The remote NewStart CGSL host, running version MAIN 7.02, has kernel packages installed that are affected by multiple vulnerabilities:

  - In the Linux kernel, the following vulnerability has been resolved: smack: tcp: ipv4, fix incorrect     labeling Currently, Smack mirrors the label of incoming tcp/ipv4 connections: when a label 'foo' connects     to a label 'bar' with tcp/ipv4, 'foo' always gets 'foo' in returned ipv4 packets. So, 1) returned packets     are incorrectly labeled ('foo' instead of 'bar') 2) 'bar' can write to 'foo' without being authorized to     write. Here is a scenario how to see this: * Take two machines, let's call them C and S, with active Smack     in the default state (no settings, no rules, no labeled hosts, only builtin labels) * At S, add Smack rule     'foo bar w' (labels 'foo' and 'bar' are instantiated at S at this moment) * At S, at label 'bar', launch a     program that listens for incoming tcp/ipv4 connections * From C, at label 'foo', connect to the listener     at S. (label 'foo' is instantiated at C at this moment) Connection succeedes and works. * Send some data     in both directions. * Collect network traffic of this connection. All packets in both directions are     labeled with the CIPSO of the label 'foo'. Hence, label 'bar' writes to 'foo' without being authorized,     and even without ever being known at C. If anybody cares: exactly the same happens with DCCP. This     behavior 1st manifested in release 2.6.29.4 (see Fixes below) and it looks unintentional. At least, no     explanation was provided. I changed returned packes label into the 'bar', to bring it into line with the     Smack documentation claims. (CVE-2024-47659)

  - In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Fix kernel crash     on receiver USB disconnect hidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU) races     when it races with itself. hidpp_connect_event() primarily runs from a workqueue but it also runs on     probe() and if a device-connected packet is received by the hw when the thread running     hidpp_connect_event() from probe() is waiting on the hw, then a second thread running     hidpp_connect_event() will be started from the workqueue. This opens the following races (note the below     code is simplified): 1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) {     hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; } We can actually see     this race hit in the dmesg in the abrt output attached to rhbz#2227968: [ 3064.624215] logitech-hidpp-     device 0003:046D:4071.0049: HID++ 4.5 device connected. [ 3064.658184] logitech-hidpp-device     0003:046D:4071.0049: HID++ 4.5 device connected. Testing with extra logging added has shown that after     this the 2 threads take turn grabbing the hw access mutex (send_mutex) so they ping-pong through all the     other TOCTOU cases managing to hit all of them: 2. Updating the name to the HIDPP name (harmless race): if     (hidpp->name == hdev->name) { ... hidpp->name = new_name; } 3. Initializing the power_supply class for the     battery (problematic!): hidpp_initialize_battery() { if (hidpp->battery.ps) return 0; probe_battery(); /*     Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev,     hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps =     devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); } 4. Creating delayed     input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input =     hidpp_allocate_input(hdev); The really big problem here is 3. Hitting the race leads to the following     sequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);
    hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ...
    hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);
    hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); So now we     have registered 2 power supplies for the same battery, which looks a bit weird from userspace's pov but     this is not even the really big problem. Notice how: 1. This is all devm-maganaged 2. The     hidpp->battery.desc struct is shared between the 2 power supplies 3. hidpp->battery.desc.properties points     to the result from the second devm_kmemdup() This causes a use after free scenario on USB disconnect of     the receiver: 1. The last registered power supply class device gets unregistered 2. The memory from the     last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory 3. The     first registered power supply class device gets unregistered, this involves sending a remove uevent to     userspace which invokes power_supply_uevent() to fill the uevent data 4. power_supply_uevent() uses     hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one: Sep     22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08 ... Sep 22     20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event Sep 22 20:01:35 eric kernel: RIP:
    0010:power_supply_uevent+0xee/0x1d0 ... Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30 Sep 22     20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0 Sep 22 20:01:35 eric kernel: ?     power_supply_uevent+0x10d/0x1d0 Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0 Sep 22 20:01:35 eric     kernel: kobject_uevent_env+0x291/0x680 Sep 22 20:01:35 eric kernel: ---truncated--- (CVE-2023-52478)

  - In the Linux kernel, the following vulnerability has been resolved: clk: sunxi-ng: h6: Reparent CPUX     during PLL CPUX rate change While PLL CPUX clock rate change when CPU is running from it works in vast     majority of cases, now and then it causes instability. This leads to system crashes and other undefined     behaviour. After a lot of testing (30+ hours) while also doing a lot of frequency switches, we can't     observe any instability issues anymore when doing reparenting to stable clock like 24 MHz oscillator.
    (CVE-2023-52882)

  - In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: enhanced error     handling for tightly received RTS messages in xtp_rx_rts_session_new This patch enhances error handling in     scenarios with RTS (Request to Send) messages arriving closely. It replaces the less informative     WARN_ON_ONCE backtraces with a new error handling method. This provides clearer error messages and allows     for the early termination of problematic sessions. Previously, sessions were only released at the end of     j1939_xtp_rx_rts(). Potentially this could be reproduced with something like: testj1939 -r vcan0:0x80 &     while true; do # send first RTS cansend vcan0 18EC8090#1014000303002301; # send second RTS cansend vcan0     18EC8090#1014000303002301; # send abort cansend vcan0 18EC8090#ff00000000002301; done (CVE-2023-52887)

  - In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Only free     buffer VA that is not NULL In the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly called     only when the buffer to free exists, there are some instances that didn't do the check and triggered     warnings in practice. We believe those checks were forgotten unintentionally. Add the checks back to fix     the warnings. (CVE-2023-52888)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Plugins Search

high