https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg2520013.html

https://www.openwall.com/lists/oss-security/2021/03/28/2

https://bugzilla.redhat.com/show_bug.cgi?id=1944298

[oss-security] 20210508 Re: Linux kernel: f2fs: out-of-bounds memory access bug

https://security.netapp.com/advisory/ntap-20210611-0007/

[debian-lts-announce] 20210623 [SECURITY] [DLA 2690-1] linux-4.19 security update

The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5000-2 advisory.

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux     kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to     out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest     threat from this vulnerability is to system availability. (CVE-2021-3506)

  - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel     privilege escalation from the context of a network service or an unprivileged process. If     sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the     auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network     service privileges to escalate to root or from the context of an unprivileged user directly if a     BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)

  - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability. (CVE-2021-23134)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading     to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not     protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized     data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI     controller. (CVE-2021-32399)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an     hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic     operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel     memory, leading to local privilege escalation to root. In particular, there is a corner case where the off     reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
    (CVE-2021-33200)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 21.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4997-2 advisory.

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux     kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to     out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest     threat from this vulnerability is to system availability. (CVE-2021-3506)

  - A flaw null pointer dereference in the Nitro Enclaves kernel driver was found in the way that Enclaves VMs     forces closures on the enclave file descriptor. A local user of a host machine could use this flaw to     crash the system or escalate their privileges on the system. (CVE-2021-3543)

  - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel     privilege escalation from the context of a network service or an unprivileged process. If     sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the     auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network     service privileges to escalate to root or from the context of an unprivileged user directly if a     BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)

  - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability. (CVE-2021-23134)

  - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel     5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in     order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The     issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.
    An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the     context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading     to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not     protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized     data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI     controller. (CVE-2021-32399)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an     hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic     operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel     memory, leading to local privilege escalation to root. In particular, there is a corner case where the off     reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
    (CVE-2021-33200)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):kernel/bpf/verifier.c in     the Linux kernel through 5.12.7 enforces incorrect     limits for pointer arithmetic operations, aka     CID-bb01a1bba579. This can be abused to perform     out-of-bounds reads and writes in kernel memory,     leading to local privilege escalation to root. In     particular, there is a corner case where the off reg     causes a masking direction change, which then results     in an incorrect final aux->alu_limit.(CVE-2021-33200)A     vulnerability was found in Linux Kernel where refcount     leak in llcp_sock_bind() causing use-after-free which     might lead to privilege escalations.(CVE-2020-25670)A     vulnerability was found in Linux Kernel, where a     refcount leak in llcp_sock_connect() causing     use-after-free which might lead to privilege     escalations.(CVE-2020-25671)A memory leak vulnerability     was found in Linux kernel in     llcp_sock_connect(CVE-2020-25672)An out-of-bounds (OOB)     memory access flaw was found in fs/f2fs/ Node.c in the     f2fs module in the Linux kernel in versions before     5.12.0-rc4. A bounds check failure allows a local     attacker to gain access to out-of-bounds memory leading     to a system crash or a leak of internal kernel     information. The highest threat from this vulnerability     is to system availability.(CVE-2021-3506)The Linux     kernel 4.9.x before 4.9.233, 4.14.x before 4.14.194,     and 4.19.x before 4.19.140 has a use-after-free because     skcd->no_refcnt was not considered during a backport of     a CVE-2020-14356 patch. This is related to the cgroups     feature.(CVE-2020-25220)The Linux kernel before 5.11.14     has a use-after-free in cipso_v4_genopt in     net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO     refcounting for the DOI definitions is mishandled, aka     CID-ad5d07f4a9cd. This leads to writing an arbitrary     value.(CVE-2021-33033)kernel/bpf/verifier.c in the     Linux kernel through 5.12.1 performs undesirable     speculative loads, leading to disclosure of stack     content via side-channel attacks, aka CID-801c6058d14a.
    The specific concern is not protecting the BPF stack     area against speculative loads. Also, the BPF stack can     contain uninitialized data that might represent     sensitive information previously operated on by the     kernel.(CVE-2021-31829)An issue was discovered in     fs/fuse/fuse_i.h in the Linux kernel before 5.11.8.
    A(CVE-2021-28950)net/bluetooth/hci_request.c in the     Linux kernel through 5.12.2 has a race condition for     removal of the HCI controller.(CVE-2021-32399)In the     Linux kernel before 5.12.4, net/bluetooth/hci_event.c     has a use-after-free when destroying an hci_chan, aka     CID-5c4c8c954409. This leads to writing an arbitrary     value.(CVE-2021-33034)An out-of-bounds (OOB) memory     write flaw was found in list_devices in     drivers/md/dm-ioctl.c in the Multi-device driver module     in the Linux kernel before 5.12. A bound check failure     allows an attacker with special user (CAP_SYS_ADMIN)     privilege to gain access to out-of-bounds memory     leading to a system crash or a leak of internal kernel     information. The highest threat from this vulnerability     is to system availability.(CVE-2021-31916)Use After     Free vulnerability in nfc sockets in the Linux Kernel     before 5.12.4 allows local attackers to elevate their     privileges. In typical configurations, the issue can     only be triggered by a privileged local user with the     CAP_NET_RAW capability.(CVE-2021-23134)An issue was     discovered in the Linux kernel before 5.9.
    arch/x86/kvm/svm/sev.c allows attackers to cause a     denial of service (soft lockup) by triggering     destruction of a large SEV VM (which requires     unregistering many encrypted regions), aka     CID-7be74942f184.(CVE-2020-36311)An issue was     discovered in the Linux kernel before 5.8.10.
    virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev     memory leak upon a kmalloc failure, aka     CID-f65886606c2d.(CVE-2020-36312)The bpf verifier in     the Linux kernel did not properly handle mod32     destination register truncation when the source     register was known to be 0. A local attacker with the     ability to load bpf programs could use this gain     out-of-bounds reads in kernel memory leading to     information disclosure (kernel memory), and possibly     out-of-bounds writes that could potentially lead to     code execution. This issue was addressed in the     upstream kernel in commit 9b00f1b78809 ('bpf: Fix     truncation handling for mod32 dst reg wrt zero') and in     Linux stable kernels 5.11.2, 5.10.19, and     5.4.101.(CVE-2021-3444)An issue was discovered in the     Linux kernel through 5.11.x. kernel/bpf/verifier.c     performs undesirable out-of-bounds speculation on     pointer arithmetic, leading to side-channel attacks     that defeat Spectre mitigations and obtain sensitive     information from kernel memory. Specifically, for     sequences of pointer arithmetic operations, the pointer     modification performed by the first operation is not     correctly accounted for when restricting subsequent     operations.(CVE-2021-29155)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 20.04 LTS / 20.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5016-1 advisory.

  - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux     kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to     out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest     threat from this vulnerability is to system availability. (CVE-2021-3506)

  - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability. (CVE-2021-23134)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI     controller. (CVE-2021-32399)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an     hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer     allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an     unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in fs/fuse/fuse_i.h in the     Linux kernel before 5.11.8. A 'stall on CPU' can occur     because a retry loop continually finds the same bad     inode, aka CID-775c5033a0d1.(CVE-2021-28950)

  - An issue was discovered in the Linux kernel before     5.8.10. virt/kvm/kvm_main.c has a     kvm_io_bus_unregister_dev memory leak upon a kmalloc     failure, aka CID-f65886606c2d.(CVE-2020-36312)

  - An issue was discovered in the Linux kernel before 5.9.
    arch/x86/kvm/svm/sev.c allows attackers to cause a     denial of service (soft lockup) by triggering     destruction of a large SEV VM (which requires     unregistering many encrypted regions), aka     CID-7be74942f184.(CVE-2020-36311)

  - An out-of-bounds (OOB) memory access flaw was found in     fs/f2fs/node.c in the f2fs module in the Linux kernel     in versions before 5.12.0-rc4. A bounds check failure     allows a local attacker to gain access to out-of-bounds     memory leading to a system crash or a leak of internal     kernel information. The highest threat from this     vulnerability is to system availability.(CVE-2021-3506)

  - An out-of-bounds (OOB) memory write flaw was found in     list_devices in drivers/md/dm-ioctl.c in the     Multi-device driver module in the Linux kernel before     5.12. A bound check failure allows an attacker with     special user (CAP_SYS_ADMIN) privilege to gain access     to out-of-bounds memory leading to a system crash or a     leak of internal kernel information. The highest threat     from this vulnerability is to system     availability.(CVE-2021-31916)

  - An issue was discovered in the Linux kernel through     5.2.13. nbd_genl_status in drivers/block/nbd.c does not     check the nla_nest_start_noflag return     value.(CVE-2019-16089)

  - The bpf verifier in the Linux kernel did not properly     handle mod32 destination register truncation when the     source register was known to be 0. A local attacker     with the ability to load bpf programs could use this     gain out-of-bounds reads in kernel memory leading to     information disclosure (kernel memory), and possibly     out-of-bounds writes that could potentially lead to     code execution. This issue was addressed in the     upstream kernel in commit 9b00f1b78809 ('bpf: Fix     truncation handling for mod32 dst reg wrt zero') and in     Linux stable kernels 5.11.2, 5.10.19, and     5.4.101.(CVE-2021-3444)

  - An issue was discovered in the Linux kernel through     5.11.x. kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic,     leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from     kernel memory. Specifically, for sequences of pointer     arithmetic operations, the pointer modification     performed by the first operation is not correctly     accounted for when restricting subsequent     operations.(CVE-2021-29155)

  - kernel/bpf/verifier.c in the Linux kernel through     5.12.1 performs undesirable speculative loads, leading     to disclosure of stack content via side-channel     attacks, aka CID-801c6058d14a. The specific concern is     not protecting the BPF stack area against speculative     loads. Also, the BPF stack can contain uninitialized     data that might represent sensitive information     previously operated on by the kernel.(CVE-2021-31829)

  - net/bluetooth/hci_request.c in the Linux kernel through     5.12.2 has a race condition for removal of the HCI     controller.(CVE-2021-32399)

  - In the Linux kernel before 5.12.4,     net/bluetooth/hci_event.c has a use-after-free when     destroying an hci_chan, aka CID-5c4c8c954409. This     leads to writing an arbitrary value.(CVE-2021-33034)

  - The Linux kernel before 5.11.14 has a use-after-free in     cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the     CIPSO and CALIPSO refcounting for the DOI definitions     is mishandled, aka CID-ad5d07f4a9cd. This leads to     writing an arbitrary value.(CVE-2021-33033)

  - Use After Free vulnerability in nfc sockets in the     Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations,     the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability.(CVE-2021-23134)

  - A memory leak vulnerability was found in Linux kernel     in llcp_sock_connect(CVE-2020-25672)

  - A vulnerability was found in Linux Kernel, where a     refcount leak in llcp_sock_connect() causing     use-after-free which might lead to privilege     escalations.(CVE-2020-25671)

  - A vulnerability was found in Linux Kernel where     refcount leak in llcp_sock_bind() causing     use-after-free which might lead to privilege     escalations.(CVE-2020-25670)

  - kernel/bpf/verifier.c in the Linux kernel through     5.12.7 enforces incorrect limits for pointer arithmetic     operations, aka CID-bb01a1bba579. This can be abused to     perform out-of-bounds reads and writes in kernel     memory, leading to local privilege escalation to root.
    In particular, there is a corner case where the off reg     causes a masking direction change, which then results     in an incorrect final aux->alu_limit.(CVE-2021-33200)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service, or information leaks.

CVE-2020-24586, CVE-2020-24587, CVE-2020-26147

Mathy Vanhoef discovered that many Wi-Fi implementations, including Linux's mac80211, did not correctly implement reassembly of fragmented packets. In some circumstances, an attacker within range of a network could exploit these flaws to forge arbitrary packets and/or to access sensitive data on that network.

CVE-2020-24588

Mathy Vanhoef discovered that most Wi-Fi implementations, including Linux's mac80211, did not authenticate the 'is aggregated' packet header flag. An attacker within range of a network could exploit this to forge arbitrary packets on that network.

CVE-2020-25670, CVE-2020-25671, CVE-2021-23134

kiyin (&#x5C39;&#x4EAE;) of TenCent discovered several reference counting bugs in the NFC LLCP implementation which could lead to use-after-free. A local user could exploit these for denial of service (crash or memory corruption) or possibly for privilege escalation.

Nadav Markus and Or Cohen of Palo Alto Networks discovered that the original fixes for these introduced a new bug that could result in use-after-free and double-free. This has also been fixed.

CVE-2020-25672

kiyin (&#x5C39;&#x4EAE;) of TenCent discovered a memory leak in the NFC LLCP implementation. A local user could exploit this for denial of service (memory exhaustion).

CVE-2020-26139

Mathy Vanhoef discovered that a bug in some Wi-Fi implementations, including Linux's mac80211. When operating in AP mode, they would forward EAPOL frames from one client to another while the sender was not yet authenticated. An attacker within range of a network could use this for denial of service or as an aid to exploiting other vulnerabilities.

CVE-2020-26558, CVE-2021-0129

Researchers at ANSSI discovered vulnerabilities in the Bluetooth Passkey authentication method, and in Linux's implementation of it. An attacker within range of two Bluetooth devices while they pair using Passkey authentication could exploit this to obtain the shared secret (Passkey) and then impersonate either of the devices to each other.

CVE-2020-29374

Jann Horn of Google reported a flaw in Linux's virtual memory management. A parent and child process initially share all their memory, but when either writes to a shared page, the page is duplicated and unshared (copy-on-write). However, in case an operation such as vmsplice() required the kernel to take an additional reference to a shared page, and a copy-on-write occurs during this operation, the kernel might have accessed the wrong process's memory. For some programs, this could lead to an information leak or data corruption.

CVE-2021-3483

&#x9A6C;&#x54F2;&#x5B87; (Zheyu Ma) reported a bug in the 'nosy' driver for TI PCILynx FireWire controllers, which could lead to list corruption and a use-after-free. On a system that uses this driver, local users granted access to /dev/nosy could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2021-3506

The ADLab of venustech discovered a bug in the F2FS driver which could lead to an out-of-bounds read when accessing a crafted filesystem. A local user permitted to mount arbitrary filesystems could exploit this to cause a denial of service (crash) or other security impact.

CVE-2021-3564, CVE-2021-3573, CVE-2021-32399

The BlockSec team discovered several race conditions in the Bluetooth subsystem that could lead to a use-after-free or double-free. A local user could exploit these to caue a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2021-3587

Active Defense Lab of Venustech discovered a potential NULL pointer dereference in the NFC LLCP implementation. A local user could use this to cause a denial of service (crash).

CVE-2021-23133

Or Cohen of Palo Alto Networks discovered a race condition in the SCTP implementation, which can lead to list corruption. A local user could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2021-28688 (XSA-371)

It was discovered that the original fix for CVE-2021-26930 (XSA-365) introduced a potential resource leak. A malicious guest could presumably exploit this to cause a denial of service (resource exhaustion) within the host.

CVE-2021-28964

Zygo Blaxell reported a race condition in the Btrfs driver which can lead to an assertion failure. On systems using Btrfs, a local user could exploit this to cause a denial of service (crash).

CVE-2021-28971

Vince Weaver reported a bug in the performance event handler for Intel PEBS. A workaround for a hardware bug on Intel CPUs codenamed 'Haswell' and earlier could lead to a NULL pointer dereference. On systems with the affected CPUs, if users are permitted to access performance events, a local user may exploit this to cause a denial of service (crash).

By default, unprivileged users do not have access to performance events, which mitigates this issue. This is controlled by the kernel.perf_event_paranoid sysctl.

CVE-2021-29154

It was discovered that the Extended BPF (eBPF) JIT compiler for x86_64 generated incorrect branch instructions in some cases. On systems where eBPF JIT is enabled, users could exploit this to execute arbitrary code in the kernel.

By default, eBPF JIT is disabled, mitigating this issue.
This is controlled by the net.core.bpf_jit_enable sysctl.

CVE-2021-29155, CVE-2021-31829

Piotr Krysiuk and Benedict Schlueter discovered that the Extended BPF (eBPF) verifier did not completely protect against information leaks due to speculative execution. A local user could exploit these to obtain sensitive information from kernel memory.

CVE-2021-29264

It was discovered that the 'gianfar' Ethernet driver used with some Freescale SoCs did not correctly handle a Rx queue overrun when jumbo packets were enabled. On systems using this driver and jumbo packets, an attacker on the network could exploit this to cause a denial of service (crash).

This driver is not enabled in Debian's official kernel configurations.

CVE-2021-29647

The syzbot tool found an information leak in the Qualcomm IPC Router (qrtr) implementation.

This protocol is not enabled in Debian's official kernel configurations.

CVE-2021-29650

It was discovered that a data race in the netfilter subsystem could lead to a NULL pointer dereference during replacement of a table. A local user with CAP_NET_ADMIN capability in any user namespace could use this to cause a denial of service (crash).

By default, unprivileged users cannot create user namespaces, which mitigates this issue. This is controlled by the kernel.unprivileged_userns_clone sysctl.

CVE-2021-31916

Dan Carpenter reported incorrect parameter validation in the device-mapper (dm) subsystem, which could lead to a heap buffer overrun. However, only users with CAP_SYS_ADMIN capability (i.e.
root-equivalent) could trigger this bug, so it did not have any security impact in this kernel version.

CVE-2021-33034

The syzbot tool found a bug in the Bluetooth subsystem that could lead to a use-after-free. A local user could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

For Debian 9 stretch, these problems have been fixed in version 4.19.194-1~deb9u1. This update additionally fixes Debian bug #986949, #988352, and #989451; and includes many more bug fixes from stable updates 4.19.182-4.19.194 inclusive.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux-4.19

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5000-1 advisory.

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux     kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to     out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest     threat from this vulnerability is to system availability. (CVE-2021-3506)

  - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel     privilege escalation from the context of a network service or an unprivileged process. If     sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the     auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network     service privileges to escalate to root or from the context of an unprivileged user directly if a     BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)

  - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability. (CVE-2021-23134)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading     to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not     protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized     data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI     controller. (CVE-2021-32399)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an     hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic     operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel     memory, leading to local privilege escalation to root. In particular, there is a corner case where the off     reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
    (CVE-2021-33200)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5001-1 advisory.

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux     kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to     out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest     threat from this vulnerability is to system availability. (CVE-2021-3506)

  - A flaw null pointer dereference in the Nitro Enclaves kernel driver was found in the way that Enclaves VMs     forces closures on the enclave file descriptor. A local user of a host machine could use this flaw to     crash the system or escalate their privileges on the system. (CVE-2021-3543)

  - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel     privilege escalation from the context of a network service or an unprivileged process. If     sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the     auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network     service privileges to escalate to root or from the context of an unprivileged user directly if a     BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)

  - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability. (CVE-2021-23134)

  - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel     5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in     order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The     issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.
    An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the     context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI     controller. (CVE-2021-32399)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an     hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 21.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4997-1 advisory.

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux     kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to     out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest     threat from this vulnerability is to system availability. (CVE-2021-3506)

  - A flaw null pointer dereference in the Nitro Enclaves kernel driver was found in the way that Enclaves VMs     forces closures on the enclave file descriptor. A local user of a host machine could use this flaw to     crash the system or escalate their privileges on the system. (CVE-2021-3543)

  - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel     privilege escalation from the context of a network service or an unprivileged process. If     sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the     auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network     service privileges to escalate to root or from the context of an unprivileged user directly if a     BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)

  - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability. (CVE-2021-23134)

  - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel     5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in     order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The     issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.
    An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the     context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading     to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not     protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized     data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI     controller. (CVE-2021-32399)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an     hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic     operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel     memory, leading to local privilege escalation to root. In particular, there is a corner case where the off     reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
    (CVE-2021-33200)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
153131	Ubuntu 20.04 LTS : Linux kernel (KVM) vulnerabilities (USN-5000-2)	Nessus	Ubuntu Local Security Checks	high
153127	Ubuntu 21.04 : Linux kernel (KVM) vulnerabilities (USN-4997-2)	Nessus	Ubuntu Local Security Checks	medium
152313	EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-2272)	Nessus	Huawei Local Security Checks	high
151907	Ubuntu 20.04 LTS / 20.10 : Linux kernel vulnerabilities (USN-5016-1)	Nessus	Ubuntu Local Security Checks	high
151562	EulerOS Virtualization 2.9.1 : kernel (EulerOS-SA-2021-2183)	Nessus	Huawei Local Security Checks	high
150984	Debian DLA-2690-1 : linux-4.19 security update	Nessus	Debian Local Security Checks	high
150957	Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-5000-1)	Nessus	Ubuntu Local Security Checks	high
150955	Ubuntu 20.04 LTS : Linux kernel (OEM) vulnerabilities (USN-5001-1)	Nessus	Ubuntu Local Security Checks	medium
150953	Ubuntu 21.04 : Linux kernel vulnerabilities (USN-4997-1)	Nessus	Ubuntu Local Security Checks	medium

CVE-2021-3506

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

medium

high

high

high

high

high

medium

medium