Detections
Analytics

TencentOS Server 2: kernel (TSSA-2023:0339)

high Nessus Plugin ID 238807

Synopsis

The remote TencentOS Server 2 host is missing one or more security updates.

Description

The version of Tencent Linux installed on the remote TencentOS Server 2 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2023:0339 advisory.

 Package updates are available for TencentOS Server 2 that fix the following vulnerabilities:

 CVE-2020-27820:
 A vulnerability was found in Linux kernel, where a use-after-frees in nouveau/'s postclose() handler could happen if removing device (that is not common to remove video card physically without power-off, but same happens if unbind the driver).

 CVE-2021-0920:
 In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References:
 Upstream kernel

 CVE-2021-20321:
 A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.

 CVE-2021-22543:
 An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation.

 CVE-2021-38160:
 ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:
 the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior.

 CVE-2021-38199:
 fs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect connection-setup ordering, which allows operators of remote NFSv4 servers to cause a denial of service (hanging of mounts) by arranging for those servers to be unreachable during trunking detection.

 CVE-2021-45868:
 In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file.

 CVE-2022-0617:
 A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2.

 CVE-2022-0850:
 A vulnerability was found in linux kernel, where an information leak occurs via ext4_extent_header to userspace.

 CVE-2022-20421:
 In binder_inc_ref_for_node of binder.c, there is a possible way to corrupt memory due to a use after free.
 This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
 A-239630375References: Upstream kernel

 CVE-2022-2196:
 A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPBafter running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit2e7eab81425a

 CVE-2022-2639:
 An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.

 CVE-2022-29581:
 Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.

 CVE-2022-3567:
 A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211090 is the identifier assigned to this vulnerability.

 CVE-2022-3586:
 A flaw was found in the Linux kernels networking code. A use-after-free was found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of service.

 CVE-2022-4129:
 A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service.

 CVE-2022-41858:
 A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information.

 CVE-2022-4378:
 A stack overflow flaw was found in the Linux kernel/'s SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system.

 CVE-2023-0045:
 The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176.

 We recommend upgrading past commita664ec9158eeddd75121d39c9a0758016097fa96

 CVE-2023-0394:
 A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash.

 CVE-2023-1076:
 A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters.

 CVE-2023-20938:
 In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-257685302References: Upstream kernel

 CVE-2023-2513:
 A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors.

 CVE-2023-30456:
 An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.

 CVE-2023-31436:
 qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.

 CVE-2023-32269:
 An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use- after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability.

 CVE-2023-35001:
 Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace

 CVE-2023-4128:
 A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.

 CVE-2022-0847:
 A flaw was found in the way the flags member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.

 CVE-2023-2269:
 A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub- component.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://mirrors.tencent.com/tlinux/errata/tssa-20230244.xml

Plugin Details

Severity: High

ID: 238807

File Name: tencentos_TSSA_2023_0339.nasl

Version: 1.3

Type: local

Published: 6/16/2025

Updated: 11/23/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.8

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-29581

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.4

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS Score Source: CVE-2022-2196

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 8.7

Threat Vector: CVSS:4.0/E:A

Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

CVSS Score Source: CVE-2021-22543

Vulnerability Information

CPE: cpe:/o:tencent:tencentos_server:2, p-cpe:/a:tencent:tencentos_server:kernel

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/etc/os-release, Host/TencentOS/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/6/2024

Vulnerability Publication Date: 5/6/2024

CISA Known Exploited Vulnerability Due Dates: 5/16/2022, 6/13/2022

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Dirty Pipe Local Privilege Escalation via CVE-2022-0847)

Reference Information

CVE: CVE-2020-27820, CVE-2021-0920, CVE-2021-20321, CVE-2021-22543, CVE-2021-38160, CVE-2021-38199, CVE-2021-45868, CVE-2022-0617, CVE-2022-0847, CVE-2022-0850, CVE-2022-20421, CVE-2022-2196, CVE-2022-2639, CVE-2022-29581, CVE-2022-3567, CVE-2022-3586, CVE-2022-4129, CVE-2022-41858, CVE-2022-4378, CVE-2023-0045, CVE-2023-0394, CVE-2023-1076, CVE-2023-20938, CVE-2023-2269, CVE-2023-2513, CVE-2023-30456, CVE-2023-31436, CVE-2023-32269, CVE-2023-35001