An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
{"redhatcve": [{"lastseen": "2023-12-03T20:50:02", "description": "A vulnerability was found in Linux kernel. Where the WiFi implementations accept plaintext frames in a protected WiFi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.\n#### Mitigation\n\nMitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. \n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-19T00:26:32", "type": "redhatcve", "title": "CVE-2020-26140", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26140"], "modified": "2023-04-06T07:43:20", "id": "RH:CVE-2020-26140", "href": "https://access.redhat.com/security/cve/cve-2020-26140", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "ubuntucve": [{"lastseen": "2023-12-05T13:58:30", "description": "An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for\nAWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext\nframes in a protected Wi-Fi network. An adversary can abuse this to inject\narbitrary data frames independent of the network configuration.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-11T00:00:00", "type": "ubuntucve", "title": "CVE-2020-26140", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26140"], "modified": "2021-05-11T00:00:00", "id": "UB:CVE-2020-26140", "href": "https://ubuntu.com/security/CVE-2020-26140", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "veracode": [{"lastseen": "2022-09-03T06:53:18", "description": "kernel is vulnerable to packet injection. The vulnerability exists due to the WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-17T22:37:25", "type": "veracode", "title": "Packet Injection", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26140"], "modified": "2022-09-03T05:16:27", "id": "VERACODE:33008", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-33008/summary", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "debiancve": [{"lastseen": "2023-05-27T15:14:31", "description": "An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-11T20:15:00", "type": "debiancve", "title": "CVE-2020-26140", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26140"], "modified": "2021-05-11T20:15:00", "id": "DEBIANCVE:CVE-2020-26140", "href": "https://security-tracker.debian.org/tracker/CVE-2020-26140", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2023-10-31T17:29:37", "description": "An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.\n\nThis plugin only works with Tenable.ot.\nPlease visit https://www.tenable.com/products/tenable-ot for more information.", "cvss3": {}, "published": "2023-04-11T00:00:00", "type": "nessus", "title": "Siemens SCALANCE FragAttacks (CVE-2020-26140)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-26140"], "modified": "2023-10-19T00:00:00", "cpe": ["cpe:/o:siemens:scalance_w721-1_firmware:-::~~~~rj45~", "cpe:/o:siemens:scalance_w722-1_firmware:-::~~~~rj45~", "cpe:/o:siemens:scalance_w734-1_firmware:-::~~~~rj45~", "cpe:/o:siemens:scalance_w738-1_firmware:-::~~~~m12~", "cpe:/o:siemens:scalance_w748-1_firmware:-::~~~~m12~", "cpe:/o:siemens:scalance_w748-1_firmware:-::~~~~rj45~", "cpe:/o:siemens:scalance_w761-1_firmware:-::~~~~rj45~", "cpe:/o:siemens:scalance_w774-1_firmware:-::~~~~m12_eec~", "cpe:/o:siemens:scalance_w774-1_firmware:-::~~~~rj45~", "cpe:/o:siemens:scalance_w778-1_firmware:-::~~~~m12_eec~", "cpe:/o:siemens:scalance_w778-1_firmware:-::~~~~m12~", "cpe:/o:siemens:scalance_w786-1_firmware:-::~~~~rj45~", "cpe:/o:siemens:scalance_w786-2_firmware:-::~~~~rj45~", "cpe:/o:siemens:scalance_w786-2_firmware:-::~~~~sfp~", "cpe:/o:siemens:scalance_w786-2ia_firmware:-::~~~~rj45~", "cpe:/o:siemens:scalance_w788-1_firmware:-::~~~~m12~", "cpe:/o:siemens:scalance_w788-1_firmware:-::~~~~rj45~", "cpe:/o:siemens:scalance_w788-2_firmware:-::~~~~m12_eec~", "cpe:/o:siemens:scalance_w788-2_firmware:-::~~~~m12~", "cpe:/o:siemens:scalance_w788-2_firmware:-::~~~~rj45~"], "id": "TENABLE_OT_SIEMENS_CVE-2020-26140.NASL", "href": "https://www.tenable.com/plugins/ot/500973", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(500973);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/19\");\n\n script_cve_id(\"CVE-2020-26140\");\n\n script_name(english:\"Siemens SCALANCE FragAttacks (CVE-2020-26140)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote OT asset is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for\nAWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept\nplaintext frames in a protected Wi-Fi network. An adversary can abuse\nthis to inject arbitrary data frames independent of the network\nconfiguration.\n\nThis plugin only works with Tenable.ot.\nPlease visit https://www.tenable.com/products/tenable-ot for more information.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.fragattacks.com\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.openwall.com/lists/oss-security/2021/05/11/12\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1eb2468b\");\n # https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?839210e5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Refer to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-26140\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w721-1_firmware:-::~~~~rj45~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w722-1_firmware:-::~~~~rj45~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w734-1_firmware:-::~~~~rj45~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w738-1_firmware:-::~~~~m12~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w748-1_firmware:-::~~~~m12~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w748-1_firmware:-::~~~~rj45~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w761-1_firmware:-::~~~~rj45~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w774-1_firmware:-::~~~~m12_eec~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w774-1_firmware:-::~~~~rj45~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w778-1_firmware:-::~~~~m12_eec~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w778-1_firmware:-::~~~~m12~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w786-1_firmware:-::~~~~rj45~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w786-2_firmware:-::~~~~rj45~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w786-2_firmware:-::~~~~sfp~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w786-2ia_firmware:-::~~~~rj45~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w788-1_firmware:-::~~~~m12~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w788-1_firmware:-::~~~~rj45~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w788-2_firmware:-::~~~~m12_eec~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w788-2_firmware:-::~~~~m12~\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w788-2_firmware:-::~~~~rj45~\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"former\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Tenable.ot\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"tenable_ot_api_integration.nasl\");\n script_require_keys(\"Tenable.ot/Siemens\");\n\n exit(0);\n}\n\n\ninclude('tenable_ot_cve_funcs.inc');\n\nget_kb_item_or_exit('Tenable.ot/Siemens');\n\nvar asset = tenable_ot::assets::get(vendor:'Siemens');\n\nvar vuln_models = {\n \"SCALANCE W721-1 RJ45\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W722-1 RJ45\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W734-1 RJ45\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W738-1 M12\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W748-1 M12\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W761-1 RJ45\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W774-1 M12 EEC\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W774-1 RJ45\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W778-1 M12\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W778-1 M12 EEC\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W786-1 RJ45\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W786-2 RJ45\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W786-2 SFP\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W786-2IA RJ45\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W788-1 M12\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W788-1 RJ45\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W788-2 M12\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W788-2 M12 EEC\" :\n {\"family\" : \"SCALANCEW\"},\n \"SCALANCE W788-2 RJ45\" :\n {\"family\" : \"SCALANCEW\"}\n};\n\ntenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_models, severity:SECURITY_NOTE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:19", "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - In the nl80211_policy policy of nl80211.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not required for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-119770583 (CVE-2020-27068)\n\n - A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.\n This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space (CVE-2021-22555)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - net/nfc/llcp_sock.c in the Linux kernel before 5.12.10 allows local unprivileged users to cause a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call. (CVE-2021-38208)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-2663)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26145", "CVE-2020-26147", "CVE-2020-27068", "CVE-2021-22555", "CVE-2021-3715", "CVE-2021-38160", "CVE-2021-38208"], "modified": "2023-02-09T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-2663.NASL", "href": "https://www.tenable.com/plugins/nessus/155142", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155142);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/09\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26142\",\n \"CVE-2020-26143\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2020-27068\",\n \"CVE-2021-3715\",\n \"CVE-2021-22555\",\n \"CVE-2021-38160\",\n \"CVE-2021-38208\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"EulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-2663)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and\n WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to\n inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat\n fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,\n independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and\n WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can\n abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - In the nl80211_policy policy of nl80211.c, there is a possible out of bounds read due to a missing bounds\n check. This could lead to local information disclosure with System execution privileges needed. User\n interaction is not required for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-119770583 (CVE-2020-27068)\n\n - A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.\n This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name\n space (CVE-2021-22555)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss\n can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the\n length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - net/nfc/llcp_sock.c in the Linux kernel before 5.12.10 allows local unprivileged users to cause a denial\n of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure\n of a bind call. (CVE-2021-38208)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2663\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a8fe6273\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-27068\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Netfilter x_tables Heap OOB Write Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"kernel-3.10.0-862.14.1.5.h631.eulerosv2r7\",\n \"kernel-devel-3.10.0-862.14.1.5.h631.eulerosv2r7\",\n \"kernel-headers-3.10.0-862.14.1.5.h631.eulerosv2r7\",\n \"kernel-tools-3.10.0-862.14.1.5.h631.eulerosv2r7\",\n \"kernel-tools-libs-3.10.0-862.14.1.5.h631.eulerosv2r7\",\n \"perf-3.10.0-862.14.1.5.h631.eulerosv2r7\",\n \"python-perf-3.10.0-862.14.1.5.h631.eulerosv2r7\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-04T15:19:34", "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)\n\n - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small. (CVE-2021-45486)\n\n - A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.\n (CVE-2022-0492)\n\n - A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2. (CVE-2022-0617)\n\n - An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor. (CVE-2022-24448)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-04-11T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP8 : kernel (EulerOS-SA-2022-1366)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2021-4002", "CVE-2021-4159", "CVE-2021-45485", "CVE-2021-45486", "CVE-2022-0492", "CVE-2022-0617", "CVE-2022-24448"], "modified": "2023-11-02T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:bpftool", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:python3-perf", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2022-1366.NASL", "href": "https://www.tenable.com/plugins/nessus/159627", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159627);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/02\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26142\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2021-4002\",\n \"CVE-2021-4159\",\n \"CVE-2021-45485\",\n \"CVE-2021-45486\",\n \"CVE-2022-0492\",\n \"CVE-2022-0617\",\n \"CVE-2022-24448\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"EulerOS 2.0 SP8 : kernel (EulerOS-SA-2022-1366)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and\n WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to\n inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat\n fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,\n independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and\n WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can\n abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042\n (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations\n reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate\n selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the\n WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by\n design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some\n regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the\n memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)\n\n - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information\n leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based\n attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak\n because the hash table is very small. (CVE-2021-45486)\n\n - A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the\n kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups\n v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.\n (CVE-2022-0492)\n\n - A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way\n user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw\n to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2. (CVE-2022-0617)\n\n - An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the\n O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a\n regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file\n descriptor. (CVE-2022-24448)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1366\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ee40d610\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-0492\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python3-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"bpftool-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\",\n \"kernel-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\",\n \"kernel-devel-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\",\n \"kernel-headers-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\",\n \"kernel-tools-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\",\n \"kernel-tools-libs-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\",\n \"perf-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\",\n \"python-perf-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\",\n \"python3-perf-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-29T19:35:04", "description": "The remote OracleVM system is missing necessary patches to address security updates:\n\n - In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a Buffer Overflow. (CVE-2019-17133)\n\n - In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to a right data structure. (CVE-2019-19448)\n\n - An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)\n\n - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter. (CVE-2020-12114)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-173843328References: Upstream kernel (CVE-2021-0512)\n\n - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)\n\n - A flaw was found in the Routing decision classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition.\n This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3715)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13. (CVE-2021-40490)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-09-23T00:00:00", "type": "nessus", "title": "OracleVM 3.4 : kernel-uek (OVMSA-2021-0031)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17133", "CVE-2019-19448", "CVE-2019-3900", "CVE-2020-12114", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2021-0512", "CVE-2021-3655", "CVE-2021-3715", "CVE-2021-38160", "CVE-2021-40490"], "modified": "2023-11-29T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware", "cpe:/o:oracle:vm_server:3.4"], "id": "ORACLEVM_OVMSA-2021-0031.NASL", "href": "https://www.tenable.com/plugins/nessus/153582", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were\n# extracted from OracleVM Security Advisory OVMSA-2021-0031.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153582);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/29\");\n\n script_cve_id(\n \"CVE-2019-3900\",\n \"CVE-2019-17133\",\n \"CVE-2019-19448\",\n \"CVE-2020-12114\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26142\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2021-0512\",\n \"CVE-2021-3655\",\n \"CVE-2021-3715\",\n \"CVE-2021-38160\",\n \"CVE-2021-40490\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"OracleVM 3.4 : kernel-uek (OVMSA-2021-0031)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote OracleVM host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote OracleVM system is missing necessary patches to address security updates:\n\n - In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a\n long SSID IE, leading to a Buffer Overflow. (CVE-2019-17133)\n\n - In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some\n operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in\n fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to\n a right data structure. (CVE-2019-19448)\n\n - An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including\n v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster\n than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the\n vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)\n\n - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before\n 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a\n denial of service (panic) by corrupting a mountpoint reference counter. (CVE-2020-12114)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and\n WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to\n inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat\n fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,\n independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and\n WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can\n abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042\n (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations\n reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate\n selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the\n WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by\n design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to\n a heap buffer overflow. This could lead to local escalation of privilege with no additional execution\n privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android\n kernelAndroid ID: A-173843328References: Upstream kernel (CVE-2021-0512)\n\n - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on\n inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)\n\n - A flaw was found in the Routing decision classifier in the Linux kernel's Traffic Control networking\n subsystem in the way it handled changing of classification filters, leading to a use-after-free condition.\n This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat\n from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3715)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss\n can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the\n length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in\n the Linux kernel through 5.13.13. (CVE-2021-40490)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2019-17133.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2019-19448.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2019-3900.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-12114.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-24586.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-24587.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-24588.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26139.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26140.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26141.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26142.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26143.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26144.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26145.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26146.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26147.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2021-0512.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2021-3655.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2021-3715.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2021-38160.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2021-40490.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/OVMSA-2021-0031.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel-uek / kernel-uek-firmware packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17133\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.4\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['4.1.12-124.54.6.1.el6uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for OVMSA-2021-0031');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '4.1';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-4.1.12-124.54.6.1.el6uek', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},\n {'reference':'kernel-uek-firmware-4.1.12-124.54.6.1.el6uek', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'OVS' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-firmware');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-01T15:22:59", "description": "According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses. (CVE-2021-3772)\n\n - In gre_handle_offloads of ip_gre.c, there is a possible page fault due to an invalid memory access. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-150694665References: Upstream kernel (CVE-2021-39633)\n\n - In fs/eventpoll.c, there is a possible use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product:\n AndroidVersions: Android kernelAndroid ID: A-204450605References: Upstream kernel (CVE-2021-39634)\n\n - A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)\n\n - A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11.\n This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object. (CVE-2021-44733)\n\n - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small. (CVE-2021-45486)\n\n - An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor. (CVE-2022-24448)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-05-07T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.2.0 : kernel (EulerOS-SA-2022-1681)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2021-3772", "CVE-2021-39633", "CVE-2021-39634", "CVE-2021-4002", "CVE-2021-44733", "CVE-2021-45485", "CVE-2021-45486", "CVE-2022-24448"], "modified": "2023-10-30T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-tools-libs-devel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "cpe:/o:huawei:euleros:uvp:3.0.2.0"], "id": "EULEROS_SA-2022-1681.NASL", "href": "https://www.tenable.com/plugins/nessus/160713", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160713);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/30\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26142\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2021-3772\",\n \"CVE-2021-4002\",\n \"CVE-2021-39633\",\n \"CVE-2021-39634\",\n \"CVE-2021-44733\",\n \"CVE-2021-45485\",\n \"CVE-2021-45486\",\n \"CVE-2022-24448\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"EulerOS Virtualization 3.0.2.0 : kernel (EulerOS-SA-2022-1681)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and\n WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to\n inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat\n fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,\n independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and\n WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can\n abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042\n (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations\n reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate\n selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the\n WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by\n design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP\n association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and\n the attacker can send packets with spoofed IP addresses. (CVE-2021-3772)\n\n - In gre_handle_offloads of ip_gre.c, there is a possible page fault due to an invalid memory access. This\n could lead to local information disclosure with no additional execution privileges needed. User\n interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-150694665References: Upstream kernel (CVE-2021-39633)\n\n - In fs/eventpoll.c, there is a possible use after free. This could lead to local escalation of privilege\n with no additional execution privileges needed. User interaction is not needed for exploitation.Product:\n AndroidVersions: Android kernelAndroid ID: A-204450605References: Upstream kernel (CVE-2021-39634)\n\n - A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some\n regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the\n memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)\n\n - A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11.\n This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory\n object. (CVE-2021-44733)\n\n - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information\n leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based\n attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak\n because the hash table is very small. (CVE-2021-45486)\n\n - An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the\n O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a\n regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file\n descriptor. (CVE-2022-24448)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1681\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?951bc5bc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-39634\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"kernel-4.19.36-vhulk1907.1.0.h1171\",\n \"kernel-devel-4.19.36-vhulk1907.1.0.h1171\",\n \"kernel-headers-4.19.36-vhulk1907.1.0.h1171\",\n \"kernel-tools-4.19.36-vhulk1907.1.0.h1171\",\n \"kernel-tools-libs-4.19.36-vhulk1907.1.0.h1171\",\n \"kernel-tools-libs-devel-4.19.36-vhulk1907.1.0.h1171\",\n \"perf-4.19.36-vhulk1907.1.0.h1171\",\n \"python-perf-4.19.36-vhulk1907.1.0.h1171\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-29T19:34:42", "description": "The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9459 advisory.\n\n - An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)\n\n - In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a Buffer Overflow. (CVE-2019-17133)\n\n - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter. (CVE-2020-12114)\n\n - In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to a right data structure. (CVE-2019-19448)\n\n - kernel: use-after-free in route4_change() in net/sched/cls_route.c (CVE-2021-3715)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)\n\n - A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13. (CVE-2021-40490)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. (CVE-2020-26146)\n\n - In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-173843328References: Upstream kernel (CVE-2021-0512)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-09-22T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2021-9459)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17133", "CVE-2019-19448", "CVE-2019-3900", "CVE-2020-12114", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2021-0512", "CVE-2021-3655", "CVE-2021-3715", "CVE-2021-38160", "CVE-2021-40490"], "modified": "2023-11-29T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek-firmware"], "id": "ORACLELINUX_ELSA-2021-9459.NASL", "href": "https://www.tenable.com/plugins/nessus/153557", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-9459.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153557);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/29\");\n\n script_cve_id(\n \"CVE-2019-3900\",\n \"CVE-2019-17133\",\n \"CVE-2019-19448\",\n \"CVE-2020-12114\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26142\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2021-0512\",\n \"CVE-2021-3655\",\n \"CVE-2021-3715\",\n \"CVE-2021-38160\",\n \"CVE-2021-40490\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2021-9459)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2021-9459 advisory.\n\n - An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including\n v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster\n than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the\n vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)\n\n - In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a\n long SSID IE, leading to a Buffer Overflow. (CVE-2019-17133)\n\n - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before\n 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a\n denial of service (panic) by corrupting a mountpoint reference counter. (CVE-2020-12114)\n\n - In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some\n operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in\n fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to\n a right data structure. (CVE-2019-19448)\n\n - kernel: use-after-free in route4_change() in net/sched/cls_route.c (CVE-2021-3715)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss\n can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the\n length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on\n inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)\n\n - A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in\n the Linux kernel through 5.13.13. (CVE-2021-40490)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and\n WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to\n inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and\n WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can\n abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042\n (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat\n fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,\n independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations\n reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate\n selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the\n WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by\n design. (CVE-2020-26146)\n\n - In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to\n a heap buffer overflow. This could lead to local escalation of privilege with no additional execution\n privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android\n kernelAndroid ID: A-173843328References: Upstream kernel (CVE-2021-0512)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-9459.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17133\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['4.1.12-124.54.6.1.el7uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2021-9459');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '4.1';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-4.1.12-124.54.6.1.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},\n {'reference':'kernel-uek-debug-4.1.12-124.54.6.1.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-4.1.12'},\n {'reference':'kernel-uek-debug-devel-4.1.12-124.54.6.1.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-4.1.12'},\n {'reference':'kernel-uek-devel-4.1.12-124.54.6.1.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-4.1.12'},\n {'reference':'kernel-uek-doc-4.1.12-124.54.6.1.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-4.1.12'},\n {'reference':'kernel-uek-firmware-4.1.12-124.54.6.1.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-debug / kernel-uek-debug-devel / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-29T19:37:35", "description": "The remote OracleVM system is missing necessary patches to address security updates:\n\n - In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local users can cause a denial of service (NULL pointer dereference and BUG) because a required mutex is not used. (CVE-2017-18216)\n\n - In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-38159931. (CVE-2018-9517)\n\n - Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists. (CVE-2019-10220)\n\n - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113. (CVE-2019-19063)\n\n - A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures, aka CID-0e62395da2bd. (CVE-2019-19066)\n\n - A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.\n (CVE-2019-19074)\n\n - A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.\n As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls. This issue affects kernel versions before 4.8. (CVE-2019-3901)\n\n - An issue was discovered in the Linux kernel through 5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails. (CVE-2020-12771)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-10-12T00:00:00", "type": "nessus", "title": "OracleVM 3.4 : kernel-uek (OVMSA-2021-0035)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11089", "CVE-2017-18216", "CVE-2018-9517", "CVE-2019-10220", "CVE-2019-17133", "CVE-2019-19063", "CVE-2019-19066", "CVE-2019-19074", "CVE-2019-19448", "CVE-2019-3900", "CVE-2019-3901", "CVE-2020-12114", "CVE-2020-12771", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2020-27067", "CVE-2021-0512", "CVE-2021-0605", "CVE-2021-3612", "CVE-2021-3655", "CVE-2021-3679", "CVE-2021-3715", "CVE-2021-38160", "CVE-2021-40490"], "modified": "2023-11-28T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware", "cpe:/o:oracle:vm_server:3.4"], "id": "ORACLEVM_OVMSA-2021-0035.NASL", "href": "https://www.tenable.com/plugins/nessus/154016", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were\n# extracted from OracleVM Security Advisory OVMSA-2021-0035.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154016);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/28\");\n\n script_cve_id(\n \"CVE-2017-11089\",\n \"CVE-2017-18216\",\n \"CVE-2018-9517\",\n \"CVE-2019-3900\",\n \"CVE-2019-3901\",\n \"CVE-2019-10220\",\n \"CVE-2019-17133\",\n \"CVE-2019-19063\",\n \"CVE-2019-19066\",\n \"CVE-2019-19074\",\n \"CVE-2019-19448\",\n \"CVE-2020-12114\",\n \"CVE-2020-12771\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26142\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2020-27067\",\n \"CVE-2021-0512\",\n \"CVE-2021-0605\",\n \"CVE-2021-3612\",\n \"CVE-2021-3655\",\n \"CVE-2021-3679\",\n \"CVE-2021-3715\",\n \"CVE-2021-38160\",\n \"CVE-2021-40490\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"OracleVM 3.4 : kernel-uek (OVMSA-2021-0035)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote OracleVM host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote OracleVM system is missing necessary patches to address security updates:\n\n - In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local users can cause a denial of\n service (NULL pointer dereference and BUG) because a required mutex is not used. (CVE-2017-18216)\n\n - In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local\n escalation of privilege with System execution privileges needed. User interaction is not needed for\n exploitation. Product: Android. Versions: Android kernel. Android ID: A-38159931. (CVE-2018-9517)\n\n - Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory\n entry lists. (CVE-2019-10220)\n\n - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the\n Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka\n CID-3f9361695113. (CVE-2019-19063)\n\n - A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel\n through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering\n bfa_port_get_stats() failures, aka CID-0e62395da2bd. (CVE-2019-19066)\n\n - A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel\n through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.\n (CVE-2019-19074)\n\n - A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.\n As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it\n is possible for the specified target task to perform an execve() syscall with setuid execution before\n perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check\n and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged\n execve() calls. This issue affects kernel versions before 4.8. (CVE-2019-3901)\n\n - An issue was discovered in the Linux kernel through 5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c\n has a deadlock if a coalescing operation fails. (CVE-2020-12771)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2017-18216.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2018-9517.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2019-10220.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2019-19063.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2019-19066.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2019-19074.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2019-3901.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-12771.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/OVMSA-2021-0035.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel-uek / kernel-uek-firmware packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10220\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-17133\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.4\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['4.1.12-124.56.1.el6uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for OVMSA-2021-0035');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '4.1';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-4.1.12-124.56.1.el6uek', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},\n {'reference':'kernel-uek-firmware-4.1.12-124.56.1.el6uek', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'OVS' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-firmware');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-25T15:27:37", "description": "The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-4356 advisory.\n\n - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.\n (CVE-2021-29650)\n\n - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A stall on CPU can occur because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)\n\n - In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. (CVE-2021-28971)\n\n - A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an attacker with a local account to leak information about kernel internal addresses. The highest threat from this vulnerability is to confidentiality. (CVE-2021-20239)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after- free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71. (CVE-2021-3348)\n\n - In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-140550171 (CVE-2020-0427)\n\n - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24. (CVE-2020-29660)\n\n - mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.\n (CVE-2020-36158)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi- device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-31916)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel. (CVE-2020-27777)\n\n - A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev() together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5. (CVE-2021-3573)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.\n (CVE-2021-3679)\n\n - The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier support for it) (v5.8-rc1). (CVE-2021-3489)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of- bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf. (CVE-2020-36386)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\n - Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access. (CVE-2021-0129)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files (CVE-2021-3732)\n\n - Improper input validation in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 and before version 1.4.29.0 for Windows*, may allow an authenticated user to potentially enable a denial of service via local access. (CVE-2020-24502)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 may allow an authenticated user to potentially enable information disclosure via local access.\n (CVE-2020-24503)\n\n - Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 may allow an authenticated user to potentially enable denial of service via local access.\n (CVE-2020-24504)\n\n - An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1. (CVE-2020-29368)\n\n - There is a vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y , CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). As result of BPF execution, the local user can trigger bug in __cgroup_bpf_run_filter_getsockopt() function that can lead to heap overflow (because of non-hardened usercopy). The impact of attack could be deny of service or possibly privileges escalation. (CVE-2021-20194)\n\n - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)\n\n - A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. A user with root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands.\n (CVE-2021-3635)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does not properly validate certain data sizes, aka CID-0217ed2848e8. (CVE-2021-29646)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-11-17T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : kernel (ELSA-2021-4356)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0427", "CVE-2020-24502", "CVE-2020-24503", "CVE-2020-24504", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2020-27777", "CVE-2020-29368", "CVE-2020-29660", "CVE-2020-36158", "CVE-2020-36386", "CVE-2021-0129", "CVE-2021-20194", "CVE-2021-20239", "CVE-2021-23133", "CVE-2021-28950", "CVE-2021-28971", "CVE-2021-29155", "CVE-2021-29646", "CVE-2021-29650", "CVE-2021-31440", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-33200", "CVE-2021-3348", "CVE-2021-3489", "CVE-2021-3564", "CVE-2021-3573", "CVE-2021-3600", "CVE-2021-3635", "CVE-2021-3659", "CVE-2021-3679", "CVE-2021-3732"], "modified": "2023-11-23T00:00:00", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:bpftool", "p-cpe:/a:oracle:linux:kernel", "p-cpe:/a:oracle:linux:kernel-abi-stablelists", "p-cpe:/a:oracle:linux:kernel-core", "p-cpe:/a:oracle:linux:kernel-cross-headers", "p-cpe:/a:oracle:linux:kernel-debug", "p-cpe:/a:oracle:linux:kernel-debug-core", "p-cpe:/a:oracle:linux:kernel-debug-devel", "p-cpe:/a:oracle:linux:kernel-debug-modules", "p-cpe:/a:oracle:linux:kernel-debug-modules-extra", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-headers", "p-cpe:/a:oracle:linux:kernel-modules", "p-cpe:/a:oracle:linux:kernel-modules-extra", "p-cpe:/a:oracle:linux:kernel-tools", "p-cpe:/a:oracle:linux:kernel-tools-libs", "p-cpe:/a:oracle:linux:kernel-tools-libs-devel", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:python3-perf"], "id": "ORACLELINUX_ELSA-2021-4356.NASL", "href": "https://www.tenable.com/plugins/nessus/155425", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-4356.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155425);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/23\");\n\n script_cve_id(\n \"CVE-2020-0427\",\n \"CVE-2020-24502\",\n \"CVE-2020-24503\",\n \"CVE-2020-24504\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2020-27777\",\n \"CVE-2020-29368\",\n \"CVE-2020-29660\",\n \"CVE-2020-36158\",\n \"CVE-2020-36386\",\n \"CVE-2021-0129\",\n \"CVE-2021-3348\",\n \"CVE-2021-3489\",\n \"CVE-2021-3564\",\n \"CVE-2021-3573\",\n \"CVE-2021-3600\",\n \"CVE-2021-3635\",\n \"CVE-2021-3659\",\n \"CVE-2021-3679\",\n \"CVE-2021-3732\",\n \"CVE-2021-20194\",\n \"CVE-2021-20239\",\n \"CVE-2021-23133\",\n \"CVE-2021-28950\",\n \"CVE-2021-28971\",\n \"CVE-2021-29155\",\n \"CVE-2021-29646\",\n \"CVE-2021-29650\",\n \"CVE-2021-31440\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"Oracle Linux 8 : kernel (ELSA-2021-4356)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2021-4356 advisory.\n\n - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to\n cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h\n lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.\n (CVE-2021-29650)\n\n - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A stall on CPU can occur\n because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)\n\n - In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some\n Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS\n status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. (CVE-2021-28971)\n\n - A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an\n attacker with a local account to leak information about kernel internal addresses. The highest threat from\n this vulnerability is to confidentiality. (CVE-2021-20239)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel\n 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in\n order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The\n issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the\n context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-\n free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a\n certain point during device setup, aka CID-b98e762e3d71. (CVE-2021-3348)\n\n - In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could\n lead to local information disclosure with no additional execution privileges needed. User interaction is\n not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-140550171\n (CVE-2020-0427)\n\n - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,\n aka CID-c8bcd9c5be24. (CVE-2020-29660)\n\n - mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through\n 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.\n (CVE-2020-36158)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-\n device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with\n special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or\n a leak of internal kernel information. The highest threat from this vulnerability is to system\n availability. (CVE-2021-31916)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked\n down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries\n platform) a root like local user could use this flaw to further increase their privileges to that of a\n running kernel. (CVE-2020-27777)\n\n - A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way\n user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev()\n together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(),\n hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their\n privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5. (CVE-2021-3573)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and\n WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to\n inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was\n found in the way user uses trace ring buffer in a specific way. Only privileged local users (with\n CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.\n (CVE-2021-3679)\n\n - The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size\n was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel\n and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny\n reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4,\n v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier\n support for it) (v5.8-rc1). (CVE-2021-3489)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and\n WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can\n abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042\n (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations\n reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate\n selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the\n WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by\n design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-\n bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf. (CVE-2020-36386)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification performed by the first operation is not correctly\n accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in\n the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the\n system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\n - Improper access control in BlueZ may allow an authenticated user to potentially enable information\n disclosure via adjacent access. (CVE-2021-0129)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files\n (CVE-2021-3732)\n\n - Improper input validation in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4\n and before version 1.4.29.0 for Windows*, may allow an authenticated user to potentially enable a denial\n of service via local access. (CVE-2020-24502)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4\n may allow an authenticated user to potentially enable information disclosure via local access.\n (CVE-2020-24503)\n\n - Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers for Linux before version\n 1.0.4 may allow an authenticated user to potentially enable denial of service via local access.\n (CVE-2020-24504)\n\n - An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The\n copy-on-write implementation can grant unintended write access because of a race condition in a THP\n mapcount check, aka CID-c444eb564fb1. (CVE-2020-29368)\n\n - There is a vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config\n params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y ,\n CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). As result of BPF execution,\n the local user can trigger bug in __cgroup_bpf_run_filter_getsockopt() function that can lead to heap\n overflow (because of non-hardened usercopy). The impact of attack could be deny of service or possibly\n privileges escalation. (CVE-2021-20194)\n\n - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)\n\n - A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. A user with\n root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands.\n (CVE-2021-3635)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does\n not properly validate certain data sizes, aka CID-0217ed2848e8. (CVE-2021-29646)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-4356.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3489\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-abi-stablelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-cross-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python3-perf\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['4.18.0-348.el8'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2021-4356');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '4.18';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'bpftool-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'bpftool-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-4.18.0'},\n {'reference':'kernel-abi-stablelists-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-abi-stablelists-4.18.0'},\n {'reference':'kernel-core-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-core-4.18.0'},\n {'reference':'kernel-cross-headers-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-cross-headers-4.18.0'},\n {'reference':'kernel-cross-headers-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-cross-headers-4.18.0'},\n {'reference':'kernel-debug-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-4.18.0'},\n {'reference':'kernel-debug-core-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-core-4.18.0'},\n {'reference':'kernel-debug-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-devel-4.18.0'},\n {'reference':'kernel-debug-modules-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-modules-4.18.0'},\n {'reference':'kernel-debug-modules-extra-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-modules-extra-4.18.0'},\n {'reference':'kernel-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-devel-4.18.0'},\n {'reference':'kernel-headers-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-headers-4.18.0'},\n {'reference':'kernel-headers-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-headers-4.18.0'},\n {'reference':'kernel-modules-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-modules-4.18.0'},\n {'reference':'kernel-modules-extra-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-modules-extra-4.18.0'},\n {'reference':'kernel-tools-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-4.18.0'},\n {'reference':'kernel-tools-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-4.18.0'},\n {'reference':'kernel-tools-libs-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-libs-4.18.0'},\n {'reference':'kernel-tools-libs-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-libs-4.18.0'},\n {'reference':'kernel-tools-libs-devel-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-libs-devel-4.18.0'},\n {'reference':'kernel-tools-libs-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-libs-devel-4.18.0'},\n {'reference':'perf-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / kernel / kernel-abi-stablelists / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:29:50", "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients. (CVE-2017-13080)\n\n - It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable. (CVE-2018-1128)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A flaw was found in the Linux kernel's implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to this specific memory while freed and before use causes the flow of execution to change and possibly allow for memory corruption or privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-27786)\n\n - In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References:\n Upstream kernel (CVE-2021-0920)\n\n - A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.\n (CVE-2021-20321)\n\n - An information disclosure vulnerability exists in the ARM SIGPAGE functionality of Linux Kernel v5.4.66 and v5.4.54. The latest version (5.11-rc4) seems to still be vulnerable. A userland application can read the contents of the sigpage, which can leak kernel memory contents. An attacker can read a process's memory at a specific offset to trigger this vulnerability. This was fixed in kernel releases: 4.14.222 4.19.177 5.4.99 5.10.17 5.11 (CVE-2021-21781)\n\n - An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.\n (CVE-2021-30002)\n\n - Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow an authenticated user to potentially enable denial of service via local access. (CVE-2021-33098)\n\n - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)\n\n - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.\n (CVE-2021-3679)\n\n - hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.\n (CVE-2021-37159)\n\n - A use-after-free flaw was found in the Linux kernel's Bluetooth subsystem in the way user calls connect to the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the system or escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3752)\n\n - A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses. (CVE-2021-3772)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in any net namespace because these changes are leaked into all other net namespaces. This is related to the NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls. (CVE-2021-38209)\n\n - A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)\n\n - A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system.\n This flaw affects Linux kernel versions prior to 5.16-rc4. (CVE-2021-4083)\n\n - A vulnerability was found in btrfs_alloc_tree_b in fs/btrfs/extent-tree.c in the Linux kernel due to an improper lock operation in btrfs. In this flaw, a user with a local privilege may cause a denial of service (DOS) due to a deadlock problem. (CVE-2021-4149)\n\n - An out of memory bounds write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in the way users use mirroring (replication of files with NFS). A user, having access to the NFS mount, could potentially use this flaw to crash the system or escalate privileges on the system. (CVE-2021-4157)\n\n - An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces subsystem was found in the way users have access to some less privileged process that are controlled by cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system. (CVE-2021-4197)\n\n - In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).\n (CVE-2021-43976)\n\n - In gc_data_segment in fs/f2fs/gc.c in the Linux kernel before 5.16.3, special files are not considered, leading to a move_data_page NULL pointer dereference. (CVE-2021-44879)\n\n - In __f2fs_setxattr in fs/f2fs/xattr.c in the Linux kernel through 5.15.11, there is an out-of-bounds memory access when an inode has an invalid last xattr entry. (CVE-2021-45469)\n\n - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small. (CVE-2021-45486)\n\n - A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.\n (CVE-2022-0492)\n\n - A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2. (CVE-2022-0617)\n\n - A use-after-free flaw was found in the Linux kernel's FUSE filesystem in the way a user triggers write().\n This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation. (CVE-2022-1011)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-05-26T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP3 : kernel (EulerOS-SA-2022-1735)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-13080", "CVE-2018-1128", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2020-27786", "CVE-2021-0920", "CVE-2021-20321", "CVE-2021-21781", "CVE-2021-30002", "CVE-2021-33098", "CVE-2021-3655", "CVE-2021-3669", "CVE-2021-3679", "CVE-2021-37159", "CVE-2021-3752", "CVE-2021-3772", "CVE-2021-38160", "CVE-2021-38209", "CVE-2021-4002", "CVE-2021-4037", "CVE-2021-4083", "CVE-2021-4149", "CVE-2021-4155", "CVE-2021-4157", "CVE-2021-4197", "CVE-2021-43976", "CVE-2021-44879", "CVE-2021-45469", "CVE-2021-45485", "CVE-2021-45486", "CVE-2022-0492", "CVE-2022-0617", "CVE-2022-1011"], "modified": "2023-04-25T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-debuginfo", "p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2022-1735.NASL", "href": "https://www.tenable.com/plugins/nessus/161565", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161565);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2017-13080\",\n \"CVE-2018-1128\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26142\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2020-27786\",\n \"CVE-2021-0920\",\n \"CVE-2021-3655\",\n \"CVE-2021-3669\",\n \"CVE-2021-3679\",\n \"CVE-2021-3752\",\n \"CVE-2021-3772\",\n \"CVE-2021-4002\",\n \"CVE-2021-4037\",\n \"CVE-2021-4083\",\n \"CVE-2021-4149\",\n \"CVE-2021-4155\",\n \"CVE-2021-4157\",\n \"CVE-2021-4197\",\n \"CVE-2021-20321\",\n \"CVE-2021-21781\",\n \"CVE-2021-30002\",\n \"CVE-2021-33098\",\n \"CVE-2021-37159\",\n \"CVE-2021-38160\",\n \"CVE-2021-38209\",\n \"CVE-2021-43976\",\n \"CVE-2021-44879\",\n \"CVE-2021-45469\",\n \"CVE-2021-45485\",\n \"CVE-2021-45486\",\n \"CVE-2022-0492\",\n \"CVE-2022-0617\",\n \"CVE-2022-1011\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n\n script_name(english:\"EulerOS 2.0 SP3 : kernel (EulerOS-SA-2022-1735)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the\n group key handshake, allowing an attacker within radio range to replay frames from access points to\n clients. (CVE-2017-13080)\n\n - It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable\n to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on\n network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph\n service. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable. (CVE-2018-1128)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and\n WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to\n inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat\n fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,\n independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and\n WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can\n abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042\n (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations\n reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate\n selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the\n WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by\n design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A flaw was found in the Linux kernel's implementation of MIDI, where an attacker with a local account and\n the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to\n this specific memory while freed and before use causes the flow of execution to change and possibly allow\n for memory corruption or privilege escalation. The highest threat from this vulnerability is to\n confidentiality, integrity, as well as system availability. (CVE-2020-27786)\n\n - In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This\n could lead to local escalation of privilege with System execution privileges needed. User interaction is\n not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References:\n Upstream kernel (CVE-2021-0920)\n\n - A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users\n do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.\n (CVE-2021-20321)\n\n - An information disclosure vulnerability exists in the ARM SIGPAGE functionality of Linux Kernel v5.4.66\n and v5.4.54. The latest version (5.11-rc4) seems to still be vulnerable. A userland application can read\n the contents of the sigpage, which can leak kernel memory contents. An attacker can read a process's\n memory at a specific offset to trigger this vulnerability. This was fixed in kernel releases: 4.14.222\n 4.19.177 5.4.99 5.10.17 5.11 (CVE-2021-21781)\n\n - An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in\n drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.\n (CVE-2021-30002)\n\n - Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow\n an authenticated user to potentially enable denial of service via local access. (CVE-2021-33098)\n\n - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on\n inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)\n\n - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was\n found in the way user uses trace ring buffer in a specific way. Only privileged local users (with\n CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.\n (CVE-2021-3679)\n\n - hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev\n without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.\n (CVE-2021-37159)\n\n - A use-after-free flaw was found in the Linux kernel's Bluetooth subsystem in the way user calls connect to\n the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the\n system or escalate their privileges. The highest threat from this vulnerability is to confidentiality,\n integrity, as well as system availability. (CVE-2021-3752)\n\n - A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP\n association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and\n the attacker can send packets with spoofed IP addresses. (CVE-2021-3772)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss\n can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the\n length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in\n any net namespace because these changes are leaked into all other net namespaces. This is related to the\n NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls. (CVE-2021-38209)\n\n - A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some\n regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the\n memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)\n\n - A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket\n file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race\n condition. This flaw allows a local user to crash the system or escalate their privileges on the system.\n This flaw affects Linux kernel versions prior to 5.16-rc4. (CVE-2021-4083)\n\n - A vulnerability was found in btrfs_alloc_tree_b in fs/btrfs/extent-tree.c in the Linux kernel due to an\n improper lock operation in btrfs. In this flaw, a user with a local privilege may cause a denial of\n service (DOS) due to a deadlock problem. (CVE-2021-4149)\n\n - An out of memory bounds write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in\n the way users use mirroring (replication of files with NFS). A user, having access to the NFS mount, could\n potentially use this flaw to crash the system or escalate privileges on the system. (CVE-2021-4157)\n\n - An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces\n subsystem was found in the way users have access to some less privileged process that are controlled by\n cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of\n control groups. A local user could use this flaw to crash the system or escalate their privileges on the\n system. (CVE-2021-4197)\n\n - In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows\n an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).\n (CVE-2021-43976)\n\n - In gc_data_segment in fs/f2fs/gc.c in the Linux kernel before 5.16.3, special files are not considered,\n leading to a move_data_page NULL pointer dereference. (CVE-2021-44879)\n\n - In __f2fs_setxattr in fs/f2fs/xattr.c in the Linux kernel through 5.15.11, there is an out-of-bounds\n memory access when an inode has an invalid last xattr entry. (CVE-2021-45469)\n\n - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information\n leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based\n attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak\n because the hash table is very small. (CVE-2021-45486)\n\n - A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the\n kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups\n v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.\n (CVE-2022-0492)\n\n - A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way\n user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw\n to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2. (CVE-2022-0617)\n\n - A use-after-free flaw was found in the Linux kernel's FUSE filesystem in the way a user triggers write().\n This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in\n privilege escalation. (CVE-2022-1011)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1735\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2575eb5a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3752\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-4157\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"kernel-3.10.0-514.44.5.10.h359\",\n \"kernel-debuginfo-3.10.0-514.44.5.10.h359\",\n \"kernel-debuginfo-common-x86_64-3.10.0-514.44.5.10.h359\",\n \"kernel-devel-3.10.0-514.44.5.10.h359\",\n \"kernel-headers-3.10.0-514.44.5.10.h359\",\n \"kernel-tools-3.10.0-514.44.5.10.h359\",\n \"kernel-tools-libs-3.10.0-514.44.5.10.h359\",\n \"perf-3.10.0-514.44.5.10.h359\",\n \"python-perf-3.10.0-514.44.5.10.h359\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-14T14:47:04", "description": "The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2021:4356 advisory.\n\n - Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may allow an unauthenticated user to potentially enable information disclosure via local access.\n (CVE-2019-14615)\n\n - In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-140550171 (CVE-2020-0427)\n\n - Improper input validation in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 and before version 1.4.29.0 for Windows*, may allow an authenticated user to potentially enable a denial of service via local access. (CVE-2020-24502)\n\n - Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 may allow an authenticated user to potentially enable information disclosure via local access.\n (CVE-2020-24503)\n\n - Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 may allow an authenticated user to potentially enable denial of service via local access.\n (CVE-2020-24504)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel. (CVE-2020-27777)\n\n - An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1. (CVE-2020-29368)\n\n - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24. (CVE-2020-29660)\n\n - mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.\n (CVE-2020-36158)\n\n - An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d. (CVE-2020-36312)\n\n - An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of- bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf. (CVE-2020-36386)\n\n - Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access. (CVE-2021-0129)\n\n - nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after- free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71. (CVE-2021-3348)\n\n - The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier support for it) (v5.8-rc1). (CVE-2021-3489)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\n - A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev() together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5. (CVE-2021-3573)\n\n - A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. A user with root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands.\n (CVE-2021-3635)\n\n - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.\n (CVE-2021-3679)\n\n - There is a vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y , CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). As result of BPF execution, the local user can trigger bug in __cgroup_bpf_run_filter_getsockopt() function that can lead to heap overflow (because of non-hardened usercopy). The impact of attack could be deny of service or possibly privileges escalation. (CVE-2021-20194)\n\n - A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an attacker with a local account to leak information about kernel internal addresses. The highest threat from this vulnerability is to confidentiality. (CVE-2021-20239)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A stall on CPU can occur because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)\n\n - In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. (CVE-2021-28971)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does not properly validate certain data sizes, aka CID-0217ed2848e8. (CVE-2021-29646)\n\n - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.\n (CVE-2021-29650)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi- device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-31916)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. (CVE-2021-33033)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-02-09T00:00:00", "type": "nessus", "title": "AlmaLinux 8 : kernel (ALSA-2021:4356)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14615", "CVE-2020-0427", "CVE-2020-24502", "CVE-2020-24503", "CVE-2020-24504", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2020-27777", "CVE-2020-29368", "CVE-2020-29660", "CVE-2020-36158", "CVE-2020-36312", "CVE-2020-36386", "CVE-2021-0129", "CVE-2021-20194", "CVE-2021-20239", "CVE-2021-23133", "CVE-2021-28950", "CVE-2021-28971", "CVE-2021-29155", "CVE-2021-29646", "CVE-2021-29650", "CVE-2021-31440", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-33033", "CVE-2021-33200", "CVE-2021-3348", "CVE-2021-3489", "CVE-2021-3564", "CVE-2021-3573", "CVE-2021-3600", "CVE-2021-3635", "CVE-2021-3659", "CVE-2021-3679", "CVE-2021-3732"], "modified": "2023-11-13T00:00:00", "cpe": ["p-cpe:/a:alma:linux:bpftool", "p-cpe:/a:alma:linux:kernel", "p-cpe:/a:alma:linux:kernel-abi-stablelists", "p-cpe:/a:alma:linux:kernel-core", "p-cpe:/a:alma:linux:kernel-cross-headers", "p-cpe:/a:alma:linux:kernel-debug", "p-cpe:/a:alma:linux:kernel-debug-core", "p-cpe:/a:alma:linux:kernel-debug-devel", "p-cpe:/a:alma:linux:kernel-debug-modules", "p-cpe:/a:alma:linux:kernel-debug-modules-extra", "p-cpe:/a:alma:linux:kernel-devel", "p-cpe:/a:alma:linux:kernel-headers", "p-cpe:/a:alma:linux:kernel-modules", "p-cpe:/a:alma:linux:kernel-modules-extra", "p-cpe:/a:alma:linux:kernel-tools", "p-cpe:/a:alma:linux:kernel-tools-libs", "p-cpe:/a:alma:linux:kernel-tools-libs-devel", "p-cpe:/a:alma:linux:perf", "p-cpe:/a:alma:linux:python3-perf", "cpe:/o:alma:linux:8"], "id": "ALMA_LINUX_ALSA-2021-4356.NASL", "href": "https://www.tenable.com/plugins/nessus/157497", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# AlmaLinux Security Advisory ALSA-2021:4356.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(157497);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/13\");\n\n script_cve_id(\n \"CVE-2019-14615\",\n \"CVE-2020-0427\",\n \"CVE-2020-24502\",\n \"CVE-2020-24503\",\n \"CVE-2020-24504\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2020-27777\",\n \"CVE-2020-29368\",\n \"CVE-2020-29660\",\n \"CVE-2020-36158\",\n \"CVE-2020-36312\",\n \"CVE-2020-36386\",\n \"CVE-2021-0129\",\n \"CVE-2021-3348\",\n \"CVE-2021-3489\",\n \"CVE-2021-3564\",\n \"CVE-2021-3573\",\n \"CVE-2021-3600\",\n \"CVE-2021-3635\",\n \"CVE-2021-3659\",\n \"CVE-2021-3679\",\n \"CVE-2021-3732\",\n \"CVE-2021-20194\",\n \"CVE-2021-20239\",\n \"CVE-2021-23133\",\n \"CVE-2021-28950\",\n \"CVE-2021-28971\",\n \"CVE-2021-29155\",\n \"CVE-2021-29646\",\n \"CVE-2021-29650\",\n \"CVE-2021-31440\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-33033\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"ALSA\", value:\"2021:4356\");\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"AlmaLinux 8 : kernel (ALSA-2021:4356)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AlmaLinux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nALSA-2021:4356 advisory.\n\n - Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor\n Graphics may allow an unauthenticated user to potentially enable information disclosure via local access.\n (CVE-2019-14615)\n\n - In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could\n lead to local information disclosure with no additional execution privileges needed. User interaction is\n not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-140550171\n (CVE-2020-0427)\n\n - Improper input validation in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4\n and before version 1.4.29.0 for Windows*, may allow an authenticated user to potentially enable a denial\n of service via local access. (CVE-2020-24502)\n\n - Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4\n may allow an authenticated user to potentially enable information disclosure via local access.\n (CVE-2020-24503)\n\n - Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers for Linux before version\n 1.0.4 may allow an authenticated user to potentially enable denial of service via local access.\n (CVE-2020-24504)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and\n WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to\n inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and\n WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can\n abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042\n (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations\n reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate\n selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the\n WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by\n design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked\n down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries\n platform) a root like local user could use this flaw to further increase their privileges to that of a\n running kernel. (CVE-2020-27777)\n\n - An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The\n copy-on-write implementation can grant unintended write access because of a race condition in a THP\n mapcount check, aka CID-c444eb564fb1. (CVE-2020-29368)\n\n - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,\n aka CID-c8bcd9c5be24. (CVE-2020-29660)\n\n - mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through\n 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.\n (CVE-2020-36158)\n\n - An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a\n kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d. (CVE-2020-36312)\n\n - An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-\n bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf. (CVE-2020-36386)\n\n - Improper access control in BlueZ may allow an authenticated user to potentially enable information\n disclosure via adjacent access. (CVE-2021-0129)\n\n - nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-\n free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a\n certain point during device setup, aka CID-b98e762e3d71. (CVE-2021-3348)\n\n - The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size\n was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel\n and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny\n reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4,\n v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier\n support for it) (v5.8-rc1). (CVE-2021-3489)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in\n the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the\n system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\n - A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way\n user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev()\n together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(),\n hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their\n privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5. (CVE-2021-3573)\n\n - A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. A user with\n root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands.\n (CVE-2021-3635)\n\n - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was\n found in the way user uses trace ring buffer in a specific way. Only privileged local users (with\n CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.\n (CVE-2021-3679)\n\n - There is a vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config\n params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y ,\n CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). As result of BPF execution,\n the local user can trigger bug in __cgroup_bpf_run_filter_getsockopt() function that can lead to heap\n overflow (because of non-hardened usercopy). The impact of attack could be deny of service or possibly\n privileges escalation. (CVE-2021-20194)\n\n - A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an\n attacker with a local account to leak information about kernel internal addresses. The highest threat from\n this vulnerability is to confidentiality. (CVE-2021-20239)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A stall on CPU can occur\n because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)\n\n - In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some\n Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS\n status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. (CVE-2021-28971)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification performed by the first operation is not correctly\n accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does\n not properly validate certain data sizes, aka CID-0217ed2848e8. (CVE-2021-29646)\n\n - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to\n cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h\n lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.\n (CVE-2021-29650)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel\n 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in\n order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The\n issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the\n context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-\n device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with\n special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or\n a leak of internal kernel information. The highest threat from this vulnerability is to system\n availability. (CVE-2021-31916)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because\n the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads\n to writing an arbitrary value. (CVE-2021-33033)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://errata.almalinux.org/8/ALSA-2021-4356.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3489\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-abi-stablelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-cross-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-debug-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-debug-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-debug-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:python3-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:8\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Alma Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AlmaLinux/release\", \"Host/AlmaLinux/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/AlmaLinux/release');\nif (isnull(release) || 'AlmaLinux' >!< release) audit(AUDIT_OS_NOT, 'AlmaLinux');\nvar os_ver = pregmatch(pattern: \"AlmaLinux release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'AlmaLinux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'AlmaLinux 8.x', 'AlmaLinux ' + os_ver);\n\nif (!get_kb_item('Host/AlmaLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'AlmaLinux', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n var cve_list = make_list('CVE-2019-14615', 'CVE-2020-0427', 'CVE-2020-24502', 'CVE-2020-24503', 'CVE-2020-24504', 'CVE-2020-24586', 'CVE-2020-24587', 'CVE-2020-24588', 'CVE-2020-26139', 'CVE-2020-26140', 'CVE-2020-26141', 'CVE-2020-26143', 'CVE-2020-26144', 'CVE-2020-26145', 'CVE-2020-26146', 'CVE-2020-26147', 'CVE-2020-27777', 'CVE-2020-29368', 'CVE-2020-29660', 'CVE-2020-36158', 'CVE-2020-36312', 'CVE-2020-36386', 'CVE-2021-0129', 'CVE-2021-3348', 'CVE-2021-3489', 'CVE-2021-3564', 'CVE-2021-3573', 'CVE-2021-3600', 'CVE-2021-3635', 'CVE-2021-3659', 'CVE-2021-3679', 'CVE-2021-3732', 'CVE-2021-20194', 'CVE-2021-20239', 'CVE-2021-23133', 'CVE-2021-28950', 'CVE-2021-28971', 'CVE-2021-29155', 'CVE-2021-29646', 'CVE-2021-29650', 'CVE-2021-31440', 'CVE-2021-31829', 'CVE-2021-31916', 'CVE-2021-33033', 'CVE-2021-33200');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ALSA-2021:4356');\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\nvar pkgs = [\n {'reference':'bpftool-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-abi-stablelists-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-core-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-cross-headers-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-core-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-modules-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-modules-extra-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-modules-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-modules-extra-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'Alma-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / kernel / kernel-abi-stablelists / kernel-core / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-25T15:27:36", "description": "The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:4140 advisory.\n\n - kernel: Intel graphics card information leak. (CVE-2019-14615)\n\n - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)\n\n - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)\n\n - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)\n\n - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)\n\n - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)\n\n - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)\n\n - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)\n\n - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)\n\n - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)\n\n - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)\n\n - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)\n\n - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)\n\n - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)\n\n - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)\n\n - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)\n\n - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check (CVE-2020-29368)\n\n - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read- after-free (CVE-2020-29660)\n\n - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)\n\n - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c (CVE-2020-36312)\n\n - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c (CVE-2020-36386)\n\n - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)\n\n - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)\n\n - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)\n\n - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)\n\n - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode (CVE-2021-28950)\n\n - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)\n\n - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds loads can be bypassed to leak content of kernel memory (CVE-2021-29155)\n\n - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)\n\n - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)\n\n - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)\n\n - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory (CVE-2021-31829)\n\n - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)\n\n - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)\n\n - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations by BPF verifier (CVE-2021-33200)\n\n - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)\n\n - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)\n\n - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)\n\n - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)\n\n - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)\n\n - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files (CVE-2021-3732)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "CentOS 8 : kernel-rt (CESA-2021:4140)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14615", "CVE-2020-0427", "CVE-2020-24502", "CVE-2020-24503", "CVE-2020-24504", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2020-29368", "CVE-2020-29660", "CVE-2020-36158", "CVE-2020-36312", "CVE-2020-36386", "CVE-2021-0129", "CVE-2021-20194", "CVE-2021-20239", "CVE-2021-23133", "CVE-2021-28950", "CVE-2021-28971", "CVE-2021-29155", "CVE-2021-29646", "CVE-2021-29650", "CVE-2021-31440", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-33033", "CVE-2021-33200", "CVE-2021-3348", "CVE-2021-3489", "CVE-2021-3564", "CVE-2021-3573", "CVE-2021-3600", "CVE-2021-3635", "CVE-2021-3659", "CVE-2021-3679", "CVE-2021-3732"], "modified": "2023-11-24T00:00:00", "cpe": ["cpe:/o:centos:centos:8-stream", "p-cpe:/a:centos:centos:kernel-rt", "p-cpe:/a:centos:centos:kernel-rt-core", "p-cpe:/a:centos:centos:kernel-rt-debug", "p-cpe:/a:centos:centos:kernel-rt-debug-core", "p-cpe:/a:centos:centos:kernel-rt-debug-devel", "p-cpe:/a:centos:centos:kernel-rt-debug-modules", "p-cpe:/a:centos:centos:kernel-rt-debug-modules-extra", "p-cpe:/a:centos:centos:kernel-rt-devel", "p-cpe:/a:centos:centos:kernel-rt-modules", "p-cpe:/a:centos:centos:kernel-rt-modules-extra"], "id": "CENTOS8_RHSA-2021-4140.NASL", "href": "https://www.tenable.com/plugins/nessus/155070", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# Red Hat Security Advisory RHSA-2021:4140. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155070);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/24\");\n\n script_cve_id(\n \"CVE-2019-14615\",\n \"CVE-2020-0427\",\n \"CVE-2020-24502\",\n \"CVE-2020-24503\",\n \"CVE-2020-24504\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2020-29368\",\n \"CVE-2020-29660\",\n \"CVE-2020-36158\",\n \"CVE-2020-36312\",\n \"CVE-2020-36386\",\n \"CVE-2021-0129\",\n \"CVE-2021-3348\",\n \"CVE-2021-3489\",\n \"CVE-2021-3564\",\n \"CVE-2021-3573\",\n \"CVE-2021-3600\",\n \"CVE-2021-3635\",\n \"CVE-2021-3659\",\n \"CVE-2021-3679\",\n \"CVE-2021-3732\",\n \"CVE-2021-20194\",\n \"CVE-2021-20239\",\n \"CVE-2021-23133\",\n \"CVE-2021-28950\",\n \"CVE-2021-28971\",\n \"CVE-2021-29155\",\n \"CVE-2021-29646\",\n \"CVE-2021-29650\",\n \"CVE-2021-31440\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-33033\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"RHSA\", value:\"2021:4140\");\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"CentOS 8 : kernel-rt (CESA-2021:4140)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2021:4140 advisory.\n\n - kernel: Intel graphics card information leak. (CVE-2019-14615)\n\n - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)\n\n - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)\n\n - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)\n\n - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)\n\n - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)\n\n - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)\n\n - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)\n\n - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)\n\n - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)\n\n - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)\n\n - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)\n\n - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)\n\n - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)\n\n - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)\n\n - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)\n\n - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in\n a THP mapcount check (CVE-2020-29368)\n\n - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-\n after-free (CVE-2020-29660)\n\n - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in\n drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)\n\n - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c\n (CVE-2020-36312)\n\n - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c\n (CVE-2020-36386)\n\n - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)\n\n - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)\n\n - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)\n\n - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)\n\n - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode\n (CVE-2021-28950)\n\n - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)\n\n - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds\n loads can be bypassed to leak content of kernel memory (CVE-2021-29155)\n\n - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)\n\n - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c\n and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)\n\n - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)\n\n - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content\n of kernel memory (CVE-2021-31829)\n\n - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)\n\n - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)\n\n - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations\n by BPF verifier (CVE-2021-33200)\n\n - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)\n\n - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)\n\n - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)\n\n - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)\n\n - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)\n\n - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files\n (CVE-2021-3732)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:4140\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3489\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:8-stream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-debug-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-debug-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-debug-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-modules-extra\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nvar os_ver = pregmatch(pattern: \"CentOS(?: Stream)?(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nvar os_ver = os_ver[1];\nif ('CentOS Stream' >!< release) audit(AUDIT_OS_NOT, 'CentOS 8-Stream');\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n var cve_list = make_list('CVE-2019-14615', 'CVE-2020-0427', 'CVE-2020-24502', 'CVE-2020-24503', 'CVE-2020-24504', 'CVE-2020-24586', 'CVE-2020-24587', 'CVE-2020-24588', 'CVE-2020-26139', 'CVE-2020-26140', 'CVE-2020-26141', 'CVE-2020-26143', 'CVE-2020-26144', 'CVE-2020-26145', 'CVE-2020-26146', 'CVE-2020-26147', 'CVE-2020-29368', 'CVE-2020-29660', 'CVE-2020-36158', 'CVE-2020-36312', 'CVE-2020-36386', 'CVE-2021-0129', 'CVE-2021-3348', 'CVE-2021-3489', 'CVE-2021-3564', 'CVE-2021-3573', 'CVE-2021-3600', 'CVE-2021-3635', 'CVE-2021-3659', 'CVE-2021-3679', 'CVE-2021-3732', 'CVE-2021-20194', 'CVE-2021-20239', 'CVE-2021-23133', 'CVE-2021-28950', 'CVE-2021-28971', 'CVE-2021-29155', 'CVE-2021-29646', 'CVE-2021-29650', 'CVE-2021-31440', 'CVE-2021-31829', 'CVE-2021-31916', 'CVE-2021-33033', 'CVE-2021-33200');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for CESA-2021:4140');\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nvar pkgs = [\n {'reference':'kernel-rt-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-core-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-core-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-devel-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-modules-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-modules-extra-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-devel-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-modules-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-modules-extra-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'CentOS-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-rt / kernel-rt-core / kernel-rt-debug / kernel-rt-debug-core / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-25T15:28:16", "description": "The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:4356 advisory.\n\n - kernel: Intel graphics card information leak. (CVE-2019-14615)\n\n - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)\n\n - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)\n\n - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)\n\n - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)\n\n - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)\n\n - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)\n\n - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)\n\n - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)\n\n - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)\n\n - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)\n\n - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)\n\n - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)\n\n - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)\n\n - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)\n\n - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)\n\n - kernel: powerpc: RTAS calls can be used to compromise kernel integrity (CVE-2020-27777)\n\n - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check (CVE-2020-29368)\n\n - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read- after-free (CVE-2020-29660)\n\n - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)\n\n - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c (CVE-2020-36312)\n\n - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c (CVE-2020-36386)\n\n - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)\n\n - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)\n\n - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)\n\n - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)\n\n - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode (CVE-2021-28950)\n\n - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)\n\n - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds loads can be bypassed to leak content of kernel memory (CVE-2021-29155)\n\n - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)\n\n - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)\n\n - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)\n\n - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory (CVE-2021-31829)\n\n - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)\n\n - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)\n\n - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations by BPF verifier (CVE-2021-33200)\n\n - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)\n\n - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)\n\n - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)\n\n - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)\n\n - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)\n\n - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files (CVE-2021-3732)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "CentOS 8 : kernel (CESA-2021:4356)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14615", "CVE-2020-0427", "CVE-2020-24502", "CVE-2020-24503", "CVE-2020-24504", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2020-27777", "CVE-2020-29368", "CVE-2020-29660", "CVE-2020-36158", "CVE-2020-36312", "CVE-2020-36386", "CVE-2021-0129", "CVE-2021-20194", "CVE-2021-20239", "CVE-2021-23133", "CVE-2021-28950", "CVE-2021-28971", "CVE-2021-29155", "CVE-2021-29646", "CVE-2021-29650", "CVE-2021-31440", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-33033", "CVE-2021-33200", "CVE-2021-3348", "CVE-2021-3489", "CVE-2021-3564", "CVE-2021-3573", "CVE-2021-3600", "CVE-2021-3635", "CVE-2021-3659", "CVE-2021-3679", "CVE-2021-3732"], "modified": "2023-11-24T00:00:00", "cpe": ["cpe:/o:centos:centos:8-stream", "p-cpe:/a:centos:centos:bpftool", "p-cpe:/a:centos:centos:kernel", "p-cpe:/a:centos:centos:kernel-abi-stablelists", "p-cpe:/a:centos:centos:kernel-core", "p-cpe:/a:centos:centos:kernel-cross-headers", "p-cpe:/a:centos:centos:kernel-debug", "p-cpe:/a:centos:centos:kernel-debug-core", "p-cpe:/a:centos:centos:kernel-debug-devel", "p-cpe:/a:centos:centos:kernel-debug-modules", "p-cpe:/a:centos:centos:kernel-debug-modules-extra", "p-cpe:/a:centos:centos:kernel-devel", "p-cpe:/a:centos:centos:kernel-headers", "p-cpe:/a:centos:centos:kernel-modules", "p-cpe:/a:centos:centos:kernel-modules-extra", "p-cpe:/a:centos:centos:kernel-tools", "p-cpe:/a:centos:centos:kernel-tools-libs", "p-cpe:/a:centos:centos:kernel-tools-libs-devel", "p-cpe:/a:centos:centos:perf", "p-cpe:/a:centos:centos:python3-perf"], "id": "CENTOS8_RHSA-2021-4356.NASL", "href": "https://www.tenable.com/plugins/nessus/155145", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# Red Hat Security Advisory RHSA-2021:4356. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155145);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/24\");\n\n script_cve_id(\n \"CVE-2019-14615\",\n \"CVE-2020-0427\",\n \"CVE-2020-24502\",\n \"CVE-2020-24503\",\n \"CVE-2020-24504\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2020-27777\",\n \"CVE-2020-29368\",\n \"CVE-2020-29660\",\n \"CVE-2020-36158\",\n \"CVE-2020-36312\",\n \"CVE-2020-36386\",\n \"CVE-2021-0129\",\n \"CVE-2021-3348\",\n \"CVE-2021-3489\",\n \"CVE-2021-3564\",\n \"CVE-2021-3573\",\n \"CVE-2021-3600\",\n \"CVE-2021-3635\",\n \"CVE-2021-3659\",\n \"CVE-2021-3679\",\n \"CVE-2021-3732\",\n \"CVE-2021-20194\",\n \"CVE-2021-20239\",\n \"CVE-2021-23133\",\n \"CVE-2021-28950\",\n \"CVE-2021-28971\",\n \"CVE-2021-29155\",\n \"CVE-2021-29646\",\n \"CVE-2021-29650\",\n \"CVE-2021-31440\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-33033\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"RHSA\", value:\"2021:4356\");\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"CentOS 8 : kernel (CESA-2021:4356)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2021:4356 advisory.\n\n - kernel: Intel graphics card information leak. (CVE-2019-14615)\n\n - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)\n\n - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)\n\n - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)\n\n - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)\n\n - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)\n\n - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)\n\n - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)\n\n - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)\n\n - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)\n\n - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)\n\n - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)\n\n - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)\n\n - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)\n\n - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)\n\n - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)\n\n - kernel: powerpc: RTAS calls can be used to compromise kernel integrity (CVE-2020-27777)\n\n - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in\n a THP mapcount check (CVE-2020-29368)\n\n - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-\n after-free (CVE-2020-29660)\n\n - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in\n drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)\n\n - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c\n (CVE-2020-36312)\n\n - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c\n (CVE-2020-36386)\n\n - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)\n\n - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)\n\n - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)\n\n - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)\n\n - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode\n (CVE-2021-28950)\n\n - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)\n\n - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds\n loads can be bypassed to leak content of kernel memory (CVE-2021-29155)\n\n - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)\n\n - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c\n and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)\n\n - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)\n\n - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content\n of kernel memory (CVE-2021-31829)\n\n - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)\n\n - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)\n\n - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations\n by BPF verifier (CVE-2021-33200)\n\n - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)\n\n - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)\n\n - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)\n\n - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)\n\n - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)\n\n - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files\n (CVE-2021-3732)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:4356\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3489\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:8-stream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-abi-stablelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-cross-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python3-perf\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nvar os_ver = pregmatch(pattern: \"CentOS(?: Stream)?(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nvar os_ver = os_ver[1];\nif ('CentOS Stream' >!< release) audit(AUDIT_OS_NOT, 'CentOS 8-Stream');\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n var cve_list = make_list('CVE-2019-14615', 'CVE-2020-0427', 'CVE-2020-24502', 'CVE-2020-24503', 'CVE-2020-24504', 'CVE-2020-24586', 'CVE-2020-24587', 'CVE-2020-24588', 'CVE-2020-26139', 'CVE-2020-26140', 'CVE-2020-26141', 'CVE-2020-26143', 'CVE-2020-26144', 'CVE-2020-26145', 'CVE-2020-26146', 'CVE-2020-26147', 'CVE-2020-27777', 'CVE-2020-29368', 'CVE-2020-29660', 'CVE-2020-36158', 'CVE-2020-36312', 'CVE-2020-36386', 'CVE-2021-0129', 'CVE-2021-3348', 'CVE-2021-3489', 'CVE-2021-3564', 'CVE-2021-3573', 'CVE-2021-3600', 'CVE-2021-3635', 'CVE-2021-3659', 'CVE-2021-3679', 'CVE-2021-3732', 'CVE-2021-20194', 'CVE-2021-20239', 'CVE-2021-23133', 'CVE-2021-28950', 'CVE-2021-28971', 'CVE-2021-29155', 'CVE-2021-29646', 'CVE-2021-29650', 'CVE-2021-31440', 'CVE-2021-31829', 'CVE-2021-31916', 'CVE-2021-33033', 'CVE-2021-33200');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for CESA-2021:4356');\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nvar pkgs = [\n {'reference':'bpftool-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'bpftool-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-abi-stablelists-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-abi-stablelists-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-core-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-core-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-cross-headers-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-cross-headers-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-core-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-core-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-devel-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-modules-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-modules-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-modules-extra-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-modules-extra-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-modules-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-modules-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-modules-extra-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-modules-extra-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-devel-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'CentOS-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / kernel / kernel-abi-stablelists / kernel-core / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-25T15:28:05", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4356 advisory.\n\n - kernel: Intel graphics card information leak. (CVE-2019-14615)\n\n - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)\n\n - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)\n\n - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)\n\n - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)\n\n - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)\n\n - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)\n\n - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)\n\n - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)\n\n - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)\n\n - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)\n\n - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)\n\n - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)\n\n - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)\n\n - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)\n\n - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)\n\n - kernel: powerpc: RTAS calls can be used to compromise kernel integrity (CVE-2020-27777)\n\n - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check (CVE-2020-29368)\n\n - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read- after-free (CVE-2020-29660)\n\n - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)\n\n - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c (CVE-2020-36312)\n\n - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c (CVE-2020-36386)\n\n - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)\n\n - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)\n\n - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)\n\n - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)\n\n - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode (CVE-2021-28950)\n\n - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)\n\n - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds loads can be bypassed to leak content of kernel memory (CVE-2021-29155)\n\n - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)\n\n - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)\n\n - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)\n\n - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory (CVE-2021-31829)\n\n - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)\n\n - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)\n\n - kernel: Improper input validation in the Intel(R) Ethernet ixgbe driver may allow an authenticated user to potentially enable DoS via local access (CVE-2021-33098)\n\n - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations by BPF verifier (CVE-2021-33200)\n\n - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)\n\n - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)\n\n - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)\n\n - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)\n\n - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)\n\n - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files (CVE-2021-3732)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "RHEL 8 : kernel (RHSA-2021:4356)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14615", "CVE-2020-0427", "CVE-2020-24502", "CVE-2020-24503", "CVE-2020-24504", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2020-27777", "CVE-2020-29368", "CVE-2020-29660", "CVE-2020-36158", "CVE-2020-36312", "CVE-2020-36386", "CVE-2021-0129", "CVE-2021-20194", "CVE-2021-20239", "CVE-2021-23133", "CVE-2021-28950", "CVE-2021-28971", "CVE-2021-29155", "CVE-2021-29646", "CVE-2021-29650", "CVE-2021-31440", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-33033", "CVE-2021-33098", "CVE-2021-33200", "CVE-2021-3348", "CVE-2021-3489", "CVE-2021-3564", "CVE-2021-3573", "CVE-2021-3600", "CVE-2021-3635", "CVE-2021-3659", "CVE-2021-3679", "CVE-2021-3732"], "modified": "2023-11-24T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:rhel_aus:8.6", "cpe:/o:redhat:rhel_e4s:8.6", "cpe:/o:redhat:rhel_eus:8.6", "cpe:/o:redhat:rhel_tus:8.6", "p-cpe:/a:redhat:enterprise_linux:bpftool", "p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-stablelists", "p-cpe:/a:redhat:enterprise_linux:kernel-core", "p-cpe:/a:redhat:enterprise_linux:kernel-cross-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-core", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-modules", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-modules-extra", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-modules", "p-cpe:/a:redhat:enterprise_linux:kernel-modules-extra", "p-cpe:/a:redhat:enterprise_linux:kernel-tools", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump", "p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-core", "p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-modules", "p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-modules-extra", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:python3-perf"], "id": "REDHAT-RHSA-2021-4356.NASL", "href": "https://www.tenable.com/plugins/nessus/155219", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:4356. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155219);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/24\");\n\n script_cve_id(\n \"CVE-2019-14615\",\n \"CVE-2020-0427\",\n \"CVE-2020-24502\",\n \"CVE-2020-24503\",\n \"CVE-2020-24504\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2020-27777\",\n \"CVE-2020-29368\",\n \"CVE-2020-29660\",\n \"CVE-2020-36158\",\n \"CVE-2020-36312\",\n \"CVE-2020-36386\",\n \"CVE-2021-0129\",\n \"CVE-2021-3348\",\n \"CVE-2021-3489\",\n \"CVE-2021-3564\",\n \"CVE-2021-3573\",\n \"CVE-2021-3600\",\n \"CVE-2021-3635\",\n \"CVE-2021-3659\",\n \"CVE-2021-3679\",\n \"CVE-2021-3732\",\n \"CVE-2021-20194\",\n \"CVE-2021-20239\",\n \"CVE-2021-23133\",\n \"CVE-2021-28950\",\n \"CVE-2021-28971\",\n \"CVE-2021-29155\",\n \"CVE-2021-29646\",\n \"CVE-2021-29650\",\n \"CVE-2021-31440\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-33033\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"RHSA\", value:\"2021:4356\");\n\n script_name(english:\"RHEL 8 : kernel (RHSA-2021:4356)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:4356 advisory.\n\n - kernel: Intel graphics card information leak. (CVE-2019-14615)\n\n - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)\n\n - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)\n\n - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)\n\n - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)\n\n - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)\n\n - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)\n\n - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)\n\n - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)\n\n - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)\n\n - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)\n\n - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)\n\n - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)\n\n - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)\n\n - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)\n\n - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)\n\n - kernel: powerpc: RTAS calls can be used to compromise kernel integrity (CVE-2020-27777)\n\n - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in\n a THP mapcount check (CVE-2020-29368)\n\n - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-\n after-free (CVE-2020-29660)\n\n - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in\n drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)\n\n - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c\n (CVE-2020-36312)\n\n - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c\n (CVE-2020-36386)\n\n - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)\n\n - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)\n\n - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)\n\n - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)\n\n - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode\n (CVE-2021-28950)\n\n - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)\n\n - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds\n loads can be bypassed to leak content of kernel memory (CVE-2021-29155)\n\n - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)\n\n - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c\n and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)\n\n - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)\n\n - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content\n of kernel memory (CVE-2021-31829)\n\n - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)\n\n - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)\n\n - kernel: Improper input validation in the Intel(R) Ethernet ixgbe driver may allow an authenticated user to\n potentially enable DoS via local access (CVE-2021-33098)\n\n - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations\n by BPF verifier (CVE-2021-33200)\n\n - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)\n\n - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)\n\n - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)\n\n - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)\n\n - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)\n\n - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files\n (CVE-2021-3732)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14615\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-0427\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-24502\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-24503\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-24504\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-24588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-26140\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-26143\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-26144\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-26146\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-27777\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-29368\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-29660\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-36158\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-36312\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-36386\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-0129\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3348\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3564\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3573\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3600\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3635\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3659\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3679\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3732\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-20194\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-20239\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-23133\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-28950\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-28971\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-29155\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-29646\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-29650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-31440\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-31829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-31916\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-33033\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-33098\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:4356\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1789209\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1900844\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1903244\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1906522\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1912683\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1913348\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1919893\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1921958\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1923636\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1930376\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1930379\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1930381\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1941762\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1941784\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1945345\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1945388\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1946965\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1947991\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1948772\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1951595\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1957788\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1959559\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1959642\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1959654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1959657\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1959663\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1960490\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1960492\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1960496\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1960498\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1960500\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1960502\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1960504\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1961300\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1964028\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1964139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1965038\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1965458\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1966578\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1969489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1975949\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1976946\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1981954\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1989165\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1995249\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2068236\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3489\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 119, 120, 125, 200, 212, 252, 287, 290, 307, 345, 346, 362, 400, 415, 416, 476, 662, 667, 682, 772, 787, 822, 829, 835, 862, 863);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-stablelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-cross-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-perf\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n var cve_list = make_list('CVE-2019-14615', 'CVE-2020-0427', 'CVE-2020-24502', 'CVE-2020-24503', 'CVE-2020-24504', 'CVE-2020-24586', 'CVE-2020-24587', 'CVE-2020-24588', 'CVE-2020-26139', 'CVE-2020-26140', 'CVE-2020-26141', 'CVE-2020-26143', 'CVE-2020-26144', 'CVE-2020-26145', 'CVE-2020-26146', 'CVE-2020-26147', 'CVE-2020-27777', 'CVE-2020-29368', 'CVE-2020-29660', 'CVE-2020-36158', 'CVE-2020-36312', 'CVE-2020-36386', 'CVE-2021-0129', 'CVE-2021-3348', 'CVE-2021-3489', 'CVE-2021-3564', 'CVE-2021-3573', 'CVE-2021-3600', 'CVE-2021-3635', 'CVE-2021-3659', 'CVE-2021-3679', 'CVE-2021-3732', 'CVE-2021-20194', 'CVE-2021-20239', 'CVE-2021-23133', 'CVE-2021-28950', 'CVE-2021-28971', 'CVE-2021-29155', 'CVE-2021-29646', 'CVE-2021-29650', 'CVE-2021-31440', 'CVE-2021-31829', 'CVE-2021-31916', 'CVE-2021-33033', 'CVE-2021-33098', 'CVE-2021-33200');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for RHSA-2021:4356');\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.6/x86_64/appstream/debug',\n 'content/aus/rhel8/8.6/x86_64/appstream/os',\n 'content/aus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.6/x86_64/baseos/debug',\n 'content/aus/rhel8/8.6/x86_64/baseos/os',\n 'content/aus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.6/x86_64/appstream/os',\n 'content/e4s/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.6/x86_64/baseos/os',\n 'content/e4s/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap/os',\n 'content/e4s/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/appstream/debug',\n 'content/eus/rhel8/8.6/aarch64/appstream/os',\n 'content/eus/rhel8/8.6/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/baseos/debug',\n 'content/eus/rhel8/8.6/aarch64/baseos/os',\n 'content/eus/rhel8/8.6/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.6/aarch64/highavailability/os',\n 'content/eus/rhel8/8.6/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.6/aarch64/supplementary/os',\n 'content/eus/rhel8/8.6/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.6/ppc64le/appstream/os',\n 'content/eus/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.6/ppc64le/baseos/os',\n 'content/eus/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap/os',\n 'content/eus/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/appstream/debug',\n 'content/eus/rhel8/8.6/s390x/appstream/os',\n 'content/eus/rhel8/8.6/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/baseos/debug',\n 'content/eus/rhel8/8.6/s390x/baseos/os',\n 'content/eus/rhel8/8.6/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/highavailability/debug',\n 'content/eus/rhel8/8.6/s390x/highavailability/os',\n 'content/eus/rhel8/8.6/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/sap/debug',\n 'content/eus/rhel8/8.6/s390x/sap/os',\n 'content/eus/rhel8/8.6/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/supplementary/debug',\n 'content/eus/rhel8/8.6/s390x/supplementary/os',\n 'content/eus/rhel8/8.6/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/appstream/debug',\n 'content/eus/rhel8/8.6/x86_64/appstream/os',\n 'content/eus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/baseos/debug',\n 'content/eus/rhel8/8.6/x86_64/baseos/os',\n 'content/eus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.6/x86_64/highavailability/os',\n 'content/eus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap/debug',\n 'content/eus/rhel8/8.6/x86_64/sap/os',\n 'content/eus/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.6/x86_64/supplementary/os',\n 'content/eus/rhel8/8.6/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/appstream/debug',\n 'content/tus/rhel8/8.6/x86_64/appstream/os',\n 'content/tus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/baseos/debug',\n 'content/tus/rhel8/8.6/x86_64/baseos/os',\n 'content/tus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.6/x86_64/highavailability/os',\n 'content/tus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/rt/os',\n 'content/tus/rhel8/8.6/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'bpftool-4.18.0-348.el8', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-4.18.0-348.el8', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-abi-stablelists-4.18.0-348.el8', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-core-4.18.0-348.el8', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-cross-headers-4.18.0-348.el8', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-4.18.0-348.el8', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-core-4.18.0-348.el8', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-devel-4.18.0-348.el8', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-modules-4.18.0-348.el8', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-modules-extra-4.18.0-348.el8', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-4.18.0-348.el8', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.18.0-348.el8', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-modules-4.18.0-348.el8', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-modules-extra-4.18.0-348.el8', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-4.18.0-348.el8', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-4.18.0-348.el8', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-4.18.0-348.el8', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-4.18.0-348.el8', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-devel-4.18.0-348.el8', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-devel-4.18.0-348.el8', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-devel-4.18.0-348.el8', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-zfcpdump-4.18.0-348.el8', 'sp':'6', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-zfcpdump-core-4.18.0-348.el8', 'sp':'6', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-zfcpdump-devel-4.18.0-348.el8', 'sp':'6', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-zfcpdump-modules-4.18.0-348.el8', 'sp':'6', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-zfcpdump-modules-extra-4.18.0-348.el8', 'sp':'6', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.18.0-348.el8', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-4.18.0-348.el8', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel8/8/aarch64/appstream/debug',\n 'content/dist/rhel8/8/aarch64/appstream/os',\n 'content/dist/rhel8/8/aarch64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/baseos/debug',\n 'content/dist/rhel8/8/aarch64/baseos/os',\n 'content/dist/rhel8/8/aarch64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/codeready-builder/debug',\n 'content/dist/rhel8/8/aarch64/codeready-builder/os',\n 'content/dist/rhel8/8/aarch64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/highavailability/debug',\n 'content/dist/rhel8/8/aarch64/highavailability/os',\n 'content/dist/rhel8/8/aarch64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/supplementary/debug',\n 'content/dist/rhel8/8/aarch64/supplementary/os',\n 'content/dist/rhel8/8/aarch64/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/appstream/debug',\n 'content/dist/rhel8/8/ppc64le/appstream/os',\n 'content/dist/rhel8/8/ppc64le/appstream/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/baseos/debug',\n 'content/dist/rhel8/8/ppc64le/baseos/os',\n 'content/dist/rhel8/8/ppc64le/baseos/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/debug',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/os',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/highavailability/debug',\n 'content/dist/rhel8/8/ppc64le/highavailability/os',\n 'content/dist/rhel8/8/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/debug',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/os',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/debug',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/os',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap/debug',\n 'content/dist/rhel8/8/ppc64le/sap/os',\n 'content/dist/rhel8/8/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/supplementary/debug',\n 'content/dist/rhel8/8/ppc64le/supplementary/os',\n 'content/dist/rhel8/8/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/s390x/appstream/debug',\n 'content/dist/rhel8/8/s390x/appstream/os',\n 'content/dist/rhel8/8/s390x/appstream/source/SRPMS',\n 'content/dist/rhel8/8/s390x/baseos/debug',\n 'content/dist/rhel8/8/s390x/baseos/os',\n 'content/dist/rhel8/8/s390x/baseos/source/SRPMS',\n 'content/dist/rhel8/8/s390x/codeready-builder/debug',\n 'content/dist/rhel8/8/s390x/codeready-builder/os',\n 'content/dist/rhel8/8/s390x/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/s390x/highavailability/debug',\n 'content/dist/rhel8/8/s390x/highavailability/os',\n 'content/dist/rhel8/8/s390x/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/s390x/resilientstorage/debug',\n 'content/dist/rhel8/8/s390x/resilientstorage/os',\n 'content/dist/rhel8/8/s390x/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/s390x/sap/debug',\n 'content/dist/rhel8/8/s390x/sap/os',\n 'content/dist/rhel8/8/s390x/sap/source/SRPMS',\n 'content/dist/rhel8/8/s390x/supplementary/debug',\n 'content/dist/rhel8/8/s390x/supplementary/os',\n 'content/dist/rhel8/8/s390x/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/appstream/debug',\n 'content/dist/rhel8/8/x86_64/appstream/os',\n 'content/dist/rhel8/8/x86_64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/baseos/debug',\n 'content/dist/rhel8/8/x86_64/baseos/os',\n 'content/dist/rhel8/8/x86_64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/codeready-builder/debug',\n 'content/dist/rhel8/8/x86_64/codeready-builder/os',\n 'content/dist/rhel8/8/x86_64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/highavailability/debug',\n 'content/dist/rhel8/8/x86_64/highavailability/os',\n 'content/dist/rhel8/8/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/nfv/debug',\n 'content/dist/rhel8/8/x86_64/nfv/os',\n 'content/dist/rhel8/8/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/resilientstorage/debug',\n 'content/dist/rhel8/8/x86_64/resilientstorage/os',\n 'content/dist/rhel8/8/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/rt/debug',\n 'content/dist/rhel8/8/x86_64/rt/os',\n 'content/dist/rhel8/8/x86_64/rt/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap-solutions/debug',\n 'content/dist/rhel8/8/x86_64/sap-solutions/os',\n 'content/dist/rhel8/8/x86_64/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap/debug',\n 'content/dist/rhel8/8/x86_64/sap/os',\n 'content/dist/rhel8/8/x86_64/sap/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/supplementary/debug',\n 'content/dist/rhel8/8/x86_64/supplementary/os',\n 'content/dist/rhel8/8/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'bpftool-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-abi-stablelists-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-core-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-cross-headers-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-core-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-devel-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-modules-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-modules-extra-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-modules-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-modules-extra-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-4.18.0-348.el8', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-devel-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-devel-4.18.0-348.el8', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-zfcpdump-4.18.0-348.el8', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-zfcpdump-core-4.18.0-348.el8', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-zfcpdump-devel-4.18.0-348.el8', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-zfcpdump-modules-4.18.0-348.el8', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-zfcpdump-modules-extra-4.18.0-348.el8', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp']) && !enterprise_linux_flag) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / kernel / kernel-abi-stablelists / kernel-core / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-25T15:28:16", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4140 advisory.\n\n - kernel: Intel graphics card information leak. (CVE-2019-14615)\n\n - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)\n\n - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)\n\n - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)\n\n - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)\n\n - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)\n\n - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)\n\n - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)\n\n - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)\n\n - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)\n\n - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)\n\n - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)\n\n - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)\n\n - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)\n\n - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)\n\n - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)\n\n - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check (CVE-2020-29368)\n\n - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read- after-free (CVE-2020-29660)\n\n - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)\n\n - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c (CVE-2020-36312)\n\n - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c (CVE-2020-36386)\n\n - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)\n\n - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)\n\n - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)\n\n - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)\n\n - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode (CVE-2021-28950)\n\n - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)\n\n - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds loads can be bypassed to leak content of kernel memory (CVE-2021-29155)\n\n - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)\n\n - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)\n\n - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)\n\n - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory (CVE-2021-31829)\n\n - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)\n\n - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)\n\n - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations by BPF verifier (CVE-2021-33200)\n\n - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)\n\n - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)\n\n - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)\n\n - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)\n\n - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)\n\n - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files (CVE-2021-3732)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "RHEL 8 : kernel-rt (RHSA-2021:4140)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14615", "CVE-2020-0427", "CVE-2020-24502", "CVE-2020-24503", "CVE-2020-24504", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2020-29368", "CVE-2020-29660", "CVE-2020-36158", "CVE-2020-36312", "CVE-2020-36386", "CVE-2021-0129", "CVE-2021-20194", "CVE-2021-20239", "CVE-2021-23133", "CVE-2021-28950", "CVE-2021-28971", "CVE-2021-29155", "CVE-2021-29646", "CVE-2021-29650", "CVE-2021-31440", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-33033", "CVE-2021-33200", "CVE-2021-3348", "CVE-2021-3489", "CVE-2021-3564", "CVE-2021-3573", "CVE-2021-3600", "CVE-2021-3635", "CVE-2021-3659", "CVE-2021-3679", "CVE-2021-3732"], "modified": "2023-11-24T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:rhel_aus:8.6", "cpe:/o:redhat:rhel_e4s:8.6", "cpe:/o:redhat:rhel_eus:8.6", "cpe:/o:redhat:rhel_tus:8.6", "p-cpe:/a:redhat:enterprise_linux:kernel-rt", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-core", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-core", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-modules", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-modules-extra", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-modules", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-modules-extra"], "id": "REDHAT-RHSA-2021-4140.NASL", "href": "https://www.tenable.com/plugins/nessus/155172", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:4140. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155172);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/24\");\n\n script_cve_id(\n \"CVE-2019-14615\",\n \"CVE-2020-0427\",\n \"CVE-2020-24502\",\n \"CVE-2020-24503\",\n \"CVE-2020-24504\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2020-29368\",\n \"CVE-2020-29660\",\n \"CVE-2020-36158\",\n \"CVE-2020-36312\",\n \"CVE-2020-36386\",\n \"CVE-2021-0129\",\n \"CVE-2021-3348\",\n \"CVE-2021-3489\",\n \"CVE-2021-3564\",\n \"CVE-2021-3573\",\n \"CVE-2021-3600\",\n \"CVE-2021-3635\",\n \"CVE-2021-3659\",\n \"CVE-2021-3679\",\n \"CVE-2021-3732\",\n \"CVE-2021-20194\",\n \"CVE-2021-20239\",\n \"CVE-2021-23133\",\n \"CVE-2021-28950\",\n \"CVE-2021-28971\",\n \"CVE-2021-29155\",\n \"CVE-2021-29646\",\n \"CVE-2021-29650\",\n \"CVE-2021-31440\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-33033\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"RHSA\", value:\"2021:4140\");\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"RHEL 8 : kernel-rt (RHSA-2021:4140)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:4140 advisory.\n\n - kernel: Intel graphics card information leak. (CVE-2019-14615)\n\n - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)\n\n - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)\n\n - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)\n\n - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)\n\n - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)\n\n - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)\n\n - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)\n\n - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)\n\n - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)\n\n - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)\n\n - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)\n\n - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)\n\n - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)\n\n - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)\n\n - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)\n\n - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in\n a THP mapcount check (CVE-2020-29368)\n\n - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-\n after-free (CVE-2020-29660)\n\n - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in\n drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)\n\n - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c\n (CVE-2020-36312)\n\n - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c\n (CVE-2020-36386)\n\n - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)\n\n - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)\n\n - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)\n\n - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)\n\n - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode\n (CVE-2021-28950)\n\n - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)\n\n - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds\n loads can be bypassed to leak content of kernel memory (CVE-2021-29155)\n\n - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)\n\n - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c\n and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)\n\n - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)\n\n - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content\n of kernel memory (CVE-2021-31829)\n\n - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)\n\n - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)\n\n - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations\n by BPF verifier (CVE-2021-33200)\n\n - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)\n\n - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)\n\n - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)\n\n - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)\n\n - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)\n\n - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files\n (CVE-2021-3732)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14615\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-0427\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-24502\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-24503\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-24504\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-24588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-26140\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-26143\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-26144\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-26146\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-29368\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-29660\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-36158\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-36312\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-36386\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-0129\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3348\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3564\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3573\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3600\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3635\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3659\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3679\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3732\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-20194\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-20239\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-23133\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-28950\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-28971\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-29155\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-29646\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-29650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-31440\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-31829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-31916\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-33033\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:4140\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1789209\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1903244\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1906522\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1912683\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1913348\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1919893\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1921958\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1923636\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1930376\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1930379\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1930381\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1941762\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1941784\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1945345\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1945388\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1946965\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1947991\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1948772\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1951595\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1957788\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1959559\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1959642\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1959654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1959657\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1959663\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1960490\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1960492\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1960496\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1960498\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1960500\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1960502\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1960504\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1961300\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1964028\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1964139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1965038\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1965458\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1966578\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1969489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1975949\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1976946\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1981954\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1989165\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1995249\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3489\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 119, 120, 125, 200, 212, 252, 287, 290, 307, 345, 346, 362, 400, 415, 416, 476, 662, 667, 682, 772, 787, 822, 829, 835, 863);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-modules-extra\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n var cve_list = make_list('CVE-2019-14615', 'CVE-2020-0427', 'CVE-2020-24502', 'CVE-2020-24503', 'CVE-2020-24504', 'CVE-2020-24586', 'CVE-2020-24587', 'CVE-2020-24588', 'CVE-2020-26139', 'CVE-2020-26140', 'CVE-2020-26141', 'CVE-2020-26143', 'CVE-2020-26144', 'CVE-2020-26145', 'CVE-2020-26146', 'CVE-2020-26147', 'CVE-2020-29368', 'CVE-2020-29660', 'CVE-2020-36158', 'CVE-2020-36312', 'CVE-2020-36386', 'CVE-2021-0129', 'CVE-2021-3348', 'CVE-2021-3489', 'CVE-2021-3564', 'CVE-2021-3573', 'CVE-2021-3600', 'CVE-2021-3635', 'CVE-2021-3659', 'CVE-2021-3679', 'CVE-2021-3732', 'CVE-2021-20194', 'CVE-2021-20239', 'CVE-2021-23133', 'CVE-2021-28950', 'CVE-2021-28971', 'CVE-2021-29155', 'CVE-2021-29646', 'CVE-2021-29650', 'CVE-2021-31440', 'CVE-2021-31829', 'CVE-2021-31916', 'CVE-2021-33033', 'CVE-2021-33200');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for RHSA-2021:4140');\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.6/x86_64/appstream/debug',\n 'content/aus/rhel8/8.6/x86_64/appstream/os',\n 'content/aus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.6/x86_64/baseos/debug',\n 'content/aus/rhel8/8.6/x86_64/baseos/os',\n 'content/aus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.6/x86_64/appstream/os',\n 'content/e4s/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.6/x86_64/baseos/os',\n 'content/e4s/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap/os',\n 'content/e4s/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/appstream/debug',\n 'content/eus/rhel8/8.6/x86_64/appstream/os',\n 'content/eus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/baseos/debug',\n 'content/eus/rhel8/8.6/x86_64/baseos/os',\n 'content/eus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.6/x86_64/highavailability/os',\n 'content/eus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap/debug',\n 'content/eus/rhel8/8.6/x86_64/sap/os',\n 'content/eus/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.6/x86_64/supplementary/os',\n 'content/eus/rhel8/8.6/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/appstream/debug',\n 'content/tus/rhel8/8.6/x86_64/appstream/os',\n 'content/tus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/baseos/debug',\n 'content/tus/rhel8/8.6/x86_64/baseos/os',\n 'content/tus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.6/x86_64/highavailability/os',\n 'content/tus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/rt/os',\n 'content/tus/rhel8/8.6/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'kernel-rt-4.18.0-348.rt7.130.el8', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-core-4.18.0-348.rt7.130.el8', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-4.18.0-348.rt7.130.el8', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-core-4.18.0-348.rt7.130.el8', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-devel-4.18.0-348.rt7.130.el8', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-kvm-4.18.0-348.rt7.130.el8', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-modules-4.18.0-348.rt7.130.el8', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-modules-extra-4.18.0-348.rt7.130.el8', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-devel-4.18.0-348.rt7.130.el8', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-kvm-4.18.0-348.rt7.130.el8', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-modules-4.18.0-348.rt7.130.el8', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-modules-extra-4.18.0-348.rt7.130.el8', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel8/8/x86_64/appstream/debug',\n 'content/dist/rhel8/8/x86_64/appstream/os',\n 'content/dist/rhel8/8/x86_64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/baseos/debug',\n 'content/dist/rhel8/8/x86_64/baseos/os',\n 'content/dist/rhel8/8/x86_64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/codeready-builder/debug',\n 'content/dist/rhel8/8/x86_64/codeready-builder/os',\n 'content/dist/rhel8/8/x86_64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/highavailability/debug',\n 'content/dist/rhel8/8/x86_64/highavailability/os',\n 'content/dist/rhel8/8/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/nfv/debug',\n 'content/dist/rhel8/8/x86_64/nfv/os',\n 'content/dist/rhel8/8/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/resilientstorage/debug',\n 'content/dist/rhel8/8/x86_64/resilientstorage/os',\n 'content/dist/rhel8/8/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/rt/debug',\n 'content/dist/rhel8/8/x86_64/rt/os',\n 'content/dist/rhel8/8/x86_64/rt/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap-solutions/debug',\n 'content/dist/rhel8/8/x86_64/sap-solutions/os',\n 'content/dist/rhel8/8/x86_64/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap/debug',\n 'content/dist/rhel8/8/x86_64/sap/os',\n 'content/dist/rhel8/8/x86_64/sap/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/supplementary/debug',\n 'content/dist/rhel8/8/x86_64/supplementary/os',\n 'content/dist/rhel8/8/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'kernel-rt-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-core-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-core-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-devel-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-kvm-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-modules-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-modules-extra-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-devel-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-kvm-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-modules-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-modules-extra-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp']) && !enterprise_linux_flag) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-rt / kernel-rt-core / kernel-rt-debug / kernel-rt-debug-core / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-26T13:11:40", "description": "According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - A flaw was found in the Linux kernel, where the WiFi implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (ex., LLC/SNAP) header for EAPOL. The highest threat from this vulnerability is to integrity. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - A vulnerability was found in Linux kernel, where the WiFi implementation reassemble fragments with non- consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data- confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References:\n Upstream kernel (CVE-2021-0920)\n\n - In memzero_explicit of compiler-clang.h, there is a possible bypass of defense in depth due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2021-0938)\n\n - In bpf_skb_change_head of filter.c, there is a possible out of bounds read due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-154177719References:\n Upstream kernel (CVE-2021-0941)\n\n - A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.\n (CVE-2021-20321)\n\n - A denial-of-service (DoS) flaw was identified in the Linux kernel due to an incorrect memory barrier in xt_replace_table in net/netfilter/x_tables.c in the netfilter subsystem. (CVE-2021-29650)\n\n - Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow an authenticated user to potentially enable denial of service via local access. (CVE-2021-33098)\n\n - In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack. (CVE-2021-34556)\n\n - In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled value.\n (CVE-2021-35477)\n\n - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)\n\n - A flaw was found in the Linux kernel. A memory leak in the ccp-ops crypto driver can allow attackers to cause a denial of service. This vulnerability is similar with the older CVE-2019-18808. The highest threat from this vulnerability is to system availability. (CVE-2021-3744)\n\n - A memory leak flaw was found in the Linux kernel's ccp_run_aes_gcm_cmd() function that allows an attacker to cause a denial of service. The vulnerability is similar to the older CVE-2019-18808. The highest threat from this vulnerability is to system availability. (CVE-2021-3764)\n\n - A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses. (CVE-2021-3772)\n\n - net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in any net namespace because these changes are leaked into all other net namespaces. This is related to the NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls. (CVE-2021-38209)\n\n - In gre_handle_offloads of ip_gre.c, there is a possible page fault due to an invalid memory access. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-150694665References: Upstream kernel (CVE-2021-39633)\n\n - In fs/eventpoll.c, there is a possible use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product:\n AndroidVersions: Android kernelAndroid ID: A-204450605References: Upstream kernel (CVE-2021-39634)\n\n - In aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2021-39698)\n\n - A use-after-free flaw was found in the Linux kernel's network scheduling subsystem due to a race condition.This flaw allows a local user to cause a denial of service (memory corruption or crash) or privilege escalation. (CVE-2021-39713)\n\n - A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)\n\n - A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that allows local users to create files for the XFS file-system with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions granted in case when they should not. This vulnerability is similar to the previous CVE-2018-13405 and adds the missed fix for the XFS. (CVE-2021-4037)\n\n - A read-after-free memory flaw was found in the Linux kernel s garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges o (CVE-2021-4083)\n\n - A flaw memory leak in the Linux kernel's eBPF for the Simulated networking device driver in the way user uses BPF for the device such that function nsim_map_alloc_elem being called. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4135)\n\n - An out of memory bounds write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in the way users use mirroring (replication of files with NFS). A user, having access to the NFS mount, could potentially use this flaw to crash the system or escalate privileges on the system. (CVE-2021-4157)\n\n - A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures.\n Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel. (CVE-2021-4159)\n\n - A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11.\n This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object. (CVE-2021-44733)\n\n - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small. (CVE-2021-45486)\n\n - In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file. (CVE-2021-45868)\n\n - Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-0001)\n\n - Non-transparent sharing of branch predictor within a context in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-0002)\n\n - A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.\n (CVE-2022-0492)\n\n - A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or CAP_SYS_RAWIO) to create issues with confidentiality. (CVE-2022-0494)\n\n - A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2. (CVE-2022-0617)\n\n - A flaw use after free in the Linux kernel FUSE filesystem was found in the way user triggers write(). A local user could use this flaw to get some unauthorized access to some data from the FUSE filesystem and as result potentially privilege escalation too. (CVE-2022-1011)\n\n - Due to the small table perturb size, a memory leak flaw was found in the Linux kernel's TCP source port generation algorithm in the net/ipv4/tcp.c function. This flaw allows an attacker to leak information and may cause a denial of service. (CVE-2022-1012)\n\n - A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain,which can cause a use- after-free.This issue needs to handle return with proper preconditions,as it can lead to a kernel information leak problem caused by a local,unprivileged attacker. (CVE-2022-1016)\n\n - A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel.This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information. (CVE-2022-1353)\n\n - An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP pacing can lead to memory/netns leak, which can be used by remote clients. (CVE-2022-1678)\n\n - Kernel-headers includes the C header files that specify the interfacebetween the Linux kernel and userspace libraries and programs. Theheader files define structures and constants that are needed forbuilding most standard programs and are also needed for rebuilding theglibc package. (CVE-2022-1729)\n\n - In mmc_blk_read_single of block.c, there is a possible way to read kernel heap memory due to uninitialized data. This could lead to local information disclosure if reading from an SD card that triggers errors, with no additional execution privileges needed. User interaction is not needed for exploitation.\n (CVE-2022-20008)\n\n - In lg_probe and related functions of hid-lg.c and other USB HID files, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure if a malicious USB HID device were plugged in, with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2022-20132)\n\n - In ip_check_mc_rcu of igmp.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege when opening and closing inet sockets with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2022-20141)\n\n - Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB.An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches.Then, cache allocation can allow the attacker to obtain sensitive information. (CVE-2022-23960)\n\n - An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor. (CVE-2022-24448)\n\n - A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat. (CVE-2022-27666)\n\n - usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double free. (CVE-2022-28388)\n\n - ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free.\n (CVE-2022-28390)\n\n - Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions. (CVE-2022-29581)\n\n - The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag. (CVE-2022-30594)\n\n - net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free. (CVE-2022-32250)\n\n - The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used. (CVE-2022-32296)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-10-10T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.6.0 : kernel (EulerOS-SA-2022-2566)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-13405", "CVE-2019-18808", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2021-0920", "CVE-2021-0938", "CVE-2021-0941", "CVE-2021-20321", "CVE-2021-29650", "CVE-2021-33098", "CVE-2021-34556", "CVE-2021-35477", "CVE-2021-3655", "CVE-2021-3744", "CVE-2021-3764", "CVE-2021-3772", "CVE-2021-38209", "CVE-2021-39633", "CVE-2021-39634", "CVE-2021-39698", "CVE-2021-39713", "CVE-2021-4002", "CVE-2021-4037", "CVE-2021-4083", "CVE-2021-4135", "CVE-2021-4157", "CVE-2021-4159", "CVE-2021-44733", "CVE-2021-45485", "CVE-2021-45486", "CVE-2021-45868", "CVE-2022-0001", "CVE-2022-0002", "CVE-2022-0492", "CVE-2022-0494", "CVE-2022-0617", "CVE-2022-1011", "CVE-2022-1012", "CVE-2022-1016", "CVE-2022-1353", "CVE-2022-1678", "CVE-2022-1729", "CVE-2022-20008", "CVE-2022-20132", "CVE-2022-20141", "CVE-2022-23960", "CVE-2022-24448", "CVE-2022-27666", "CVE-2022-28388", "CVE-2022-28390", "CVE-2022-29581", "CVE-2022-30594", "CVE-2022-32250", "CVE-2022-32296"], "modified": "2022-12-26T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:bpftool", "cpe:/o:huawei:euleros:uvp:3.0.6.0", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python3-perf", "p-cpe:/a:huawei:euleros:kernel"], "id": "EULEROS_SA-2022-2566.NASL", "href": "https://www.tenable.com/plugins/nessus/165936", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165936);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/26\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26142\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2021-0920\",\n \"CVE-2021-0938\",\n \"CVE-2021-0941\",\n \"CVE-2021-3655\",\n \"CVE-2021-3744\",\n \"CVE-2021-3764\",\n \"CVE-2021-3772\",\n \"CVE-2021-4002\",\n \"CVE-2021-4037\",\n \"CVE-2021-4083\",\n \"CVE-2021-4135\",\n \"CVE-2021-4157\",\n \"CVE-2021-4159\",\n \"CVE-2021-20321\",\n \"CVE-2021-29650\",\n \"CVE-2021-33098\",\n \"CVE-2021-34556\",\n \"CVE-2021-35477\",\n \"CVE-2021-38209\",\n \"CVE-2021-39633\",\n \"CVE-2021-39634\",\n \"CVE-2021-39698\",\n \"CVE-2021-39713\",\n \"CVE-2021-44733\",\n \"CVE-2021-45485\",\n \"CVE-2021-45486\",\n \"CVE-2021-45868\",\n \"CVE-2022-0001\",\n \"CVE-2022-0002\",\n \"CVE-2022-0492\",\n \"CVE-2022-0494\",\n \"CVE-2022-0617\",\n \"CVE-2022-1011\",\n \"CVE-2022-1012\",\n \"CVE-2022-1016\",\n \"CVE-2022-1353\",\n \"CVE-2022-1678\",\n \"CVE-2022-1729\",\n \"CVE-2022-20008\",\n \"CVE-2022-20132\",\n \"CVE-2022-20141\",\n \"CVE-2022-23960\",\n \"CVE-2022-24448\",\n \"CVE-2022-27666\",\n \"CVE-2022-28388\",\n \"CVE-2022-28390\",\n \"CVE-2022-29581\",\n \"CVE-2022-30594\",\n \"CVE-2022-32250\",\n \"CVE-2022-32296\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n\n script_name(english:\"EulerOS Virtualization 3.0.6.0 : kernel (EulerOS-SA-2022-2566)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and\n WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to\n inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat\n fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,\n independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and\n WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can\n abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - A flaw was found in the Linux kernel, where the WiFi implementations accept plaintext A-MSDU frames as\n long as the first 8 bytes correspond to a valid RFC1042 (ex., LLC/SNAP) header for EAPOL. The highest\n threat from this vulnerability is to integrity. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - A vulnerability was found in Linux kernel, where the WiFi implementation reassemble fragments with non-\n consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This\n vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-\n confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This\n could lead to local escalation of privilege with System execution privileges needed. User interaction is\n not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References:\n Upstream kernel (CVE-2021-0920)\n\n - In memzero_explicit of compiler-clang.h, there is a possible bypass of defense in depth due to\n uninitialized data. This could lead to local information disclosure with no additional execution\n privileges needed. User interaction is not needed for exploitation. (CVE-2021-0938)\n\n - In bpf_skb_change_head of filter.c, there is a possible out of bounds read due to a use after free. This\n could lead to local escalation of privilege with System execution privileges needed. User interaction is\n not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-154177719References:\n Upstream kernel (CVE-2021-0941)\n\n - A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users\n do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.\n (CVE-2021-20321)\n\n - A denial-of-service (DoS) flaw was identified in the Linux kernel due to an incorrect memory barrier in\n xt_replace_table in net/netfilter/x_tables.c in the netfilter subsystem. (CVE-2021-29650)\n\n - Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow\n an authenticated user to potentially enable denial of service via local access. (CVE-2021-33098)\n\n - In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from\n kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects\n the possibility of uninitialized memory locations on the BPF stack. (CVE-2021-34556)\n\n - In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from\n kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store\n operation does not necessarily occur before a store operation that has an attacker-controlled value.\n (CVE-2021-35477)\n\n - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on\n inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)\n\n - A flaw was found in the Linux kernel. A memory leak in the ccp-ops crypto driver can allow attackers to\n cause a denial of service. This vulnerability is similar with the older CVE-2019-18808. The highest threat\n from this vulnerability is to system availability. (CVE-2021-3744)\n\n - A memory leak flaw was found in the Linux kernel's ccp_run_aes_gcm_cmd() function that allows an attacker\n to cause a denial of service. The vulnerability is similar to the older CVE-2019-18808. The highest threat\n from this vulnerability is to system availability. (CVE-2021-3764)\n\n - A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP\n association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and\n the attacker can send packets with spoofed IP addresses. (CVE-2021-3772)\n\n - net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in\n any net namespace because these changes are leaked into all other net namespaces. This is related to the\n NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls. (CVE-2021-38209)\n\n - In gre_handle_offloads of ip_gre.c, there is a possible page fault due to an invalid memory access. This\n could lead to local information disclosure with no additional execution privileges needed. User\n interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-150694665References: Upstream kernel (CVE-2021-39633)\n\n - In fs/eventpoll.c, there is a possible use after free. This could lead to local escalation of privilege\n with no additional execution privileges needed. User interaction is not needed for exploitation.Product:\n AndroidVersions: Android kernelAndroid ID: A-204450605References: Upstream kernel (CVE-2021-39634)\n\n - In aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free. This\n could lead to local escalation of privilege with no additional execution privileges needed. User\n interaction is not needed for exploitation. (CVE-2021-39698)\n\n - A use-after-free flaw was found in the Linux kernel's network scheduling subsystem due to a race\n condition.This flaw allows a local user to cause a denial of service (memory corruption or crash) or\n privilege escalation. (CVE-2021-39713)\n\n - A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some\n regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the\n memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)\n\n - A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that\n allows local users to create files for the XFS file-system with an unintended group ownership and with\n group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a\n certain group and is writable by a user who is not a member of this group. This can lead to excessive\n permissions granted in case when they should not. This vulnerability is similar to the previous\n CVE-2018-13405 and adds the missed fix for the XFS. (CVE-2021-4037)\n\n - A read-after-free memory flaw was found in the Linux kernel s garbage collection for Unix domain socket\n file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race\n condition. This flaw allows a local user to crash the system or escalate their privileges o\n (CVE-2021-4083)\n\n - A flaw memory leak in the Linux kernel's eBPF for the Simulated networking device driver in the way user\n uses BPF for the device such that function nsim_map_alloc_elem being called. A local user could use this\n flaw to get unauthorized access to some data. (CVE-2021-4135)\n\n - An out of memory bounds write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in\n the way users use mirroring (replication of files with NFS). A user, having access to the NFS mount, could\n potentially use this flaw to crash the system or escalate privileges on the system. (CVE-2021-4157)\n\n - A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures.\n Internal memory locations could be returned to userspace. A local attacker with the permissions to insert\n eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit\n mitigations in place for the kernel. (CVE-2021-4159)\n\n - A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11.\n This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory\n object. (CVE-2021-44733)\n\n - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information\n leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based\n attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak\n because the hash table is very small. (CVE-2021-45486)\n\n - In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota\n tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a\n corrupted quota file. (CVE-2021-45868)\n\n - Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may\n allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-0001)\n\n - Non-transparent sharing of branch predictor within a context in some Intel(R) Processors may allow an\n authorized user to potentially enable information disclosure via local access. (CVE-2022-0002)\n\n - A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the\n kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups\n v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.\n (CVE-2022-0492)\n\n - A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in\n the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or\n CAP_SYS_RAWIO) to create issues with confidentiality. (CVE-2022-0494)\n\n - A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way\n user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw\n to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2. (CVE-2022-0617)\n\n - A flaw use after free in the Linux kernel FUSE filesystem was found in the way user triggers write(). A\n local user could use this flaw to get some unauthorized access to some data from the FUSE filesystem and\n as result potentially privilege escalation too. (CVE-2022-1011)\n\n - Due to the small table perturb size, a memory leak flaw was found in the Linux kernel's TCP source port\n generation algorithm in the net/ipv4/tcp.c function. This flaw allows an attacker to leak information and\n may cause a denial of service. (CVE-2022-1012)\n\n - A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain,which can cause a use-\n after-free.This issue needs to handle return with proper preconditions,as it can lead to a kernel\n information leak problem caused by a local,unprivileged attacker. (CVE-2022-1016)\n\n - A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel.This flaw\n allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of\n internal kernel information. (CVE-2022-1353)\n\n - An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP\n pacing can lead to memory/netns leak, which can be used by remote clients. (CVE-2022-1678)\n\n - Kernel-headers includes the C header files that specify the interfacebetween the Linux kernel and\n userspace libraries and programs. Theheader files define structures and constants that are needed\n forbuilding most standard programs and are also needed for rebuilding theglibc package. (CVE-2022-1729)\n\n - In mmc_blk_read_single of block.c, there is a possible way to read kernel heap memory due to uninitialized\n data. This could lead to local information disclosure if reading from an SD card that triggers errors,\n with no additional execution privileges needed. User interaction is not needed for exploitation.\n (CVE-2022-20008)\n\n - In lg_probe and related functions of hid-lg.c and other USB HID files, there is a possible out of bounds\n read due to improper input validation. This could lead to local information disclosure if a malicious USB\n HID device were plugged in, with no additional execution privileges needed. User interaction is not needed\n for exploitation. (CVE-2022-20132)\n\n - In ip_check_mc_rcu of igmp.c, there is a possible use after free due to improper locking. This could lead\n to local escalation of privilege when opening and closing inet sockets with no additional execution\n privileges needed. User interaction is not needed for exploitation. (CVE-2022-20141)\n\n - Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation,\n aka Spectre-BHB.An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to\n influence mispredicted branches.Then, cache allocation can allow the attacker to obtain sensitive\n information. (CVE-2022-23960)\n\n - An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the\n O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a\n regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file\n descriptor. (CVE-2022-24448)\n\n - A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and\n net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap\n objects and may cause a local privilege escalation threat. (CVE-2022-27666)\n\n - usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double\n free. (CVE-2022-28388)\n\n - ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free.\n (CVE-2022-28390)\n\n - Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to\n cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14\n and later versions. (CVE-2022-29581)\n\n - The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers\n to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag. (CVE-2022-30594)\n\n - net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create\n user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to\n a use-after-free. (CVE-2022-32250)\n\n - The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are\n used. (CVE-2022-32296)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-2566\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2c3963be\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-4157\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-1012\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python3-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"bpftool-4.19.36-vhulk1907.1.0.h1252.eulerosv2r8\",\n \"kernel-4.19.36-vhulk1907.1.0.h1252.eulerosv2r8\",\n \"kernel-devel-4.19.36-vhulk1907.1.0.h1252.eulerosv2r8\",\n \"kernel-headers-4.19.36-vhulk1907.1.0.h1252.eulerosv2r8\",\n \"kernel-tools-4.19.36-vhulk1907.1.0.h1252.eulerosv2r8\",\n \"kernel-tools-libs-4.19.36-vhulk1907.1.0.h1252.eulerosv2r8\",\n \"perf-4.19.36-vhulk1907.1.0.h1252.eulerosv2r8\",\n \"python-perf-4.19.36-vhulk1907.1.0.h1252.eulerosv2r8\",\n \"python3-perf-4.19.36-vhulk1907.1.0.h1252.eulerosv2r8\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "prion": [{"lastseen": "2023-11-22T01:31:45", "description": "An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-11T20:15:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26140"], "modified": "2022-09-03T03:55:00", "id": "PRION:CVE-2020-26140", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2020-26140", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "ics": [{"lastseen": "2023-12-03T17:12:23", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 6.5**\n * **ATTENTION:** Exploitable remotely\n * **Vendor: **Mitsubishi Electric\n * **Equipment:** Wireless LAN communication unit GT25-WLAN in GOT2000 Series GT25 or GT27\n * **Vulnerabilities: **Improper Removal of Sensitive Information Before Storage or Transfer, Inadequate Encryption Strength, Missing Authentication for Critical Function, Injection, Improper Input Validation\n\n## 2\\. UPDATE INFORMATION\n\nThis updated advisory is a follow-up to the original advisory titled ICSA-22-102-04 Mitsubishi Electric GT25-WLAN that was published April 12, 2022, on the ICS webpage on cisa.gov/ics.\n\n## 3\\. RISK EVALUATION\n\nThere are multiple vulnerabilities due to design flaws in the frame fragmentation functionality and the frame aggregation functionality in the Wireless Communication Standards IEEE 802.11. These vulnerabilities could allow an attacker to steal communication contents or inject unauthorized packets.\n\n## 4\\. TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\nThe following versions of Wireless LAN communication unit GT25-WLAN in GOT2000 Series GT25 or GT27, are affected:\n\n**\\--------- Begin Update A Part 1 of 2 ---------**\n\n * GT25-WLAN: Version 01.39.000 and earlier\n\n**\\--------- End Update A Part 1 of 2 ---------**\n\n### 4.2 VULNERABILITY OVERVIEW\n\n#### 4.2.1 [IMPROPER REMOVAL OF SENSITIVE INFORMATION BEFORE STORAGE OR TRANSFER CWE-212](<https://cwe.mitre.org/data/definitions/212.html>)\n\nThe affected product is vulnerable to a fragment cache attack as it does not clear fragments from memory when (re)connecting. This may allow an attacker to steal communication contents or inject unauthorized packets.\n\n[CVE-2020-24586](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24586>) has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N>)).\n\n#### 4.2.2 [INADEQUATE ENCRYPTION STRENGTH CWE-326](<https://cwe.mitre.org/data/definitions/326.html>)\n\nThe affected product is vulnerable to a mixed key attack as it reassembles fragments encrypted under different keys. This may allow an attacker to steal communication contents.\n\n[CVE-2020-24587](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24587>) has been assigned to this vulnerability. A CVSS v3 base score of 2.6 has been assigned; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N>)).\n\n#### 4.2.3 [MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306](<https://cwe.mitre.org/data/definitions/306.html>)\n\nThe affected product is vulnerable to an aggregation attack as it accepts non-SPP A-MSDU frames. This may allow an attacker to inject unauthorized packets.\n\n[CVE-2020-24588](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24588>) has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N>)).\n\n#### 4.2.4 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nThe affected product can accept plaintext data frames in a protected network. This may allow an attacker to inject unauthorized packets.\n\n[CVE-2020-26140](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26140>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 4.2.5 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nThe affected product is vulnerable to accepting fragmented plaintext data frames in a protected network. This may allow an attacker to inject unauthorized packets.\n\n[CVE-2020-26143](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26143>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 4.2.6 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nThe affected product can accept plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL in an encrypted network. This may allow an attacker to inject unauthorized packets.\n\n[CVE-2020-26144](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26144>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 4.2.7 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nThe affected product can reassemble encrypted fragments with non-consecutive packet numbers. This may allow an attacker to steal communication contents.\n\n[CVE-2020-26146](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26146>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Critical Manufacturing\n * **COUNTRIES/AREAS DEPLOYED:** Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** Japan\n\n### 4.4 RESEARCHER\n\nMitsubishi Electric reported these vulnerabilities to CISA.\n\n## 5\\. MITIGATIONS\n\nMitsubishi Electric has provided the following mitigations or workarounds.\n\n**\\-------- Begin Update A Part 2 of 2 ---------**\n\nFor users who use the affected products and versions, please update to the fixed versions by following the steps:\n\nCheck the versions in use by referencing GOT2000 Series User's Manual (Utility) (SH-081195ENG), 6.9 Package Data Management \u2013 \u201cProperty operation.\u201d\n\nThe latest version of the manual is available from [Mitsubishi Electric FA Global Website](<https://www.mitsubishielectric.com/fa>).\n\n**Fixed versions**\n\nInstall system applications (extended function) \u201cWireless LAN\u201d v01.45.000 or later.\n\n * Fixed system applications (extended function) \u201cWireless LAN\u201d is included in GT Designer3 Version 1 (GOT2000) v1.275M or later.\n * This does not include countermeasures for [CVE-2020-26146](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26146>)\n\nUsers are encouraged to follow the following update procedure:\n\n 1. Download and install the fixed version of MELSOFT GT Designer3 (GOT2000). Please contact a [Mitsubishi Electric representative](<https://www.mitsubishielectric.com/fa/support/index.html>) about MELSOFT GT Designer3 (GOT2000).\n 2. Start the MELSOFT GT Designer3 (GOT2000) and open the project data used in affected products.\n 3. Select [Write to GOT] from [Communication] menu to write the required package data to the GOT. Please refer to \u201c4. COMMUNICATING WITH GOT\u201d in the GT Designer3 (GOT2000) [Screen Design Manual (SH-081220ENG)](<https://www.mitsubishielectric.com/fa/products/hmi/got/smerit/gt_works3/manual/index.html>).\n 4. After writing the required package data to the GOT, refer to the \u201cHow to check the versions in use\u201d and check the fixed versions.\n\n**\\-------- End Update A Part 2 of 2 ---------**\n\nWhen using the wireless LAN communication unit as an access point, check if the wireless LAN communication unit settings are as follows.\n\n * For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers.\n * Use WPA or WPA2 as the security authentication method for wireless LAN.\n * Use the IP filter function*1 to restrict the accessible IP addresses. \n * *1- Refer to GT Designer3 (GOT2000) [Screen Design Manual (SH-081220ENG)](<https://www.mitsubishielectric.com/fa/products/hmi/got/smerit/gt_works3/manual/index.html>) \u201c5.4.3 Setting the IP filter\u201d\n\nWhen using the wireless LAN communication unit as a station, check if the router settings are as follows:\n\n * For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers.\n * Use WPA or WPA2 as the security authentication method for wireless LAN.\n * If you change the router settings, hide its presence on the Internet to make it difficult for unauthorized access. (e.g., set to not respond to PING requests).\n * Set password for the router\u2019s Management portal, which is difficult to be identified.\n\nCheck the following when using a computer or tablet, etc., on the same network.\n\n * Update Antivirus software to the latest version.\n * Do not open or access suspicious attachment file or linked URL.\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure they are [not accessible from the Internet](<https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nCISA also provides a section for [control systems security recommended practices](<https://www.cisa.gov/uscert/ics/recommended-practices>) on the [ICS webpage on cisa.gov/ics](<https://cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on cisa.gov/ics](<https://cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B>).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities. \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-05-12T12:00:00", "type": "ics", "title": "Mitsubishi Electric GT25-WLAN (Update A)", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26140", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26146"], "modified": "2022-05-12T12:00:00", "id": "ICSA-22-102-04", "href": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-102-04", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-03T17:13:25", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 6.5**\n * **ATTENTION:** Exploitable remotely/low attack complexity\n * **Vendor:** Siemens\n * **Equipment: **SCALANCE family devices\n * **Vulnerabilities: **Improper Authentication, Injection, Improper Validation of Integrity Check, Improper Input Validation\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an attacker within Wi-Fi range to forge encrypted frames, which could result in sensitive data disclosure and traffic manipulation.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following Siemens products are affected:\n\n * SCALANCE W721-1 RJ45: All versions\n * SCALANCE W722-1 RJ45: All versions\n * SCALANCE W734-1 RJ45: All versions\n * SCALANCE W738-1 M12: All versions\n * SCALANCE W748-1 M12: All versions\n * SCALANCE W738-1 RJ45: All versions\n * SCALANCE W761-1 RJ45: All versions\n * SCALANCE W774-1 M12 EEC: All versions\n * SCALANCE W774-1 RJ45: All versions\n * SCALANCE W778-1 M12 EEC: All versions\n * SCALANCE W786-1 RJ45: All versions\n * SCALANCE W786-2 RJ45: All versions\n * SCALANCE W786-2 SFP: All versions\n * SCALANCE W786-2IA RJ45: All versions\n * SCALANCE W788-1 M12: All versions\n * SCALANCE W788-1 RJ45: All versions\n * SCALANCE W788-2 M12: All versions\n * SCALANCE W788-1 M12 EEC: All versions\n * SCALANCE W788-2 RJ45: All versions\n * SCALANCE W1748-1 M12: All versions prior to v3.0.0\n * SCALANCE W1750D M12: All versions prior to v8.7.1.3\n * SCALANCE W1788-1 M12: All versions prior to v3.0.0\n * SCALANCE W1788-2 EEC M12: All versions prior to v3.0.0\n * SCALANCE W1788-2 M12: All versions prior to v3.0.0\n * SCALANCE W1788-2IA M12: All versions prior to v3.0.0\n * SCALANCE WAM766-1: All versions\n * SCALANCE WAM766-1 EEC: All versions\n * SCALANCE WUM763-1: All versions\n * SCALANCE WUM766-1: All versions\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306](<https://cwe.mitre.org/data/definitions/306.html>)\n\nThe 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn\u2019t require the A-MSDU flag in the plaintext QoS header field to be authenticated. Against devices that support receiving non-SSP A-MSDU frames, which is mandatory as part of 802.11n, an adversary can abuse this to inject arbitrary network packets.\n\n[CVE-2020-24588](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24588>) has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N>)).\n\n#### 3.2.2 [IMPROPER AUTHENTICATION CWE-287](<https://cwe.mitre.org/data/definitions/287.html>)\n\nAn issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.\n\n[CVE-2020-26139](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26139>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H>)).\n\n#### 3.2.3 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nAn issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.\n\n[CVE-2020-26140](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26140>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.4 [IMPROPER VALIDATION OF INTEGRITY CHECK VALUE CWE-354](<https://cwe.mitre.org/data/definitions/354.html>)\n\nAn issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.\n\n[CVE-2020-26141](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26141>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.5 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.\n\n[CVE-2020-26143](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26143>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.6 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first eight bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.\n\n[CVE-2020-26144](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26144>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.7 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.\n\n[CVE-2020-26145](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26145>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.8 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note WEP is vulnerable to this attack by design.\n\n[CVE-2020-26146](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26146>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.9 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.\n\n[CVE-2020-26147](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26147>) has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Multiple Sectors\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** Germany\n\n### 3.4 RESEARCHER\n\nSiemens reported these vulnerabilities to CISA.\n\n## 4\\. MITIGATIONS\n\nSiemens recommends updating their software to the latest version where available:\n\n * SCALANCE W1748-1 M12: [Update to v3.0.0](<https://support.industry.siemens.com/cs/ww/en/view/109808629>) or later\n * SCALANCE W1750D M12: [Update to v8.7.1.3](<https://support.industry.siemens.com/cs/de/en/view/109802805>) or later\n * SCALANCE W1788-1 M12: [Update to v3.0.0](<https://support.industry.siemens.com/cs/ww/en/view/109808629>) or later\n * SCALANCE W1788-2 EEC M12: [Update to v3.0.0](<https://support.industry.siemens.com/cs/ww/en/view/109808629>) or later\n * SCALANCE W1788-2 M12: [Update to v3.0.0](<https://support.industry.siemens.com/cs/ww/en/view/109808629>) or later\n * SCALANCE W1788-2IA M12: [Update to v3.0.0](<https://support.industry.siemens.com/cs/ww/en/view/109808629>) or later\n * SCALANCE WAM766-1: [Update to v1.2](<https://support.industry.siemens.com/cs/de/en/view/109805887>) or later\n * SCALANCE WAM766-1 EEC: [Update to v1.2](<https://support.industry.siemens.com/cs/de/en/view/109805887>) or later\n * SCALANCE WUM763-1: [Update to v1.2](<https://support.industry.siemens.com/cs/de/en/view/109805887>) or later\n * SCALANCE WUM766-1: [Update to v1.2](<https://support.industry.siemens.com/cs/de/en/view/109805887>) or later\n\nSiemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:\n\n * As these vulnerabilities can only be exploited within Wi-Fi range, when possible reduce Wi-Fi transmission power or make sure to have the devices in private areas with physical access controls\n * When possible, A-MSDU can be disabled to mitigate CVE-2020-24588 and CVE-2020-26144\n\nFor more details regarding the [FragAttacks](<https://www.fragattacks.com/>) vulnerabilities refer to:\n\n * [Fragment and Forge Breaking Wi-Fi Through Frame Aggregation and Fragmentation](<https://papers.mathyvanhoef.com/usenix2021.pdf>)\n\nAs a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends users configure the environment according to the [Siemens operational guidelines for industrial security](<https://cert-portal.siemens.com/operational-guidelines-industrial-security.pdf>) and follow the recommendations in the product manuals.\n\nFor additional information, please refer to Siemens Security Advisory [SSA-913875](<https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf>) \n\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure they are [not accessible from the Internet](<https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nCISA also provides a section for [control systems security recommended practices](<https://www.cisa.gov/uscert/ics/recommended-practices>) on the ICS webpage on [cisa.gov](<https://www.cisa.gov/uscert/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on cisa.gov](<https://www.cisa.gov/uscert/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B>).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-14T12:00:00", "type": "ics", "title": "Siemens SCALANCE FragAttacks", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147"], "modified": "2022-04-14T12:00:00", "id": "ICSA-22-104-04", "href": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-104-04", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-03T17:20:57", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 7.5**\n * **ATTENTION: **Low attack complexity\n * **Vendor:** Hitachi ABB Power Grids\n * **Equipment:** TropOS\n * **Vulnerabilities:** Injection, Inadequate Encryption Strength, Missing Authentication for Critical Function, Improper Authentication, Improper Validation of Integrity Check Value, Improper Input Validation\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an attacker to direct a client that is connected to a TropOS Wi-Fi access point to fake websites and extract sensitive data.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nHitachi ABB Power Grids reports these vulnerabilities affect the following products:\n\n * TropOS: Firmware Version 8.9.4.8 and prior\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nThe 802.11 standard that underpins Wi-Fi protected access (WPA, WPA2, and WPA3) and wired equivalent privacy (WEP) does not require received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this vulnerability can be exploited to inject arbitrary network packets and/or exfiltrate user data.\n\n[CVE-2020-24586](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24586>) has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N>)).\n\n#### 3.2.2 [INADEQUATE ENCRYPTION STRENGTH CWE-326](<https://cwe.mitre.org/data/definitions/326.html>)\n\nThe 802.11 standard that underpins Wi-Fi protected access (WPA, WPA2, and WPA3) and wired equivalent privacy (WEP) does not require all fragments of a frame are encrypted under the same key. An adversary could exploit this vulnerability to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.\n\n[CVE-2020-24587](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24587>) has been assigned to this vulnerability. A CVSS v3 base score of 2.6 has been calculated; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N>)).\n\n#### 3.2.3 [MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306](<https://cwe.mitre.org/data/definitions/306.html>)\n\nThe 802.11 standard that underpins Wi-Fi protected access (WPA, WPA2, and WPA3) and wired equivalent privacy (WEP) does not require the A-MSDU flag in the plaintext QoS header field be authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary could exploit this vulnerability to inject arbitrary network packets.\n\n[CVE-2020-24588](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24588>) has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N>)).\n\n#### 3.2.4 [IMPROPER AUTHENTICATION CWE-287](<https://cwe.mitre.org/data/definitions/287.html>)\n\nAn access point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.\n\n[CVE-2020-26139](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26139>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H>)).\n\n#### 3.2.5 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can exploit this vulnerability to inject arbitrary data frames independent of the network configuration.\n\n[CVE-2020-26140](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26140>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.6 [IMPROPER VALIDATION OF INTEGRITY CHECK VALUE CWE-354](<https://cwe.mitre.org/data/definitions/354.html>)\n\nThe Wi-Fi implementation does not verify the message integrity check (authenticity) of fragmented TKIP frames. An adversary can exploit this vulnerability to inject and decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.\n\n[CVE-2020-26141](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26141>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.7 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can exploit this vulnerability to inject arbitrary network packets independent of the network configuration.\n\n[CVE-2020-26142](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26142>) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.8 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can exploit this vulnerability to inject arbitrary data frames independent of the network configuration.\n\n[CVE-2020-26143](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26143>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.9 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first eight bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can exploit this vulnerability to inject arbitrary network packets independent of the network configuration.\n\n[CVE-2020-26144](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26144>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.10 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments when sent in plaintext and process them as full unfragmented frames. An adversary can exploit this vulnerability to inject arbitrary network packets independent of the network configuration.\n\n[CVE-2020-26145](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26145>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.11 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nThe WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can exploit this vulnerability to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note: WEP is vulnerable to this attack by design.\n\n[CVE-2020-26146](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26146>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.12 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. An adversary can exploit this vulnerability to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.\n\n[CVE-2020-26147](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26147>) has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Critical Manufacturing, Energy\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Switzerland\n\n### 3.4 RESEARCHER\n\nHitachi ABB Power Grids reported these vulnerabilities to CISA.\n\n## 4\\. MITIGATIONS\n\nHitachi ABB Power Grids recommends updating to firmware v8.9.4.9 or later, which resolves these vulnerabilities. For additional information on these vulnerabilities, including update instructions, please see the [Hitachi ABB Power Grids security advisory](<https://search.abb.com/library/Download.aspx?DocumentID=9AKK107992A4463&LanguageCode=en&DocumentPartId=&Action=Launch>).\n\nHitachi ABB Power Grids has tested and recommends the following mitigation actions, which help block known attack vectors:\n\n * Disable the Wi-Fi access on any TropOS unit where local Wi-Fi access is not required. This is achieved by NOT enabling (or disabling) the local access SSID.\n * Where Wi-Fi access is required, wherever possible ensure physical access to the local area is restricted to approved staff only.\n * Use the Wi-Fi whitelist capability to restrict Wi-Fi access to only approved personnel.\n * As the FragAttacks vulnerability is targeted at an end-user device and generally involves redirection to fraudulent websites, the installation of comprehensive firewall capabilities on company end-user devices and servers will significantly reduce the likelihood of negative outcomes.\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\n * Do not click web links or open unsolicited attachments in email messages.\n * Refer to [Recognizing and Avoiding Email Scams](<https://us-cert.cisa.gov/sites/default/files/publications/emailscams_0905.pdf>) for more information on avoiding email scams.\n * Refer to [Avoiding Social Engineering and Phishing Attacks](<https://us-cert.cisa.gov/ncas/tips/ST04-014>) for more information on social engineering attacks.\n\nThese vulnerabilities are not exploitable remotely. No known public exploits specifically target these vulnerabilities. \n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-08-24T12:00:00", "type": "ics", "title": "Hitachi ABB Power Grids TropOS", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147"], "modified": "2021-08-24T12:00:00", "id": "ICSA-21-236-01", "href": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-236-01", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "checkpoint_security": [{"lastseen": "2023-04-20T02:09:08", "description": "Cause\n\nSeveral CVEs were published on Wi-Fi devices under the name FragAttacks. More information about them can be found at: <https://www.fragattacks.com/> \n \nThe list of new CVEs related to wireless security flaws with fragmented and aggregated frames, is relevant to Check Point Quantum Spark wireless products. All of the vulnerabilities are in the wireless medium and therefore require physical proximity to the appliance and can not be exploited just from any network. \n \nThese are the relevant CVEs: \n[CVE-2020-24586](<https://vulners.com/cve/CVE-2020-24586>) \u2013 Not clearing fragments from memory when (re)connecting to a network \n[CVE-2020-26144](<https://vulners.com/cve/CVE-2020-26144>) \u2013 Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network) \n[CVE-2020-26145](<https://vulners.com/cve/CVE-2020-26145>) \u2013 Accepting plaintext broadcast fragments as full frames (in an encrypted network) \n[CVE-2020-26146](<https://vulners.com/cve/CVE-2020-26146>) \u2013 Reassembling encrypted fragments with non-consecutive packet numbers \n[CVE-2020-26147](<https://vulners.com/cve/CVE-2020-26147>) \u2013 Reassembling mixed encrypted/plaintext fragments \n[CVE-2020-24587](<https://vulners.com/cve/CVE-2020-24587>) \u2013 Reassembling fragments encrypted under different keys \n[CVE-2020-24588](<https://vulners.com/cve/CVE-2020-24588>) \u2013 Accepting non-SPP A-MSDU frames \n[CVE-2020-26139](<https://vulners.com/cve/CVE-2020-26139>) \u2013 Forwarding EAPOL frames even though the sender is not yet authenticated \n[CVE-2020-26140](<https://vulners.com/cve/CVE-2020-26140>) \u2013 Accepting plaintext data frames in a protected network \n[CVE-2020-26141](<https://vulners.com/cve/CVE-2020-26141>) \u2013 Not verifying the TKIP MIC of fragmented frames \n[CVE-2020-26143](<https://vulners.com/cve/CVE-2020-26143>) \u2013 Accepting fragmented plaintext data frames in a protected network \n\n\nSolution\n\nThis problem was fixed. The fix is included in:\n\n * [**R77.20.87 Build 990172913 for 700/900/1400 Appliances**](<https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=116361>)\n * [**R80.20.25 Build 992002136 for 1500 Appliances**](<https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=116364>)\n * **[R80.20.30 for Quantum Spark Appliances](<https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk173185>)**\nNote: The R77.20.87 and R80.20.25 fixes are Jumbo Hotfixes based on the latest Jumbo release. \nThe sequence number is different because it is a different branch (until a new public jumbo GA will be available). \n \nCheck Point recommends to always upgrade to the most recent version ([700 ](<https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowproductpage&productTab=overview&product=460>)/ [1400 ](<https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowproductpage&productTab=overview&product=490>)/ [1500](<https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowproductpage&productTab=overview&product=512>)). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-09T23:24:30", "type": "checkpoint_security", "title": "Check Point Response to Wi-Fi FragAttacks in Quantum Spark appliances", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147"], "modified": "2021-06-09T23:24:30", "id": "CPS:SK173718", "href": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk173718", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "thn": [{"lastseen": "2022-05-09T12:38:04", "description": "[](<https://thehackernews.com/images/-W-onve7bfgs/YJvS6q8T98I/AAAAAAAAChk/CbCIUJa6N8w2vj9w5f15LSdzMm3ypsFigCLcBGAsYHQ/s0/wifi-hacking.jpg>)\n\nThree design and multiple implementation flaws have been disclosed in IEEE 802.11 technical standard that undergirds Wi-Fi, potentially enabling an adversary to take control over a system and plunder confidential data.\n\nCalled [FragAttacks](<https://www.fragattacks.com/>) (short for FRgmentation and AGgregation Attacks), the weaknesses impact all Wi-Fi security protocols, from Wired Equivalent Privacy (WEP) all the way to Wi-Fi Protected Access 3 (WPA3), thus virtually putting almost every wireless-enabled device at risk of attack.\n\n\"An adversary that is within radio range of a victim can abuse these vulnerabilities to steal user information or attack devices,\" Mathy Vanhoef, a security academic at New York University Abu Dhabi, said. \"Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.\"\n\nIEEE 802.11 provides the basis for all modern devices using the Wi-Fi family of network protocols, allowing laptops, tablets, printers, smartphones, smart speakers, and other devices to communicate with each other and access the Internet via a wireless router.\n\nIntroduced in January 2018, [WPA3](<https://www.wi-fi.org/discover-wi-fi/security>) is a third-generation security protocol that's at the heart of most Wi-Fi devices with several enhancements such as robust authentication and increased cryptographic strength to safeguard wireless computer networks.\n\nAccording to Vanhoef, the [issues](<https://github.com/vanhoefm/fragattacks>) stem from \"widespread\" programming mistakes encoded in the implementation of the standard, with some flaws dating all the way back to 1997. The vulnerabilities have to do with the way the standard fragments and aggregates frames, allowing threat actors to inject arbitrary packets and trick a victim into using a malicious DNS server, or forge the frames to siphon data. \n\nThe [list of 12 flaws](<https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md>) is as follows \u2014\n\n * **CVE-2020-24588**: Accepting non-SPP A-MSDU frames\n * **CVE-2020-24587**: Reassembling fragments encrypted under different keys\n * **CVE-2020-24586**: Not clearing fragments from memory when (re)connecting to a network\n * **CVE-2020-26145**: Accepting plaintext broadcast fragments as full frames (in an encrypted network)\n * **CVE-2020-26144**: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network)\n * **CVE-2020-26140**: Accepting plaintext data frames in a protected network\n * **CVE-2020-26143**: Accepting fragmented plaintext data frames in a protected network\n * **CVE-2020-26139**: Forwarding EAPOL frames even though the sender is not yet authenticated\n * **CVE-2020-26146**: Reassembling encrypted fragments with non-consecutive packet numbers\n * **CVE-2020-26147**: Reassembling mixed encrypted/plaintext fragments\n * **CVE-2020-26142**: Processing fragmented frames as full frames\n * **CVE-2020-26141**: Not verifying the TKIP MIC of fragmented frames\n\nA bad actor can leverage these flaws to inject arbitrary network packets, intercept and exfiltrate user data, launch denial-of-service attacks, and even possibly decrypt packets in WPA or WPA2 networks.\n\n\"If network packets can be injected towards a client, this can be abused to trick the client into using a malicious DNS server,\" Vanhoef explained in an [accompanying research paper](<https://papers.mathyvanhoef.com/usenix2021.pdf>). \"If network packets can be injected towards an [access point], the adversary can abuse this to bypass the NAT/firewall and directly connect to any device in the local network.\"\n\nIn a hypothetical attack scenario, these vulnerabilities can be exploited as a stepping stone to launch advanced attacks, permitting an attacker to take over an outdated Windows 7 machine inside a local network. But on a brighter note, the design flaws are hard to exploit as they require user interaction or are only possible when using uncommon network settings.\n\nThe findings have been shared with the Wi-Fi Alliance, following which firmware updates were prepared during a 9-month-long coordinated disclosure period. Microsoft, for its part, released fixes for some of the flaws ([CVE-2020-24587](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-24587>), [CVE-2020-24588](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-24588>), and [CVE-2020-26144](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-26144>)) as part of its Patch Tuesday update for May 2021. Vanhoef said an updated Linux kernel is in the works for actively supported distributions.\n\nThis is not the first time Vanhoef has demonstrated severe flaws in the Wi-Fi standard. In 2017, the researcher disclosed what's called [KRACKs](<https://www.krackattacks.com/>) (Key Reinstallation AttACKs) in WPA2 protocol, enabling an attacker to read sensitive information and steal credit card numbers, passwords, messages, and other data.\n\n\"Interestingly, our aggregation attack could have been avoided if devices had implemented optional security improvements earlier,\" Vanhoef concluded. \"This highlights the importance of deploying security improvements before practical attacks are known. The two fragmentation based design flaws were, at a high level, caused by not adequately separating different security contexts. From this we learn that properly separating security contexts is an important principle to take into account when designing protocols.\"\n\nMitigations for FragAttacks from other companies like Cisco, HPE/Aruba Networks, Juniper Networks, and Sierra Wireless can be accessed in the [advisory](<https://www.icasi.org/aggregation-fragmentation-attacks-against-wifi/>) released by the Industry Consortium for Advancement of Security on the Internet (ICASI).\n\n\"There is no evidence of the vulnerabilities being used against Wi-Fi users maliciously, and these issues are mitigated through routine device updates that enable detection of suspect transmissions or improve adherence to recommended security implementation practices,\" the Wi-Fi Alliance [said](<https://www.wi-fi.org/security-update-fragmentation>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-12T13:07:00", "type": "thn", "title": "Nearly All Wi-Fi Devices Are Vulnerable to New FragAttacks", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147"], "modified": "2021-05-14T11:46:06", "id": "THN:C210D3FA71F1ED44D3BA1BF0CA368767", "href": "https://thehackernews.com/2021/05/nearly-all-wifi-devices-are-vulnerable.html", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "cisco": [{"lastseen": "2023-12-03T16:53:09", "description": "On May 11, 2021, the research paper Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation was made public. This paper discusses 12 vulnerabilities in the 802.11 standard. One vulnerability is in the frame aggregation functionality, two vulnerabilities are in the frame fragmentation functionality, and the other nine are implementation vulnerabilities. These vulnerabilities could allow an attacker to forge encrypted frames, which could in turn enable the exfiltration of sensitive data from a targeted device.\n\nThis advisory will be updated as additional information becomes available.\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu\"]", "cvss3": {}, "published": "2021-05-11T18:00:00", "type": "cisco", "title": "Multiple Vulnerabilities in Frame Aggregation and Fragmentation Implementations of 802.11 Specification Affecting Cisco Products: May 2021", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147"], "modified": "2021-12-15T15:47:26", "id": "CISCO-SA-WIFI-FAF-22EPCEWU", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu", "cvss": {"score": 6.5, "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}], "threatpost": [{"lastseen": "2021-05-12T17:09:06", "description": "A Belgian security researcher specializing in Wi-Fi bugs has unearthed a clutch of new ones, which he called FragAttacks, that affect the Wi-Fi standard itself. The name is short for \u201cfragmentation and aggregation attacks.\u201d\n\nSome bugs date back to 1997, meaning that computers, smartphones or other smart devices as old as 24 years may be vulnerable to attackers in Wi-Fi range. If attackers are near enough, they could intercept the owner\u2019s information, trigger malicious code, and/or take over the device.\n\nMathy Vanhoef, the Belgian security researcher who discovered the FragAttacks, said in a Tuesday [post](<https://www.fragattacks.com/>) that three of the vulnerabilities are design flaws in the Wi-Fi standard and therefore \u201caffect most devices.\u201d Several other vulnerabilities are caused by \u201cwidespread programming mistakes,\u201d he said, with experiments indicating that \u201cevery Wi-Fi product is affected by at least one vulnerability,\u201d with most affected by several.\n\nVanhoef knows his Wi-Fi protocols and how to shred them: He previously discovered the [KRACK attack](<https://threatpost.com/krack-attack-devastates-wi-fi-security/128461/>), a devastating weakness in the WPA2 protocol that allows attackers to decrypt encrypted traffic, steal data and inject malicious code, depending on the network configuration. He also found the [RC4 NOMORE attack](<https://threatpost.com/new-rc4-attack-dramatically-reduces-plaintext-recovery-time/113808/>), which helped drive nails into the coffin of the RC4 encryption algorithm, as well as the Dragonblood attack against WPA3 Wi-Fi networks that would allow attackers to steal passwords.\n\nThe video below demonstrates three ways attackers can exploit the latest vulnerabilities: By intercepting victims\u2019 authentication credentials; abusing [insecure internet-of-things (IoT)](<https://threatpost.com/5-fundamental-iot-device-security-controls/165577/>) devices by remotely flipping a smart power socket on and off; and by serving as a foothold to launch advanced attacks, particularly by hijacking an outdated Windows 7 machine inside a local network.\n\n## Bugs Are Not Being Exploited in the Wild\u2026Maybe\n\nVanhoef said that the design flaws aren\u2019t being exploited now, nor have they been in the past \u2013 at least, not that he and his team are aware of. It took so long to discover some of the flaws, his hunch is that they haven\u2019t yet been uncovered elsewhere. It\u2019s tough to say for sure though, given how difficult it is to monitor all these devices, with the flaws reaching back over more than two decades. \u201cSo it is hard to give a definite answer to this question,\u201d he said.\n\nYaniv Bar-Dayan, CEO and co-founder at the vulnerability management provider Vulcan Cyber, agrees that an attack is unlikely, though we should take frag attacks against Wi-Fi devices quite seriously \u2013 they can, after all, be exploited to steal user data or attack devices. While serious, they would take a \u201cperfect storm\u201d, he said Attackers need to be in radio range, an exploit requires misconfigured network settings, and adversaries need direct interaction with a user. \u201cThis has the potential to seriously disrupt a large [swath] of users. However, it\u2019s unlikely that the exploitation of these vulnerabilities will be successful in the wild,\u201d he told Threatpost via email on Wednesday. \n\nThat doesn\u2019t mean that they can be ignored, though. While vendors work to pump out patches, it\u2019s vital that device owners implement proven Wi-Fi security best practices. \u201cEnd users and administrators alike need to be coordinated in their efforts to regularly patch connected devices, which include routers, IoT devices and smartphones,\u201d Bar-Dayan commented. \u201cMake sure your router is encrypting data, use a sophisticated and unique password or multi-factor authentication, don\u2019t broadcast your network ID, double check configurations are secure, and, above all else, patch early and often.\u201d\n\n## How the Bugs Work\n\nSeveral of the implementation flaws can be abused to \u201ceasily\u201d inject frames into a protected Wi-Fi network, Vanhoef explained. \u201cIn particular, an adversary can often inject an unencrypted Wi-Fi frame by carefully constructing this frame,\u201d he wrote.\n\nOne way these bugs can be abused to intercept a device owners\u2019 information is by tricking the client into using a malicious DNS server, as his demo video shows. Those flaws can also be used to compromise routers by bypassing the NAT/firewall, which would let attackers go after devices in a local Wi-Fi network. The demo video above demonstrates one example: An attack on an outdated Windows 7 machine.\n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nThe demo also shows how other vulnerabilities are linked to the process by which the Wi-Fi standard breaks and then reassembles network packets, allowing an attacker to siphon data by injecting their own malicious code during the operation.\n\n## How Does He Know That *Every* Device Is Affected?\n\nExperiments were done on more than 75 devices, with every one of them proving vulnerable to at least one of the discovered attacks. Could there be FragAttack-resistant Wi-Fi gadgets tucked into some cave in some dark corner of the globe? Well, if you find one, let him know, Vanhoef wrote.\n\n\u201cI\u2019m curious myself whether all devices in the whole world are indeed affected though!\u201d he said. \u201cTo find this out, if you find a device that isn\u2019t affected by at least one of the discovered vulnerabilities, let me know.\u201d\n\nDevice vendors, this could be your 15 minutes of fame. The researcher said that if you think your product isn\u2019t affected, please send him one: After he confirms that it can shrug off FragAttacks, the name of the company and the product will be featured in his post. No silent patches, please: Vanhoef has ways to sniff out whether the device was indeed available before the vulnerabilities were disclosed. He plans to present his research at the [USENIX Security](<https://www.fragattacks.com/#usenixpres>) conference, with a longer talk and more background scheduled for [Black Hat USA](<https://blackhat.com/us-21/briefings/schedule/index.html#fragattacks-breaking-wi-fi-through-fragmentation-and-aggregation-23518>), which takes place July 31-Aug. 5.\n\n## Welcome to a Hellish, Ongoing Patching Job\n\nDisclosure of the FragAttack vulnerabilities comes after a nine-month embargo: A period in which the Wi-Fi Alliance has been overhauling its standard and guidelines and working with device vendors as they release firmware patches, with supervision from the Industry Consortium for Advancement of Security on the Internet (ICASI). Not all vendors have patched at this point, but ICASI has published [an overview](<https://www.icasi.org/aggregation-fragmentation-attacks-against-wifi/>) of where they\u2019re at.\n\nThe creaky [WEP protocol](<https://threatpost.com/microsoft-wi-fi-protection/145053/>) won\u2019t save you, and you should hang your head in shame if you\u2019re still using it, Vanhoef said: \u201cIn case you\u2019ve been living under a rock, stop using WEP, it\u2019s known to be a horrible security protocol.\u201d\n\nThis [tool](<https://github.com/vanhoefm/fragattacks>) can test if clients or Wi-Fi access points, including home or enterprise networks, are vulnerable to the design and implementations flaws. The tool supports over 45 test cases and requires modified drivers in order to reliably test, but bear in mind that without modified drivers, you might come to the incorrect conclusion that a device isn\u2019t affected.\n\nTo check whether or not a device vendor has issued a patch for one of the dozen FragAttacks, check your device\u2019s firmware changelogs to see if it\u2019s received security updates that address these CVEs:\n\n### **Wi-Fi Standard Design Flaws:**\n\n * [CVE-2020-24588](<https://nvd.nist.gov/vuln/detail/CVE-2020-24588>): aggregation attack (accepting non-SPP A-MSDU frames).\n * [CVE-2020-24587](<https://nvd.nist.gov/vuln/detail/CVE-2020-24587>): mixed key attack (reassembling fragments encrypted under different keys).\n * [CVE-2020-24586](<https://nvd.nist.gov/vuln/detail/CVE-2020-24586>): fragment cache attack (not clearing fragments from memory when (re)connecting to a network).\n\n### **WiFi Standard Implementation Flaws:**\n\n * [CVE-2020-26145](<https://nvd.nist.gov/vuln/detail/CVE-2020-26145>): Accepting plaintext broadcast fragments as full frames (in an encrypted network).\n * [CVE-2020-26144](<https://nvd.nist.gov/vuln/detail/CVE-2020-26144>): Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).\n * [CVE-2020-26140](<https://nvd.nist.gov/vuln/detail/CVE-2020-26140>): Accepting plaintext data frames in a protected network.\n * [CVE-2020-26143](<https://nvd.nist.gov/vuln/detail/CVE-2020-26143>): Accepting fragmented plaintext data frames in a protected network.\n\n### **Other Implementation Flaws:**\n\n * [CVE-2020-26139](<https://nvd.nist.gov/vuln/detail/CVE-2020-26139>): Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).\n * [CVE-2020-26146](<https://nvd.nist.gov/vuln/detail/CVE-2020-26146>): Reassembling encrypted fragments with non-consecutive packet numbers.\n * [CVE-2020-26147](<https://nvd.nist.gov/vuln/detail/CVE-2020-26147>): Reassembling mixed encrypted/plaintext fragments.\n * [CVE-2020-26142](<https://nvd.nist.gov/vuln/detail/CVE-2020-26142>): Processing fragmented frames as full frames.\n * [CVE-2020-26141](<https://nvd.nist.gov/vuln/detail/CVE-2020-26141>): Not verifying the TKIP MIC of fragmented frames\n\n## Why Didn\u2019t Anybody Notice Until Now?\n\nAs far as the aggregation design flaw goes, it was in fact noticed. Back in 2007, when the 802.11n amendment was being written, it introduced support for aggregated (A-MSDU) frames. Several IEEE members noticed that the \u201cis aggregated\u201d flag wasn\u2019t authenticated, but given that many products had already implemented a draft of the 802.11n amendment, it was decided that rather than work backwards, devices could advertise whether they are capable of authenticating the \u201cis aggregated\u201d flag.\n\nUnfortunately, as of 2020, \u201cnot a single tested device supported this capability, likely because it was considered hard to exploit,\u201d the researcher said. \u201cTo quote a remark made back in 2007: \u2018While it is hard to see how this can be exploited, it is clearly a flaw that is capable of being fixed.'\u201d\n\nIn short, it was noticed, a defense was cooked up, but nobody adopted it: A \u201cgood example that security defenses must be adopted before attacks become practical,\u201d Vanhoef said.\n\n## The Vendors Respond\n\nOn Monday, vendors issued a slew of advisories connected to the Frag Attacks. \n\n**Intel** \nFor its part, Intel issued [an advisory](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00473.html>) about the potential security vulnerabilities that can be found in its PROSet/Wireless WiFi and Intel vPro\u00ae Converged Security and Management Engine (CSME) WiFi and Killer\u2122 WiFi products and which may allow denial of service (DoS). The company is in the process of releasing firmware and software updates to fix the bugs, it says.\n\n**Linksys** \n[Linksys did the same](<https://www.linksys.com/us/support-article/?articleNum=246427#ff>), referring to the vulnerabilities with the name of Vanhoef\u2019s paper, which is titled [Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation](<https://papers.mathyvanhoef.com/usenix2021.pdf>). The company said that \u201cdevices using encryption schemes from WEP up to WPA3 are affected industry wide,\u201d though an attacker would again need to either \u201chave a device under their control already on the target network or \u2026 to be in proximity of the Wi-Fi network and trick a user on the network to visit the attacker\u2019s server (phishing email, malicious ads, etc.).\u201d The company says it\u2019s working with vendors and manufacturers to get patches out and into customers\u2019 devices \u201cas soon as possible.\u201d \n\nBesides basic security protections \u2013 don\u2019t click on unexpected emails or visit fishy websites \u2013 Linksys also recommends periodically checking that there are no unfamiliar devices connected to your network. If so, block them and/or change your Wi-Fi network password and, as always, use a strong admin password for your router and enable automatic updates.\n\n**Cisco** \nThe hardware giant published [an advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu>) with a list of affected products longer than your arm. It\u2019s still working to evaluate fixes, so check back: It will continue to update the advisory as it works through this blizzard. \n\nThanks to the nine-month embargo on disclosure, many affected devices and software have already been (quietly) fixed. That includes already applied [Linux patches](<https://lore.kernel.org/linux-wireless/20210511180259.159598-1-johannes@sipsolutions.net/#t>). Microsoft released its patches early, on March 9, which was actually the original date set for disclosure until it was decided to delay. Microsoft had already committed to shipping certain patches on March 9: a decision with which Vanhoef said he agreed, given that \u201creleasing certain patches without providing information about the vulnerabilities was, at that point, an acceptable risk. Put differently, the advantages of delaying the disclosure appeared to outweigh the risk that someone would reverse engineer the patches and rediscover certain attacks.\u201d\n\nAs for all the other Wi-Fi device vendors, Vanhoef recommended checking with them to find out whether the Frag Attacks have been addressed. \u201c[F]or some devices the impact is minor, while for others it\u2019s disastrous,\u201d he said.\n\n## What To Do if Your Device Isn\u2019t Patched Yet\n\nUsing a VPN can prevent attacks where an adversary is trying to exfiltrate data, but it won\u2019t prevent an attacker from bypassing your router\u2019s NAT/firewall to directly attack devices.\n\nVanhoef passed along these general security best practices:\n\n * Update your devices, including IoT/smart devices, which don\u2019t all receive regular updates\n * Don\u2019t reuse your passwords\n * Back up important data\n * Keep off of dicey websites\n * Double-check that websites you visit use HTTPS, or better yet, install the HTTPS Everywhere plugin, which forces HTTPS usages on websites that are known to support it\n * Manually configure your DNS server to prevent poisoning.\n\n051221 12:20 UPDATE: Added commentary from Yaniv Bar-Dayan. \n051221 13:03 UPSRW: Included vendor response data.\n\n**Join Threatpost for \u201c**[**Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**\u201d \u2013 a LIVE roundtable event on**[** Wed, May 12 at 2:00 PM EDT**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and**[ **Register HERE**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)** for free. **\n", "cvss3": {}, "published": "2021-05-12T15:48:05", "type": "threatpost", "title": "\u2018FragAttacks\u2019: Wi-Fi Bugs Affect Millions of Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147"], "modified": "2021-05-12T15:48:05", "id": "THREATPOST:2DBC4E237FAA8188A19D53BBB3356C62", "href": "https://threatpost.com/fragattacks-wifi-bugs-millions-devices/166080/", "cvss": {"score": 0.0, "vector": "NONE"}}], "hackerone": [{"lastseen": "2023-10-17T07:28:52", "bounty": 0.0, "description": "I discovered three design flaws in the Wi-Fi standard and widespread related implementation flaws ([see GitHub overview and test tool](https://github.com/vanhoefm/fragattacks#fragattacks-fragmentation--aggregation-attacks)). **Here I'll specifically cover open source software**. These findings have not received bug bounties from other sources.\n\n\n# Implementation flaws allowing trivial packet injection\n\n- [CVE-2020-26140](https://nvd.nist.gov/vuln/detail/CVE-2020-26140): Accepting plaintext data frames in a protected network. This allows trivial packet injection. On a Linux client, the AWUS036H network card is vulnerable and two out of four Linux-based **home routers** were vulnerable. On **NetBSD access points**, three out of four tested network cards were vulnerable, and on FreeBSD access points, the F5D8053 network card was vulnerable.\n\n- [CVE-2020-26143](https://nvd.nist.gov/vuln/detail/CVE-2020-26143): Accepting fragmented plaintext data frames in a protected network. This allows trivial packet injection. On a **Linux client**, 7 out of 16 network cards were vulnerable. On FreeBSD access points, two out of four tested network cards were vulnerable.\n\n- [CVE-2020-26145](https://nvd.nist.gov/vuln/detail/CVE-2020-26145): Accepting plaintext broadcast fragments as full frames. This allows trivial packet injection. All tested network cards on **NetBSD and FreeBSD access points** were vulnerable. On a Linux client, only the TWFM-B003D network card was vulnerable.\n\n- [CVE-2020-26144](https://nvd.nist.gov/vuln/detail/CVE-2020-26144): Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL. This allows trivial packet injection. On a Linux client, the AWUS036ACH and TWFM-B003D network cards were vulnerable. All 6 tested **FreeBSD** network cards were vulnerable (both as clients and access points).\n\n\n# Other implementation vulnerabilities\n\n- [CVE-2020-26139](https://nvd.nist.gov/vuln/detail/CVE-2020-26139): the access point forwards EAPOL frames even if the client isn't yet authenticated. This allows an adversary to perform the aggregation attack (see below) against any client by simply being within radio range (i.e. no social engineering needed). All **NetBSD and FreeBSD access points** were vulnerable, as were two out of four Linux-based home routers.\n\n- [CVE-2020-26146](https://nvd.nist.gov/vuln/detail/CVE-2020-26146): reassembling encrypted fragments with non-consecutive packet numbers. This can be abused to exfiltrate data, under the condition that another device sends fragmented frames. All tested open source Wi-Fi implementations were vulnerable (FreeBSD, NetBSD, FullMAC Linux drivers) except SoftMAC Linux drivers.\n\n- [CVE-2020-26147](https://nvd.nist.gov/vuln/detail/CVE-2020-26147): reassembling mixed encrypted/plaintext fragments. The impact ranges from data exfiltration to packet injection, under the condition that another device sends fragmented frames. All open source Wi-Fi implementations were vulnerable (Linux, FreeBSD, NetBSD, Linux, etc).\n\n- [CVE-2020-26142](https://nvd.nist.gov/vuln/detail/CVE-2020-26142): processing fragmented frames as full frames. This can be abused to inject packets, under the condition that the another device sends fragmented frames, and in most cases requires (minor) social engineering. Among open source platforms, only OpenBSD was vulnerable.\n\n- [CVE-2020-26141](https://nvd.nist.gov/vuln/detail/CVE-2020-26141): not verifying the TKIP MIC of fragmented frames. This can be abused to exfiltrate and inject packets in old WPA1 networks. On Linux, only the NWD6505 and AWUS036ACM network cards were vulnerable.\n\n\n# Design flaws\n\n1. [Aggregation Attack](https://www.fragattacks.com/#aggregationattack) (CVE-2020-24588): the A-MSDU flag in the plaintext Wi-Fi header is not authenticated. This can be abused, usually in combination with minor social engineering, to inject arbitrary packets to a victim. All 802.11n-compatible open source implementations were vulnerable (Linux, FreeBSD, OpenBSD, etc).\n\n2. [Mixed Key Attack](https://www.fragattacks.com/#mixedkeyattack) (CVE-2020-24587): a receiver will reassemble fragments that were decrypted using different keys. Under very rare conditions this can be abused to exfiltrate data. All open source Wi-Fi implementations were vulnerable (FreeBSD, NetBSD, Linux, etc) except OpenBSD because it doesn't support fragmentation.\n\n3. [Fragment Cache Attack](https://www.fragattacks.com/#fragcacheattack) (CVE-2020-24586): a receiver will not clear fragments from memory when reconnecting or reassociating to a Wi-Fi network. Under the right conditions this can be abused to exfiltrate data. Under very rare conditions it can also be abused to inject arbitrary packets towards clients. Most open source Wi-Fi implementations were vulnerable (FreeBSD, Linux, etc) with the exception of OpenBSD and NetBSD.\n\n## Impact\n\nAs indicated above, there are two impacts:\n\n1. **Arbitrary packet injection**: this clearly breaks the security of Wi-Fi. A first practical example is that this can be abused to make a client use a malicious DNS server to subsequently intercept all traffic (and perform SSL stripping attacks). As second practical example, the adversary can abuse packet injection to \"punch holes in the NAT\" to then directly attack internal devices (e.g. exploit internet-of-things devices or exploit BlueKeep against outdated Windows 7 machines). See [this addendum](https://papers.mathyvanhoef.com/fragattacks-overview.pdf) for the technical details or [watch three demos](https://www.youtube.com/watch?v=88YZ4061tYw).\n\n2. **Data exfiltration**: this is only possible if another device sends fragmented frames. In practice this is rare unless Wi-Fi 6 is used. Additionally, the data can only be exfiltrated if no higher-layer encryption is used (i.e. TLS will prevent data exfiltration).\n\n\nFinally, I've also contributed patches to these open source projects:\n\n- [Linux](https://lwn.net/ml/linux-wireless/20210511200110.30c4394bb835.I5acfdb552cc1d20c339c262315950b3eac491397@changeid/): I wrote patches to prevent all attacks. Additional defense-in-depth and driver-specific patches were added by Linux developers.\n\n- [Wi-Fi standard](https://mentor.ieee.org/802.11/dcn/21/11-21-0816-00-000m-on-a-msdu-addressing.docx): I'm helping to update the 802.11 standard to fix the design flaws (starting with A-MSDU fixes).\n\n- [FreeBSD](https://bugs.freebsd.org/bugzilla/buglist.cgi?quicksearch=ALL%20reporter%3Avanhoef): I wrote patches to mitigate vulnerabilities in FreeBSD. These patches are now under review [[1](https://reviews.freebsd.org/D30665), [2](https://reviews.freebsd.org/D30664), [3](https://reviews.freebsd.org/D30663)].\n\n- [NetBSD](https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=56204): I submitted initial patches. The remaining patches are in progress.\n\n- [OpenBSD](https://github.com/openbsd/src/commit/e12e039eea57d78605e08542b570756b41a2a610): I reviewed patches related to A-MSDU vulnerabilities resulting in more secure patches.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-19T21:24:25", "type": "hackerone", "title": "Internet Bug Bounty: Fragmentation and Aggregation Flaws in Wi-Fi", "bulletinFamily": "bugbounty", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147"], "modified": "2021-07-23T03:59:49", "id": "H1:1238470", "href": "https://hackerone.com/reports/1238470", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "malwarebytes": [{"lastseen": "2021-05-21T10:40:11", "description": "A new set of vulnerabilities with an aggressive name and their own [website](<http://www.fragattacks.com/>) almost always bodes ill. The name FragAttack is a contraction of **fragmentation and aggregation attacks**, which immediately indicates the main area where the vulnerabilities were found.\n\nThe vulnerabilities are mostly in how Wi-Fi and connected devices handle data packets, and more particularly in how they handle fragments and frames of data packets. As far as the researcher is aware every Wi-Fi product is affected by at least one vulnerability.\n\n### The research\n\nThe researcher that uncovered the Wi-Fi vulnerabilities, some of which have existed since 1997, is [Mathy](<https://www.twitter.com/vanhoefm>)[ Vanhoef](<https://www.twitter.com/vanhoefm>). The vulnerabilities he discovered affect all modern Wi-Fi security protocols, including the latest WPA3 specification. You may remember Vanhoef as one of the researchers behind the [KrackAttacks](<https://www.krackattacks.com/>) weaknesses in the WPA2 protocol. As Vanhoef puts it:\n\n> \u201cit stays important to analyze even the most well-known security. Additionally, it shows that it's essential to regularly test Wi-Fi products for security vulnerabilities, which can for instance be done when certifying them.\u201d\n\n### Packet fragmentation\n\nIn each network, there is a maximum size to the chunks of data that can be transmitted on a network layer, called the MTU (Maximum Transmission Unit). Packets can often be larger than this maximum size, so to fit inside the MTU limit each packet can be divided into smaller pieces of data, called fragments. These fragments are later re-assembled to reconstruct the original message.\n\nWi-Fi networks can use this packet fragmentation to improve throughput. By fragmenting data packets and sending more, but shorter frames, each transmission will have a lower probability of collision with another packet. So, if the content of a message is too large to fit inside a single packet, the content is spread across several fragments, each with its own header. \n\nJust like packets, frames are small parts of a message in the network. A frame helps to identify data and determine the way it should be decoded and interpreted. The main difference between a packet and a frame is the association with the [OSI layers](<https://en.wikipedia.org/wiki/OSI_model>). While a packet is the unit of data used in the network layer, a frame is the unit of data used on the layer below it in the OSI model\u2019s data link layer. A frame contains more information about the transmitted message than a packet.\n\n### The vulnerabilities\n\nThe researcher found several implementation flaws that can be abused to easily inject frames into a protected Wi-Fi network. These vulnerabilities can be grouped as follows:\n\n#### Device-specific flaws\n\n * Some Wi-Fi devices accept any unencrypted frame even when connected to a protected Wi-Fi network.\n * Certain devices accept plaintext aggregated frames that look like handshake messages.\n * Worse than those, some devices accept broadcast fragments even when sent unencrypted.\n\n#### Design flaws in the Wi-Fi feature that handling frames\n\n * The frame aggregation feature of Wi-Fi uses an "is aggregated" flag that is not authenticated and can be modified by an adversary.\n * Another design flaw is in the frame fragmentation feature of Wi-Fi. Receivers are not required to check whether every fragment that belongs to the same frame is encrypted with the same key and will reassemble fragments that were decrypted using different keys.\n * The third design flaw is also in Wi-Fi's frame fragmentation feature. When a client disconnects from the network, the Wi-Fi device is not required to remove non-reassembled fragments from memory.\n\nA few other implementation vulnerabilities that can be used to escalate the flaws mentioned above.\n\n### CVE\u2019s\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Although each affected codebase normally receives a unique CVE, the agreement between affected vendors was that, in this specific case, using the same CVE across different codebases would make communication easier.\n\nThe design flaws were assigned the following CVEs:\n\n * [CVE-2020-24588](<https://nvd.nist.gov/vuln/detail/CVE-2020-24588>): Aggregation attack (accepting non-SPP A-MSDU frames).\n * [CVE-2020-24587](<https://nvd.nist.gov/vuln/detail/CVE-2020-24587>): Mixed key attack (reassembling fragments encrypted under different keys).\n * [CVE-2020-24586](<https://nvd.nist.gov/vuln/detail/CVE-2020-24586>): Fragment cache attack (not clearing fragments from memory when (re)connecting to a network).\n\nImplementation vulnerabilities that allow the trivial injection of plaintext frames in a protected Wi-Fi network were assigned these CVEs:\n\n * [CVE-2020-26145](<https://nvd.nist.gov/vuln/detail/CVE-2020-26145>): Samsung Galaxy S3 accepting plaintext broadcast fragments as full frames (in an encrypted network).\n * [CVE-2020-26144](<https://nvd.nist.gov/vuln/detail/CVE-2020-26144>): Samsung Galaxy S3 accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).\n * [CVE-2020-26140](<https://nvd.nist.gov/vuln/detail/CVE-2020-26140>): Alfa Windows 10 driver for AWUS036H accepting plaintext data frames in a protected network.\n * [CVE-2020-26143](<https://nvd.nist.gov/vuln/detail/CVE-2020-26143>): Alfa Windows 10 driver 1030.36.604 for AWUS036ACH accepting fragmented plaintext data frames in a protected network.\n\nOther implementation flaws are assigned the following CVEs:\n\n * [CVE-2020-26139](<https://nvd.nist.gov/vuln/detail/CVE-2020-26139>): NetBSD forwarding EAPOL frames even though the sender is not yet authenticated.\n * [CVE-2020-26146](<https://nvd.nist.gov/vuln/detail/CVE-2020-26146>): Samsung Galaxy S3 reassembling encrypted fragments with non-consecutive packet numbers.\n * [CVE-2020-26147](<https://nvd.nist.gov/vuln/detail/CVE-2020-26147>): Linux kernel 5.8.9 reassembling mixed encrypted/plaintext fragments.\n * [CVE-2020-26142](<https://nvd.nist.gov/vuln/detail/CVE-2020-26142>): OpenBSD 6.6 kernel processing fragmented frames as full frames.\n * [CVE-2020-26141](<https://nvd.nist.gov/vuln/detail/CVE-2020-26141>): ALFA Windows 10 driver for AWUS036H not verifying the TKIP MIC of fragmented frames.\n\n### Vulnerable devices\n\nOn the dedicated site the researcher states that\n\n> \u201cexperiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.\u201d\n\nThe statement is based on testing more than 75 devices, which showed they were all vulnerable to one or more of the discovered attacks.\n\n### Mitigation\n\nTo mitigate attacks where your router's NAT/firewall is bypassed and devices are directly attacked, you must assure that all your devices will need to be updated. Unfortunately, not all products get regular updates.\n\nUsing a [VPN](<https://blog.malwarebytes.com/privacy-2/2020/06/vpns-should-you-use-them/>) can prevent attacks where an adversary is trying to exfiltrate data. It will not prevent an adversary from bypassing your router's NAT/firewall to directly attack devices.\n\nThe impact of attacks can also be reduced by manually configuring your [DNS](<https://blog.malwarebytes.com/cybercrime/2015/09/dns-hijacks-what-to-look-for/>) server so that it cannot be poisoned.\n\n### Graveness of the vulnerabilities\n\nWe have been here before. When the KRACK vulnerabilities were revealed a few years ago some people treated it as if it was the end of Wi-Fi. You'll have noticed it wasn't. That doesn't mean it was nothing, either, but a little perspective goes a long way.\n\nThe CVEs registered to the FragAttacks have been given a medium severity rating and have CVSS scores sitting between 4.8 to 6.5. Which indicates that the chances of anything resembling remote control is probably too difficult to achieve to make it attractive. The data stealing options however are more imminent and could well be used in specific attacks.\n\n### Proof is in the pudding\n\nIf you are interested, you can find a demo and a link to a testing tool on the [dedicated website](<http://www.fragattacks.com/>). You can also find some FAQs and a pre-recorded presentation made for USENIX Security about these vulnerabilities.\n\nStay safe, everyone!\n\nThe post [FragAttack: New Wi-Fi vulnerabilities that affect\u2026 basically everything](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/fragattack-new-wi-fi-vulnerabilities-that-affect-basically-everything/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-05-12T17:31:21", "type": "malwarebytes", "title": "FragAttack: New Wi-Fi vulnerabilities that affect\u2026 basically everything", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147"], "modified": "2021-05-12T17:31:21", "id": "MALWAREBYTES:28CA5946147FC0561948BA2EF52A8329", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/fragattack-new-wi-fi-vulnerabilities-that-affect-basically-everything/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "arista": [{"lastseen": "2023-12-03T17:36:08", "description": "## Security Advisory 0063 PDF\n\n#### **Updated:** May 25th, 2021\n\nRevision | Date | Changes \n---|---|--- \n1.0 | May 12th, 2021 | Initial Release \n1.1 | May 25th, 2021 | Updated assessment with impacted platforms, detection and mitigation. \n1.2 | June 9, 2021 | Updated assessment \n1.3 | August 19, 2021 | Updated affected platforms, fixed releases, and CVSS Scores \n \n### **Description**\n\nThis security advisory documents the exposure of Arista\u2019s Wi-Fi products to multiple publicly documented security vulnerabilities related to packet fragmentation and aggregation, known as Fragmentation and Forge. These vulnerabilities impact any deployments using WEP, WPA, WPA2 and WPA3 security methods with any SSID. The vulnerabilities span multiple vectors and types of attack. \n\nThe vulnerabilities are documented by Arista under Bug 561363.\n\n**CVE** | **Description** | **CVSS** \n---|---|--- \nCVE-2020-24586 | During a connection/reconnection, fragments are cached in memory. This vulnerability can be used to inject fragmented packets; or to exfiltrate user data if the cache is accessed during the connection. | **3.5** \nAV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N \nCVE-2020-24587 | When reassembling packets, the encryption key used on fragments is not required to be consistent. As a result, unrelated fragments can be mixed using valid keys. This requires a \u201cMan in the Middle\u201d presence level. | **2.6** \nAV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N \nCVE-2020-24588 | A payload protected wireless frame (PP A-MSDU) does not protect the Present subfield of the QoS header. As this subfield is not authenticated, the bit can be flipped to alter the aggregation status of the packet. | **3.5** \nAV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N \nCVE-2020-26139 | During the authentication process, the AP will forward EAPOL frames, prior to sender completing authentication. Allows for packet injection into an encrypted networking during authentication. | **5.3** \nAV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H \nCVE-2020-26140 | Plaintext data frames are accepted, despite network encryption. Allows for packet injection into an encrypted network. | **6.5** \nAV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N \nCVE-2020-26141 | If using Temporal Key Integrity Protocol (TKIP), the Message Integrity Check (MIC) will be skipped for fragmented frames. Can be leveraged for packet injection and decryption against an encrypted network. This CVE is not applicable to the Arista Wi-Fi Solution. | NA \nCVE-2020-26142 | AP will treat fragmented frames as full frames. This CVE is not applicable to the Arista Wi-Fi Solution. | NA \nCVE-2020-26143 | Plaintext data fragments are accepted, despite network encryption. Allows for packet injection into an encrypted network. | **6.5** \nAV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N \nCVE-2020-26144 | Plaintext A-MSDU frames are accepted on an encrypted network if the frame begins with an EAPOL LLC/Snap header. Allows for packet injection into an encrypted network. | **6.5** \nAV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N \nCVE-2020-26135 | If a fragmented multi-destination packet is received, it will be accepted on encrypted networks if the fragment is plaintext. Allows for packet injection into an encrypted network. | **6.5** \nAV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N \nCVE-2020-26146 | Encrypted fragments will be reassembled, even if they do not have consecutive packet numbers. When combined with fragment injection this can cause users to process malicious data. | **5.3** \nAV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N \nCVE-2020-26147 | Encrypted fragments will be reassembled, even if other fragments have been received plaintext. When combined with fragment injection this can cause users to process malicious data. | **5.4** \nAV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N \n \n### **Symptoms**\n\nThe CVEs discussed primarily create opportunities for packet injection attack vectors:\n\n * Adversaries can inject/cause receipt of arbitrary TCP/IP packets that were never sent by the legitimate client or AP.\n * Adversaries can exfiltrate data under specific conditions.\n * Adversary can make the victim use the adversary's DNS server and intercept the victim\u2019s traffic.\n * Adversaries can get access to victim\u2019s TCP ports that have active services listening (portscan).\n * Adversaries may target delivery of illegitimate TCP/IP packets to any routable network devices.\n * Adversary may route malicious traffic over operator network (hotspot mode).\n\n### **Vulnerability Assessment**\n\n**Affected Software**\n\n * All available versions of Wi-Fi AP software as per the impact matrix below\n\n**Affected Platforms**\n\n**CVE ID** | **Access Points \nC-250 \nC-260 \nC-230 \nC-235 \nC-200 ** | **Access Points \nC-120 \nC-130 \nC-100 \nC-110 \nO-105 \nW-118 ** | \n\n**Access Points \nC-75 \nO-90 \nC-65 \nW-68** \n \n---|---|---|--- \nCVE-2020-24586 | Y | N | N \nCVE-2020-24587 | Y | Y | Y \nCVE-2020-24588 | Y | Y | Y \nCVE-2020-26139 | Y | Y | N \nCVE-2020-26140 | N | N | Y \nCVE-2020-26141 | N | N | N \nCVE-2020-26142 | N | N | N \nCVE-2020-26143 | N | N | Y \nCVE-2020-26144 | Y | Y | Y \nCVE-2020-26145 | Y | Y | Y \nCVE-2020-26146 | Y | Y | Y \nCVE-2020-26147 | N | N | Y \n \n**Mitigation**\n\nAs a security best practice, it is recommended to restrict public access to internal devices to safeguard from potential attacks. A machine-in-the-middle (MitM) attack is required to reliably exploit many of these vulnerabilities (except those applicable to the hotspot scenarios). In this type of attack the adversary sets up a clone of the real AP on a different channel and the client connects to this attacker\u2019s clone instead of the real AP. This enables the attacker to block or modify 802.11 frames.\n\nArista Access Points are already capable of detecting Rogue APs spoofing the MAC address of a legitimate AP. They can also launch an automatic mitigation session in some cases to prevent legitimate clients from connecting to the Rogue AP. Arista AP models equipped with a dedicated scanning radio are capable of this detection and prevention features by scanning the entire spectrum.\n\nArista overlay WIPS solution can also detect and mitigate the Rogue AP spoofing attacks.\n\nWe recommend enabling the following WIPS settings if they are not already enabled:\n\n**Configure > Alerts > MAC Spoofing > AP MAC Spoofing**\n\nEnable \u201cDisplay\u201d and \u201cAffects Security Status\u201d:\n\n\n\n**Configure > WIPS > Automatic Intrusion Detection > MAC Spoofing**\n\nEnable \u201cSpoofing of an Authorized Access Point MAC address\u201d:\n\n\n\nAs a full resolution against this vulnerability, refer to the next section for remediated software versions and hotfix details.\n\n**Resolution**\n\nThis vulnerability is tracked by Bug 561363 and can manifest in any environment leveraging WEP, WPA, WPA2 and WPA3 security methods with any SSID for encryption. Arista is actively working with our chip vendors on incorporating fixes into Arista CloudVision Wi-Fi AP software. A new AP software version which addresses the above vulnerabilities will be released by Arista. This will be a regular upgrade similar to other new version upgrades. Arista will notify all customers and partners once the new version with the fixes is released and available. The recommended course of action is to install the provided hotfix or upgrade to a remediated CloudVision Wi-Fi AP software version once available.\n\nPlatform | Fixed Version | Release Date \n---|---|--- \n**C-260** | **10.0.1-31** | **July 27, 2021** \n**C-250** | **10.0.1-31** | **July 27, 2021 ** \n**C-230** | **10.0.1-31** | **July 27, 2021 ** \n**C-200** | **11.0.0-36** | **August 30, 2021** \n**C-130** | **11.0.0-36** | **August 30, 2021** \n**C-120** | **11.0.0-36** | **August 30, 2021** \n**C-110** | **11.0.0-36** | **August 30, 2021** \n**C-100 ** | **11.0.0-36** | **August 30, 2021** \n_C-75 _ | _TBD _ | _TBD_ \n_C-65 _ | _TBD _ | _TBD _ \n**O-235 ** | **10.0.1-31** | **July 27, 2021** \n**O-105 ** | **11.0.0-36** | **August 30, 2021** \n_O-90 _ | _TBD _ | _TBD_ \n**W-118 ** | **11.0.0-36 ** | **August 30, 2021**_ _ \n_W-68 _ | _TBD _ | _TBD _ \n \nArista will notify all customers and partners as new versions with the fixes are released and available.\n\nFor instructions on how to upgrade APs, please refer to the following resources:\n\n * [On-prem deployments](<https://arista.my.site.com/AristaCommunity/s/article/How-to-Upgrade-Access-Points-to-a-Specific-Build-On-Premise>)\n * On-prem and Cloud deployments\n\n**For More Information**\n\nTo read more about this vulnerability, please refer to the following links:\n\n[https://www.icasi.org/aggregation-fragmentation-attacks-against-wifi/](<https://www.icasi.org/aggregation-fragmentation-attacks-against-wifi/>)\n\nIf you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:\n\n#### **Open a Service Request**\n\nBy email: This email address is being protected from spambots. You need JavaScript enabled to view it. \nBy telephone: 408-547-5502 ; 866-476-0000\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-25T00:00:00", "type": "arista", "title": "Security Advisory 0063", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26135", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147"], "modified": "2021-05-25T00:00:00", "id": "ARISTA:0063", "href": "https://www.arista.com/en/support/advisories-notices/security-advisory/12602-security-advisory-63", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "oraclelinux": [{"lastseen": "2021-09-22T18:26:11", "description": "[4.1.12-124.54.6.1]\n- fs/namespace.c: fix mountpoint reference counter race (Piotr Krysiuk) [Orabug: 33369433] {CVE-2020-12114} {CVE-2020-12114}\n- btrfs: only search for left_info if there is no right_info in try_merge_free_space (Josef Bacik) [Orabug: 33369414] {CVE-2019-19448} {CVE-2019-19448}\n- cfg80211: wext: avoid copying malformed SSIDs (Will Deacon) [Orabug: 33369390] {CVE-2019-17133}\n- vhost_net: fix possible infinite loop (Jason Wang) [Orabug: 33369374] {CVE-2019-3900} {CVE-2019-3900}\n- vhost: introduce vhost_exceeds_weight() (Jason Wang) [Orabug: 33369374] {CVE-2019-3900}\n- vhost_net: introduce vhost_exceeds_weight() (Jason Wang) [Orabug: 33369374] {CVE-2019-3900}\n- vhost_net: use packet weight for rx handler, too (Paolo Abeni) [Orabug: 33369374] {CVE-2019-3900}\n- vhost-net: set packet weight of tx polling to 2 * vq size (haibinzhang) [Orabug: 33369374] {CVE-2019-3900}\n- mac80211: extend protection against mixed key and fragment cache attacks (Wen Gong) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147} {CVE-2020-24586} {CVE-2020-24587}\n- mac80211: do not accept/forward invalid EAPOL frames (Johannes Berg) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}\n- mac80211: prevent attacks on TKIP/WEP as well (Johannes Berg) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}\n- mac80211: check defrag PN against current frame (Johannes Berg) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}\n- mac80211: add fragment cache to sta_info (Johannes Berg) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}\n- mac80211: drop A-MSDUs on old ciphers (Johannes Berg) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147} {CVE-2020-24588}\n- cfg80211: mitigate A-MSDU aggregation attacks (Mathy Vanhoef) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147} {CVE-2020-24588}\n- mac80211: properly handle A-MSDUs that start with an RFC 1042 header (Mathy Vanhoef) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}\n- mac80211: prevent mixed key and fragment cache attacks (Mathy Vanhoef) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147} {CVE-2020-24587} {CVE-2020-24586}\n- mac80211: assure all fragments are encrypted (Mathy Vanhoef) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147} {CVE-2020-26147}\n- sctp: validate from_addr_param return (Marcelo Ricardo Leitner) [Orabug: 33369303] {CVE-2021-3655}\n- virtio_console: Assure used length from device is limited (Xie Yongji) [Orabug: 33369276] {CVE-2021-38160}\n- net_sched: cls_route: remove the right filter from hashtable (Cong Wang) [Orabug: 33369231] {CVE-2021-3715}\n- HID: make arrays usage and value to be the same (Will McVicker) [Orabug: 33369121] {CVE-2021-0512}\n- ext4: fix race writing to an inline_data file while its xattrs are changing (Theodore Ts'o) [Orabug: 33369043] {CVE-2021-40490}", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-22T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17133", "CVE-2019-19448", "CVE-2019-3900", "CVE-2020-12114", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2021-0512", "CVE-2021-3655", "CVE-2021-3715", "CVE-2021-38160", "CVE-2021-40490"], "modified": "2021-09-22T00:00:00", "id": "ELSA-2021-9459", "href": "http://linux.oracle.com/errata/ELSA-2021-9459.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-12T18:39:51", "description": "[4.18.0-348.OL8]\n- Update Oracle Linux certificates (Kevin Lyons)\n- Disable signing for aarch64 (Ilya Okomin)\n- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]\n- Update x509.genkey [Orabug: 24817676]\n- Conflict with shim-ia32 and shim-x64 <= 15-11.0.5\n[4.18.0-348]\n- drm/nouveau/fifo/ga102: initialise chid on return from channel creation (Ben Skeggs) [1997878]\n- drm/nouveau/ga102-: support ttm buffer moves via copy engine (Ben Skeggs) [1997878]\n- drm/nouveau/kms/tu102-: delay enabling cursor until after assign_windows (Ben Skeggs) [1997878]\n- drm/nouveau/kms/nv50: workaround EFI GOP window channel format differences (Ben Skeggs) [1997878]\n- drm/nouveau/disp: power down unused DP links during init (Ben Skeggs) [1997878]\n- drm/nouveau: recognise GA107 (Ben Skeggs) [1997878]\n[4.18.0-347]\n- PCI: Mark TI C667X to avoid bus reset (Alex Williamson) [1975768]\n[4.18.0-346]\n- redhat: switch secureboot kernel image signing to release keys (Bruno Meneguele)\n- CI: handle RT branches in a single config (Veronika Kabatova)\n- CI: Fix RT check branch name (Veronika Kabatova)\n- CI: Drop private CI config (Veronika Kabatova)\n- CI: extend template use (Veronika Kabatova)\n- Revert 'Merge: mt7921e: enable new Mediatek wireless hardware' (Bruno Meneguele) [2009501]\n- megaraid_sas: fix concurrent access to ISR between IRQ polling and real interrupt (Tomas Henzl) [2009022]\n- scsi: megaraid_sas: mq_poll support (Tomas Henzl) [2009022]\n- [PATCH v2] scsi: qla2xxx: Suppress unnecessary log messages during login (Nilesh Javali) [1982186]\n- scsi: qla2xxx: Fix excessive messages during device logout (Nilesh Javali) [1982186]\n- PCI: pciehp: Ignore Link Down/Up caused by DPC (Myron Stowe) [1981741]\n- arm64: kpti: Fix 'kpti=off' when KASLR is enabled (Mark Salter) [1979731]\n- arm64: Fix CONFIG_ARCH_RANDOM=n build (Mark Salter) [1979731]\n- redhat/configs: aarch64: add CONFIG_ARCH_RANDOM (Mark Salter) [1979731]\n- arm64: Implement archrandom.h for ARMv8.5-RNG (Mark Salter) [1979731]\n- arm64: kconfig: Fix alignment of E0PD help text (Mark Salter) [1979731]\n- arm64: Use register field helper in kaslr_requires_kpti() (Mark Salter) [1979731]\n- arm64: Simplify early check for broken TX1 when KASLR is enabled (Mark Salter) [1979731]\n- arm64: Use a variable to store non-global mappings decision (Mark Salter) [1979731]\n- arm64: Dont use KPTI where we have E0PD (Mark Salter) [1979731]\n- arm64: Factor out checks for KASLR in KPTI code into separate function (Mark Salter) [1979731]\n- redhat/configs: Add CONFIG_ARM64_E0PD (Mark Salter) [1979731]\n- arm64: Add initial support for E0PD (Mark Salter) [1979731]\n- arm64: cpufeature: Export matrix and other features to userspace (Mark Salter) [1980098]\n- arm64: docs: cpu-feature-registers: Document ID_AA64PFR1_EL1 (Mark Salter) [1980098]\n- docs/arm64: cpu-feature-registers: Rewrite bitfields that dont follow [e, s] (Mark Salter) [1980098]\n- docs/arm64: cpu-feature-registers: Documents missing visible fields (Mark Salter) [1980098]\n- arm64: Introduce system_capabilities_finalized() marker (Mark Salter) [1980098]\n- arm64: entry.S: Do not preempt from IRQ before all cpufeatures are enabled (Mark Salter) [1980098]\n- docs/arm64: elf_hwcaps: Document HWCAP_SB (Mark Salter) [1980098]\n- docs/arm64: elf_hwcaps: sort the HWCAP{, 2} documentation by ascending value (Mark Salter) [1980098]\n- arm64: cpufeature: Treat ID_AA64ZFR0_EL1 as RAZ when SVE is not enabled (Mark Salter) [1980098]\n- arm64: cpufeature: Effectively expose FRINT capability to userspace (Mark Salter) [1980098]\n- arm64: cpufeature: Fix feature comparison for CTR_EL0.{CWG,ERG} (Mark Salter) [1980098]\n- arm64: Expose FRINT capabilities to userspace (Mark Salter) [1980098]\n- arm64: Expose ARMv8.5 CondM capability to userspace (Mark Salter) [1980098]\n- docs: arm64: convert perf.txt to ReST format (Mark Salter) [1980098]\n- docs: arm64: convert docs to ReST and rename to .rst (Mark Salter) [1980098]\n- Documentation/arm64: HugeTLB page implementation (Mark Salter) [1980098]\n- Documentation/arm64/sve: Couple of improvements and typos (Mark Salter) [1980098]\n- arm64: cpufeature: Fix missing ZFR0 in __read_sysreg_by_encoding() (Mark Salter) [1980098]\n- arm64: Expose SVE2 features for userspace (Mark Salter) [1980098]\n- arm64: Advertise ARM64_HAS_DCPODP cpu feature (Mark Salter) [1980098]\n- arm64: add CVADP support to the cache maintenance helper (Mark Salter) [1980098]\n- arm64: Fix minor issues with the dcache_by_line_op macro (Mark Salter) [1980098]\n- arm64: Expose DC CVADP to userspace (Mark Salter) [1980098]\n- arm64: Handle trapped DC CVADP (Mark Salter) [1980098]\n- arm64: HWCAP: encapsulate elf_hwcap (Mark Salter) [1980098]\n- arm64: HWCAP: add support for AT_HWCAP2 (Mark Salter) [1980098]\n- x86/MCE/AMD, EDAC/mce_amd: Add new SMCA bank types (Aristeu Rozanski) [1965331]\n- x86/MCE/AMD, EDAC/mce_amd: Remove struct smca_hwid.xec_bitmap (Aristeu Rozanski) [1965331]\n- EDAC, mce_amd: Print ExtErrorCode and description on a single line (Aristeu Rozanski) [1965331]\n[4.18.0-345]\n- e1000e: Do not take care about recovery NVM checksum (Ken Cox) [1984558]\n- qrtr: disable CONFIG_QRTR for non x86_64 archs (inigo Huguet) [1999642]\n- ceph: fix possible null-pointer dereference in ceph_mdsmap_decode() (Jeff Layton) [1989999]\n- ceph: fix dereference of null pointer cf (Jeff Layton) [1989999]\n- ceph: correctly handle releasing an embedded cap flush (Jeff Layton) [1989999]\n- ceph: take snap_empty_lock atomically with snaprealm refcount change (Jeff Layton) [1989999]\n- ceph: dont WARN if were still opening a session to an MDS (Jeff Layton) [1989999]\n- rbd: dont hold lock_rwsem while running_list is being drained (Jeff Layton) [1989999]\n- rbd: always kick acquire on 'acquired' and 'released' notifications (Jeff Layton) [1989999]\n- ceph: take reference to req->r_parent at point of assignment (Jeff Layton) [1989999]\n- ceph: eliminate ceph_async_iput() (Jeff Layton) [1989999]\n- ceph: dont take s_mutex in ceph_flush_snaps (Jeff Layton) [1989999]\n- ceph: dont take s_mutex in try_flush_caps (Jeff Layton) [1989999]\n- ceph: dont take s_mutex or snap_rwsem in ceph_check_caps (Jeff Layton) [1989999]\n- ceph: eliminate session->s_gen_ttl_lock (Jeff Layton) [1989999]\n- ceph: allow ceph_put_mds_session to take NULL or ERR_PTR (Jeff Layton) [1989999]\n- ceph: clean up locking annotation for ceph_get_snap_realm and __lookup_snap_realm (Jeff Layton) [1989999]\n- ceph: add some lockdep assertions around snaprealm handling (Jeff Layton) [1989999]\n- ceph: decoding error in ceph_update_snap_realm should return -EIO (Jeff Layton) [1989999]\n- ceph: add IO size metrics support (Jeff Layton) [1989999]\n- ceph: update and rename __update_latency helper to __update_stdev (Jeff Layton) [1989999]\n- ceph: simplify the metrics struct (Jeff Layton) [1989999]\n- libceph: fix doc warnings in cls_lock_client.c (Jeff Layton) [1989999]\n- libceph: remove unnecessary ret variable in ceph_auth_init() (Jeff Layton) [1989999]\n- libceph: kill ceph_none_authorizer::reply_buf (Jeff Layton) [1989999]\n- ceph: make ceph_queue_cap_snap static (Jeff Layton) [1989999]\n- ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty (Jeff Layton) [1989999]\n- libceph: set global_id as soon as we get an auth ticket (Jeff Layton) [1989999]\n- libceph: dont pass result into ac->ops->handle_reply() (Jeff Layton) [1989999]\n- ceph: fix error handling in ceph_atomic_open and ceph_lookup (Jeff Layton) [1989999]\n- ceph: must hold snap_rwsem when filling inode for async create (Jeff Layton) [1989999]\n- libceph: Fix spelling mistakes (Jeff Layton) [1989999]\n- libceph: dont set global_id until we get an auth ticket (Jeff Layton) [1989999]\n- libceph: bump CephXAuthenticate encoding version (Jeff Layton) [1989999]\n- ceph: dont allow access to MDS-private inodes (Jeff Layton) [1989999]\n- ceph: fix up some bare fetches of i_size (Jeff Layton) [1989999]\n- ceph: support getting ceph.dir.rsnaps vxattr (Jeff Layton) [1989999]\n- ceph: drop pinned_page parameter from ceph_get_caps (Jeff Layton) [1989999]\n- ceph: fix inode leak on getattr error in __fh_to_dentry (Jeff Layton) [1989999]\n- ceph: only check pool permissions for regular files (Jeff Layton) [1989999]\n- ceph: send opened files/pinned caps/opened inodes metrics to MDS daemon (Jeff Layton) [1989999]\n- ceph: avoid counting the same request twice or more (Jeff Layton) [1989999]\n- ceph: rename the metric helpers (Jeff Layton) [1989999]\n- ceph: fix kerneldoc copypasta over ceph_start_io_direct (Jeff Layton) [1989999]\n- ceph: dont use d_add in ceph_handle_snapdir (Jeff Layton) [1989999]\n- ceph: dont clobber i_snap_caps on non-I_NEW inode (Jeff Layton) [1989999]\n- ceph: fix fall-through warnings for Clang (Jeff Layton) [1989999]\n- net: ceph: Fix a typo in osdmap.c (Jeff Layton) [1989999]\n- ceph: dont allow type or device number to change on non-I_NEW inodes (Jeff Layton) [1989999]\n- ceph: defer flushing the capsnap if the Fb is used (Jeff Layton) [1989999]\n- ceph: allow queueing cap/snap handling after putting cap references (Jeff Layton) [1989999]\n- ceph: clean up inode work queueing (Jeff Layton) [1989999]\n- ceph: fix flush_snap logic after putting caps (Jeff Layton) [1989999]\n- libceph: fix 'Boolean result is used in bitwise operation' warning (Jeff Layton) [1989999]\n- new helper: inode_wrong_type() (Jeff Layton) [1989999]\n- kabi: Adding symbol single_release (fs/seq_file.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol single_open (fs/seq_file.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol seq_read (fs/seq_file.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol seq_printf (fs/seq_file.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol seq_lseek (fs/seq_file.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol unregister_chrdev_region (fs/char_dev.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol cdev_init (fs/char_dev.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol cdev_del (fs/char_dev.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol cdev_alloc (fs/char_dev.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol cdev_add (fs/char_dev.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol alloc_chrdev_region (fs/char_dev.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol pcie_capability_read_word (drivers/pci/access.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pcie_capability_read_dword (drivers/pci/access.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pcie_capability_clear_and_set_word (drivers/pci/access.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pci_write_config_dword (drivers/pci/access.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pci_write_config_byte (drivers/pci/access.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pci_set_power_state (drivers/pci/pci.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pci_read_config_dword (drivers/pci/access.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pci_read_config_byte (drivers/pci/access.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pci_irq_vector (drivers/pci/msi.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pci_get_device (drivers/pci/search.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pci_free_irq_vectors (drivers/pci/msi.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pci_alloc_irq_vectors_affinity (drivers/pci/msi.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol kexec_crash_loaded (kernel/kexec_core.c) (cestmir Kalina) [1945491]\n[4.18.0-344]\n- perf/x86/intel: Fix PEBS-via-PT reload base value for Extended PEBS (Michael Petlan) [1998051]\n- perf/x86/intel/uncore: Fix Add BW copypasta (Michael Petlan) [1998051]\n- perf/x86/intel/uncore: Add BW counters for GT, IA and IO breakdown (Michael Petlan) [1998051]\n- Revert 'ice: Add initial support framework for LAG' (Michal Schmidt) [1999016]\n- net: re-initialize slow_gro flag at gro_list_prepare time (Paolo Abeni) [2002367]\n- cxgb4: dont touch blocked freelist bitmap after free (Rahul Lakkireddy) [1998148]\n- cxgb4vf: configure ports accessible by the VF (Rahul Lakkireddy) [1961329]\n- scsi: lpfc: Fix memory leaks in error paths while issuing ELS RDF/SCR request (Dick Kennedy) [1976332]\n- scsi: lpfc: Keep NDLP reference until after freeing the IOCB after ELS handling (Dick Kennedy) [1976332]\n- scsi: lpfc: Move initialization of phba->poll_list earlier to avoid crash (Dick Kennedy) [1976332]\n[4.18.0-343]\n- rcu: Avoid unneeded function call in rcu_read_unlock() (Waiman Long) [1997500]\n- mt76: connac: do not schedule mac_work if the device is not running (Inigo Huguet) [1956419 1972045]\n- mt7921e: enable module in config (Inigo Huguet) [1956419 1972045]\n- Revert tools/power/cpupower: Read energy_perf_bias from sysfs (Steve Best) [1999926]\n- libnvdimm/namespace: Differentiate between probe mapping and runtime mapping (Jeff Moyer) [1795719]\n- libnvdimm/pfn_dev: Dont clear device memmap area during generic namespace probe (Jeff Moyer) [1795719]\n- perf/x86/intel/uncore: Clean up error handling path of iio mapping (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Fix for iio mapping on Skylake Server (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Generic support for the MMIO type of uncore blocks (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Generic support for the PCI type of uncore blocks (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Rename uncore_notifier to uncore_pci_sub_notifier (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Generic support for the MSR type of uncore blocks (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Parse uncore discovery tables (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Expose an Uncore unit to IIO PMON mapping (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Wrap the max dies calculation into an accessor (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Expose an Uncore unit to PMON mapping (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Validate MMIO address before accessing (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Record the size of mapped area (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Fix oops when counting IMC uncore events on some TGL (Michael Petlan) [1837330]\n- crypto: qat - remove unused macro in FW loader (Vladis Dronov) [1920086]\n- crypto: qat - check return code of qat_hal_rd_rel_reg() (Vladis Dronov) [1920086]\n- crypto: qat - report an error if MMP file size is too large (Vladis Dronov) [1920086]\n- crypto: qat - check MMP size before writing to the SRAM (Vladis Dronov) [1920086]\n- crypto: qat - return error when failing to map FW (Vladis Dronov) [1920086]\n- crypto: qat - enable detection of accelerators hang (Vladis Dronov) [1920086]\n- crypto: qat - Fix a double free in adf_create_ring (Vladis Dronov) [1920086]\n- crypto: qat - fix error path in adf_isr_resource_alloc() (Vladis Dronov) [1920086]\n- crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init (Vladis Dronov) [1920086]\n- crypto: qat - dont release uninitialized resources (Vladis Dronov) [1920086]\n- crypto: qat - fix use of 'dma_map_single' (Vladis Dronov) [1920086]\n- crypto: qat - fix unmap invalid dma address (Vladis Dronov) [1920086]\n- crypto: qat - fix spelling mistake: 'messge' -> 'message' (Vladis Dronov) [1920086]\n- crypto: qat - reduce size of mapped region (Vladis Dronov) [1920086]\n- crypto: qat - change format string and cast ring size (Vladis Dronov) [1920086]\n- crypto: qat - fix potential spectre issue (Vladis Dronov) [1920086]\n- crypto: qat - configure arbiter mapping based on engines enabled (Vladis Dronov) [1920086]\n[4.18.0-342]\n- selftest: netfilter: add test case for unreplied tcp connections (Florian Westphal) [1991523]\n- netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (Florian Westphal) [1991523]\n- net/sched: store the last executed chain also for clsact egress (Davide Caratti) [1980537]\n- ice: fix Tx queue iteration for Tx timestamp enablement (Ken Cox) [1999743]\n- perf evsel: Add missing cloning of evsel->use_config_name (Michael Petlan) [1838635]\n- perf Documentation: Document intel-hybrid support (Michael Petlan) [1838635]\n- perf tests: Skip 'perf stat metrics (shadow stat) test' for hybrid (Michael Petlan) [1838635]\n- perf tests: Support 'Convert perf time to TSC' test for hybrid (Michael Petlan) [1838635]\n- perf tests: Support 'Session topology' test for hybrid (Michael Petlan) [1838635]\n- perf tests: Support 'Parse and process metrics' test for hybrid (Michael Petlan) [1838635]\n- perf tests: Support 'Track with sched_switch' test for hybrid (Michael Petlan) [1838635]\n- perf tests: Skip 'Setup struct perf_event_attr' test for hybrid (Michael Petlan) [1838635]\n- perf tests: Add hybrid cases for 'Roundtrip evsel->name' test (Michael Petlan) [1838635]\n- perf tests: Add hybrid cases for 'Parse event definition strings' test (Michael Petlan) [1838635]\n- perf record: Uniquify hybrid event name (Michael Petlan) [1838635]\n- perf stat: Warn group events from different hybrid PMU (Michael Petlan) [1838635]\n- perf stat: Filter out unmatched aggregation for hybrid event (Michael Petlan) [1838635]\n- perf stat: Add default hybrid events (Michael Petlan) [1838635]\n- perf record: Create two hybrid 'cycles' events by default (Michael Petlan) [1838635]\n- perf parse-events: Support event inside hybrid pmu (Michael Petlan) [1838635]\n- perf parse-events: Compare with hybrid pmu name (Michael Petlan) [1838635]\n- perf parse-events: Create two hybrid raw events (Michael Petlan) [1838635]\n- perf parse-events: Create two hybrid cache events (Michael Petlan) [1838635]\n- perf parse-events: Create two hybrid hardware events (Michael Petlan) [1838635]\n- perf stat: Uniquify hybrid event name (Michael Petlan) [1838635]\n- perf pmu: Add hybrid helper functions (Michael Petlan) [1838635]\n- perf pmu: Save detected hybrid pmus to a global pmu list (Michael Petlan) [1838635]\n- perf pmu: Save pmu name (Michael Petlan) [1838635]\n- perf pmu: Simplify arguments of __perf_pmu__new_alias (Michael Petlan) [1838635]\n- perf jevents: Support unit value 'cpu_core' and 'cpu_atom' (Michael Petlan) [1838635]\n- tools headers uapi: Update toolss copy of linux/perf_event.h (Michael Petlan) [1838635]\n[4.18.0-341]\n- mptcp: Only send extra TCP acks in eligible socket states (Paolo Abeni) [1997178]\n- mptcp: fix possible divide by zero (Paolo Abeni) [1997178]\n- mptcp: drop tx skb cache (Paolo Abeni) [1997178]\n- mptcp: fix memory leak on address flush (Paolo Abeni) [1997178]\n- ice: Only lock to update netdev dev_addr (Michal Schmidt) [1995868]\n- ice: restart periodic outputs around time changes (Ken Cox) [1992750]\n- ice: Fix perout start time rounding (Ken Cox) [1992750]\n- net/sched: ets: fix crash when flipping from 'strict' to 'quantum' (Davide Caratti) [1981184]\n- ovl: prevent private clone if bind mount is not allowed (Miklos Szeredi) [1993131] {CVE-2021-3732}\n- gfs2: Dont call dlm after protocol is unmounted (Bob Peterson) [1997193]\n- gfs2: dont stop reads while withdraw in progress (Bob Peterson) [1997193]\n- gfs2: Mark journal inodes as 'dont cache' (Bob Peterson) [1997193]\n- bpf: bpftool: Add -fno-asynchronous-unwind-tables to BPF Clang invocation (Yauheni Kaliuta) [1997124]\n- perf/x86/intel: Apply mid ACK for small core (Michael Petlan) [1838573]\n- perf/x86/intel/lbr: Zero the xstate buffer on allocation (Michael Petlan) [1838573]\n- perf: Fix task context PMU for Hetero (Michael Petlan) [1838573]\n- perf/x86/intel: Fix fixed counter check warning for some Alder Lake (Michael Petlan) [1838573]\n- perf/x86/lbr: Remove cpuc->lbr_xsave allocation from atomic context (Michael Petlan) [1838573]\n- x86/fpu/xstate: Fix an xstate size check warning with architectural LBRs (Michael Petlan) [1838573]\n- perf/x86/rapl: Add support for Intel Alder Lake (Michael Petlan) [1838573]\n- perf/x86/cstate: Add Alder Lake CPU support (Michael Petlan) [1838573]\n- perf/x86/msr: Add Alder Lake CPU support (Michael Petlan) [1838573]\n- perf/x86/intel/uncore: Add Alder Lake support (Michael Petlan) [1838573]\n- perf: Extend PERF_TYPE_HARDWARE and PERF_TYPE_HW_CACHE (Michael Petlan) [1838573]\n- perf/x86/intel: Add Alder Lake Hybrid support (Michael Petlan) [1838573]\n- perf/x86: Support filter_match callback (Michael Petlan) [1838573]\n- perf/x86/intel: Add attr_update for Hybrid PMUs (Michael Petlan) [1838573]\n- perf/x86: Add structures for the attributes of Hybrid PMUs (Michael Petlan) [1838573]\n- perf/x86: Register hybrid PMUs (Michael Petlan) [1838573]\n- perf/x86: Factor out x86_pmu_show_pmu_cap (Michael Petlan) [1838573]\n- perf/x86: Remove temporary pmu assignment in event_init (Michael Petlan) [1838573]\n- perf/x86/intel: Factor out intel_pmu_check_extra_regs (Michael Petlan) [1838573]\n- perf/x86/intel: Factor out intel_pmu_check_event_constraints (Michael Petlan) [1838573]\n- perf/x86/intel: Factor out intel_pmu_check_num_counters (Michael Petlan) [1838573]\n- perf/x86: Hybrid PMU support for extra_regs (Michael Petlan) [1838573]\n- perf/x86: Hybrid PMU support for event constraints (Michael Petlan) [1838573]\n- perf/x86: Hybrid PMU support for hardware cache event (Michael Petlan) [1838573]\n- perf/x86: Hybrid PMU support for unconstrained (Michael Petlan) [1838573]\n- perf/x86: Hybrid PMU support for counters (Michael Petlan) [1838573]\n- perf/x86: Hybrid PMU support for intel_ctrl (Michael Petlan) [1838573]\n- perf/x86/intel: Hybrid PMU support for perf capabilities (Michael Petlan) [1838573]\n- perf/x86: Track pmu in per-CPU cpu_hw_events (Michael Petlan) [1838573]\n- perf/x86/intel/lbr: Support XSAVES for arch LBR read (Michael Petlan) [1838573]\n- perf/x86/intel/lbr: Support XSAVES/XRSTORS for LBR context switch (Michael Petlan) [1838573]\n- x86/fpu/xstate: Add helpers for LBR dynamic supervisor feature (Michael Petlan) [1838573]\n- x86/fpu/xstate: Support dynamic supervisor feature for LBR (Michael Petlan) [1838573]\n- x86/fpu: Use proper mask to replace full instruction mask (Michael Petlan) [1838573]\n- x86/cpu: Add helper function to get the type of the current hybrid CPU (Michael Petlan) [1838573]\n- x86/cpufeatures: Enumerate Intel Hybrid Technology feature bit (Michael Petlan) [1838573]\n- HID: make arrays usage and value to be the same (Benjamin Tissoires) [1974942]\n- ACPI: PM: s2idle: Invert Microsoft UUID entry and exit (David Arcari) [1960440]\n- platform/x86: amd-pmc: Fix undefined reference to __udivdi3 (David Arcari) [1960440]\n- platform/x86: amd-pmc: Fix missing unlock on error in amd_pmc_send_cmd() (David Arcari) [1960440]\n- platform/x86: amd-pmc: Use return code on suspend (David Arcari) [1960440]\n- platform/x86: amd-pmc: Add new acpi id for future PMC controllers (David Arcari) [1960440]\n- platform/x86: amd-pmc: Add support for ACPI ID AMDI0006 (David Arcari) [1960440]\n- platform/x86: amd-pmc: Add support for logging s0ix counters (David Arcari) [1960440]\n- platform/x86: amd-pmc: Add support for logging SMU metrics (David Arcari) [1960440]\n- platform/x86: amd-pmc: call dump registers only once (David Arcari) [1960440]\n- platform/x86: amd-pmc: Fix SMU firmware reporting mechanism (David Arcari) [1960440]\n- platform/x86: amd-pmc: Fix command completion code (David Arcari) [1960440]\n- usb: pci-quirks: disable D3cold on xhci suspend for s2idle on AMD Renoir (David Arcari) [1960440]\n- ACPI: PM: Only mark EC GPE for wakeup on Intel systems (David Arcari) [1960440]\n- ACPI: PM: Adjust behavior for field problems on AMD systems (David Arcari) [1960440]\n- ACPI: PM: s2idle: Add support for new Microsoft UUID (David Arcari) [1960440]\n- ACPI: PM: s2idle: Add support for multiple func mask (David Arcari) [1960440]\n- ACPI: PM: s2idle: Refactor common code (David Arcari) [1960440]\n- ACPI: PM: s2idle: Use correct revision id (David Arcari) [1960440]\n- ACPI: PM: s2idle: Add missing LPS0 functions for AMD (David Arcari) [1960440]\n- lockd: Fix invalid lockowner cast after vfs_test_lock (Benjamin Coddington) [1986138]\n[4.18.0-340]\n- blk-mq: fix is_flush_rq (Ming Lei) [1992700]\n- blk-mq: fix kernel panic during iterating over flush request (Ming Lei) [1992700]\n[4.18.0-339]\n- smb2: fix use-after-free in smb2_ioctl_query_info() (Ronnie Sahlberg) [1952781]\n- dm crypt: Avoid percpu_counter spinlock contention in crypt_page_alloc() (Mike Snitzer) [1996854]\n- md/raid10: Remove rcu_dereference when it doesnt need rcu lock to protect (Nigel Croxon) [1978115]\n- scsi: csiostor: Mark known unused variable as __always_unused (Raju Rangoju) [1961333]\n- scsi: csiostor: Fix wrong return value in csio_hw_prep_fw() (Raju Rangoju) [1961333]\n- scsi: csiostor: Remove set but not used variable 'rln' (Raju Rangoju) [1961333]\n- scsi: csiostor: Return value not required for csio_dfs_destroy (Raju Rangoju) [1961333]\n- scsi: csiostor: Fix NULL check before debugfs_remove_recursive (Raju Rangoju) [1961333]\n- scsi: csiostor: Dont enable IRQs too early (Raju Rangoju) [1961333]\n- scsi: csiostor: Fix spelling typos (Raju Rangoju) [1961333]\n- scsi: csiostor: Prefer pcie_capability_read_word() (Raju Rangoju) [1961333]\n- scsi: target: cxgbit: Unmap DMA buffer before calling target_execute_cmd() (Raju Rangoju) [1961394]\n- net: Use skb_frag_off accessors (Raju Rangoju) [1961394]\n- net: Use skb accessors in network drivers (Raju Rangoju) [1961394]\n- cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds (Raju Rangoju) [1961394]\n- scsi: libcxgbi: Fix a use after free in cxgbi_conn_xmit_pdu() (Raju Rangoju) [1961394]\n- scsi: libcxgbi: Use kvzalloc instead of opencoded kzalloc/vzalloc (Raju Rangoju) [1961394]\n- scsi: libcxgbi: Remove unnecessary NULL checks for 'tdata' pointer (Raju Rangoju) [1961394]\n- scsi: cxgb4i: Remove an unnecessary NULL check for 'cconn' pointer (Raju Rangoju) [1961394]\n- scsi: cxgb4i: Clean up a debug printk (Raju Rangoju) [1961394]\n- scsi: cxgb4i: Fix dereference of pointer tdata before it is null checked (Raju Rangoju) [1961394]\n- scsi: libcxgbi: fix NULL pointer dereference in cxgbi_device_destroy() (Raju Rangoju) [1961394]\n- scsi: libcxgbi: remove unused function to stop warning (Raju Rangoju) [1961394]\n- scsi: libcxgbi: add a check for NULL pointer in cxgbi_check_route() (Raju Rangoju) [1961394]\n- net/chelsio: Delete drive and module versions (Raju Rangoju) [1961394]\n- chelsio: Replace zero-length array with flexible-array member (Raju Rangoju) [1961394]\n- [netdrv] treewide: prefix header search paths with / (Raju Rangoju) [1961394]\n- libcxgb: fix incorrect ppmax calculation (Raju Rangoju) [1961394]\n- scsi: cxgb4i: Fix TLS dependency (Raju Rangoju) [1961394]\n- [target] treewide: Use fallthrough pseudo-keyword (Raju Rangoju) [1961394]\n- scsi: cxgb4i: Add support for iSCSI segmentation offload (Raju Rangoju) [1961394]\n- [target] treewide: Use sizeof_field() macro (Raju Rangoju) [1961394]\n- [target] treewide: replace '---help---' in Kconfig files with 'help' (Raju Rangoju) [1961394]\n- scsi: cxgb4i: Remove superfluous null check (Raju Rangoju) [1961394]\n[4.18.0-338]\n- KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653) (Jon Maloy) [1985413] {CVE-2021-3653}\n- KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656) (Jon Maloy) [1985430] {CVE-2021-3656}\n- drm/i915/rkl: Remove require_force_probe protection (Lyude Paul) [1985159]\n- drm/i915/display: support ddr5 mem types (Lyude Paul) [1992233]\n- drm/i915/adl_s: Update ddi buf translation tables (Lyude Paul) [1992233]\n- drm/i915/adl_s: Wa_14011765242 is also needed on A1 display stepping (Lyude Paul) [1992233]\n- drm/i915/adl_s: Extend Wa_1406941453 (Lyude Paul) [1992233]\n- drm/i915: Implement Wa_1508744258 (Lyude Paul) [1992233]\n- drm/i915/adl_s: Fix dma_mask_size to 39 bit (Lyude Paul) [1992233]\n- drm/i915: Add the missing adls vswing tables (Lyude Paul) [1992233]\n- drm/i915: Add Wa_14011060649 (Lyude Paul) [1992233]\n- drm/i915/adl_s: Add Interrupt Support (Lyude Paul) [1992233]\n- drm/amdgpu: add another Renoir DID (Lyude Paul) [1980900]\n[4.18.0-337]\n- net/mlx5: Fix flow table chaining (Amir Tzin) [1987139]\n- openvswitch: fix sparse warning incorrect type (Mark Gray) [1992773]\n- openvswitch: fix alignment issues (Mark Gray) [1992773]\n- openvswitch: update kdoc OVS_DP_ATTR_PER_CPU_PIDS (Mark Gray) [1992773]\n- openvswitch: Introduce per-cpu upcall dispatch (Mark Gray) [1992773]\n- KVM: X86: Expose bus lock debug exception to guest (Paul Lai) [1842322]\n- KVM: X86: Add support for the emulation of DR6_BUS_LOCK bit (Paul Lai) [1842322]\n- scsi: libfc: Fix array index out of bound exception (Chris Leech) [1972643]\n- scsi: libfc: FDMI enhancements (Chris Leech) [1972643]\n- scsi: libfc: Add FDMI-2 attributes (Chris Leech) [1972643]\n- scsi: qedf: Add vendor identifier attribute (Chris Leech) [1972643]\n- scsi: libfc: Initialisation of RHBA and RPA attributes (Chris Leech) [1972643]\n- scsi: libfc: Correct the condition check and invalid argument passed (Chris Leech) [1972643]\n- scsi: libfc: Work around -Warray-bounds warning (Chris Leech) [1972643]\n- scsi: fc: FDMI enhancement (Chris Leech) [1972643]\n- scsi: libfc: Move scsi/fc_encode.h to libfc (Chris Leech) [1972643]\n- scsi: fc: Correct RHBA attributes length (Chris Leech) [1972643]\n- block: return ELEVATOR_DISCARD_MERGE if possible (Ming Lei) [1991976]\n- x86/fpu: Prevent state corruption in __fpu__restore_sig() (Terry Bowman) [1970086]\n- x86/fpu: Invalidate FPU state after a failed XRSTOR from a user buffer (Terry Bowman) [1970086]\n- x86/pkru: Write hardware init value to PKRU when xstate is init (Terry Bowman) [1970086]\n- x86/process: Check PF_KTHREAD and not current->mm for kernel threads (Terry Bowman) [1970086]\n- x86/fpu: Add address range checks to copy_user_to_xstate() (Terry Bowman) [1970086]\n- selftests/x86: Test signal frame XSTATE header corruption handling (Terry Bowman) [1970086]\n- Bump DRM backport version to 5.12.14 (Lyude Paul) [1944405]\n- drm/i915: Use the correct max source link rate for MST (Lyude Paul) [1944405 1966599]\n- drm/dp_mst: Use Extended Base Receiver Capability DPCD space (Lyude Paul) [1944405 1966599]\n- drm/i915/display: Defeature PSR2 for RKL and ADL-S (Lyude Paul) [1944405]\n- drm/i915/adl_s: ADL-S platform Update PCI ids for Mobile BGA (Lyude Paul) [1944405]\n- drm/amdgpu: wait for moving fence after pinning (Lyude Paul) [1944405]\n- drm/radeon: wait for moving fence after pinning (Lyude Paul) [1944405]\n- drm/nouveau: wait for moving fence after pinning v2 (Lyude Paul) [1944405]\n- radeon: use memcpy_to/fromio for UVD fw upload (Lyude Paul) [1944405]\n- drm/amd/amdgpu:save psp ring wptr to avoid attack (Lyude Paul) [1944405]\n- drm/amd/display: Fix potential memory leak in DMUB hw_init (Lyude Paul) [1944405]\n- drm/amdgpu: refine amdgpu_fru_get_product_info (Lyude Paul) [1944405]\n- drm/amd/display: Allow bandwidth validation for 0 streams. (Lyude Paul) [1944405]\n- drm: Lock pointer access in drm_master_release() (Lyude Paul) [1944405]\n- drm: Fix use-after-free read in drm_getunique() (Lyude Paul) [1944405]\n- drm/amdgpu: make sure we unpin the UVD BO (Lyude Paul) [1944405]\n- drm/amdgpu: Dont query CE and UE errors (Lyude Paul) [1944405]\n- drm/amdgpu/jpeg3: add cancel_delayed_work_sync before power gate (Lyude Paul) [1944405]\n- drm/amdgpu/jpeg2.5: add cancel_delayed_work_sync before power gate (Lyude Paul) [1944405]\n- drm/amdgpu/vcn3: add cancel_delayed_work_sync before power gate (Lyude Paul) [1944405]\n- amdgpu: fix GEM obj leak in amdgpu_display_user_framebuffer_create (Lyude Paul) [1944405]\n- drm/i915/selftests: Fix return value check in live_breadcrumbs_smoketest() (Lyude Paul) [1944405]\n- drm/amdgpu: stop touching sched.ready in the backend (Lyude Paul) [1944405]\n- drm/amd/amdgpu: fix a potential deadlock in gpu reset (Lyude Paul) [1944405]\n- drm/amdgpu: Fix a use-after-free (Lyude Paul) [1944405]\n- drm/amd/amdgpu: fix refcount leak (Lyude Paul) [1944405]\n- drm/amd/display: Disconnect non-DP with no EDID (Lyude Paul) [1944405]\n- drm/amdgpu/jpeg2.0: add cancel_delayed_work_sync before power gate (Lyude Paul) [1944405]\n- drm/amdgpu/vcn2.5: add cancel_delayed_work_sync before power gate (Lyude Paul) [1944405]\n- drm/amdgpu/vcn2.0: add cancel_delayed_work_sync before power gate (Lyude Paul) [1944405]\n- drm/amdkfd: correct sienna_cichlid SDMA RLC register offset error (Lyude Paul) [1944405]\n- drm/amdgpu/vcn1: add cancel_delayed_work_sync before power gate (Lyude Paul) [1944405]\n- drm/amd/pm: correct MGpuFanBoost setting (Lyude Paul) [1944405]\n- drm/i915: Reenable LTTPR non-transparent LT mode for DPCD_REV<1.4 (Lyude Paul) [1944405]\n- drm/i915/gt: Disable HiZ Raw Stall Optimization on broken gen7 (Lyude Paul) [1944405]\n- dma-buf: fix unintended pin/unpin warnings (Lyude Paul) [1944405]\n- drm/amdgpu: update sdma golden setting for Navi12 (Lyude Paul) [1944405]\n- drm/amdgpu: update gc golden setting for Navi12 (Lyude Paul) [1944405]\n- drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid compute hang (Lyude Paul) [1944405]\n- drm/amdgpu: Fix GPU TLB update error when PAGE_SIZE > AMDGPU_PAGE_SIZE (Lyude Paul) [1944405]\n- drm/radeon: use the dummy page for GART if needed (Lyude Paul) [1944405]\n- drm/amd/display: Use the correct max downscaling value for DCN3.x family (Lyude Paul) [1944405]\n- drm/i915/gem: Pin the L-shape quirked object as unshrinkable (Lyude Paul) [1944405]\n- drm/ttm: Do not add non-system domain BO into swap list (Lyude Paul) [1944405]\n- drm/amd/display: Fix two cursor duplication when using overlay (Lyude Paul) [1944405]\n- amdgpu/pm: Prevent force of DCEFCLK on NAVI10 and SIENNA_CICHLID (Lyude Paul) [1944405]\n- drm/i915/display: fix compiler warning about array overrun (Lyude Paul) [1944405]\n- drm/i915: Fix crash in auto_retire (Lyude Paul) [1944405]\n- drm/i915/overlay: Fix active retire callback alignment (Lyude Paul) [1944405]\n- drm/i915: Read C0DRB3/C1DRB3 as 16 bits again (Lyude Paul) [1944405]\n- drm/i915/gt: Fix a double free in gen8_preallocate_top_level_pdp (Lyude Paul) [1944405]\n- drm/i915/dp: Use slow and wide link training for everything (Lyude Paul) [1944405]\n- drm/i915: Avoid div-by-zero on gen2 (Lyude Paul) [1944405]\n- drm/amd/display: Initialize attribute for hdcp_srm sysfs file (Lyude Paul) [1944405]\n- drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected (Lyude Paul) [1944405]\n- drm/radeon: Avoid power table parsing memory leaks (Lyude Paul) [1944405]\n- drm/radeon: Fix off-by-one power_state index heap overwrite (Lyude Paul) [1944405]\n- drm/amdgpu: Add mem sync flag for IB allocated by SA (Lyude Paul) [1944405]\n- drm/amd/display: add handling for hdcp2 rx id list validation (Lyude Paul) [1944405]\n- drm/amd/display: fixed divide by zero kernel crash during dsc enablement (Lyude Paul) [1944405]\n- drm/amd/display: Force vsync flip when reconfiguring MPCC (Lyude Paul) [1944405]\n- arm64: enable tlbi range instructions (Jeremy Linton) [1861872]\n- arm64: tlb: Use the TLBI RANGE feature in arm64 (Jeremy Linton) [1861872]\n- arm64: tlb: Detect the ARMv8.4 TLBI RANGE feature (Jeremy Linton) [1861872]\n- arm64/cpufeature: Add remaining feature bits in ID_AA64ISAR0 register (Jeremy Linton) [1861872]\n- arm64: tlbflush: Ensure start/end of address range are aligned to stride (Jeremy Linton) [1861872]\n- arm64: Detect the ARMv8.4 TTL feature (Jeremy Linton) [1861872]\n- arm64: tlbi: Set MAX_TLBI_OPS to PTRS_PER_PTE (Jeremy Linton) [1861872]\n[4.18.0-336]\n- bpf: Fix integer overflow involving bucket_size (Jiri Olsa) [1992588]\n- bpf: Fix leakage due to insufficient speculative store bypass mitigation (Jiri Olsa) [1992588]\n- bpf: Introduce BPF nospec instruction for mitigating Spectre v4 (Jiri Olsa) [1992588]\n- bpf: Fix OOB read when printing XDP link fdinfo (Jiri Olsa) [1992588]\n- bpf, test: fix NULL pointer dereference on invalid expected_attach_type (Jiri Olsa) [1992588]\n- bpf: Fix tail_call_reachable rejection for interpreter when jit failed (Jiri Olsa) [1992588]\n- bpf: Track subprog poke descriptors correctly and fix use-after-free (Jiri Olsa) [1992588]\n- bpf: Fix null ptr deref with mixed tail calls and subprogs (Jiri Olsa) [1992588]\n- bpf: Fix leakage under speculation on mispredicted branches (Jiri Olsa) [1992588]\n- bpf: Set mac_len in bpf_skb_change_head (Jiri Olsa) [1992588]\n- bpf: Prevent writable memory-mapping of read-only ringbuf pages (Jiri Olsa) [1992588]\n- bpf: Fix alu32 const subreg bound tracking on bitwise operations (Jiri Olsa) [1992588]\n- xsk: Fix broken Tx ring validation (Jiri Olsa) [1992588]\n- xsk: Fix for xp_aligned_validate_desc() when len == chunk_size (Jiri Olsa) [1992588]\n- bpf: link: Refuse non-O_RDWR flags in BPF_OBJ_GET (Jiri Olsa) [1992588]\n- bpf: Refcount task stack in bpf_get_task_stack (Jiri Olsa) [1992588]\n- bpf: Use NOP_ATOMIC5 instead of emit_nops(&prog, 5) for BPF_TRAMP_F_CALL_ORIG (Jiri Olsa) [1992588]\n- selftest/bpf: Add a test to check trampoline freeing logic. (Jiri Olsa) [1992588]\n- bpf: Fix fexit trampoline. (Jiri Olsa) [1992588]\n- ftrace: Fix modify_ftrace_direct. (Jiri Olsa) [1992588]\n- ftrace: Add a helper function to modify_ftrace_direct() to allow arch optimization (Jiri Olsa) [1992588]\n- ftrace: Add helper find_direct_entry() to consolidate code (Jiri Olsa) [1992588]\n- bpf: Fix truncation handling for mod32 dst reg wrt zero (Jiri Olsa) [1992588]\n- bpf: Fix an unitialized value in bpf_iter (Jiri Olsa) [1992588]\n- bpf_lru_list: Read double-checked variable once without lock (Jiri Olsa) [1992588]\n- mt76: validate rx A-MSDU subframes (Inigo Huguet) [1991459] {CVE-2020-24588 CVE-2020-26144}\n- ath11k: Drop multicast fragments (Inigo Huguet) [1991459] {CVE-2020-26145}\n- ath11k: Clear the fragment cache during key install (Inigo Huguet) [1991459] {CVE-2020-24587}\n- ath10k: Validate first subframe of A-MSDU before processing the list (Inigo Huguet) [1991459] {CVE-2020-24588 CVE-2020-26144}\n- ath10k: Fix TKIP Michael MIC verification for PCIe (Inigo Huguet) [1991459] {CVE-2020-26141}\n- ath10k: drop MPDU which has discard flag set by firmware for SDIO (Inigo Huguet) [1991459] {CVE-2020-24588}\n- ath10k: drop fragments with multicast DA for SDIO (Inigo Huguet) [1991459] {CVE-2020-26145}\n- ath10k: drop fragments with multicast DA for PCIe (Inigo Huguet) [1991459] {CVE-2020-26145}\n- ath10k: add CCMP PN replay protection for fragmented frames for PCIe (Inigo Huguet) [1991459]\n- mac80211: extend protection against mixed key and fragment cache attacks (Inigo Huguet) [1991459] {CVE-2020-24586 CVE-2020-24587}\n- mac80211: do not accept/forward invalid EAPOL frames (Inigo Huguet) [1991459] {CVE-2020-26139}\n- mac80211: prevent attacks on TKIP/WEP as well (Inigo Huguet) [1991459] {CVE-2020-26141}\n- mac80211: check defrag PN against current frame (Inigo Huguet) [1991459]\n- mac80211: add fragment cache to sta_info (Inigo Huguet) [1991459] {CVE-2020-24586 CVE-2020-24587}\n- mac80211: drop A-MSDUs on old ciphers (Inigo Huguet) [1991459] {CVE-2020-24588}\n- cfg80211: mitigate A-MSDU aggregation attacks (Inigo Huguet) [1991459] {CVE-2020-24588 CVE-2020-26144}\n- mac80211: properly handle A-MSDUs that start with an RFC 1042 header (Inigo Huguet) [1991459]\n- mac80211: prevent mixed key and fragment cache attacks (Inigo Huguet) [1991459] {CVE-2020-24586 CVE-2020-24587}\n- mac80211: assure all fragments are encrypted (Inigo Huguet) [1991459] {CVE-2020-26147}\n- tipc: call tipc_wait_for_connect only when dlen is not 0 (Xin Long) [1989361]\n- mptcp: remove tech preview warning (Florian Westphal) [1985120]\n- tcp: consistently disable header prediction for mptcp (Florian Westphal) [1985120]\n- selftests: mptcp: fix case multiple subflows limited by server (Florian Westphal) [1985120]\n- selftests: mptcp: turn rp_filter off on each NIC (Florian Westphal) [1985120]\n- selftests: mptcp: display proper reason to abort tests (Florian Westphal) [1985120]\n- mptcp: properly account bulk freed memory (Florian Westphal) [1985120]\n- mptcp: fix 'masking a bool' warning (Florian Westphal) [1985120]\n- mptcp: refine mptcp_cleanup_rbuf (Florian Westphal) [1985120]\n- mptcp: use fast lock for subflows when possible (Florian Westphal) [1985120]\n- mptcp: avoid processing packet if a subflow reset (Florian Westphal) [1985120]\n- mptcp: add sk parameter for mptcp_get_options (Florian Westphal) [1985120]\n- mptcp: fix syncookie process if mptcp can not_accept new subflow (Florian Westphal) [1985120]\n- mptcp: fix warning in __skb_flow_dissect() when do syn cookie for subflow join (Florian Westphal) [1985120]\n- mptcp: avoid race on msk state changes (Florian Westphal) [1985120]\n- mptcp: fix 32 bit DSN expansion (Florian Westphal) [1985120]\n- mptcp: fix bad handling of 32 bit ack wrap-around (Florian Westphal) [1985120]\n- tcp: parse mptcp options contained in reset packets (Florian Westphal) [1985120]\n- ionic: count csum_none when offload enabled (Jonathan Toppins) [1991646]\n- ionic: fix up dim accounting for tx and rx (Jonathan Toppins) [1991646]\n- ionic: remove intr coalesce update from napi (Jonathan Toppins) [1991646]\n- ionic: catch no ptp support earlier (Jonathan Toppins) [1991646]\n- ionic: make all rx_mode work threadsafe (Jonathan Toppins) [1991646]\n- dmaengine: idxd: Fix missing error code in idxd_cdev_open() (Jerry Snitselaar) [1990637]\n- dmaengine: idxd: add missing dsa driver unregister (Jerry Snitselaar) [1990637]\n- dmaengine: idxd: add engine 'struct device' missing bus type assignment (Jerry Snitselaar) [1990637]\n- dmaengine: idxd: remove MSIX masking for interrupt handlers (Jerry Snitselaar) [1990637]\n- dmaengine: idxd: Use cpu_feature_enabled() (Jerry Snitselaar) [1990637]\n- dmaengine: idxd: enable SVA feature for IOMMU (Jerry Snitselaar) [1990637]\n- dmagenine: idxd: Dont add portal offset in idxd_submit_desc (Jerry Snitselaar) [1990637]\n- ethtool: strset: fix message length calculation (Balazs Nemeth) [1989003]\n- net: add strict checks in netdev_name_node_alt_destroy() (Andrea Claudi) [1859038]\n- net: rtnetlink: fix bugs in rtnl_alt_ifname() (Andrea Claudi) [1859038]\n- net: rtnetlink: add linkprop commands to add and delete alternative ifnames (Andrea Claudi) [1859038]\n- net: check all name nodes in __dev_alloc_name (Andrea Claudi) [1859038]\n- net: fix a leak in register_netdevice() (Andrea Claudi) [1859038]\n- tun: fix memory leak in error path (Andrea Claudi) [1859038]\n- net: propagate errors correctly in register_netdevice() (Andrea Claudi) [1859038]\n- net: introduce name_node struct to be used in hashlist (Andrea Claudi) [1859038]\n- net: procfs: use index hashlist instead of name hashlist (Andrea Claudi) [1859038]\n- configs: Enable CONFIG_CHELSIO_INLINE_CRYPTO (Raju Rangoju) [1961368]\n- cxgb4/ch_ktls: Clear resources when pf4 device is removed (Raju Rangoju) [1961374]\n- ch_ktls: Remove redundant variable result (Raju Rangoju) [1961374]\n- ch_ktls: do not send snd_una update to TCB in middle (Raju Rangoju) [1961374]\n- ch_ktls: tcb close causes tls connection failure (Raju Rangoju) [1961374]\n- ch_ktls: fix device connection close (Raju Rangoju) [1961374]\n- ch_ktls: Fix kernel panic (Raju Rangoju) [1961374]\n- ch_ktls: fix enum-conversion warning (Raju Rangoju) [1961374]\n- net: ethernet: chelsio: inline_crypto: Mundane typos fixed throughout the file chcr_ktls.c (Raju Rangoju) [1961374]\n- ch_ipsec: Remove initialization of rxq related data (Raju Rangoju) [1961388]\n- ch_ktls: fix build warning for ipv4-only config (Raju Rangoju) [1961374]\n- ch_ktls: lock is not freed (Raju Rangoju) [1961374]\n- ch_ktls: stop the txq if reaches threshold (Raju Rangoju) [1961374]\n- ch_ktls: tcb update fails sometimes (Raju Rangoju) [1961374]\n- ch_ktls/cxgb4: handle partial tag alone SKBs (Raju Rangoju) [1961374]\n- ch_ktls: dont free skb before sending FIN (Raju Rangoju) [1961374]\n- ch_ktls: packet handling prior to start marker (Raju Rangoju) [1961374]\n- ch_ktls: Correction in middle record handling (Raju Rangoju) [1961374]\n- ch_ktls: missing handling of header alone (Raju Rangoju) [1961374]\n- ch_ktls: Correction in trimmed_len calculation (Raju Rangoju) [1961374]\n- cxgb4/ch_ktls: creating skbs causes panic (Raju Rangoju) [1961374]\n- ch_ktls: Update cheksum information (Raju Rangoju) [1961374]\n- ch_ktls: Correction in finding correct length (Raju Rangoju) [1961374]\n- cxgb4/ch_ktls: decrypted bit is not enough (Raju Rangoju) [1961374]\n- cxgb4/ch_ipsec: Replace the module name to ch_ipsec from chcr (Raju Rangoju) [1961388]\n- cxgb4/ch_ktls: ktls stats are added at port level (Raju Rangoju) [1961374]\n- ch_ktls: Issue if connection offload fails (Raju Rangoju) [1961374]\n- chelsio/chtls: Re-add dependencies on CHELSIO_T4 to fix modular CHELSIO_T4 (Raju Rangoju) [1961388]\n- chelsio/chtls: CHELSIO_INLINE_CRYPTO should depend on CHELSIO_T4 (Raju Rangoju) [1961388]\n- crypto: chelsio - fix minor indentation issue (Raju Rangoju) [1961368]\n- crypto/chcr: move nic TLS functionality to drivers/net (Raju Rangoju) [1961368]\n- cxgb4/ch_ipsec: Registering xfrmdev_ops with cxgb4 (Raju Rangoju) [1961388]\n- crypto/chcr: Moving chelsios inline ipsec functionality to /drivers/net (Raju Rangoju) [1961368]\n- chelsio/chtls: separate chelsio tls driver from crypto driver (Raju Rangoju) [1961368]\n- crypto: chelsio - Fix some pr_xxx messages (Raju Rangoju) [1961368]\n- crypto: chelsio - Avoid some code duplication (Raju Rangoju) [1961368]\n- crypto: drivers - set the flag CRYPTO_ALG_ALLOCATES_MEMORY (Raju Rangoju) [1961368]\n- crypto: aead - remove useless setting of type flags (Raju Rangoju) [1961368]\n- crypto: Replace zero-length array with flexible-array (Raju Rangoju) [1961368]\n- [Crypto] treewide: replace '---help---' in Kconfig files with 'help' (Raju Rangoju) [1961368]\n- Crypto/chcr: Checking cra_refcnt before unregistering the algorithms (Raju Rangoju) [1961368]\n- Crypto/chcr: Calculate src and dst sg lengths separately for dma map (Raju Rangoju) [1961368]\n- Crypto/chcr: Fixes a coccinile check error (Raju Rangoju) [1961368]\n- Crypto/chcr: Fixes compilations warnings (Raju Rangoju) [1961368]\n- crypto/chcr: IPV6 code needs to be in CONFIG_IPV6 (Raju Rangoju) [1961368]\n- crypto: lib/sha1 - remove unnecessary includes of linux/cryptohash.h (Raju Rangoju) [1961368]\n- Crypto/chcr: fix for hmac(sha) test fails (Raju Rangoju) [1961368]\n- Crypto/chcr: fix for ccm(aes) failed test (Raju Rangoju) [1961368]\n- Crypto/chcr: fix ctr, cbc, xts and rfc3686-ctr failed tests (Raju Rangoju) [1961368]\n- crypto: chelsio - remove redundant assignment to variable error (Raju Rangoju) [1961368]\n- chcr: Fix CPU hard lockup (Raju Rangoju) [1961368]\n- crypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN (Raju Rangoju) [1961368]\n- crypto: chelsio - switch to skcipher API (Raju Rangoju) [1961368]\n- crypto: chelsio - Remove VLA usage of skcipher (Raju Rangoju) [1961368]", "cvss3": {"exploitabilityScore": 1.8,
CVE-2020-26140
