Detections
Analytics
TencentOS Server 2: kernel (TSSA-2023:0339)
high Nessus Plugin ID 238807
Synopsis
The remote TencentOS Server 2 host is missing one or more security updates.Description
The version of Tencent Linux installed on the remote TencentOS Server 2 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2023:0339 advisory.Package updates are available for TencentOS Server 2 that fix the following vulnerabilities:
CVE-2020-27820:
A vulnerability was found in Linux kernel, where a use-after-frees in nouveau/'s postclose() handler could happen if removing device (that is not common to remove video card physically without power-off, but same happens if unbind the driver).
CVE-2021-0920:
In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References:
Upstream kernel
CVE-2021-20321:
A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.
CVE-2021-22543:
An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation.
CVE-2021-38160:
** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:
the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior.
CVE-2021-38199:
fs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect connection-setup ordering, which allows operators of remote NFSv4 servers to cause a denial of service (hanging of mounts) by arranging for those servers to be unreachable during trunking detection.
CVE-2021-45868:
In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file.
CVE-2022-0617:
A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2.
CVE-2022-0850:
A vulnerability was found in linux kernel, where an information leak occurs via ext4_extent_header to userspace.
CVE-2022-20421:
In binder_inc_ref_for_node of binder.c, there is a possible way to corrupt memory due to a use after free.
This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
A-239630375References: Upstream kernel
CVE-2022-2196:
A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPBafter running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit2e7eab81425a
CVE-2022-2639:
An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVE-2022-29581:
Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.
CVE-2022-3567:
A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211090 is the identifier assigned to this vulnerability.
CVE-2022-3586:
A flaw was found in the Linux kernel's networking code. A use-after-free was found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of service.
CVE-2022-4129:
A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service.
CVE-2022-41858:
A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information.
CVE-2022-4378:
A stack overflow flaw was found in the Linux kernel/'s SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVE-2023-0045:
The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176.
We recommend upgrading past commita664ec9158eeddd75121d39c9a0758016097fa96
CVE-2023-0394:
A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash.
CVE-2023-1076:
A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters.
CVE-2023-20938:
In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-257685302References: Upstream kernel
CVE-2023-2513:
A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors.
CVE-2023-30456:
An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.
CVE-2023-31436:
qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
CVE-2023-32269:
An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use- after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability.
CVE-2023-35001:
Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace
CVE-2023-4128:
A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.
CVE-2022-0847:
A flaw was found in the way the flags member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.
CVE-2023-2269:
A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub- component.
Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.See Also
https://mirrors.tencent.com/tlinux/errata/tssa-20230244.xml
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27820
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0920
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20321
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22543
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38199
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45868
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0617
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20421
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2196
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2639
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29581
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3567
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3586
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41858
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4378
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0045
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0394
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1076
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20938
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31436
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35001
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2269
Plugin Details
Severity: High
ID: 238807
File Name: tencentos_TSSA_2023_0339.nasl
Version: 1.1
Type: local
Family: Tencent Local Security Checks
Published: 6/16/2025
Updated: 6/16/2025
Supported Sensors: Nessus
Vulnerability Information
CPE: cpe:/o:tencent:tencentos_server:2, p-cpe:/a:tencent:tencentos_server:kernel
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/etc/os-release, Host/TencentOS/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 5/6/2024
Vulnerability Publication Date: 5/6/2024