The remote OracleVM system is missing necessary patches to address security updates:

  - An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init     (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different     vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an     unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data     in net/netfilter/nf_tables_api.c. (CVE-2022-34918)

  - In the Unbreakable Enterprise Kernel (UEK), the RDS module in UEK has two setsockopt(2) options,     RDS_CONN_RESET and RDS6_CONN_RESET, that are not re-entrant. A malicious local user with CAP_NET_ADMIN can     use this to crash the kernel. (CVE-2023-22024)

  - A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the     extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system     crash or other undefined behaviors. (CVE-2023-2513)

  - Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register     contents when CAP_NET_ADMIN is in any user or network namespace (CVE-2023-35001)

  - An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited     to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-     of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend     upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)

  - A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue     may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in     xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (CVE-2023-3772)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to     achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an     error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can     control the reference counter and set it to zero, they can cause the reference to be freed, leading to a     use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
    (CVE-2023-3776)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to     achieve local privilege escalation. When route4_change() is called on an existing filter, the whole     tcf_result struct is always copied into the new instance of the filter. This causes a problem when     updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the     success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading     to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
    (CVE-2023-4206)

  - A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in     VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash     the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a     kernel information leak problem. (CVE-2023-4387)

  - A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in     the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with     normal user privilege to cause a denial of service due to a missing sanity check during cleanup.
    (CVE-2023-4459)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

OracleVM 3.4 : kernel-uek (OVMSA-2023-0023)

high Nessus Plugin ID 184349

Version 1.2

Version 1.1

Version 1.0

Version 1.0

Version 1.2 Dec 15, 2023, 2:39 PM CVSSv3 score source (changed from "CVE-2023-3776" to "CVE-2023-4206") Plugin Feed: 202312151439
Version 1.1 Nov 6, 2023, 2:53 PM Exploit attributes ("Exploit framework core" set to "True". "Exploited by malware" set to "True". "Exploit framework metasploit" set to "True") Plugin Feed: 202311061453
Version 1.0 Nov 3, 2023, 3:46 PM New Plugin Feed: 202311031546
Version 1.0 Nov 6, 2023, 1:01 PM Exploit attributes ("Exploit framework core" set to "True") Exploit attributes ("Exploit framework metasploit" set to "True") Exploit attributes ("Exploited by malware" set to "True") Plugin Feed: 202311061301