated by     subsequent commit b6650da ('ovl: do not fail because of     O_NOATIMEi') in kernel 5.11.(CVE-2020-16120)

  - A flaw was found in the Linux kernel's implementation     of string matching within a packet. A privileged user     (with root or CAP_NET_ADMIN) when inserting iptables     rules could insert a rule which can panic the     system.(CVE-2021-20177)

  - fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8,     when there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)

  - nbd_add_socket in drivers/block/nbd.c in the Linux     kernel through 5.10.12 has an ndb_queue_rq     use-after-free that could be triggered by local     attackers (with access to the nbd device) via an I/O     request at a certain point during device setup, aka     CID-b98e762e3d71.(CVE-2021-3348)

  - An issue was discovered in the Linux kernel through     5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute     code in the kernel, aka     CID-34b1a1ce1458.(CVE-2021-3347)

  - A flaw was found in the Linux kernel. The marvell wifi     driver could allow a local attacker to execute     arbitrary code via a long SSID value in     mwifiex_cmd_802_11_ad_hoc_start function. The highest     threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-36158)

  - A flaw was found in the Linux kernel's implementation     of the Linux SCSI target host, where an authenticated     attacker could write to any block on the exported SCSI     device backing store. This flaw allows an authenticated     attacker to send LIO block requests to the Linux system     to overwrite data on the backing store. The highest     threat from this vulnerability is to integrity. In     addition, this flaw affects the tcmu-runner package,     where the affected SCSI command is     called.(CVE-2020-28374)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in the Linux kernel through     5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an     iSCSI transport is registered with the iSCSI subsystem,     the transport's handle is available to unprivileged     users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - An issue was discovered in the Linux kernel through     5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged     user to craft Netlink messages.(CVE-2021-27364)

  - Overlayfs did not properly perform permission checking     when copying up files in an overlayfs and could be     exploited from within a user namespace, if, for     example, unprivileged user namespaces were allowed. It     was possible to have a file not readable by an     unprivileged user to be copied to a mountpoint     controlled by the user, like a removable device. This     was introduced in kernel version 4.19 by commit d1d04ef     ('ovl: stack file ops'). This was fixed in kernel     version 5.8 by commits 56230d9 ('ovl: verify     permissions in ovl_path_open()'), 48bd024 ('ovl: switch     to mounter creds in readdir') and 05acefb ('ovl: check     permission to open real file'). Additionally, commits     130fdbc ('ovl: pass correct flags for opening real     directory') and 292f902 ('ovl: call secutiry hook in     ovl_real_ioctl()') in kernel 5.8 might also be desired     or necessary. These additional commits introduced a     regression in overlay mounts within user namespaces     which prevented access to files with ownership outside     of the user namespace. This regression was mitigated by     subsequent commit b6650da ('ovl: do not fail because of     O_NOATIMEi') in kernel 5.11.(CVE-2020-16120)

  - A flaw was found in the Linux kernel's implementation     of string matching within a packet. A privileged user     (with root or CAP_NET_ADMIN) when inserting iptables     rules could insert a rule which can panic the     system.(CVE-2021-20177)

  - fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8,     when there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)

  - nbd_add_socket in drivers/block/nbd.c in the Linux     kernel through 5.10.12 has an ndb_queue_rq     use-after-free that could be triggered by local     attackers (with access to the nbd device) via an I/O     request at a certain point during device setup, aka     CID-b98e762e3d71.(CVE-2021-3348)

  - An issue was discovered in the Linux kernel through     5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute     code in the kernel, aka     CID-34b1a1ce1458.(CVE-2021-3347)

  - A flaw use after free in the Linux kernel TUN/TAP     device driver functionality was found in the way user     create and use tun/tap device. A local user could use     this flaw to crash the system or possibly escalate     their privileges on the system.(CVE-2021-0342)

  - A flaw was found in the Linux kernel. A use-after-free     memory flaw was found in the perf subsystem allowing a     local attacker with permission to monitor perf events     to corrupt memory and possibly escalate privileges. The     highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-14351)

  - A flaw was found in the Linux kernel's multi-touch     input system. An out-of-bounds write triggered by a     use-after-free issue could lead to memory corruption or     possible privilege escalation. The highest threat from     this vulnerability is to confidentiality, integrity, as     well as system availability.(CVE-2020-0465)

  - A NULL pointer dereference flaw was found in the Linux     kernel's GPU Nouveau driver functionality in the way     the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC.
    This flaw allows a local user to crash the     system.(CVE-2020-25639)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9038 advisory.

  - An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are     processing watch events using a single thread. If the events are received faster than the thread is able     to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the     backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable. (CVE-2020-29568)

  - An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux     kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped.
    However, the handler may not have time to run if the frontend quickly toggles between the states connect     and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving     guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege     escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.
    (CVE-2020-29569)

  - In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking     in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal     in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker     has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are     proxied via an attacker-selected backstore. (CVE-2020-28374)

  - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,     aka CID-c8bcd9c5be24. (CVE-2020-29660)

  - mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through     5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.
    (CVE-2020-36158)

  - A flaw was found in the Linux kernel's implementation of string matching within a packet. A privileged     user (with root or CAP_NET_ADMIN) when inserting iptables rules could insert a rule which can panic the     system. Kernel before kernel 5.5-rc1 is affected. (CVE-2021-20177)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9037 advisory.

  - An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are     processing watch events using a single thread. If the events are received faster than the thread is able     to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the     backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable. (CVE-2020-29568)

  - An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux     kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped.
    However, the handler may not have time to run if the frontend quickly toggles between the states connect     and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving     guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege     escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.
    (CVE-2020-29569)

  - In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking     in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal     in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker     has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are     proxied via an attacker-selected backstore. (CVE-2020-28374)

  - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,     aka CID-c8bcd9c5be24. (CVE-2020-29660)

  - mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through     5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.
    (CVE-2020-36158)

  - A flaw was found in the Linux kernel's implementation of string matching within a packet. A privileged     user (with root or CAP_NET_ADMIN) when inserting iptables rules could insert a rule which can panic the     system. Kernel before kernel 5.5-rc1 is affected. (CVE-2021-20177)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4750-1 advisory.

  - An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9.
    Local attackers on systems with the speakup driver could cause a local denial of service attack, aka     CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once.
    (CVE-2020-28941)

  - An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are     processing watch events using a single thread. If the events are received faster than the thread is able     to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the     backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable. (CVE-2020-29568)

  - An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux     kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped.
    However, the handler may not have time to run if the frontend quickly toggles between the states connect     and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving     guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege     escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.
    (CVE-2020-29569)

  - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,     aka CID-c8bcd9c5be24. (CVE-2020-29660)

  - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.
    (CVE-2020-29661)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2020-27815

A flaw was reported in the JFS filesystem code allowing a local attacker with the ability to set extended attributes to cause a denial of service.

CVE-2020-27825

Adam 'pi3' Zabrocki reported a use-after-free flaw in the ftrace ring buffer resizing logic due to a race condition, which could result in denial of service or information leak.

CVE-2020-27830

Shisong Qin reported a NULL pointer dereference flaw in the Speakup screen reader core driver.

CVE-2020-28374

David Disseldorp discovered that the LIO SCSI target implementation performed insufficient checking in certain XCOPY requests. An attacker with access to a LUN and knowledge of Unit Serial Number assignments can take advantage of this flaw to read and write to any LIO backstore, regardless of the SCSI transport settings.

CVE-2020-29568 (XSA-349)

Michael Kurth and Pawel Wieczorkiewicz reported that frontends can trigger OOM in backends by updating a watched path.

CVE-2020-29569 (XSA-350)

Olivier Benjamin and Pawel Wieczorkiewicz reported a use-after-free flaw which can be triggered by a block frontend in Linux blkback. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend.

CVE-2020-29660

Jann Horn reported a locking inconsistency issue in the tty subsystem which may allow a local attacker to mount a read-after-free attack against TIOCGSID.

CVE-2020-29661

Jann Horn reported a locking issue in the tty subsystem which can result in a use-after-free. A local attacker can take advantage of this flaw for memory corruption or privilege escalation.

CVE-2020-36158

A buffer overflow flaw was discovered in the mwifiex WiFi driver which could result in denial of service or the execution of arbitrary code via a long SSID value.

CVE-2021-3347

It was discovered that PI futexes have a kernel stack use-after-free during fault handling. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation.

CVE-2021-20177

A flaw was discovered in the Linux implementation of string matching within a packet. A privileged user (with root or CAP_NET_ADMIN) can take advantage of this flaw to cause a kernel panic when inserting iptables rules.

For Debian 9 stretch, these problems have been fixed in version 4.19.171-2~deb9u1.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux-4.19

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP2 realtime kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-25211: Fixed a flaw where a local attacker was able to inject conntrack netlink configuration that could cause a denial of service or trigger the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter (bnc#1176395).

CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-25211: Fixed a flaw where a local attacker was able to inject conntrack netlink configuration that could cause a denial of service or trigger the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter (bnc#1176395).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-36158: Fixed an issue wich might have allowed a remote attackers to execute arbitrary code via a long SSID value in mwifiex_cmd_802_11_ad_hoc_start() (bnc#1180559).

CVE-2020-28374: Fixed a vulnerability caused by insufficient identifier checking in the LIO SCSI target code. This could have been used by a remote attackers to read or write files via directory traversal in an XCOPY request (bnc#1178372).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).

CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-25211: Fixed a flaw where a local attacker was able to inject conntrack netlink configuration that could cause a denial of service or trigger the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter (bnc#1176395).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2020-27815     A flaw was reported in the JFS filesystem code allowing     a local attacker with the ability to set extended     attributes to cause a denial of service.

  - CVE-2020-27825     Adam 'pi3' Zabrocki reported a use-after-free flaw in     the ftrace ring buffer resizing logic due to a race     condition, which could result in denial of service or     information leak.

  - CVE-2020-27830     Shisong Qin reported a NULL pointer dereference flaw in     the Speakup screen reader core driver.

  - CVE-2020-28374     David Disseldorp discovered that the LIO SCSI target     implementation performed insufficient checking in     certain XCOPY requests. An attacker with access to a LUN     and knowledge of Unit Serial Number assignments can take     advantage of this flaw to read and write to any LIO     backstore, regardless of the SCSI transport settings.

  - CVE-2020-29568 (XSA-349)     Michael Kurth and Pawel Wieczorkiewicz reported that     frontends can trigger OOM in backends by updating a     watched path.

  - CVE-2020-29569 (XSA-350)     Olivier Benjamin and Pawel Wieczorkiewicz reported a     use-after-free flaw which can be triggered by a block     frontend in Linux blkback. A misbehaving guest can     trigger a dom0 crash by continuously connecting /     disconnecting a block frontend.

  - CVE-2020-29660     Jann Horn reported a locking inconsistency issue in the     tty subsystem which may allow a local attacker to mount     a read-after-free attack against TIOCGSID.

  - CVE-2020-29661     Jann Horn reported a locking issue in the tty subsystem     which can result in a use-after-free. A local attacker     can take advantage of this flaw for memory corruption or     privilege escalation.

  - CVE-2020-36158     A buffer overflow flaw was discovered in the mwifiex     WiFi driver which could result in denial of service or     the execution of arbitrary code via a long SSID value.

  - CVE-2021-3347     It was discovered that PI futexes have a kernel stack     use-after-free during fault handling. An unprivileged     user could use this flaw to crash the kernel (resulting     in denial of service) or for privilege escalation.

  - CVE-2021-20177     A flaw was discovered in the Linux implementation of     string matching within a packet. A privileged user (with     root or CAP_NET_ADMIN) can take advantage of this flaw     to cause a kernel panic when inserting iptables rules.

ID	Name	Product	Family	Severity
151167	EulerOS Virtualization for ARM 64 3.0.6.0 : kernel (EulerOS-SA-2021-2002)	Nessus	Huawei Local Security Checks	high
150213	EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-1950)	Nessus	Huawei Local Security Checks	high
149607	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2021-1879)	Nessus	Huawei Local Security Checks	high
148634	EulerOS Virtualization 2.9.1 : kernel (EulerOS-SA-2021-1715)	Nessus	Huawei Local Security Checks	high
148604	EulerOS Virtualization 2.9.0 : kernel (EulerOS-SA-2021-1751)	Nessus	Huawei Local Security Checks	high
148550	Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2021-9038)	Nessus	Oracle Linux Local Security Checks	medium
148549	Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2021-9037)	Nessus	Oracle Linux Local Security Checks	medium
148009	Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-4750-1)	Nessus	Ubuntu Local Security Checks	high
146685	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0532-1)	Nessus	SuSE Local Security Checks	high
146512	Debian DLA-2557-1 : linux-4.19 security update	Nessus	Debian Local Security Checks	high
146406	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0427-1)	Nessus	SuSE Local Security Checks	high
146366	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:0354-1)	Nessus	SuSE Local Security Checks	high
146362	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0348-1)	Nessus	SuSE Local Security Checks	high
146359	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0353-1)	Nessus	SuSE Local Security Checks	high
146293	openSUSE Security Update : the Linux Kernel (openSUSE-2021-241)	Nessus	SuSE Local Security Checks	high
146052	Debian DSA-4843-1 : linux - security update	Nessus	Debian Local Security Checks	high

CVE-2021-20177

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

medium

medium

high

high

high

high

high

high

high

high

high