Detections
Analytics

Alibaba Cloud Linux 3 : 0158: cloud-kernel bugfix, enhancement and (ALINUX3-SA-2022:0158)

high Nessus Plugin ID 236488

Synopsis

The remote Alibaba Cloud Linux host is missing one or more security updates.

Description

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2022:0158 advisory.

 Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

 CVE-2021-33655:
 When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds.

 CVE-2021-33656:
 When setting font with malicous data by ioctl cmd PIO_FONT,kernel will write memory out of bounds.

 CVE-2022-0494:
 A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or CAP_SYS_RAWIO) to create issues with confidentiality.

 CVE-2022-0500:
 A flaw was found in unrestricted eBPF usage by the BPF_BTF_LOAD, leading to a possible out-of-bounds memory write in the Linux kernels BPF subsystem due to the way a user loads BTF. This flaw allows a local user to crash or escalate their privileges on the system.

 CVE-2022-1012:
 A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow an attacker to information leak and may cause a denial of service problem.

 CVE-2022-1184:
 A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernels filesystem sub-component. This flaw allows a local attacker with a user privilege to cause a denial of service.

 CVE-2022-1462:
 An out-of-bounds read flaw was found in the Linux kernels TeleTYpe subsystem. The issue occurs in how a user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read unauthorized random data from memory.

 CVE-2022-1652:
 Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a concurrency use-after-free flaw in the bad_flp_intr function. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.

 CVE-2022-1729:
 A use-after-free flaw was found in the Linux kernels performance events functionality. A user triggers a race condition in setting up performance monitoring between the leading PERF_TYPE_TRACEPOINT and sub PERF_EVENT_HARDWARE plus the PERF_EVENT_SOFTWARE using the perf_event_open() function with these three types. This flaw allows a local user to crash the system.

 CVE-2022-1734:
 A flaw in Linux Kernel found in nfcmrvl_nci_unregister_dev() in drivers/nfc/nfcmrvl/main.c can lead to use after free both read or write when non synchronized between cleanup routine and firmware download routine.

 CVE-2022-1786:
 A use-after-free flaw was found in the Linux kernels io_uring subsystem in the way a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring. This flaw allows a local user to crash or escalate their privileges on the system.

 CVE-2022-1789:
 With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.

 CVE-2022-1836:
 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2022-33981. Reason: This candidate is a reservation duplicate of CVE-2022-33981. Notes: All CVE users should reference CVE-2022-33981 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

 CVE-2022-1966:
 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2022-32250. Reason: This candidate is a duplicate of CVE-2022-32250. Notes: All CVE users should reference CVE-2022-32250 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

 CVE-2022-1972:
 CVE-2022-1972 is duplicate of CVE-2022-2078, so please consider CVE-2022-2078 instead.

 CVE-2022-1974:
 A use-after-free flaw was found in the Linux kernel's NFC core functionality due to a race condition between kobject creation and delete. This vulnerability allows a local attacker with CAP_NET_ADMIN privilege to leak kernel information.

 CVE-2022-1975:
 No description is available for this CVE.

 CVE-2022-2078:
 A vulnerability was found in the Linux kernel's nft_set_desc_concat_parse() function .This flaw allows an attacker to trigger a buffer overflow via nft_set_desc_concat_parse() , causing a denial of service and possibly to run code.

 CVE-2022-21123:
 Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

 CVE-2022-21125:
 Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

 CVE-2022-21166:
 Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

 CVE-2022-21499:
 KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown.
 An attacker with access to a serial port could trigger the debugger so it is important that the debugger respect the lockdown mode when/if it is triggered. CVSS 3.1 Base Score 6.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

 CVE-2022-21505:
 A bug in the IMA subsystem was discovered which would incorrectly allow kexec to be used when kernel lockdown was enabled

 CVE-2022-2153:
 A flaw was found in the Linux kernels KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.

 CVE-2022-2318:
 There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges.

 CVE-2022-23816:
 A flaw was found in hw. Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.

 CVE-2022-2503:
 Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates.

 CVE-2022-2586:
 A use-after-free flaw was found in nf_tables cross-table in the net/netfilter/nf_tables_api.c function in the Linux kernel. This flaw allows a local, privileged attacker to cause a use-after-free problem at the time of table deletion, possibly leading to local privilege escalation.

 CVE-2022-2588:
 A use-after-free flaw was found in route4_change in the net/sched/cls_route.c filter implementation in the Linux kernel. This flaw allows a local user to crash the system and possibly lead to a local privilege escalation problem.

 CVE-2022-26365:
 Linux disk/nic frontends data leaks [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740).
 Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

 CVE-2022-2639:
 An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.

 CVE-2022-28893:
 The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.

 CVE-2022-29581:
 Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.

 CVE-2022-2959:
 A race condition was found in the Linux kernel's watch queue due to a missing lock in pipe_resize_ring().
 The specific flaw exists within the handling of pipe buffers. The issue results from the lack of proper locking when performing operations on an object. This flaw allows a local user to crash the system or escalate their privileges on the system.

 CVE-2022-2978:
 A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.

 CVE-2022-29900:
 Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.

 CVE-2022-29901:
 Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.

 CVE-2022-32250:
 net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.

 CVE-2022-32296:
 The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used.

 CVE-2022-32981:
 An issue was discovered in the Linux kernel through 5.18.3 on powerpc 32-bit platforms. There is a buffer overflow in ptrace PEEKUSER and POKEUSER (aka PEEKUSR and POKEUSR) when accessing floating point registers.

 CVE-2022-33740:
 Linux disk/nic frontends data leaks [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740).
 Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

 CVE-2022-33741:
 Linux disk/nic frontends data leaks [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740).
 Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

 CVE-2022-33742:
 Linux disk/nic frontends data leaks [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740).
 Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

 CVE-2022-33743:
 network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed.

 CVE-2022-33744:
 Linux disk/nic frontends data leaks [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740).
 Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

 CVE-2022-33981:
 drivers/block/floppy.c in the Linux kernel before 5.17.6 is vulnerable to a denial of service, because of a concurrency use-after-free flaw after deallocating raw_cmd in the raw_cmd_ioctl function.

 CVE-2022-34918:
 An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.

 CVE-2022-36123:
 The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges.

 CVE-2022-36879:
 An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice.

 CVE-2022-36946:
 nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://mirrors.aliyun.com/alinux/3/cve/alinux3-sa-20220158.xml

Plugin Details

Severity: High

ID: 236488

File Name: alinux3_sa_2022-0158.nasl

Version: 1.1

Type: local

Published: 5/14/2025

Updated: 5/14/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.7

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-34918

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS Score Source: CVE-2022-1012

Vulnerability Information

CPE: p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug-core, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-tools, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug-debuginfo, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-modules-extra, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:bpftool, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:perf-debuginfo, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-tools-libs, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug-modules, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debuginfo, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debuginfo-common-aarch64, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-devel, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-headers, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug-modules-internal, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debuginfo-common-x86_64, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:bpftool-debuginfo, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:python3-perf, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug-devel, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-tools-libs-devel, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug-modules-extra, cpe:/o:alibabacloud:alibaba_cloud_linux_3, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:perf, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-tools-debuginfo, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-modules, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-core, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-modules-internal, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:python3-perf-debuginfo

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Alibaba/release, Host/Alibaba/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/8/2022

Vulnerability Publication Date: 7/21/2021

CISA Known Exploited Vulnerability Due Dates: 7/17/2024

Reference Information

CVE: CVE-2021-33655, CVE-2021-33656, CVE-2022-0494, CVE-2022-0500, CVE-2022-1012, CVE-2022-1184, CVE-2022-1462, CVE-2022-1652, CVE-2022-1729, CVE-2022-1734, CVE-2022-1786, CVE-2022-1789, CVE-2022-1836, CVE-2022-1966, CVE-2022-1972, CVE-2022-1974, CVE-2022-1975, CVE-2022-2078, CVE-2022-21123, CVE-2022-21125, CVE-2022-21166, CVE-2022-21499, CVE-2022-21505, CVE-2022-2153, CVE-2022-2318, CVE-2022-23816, CVE-2022-2503, CVE-2022-2586, CVE-2022-2588, CVE-2022-26365, CVE-2022-2639, CVE-2022-28893, CVE-2022-29581, CVE-2022-2959, CVE-2022-2978, CVE-2022-29900, CVE-2022-29901, CVE-2022-32250, CVE-2022-32296, CVE-2022-32981, CVE-2022-33740, CVE-2022-33741, CVE-2022-33742, CVE-2022-33743, CVE-2022-33744, CVE-2022-33981, CVE-2022-34918, CVE-2022-36123, CVE-2022-36879, CVE-2022-36946