The remote Ubuntu 16.04 ESM host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5299-1 advisory.

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby     man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication     procedure) by reflection of the public key and the authentication evidence of the initiating device,     potentially permitting this attacker to complete authenticated pairing with the responding device using     the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit     at a time. (CVE-2020-26558)

  - Improper access control in BlueZ may allow an authenticated user to potentially enable information     disclosure via adjacent access. (CVE-2021-0129)

  - In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has     a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination, aka CID-cc7a0bb058b8. (CVE-2021-28972)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an     hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from     kernel stack memory because parts of a data structure are uninitialized. (CVE-2021-34693)

  - A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice     into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest     threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions     before kernel 5.12-rc6 are affected (CVE-2021-3483)

  - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in     the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the     system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)

  - An out-of-bounds memory write flaw was found in the Linux kernel's joystick devices subsystem in versions     before 5.9-rc1, in the way the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to crash the     system or possibly escalate their privileges on the system. The highest threat from this vulnerability is     to confidentiality, integrity, as well as system availability. (CVE-2021-3612)

  - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was     found in the way user uses trace ring buffer in a specific way. Only privileged local users (with     CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.
    (CVE-2021-3679)

  - drivers/usb/host/max3421-hcd.c in the Linux kernel before 5.13.6 allows physically proximate attackers to     cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain     situations. (CVE-2021-38204)

  - The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab     out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access.
    (CVE-2021-42008)

  - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information     leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based     attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Ubuntu 16.04 ESM : Linux kernel vulnerabilities (USN-5299-1)

high Nessus Plugin ID 158254

Version 1.4