The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:1988 advisory.

  - In uvc_scan_chain_forward of uvc_driver.c, there is a possible linked list corruption due to an unusual     root cause. This could lead to local escalation of privilege in the kernel with no additional execution     privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-111893654References: Upstream kernel (CVE-2020-0404)

  - IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive     information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296.
    (CVE-2020-4788)

  - An issue was discovered in the Linux kernel 4.4 through 5.7.1. drivers/tty/vt/keyboard.c has an integer     overflow if k_ascii is called several times in a row, aka CID-b86dab054059. NOTE: Members in the community     argue that the integer overflow does not lead to a security issue in this case. (CVE-2020-13974)

  - A vulnerability was found in Linux kernel, where a use-after-frees in nouveau's postclose() handler could     happen if removing device (that is not common to remove video card physically without power-off, but same     happens if unbind the driver). (CVE-2020-27820)

  - In bpf_skb_change_head of filter.c, there is a possible out of bounds read due to a use after free. This     could lead to local escalation of privilege with System execution privileges needed. User interaction is     not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-154177719References:
    Upstream kernel (CVE-2021-0941)

  - An out-of-bounds memory write flaw was found in the Linux kernel's joystick devices subsystem in versions     before 5.9-rc1, in the way the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to crash the     system or possibly escalate their privileges on the system. The highest threat from this vulnerability is     to confidentiality, integrity, as well as system availability. (CVE-2021-3612)

  - An out-of-bounds (OOB) memory read flaw was found in the Qualcomm IPC router protocol in the Linux kernel.
    A missing sanity check allows a local attacker to gain access to out-of-bounds memory, leading to a system     crash or a leak of internal kernel information. The highest threat from this vulnerability is to system     availability. (CVE-2021-3743)

  - A memory leak flaw was found in the Linux kernel in the ccp_run_aes_gcm_cmd() function in     drivers/crypto/ccp/ccp-ops.c, which allows attackers to cause a denial of service (memory consumption).
    This vulnerability is similar with the older CVE-2019-18808. (CVE-2021-3744)

  - A use-after-free flaw was found in the Linux kernel's Bluetooth subsystem in the way user calls connect to     the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the     system or escalate their privileges. The highest threat from this vulnerability is to confidentiality,     integrity, as well as system availability. (CVE-2021-3752)

  - A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP     association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and     the attacker can send packets with spoofed IP addresses. (CVE-2021-3772)

  - A flaw in netfilter could allow a network-connected attacker to infer openvpn connection endpoint     information for further use in traditional network attacks. (CVE-2021-3773)

  - A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some     regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the     memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)

  - A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket     file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race     condition. This flaw allows a local user to crash the system or escalate their privileges on the system.
    This flaw affects Linux kernel versions prior to 5.16-rc4. (CVE-2021-4083)

  - An out of memory bounds write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in     the way users use mirroring (replication of files with NFS). A user, having access to the NFS mount, could     potentially use this flaw to crash the system or escalate privileges on the system. (CVE-2021-4157)

  - An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces     subsystem was found in the way users have access to some less privileged process that are controlled by     cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of     control groups. A local user could use this flaw to crash the system or escalate their privileges on the     system. (CVE-2021-4197)

  - A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and     SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a     user privileges may crash the system or leak internal kernel information. (CVE-2021-4203)

  - A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux     kernel functionality was found to allow the ability to quickly scan open UDP ports. This flaw allows an     off-path remote user to effectively bypass the source port UDP randomization. The highest threat from this     vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source     port randomization are indirectly affected as well. (CVE-2021-20322)

  - An information disclosure vulnerability exists in the ARM SIGPAGE functionality of Linux Kernel v5.4.66     and v5.4.54. The latest version (5.11-rc4) seems to still be vulnerable. A userland application can read     the contents of the sigpage, which can leak kernel memory contents. An attacker can read a process's     memory at a specific offset to trigger this vulnerability. This was fixed in kernel releases: 4.14.222     4.19.177 5.4.99 5.10.17 5.11 (CVE-2021-21781)

  - LFENCE/JMP (mitigation V2-2) may not sufficiently mitigate CVE-2017-5715 on some AMD CPUs.
    (CVE-2021-26401)

  - BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements,     allowing them to execute arbitrary code within the kernel context. This affects     arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)

  - hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev     without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.
    (CVE-2021-37159)

  - prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel before 5.14.12 allows     unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds     write. (CVE-2021-41864)

  - A heap-based buffer overflow flaw was found in the Linux kernel FireDTV media card driver, where the user     calls the CA_SEND_MSG ioctl. This flaw allows a local user of the host machine to crash the system or     escalate privileges on the system. The highest threat from this vulnerability is to confidentiality,     integrity, as well as system availability. (CVE-2021-42739)

  - An issue was discovered in the Linux kernel for powerpc before 5.14.15. It allows a malicious KVM guest to     crash the host, when the host is running on Power8, due to an arch/powerpc/kvm/book3s_hv_rmhandlers.S     implementation bug in the handling of the SRR1 register values. (CVE-2021-43056)

  - An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in     the detach_capi_ctr function in drivers/isdn/capi/kcapi.c. (CVE-2021-43389)

  - In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows     an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).
    (CVE-2021-43976)

  - A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11.
    This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory     object. (CVE-2021-44733)

  - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information     leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based     attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)

  - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak     because the hash table is very small. (CVE-2021-45486)

  - Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may     allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-0001)

  - Non-transparent sharing of branch predictor within a context in some Intel(R) Processors may allow an     authorized user to potentially enable information disclosure via local access. (CVE-2022-0002)

  - A flaw was found in the Linux kernel. A null pointer dereference in bond_ipsec_add_sa() may lead to local     denial of service. (CVE-2022-0286)

  - A flaw was found in the sctp_make_strreset_req function in net/sctp/sm_make_chunk.c in the SCTP network     protocol in the Linux kernel with a local user privilege access. In this flaw, an attempt to use more     buffer than is allocated triggers a BUG_ON issue, leading to a denial of service (DOS). (CVE-2022-0322)

  - A use-after-free flaw was found in the Linux kernel's FUSE filesystem in the way a user triggers write().
    This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in     privilege escalation. (CVE-2022-1011)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-039 advisory.

    Amazon Linux has been made aware of a potential Branch Target Injection (BTI) issue (sometimes referred to     as Spectre variant 2). This is a known cross-domain transient execution attack where a third party may     seek to cause a disclosure gadget to be speculatively executed after an indirect branch prediction.
    Generally, actors who attempt transient execution attacks do not have access to the data on the hosts they     attempt to access (e.g. where privilege-level isolation is in place). For such attacks to succeed, actors     need to be able to run code on the (virtual) machine hosting the data in which they are interested.

    To mitigate this issue, Amazon Linux recommends that customers disable unprivileged eBPF.  This     configuration, having the unprivileged eBPF disabled, is the current default for most Linux distributions     and as of this advisory, is also the default for all Amazon Linux kernels.

    Specific mitigations for various CPUs are listed below.

    Intel CPUs:For Intel CPUs, this applies to all instance types that have CPUs with eIBRS support. They     are:*6i* (all sizes), c5d.metal, c5.metal, g4dn.metal, i3en.metal, m5*.metal, r5*.metal

    Vectors outside of unprivileged eBPF are not currently known, and Intel recommends disabling unprivileged     BPF, as mentioned above. However, optionally enabling spectre_v2=eibrs,lfence on Linux kernel command     line on the instance types mentioned above, would provide additional protection.

    AMD CPUs:As part of the investigation triggered by this issue, AMD now recommends using a different     software mitigation inside the Linux kernel, which the Amazon Linux kernel is enabling by default. This     means that the Linux kernel will use the generic retpoline software mitigation, instead of the specialized     AMD one, on AMD instances (*5a*). This is done by default, and no administrator action is needed.

    ARM CPUs:The Amazon Linux kernel now enables, by default, a software mitigation for this issue, on all     ARM-based EC2 instance types.

    Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may     allow an authorized user to potentially enable information disclosure. (CVE-2022-0001)

    Non-transparent sharing of branch predictor within a context in some Intel(r) Processors may allow an     authorized user to potentially enable information disclosure via local access. (CVE-2022-0002)

    A flaw was found in the way the flags member of the new pipe buffer structure was lacking proper     initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus     contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache     backed by read only files and as such escalate their privileges on the system. (CVE-2022-0847)References     to CVE-2021-26401, CVE-2021-26341, CVE-2022-23960 and CVE-2022-1055 have been added after the original     release of this advisory, however those vulnerabilities were fixed by the packages referenced by this     advisory's initial release on 2022-03-07

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:1408-1 advisory.

  - LFENCE/JMP (mitigation V2-2) may not sufficiently mitigate CVE-2017-5715 on some AMD CPUs.
    (CVE-2021-26401)

  - Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may     allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-0001)

  - Non-transparent sharing of branch predictor within a context in some Intel(R) Processors may allow an     authorized user to potentially enable information disclosure via local access. (CVE-2022-0002)

  - Racy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode     done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing     log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while     another CPU is still in the process of tearing down the structures related to a previously enabled log     dirty mode (XEN_DOMCTL_SHADOW_OP_OFF). This is due to lack of mutually exclusive locking between both     operations and can lead to entries being added in already freed slots, resulting in a memory leak.
    (CVE-2022-26356)

  - race in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only     less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore     internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping     structures has a race, allowing for VT-d domain IDs to be leaked and flushes to be bypassed.
    (CVE-2022-26357)

  - IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple     CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a     system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, RMRR)     for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as     legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with     such a region is active, the mappings of these regions need to remain continuouly accessible by the     device. This requirement has been violated. Subsequent DMA or interrupts from the device may have     unpredictable behaviour, ranging from IOMMU faults to memory corruption. (CVE-2022-26358, CVE-2022-26359,     CVE-2022-26360, CVE-2022-26361)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-4929:03 advisory.

    * kernel: memory corruption in AX88179_178A based USB ethernet device. (CVE-2022-2964)
      * hw: cpu: LFENCE/JMP Mitigation Update for CVE-2017-5715 (CVE-2021-26401)

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
161093	AlmaLinux 8 : kernel (ALSA-2022:1988)	Nessus	Alma Linux Local Security Checks	5/12/2022	5/18/2022	critical
164727	Amazon Linux 2022 : bpftool, kernel, kernel-devel (ALAS2022-2022-039)	Nessus	Amazon Linux Local Security Checks	9/6/2022	2/24/2026	high
160220	SUSE SLES12 Security Update : xen (SUSE-SU-2022:1408-1)	Nessus	SuSE Local Security Checks	4/27/2022	7/13/2023	high
292907	MiracleLinux 7 : kernel-3.10.0-1160.83.1.el7 (AXSA:2023-4929:03)	Nessus	Miracle Linux Local Security Checks	1/20/2026	1/20/2026	high

Detections

Analytics

Plugins Search

critical

high

high

high