The remote Ubuntu 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5623-1 advisory.

  - Insufficient control flow management for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an     authenticated user to potentially enable denial of service via local access. (CVE-2021-33061)

  - When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of     bounds. (CVE-2021-33655)

  - A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the     small table perturb size. This flaw may allow an attacker to information leak and may cause a denial of     service problem. (CVE-2022-1012)

  - A race condition was found the Linux kernel in perf_event_open() which can be exploited by an unprivileged     user to gain root privileges. The bug allows to build several exploit primitives such as kernel address     information leak, arbitrary execution, etc. (CVE-2022-1729)

  - A NULL pointer dereference flaw was found in the Linux kernel's KVM module, which can lead to a denial of     service in the x86_emulate_insn in arch/x86/kvm/emulate.c. This flaw occurs while executing an illegal     instruction in guest in the Intel CPU. (CVE-2022-1852)

  - A flaw out of bounds memory write in the Linux kernel UDF file system functionality was found in the way     user triggers some file operation which triggers udf_write_fi(). A local user could use this flaw to crash     the system or potentially (CVE-2022-1943)

  - A use-after-free flaw was found in the Linux kernel in log_replay in fs/ntfs3/fslog.c in the NTFS journal.
    This flaw allows a local attacker to crash the system and leads to a kernel information leak problem.
    (CVE-2022-1973)

  - There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that     allow attackers to crash linux kernel without any privileges. (CVE-2022-2318)

  - Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to     restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently     allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass     verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and     unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for     peripherals that do not verify firmware updates. We recommend upgrading past commit     4caae58406f8ceb741603eee460d79bacca9b1b5 (CVE-2022-2503)

  - Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text     explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device     frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740).
    Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to     unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend     (CVE-2022-33741, CVE-2022-33742). (CVE-2022-26365, CVE-2022-33740, CVE-2022-33741, CVE-2022-33742)

  - An out-of-bounds memory access flaw was found in the Linux kernel Intel's iSMT SMBus host controller     driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input     data. This flaw allows a local user to crash the system. (CVE-2022-2873)

  - A race condition was found in the Linux kernel's watch queue due to a missing lock in pipe_resize_ring().
    The specific flaw exists within the handling of pipe buffers. The issue results from the lack of proper     locking when performing operations on an object. This flaw allows a local user to crash the system or     escalate their privileges on the system. (CVE-2022-2959)

  - The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are     used. This occurs because of use of Algorithm 4 (Double-Hash Port Selection Algorithm) of RFC 6056.
    (CVE-2022-32296)

  - network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data     Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further     processing to nevertheless be freed. (CVE-2022-33743)

  - Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree     to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the     related lock held, resulting in a small race window, which can be used by unprivileged guests via PV     devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS)     of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory     pages. (CVE-2022-33744)

  - rpmsg_virtio_add_ctrl_dev in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a     double free. (CVE-2022-34494)

  - rpmsg_probe in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.
    (CVE-2022-34495)

  - nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote     attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte     nfta_payload attribute, an skb_pull can encounter a negative skb->len. (CVE-2022-36946)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Ubuntu 20.04 LTS : Linux kernel (HWE) vulnerabilities (USN-5623-1)

high Nessus Plugin ID 165280

Version 1.8

Version 1.7

Version 1.6

Version 1.5

Version 1.4

Version 1.3

Version 1.8 Jan 10, 2024, 8:45 AM Detection (updated detection logic) Plugin metadata Plugin Feed: 202401100845
Version 1.7 Oct 21, 2023, 3:09 AM Plugin metadata Detection Plugin Feed: 202310210309
Version 1.6 Oct 11, 2023, 4:17 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") Exploit attributes ("Exploit available" set to "True". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202310111617
Version 1.5 Jan 18, 2023, 9:01 AM Logic Changes (Added support for s390x) Plugin Feed: 202301180901
Version 1.4 Nov 8, 2022, 3:50 PM CVSS metrics CVSSv2 score source (Changed from CVE-2022-33743 to CVE-2022-1943) CVSSv2 severity (Based on CVE-2022-1943 severity increased from Medium to High) Plugin Feed: 202211081550
Version 1.3 Oct 3, 2022, 3:58 PM CVSS metrics Plugin Feed: 202210031558