Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-5294-2)

high Nessus Plugin ID 158253

Synopsis

The remote Ubuntu host is missing one or more security updates.

Description

The remote Ubuntu 18.04 LTS / 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5294-2 advisory.

- A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service. We recommend upgrading kernel past the effected versions or rebuilding past ec6af094ea28f0f2dda1a6a33b14cd57e36a9755 (CVE-2021-22600)

- In various setup methods of the USB gadget subsystem, there is a possible out of bounds write due to an incorrect flag check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-210292376References: Upstream kernel (CVE-2021-39685)

- A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system.
This flaw affects Linux kernel versions prior to 5.16-rc4. (CVE-2021-4083)

- A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them. (CVE-2021-4155)

- A use-after-free flaw was found in nci_request in net/nfc/nci/core.c in NFC Controller Interface (NCI) in the Linux kernel. This flaw could allow a local attacker with user privileges to cause a data race problem while the device is getting removed, leading to a privilege escalation problem. (CVE-2021-4202)

- In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value. (CVE-2021-43975)

- A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system. (CVE-2022-0330)

- The vmwgfx driver contains a local privilege escalation vulnerability that allows unprivileged users to gain access to files opened by other processes on the system through a dangling 'file' pointer.
(CVE-2022-22942)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel package.

See Also

https://ubuntu.com/security/notices/USN-5294-2

Plugin Details

Severity: High

ID: 158253

File Name: ubuntu_USN-5294-2.nasl

Version: 1.13

Type: local

Agent: unix

Published: 2/22/2022

Updated: 1/9/2024

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2021-39685

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS Score Source: CVE-2022-22942

Vulnerability Information

CPE: cpe:/o:canonical:ubuntu_linux:18.04:-:lts, cpe:/o:canonical:ubuntu_linux:20.04:-:lts, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-100-generic, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-100-generic-lpae, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-100-lowlatency, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1015-ibm, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1028-bluefield, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1034-gkeop, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1053-raspi, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1056-kvm, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1064-oracle, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1065-gcp, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1066-aws, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1070-azure, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1070-azure-fde

Required KB Items: Host/cpu, Host/Ubuntu, Host/Ubuntu/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/22/2022

Vulnerability Publication Date: 1/11/2021

CISA Known Exploited Vulnerability Due Dates: 5/2/2022

Exploitable With

Metasploit (vmwgfx Driver File Descriptor Handling Priv Esc)

Reference Information

CVE: CVE-2021-22600, CVE-2021-39685, CVE-2021-4083, CVE-2021-4155, CVE-2021-4202, CVE-2021-43975, CVE-2022-0330, CVE-2022-22942

USN: 5294-2