https://bugzilla.redhat.com/show_bug.cgi?id=1932150

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a0c80efe5956ccce9fe7ae5c78542578c07bc20a

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c,     there is a possible use after free due to a logic     error. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2020-0466)

  - fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8,     when there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)

  - An issue was discovered in the Linux kernel through     5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an     iSCSI transport is registered with the iSCSI subsystem,     the transport's handle is available to unprivileged     users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)

  - An issue was discovered in the Linux kernel through     5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged     user to craft Netlink messages.(CVE-2021-27364)

  - A race condition was found in the Linux kernels     implementation of the floppy disk drive controller     driver software. The impact of this issue is lessened     by the fact that the default permissions on the floppy     device (/dev/fd0) are restricted to root. If the     permissions on the device have changed the impact     changes greatly. In the default configuration root (or     equivalent) permissions are required to attack this     flaw.(CVE-2021-20261)

  - In fs/ocfs2/cluster/nodemanager.c in the Linux kernel     before 4.15, local users can cause a denial of service     (NULL pointer dereference and BUG) because a required     mutex is not used.(CVE-2017-18216)

  - The omninet_open function in     drivers/usb/serial/omninet.c in the Linux kernel before     4.10.4 allows local users to cause a denial of service     (tty exhaustion) by leveraging reference count     mishandling.(CVE-2017-8925)

  - A flaw was found in the way memory resources were freed     in the unix_stream_recvmsg function in the Linux kernel     when a signal was pending. This flaw allows an     unprivileged local user to crash the system by     exhausting available memory. The highest threat from     this vulnerability is to system     availability.(CVE-2021-20265)

  - A flaw was found in the JFS filesystem code in the     Linux Kernel which allows a local attacker with the     ability to set extended attributes to panic the system,     causing memory corruption or escalating privileges. The     highest threat from this vulnerability is to     confidentiality, integrity, as well as system     availability.(CVE-2020-27815)

  - An out-of-bounds (OOB) memory access flaw was found in     x25_bind in net/x25/af_x25.c in the Linux kernel     version v5.12-rc5. A bounds check failure allows a     local attacker with a user account on the system to     gain access to out-of-bounds memory, leading to a     system crash or a leak of internal kernel information.
    The highest threat from this vulnerability is to     confidentiality, integrity, as well as system     availability.(CVE-2020-35519)

  - There is a flaw reported in the Linux kernel in     versions before 5.9 in     drivers/gpu/drm/nouveau/nouveau_sgdma.c in     nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The     issue results from the lack of validating the existence     of an object prior to performing operations on the     object. An attacker with a local account with a root     privilege, can leverage this vulnerability to escalate     privileges and execute code in the context of the     kernel.(CVE-2021-20292)

  - In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux     kernel through 5.11.8, the RPA PCI Hotplug driver has a     user-tolerable buffer overflow when writing a new     device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame     directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination,     aka CID-cc7a0bb058b8.(CVE-2021-28972)

  - A race condition was discovered in get_old_root in     fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It     allows attackers to cause a denial of service (BUG)     because of a lack of locking on an extent buffer before     a cloning operation, aka     CID-dbcc7d57bffc.(CVE-2021-28964)

  - An issue was discovered in the Linux kernel before     5.11.7. usbip_sockfd_store in     drivers/usb/usbip/stub_dev.c allows attackers to cause     a denial of service (GPF) because the stub-up sequence     has race conditions during an update of the local and     shared status, aka CID-9380afd6df70.(CVE-2021-29265)

  - BPF JIT compilers in the Linux kernel through 5.11.12     have incorrect computation of branch displacements,     allowing them to execute arbitrary code within the     kernel context. This affects     arch/x86/net/bpf_jit_comp.c and     arch/x86/net/bpf_jit_comp32.c.(CVE-2021-29154)

  - The KVM implementation in the Linux kernel through     4.14.7 allows attackers to obtain potentially sensitive     information from kernel memory, aka a write_mmio     stack-based out-of-bounds read, related to     arch/x86/kvm/x86.c and     include/trace/events/kvm.h.(CVE-2017-17741)

  - An issue was discovered in the Linux kernel before     5.11.3 when a webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak     for large arguments, aka     CID-fb18802a338b.(CVE-2021-30002)

  - An issue was discovered in the Linux kernel through     4.17.10. There is an invalid pointer dereference in
    __del_reloc_root() in fs/btrfs/relocation.c when     mounting a crafted btrfs image, related to removing     reloc rb_trees when reloc control has not been     initialized.(CVE-2018-14609)

  - An issue was discovered in     fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel     through 4.17.3. A denial of service (memory corruption     and BUG) can occur for a corrupted xfs image upon     encountering an inode that is in extent format, but has     more extents than fit in the inode     fork.(CVE-2018-13095)

  - The vmw_gb_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel through 4.10.7 does not validate certain levels     data, which allows local users to cause a denial of     service (system hang) via a crafted ioctl call for a     /dev/dri/renderD* device.(CVE-2017-7346)

  - The klsi_105_get_line_state function in     drivers/usb/serial/kl5kusb105.c in the Linux kernel     before 4.9.5 places uninitialized heap-memory contents     into a log entry upon a failure to read the line     status, which allows local users to obtain sensitive     information by reading the log.(CVE-2017-5549)

  - An integer overflow in the uvesafb_setcmap function in     drivers/video/fbdev/uvesafb.c in the Linux kernel     before 4.17.4 could result in local attackers being     able to crash the kernel or potentially elevate     privileges because kmalloc_array is not     used.(CVE-2018-13406)

  - In the Linux kernel before version 4.12, Kerberos 5     tickets decoded when using the RXRPC keys incorrectly     assumes the size of a field. This could lead to the     size-remaining variable wrapping and the data pointer     going over the end of the buffer. This could possibly     lead to memory corruption and possible privilege     escalation.(CVE-2017-7482)

  - drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x     before 4.9.11 interacts incorrectly with the     CONFIG_VMAP_STACK option, which allows local users to     cause a denial of service (system crash or memory     corruption) or possibly have unspecified other impact     by leveraging use of more than one virtual page for a     DMA scatterlist.(CVE-2017-8069)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - A flaw was found in the Nosy driver in the Linux     kernel. This issue allows a device to be inserted twice     into a doubly-linked list, leading to a use-after-free     when one of these devices is removed. The highest     threat from this vulnerability is to confidentiality,     integrity, as well as system availability. Versions     before kernel 5.12-rc6 are affected(CVE-2021-3483)

  - An issue was discovered in the FUSE filesystem     implementation in the Linux kernel before 5.10.6, aka     CID-5d069dbe8aaf. fuse_do_getattr() calls     make_bad_inode() in inappropriate situations, causing a     system crash. NOTE: the original fix for this     vulnerability was incomplete, and its incompleteness is     tracked as CVE-2021-28950.(CVE-2020-36322)

  - An out-of-bounds (OOB) memory write flaw was found in     list_devices in drivers/md/dm-ioctl.c in the     Multi-device driver module in the Linux kernel before     5.12. A bound check failure allows an attacker with     special user (CAP_SYS_ADMIN) privilege to gain access     to out-of-bounds memory leading to a system crash or a     leak of internal kernel information. The highest threat     from this vulnerability is to system     availability.(CVE-2021-31916)

  - A vulnerability was found in Linux Kernel, where a     refcount leak in llcp_sock_connect() causing     use-after-free which might lead to privilege     escalations.(CVE-2020-25671)

  - A vulnerability was found in Linux Kernel where     refcount leak in llcp_sock_bind() causing     use-after-free which might lead to privilege     escalations.(CVE-2020-25670)

  - A memory leak vulnerability was found in Linux kernel     in llcp_sock_connect(CVE-2020-25672)

  - The Linux kernel before 5.11.14 has a use-after-free in     cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the     CIPSO and CALIPSO refcounting for the DOI definitions     is mishandled, aka CID-ad5d07f4a9cd. This leads to     writing an arbitrary value.(CVE-2021-33033)

  - Use After Free vulnerability in nfc sockets in the     Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations,     the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability.(CVE-2021-23134)

  - A flaw use-after-free in function     hci_sock_bound_ioctl() of the Linux kernel HCI     subsystem was found in the way user detaches bluetooth     dongle or other way triggers unregister bluetooth     device event. A local user could use this flaw to crash     the system or escalate their privileges on the     system.(CVE-2021-3573)

  - An issue was discovered in the Linux kernel through     5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute     code in the kernel, aka     CID-34b1a1ce1458.(CVE-2021-3347)

  - A vulnerability was found in Linux kernel where     non-blocking socket in llcp_sock_connect() leads to     leak and eventually hanging-up the     system.(CVE-2020-25673)

  - net/bluetooth/hci_request.c in the Linux kernel through     5.12.2 has a race condition for removal of the HCI     controller.(CVE-2021-32399)

  - In all Qualcomm products with Android releases from CAF     using the Linux kernel, during DMA allocation, due to     wrong data type of size, allocation size gets truncated     which makes allocation succeed when it should     fail.(CVE-2017-9725)

  - A flaw double-free memory corruption in the Linux     kernel HCI device initialization subsystem was found in     the way user attach malicious HCI TTY Bluetooth device.
    A local user could use this flaw to crash the system.
    This flaw affects all the Linux kernel versions     starting from 3.13.(CVE-2021-3564)

  - A flaw was found in the CAN BCM networking protocol in     the Linux kernel, where a local attacker can abuse a     flaw in the CAN subsystem to corrupt memory, crash the     system or escalate privileges.(CVE-2021-3609)

  - The ip6gre_err function in net/ipv6/ip6_gre.c in the     Linux kernel allows remote attackers to have     unspecified impact via vectors involving GRE flags in     an IPv6 packet, which trigger an out-of-bounds     access.(CVE-2017-5897)

  - An Out-of-Bounds Read was discovered in     arch/arm/mach-footbridge/personal-pci.c in the Linux     kernel through 5.12.11 because of the lack of a check     for a value that shouldn't be negative, e.g., access to     element -2 of an array, aka     CID-298a58e165e4.(CVE-2021-32078)

  - In the Linux kernel before 4.20.8,     kvm_ioctl_create_device in virt/kvm/kvm_main.c     mishandles reference counting because of a race     condition, leading to a use-after-free.(CVE-2019-6974)

  - In uvc_scan_chain_forward of uvc_driver.c, there is a     possible linked list corruption due to an unusual root     cause. This could lead to local escalation of privilege     in the kernel with no additional execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2020-0404)

  - In create_pinctrl of core.c, there is a possible out of     bounds read due to a use after free. This could lead to     local information disclosure with no additional     execution privileges needed. User interaction is not     needed for exploitation.(CVE-2020-0427)

  - In kbd_keycode of keyboard.c, there is a possible out     of bounds write due to a missing bounds check. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-144161459(CVE-2020-0431)

  - In blk_mq_queue_tag_busy_iter of blk-mq-tag.c, there is     a possible use after free due to improper locking. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2020-0433)

  - In various methods of hid-multitouch.c, there is a     possible out of bounds write due to a missing bounds     check. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2020-0465)

  - A vulnerability was found in the Linux Kernel where the     function sunkbd_reinit having been scheduled by     sunkbd_interrupt before sunkbd being freed. Though the     dangling pointer is set to NULL in sunkbd_disconnect,     there is still an alias in sunkbd_reinit causing Use     After Free.(CVE-2020-25669)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New kernel packages are available for Slackware 14.2 to fix a security issue.

The remote SUSE Linux SLES11 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:14724-1 advisory.

  - An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel     version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to     gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information.
    The highest threat from this vulnerability is to confidentiality, integrity, as well as system     availability. (CVE-2020-35519)

  - An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka     CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system     crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as     CVE-2021-28950. (CVE-2020-36322)

  - A race condition was found in the Linux kernels implementation of the floppy disk drive controller driver     software. The impact of this issue is lessened by the fact that the default permissions on the floppy     device (/dev/fd0) are restricted to root. If the permissions on the device have changed the impact changes     greatly. In the default configuration root (or equivalent) permissions are required to attack this flaw.
    (CVE-2021-20261)

  - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI     subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the     pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)

  - An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)

  - An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a     Netlink message. (CVE-2021-27365)

  - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A stall on CPU can occur     because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)

  - In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has     a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination, aka CID-cc7a0bb058b8. (CVE-2021-28972)

  - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to     cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h     lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
    (CVE-2021-29650)

  - An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.
    (CVE-2021-30002)

  - A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice     into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest     threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions     before kernel 5.12-rc6 are affected (CVE-2021-3483)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - btrfs: fix race when cloning extent buffer during rewind     of an old root (Filipe Manana) [Orabug: 32669454]     (CVE-2021-28964)

  - xen-blkback: don't leak persistent grants from     xen_blkbk_map (Jan Beulich) [Orabug: 32697855]     (CVE-2021-28688)

  - netfilter: x_tables: Use correct memory barriers. (Mark     Tomlinson) [Orabug: 32709125] (CVE-2021-29650)

  - netfilter: x_tables: make xt_replace_table wait until     old rules are not used anymore (Florian Westphal)     [Orabug: 32709125] (CVE-2021-29650)

  - do_epoll_ctl: clean the failure exits up a bit (Al Viro)     [Orabug: 32759496] (CVE-2020-0466)

  - epoll: Keep a reference on files added to the check list     (Marc Zyngier) [Orabug: 32759496] (CVE-2020-0466)

  - HID: core: Sanitize event code and type when mapping     input (Marc Zyngier) [Orabug: 32759553] (CVE-2020-0465)

  - floppy: fix lock_fdc signal handling (Jiri Kosina)     [Orabug: 32624116] (CVE-2021-20261)

  - Xen/gnttab: handle p2m update errors on a per-slot basis     (Jan Beulich) [Orabug: 32651478] (CVE-2021-28038)

  - n_tty: Fix stall at n_tty_receive_char_special. (Tetsuo     Handa) [Orabug: 32656942] (CVE-2021-20219)

  - fork: fix copy_process(CLONE_PARENT) race with the     exiting ->real_parent (Eddy Wu) [Orabug: 32695783]     (CVE-2020-35508)

  - Return EBUSY from BLKRRPART for mounted whole-dev fs     (Eric Sandeen) [Orabug: 32696741]

  - SecureBoot Digicert 2021 certificates update (Brian     Maly) [Orabug: 32734505]

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In various methods of hid-multitouch.c, there is a     possible out of bounds write due to a missing bounds     check. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-162844689References: Upstream kernel(CVE-2020-0465)

  - fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8,     when there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)

  - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c,     there is a possible use after free due to a logic     error. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-147802478References: Upstream kernel(CVE-2020-0466)

  - In fs/ocfs2/cluster/nodemanager.c in the Linux kernel     before 4.15, local users can cause a denial of service     (NULL pointer dereference and BUG) because a required     mutex is not used.(CVE-2017-18216)

  - An issue was discovered in the Linux kernel through     5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an     iSCSI transport is registered with the iSCSI subsystem,     the transport's handle is available to unprivileged     users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)

  - An issue was discovered in the Linux kernel through     5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged     user to craft Netlink messages.(CVE-2021-27364)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - A race condition was found in the Linux kernels     implementation of the floppy disk drive controller     driver software. The impact of this issue is lessened     by the fact that the default permissions on the floppy     device (/dev/fd0) are restricted to root. If the     permissions on the device have changed the impact     changes greatly. In the default configuration root (or     equivalent) permissions are required to attack this     flaw.(CVE-2021-20261)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9215 advisory.

  - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic     error. This could lead to local escalation of privilege with no additional execution privileges needed.
    User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
    A-147802478References: Upstream kernel (CVE-2020-0466)

  - An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the     netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of     changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior     of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.
    (CVE-2021-28038)

  - In various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds     check. This could lead to local escalation of privilege with no additional execution privileges needed.
    User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
    A-162844689References: Upstream kernel (CVE-2020-0465)

  - A flaw possibility of race condition and incorrect initialization of the process id was found in the Linux     kernel child/parent process identification handling while filtering signal handlers. A local attacker is     able to abuse this flaw to bypass checks to send any signal to a privileged process. (CVE-2020-35508)

  - A denial of service vulnerability was found in n_tty_receive_char_special in drivers/tty/n_tty.c of the     Linux kernel. In this flaw a local attacker with a normal user privilege could delay the loop (due to a     changing ldata->read_head, and a missing sanity check) and cause a threat to the system availability.
    (CVE-2021-20219)

  - A race condition was found in the Linux kernels implementation of the floppy disk drive controller driver     software. The impact of this issue is lessened by the fact that the default permissions on the floppy     device (/dev/fd0) are restricted to root. If the permissions on the device have changed the impact changes     greatly. In the default configuration root (or equivalent) permissions are required to attack this flaw.
    (CVE-2021-20261)

  - The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use     uninitialized or stale values. This initialization went too far and may under certain conditions also     overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking     persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died,     leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable.
    XSA-365 was classified to affect versions back to at least 3.11. (CVE-2021-28688)

  - A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It     allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer     before a cloning operation, aka CID-dbcc7d57bffc. (CVE-2021-28964)

  - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to     cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h     lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
    (CVE-2021-29650)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):A flaw was found in Linux     kernel in the ext4 filesystem code. A use-after-free is     possible in ext4_ext_remove_space() function when     mounting and operating a crafted ext4     image.(CVE-2018-10876)A flaw was found in the Linux     kernel. A use-after-free was found in the way the     console subsystem was using ioctls KDGKBSENT and     KDSKBSENT. A local user could use this flaw to get read     memory access out of bounds. The highest threat from     this vulnerability is to data     confidentiality.(CVE-2020-25656)A flaw was found in the     way RTAS handled memory accesses in userspace to kernel     communication. On a locked down (usually due to Secure     Boot) guest system running on top of PowerVM or KVM     hypervisors (pseries platform) a root like local user     could use this flaw to further increase their     privileges to that of a running     kernel.(CVE-2020-27777)A information disclosure     vulnerability in the Upstream kernel encrypted-keys.
    Product: Android. Versions: Android kernel. Android ID:
    A-70526974.(CVE-2017-13305)A race condition was found     in the Linux kernels implementation of the floppy disk     drive controller driver software. The impact of this     issue is lessened by the fact that the default     permissions on the floppy device (/dev/fd0) are     restricted to root. If the permissions on the device     have changed the impact changes greatly. In the default     configuration root (or equivalent) permissions are     required to attack this flaw.(CVE-2021-20261)An issue     was discovered in dlpar_parse_cc_property in     arch/powerpc/platforms/pseries/dlpar.c in the Linux     kernel through 5.1.6. There is an unchecked kstrdup of     prop->name, which might allow an attacker to cause a     denial of service (NULL pointer dereference and system     crash).(CVE-2019-12614)An issue was discovered in     fs/xfs/xfs_icache.c in the Linux kernel through 4.17.3.
    There is a NULL pointer dereference and panic in     lookup_slow() on a NULL inode->i_ops pointer when doing     pathwalks on a corrupted xfs image. This occurs because     of a lack of proper validation that cached inodes are     free during allocation.(CVE-2018-13093)An issue was     discovered in rds_tcp_kill_sock in net/rds/tcp.c in the     Linux kernel before 5.0.8. There is a race condition     leading to a use-after-free, related to net namespace     cleanup.(CVE-2019-11815)An issue was discovered in the     Linux kernel through 5.11.3. A kernel pointer leak can     be used to determine the address of the iscsi_transport     structure. When an iSCSI transport is registered with     the iSCSI subsystem, the transport's handle is     available to unprivileged users via the sysfs file     system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)An issue was     discovered in the Linux kernel through 5.11.3. Certain     iSCSI data structures do not have appropriate length     constraints or checks, and can exceed the PAGE_SIZE     value. An unprivileged user can send a Netlink message     that is associated with iSCSI, and has a length up to     the maximum length of a Netlink     message.(CVE-2021-27365)An issue was discovered in the     Linux kernel through 5.11.3.
    drivers/scsi/scsi_transport_iscsi.c is adversely     affected by the ability of an unprivileged user to     craft Netlink messages.(CVE-2021-27364)An issue was     discovered in yurex_read in drivers/usb/misc/yurex.c in     the Linux kernel before 4.17.7. Local attackers could     use user access read/writes with incorrect bounds     checking in the yurex USB driver to crash the kernel or     potentially escalate     privileges.(CVE-2018-16276)drivers/infiniband/core/ucma     .c in the Linux kernel through 4.17.11 allows     ucma_leave_multicast to access a certain data structure     after a cleanup step in ucma_process_join, which allows     attackers to cause a denial of service     (use-after-free).(CVE-2018-14734)In create_pinctrl of     core.c, there is a possible out of bounds read due to a     use after free. This could lead to local information     disclosure with no additional execution privileges     needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-140550171(CVE-2020-0427)In     do_epoll_ctl and ep_loop_check_proc of eventpoll.c,     there is a possible use after free due to a logic     error. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-147802478References: Upstream kernel(CVE-2020-0466)In     fs/ocfs2/cluster/ nodemanager.c in the Linux kernel     before 4.15, local users can cause a denial of service     (NULL pointer dereference and BUG) because a required     mutex is not used.(CVE-2017-18216)In the Linux kernel     before 5.2, a setxattr operation, after a mount of a     crafted ext4 image, can cause a slab-out-of-bounds     write access because of an ext4_xattr_set_entry     use-after-free in fs/ext4/xattr.c when a large old_size     value is used in a memset call, aka     CID-345c0dbf3a30.(CVE-2019-19319)In the Linux kernel     before version 4.12, Kerberos 5 tickets decoded when     using the RXRPC keys incorrectly assumes the size of a     field. This could lead to the size-remaining variable     wrapping and the data pointer going over the end of the     buffer. This could possibly lead to memory corruption     and possible privilege escalation.(CVE-2017-7482)In     uvc_scan_chain_forward of uvc_driver.c, there is a     possible linked list corruption due to an unusual root     cause. This could lead to local escalation of privilege     in the kernel with no additional execution privileges     needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-111893654References: Upstream     kernel(CVE-2020-0404)In various methods of     hid-multitouch.c, there is a possible out of bounds     write due to a missing bounds check. This could lead to     local escalation of privilege with no additional     execution privileges needed. User interaction is not     needed for exploitation.Product: AndroidVersions:
    Android kernelAndroid ID: A-162844689References:
    Upstream kernel(CVE-2020-0465)It was found that the raw     midi kernel driver does not protect against concurrent     access which leads to a double realloc (double free) in     snd_rawmidi_input_params() and     snd_rawmidi_output_status() which are part of     snd_rawmidi_ioctl() handler in rawmidi.c file. A     malicious local attacker could possibly use this for     privilege escalation.(CVE-2018-10902)Linux kernel ext4     filesystem is vulnerable to an out-of-bound access in     the ext4_ext_drop_refs() function when operating on a     crafted ext4 filesystem image.(CVE-2018-10877)Linux     kernel is vulnerable to a stack-out-of-bounds write in     the ext4 filesystem code when mounting and writing to a     crafted ext4 image in ext4_update_inline_data(). An     attacker could use this to cause a system crash and a     denial of service.(CVE-2018-10880)Linux Kernel contains     an out-of-bounds read flaw in the asn1_ber_decoder()     function in lib/asn1_decoder.c that is triggered when     decoding ASN.1 data. This may allow a remote attacker     to disclose potentially sensitive memory     contents.(CVE-2018-9383)use-after-free read in     sunkbd_reinit in     drivers/input/keyboard/sunkbd.c(CVE-2020-25669)mwifiex_     cmd_802_11_ad_hoc_start in drivers/     net/wireless/marvell/mwifiex/join.c in the Linux kernel     through 5.10.4 might allow remote attackers to execute     arbitrary code via a long SSID value, aka     CID-5c455c5ab332.(CVE-2020-36158)fs/ nfsd/ nfs3xdr.c in     the Linux kernel through 5.10.8, when there is an NFS     export of a subdirectory of a filesystem, allows remote     attackers to traverse to other parts of the filesystem     via READDIRPLUS. NOTE: some parties argue that such a     subdirectory export is not intended to prevent this     attack see also the exports(5) no_subtree_check default     behavior.(CVE-2021-3178)In the Linux kernel before     4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c     mishandles reference counting because of a race     condition, leading to a     use-after-free.(CVE-2019-6974)The KVM implementation in     the Linux kernel through 4.20.5 has a     Use-after-Free.(CVE-2019-7221)A flaw was found in the     JFS filesystem code. This flaw allows a local attacker     with the ability to set extended attributes to panic     the system, causing memory corruption or escalating     privileges. The highest threat from this vulnerability     is to confidentiality, integrity, as well as system     availability.(CVE-2020-27815)An out-of-bounds (OOB)     memory access flaw was found in x25_bind in     net/x25/af_x25.c in the Linux kernel. A bounds check     failure allows a local attacker with a user account on     the system to gain access to out-of-bounds memory,     leading to a system crash or a leak of internal kernel     information. The highest threat from this vulnerability     is to confidentiality, integrity, as well as system     availability.(CVE-2020-35519)In     drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux     kernel through 5.11.8, the RPA PCI Hotplug driver has a     user-tolerable buffer overflow when writing a new     device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame     directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination,     aka CID-cc7a0bb058b8.(CVE-2021-28972)A NULL pointer     dereference was found in the net/rds/rdma.c
    __rds_rdma_map() function in the Linux kernel before     4.14.7 allowing local attackers to cause a system panic     and a denial-of-service, related to RDS_GET_MR and     RDS_GET_MR_FOR_DEST.(CVE-2018-7492)The Siemens R3964     line discipline driver in drivers/tty/ n_r3964.c in the     Linux kernel before 5.0.8 has multiple race     conditions.(CVE-2019-11486)The kernel in Android before     2016-08-05 on Nexus 7 (2013) devices allows attackers     to gain privileges via a crafted application, aka     internal bug 28522518.(CVE-2016-3857)The KVM     implementation in the Linux kernel through 4.14.7     allows attackers to obtain potentially sensitive     information from kernel memory, aka a write_mmio     stack-based out-of-bounds read, related to     arch/x86/kvm/x86.c and     include/trace/events/kvm.h.(CVE-2017-17741)The     sctp_process_param function in net/sctp/sm_make_chunk.c     in the SCTP implementation in the Linux kernel before     3.17.4, when ASCONF is used, allows remote attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a malformed INIT     chunk.(CVE-2014-7841)The XFS subsystem in the Linux     kernel through 4.8.2 allows local users to cause a     denial of service (fdatasync failure and system hang)     by using the vfs syscall group in the trinity program,     related to a 'page lock order bug in the XFS seek     hole/data implementation.'(CVE-2016-8660)The     xfs_dinode_verify function in     fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel     through 4.16.3 allows local users to cause a denial of     service (xfs_ilock_attr_map_shared invalid pointer     dereference) via a crafted xfs image.(CVE-2018-10322)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4904-1 advisory.

  - The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr     operations that underspecifies removing extended privilege attributes, which allows local users to cause a     denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by     using chown to remove a capability from the ping or Wireshark dumpcap program. (CVE-2015-1350)

  - The time subsystem in the Linux kernel through 4.9.9, when CONFIG_TIMER_STATS is enabled, allows local     users to discover real PID values (as distinguished from PID values inside a PID namespace) by reading the     /proc/timer_list file, related to the print_timer function in kernel/time/timer_list.c and the
    __timer_stats_timer_set_start_info function in kernel/time/timer.c. (CVE-2017-5967)

  - The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the Linux kernel through 4.13.11     allows local users to cause a denial of service (improper error handling and system crash) or possibly     have unspecified other impact via a crafted USB device. (CVE-2017-16644)

  - An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. A denial of     service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is     in extent format, but has more extents than fit in the inode fork. (CVE-2018-13095)

  - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,     leading to a NULL pointer dereference. (CVE-2019-16231)

  - drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the     alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16232)

  - A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux     kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka     CID-9c0530e898f3. (CVE-2019-19061)

  - A race condition was found in the Linux kernels implementation of the floppy disk drive controller driver     software. The impact of this issue is lessened by the fact that the default permissions on the floppy     device (/dev/fd0) are restricted to root. If the permissions on the device have changed the impact changes     greatly. In the default configuration root (or equivalent) permissions are required to attack this flaw.
    (CVE-2021-20261)

  - An issue was discovered in the Linux kernel 3.11 through 5.10.16, as used by Xen. To service requests to     the PV backend, the driver maps grant references provided by the frontend. In this process, errors may be     encountered. In one case, an error encountered earlier might be discarded by later processing, resulting     in the caller assuming successful mapping, and hence subsequent operations trying to access space that     wasn't mapped. In another case, internal state would be insufficiently updated, preventing safe recovery     from the error. This affects drivers/block/xen-blkback/blkback.c. (CVE-2021-26930)

  - An issue was discovered in the Linux kernel 2.6.39 through 5.10.16, as used in Xen. Block, net, and SCSI     backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially     being at least under the influence of guests (such as out of memory conditions), it isn't correct to     assume a plain bug. Memory allocations potentially causing such crashes occur only when Linux is running     in PV mode, though. This affects drivers/block/xen-blkback/blkback.c and drivers/xen/xen-scsiback.c.
    (CVE-2021-26931)

  - An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the     netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of     changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior     of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.
    (CVE-2021-28038)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
153271	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2021-2392)	Nessus	Huawei Local Security Checks	high
151897	Slackware 14.2 : Slackware 14.2 kernel (SSA:2021-202-01)	Nessus	Slackware Local Security Checks	high
150550	SUSE SLES11 Security Update : kernel (SUSE-SU-2021:14724-1)	Nessus	SuSE Local Security Checks	medium
150463	OracleVM 3.4 : Unbreakable / etc (OVMSA-2021-0016)	Nessus	OracleVM Local Security Checks	high
149587	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-1904)	Nessus	Huawei Local Security Checks	high
149296	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2021-9215)	Nessus	Oracle Linux Local Security Checks	high
149098	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2021-1808)	Nessus	Huawei Local Security Checks	high
148498	Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-4904-1)	Nessus	Ubuntu Local Security Checks	medium

CVE-2021-20261

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

high

high

medium

high

high

high

high

medium