An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.
{"githubexploit": [{"lastseen": "2022-03-23T18:41:59", "description": "# This is the Proof Of Concept code for CVE-2021-29155.\n\nThe ran...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-03T15:53:10", "type": "githubexploit", "title": "Exploit for Out-of-bounds Read in Linux Linux Kernel", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29155"], "modified": "2021-12-23T10:42:33", "id": "C0ADE54F-990F-5E04-8AD2-C7DD772426F3", "href": "", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}], "debiancve": [{"lastseen": "2023-12-03T15:22:41", "description": "An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-20T16:15:00", "type": "debiancve", "title": "CVE-2021-29155", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29155"], "modified": "2021-04-20T16:15:00", "id": "DEBIANCVE:CVE-2021-29155", "href": "https://security-tracker.debian.org/tracker/CVE-2021-29155", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "cbl_mariner": [{"lastseen": "2023-12-03T15:17:27", "description": "CVE-2021-29155 affecting package kernel 5.10.189.1-1. A patched version of the package is available.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-09-09T15:03:26", "type": "cbl_mariner", "title": "CVE-2021-29155 affecting package kernel 5.10.189.1-1", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29155"], "modified": "2021-09-09T15:03:26", "id": "CBLMARINER:4119", "href": "", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-03T15:17:33", "description": "CVE-2021-29155 affecting package kernel 5.10.78.1-1. A patched version of the package is available.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-09T06:52:47", "type": "cbl_mariner", "title": "CVE-2021-29155 affecting package kernel 5.10.78.1-1", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29155"], "modified": "2022-04-09T06:52:47", "id": "CBLMARINER:6545", "href": "", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "redhatcve": [{"lastseen": "2023-12-03T20:50:37", "description": "A vulnerability was discovered in retrieve_ptr_limit in kernel/bpf/verifier.c in the Linux kernel mechanism to mitigate speculatively out-of-bounds loads (Spectre mitigation). In this flaw a local, special user privileged (CAP_SYS_ADMIN) BPF program running on affected systems may bypass the protection, and execute speculatively out-of-bounds loads from the kernel memory. This can be abused to extract contents of kernel memory via side-channel.\n#### Mitigation\n\nThe default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space. \n\n\nFor the Red Hat Enterprise Linux 7 the eBPF for unprivileged users is always disabled. \nFor the Red Hat Enterprise Linux 8 to confirm the current state, inspect the sysctl with the command: \n\n\n# cat /proc/sys/kernel/unprivileged_bpf_disabled \n\n\nThe setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw. \n\n\nA kernel update will be required to mitigate the flaw for the root or users with CAP_SYS_ADMIN capabilities. \n\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-20T15:00:31", "type": "redhatcve", "title": "CVE-2021-29155", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29155"], "modified": "2023-04-06T07:55:32", "id": "RH:CVE-2021-29155", "href": "https://access.redhat.com/security/cve/cve-2021-29155", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "ubuntucve": [{"lastseen": "2023-12-05T14:00:07", "description": "An issue was discovered in the Linux kernel through 5.11.x.\nkernel/bpf/verifier.c performs undesirable out-of-bounds speculation on\npointer arithmetic, leading to side-channel attacks that defeat Spectre\nmitigations and obtain sensitive information from kernel memory.\nSpecifically, for sequences of pointer arithmetic operations, the pointer\nmodification performed by the first operation is not correctly accounted\nfor when restricting subsequent operations.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-20T00:00:00", "type": "ubuntucve", "title": "CVE-2021-29155", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29155"], "modified": "2021-04-20T00:00:00", "id": "UB:CVE-2021-29155", "href": "https://ubuntu.com/security/CVE-2021-29155", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "prion": [{"lastseen": "2023-11-22T00:46:20", "description": "An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.", "cvss3": {"cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-04-20T16:15:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29155"], "modified": "2022-04-19T03:58:00", "id": "PRION:CVE-2021-29155", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2021-29155", "cvss": {"score": 1.7, "vector": "AV:L/AC:L/Au:S/C:P/I:N/A:N"}}], "veracode": [{"lastseen": "2022-07-17T13:05:50", "description": "kernel is vulnerable to side-channel attack. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-12T23:36:15", "type": "veracode", "title": "Side-channel Attack", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29155"], "modified": "2022-04-19T05:16:52", "id": "VERACODE:33278", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-33278/summary", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2023-05-25T14:17:19", "description": "The openSUSE Leap 15.2 kernel was updated to receive various security and bugfixes.\n\nThe following security bugs were fixed :\n\n - CVE-2021-29650: The netfilter subsystem allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf (bnc#1184208).\n\n - CVE-2021-29155: kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations (bnc#1184942).\n\nThe following non-security bugs were fixed :\n\n - ACPI: CPPC: Replace cppc_attr with kobj_attribute (git-fixes).\n\n - ALSA: core: remove redundant spin_lock pair in snd_card_disconnect (git-fixes).\n\n - ALSA: emu8000: Fix a use after free in snd_emu8000_create_mixer (git-fixes).\n\n - ALSA: hda/cirrus: Add Headphone and Headset MIC Volume Control (git-fixes).\n\n - ALSA: hda/cirrus: Add error handling into CS8409 I2C functions (git-fixes).\n\n - ALSA: hda/cirrus: Add jack detect interrupt support from CS42L42 companion codec (git-fixes).\n\n - ALSA: hda/cirrus: Add support for CS8409 HDA bridge and CS42L42 companion codec (git-fixes).\n\n - ALSA: hda/cirrus: Cleanup patch_cirrus.c code (git-fixes).\n\n - ALSA: hda/cirrus: Fix CS42L42 Headset Mic volume control name (git-fixes).\n\n - ALSA: hda/cirrus: Make CS8409 driver more generic by using fixups (git-fixes).\n\n - ALSA: hda/cirrus: Set Initial DMIC volume for Bullseye to -26 dB (git-fixes).\n\n - ALSA: hda/cirrus: Use CS8409 filter to fix abnormal sounds on Bullseye (git-fixes).\n\n - ALSA: hda/realtek - Headset Mic issue on HP platform (git-fixes).\n\n - ALSA: hda/realtek: Add quirk for Intel Clevo PCx0Dx (git-fixes).\n\n - ALSA: hda/realtek: GA503 use same quirks as GA401 (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC269 ASUS quirk table entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC269 Acer quirk table entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC269 Dell quirk table entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC269 HP quirk table entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC269 Lenovo quirk table entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC269 Sony quirk table entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC662 quirk table entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC882 Acer quirk table entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC882 Clevo quirk table entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC882 Sony quirk table entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order remaining ALC269 quirk table entries (git-fixes).\n\n - ALSA: hda/realtek: Remove redundant entry for ALC861 Haier/Uniwill devices (git-fixes).\n\n - ALSA: hda/realtek: fix mic boost on Intel NUC 8 (git-fixes).\n\n - ALSA: hda/realtek: fix static noise on ALC285 Lenovo laptops (git-fixes).\n\n - ALSA: sb: Fix two use after free in snd_sb_qsound_build (git-fixes).\n\n - ALSA: usb-audio: Add DJM450 to Pioneer format quirk (git-fixes).\n\n - ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX (git-fixes).\n\n - ALSA: usb-audio: Add error checks for usb_driver_claim_interface() calls (git-fixes).\n\n - ALSA: usb-audio: Configure Pioneer DJM-850 samplerate (git-fixes).\n\n - ALSA: usb-audio: DJM-750: ensure format is set (git-fixes).\n\n - ALSA: usb-audio: Explicitly set up the clock selector (git-fixes).\n\n - ALSA: usb-audio: Fix Pioneer DJM devices URB_CONTROL request direction to set samplerate (git-fixes).\n\n - ALSA: usb-audio: Fix implicit sync clearance at stopping stream (git-fixes).\n\n - ALSA: usb: midi: do not return -ENOMEM when usb_urb_ep_type_check fails (git-fixes).\n\n - ASoC: Intel: kbl_da7219_max98927: Fix kabylake_ssp_fixup function (git-fixes).\n\n - ASoC: SOF: Intel: HDA: fix core status verification (git-fixes).\n\n - ASoC: SOF: Intel: hda: remove unnecessary parentheses (git-fixes).\n\n - ASoC: ak5558: Fix s/show/slow/ typo (git-fixes).\n\n - ASoC: ak5558: correct reset polarity (git-fixes).\n\n - ASoC: samsung: tm2_wm5110: check of of_parse return value (git-fixes).\n\n - ASoC: simple-card: fix possible uninitialized single_cpu local variable (git-fixes).\n\n - HID: alps: fix error return code in alps_input_configured() (git-fixes).\n\n - HID: google: add don USB id (git-fixes).\n\n - HID: plantronics: Workaround for double volume key presses (git-fixes).\n\n - HID: wacom: Assign boolean values to a bool variable (git-fixes).\n\n - HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices (git-fixes).\n\n - Input: i8042 - fix Pegatron C15B ID entry (git-fixes).\n\n - Input: nspire-keypad - enable interrupts only when opened (git-fixes).\n\n - Input: s6sy761 - fix coordinate read bit shift (git-fixes).\n\n - KVM: PPC: Book3S HV P9: Restore host CTRL SPR after guest exit (bsc#1156395).\n\n - KVM: PPC: Make the VMX instruction emulation routines static (bsc#1156395).\n\n - KVM: kvmclock: Fix vCPUs > 64 can't be online/hotpluged (bsc#1152489).\n\n - Move upstreamed i915 fix into sorted section\n\n - PCI/AER: Add RCEC AER error injection support (bsc#1174426).\n\n - PCI/AER: Add pcie_walk_rcec() to RCEC AER handling (bsc#1174426).\n\n - PCI/AER: Clear AER status from Root Port when resetting Downstream Port (bsc#1174426).\n\n - PCI/AER: Specify the type of Port that was reset (bsc#1174426).\n\n - PCI/AER: Use 'aer' variable for capability offset (bsc#1174426).\n\n - PCI/AER: Write AER Capability only when we control it (bsc#1174426).\n\n - PCI/ERR: Add pci_walk_bridge() to pcie_do_recovery() (bsc#1174426).\n\n - PCI/ERR: Add pcie_link_rcec() to associate RCiEPs (bsc#1174426).\n\n - PCI/ERR: Avoid negated conditional for clarity (bsc#1174426).\n\n - PCI/ERR: Bind RCEC devices to the Root Port driver (bsc#1174426).\n\n - PCI/ERR: Cache RCEC EA Capability offset in pci_init_capabilities() (bsc#1174426).\n\n - PCI/ERR: Clear AER status only when we control AER (bsc#1174426).\n\n - PCI/ERR: Clear PCIe Device Status errors only if OS owns AER (bsc#1174426).\n\n - PCI/ERR: Clear status of the reporting device (bsc#1174426).\n\n - PCI/ERR: Recover from RCEC AER errors (bsc#1174426).\n\n - PCI/ERR: Recover from RCiEP AER errors (bsc#1174426).\n\n - PCI/ERR: Rename reset_link() to reset_subordinates() (bsc#1174426).\n\n - PCI/ERR: Retain status from error notification (bsc#1174426).\n\n - PCI/ERR: Simplify by computing pci_pcie_type() once (bsc#1174426).\n\n - PCI/ERR: Simplify by using pci_upstream_bridge() (bsc#1174426).\n\n - PCI/ERR: Use 'bridge' for clarity in pcie_do_recovery() (bsc#1174426).\n\n - PCI/PME: Add pcie_walk_rcec() to RCEC PME handling (bsc#1174426).\n\n - PCI/portdrv: Report reset for frozen channel (bsc#1174426).\n\n - PCI: designware-ep: Fix the Header Type check (git-fixes).\n\n - PCI: tegra: Fix ASPM-L1SS advertisement disable code (git-fixes).\n\n - PCI: tegra: Move 'dbi' accesses to post common DWC initialization (git-fixes).\n\n - PM: runtime: Add documentation for pm_runtime_resume_and_get() (git-fixes).\n\n - Revert 'USB: cdc-acm: fix rounding error in TIOCSSERIAL' (git-fixes).\n\n - Revert 'bcache: Kill btree_io_wq' (git-fixes).\n\n - Revert 'dm cache: fix arm link errors with inline' (git-fixes).\n\n - USB: CDC-ACM: fix poison/unpoison imbalance (bsc#1184984).\n\n - USB: CDC-ACM: fix poison/unpoison imbalance (git-fixes).\n\n - USB: cdc-acm: fix TIOCGSERIAL implementation (git-fixes).\n\n - USB: cdc-acm: fix unprivileged TIOCCSERIAL (git-fixes).\n\n - USB: gadget: udc: fix wrong pointer passed to IS_ERR() and PTR_ERR() (git-fixes).\n\n - USB: serial: ark3116: fix TIOCGSERIAL implementation (git-fixes).\n\n - USB: serial: f81232: fix TIOCGSERIAL implementation (git-fixes).\n\n - USB: serial: f81534: fix TIOCGSERIAL implementation (git-fixes).\n\n - USB: serial: fix return value for unsupported ioctls (git-fixes).\n\n - USB: serial: mos7720: fix TIOCGSERIAL implementation (git-fixes).\n\n - USB: serial: opticon: fix TIOCGSERIAL implementation (git-fixes).\n\n - USB: serial: quatech2: fix TIOCGSERIAL implementation (git-fixes).\n\n - USB: serial: ssu100: fix TIOCGSERIAL implementation (git-fixes).\n\n - USB: serial: usb_wwan: fix TIOCGSERIAL implementation (git-fixes).\n\n - USB: serial: usb_wwan: fix TIOCSSERIAL jiffies conversions (git-fixes).\n\n - USB: serial: usb_wwan: fix unprivileged TIOCCSERIAL (git-fixes).\n\n - arm: dts: add imx7d pcf2127 fix to blacklist\n\n - ata: libahci_platform: fix IRQ check (git-fixes).\n\n - ath10k: Fix ath10k_wmi_tlv_op_pull_peer_stats_info() unlock without lock (git-fixes).\n\n - ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices (git-fixes).\n\n - backlight: journada720: Fix Wmisleading-indentation warning (git-fixes).\n\n - blkcg: fix memleak for iolatency (git-fixes).\n\n - block, bfq: set next_rq to waker_bfqq->next_rq in waker injection (bsc#1168838). \n\n - block: recalculate segment count for multi-segment discards correctly (bsc#1184724).\n\n - block: rsxx: select CONFIG_CRC32 (git-fixes).\n\n - bluetooth: eliminate the potential race condition when removing the HCI controller (git-fixes).\n\n - bnxt_en: reverse order of TX disable and carrier off (git-fixes).\n\n - bsg: free the request before return error code (git-fixes).\n\n - btrfs: fix qgroup data rsv leak caused by falloc failure (bsc#1185549).\n\n - btrfs: fix race between swap file activation and snapshot creation (bsc#1185587).\n\n - btrfs: fix race between writes to swap files and scrub (bsc#1185586).\n\n - btrfs: track qgroup released data in own variable in insert_prealloc_file_extent (bsc#1185549).\n\n - bus: qcom: Put child node before return (git-fixes).\n\n - cfg80211: remove WARN_ON() in cfg80211_sme_connect (git-fixes).\n\n - clk: exynos7: Mark aclk_fsys1_200 as critical (git-fixes).\n\n - clk: mvebu: armada-37xx-periph: Fix switching CPU freq from 250 Mhz to 1 GHz (git-fixes).\n\n - clk: mvebu: armada-37xx-periph: Fix workaround for switching from L1 to L0 (git-fixes).\n\n - clk: mvebu: armada-37xx-periph: remove .set_parent method for CPU PM clock (git-fixes).\n\n - clk: qcom: a53-pll: Add missing MODULE_DEVICE_TABLE (git-fixes).\n\n - clk: uniphier: Fix potential infinite loop (git-fixes).\n\n - clk: zynqmp: move zynqmp_pll_set_mode out of round_rate callback (git-fixes).\n\n - coresight: etm4x: Fix issues on trcseqevr access (git-fixes).\n\n - coresight: etm4x: Fix save and restore of TRCVMIDCCTLR1 register (git-fixes).\n\n - coresight: tmc-etr: Fix barrier packet insertion for perf buffer (git-fixes).\n\n - cpufreq: Kconfig: fix documentation links (git-fixes).\n\n - cpufreq: armada-37xx: Fix determining base CPU frequency (git-fixes).\n\n - cpufreq: armada-37xx: Fix driver cleanup when registration failed (git-fixes).\n\n - cpufreq: armada-37xx: Fix setting TBG parent for load levels (git-fixes).\n\n - cpufreq: armada-37xx: Fix the AVS value for load L1 (git-fixes).\n\n - crypto: arm/curve25519 - Move '.fpu' after '.arch' (git-fixes).\n\n - crypto: rng - fix crypto_rng_reset() refcounting when !CRYPTO_STATS (git-fixes).\n\n - cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds (git-fixes).\n\n - cxgb4: avoid collecting SGE_QBASE regs during traffic (git-fixes).\n\n - dm era: Fix bitset memory leaks (git-fixes).\n\n - dm era: Recover committed writeset after crash (git-fixes).\n\n - dm era: Reinitialize bitset cache before digesting a new writeset (git-fixes).\n\n - dm era: Update in-core bitset after committing the metadata (git-fixes).\n\n - dm era: Use correct value size in equality function of writeset tree (git-fixes).\n\n - dm era: Verify the data block size hasn't changed (git-fixes).\n\n - dm era: only resize metadata in preresume (git-fixes).\n\n - dm integrity: fix error reporting in bitmap mode after creation (git-fixes).\n\n - dm ioctl: fix error return code in target_message (git-fixes).\n\n - dm mpath: fix racey management of PG initialization (git-fixes).\n\n - dm raid: fix discard limits for raid1 (git-fixes).\n\n - dm writecache: fix the maximum number of arguments (git-fixes).\n\n - dm writecache: handle DAX to partitions on persistent memory correctly (git-fixes).\n\n - dm writecache: remove BUG() and fail gracefully instead (git-fixes).\n\n - dm zoned: select CONFIG_CRC32 (git-fixes).\n\n - dm: eliminate potential source of excessive kernel log noise (git-fixes).\n\n - dm: fix bug with RCU locking in dm_blk_report_zones (git-fixes).\n\n - dm: remove invalid sparse __acquires and __releases annotations (git-fixes).\n\n - dmaengine: dw: Make it dependent to HAS_IOMEM (git-fixes).\n\n - dpaa_eth: Remove unnecessary boolean expression in dpaa_get_headroom (git-fixes).\n\n - dpaa_eth: Use random MAC address when none is given (bsc#1184811).\n\n - dpaa_eth: copy timestamp fields to new skb in A-050385 workaround (git-fixes).\n\n - dpaa_eth: fix the RX headroom size alignment (git-fixes).\n\n - dpaa_eth: update the buffer layout for non-A050385 erratum scenarios (git-fixes).\n\n - drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' (git-fixes).\n\n - drm/amdkfd: fix build error with AMD_IOMMU_V2=m (git-fixes).\n\n - drm/ast: AST2500 fixups (bsc#1174416).\n\n - drm/ast: Add 25MHz refclk support (bsc#1174416).\n\n - drm/ast: Add support for 1152x864 mode (bsc#1174416).\n\n - drm/ast: Add support for AIP200 (bsc#1174416).\n\n - drm/ast: Correct mode table for AST2500 precatch (bsc#1174416).\n\n - drm/ast: Disable VGA decoding while driver is active (bsc#1174416).\n\n - drm/ast: Disable screen on register init (bsc#1174416).\n\n - drm/ast: Fix P2A config detection (bsc#1174416).\n\n - drm/ast: Fix register access in non-P2A mode for DP501 (bsc#1174416).\n\n - drm/ast: Keep MISC fields when enabling VGA (bsc#1174416).\n\n - drm/ast: drm/ast: Fix boot address for AST2500 (bsc#1174416).\n\n - drm/i915/gvt: Fix error code in intel_gvt_init_device() (git-fixes).\n\n - drm/imx: imx-ldb: fix out of bounds array access warning (git-fixes).\n\n - drm/msm: Fix a5xx/a6xx timestamps (git-fixes).\n\n - drm/omap: fix misleading indentation in pixinc() (git-fixes).\n\n - drm/radeon: fix copy of uninitialized variable back to userspace (git-fixes).\n\n - drm/tegra: dc: Do not set PLL clock to 0Hz (git-fixes).\n\n - e1000e: Fix duplicate include guard (git-fixes).\n\n - e1000e: Fix error handling in e1000_set_d0_lplu_state_82571 (git-fixes).\n\n - e1000e: add rtnl_lock() to e1000_reset_task (git-fixes).\n\n - enetc: Let the hardware auto-advance the taprio base-time of 0 (git-fixes).\n\n - enetc: Workaround for MDIO register access issue (git-fixes).\n\n - ethernet/netronome/nfp: Fix a use after free in nfp_bpf_ctrl_msg_rx (git-fixes).\n\n - ext4: do not try to set xattr into ea_inode if value is empty (bsc#1184730).\n\n - ext4: find old entry again if failed to rename whiteout (bsc#1184742).\n\n - ext4: fix potential error in ext4_do_update_inode (bsc#1184731).\n\n - ext4: fix potential htree index checksum corruption (bsc#1184728).\n\n - firmware: qcom-scm: Fix QCOM_SCM configuration (git-fixes).\n\n - fnic: use scsi_host_busy_iter() to traverse commands (bsc#1179851).\n\n - fotg210-udc: Complete OUT requests on short packets (git-fixes).\n\n - fotg210-udc: Do not DMA more than the buffer can take (git-fixes).\n\n - fotg210-udc: Fix DMA on EP0 for length > max packet size (git-fixes).\n\n - fotg210-udc: Fix EP0 IN requests bigger than two packets (git-fixes).\n\n - fotg210-udc: Mask GRP2 interrupts we do not handle (git-fixes).\n\n - fotg210-udc: Remove a dubious condition leading to fotg210_done (git-fixes).\n\n - fs/jfs: fix potential integer overflow on shift of a int (bsc#1184741).\n\n - fs: direct-io: fix missing sdio->boundary (bsc#1184736).\n\n - fsl/fman: reuse set_mac_address() in dtsec init() (bsc#1184811).\n\n - fsl/fman: tolerate missing MAC address in device tree (bsc#1184811).\n\n - gpio: omap: Save and restore sysconfig (git-fixes).\n\n - gpio: sysfs: Obey valid_mask (git-fixes).\n\n - i2c: cadence: add IRQ check (git-fixes).\n\n - i2c: emev2: add IRQ check (git-fixes).\n\n - i2c: img-scb: fix reference leak when pm_runtime_get_sync fails (git-fixes).\n\n - i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails (git-fixes).\n\n - i2c: jz4780: add IRQ check (git-fixes).\n\n - i2c: omap: fix reference leak when pm_runtime_get_sync fails (git-fixes).\n\n - i2c: sh7760: add IRQ check (git-fixes).\n\n - i2c: sh7760: fix IRQ error path (git-fixes).\n\n - i2c: sprd: fix reference leak when pm_runtime_get_sync fails (git-fixes).\n\n - i40e: Add zero-initialization of AQ command structures (git-fixes).\n\n - i40e: Added Asym_Pause to supported link modes (git-fixes).\n\n - i40e: Fix add TC filter for IPv6 (git-fixes).\n\n - i40e: Fix addition of RX filters after enabling FW LLDP agent (git-fixes).\n\n - i40e: Fix display statistics for veb_tc (git-fixes).\n\n - i40e: Fix endianness conversions (git-fixes).\n\n - i40e: Fix flow for IPv6 next header (extension header) (git-fixes).\n\n - i40e: Fix kernel oops when i40e driver removes VF's (git-fixes).\n\n - i40e: Fix overwriting flow control settings during driver loading (git-fixes).\n\n - i40e: Fix sparse errors in i40e_txrx.c (git-fixes).\n\n - i40e: Fix sparse warning: missing error code 'err' (git-fixes).\n\n - i40e: fix the panic when running bpf in xdpdrv mode (git-fixes).\n\n - ibmvnic: avoid calling napi_disable() twice (bsc#1065729).\n\n - ibmvnic: clean up the remaining debugfs data structures (bsc#1065729).\n\n - ibmvnic: correctly use dev_consume/free_skb_irq (jsc#SLE-17268 jsc#SLE-17043 bsc#1179243 ltc#189290 git-fixes).\n\n - ibmvnic: improve failover sysfs entry (bsc#1043990 ltc#155681 git-fixes).\n\n - ibmvnic: print adapter state as a string (bsc#1152457 ltc#174432 git-fixes).\n\n - ibmvnic: print reset reason as a string (bsc#1152457 ltc#174432 git-fixes).\n\n - ibmvnic: queue reset work in system_long_wq (bsc#1152457 ltc#174432 git-fixes).\n\n - ibmvnic: remove duplicate napi_schedule call in do_reset function (bsc#1065729).\n\n - ibmvnic: remove duplicate napi_schedule call in open function (bsc#1065729).\n\n - ice: Account for port VLAN in VF max packet size calculation (git-fixes).\n\n - ice: Cleanup fltr list in case of allocation issues (git-fixes).\n\n - ice: Fix for dereference of NULL pointer (git-fixes).\n\n - ice: Increase control queue timeout (git-fixes).\n\n - ice: prevent ice_open and ice_stop during reset (git-fixes).\n\n - igb: Fix duplicate include guard (git-fixes).\n\n - igb: check timestamp validity (git-fixes).\n\n - igc: Fix Pause Frame Advertising (git-fixes).\n\n - igc: Fix Supported Pause Frame Link Setting (git-fixes).\n\n - igc: reinit_locked() should be called with rtnl_lock (git-fixes).\n\n - iio:accel:adis16201: Fix wrong axis assignment that prevents loading (git-fixes).\n\n - ima: Free IMA measurement buffer after kexec syscall (git-fixes).\n\n - interconnect: core: fix error return code of icc_link_destroy() (git-fixes).\n\n - iopoll: introduce read_poll_timeout macro (git-fixes).\n\n - ipw2x00: potential buffer overflow in libipw_wx_set_encodeext() (git-fixes).\n\n - irqchip/ls-extirq: Add LS1043A, LS1088A external interrupt support (bsc#1185233).\n\n - irqchip/ls-extirq: add IRQCHIP_SKIP_SET_WAKE to the irqchip flags (bsc#1185233).\n\n - irqchip: Add support for Layerscape external interrupt lines (bsc#1185233).\n\n - isofs: release buffer head before return (bsc#1182613).\n\n - ixgbe: fail to create xfrm offload of IPsec tunnel mode SA (git-fixes).\n\n - jffs2: fix use after free in jffs2_sum_write_data() (bsc#1184740).\n\n - kABI: Fix kABI caused by fixes for bsc#1174426 (bsc#1174426).\n\n - kABI: cover up change in struct kvm_arch (bsc#1184969).\n\n - kABI: powerpc/pseries: Add shutdown() to vio_driver and vio_bus (bsc#1184209 ltc#190917).\n\n - kernel/smp: make csdlock timeout depend on boot parameter (bsc#1180846).\n\n - libnvdimm/label: Return -ENXIO for no slot in\n __blk_label_update (bsc#1185269).\n\n - libnvdimm/namespace: Fix reaping of invalidated block-window-namespace labels (bsc#1185269).\n\n - libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC (bsc#1184969 git-fixes).\n\n - libnvdimm/security: ensure sysfs poll thread woke up and fetch updated attr (git-fixes).\n\n - liquidio: Fix unintented sign extension of a left shift of a u16 (git-fixes).\n\n - locking/qrwlock: Fix ordering in queued_write_lock_slowpath() (bsc#1185041).\n\n - mac80211: bail out if cipher schemes are invalid (git-fixes).\n\n - mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN (git-fixes).\n\n - macvlan: macvlan_count_rx() needs to be aware of preemption (git-fixes).\n\n - media: dvbdev: Fix memory leak in dvb_media_device_free() (git-fixes).\n\n - media: m88rs6000t: avoid potential out-of-bounds reads on arrays (git-fixes).\n\n - media: mantis: remove orphan mantis_core.c (git-fixes).\n\n - media: omap4iss: return error code when omap4iss_get() failed (git-fixes).\n\n - media: platform: sunxi: sun6i-csi: fix error return code of sun6i_video_start_streaming() (git-fixes).\n\n - media: staging/intel-ipu3: Fix memory leak in imu_fmt (git-fixes).\n\n - media: staging/intel-ipu3: Fix race condition during set_fmt (git-fixes).\n\n - media: staging/intel-ipu3: Fix set_fmt error handling (git-fixes).\n\n - media: v4l2-ctrls.c: fix race condition in hdl->requests list (git-fixes).\n\n - memory: gpmc: fix out of bounds read and dereference on gpmc_cs[] (git-fixes).\n\n - memory: pl353: fix mask of ECC page_size config register (git-fixes).\n\n - mfd: lpc_sch: Partially revert 'Add support for Intel Quark X1000' (git-fixes).\n\n - mfd: stm32-timers: Avoid clearing auto reload register (git-fixes).\n\n - misc: lis3lv02d: Fix false-positive WARN on various HP models (git-fixes).\n\n - misc: vmw_vmci: explicitly initialize vmci_datagram payload (git-fixes).\n\n - misc: vmw_vmci: explicitly initialize vmci_notify_bm_set_msg struct (git-fixes).\n\n - mm/rmap: fix potential pte_unmap on an not mapped pte (git-fixes).\n\n - mm: memcontrol: fix cpuhotplug statistics flushing (bsc#1185606).\n\n - mmc: core: Correct descriptions in mmc_of_parse() (git-fixes).\n\n - mmc: cqhci: Add cqhci_deactivate() (git-fixes).\n\n - mmc: mmc_spi: Drop unused NO_IRQ definition (git-fixes).\n\n - mmc: sdhci-of-arasan: Add missed checks for devm_clk_register() (git-fixes).\n\n - mmc: sdhci-of-dwcmshc: fix rpmb access (git-fixes).\n\n - mmc: sdhci-of-dwcmshc: implement specific set_uhs_signaling (git-fixes).\n\n - mmc: sdhci-of-esdhc: make sure delay chain locked for HS400 (git-fixes).\n\n - mmc: sdhci-of-esdhc: set timeout to max before tuning (git-fixes).\n\n - mmc: sdhci-pci: Fix SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers (git-fixes).\n\n - mmc: sdhci: Use Auto CMD Auto Select only when v4_mode is true (git-fixes).\n\n - mmc: uniphier-sd: Fix a resource leak in the remove function (git-fixes).\n\n - mmc: uniphier-sd: Fix an error handling path in uniphier_sd_probe() (git-fixes).\n\n - mt7601u: fix always true expression (git-fixes).\n\n - mtd: Handle possible -EPROBE_DEFER from parse_mtd_partitions() (git-fixes).\n\n - mtd: rawnand: atmel: Update ecc_stats.corrected counter (git-fixes).\n\n - mtd: rawnand: brcmnand: fix OOB R/W with Hamming ECC (git-fixes).\n\n - mtd: rawnand: fsmc: Fix error code in fsmc_nand_probe() (git-fixes).\n\n - mtd: rawnand: gpmi: Fix a double free in gpmi_nand_init (git-fixes).\n\n - mtd: rawnand: qcom: Return actual error code instead of\n -ENODEV (git-fixes).\n\n - mtd: require write permissions for locking and badblock ioctls (git-fixes).\n\n - mtd: spi-nor: Rename 'n25q512a' to 'mt25qu512a (n25q512a)' (bsc#1167260).\n\n - mtd: spi-nor: Split mt25qu512a (n25q512a) entry into two (bsc#1167260).\n\n - mtd: spinand: core: add missing MODULE_DEVICE_TABLE() (git-fixes).\n\n - nbd: fix a block_device refcount leak in nbd_release (git-fixes).\n\n - net/mlx4_core: Add missed mlx4_free_cmd_mailbox() (git-fixes).\n\n - net/mlx4_en: update moderation when config reset (git-fixes).\n\n - net/mlx5: Do not request more than supported EQs (git-fixes).\n\n - net/mlx5e: Do not match on Geneve options in case option masks are all zero (git-fixes).\n\n - net/mlx5e: Fix error path for ethtool set-priv-flag (git-fixes).\n\n - net/mlx5e: Fix ethtool indication of connector type (git-fixes).\n\n - net/mlx5e: fix ingress_ifindex check in mlx5e_flower_parse_meta (jsc#SLE-8464).\n\n - net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template (git-fixes).\n\n - net: atlantic: fix out of range usage of active_vlans array (git-fixes).\n\n - net: atlantic: fix potential error handling (git-fixes).\n\n - net: atlantic: fix use after free kasan warn (git-fixes).\n\n - net: dsa: felix: implement port flushing on .phylink_mac_link_down (git-fixes).\n\n - net: enetc: remove bogus write to SIRXIDR from enetc_setup_rxbdr (git-fixes).\n\n - net: enetc: take the MDIO lock only once per NAPI poll cycle (git-fixes).\n\n - net: geneve: check skb is large enough for IPv4/IPv6 header (git-fixes).\n\n - net: geneve: modify IP header check in geneve6_xmit_skb and geneve_xmit_skb (git-fixes).\n\n - net: hns3: Remove un-necessary 'else-if' in the hclge_reset_event() (git-fixes).\n\n - net: hns3: clear VF down state bit before request link status (git-fixes).\n\n - net: hns3: fix bug when calculating the TCAM table info (git-fixes).\n\n - net: hns3: fix query vlan mask value error for flow director (git-fixes).\n\n - net: ll_temac: Add more error handling of dma_map_single() calls (git-fixes).\n\n - net: ll_temac: Fix RX buffer descriptor handling on GFP_ATOMIC pressure (git-fixes).\n\n - net: ll_temac: Fix race condition causing TX hang (git-fixes).\n\n - net: ll_temac: Handle DMA halt condition caused by buffer underrun (git-fixes).\n\n - net: phy: intel-xway: enable integrated led functions (git-fixes).\n\n - net: phy: marvell: fix m88e1011_set_downshift (git-fixes).\n\n - net: phy: marvell: fix m88e1111_set_downshift (git-fixes).\n\n - net: smc911x: Adjust indentation in smc911x_phy_configure (git-fixes).\n\n - net: stmmac: fix missing IFF_MULTICAST check in dwmac4_set_filter (git-fixes).\n\n - net: stmmac: xgmac: fix missing IFF_MULTICAST checki in dwxgmac2_set_filter (git-fixes).\n\n - net: tulip: Adjust indentation in (dmfe, uli526x)_init_module (git-fixes).\n\n - net:nfc:digital: Fix a double free in digital_tg_recv_dep_req (git-fixes).\n\n - nfc: pn533: prevent potential memory corruption (git-fixes).\n\n - nfp: flower: ignore duplicate merge hints from FW (git-fixes).\n\n - node: fix device cleanups in error handling code (git-fixes).\n\n - null_blk: fix passing of REQ_FUA flag in null_handle_rq (git-fixes).\n\n - nvme-fabrics: reject I/O to offline device (bsc#1181161).\n\n - nvme-multipath: reset bdev to ns head when failover (bsc#178378 bsc#1182999).\n\n - nvme-tcp: fix possible hang when failing to set io queues (bsc#1181161).\n\n - nvme: add 'kato' sysfs attribute (bsc#1179825).\n\n - nvme: sanitize KATO setting (bsc#1179825).\n\n - ocfs2: fix a use after free on error (bsc#1184738).\n\n - pata_arasan_cf: fix IRQ check (git-fixes).\n\n - pata_ipx4xx_cf: fix IRQ check (git-fixes).\n\n - phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y, unconditionally (git-fixes).\n\n - pinctrl: Ingenic: Add missing pins to the JZ4770 MAC MII group (git-fixes).\n\n - pinctrl: core: Fix kernel doc string for pin_get_name() (git-fixes).\n\n - pinctrl: lewisburg: Update number of pins in community (git-fixes).\n\n - platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards with critclk_systems DMI table (git-fixes).\n\n - powerepc/book3s64/hash: Align start/end address correctly with bolt mapping (bsc#1184957).\n\n - powerpc/64s: Fix pte update for kernel memory on radix (bsc#1055117 git-fixes).\n\n - powerpc/asm-offsets: GPR14 is not needed either (bsc#1065729).\n\n - powerpc/eeh: Fix EEH handling for hugepages in ioremap space (bsc#1156395).\n\n - powerpc/fadump: Mark fadump_calculate_reserve_size as\n __init (bsc#1065729).\n\n - powerpc/mm: Add cond_resched() while removing hpte mappings (bsc#1183289 ltc#191637).\n\n - powerpc/papr_scm: Fix build error due to wrong printf specifier (bsc#1184969).\n\n - powerpc/papr_scm: Implement support for H_SCM_FLUSH hcall (bsc#1184969).\n\n - powerpc/perf: Fix PMU constraint check for EBB events (bsc#1065729).\n\n - powerpc/prom: Mark identical_pvr_fixup as __init (bsc#1065729).\n\n - powerpc/pseries: Add shutdown() to vio_driver and vio_bus (bsc#1184209 ltc#190917).\n\n - powerpc/time: Enable sched clock for irqtime (bsc#1156395).\n\n - regmap: set debugfs_name to NULL after it is freed (git-fixes).\n\n - regulator: Avoid a double 'of_node_get' in 'regulator_of_get_init_node()' (git-fixes).\n\n - reintroduce cqhci_suspend for kABI (git-fixes).\n\n - reiserfs: update reiserfs_xattrs_initialized() condition (bsc#1184737).\n\n - rsi: Use resume_noirq for SDIO (git-fixes).\n\n - rsxx: remove extraneous 'const' qualifier (git-fixes).\n\n - rtc: ds1307: Fix wday settings for rx8130 (git-fixes).\n\n - rtc: fsl-ftm-alarm: add MODULE_TABLE() (bsc#1185454).\n\n - rtc: fsl-ftm-alarm: avoid struct rtc_time conversions (bsc#1185454).\n\n - rtc: fsl-ftm-alarm: enable acpi support (bsc#1185454).\n\n - rtc: fsl-ftm-alarm: fix freeze(s2idle) failed to wake (bsc#1185454).\n\n - rtc: fsl-ftm-alarm: report alarm to core (bsc#1185454).\n\n - rtc: fsl-ftm-alarm: switch to ktime_get_real_seconds (bsc#1185454).\n\n - rtc: fsl-ftm-alarm: switch to rtc_time64_to_tm/rtc_tm_to_time64 (bsc#1185454).\n\n - rtc: fsl-ftm-alarm: update acpi device id (bsc#1185454).\n\n - rtc: pcf2127: add alarm support (bsc#1185233).\n\n - rtc: pcf2127: add pca2129 device id (bsc#1185233).\n\n - rtc: pcf2127: add tamper detection support (bsc#1185233).\n\n - rtc: pcf2127: add watchdog feature support (bsc#1185233).\n\n - rtc: pcf2127: bugfix: watchdog build dependency (bsc#1185233).\n\n - rtc: pcf2127: cleanup register and bit defines (bsc#1185233).\n\n - rtc: pcf2127: convert to devm_rtc_allocate_device (bsc#1185233).\n\n - rtc: pcf2127: fix a bug when not specify interrupts property (bsc#1185233).\n\n - rtc: pcf2127: fix alarm handling (bsc#1185233).\n\n - rtc: pcf2127: fix pcf2127_nvmem_read/write() returns (bsc#1185233).\n\n - rtc: pcf2127: handle boot-enabled watchdog feature (bsc#1185233).\n\n - rtc: pcf2127: let the core handle rtc range (bsc#1185233).\n\n - rtc: pcf2127: move watchdog initialisation to a separate function (bsc#1185233).\n\n - rtc: pcf2127: only use watchdog when explicitly available (bsc#1185233).\n\n - rtc: pcf2127: properly set flag WD_CD for rtc chips(pcf2129, pca2129) (bsc#1185233).\n\n - rtc: pcf2127: remove unnecessary #ifdef (bsc#1185233).\n\n - rtc: pcf2127: set regmap max_register (bsc#1185233).\n\n - rtc: pcf2127: watchdog: handle nowayout feature (bsc#1185233).\n\n - rtlwifi: 8821ae: upgrade PHY and RF parameters (git-fixes).\n\n - rtw88: Fix array overrun in rtw_get_tx_power_params() (git-fixes).\n\n - sata_mv: add IRQ checks (git-fixes).\n\n - scsi: block: Fix a race in the runtime power management code (git-fixes).\n\n - scsi: core: Only return started requests from scsi_host_find_tag() (bsc#1179851).\n\n - scsi: core: add scsi_host_busy_iter() (bsc#1179851).\n\n - scsi: lpfc: Copyright updates for 12.8.0.9 patches (bsc#1185472).\n\n - scsi: lpfc: Eliminate use of LPFC_DRIVER_NAME in lpfc_attr.c (bsc#1185472).\n\n - scsi: lpfc: Fix DMA virtual address ptr assignment in bsg (bsc#1185365).\n\n - scsi: lpfc: Fix NMI crash during rmmod due to circular hbalock dependency (bsc#1185472).\n\n - scsi: lpfc: Fix a bunch of kernel-doc issues (bsc#1185472).\n\n - scsi: lpfc: Fix a bunch of kernel-doc misdemeanours (bsc#1185472).\n\n - scsi: lpfc: Fix a bunch of misnamed functions (bsc#1185472).\n\n - scsi: lpfc: Fix a few incorrectly named functions (bsc#1185472).\n\n - scsi: lpfc: Fix a typo (bsc#1185472).\n\n - scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO response (bsc#1185472).\n\n - scsi: lpfc: Fix error handling for mailboxes completed in MBX_POLL mode (bsc#1185472).\n\n - scsi: lpfc: Fix formatting and misspelling issues (bsc#1185472).\n\n - scsi: lpfc: Fix gcc -Wstringop-overread warning (bsc#1185472).\n\n - scsi: lpfc: Fix illegal memory access on Abort IOCBs (bsc#1183203).\n\n - scsi: lpfc: Fix incorrect naming of\n __lpfc_update_fcf_record() (bsc#1185472).\n\n - scsi: lpfc: Fix incorrectly documented function lpfc_debugfs_commonxripools_data() (bsc#1185472).\n\n - scsi: lpfc: Fix kernel-doc formatting issue (bsc#1185472).\n\n - scsi: lpfc: Fix lack of device removal on port swaps with PRLIs (bsc#1185472).\n\n - scsi: lpfc: Fix lpfc_hdw_queue attribute being ignored (bsc#1185472).\n\n - scsi: lpfc: Fix missing FDMI registrations after Mgmt Svc login (bsc#1185472).\n\n - scsi: lpfc: Fix reference counting errors in lpfc_cmpl_els_rsp() (bsc#1185472).\n\n - scsi: lpfc: Fix rmmod crash due to bad ring pointers to abort_iotag (bsc#1185472).\n\n - scsi: lpfc: Fix silent memory allocation failure in lpfc_sli4_bsg_link_diag_test() (bsc#1185472).\n\n - scsi: lpfc: Fix some error codes in debugfs (bsc#1185472).\n\n - scsi: lpfc: Fix use-after-free on unused nodes after port swap (bsc#1185472).\n\n - scsi: lpfc: Fix various trivial errors in comments and log messages (bsc#1185472).\n\n - scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic (bsc#1185472).\n\n - scsi: lpfc: Standardize discovery object logging format (bsc#1185472).\n\n - scsi: lpfc: Update lpfc version to 12.8.0.9 (bsc#1185472).\n\n - scsi: qla2xxx: Add H:C:T info in the log message for fc ports (bsc#1185491).\n\n - scsi: qla2xxx: Add error counters to debugfs node (bsc#1185491).\n\n - scsi: qla2xxx: Always check the return value of qla24xx_get_isp_stats() (bsc#1185491).\n\n - scsi: qla2xxx: Assign boolean values to a bool variable (bsc#1185491).\n\n - scsi: qla2xxx: Check kzalloc() return value (bsc#1185491).\n\n - scsi: qla2xxx: Consolidate zio threshold setting for both FCP & NVMe (bsc#1185491).\n\n - scsi: qla2xxx: Constify struct qla_tgt_func_tmpl (bsc#1185491).\n\n - scsi: qla2xxx: Do logout even if fabric scan retries got exhausted (bsc#1185491).\n\n - scsi: qla2xxx: Enable NVMe CONF (BIT_7) when enabling SLER (bsc#1185491).\n\n - scsi: qla2xxx: Fix IOPS drop seen in some adapters (bsc#1185491).\n\n - scsi: qla2xxx: Fix RISC RESET completion polling (bsc#1185491).\n\n - scsi: qla2xxx: Fix a couple of misdocumented functions (bsc#1185491).\n\n - scsi: qla2xxx: Fix a couple of misnamed functions (bsc#1185491).\n\n - scsi: qla2xxx: Fix broken #endif placement (bsc#1185491).\n\n - scsi: qla2xxx: Fix crash in PCIe error handling (bsc#1185491).\n\n - scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() (bsc#1185491).\n\n - scsi: qla2xxx: Fix endianness annotations (bsc#1185491).\n\n - scsi: qla2xxx: Fix incorrectly named function qla8044_check_temp() (bsc#1185491).\n\n - scsi: qla2xxx: Fix mailbox Ch erroneous error (bsc#1185491).\n\n - scsi: qla2xxx: Fix mailbox recovery during PCIe error (bsc#1185491).\n\n - scsi: qla2xxx: Fix some incorrect formatting/spelling issues (bsc#1185491).\n\n - scsi: qla2xxx: Fix some memory corruption (bsc#1185491).\n\n - scsi: qla2xxx: Fix stuck session (bsc#1185491).\n\n - scsi: qla2xxx: Fix use after free in bsg (bsc#1185491).\n\n - scsi: qla2xxx: Implementation to get and manage host, target stats and initiator port (bsc#1185491).\n\n - scsi: qla2xxx: Move some messages from debug to normal log level (bsc#1185491).\n\n - scsi: qla2xxx: Remove redundant NULL check (bsc#1185491).\n\n - scsi: qla2xxx: Remove unnecessary NULL check (bsc#1185491).\n\n - scsi: qla2xxx: Remove unneeded if-null-free check (bsc#1185491).\n\n - scsi: qla2xxx: Replace __qla2x00_marker()'s missing underscores (bsc#1185491).\n\n - scsi: qla2xxx: Reserve extra IRQ vectors (bsc#1184436).\n\n - scsi: qla2xxx: Reuse existing error handling path (bsc#1185491).\n\n - scsi: qla2xxx: Simplify if statement (bsc#1185491).\n\n - scsi: qla2xxx: Simplify qla8044_minidump_process_control() (bsc#1185491).\n\n - scsi: qla2xxx: Simplify the calculation of variables (bsc#1185491).\n\n - scsi: qla2xxx: Suppress Coverity complaints about dseg_r* (bsc#1185491).\n\n - scsi: qla2xxx: Update default AER debug mask (bsc#1185491).\n\n - scsi: qla2xxx: Update version to 10.02.00.105-k (bsc#1185491).\n\n - scsi: qla2xxx: Update version to 10.02.00.106-k (bsc#1185491).\n\n - scsi: qla2xxx: Use dma_pool_zalloc() (bsc#1185491).\n\n - scsi: qla2xxx: Wait for ABTS response on I/O timeouts for NVMe (bsc#1185491).\n\n - scsi: qla2xxx: fc_remote_port_chkready() returns a SCSI result value (bsc#1185491).\n\n - scsi: smartpqi: Correct driver removal with HBA disks (bsc#1178089).\n\n - scsi: smartpqi: Correct pqi_sas_smp_handler busy condition (bsc#1178089).\n\n - scsi: smartpqi: Update version to 1.2.16-012 (bsc#1178089).\n\n - selftests/powerpc: Add pkey helpers for rights (bsc#1184934 ltc#191460).\n\n - selftests/powerpc: Add test for execute-disabled pkeys (bsc#1184934 ltc#191460).\n\n - selftests/powerpc: Add test for pkey siginfo verification (bsc#1184934 ltc#191460).\n\n - selftests/powerpc: Add wrapper for gettid (bsc#1184934 ltc#191460).\n\n - selftests/powerpc: Fix L1D flushing tests for Power10 (bsc#1184934 ltc#191460).\n\n - selftests/powerpc: Fix exit status of pkey tests (bsc#1184934 ltc#191460).\n\n - selftests/powerpc: Fix pkey syscall redefinitions (bsc#1184934 ltc#191460).\n\n - selftests/powerpc: Move pkey helpers to headers (bsc#1184934 ltc#191460).\n\n - selftests/powerpc: refactor entry and rfi_flush tests (bsc#1184934 ltc#191460).\n\n - series.conf: cleanup\n\n - series.conf: cleanup\n\n - series.conf: cleanup\n\n - soc: aspeed: fix a ternary sign expansion bug (git-fixes).\n\n - soc: qcom: mdt_loader: Detect truncated read of segments (git-fixes).\n\n - soc: qcom: mdt_loader: Validate that p_filesz < p_memsz (git-fixes).\n\n - soundwire: bus: Fix device found flag correctly (git-fixes).\n\n - soundwire: stream: fix memory leak in stream config error path (git-fixes).\n\n - spi: Introduce dspi_slave_abort() function for NXP's dspi SPI driver (bsc#1167260).\n\n - spi: fsl-dspi: fix NULL pointer dereference (bsc#1167260).\n\n - spi: fsl-dspi: fix use-after-free in remove path (bsc#1167260).\n\n - spi: fsl-dspi: fix wrong pointer in suspend/resume (bsc#1167260).\n\n - spi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware() (git-fixes).\n\n - spi: spi-fsl-dspi: Accelerate transfers using larger word size if possible (bsc#1167260).\n\n - spi: spi-fsl-dspi: Add comments around dspi_pop_tx and dspi_push_rx functions (bsc#1167260).\n\n - spi: spi-fsl-dspi: Add support for LS1028A (bsc#1167260).\n\n - spi: spi-fsl-dspi: Adding shutdown hook (bsc#1167260).\n\n - spi: spi-fsl-dspi: Always use the TCFQ devices in poll mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: Avoid NULL pointer in dspi_slave_abort for non-DMA mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: Avoid reading more data than written in EOQ mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: Change usage pattern of SPI_MCR_* and SPI_CTAR_* macros (bsc#1167260).\n\n - spi: spi-fsl-dspi: Convert TCFQ users to XSPI FIFO mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: Convert the instantiations that support it to DMA (bsc#1167260).\n\n - spi: spi-fsl-dspi: Demistify magic value in SPI_SR_CLEAR (bsc#1167260).\n\n - spi: spi-fsl-dspi: Do not access reserved fields in SPI_MCR (bsc#1167260).\n\n - spi: spi-fsl-dspi: Do not mask off undefined bits (bsc#1167260).\n\n - spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix 16-bit word order in 32-bit XSPI mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix bits-per-word acceleration in DMA mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix code alignment (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix external abort on interrupt in resume or exit paths (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix interrupt-less DMA mode taking an XSPI code path (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix little endian access to PUSHR CMD and TXDATA (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix lockup if device is removed during SPI transfer (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix lockup if device is shutdown during SPI transfer (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix race condition in TCFQ/EOQ interrupt (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix typos (bsc#1167260).\n\n - spi: spi-fsl-dspi: Free DMA memory with matching function (bsc#1167260).\n\n - spi: spi-fsl-dspi: Implement .max_message_size method for EOQ mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: Initialize completion before possible interrupt (bsc#1167260).\n\n - spi: spi-fsl-dspi: LS2080A and LX2160A support XSPI mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: Make bus-num property optional (bsc#1167260).\n\n - spi: spi-fsl-dspi: Move dspi_interrupt above dspi_transfer_one_message (bsc#1167260).\n\n - spi: spi-fsl-dspi: Move invariant configs out of dspi_transfer_one_message (bsc#1167260).\n\n - spi: spi-fsl-dspi: Optimize dspi_setup_accel for lowest interrupt count (bsc#1167260).\n\n - spi: spi-fsl-dspi: Parameterize the FIFO size and DMA buffer size (bsc#1167260).\n\n - spi: spi-fsl-dspi: Protect against races on dspi->words_in_flight (bsc#1167260).\n\n - spi: spi-fsl-dspi: Reduce indentation in dspi_release_dma() (bsc#1167260).\n\n - spi: spi-fsl-dspi: Reduce indentation level in dspi_interrupt (bsc#1167260).\n\n - spi: spi-fsl-dspi: Remove impossible to reach error check (bsc#1167260).\n\n - spi: spi-fsl-dspi: Remove pointless assignment of master->transfer to NULL (bsc#1167260).\n\n - spi: spi-fsl-dspi: Remove unused chip->void_write_data (bsc#1167260).\n\n - spi: spi-fsl-dspi: Remove unused defines and includes (bsc#1167260).\n\n - spi: spi-fsl-dspi: Remove unused initialization of 'ret' in dspi_probe (bsc#1167260).\n\n - spi: spi-fsl-dspi: Rename fifo_(read,write) and (tx,cmd)_fifo_write (bsc#1167260).\n\n - spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion (bsc#1167260).\n\n - spi: spi-fsl-dspi: Replace legacy spi_master names with spi_controller (bsc#1167260).\n\n - spi: spi-fsl-dspi: Simplify bytes_per_word gymnastics (bsc#1167260).\n\n - spi: spi-fsl-dspi: Take software timestamp in dspi_fifo_write (bsc#1167260).\n\n - spi: spi-fsl-dspi: Use BIT() and GENMASK() macros (bsc#1167260).\n\n - spi: spi-fsl-dspi: Use EOQ for last word in buffer even for XSPI mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: Use dma_request_chan() instead dma_request_slave_channel() (bsc#1167260).\n\n - spi: spi-fsl-dspi: Use poll mode in case the platform IRQ is missing (bsc#1167260).\n\n - spi: spi-fsl-dspi: Use reverse Christmas tree declaration order (bsc#1167260).\n\n - spi: spi-fsl-dspi: Use specific compatible strings for all SoC instantiations (bsc#1167260).\n\n - spi: spi-fsl-dspi: delete EOQ transfer mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: fix DMA mapping (bsc#1167260).\n\n - spi: spi-fsl-dspi: fix native data copy (bsc#1167260).\n\n - spi: spi-fsl-dspi: remove git-fixes Remove git-fixes.\n Prepare to update the driver. References: bsc#1167260\n\n - spi: spi-fsl-dspi: set ColdFire to DMA mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: use XSPI mode instead of DMA for DPAA2 SoCs (bsc#1167260).\n\n - spi: spi-ti-qspi: Free DMA resources (git-fixes).\n\n - staging: fwserial: fix TIOCGSERIAL implementation (git-fixes).\n\n - staging: fwserial: fix TIOCSSERIAL implementation (git-fixes).\n\n - staging: fwserial: fix TIOCSSERIAL jiffies conversions (git-fixes).\n\n - staging: fwserial: fix TIOCSSERIAL permission check (git-fixes).\n\n - staging: rtl8192u: Fix potential infinite loop (git-fixes).\n\n - thermal/drivers/cpufreq_cooling: Update cpufreq_state only if state has changed (git-fixes).\n\n - usb: Remove dev_err() usage after platform_get_irq() (git-fixes).\n\n - usb: dwc2: Fix hibernation between host and device modes (git-fixes).\n\n - usb: dwc2: Fix host mode hibernation exit with remote wakeup flow (git-fixes).\n\n - usb: dwc2: Fix session request interrupt handler (git-fixes).\n\n - usb: dwc3: Switch to use device_property_count_u32() (git-fixes).\n\n - usb: dwc3: Update soft-reset wait polling rate (git-fixes).\n\n - usb: dwc3: gadget: Fix START_TRANSFER link state check (git-fixes).\n\n - usb: dwc3: keystone: use devm_platform_ioremap_resource() to simplify code (git-fixes).\n\n - usb: dwc3: meson-g12a: use devm_platform_ioremap_resource() to simplify code (git-fixes).\n\n - usb: gadget: Fix double free of device descriptor pointers (git-fixes).\n\n - usb: gadget: aspeed: fix dma map failure (git-fixes).\n\n - usb: gadget: pch_udc: Check for DMA mapping error (git-fixes).\n\n - usb: gadget: pch_udc: Check if driver is present before calling ->setup() (git-fixes).\n\n - usb: gadget: pch_udc: Move pch_udc_init() to satisfy kernel doc (git-fixes).\n\n - usb: gadget: pch_udc: Replace cpu_to_le32() by lower_32_bits() (git-fixes).\n\n - usb: gadget: pch_udc: Revert d3cb25a12138 completely (git-fixes).\n\n - usb: gadget: r8a66597: Add missing null check on return from platform_get_resource (git-fixes).\n\n - usb: typec: tcpci: Check ROLE_CONTROL while interpreting CC_STATUS (git-fixes).\n\n - usb: typec: tcpm: Address incorrect values of tcpm psy for fixed supply (git-fixes).\n\n - usb: typec: tcpm: Honour pSnkStdby requirement during negotiation (git-fixes).\n\n - veth: Store queue_mapping independently of XDP prog presence (git-fixes).\n\n - vfio/pci: Add missing range check in vfio_pci_mmap (git-fixes).\n\n - virt_wifi: Return micros for BSS TSF values (git-fixes).\n\n - vxlan: move debug check after netdev unregister (git-fixes).\n\n - workqueue: Move the position of debug_work_activate() in\n __queue_work() (bsc#1184893).\n\n - x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access (bsc#1152489).\n\n - x86/insn: Add some Intel instructions to the opcode map (bsc#1184760).\n\n - x86/insn: Add some more Intel instructions to the opcode map (bsc#1184760).\n\n - x86/microcode: Check for offline CPUs before requesting new microcode (bsc#1152489).\n\n - x86/mm: Fix NX bit clearing issue in kernel_map_pages_in_pgd (bsc#1152489).\n\n - x86/platform/uv: Set section block size for hubless architectures (bsc#1152489).\n\n - x86/reboot: Force all cpus to exit VMX root if VMX is supported (bsc#1152489).", "cvss3": {}, "published": "2021-05-18T00:00:00", "type": "nessus", "title": "openSUSE Security Update : the Linux Kernel (openSUSE-2021-716)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-29155", "CVE-2021-29650"], "modified": "2021-05-20T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:kernel-debug", "p-cpe:/a:novell:opensuse:kernel-debug-debuginfo", "p-cpe:/a:novell:opensuse:kernel-debug-debugsource", "p-cpe:/a:novell:opensuse:kernel-debug-devel", "p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default", "p-cpe:/a:novell:opensuse:kernel-default-base", "p-cpe:/a:novell:opensuse:kernel-default-base-rebuild", "p-cpe:/a:novell:opensuse:kernel-default-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default-debugsource", "p-cpe:/a:novell:opensuse:kernel-default-devel", "p-cpe:/a:novell:opensuse:kernel-default-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-devel", "p-cpe:/a:novell:opensuse:kernel-docs-html", "p-cpe:/a:novell:opensuse:kernel-kvmsmall", "p-cpe:/a:novell:opensuse:kernel-kvmsmall-debuginfo", "p-cpe:/a:novell:opensuse:kernel-kvmsmall-debugsource", "p-cpe:/a:novell:opensuse:kernel-kvmsmall-devel", "p-cpe:/a:novell:opensuse:kernel-kvmsmall-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-macros", "p-cpe:/a:novell:opensuse:kernel-obs-build", "p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource", "p-cpe:/a:novell:opensuse:kernel-obs-qa", "p-cpe:/a:novell:opensuse:kernel-preempt", "p-cpe:/a:novell:opensuse:kernel-preempt-debuginfo", "p-cpe:/a:novell:opensuse:kernel-preempt-debugsource", "p-cpe:/a:novell:opensuse:kernel-preempt-devel", "p-cpe:/a:novell:opensuse:kernel-preempt-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-source", "p-cpe:/a:novell:opensuse:kernel-source-vanilla", "p-cpe:/a:novell:opensuse:kernel-syms", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-716.NASL", "href": "https://www.tenable.com/plugins/nessus/149584", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-716.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(149584);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/05/20\");\n\n script_cve_id(\"CVE-2021-29155\", \"CVE-2021-29650\");\n\n script_name(english:\"openSUSE Security Update : the Linux Kernel (openSUSE-2021-716)\");\n script_summary(english:\"Check for the openSUSE-2021-716 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The openSUSE Leap 15.2 kernel was updated to receive various security\nand bugfixes.\n\nThe following security bugs were fixed :\n\n - CVE-2021-29650: The netfilter subsystem allowed\n attackers to cause a denial of service (panic) because\n net/netfilter/x_tables.c and\n include/linux/netfilter/x_tables.h lack a full memory\n barrier upon the assignment of a new table value, aka\n CID-175e476b8cdf (bnc#1184208).\n\n - CVE-2021-29155: kernel/bpf/verifier.c performs\n undesirable out-of-bounds speculation on pointer\n arithmetic, leading to side-channel attacks that defeat\n Spectre mitigations and obtain sensitive information\n from kernel memory. Specifically, for sequences of\n pointer arithmetic operations, the pointer modification\n performed by the first operation is not correctly\n accounted for when restricting subsequent operations\n (bnc#1184942).\n\nThe following non-security bugs were fixed :\n\n - ACPI: CPPC: Replace cppc_attr with kobj_attribute\n (git-fixes).\n\n - ALSA: core: remove redundant spin_lock pair in\n snd_card_disconnect (git-fixes).\n\n - ALSA: emu8000: Fix a use after free in\n snd_emu8000_create_mixer (git-fixes).\n\n - ALSA: hda/cirrus: Add Headphone and Headset MIC Volume\n Control (git-fixes).\n\n - ALSA: hda/cirrus: Add error handling into CS8409 I2C\n functions (git-fixes).\n\n - ALSA: hda/cirrus: Add jack detect interrupt support from\n CS42L42 companion codec (git-fixes).\n\n - ALSA: hda/cirrus: Add support for CS8409 HDA bridge and\n CS42L42 companion codec (git-fixes).\n\n - ALSA: hda/cirrus: Cleanup patch_cirrus.c code\n (git-fixes).\n\n - ALSA: hda/cirrus: Fix CS42L42 Headset Mic volume control\n name (git-fixes).\n\n - ALSA: hda/cirrus: Make CS8409 driver more generic by\n using fixups (git-fixes).\n\n - ALSA: hda/cirrus: Set Initial DMIC volume for Bullseye\n to -26 dB (git-fixes).\n\n - ALSA: hda/cirrus: Use CS8409 filter to fix abnormal\n sounds on Bullseye (git-fixes).\n\n - ALSA: hda/realtek - Headset Mic issue on HP platform\n (git-fixes).\n\n - ALSA: hda/realtek: Add quirk for Intel Clevo PCx0Dx\n (git-fixes).\n\n - ALSA: hda/realtek: GA503 use same quirks as GA401\n (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC269 ASUS quirk table\n entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC269 Acer quirk table\n entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC269 Dell quirk table\n entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC269 HP quirk table\n entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC269 Lenovo quirk table\n entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC269 Sony quirk table\n entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC662 quirk table entries\n (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC882 Acer quirk table\n entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC882 Clevo quirk table\n entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order ALC882 Sony quirk table\n entries (git-fixes).\n\n - ALSA: hda/realtek: Re-order remaining ALC269 quirk table\n entries (git-fixes).\n\n - ALSA: hda/realtek: Remove redundant entry for ALC861\n Haier/Uniwill devices (git-fixes).\n\n - ALSA: hda/realtek: fix mic boost on Intel NUC 8\n (git-fixes).\n\n - ALSA: hda/realtek: fix static noise on ALC285 Lenovo\n laptops (git-fixes).\n\n - ALSA: sb: Fix two use after free in snd_sb_qsound_build\n (git-fixes).\n\n - ALSA: usb-audio: Add DJM450 to Pioneer format quirk\n (git-fixes).\n\n - ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX\n (git-fixes).\n\n - ALSA: usb-audio: Add error checks for\n usb_driver_claim_interface() calls (git-fixes).\n\n - ALSA: usb-audio: Configure Pioneer DJM-850 samplerate\n (git-fixes).\n\n - ALSA: usb-audio: DJM-750: ensure format is set\n (git-fixes).\n\n - ALSA: usb-audio: Explicitly set up the clock selector\n (git-fixes).\n\n - ALSA: usb-audio: Fix Pioneer DJM devices URB_CONTROL\n request direction to set samplerate (git-fixes).\n\n - ALSA: usb-audio: Fix implicit sync clearance at stopping\n stream (git-fixes).\n\n - ALSA: usb: midi: do not return -ENOMEM when\n usb_urb_ep_type_check fails (git-fixes).\n\n - ASoC: Intel: kbl_da7219_max98927: Fix kabylake_ssp_fixup\n function (git-fixes).\n\n - ASoC: SOF: Intel: HDA: fix core status verification\n (git-fixes).\n\n - ASoC: SOF: Intel: hda: remove unnecessary parentheses\n (git-fixes).\n\n - ASoC: ak5558: Fix s/show/slow/ typo (git-fixes).\n\n - ASoC: ak5558: correct reset polarity (git-fixes).\n\n - ASoC: samsung: tm2_wm5110: check of of_parse return\n value (git-fixes).\n\n - ASoC: simple-card: fix possible uninitialized single_cpu\n local variable (git-fixes).\n\n - HID: alps: fix error return code in\n alps_input_configured() (git-fixes).\n\n - HID: google: add don USB id (git-fixes).\n\n - HID: plantronics: Workaround for double volume key\n presses (git-fixes).\n\n - HID: wacom: Assign boolean values to a bool variable\n (git-fixes).\n\n - HID: wacom: set EV_KEY and EV_ABS only for\n non-HID_GENERIC type of devices (git-fixes).\n\n - Input: i8042 - fix Pegatron C15B ID entry (git-fixes).\n\n - Input: nspire-keypad - enable interrupts only when\n opened (git-fixes).\n\n - Input: s6sy761 - fix coordinate read bit shift\n (git-fixes).\n\n - KVM: PPC: Book3S HV P9: Restore host CTRL SPR after\n guest exit (bsc#1156395).\n\n - KVM: PPC: Make the VMX instruction emulation routines\n static (bsc#1156395).\n\n - KVM: kvmclock: Fix vCPUs > 64 can't be online/hotpluged\n (bsc#1152489).\n\n - Move upstreamed i915 fix into sorted section\n\n - PCI/AER: Add RCEC AER error injection support\n (bsc#1174426).\n\n - PCI/AER: Add pcie_walk_rcec() to RCEC AER handling\n (bsc#1174426).\n\n - PCI/AER: Clear AER status from Root Port when resetting\n Downstream Port (bsc#1174426).\n\n - PCI/AER: Specify the type of Port that was reset\n (bsc#1174426).\n\n - PCI/AER: Use 'aer' variable for capability offset\n (bsc#1174426).\n\n - PCI/AER: Write AER Capability only when we control it\n (bsc#1174426).\n\n - PCI/ERR: Add pci_walk_bridge() to pcie_do_recovery()\n (bsc#1174426).\n\n - PCI/ERR: Add pcie_link_rcec() to associate RCiEPs\n (bsc#1174426).\n\n - PCI/ERR: Avoid negated conditional for clarity\n (bsc#1174426).\n\n - PCI/ERR: Bind RCEC devices to the Root Port driver\n (bsc#1174426).\n\n - PCI/ERR: Cache RCEC EA Capability offset in\n pci_init_capabilities() (bsc#1174426).\n\n - PCI/ERR: Clear AER status only when we control AER\n (bsc#1174426).\n\n - PCI/ERR: Clear PCIe Device Status errors only if OS owns\n AER (bsc#1174426).\n\n - PCI/ERR: Clear status of the reporting device\n (bsc#1174426).\n\n - PCI/ERR: Recover from RCEC AER errors (bsc#1174426).\n\n - PCI/ERR: Recover from RCiEP AER errors (bsc#1174426).\n\n - PCI/ERR: Rename reset_link() to reset_subordinates()\n (bsc#1174426).\n\n - PCI/ERR: Retain status from error notification\n (bsc#1174426).\n\n - PCI/ERR: Simplify by computing pci_pcie_type() once\n (bsc#1174426).\n\n - PCI/ERR: Simplify by using pci_upstream_bridge()\n (bsc#1174426).\n\n - PCI/ERR: Use 'bridge' for clarity in pcie_do_recovery()\n (bsc#1174426).\n\n - PCI/PME: Add pcie_walk_rcec() to RCEC PME handling\n (bsc#1174426).\n\n - PCI/portdrv: Report reset for frozen channel\n (bsc#1174426).\n\n - PCI: designware-ep: Fix the Header Type check\n (git-fixes).\n\n - PCI: tegra: Fix ASPM-L1SS advertisement disable code\n (git-fixes).\n\n - PCI: tegra: Move 'dbi' accesses to post common DWC\n initialization (git-fixes).\n\n - PM: runtime: Add documentation for\n pm_runtime_resume_and_get() (git-fixes).\n\n - Revert 'USB: cdc-acm: fix rounding error in TIOCSSERIAL'\n (git-fixes).\n\n - Revert 'bcache: Kill btree_io_wq' (git-fixes).\n\n - Revert 'dm cache: fix arm link errors with inline'\n (git-fixes).\n\n - USB: CDC-ACM: fix poison/unpoison imbalance\n (bsc#1184984).\n\n - USB: CDC-ACM: fix poison/unpoison imbalance (git-fixes).\n\n - USB: cdc-acm: fix TIOCGSERIAL implementation\n (git-fixes).\n\n - USB: cdc-acm: fix unprivileged TIOCCSERIAL (git-fixes).\n\n - USB: gadget: udc: fix wrong pointer passed to IS_ERR()\n and PTR_ERR() (git-fixes).\n\n - USB: serial: ark3116: fix TIOCGSERIAL implementation\n (git-fixes).\n\n - USB: serial: f81232: fix TIOCGSERIAL implementation\n (git-fixes).\n\n - USB: serial: f81534: fix TIOCGSERIAL implementation\n (git-fixes).\n\n - USB: serial: fix return value for unsupported ioctls\n (git-fixes).\n\n - USB: serial: mos7720: fix TIOCGSERIAL implementation\n (git-fixes).\n\n - USB: serial: opticon: fix TIOCGSERIAL implementation\n (git-fixes).\n\n - USB: serial: quatech2: fix TIOCGSERIAL implementation\n (git-fixes).\n\n - USB: serial: ssu100: fix TIOCGSERIAL implementation\n (git-fixes).\n\n - USB: serial: usb_wwan: fix TIOCGSERIAL implementation\n (git-fixes).\n\n - USB: serial: usb_wwan: fix TIOCSSERIAL jiffies\n conversions (git-fixes).\n\n - USB: serial: usb_wwan: fix unprivileged TIOCCSERIAL\n (git-fixes).\n\n - arm: dts: add imx7d pcf2127 fix to blacklist\n\n - ata: libahci_platform: fix IRQ check (git-fixes).\n\n - ath10k: Fix ath10k_wmi_tlv_op_pull_peer_stats_info()\n unlock without lock (git-fixes).\n\n - ath9k: Fix error check in ath9k_hw_read_revisions() for\n PCI devices (git-fixes).\n\n - backlight: journada720: Fix Wmisleading-indentation\n warning (git-fixes).\n\n - blkcg: fix memleak for iolatency (git-fixes).\n\n - block, bfq: set next_rq to waker_bfqq->next_rq in waker\n injection (bsc#1168838). \n\n - block: recalculate segment count for multi-segment\n discards correctly (bsc#1184724).\n\n - block: rsxx: select CONFIG_CRC32 (git-fixes).\n\n - bluetooth: eliminate the potential race condition when\n removing the HCI controller (git-fixes).\n\n - bnxt_en: reverse order of TX disable and carrier off\n (git-fixes).\n\n - bsg: free the request before return error code\n (git-fixes).\n\n - btrfs: fix qgroup data rsv leak caused by falloc failure\n (bsc#1185549).\n\n - btrfs: fix race between swap file activation and\n snapshot creation (bsc#1185587).\n\n - btrfs: fix race between writes to swap files and scrub\n (bsc#1185586).\n\n - btrfs: track qgroup released data in own variable in\n insert_prealloc_file_extent (bsc#1185549).\n\n - bus: qcom: Put child node before return (git-fixes).\n\n - cfg80211: remove WARN_ON() in cfg80211_sme_connect\n (git-fixes).\n\n - clk: exynos7: Mark aclk_fsys1_200 as critical\n (git-fixes).\n\n - clk: mvebu: armada-37xx-periph: Fix switching CPU freq\n from 250 Mhz to 1 GHz (git-fixes).\n\n - clk: mvebu: armada-37xx-periph: Fix workaround for\n switching from L1 to L0 (git-fixes).\n\n - clk: mvebu: armada-37xx-periph: remove .set_parent\n method for CPU PM clock (git-fixes).\n\n - clk: qcom: a53-pll: Add missing MODULE_DEVICE_TABLE\n (git-fixes).\n\n - clk: uniphier: Fix potential infinite loop (git-fixes).\n\n - clk: zynqmp: move zynqmp_pll_set_mode out of round_rate\n callback (git-fixes).\n\n - coresight: etm4x: Fix issues on trcseqevr access\n (git-fixes).\n\n - coresight: etm4x: Fix save and restore of TRCVMIDCCTLR1\n register (git-fixes).\n\n - coresight: tmc-etr: Fix barrier packet insertion for\n perf buffer (git-fixes).\n\n - cpufreq: Kconfig: fix documentation links (git-fixes).\n\n - cpufreq: armada-37xx: Fix determining base CPU frequency\n (git-fixes).\n\n - cpufreq: armada-37xx: Fix driver cleanup when\n registration failed (git-fixes).\n\n - cpufreq: armada-37xx: Fix setting TBG parent for load\n levels (git-fixes).\n\n - cpufreq: armada-37xx: Fix the AVS value for load L1\n (git-fixes).\n\n - crypto: arm/curve25519 - Move '.fpu' after '.arch'\n (git-fixes).\n\n - crypto: rng - fix crypto_rng_reset() refcounting when\n !CRYPTO_STATS (git-fixes).\n\n - cxgb4/chtls/cxgbit: Keeping the max ofld immediate data\n size same in cxgb4 and ulds (git-fixes).\n\n - cxgb4: avoid collecting SGE_QBASE regs during traffic\n (git-fixes).\n\n - dm era: Fix bitset memory leaks (git-fixes).\n\n - dm era: Recover committed writeset after crash\n (git-fixes).\n\n - dm era: Reinitialize bitset cache before digesting a new\n writeset (git-fixes).\n\n - dm era: Update in-core bitset after committing the\n metadata (git-fixes).\n\n - dm era: Use correct value size in equality function of\n writeset tree (git-fixes).\n\n - dm era: Verify the data block size hasn't changed\n (git-fixes).\n\n - dm era: only resize metadata in preresume (git-fixes).\n\n - dm integrity: fix error reporting in bitmap mode after\n creation (git-fixes).\n\n - dm ioctl: fix error return code in target_message\n (git-fixes).\n\n - dm mpath: fix racey management of PG initialization\n (git-fixes).\n\n - dm raid: fix discard limits for raid1 (git-fixes).\n\n - dm writecache: fix the maximum number of arguments\n (git-fixes).\n\n - dm writecache: handle DAX to partitions on persistent\n memory correctly (git-fixes).\n\n - dm writecache: remove BUG() and fail gracefully instead\n (git-fixes).\n\n - dm zoned: select CONFIG_CRC32 (git-fixes).\n\n - dm: eliminate potential source of excessive kernel log\n noise (git-fixes).\n\n - dm: fix bug with RCU locking in dm_blk_report_zones\n (git-fixes).\n\n - dm: remove invalid sparse __acquires and __releases\n annotations (git-fixes).\n\n - dmaengine: dw: Make it dependent to HAS_IOMEM\n (git-fixes).\n\n - dpaa_eth: Remove unnecessary boolean expression in\n dpaa_get_headroom (git-fixes).\n\n - dpaa_eth: Use random MAC address when none is given\n (bsc#1184811).\n\n - dpaa_eth: copy timestamp fields to new skb in A-050385\n workaround (git-fixes).\n\n - dpaa_eth: fix the RX headroom size alignment\n (git-fixes).\n\n - dpaa_eth: update the buffer layout for non-A050385\n erratum scenarios (git-fixes).\n\n - drivers: net: xgene: Fix the order of the arguments of\n 'alloc_etherdev_mqs()' (git-fixes).\n\n - drm/amdkfd: fix build error with AMD_IOMMU_V2=m\n (git-fixes).\n\n - drm/ast: AST2500 fixups (bsc#1174416).\n\n - drm/ast: Add 25MHz refclk support (bsc#1174416).\n\n - drm/ast: Add support for 1152x864 mode (bsc#1174416).\n\n - drm/ast: Add support for AIP200 (bsc#1174416).\n\n - drm/ast: Correct mode table for AST2500 precatch\n (bsc#1174416).\n\n - drm/ast: Disable VGA decoding while driver is active\n (bsc#1174416).\n\n - drm/ast: Disable screen on register init (bsc#1174416).\n\n - drm/ast: Fix P2A config detection (bsc#1174416).\n\n - drm/ast: Fix register access in non-P2A mode for DP501\n (bsc#1174416).\n\n - drm/ast: Keep MISC fields when enabling VGA\n (bsc#1174416).\n\n - drm/ast: drm/ast: Fix boot address for AST2500\n (bsc#1174416).\n\n - drm/i915/gvt: Fix error code in intel_gvt_init_device()\n (git-fixes).\n\n - drm/imx: imx-ldb: fix out of bounds array access warning\n (git-fixes).\n\n - drm/msm: Fix a5xx/a6xx timestamps (git-fixes).\n\n - drm/omap: fix misleading indentation in pixinc()\n (git-fixes).\n\n - drm/radeon: fix copy of uninitialized variable back to\n userspace (git-fixes).\n\n - drm/tegra: dc: Do not set PLL clock to 0Hz (git-fixes).\n\n - e1000e: Fix duplicate include guard (git-fixes).\n\n - e1000e: Fix error handling in\n e1000_set_d0_lplu_state_82571 (git-fixes).\n\n - e1000e: add rtnl_lock() to e1000_reset_task (git-fixes).\n\n - enetc: Let the hardware auto-advance the taprio\n base-time of 0 (git-fixes).\n\n - enetc: Workaround for MDIO register access issue\n (git-fixes).\n\n - ethernet/netronome/nfp: Fix a use after free in\n nfp_bpf_ctrl_msg_rx (git-fixes).\n\n - ext4: do not try to set xattr into ea_inode if value is\n empty (bsc#1184730).\n\n - ext4: find old entry again if failed to rename whiteout\n (bsc#1184742).\n\n - ext4: fix potential error in ext4_do_update_inode\n (bsc#1184731).\n\n - ext4: fix potential htree index checksum corruption\n (bsc#1184728).\n\n - firmware: qcom-scm: Fix QCOM_SCM configuration\n (git-fixes).\n\n - fnic: use scsi_host_busy_iter() to traverse commands\n (bsc#1179851).\n\n - fotg210-udc: Complete OUT requests on short packets\n (git-fixes).\n\n - fotg210-udc: Do not DMA more than the buffer can take\n (git-fixes).\n\n - fotg210-udc: Fix DMA on EP0 for length > max packet size\n (git-fixes).\n\n - fotg210-udc: Fix EP0 IN requests bigger than two packets\n (git-fixes).\n\n - fotg210-udc: Mask GRP2 interrupts we do not handle\n (git-fixes).\n\n - fotg210-udc: Remove a dubious condition leading to\n fotg210_done (git-fixes).\n\n - fs/jfs: fix potential integer overflow on shift of a int\n (bsc#1184741).\n\n - fs: direct-io: fix missing sdio->boundary (bsc#1184736).\n\n - fsl/fman: reuse set_mac_address() in dtsec init()\n (bsc#1184811).\n\n - fsl/fman: tolerate missing MAC address in device tree\n (bsc#1184811).\n\n - gpio: omap: Save and restore sysconfig (git-fixes).\n\n - gpio: sysfs: Obey valid_mask (git-fixes).\n\n - i2c: cadence: add IRQ check (git-fixes).\n\n - i2c: emev2: add IRQ check (git-fixes).\n\n - i2c: img-scb: fix reference leak when\n pm_runtime_get_sync fails (git-fixes).\n\n - i2c: imx-lpi2c: fix reference leak when\n pm_runtime_get_sync fails (git-fixes).\n\n - i2c: jz4780: add IRQ check (git-fixes).\n\n - i2c: omap: fix reference leak when pm_runtime_get_sync\n fails (git-fixes).\n\n - i2c: sh7760: add IRQ check (git-fixes).\n\n - i2c: sh7760: fix IRQ error path (git-fixes).\n\n - i2c: sprd: fix reference leak when pm_runtime_get_sync\n fails (git-fixes).\n\n - i40e: Add zero-initialization of AQ command structures\n (git-fixes).\n\n - i40e: Added Asym_Pause to supported link modes\n (git-fixes).\n\n - i40e: Fix add TC filter for IPv6 (git-fixes).\n\n - i40e: Fix addition of RX filters after enabling FW LLDP\n agent (git-fixes).\n\n - i40e: Fix display statistics for veb_tc (git-fixes).\n\n - i40e: Fix endianness conversions (git-fixes).\n\n - i40e: Fix flow for IPv6 next header (extension header)\n (git-fixes).\n\n - i40e: Fix kernel oops when i40e driver removes VF's\n (git-fixes).\n\n - i40e: Fix overwriting flow control settings during\n driver loading (git-fixes).\n\n - i40e: Fix sparse errors in i40e_txrx.c (git-fixes).\n\n - i40e: Fix sparse warning: missing error code 'err'\n (git-fixes).\n\n - i40e: fix the panic when running bpf in xdpdrv mode\n (git-fixes).\n\n - ibmvnic: avoid calling napi_disable() twice\n (bsc#1065729).\n\n - ibmvnic: clean up the remaining debugfs data structures\n (bsc#1065729).\n\n - ibmvnic: correctly use dev_consume/free_skb_irq\n (jsc#SLE-17268 jsc#SLE-17043 bsc#1179243 ltc#189290\n git-fixes).\n\n - ibmvnic: improve failover sysfs entry (bsc#1043990\n ltc#155681 git-fixes).\n\n - ibmvnic: print adapter state as a string (bsc#1152457\n ltc#174432 git-fixes).\n\n - ibmvnic: print reset reason as a string (bsc#1152457\n ltc#174432 git-fixes).\n\n - ibmvnic: queue reset work in system_long_wq (bsc#1152457\n ltc#174432 git-fixes).\n\n - ibmvnic: remove duplicate napi_schedule call in do_reset\n function (bsc#1065729).\n\n - ibmvnic: remove duplicate napi_schedule call in open\n function (bsc#1065729).\n\n - ice: Account for port VLAN in VF max packet size\n calculation (git-fixes).\n\n - ice: Cleanup fltr list in case of allocation issues\n (git-fixes).\n\n - ice: Fix for dereference of NULL pointer (git-fixes).\n\n - ice: Increase control queue timeout (git-fixes).\n\n - ice: prevent ice_open and ice_stop during reset\n (git-fixes).\n\n - igb: Fix duplicate include guard (git-fixes).\n\n - igb: check timestamp validity (git-fixes).\n\n - igc: Fix Pause Frame Advertising (git-fixes).\n\n - igc: Fix Supported Pause Frame Link Setting (git-fixes).\n\n - igc: reinit_locked() should be called with rtnl_lock\n (git-fixes).\n\n - iio:accel:adis16201: Fix wrong axis assignment that\n prevents loading (git-fixes).\n\n - ima: Free IMA measurement buffer after kexec syscall\n (git-fixes).\n\n - interconnect: core: fix error return code of\n icc_link_destroy() (git-fixes).\n\n - iopoll: introduce read_poll_timeout macro (git-fixes).\n\n - ipw2x00: potential buffer overflow in\n libipw_wx_set_encodeext() (git-fixes).\n\n - irqchip/ls-extirq: Add LS1043A, LS1088A external\n interrupt support (bsc#1185233).\n\n - irqchip/ls-extirq: add IRQCHIP_SKIP_SET_WAKE to the\n irqchip flags (bsc#1185233).\n\n - irqchip: Add support for Layerscape external interrupt\n lines (bsc#1185233).\n\n - isofs: release buffer head before return (bsc#1182613).\n\n - ixgbe: fail to create xfrm offload of IPsec tunnel mode\n SA (git-fixes).\n\n - jffs2: fix use after free in jffs2_sum_write_data()\n (bsc#1184740).\n\n - kABI: Fix kABI caused by fixes for bsc#1174426\n (bsc#1174426).\n\n - kABI: cover up change in struct kvm_arch (bsc#1184969).\n\n - kABI: powerpc/pseries: Add shutdown() to vio_driver and\n vio_bus (bsc#1184209 ltc#190917).\n\n - kernel/smp: make csdlock timeout depend on boot\n parameter (bsc#1180846).\n\n - libnvdimm/label: Return -ENXIO for no slot in\n __blk_label_update (bsc#1185269).\n\n - libnvdimm/namespace: Fix reaping of invalidated\n block-window-namespace labels (bsc#1185269).\n\n - libnvdimm/region: Fix nvdimm_has_flush() to handle\n ND_REGION_ASYNC (bsc#1184969 git-fixes).\n\n - libnvdimm/security: ensure sysfs poll thread woke up and\n fetch updated attr (git-fixes).\n\n - liquidio: Fix unintented sign extension of a left shift\n of a u16 (git-fixes).\n\n - locking/qrwlock: Fix ordering in\n queued_write_lock_slowpath() (bsc#1185041).\n\n - mac80211: bail out if cipher schemes are invalid\n (git-fixes).\n\n - mac80211: clear sta->fast_rx when STA removed from\n 4-addr VLAN (git-fixes).\n\n - macvlan: macvlan_count_rx() needs to be aware of\n preemption (git-fixes).\n\n - media: dvbdev: Fix memory leak in\n dvb_media_device_free() (git-fixes).\n\n - media: m88rs6000t: avoid potential out-of-bounds reads\n on arrays (git-fixes).\n\n - media: mantis: remove orphan mantis_core.c (git-fixes).\n\n - media: omap4iss: return error code when omap4iss_get()\n failed (git-fixes).\n\n - media: platform: sunxi: sun6i-csi: fix error return code\n of sun6i_video_start_streaming() (git-fixes).\n\n - media: staging/intel-ipu3: Fix memory leak in imu_fmt\n (git-fixes).\n\n - media: staging/intel-ipu3: Fix race condition during\n set_fmt (git-fixes).\n\n - media: staging/intel-ipu3: Fix set_fmt error handling\n (git-fixes).\n\n - media: v4l2-ctrls.c: fix race condition in hdl->requests\n list (git-fixes).\n\n - memory: gpmc: fix out of bounds read and dereference on\n gpmc_cs[] (git-fixes).\n\n - memory: pl353: fix mask of ECC page_size config register\n (git-fixes).\n\n - mfd: lpc_sch: Partially revert 'Add support for Intel\n Quark X1000' (git-fixes).\n\n - mfd: stm32-timers: Avoid clearing auto reload register\n (git-fixes).\n\n - misc: lis3lv02d: Fix false-positive WARN on various HP\n models (git-fixes).\n\n - misc: vmw_vmci: explicitly initialize vmci_datagram\n payload (git-fixes).\n\n - misc: vmw_vmci: explicitly initialize\n vmci_notify_bm_set_msg struct (git-fixes).\n\n - mm/rmap: fix potential pte_unmap on an not mapped pte\n (git-fixes).\n\n - mm: memcontrol: fix cpuhotplug statistics flushing\n (bsc#1185606).\n\n - mmc: core: Correct descriptions in mmc_of_parse()\n (git-fixes).\n\n - mmc: cqhci: Add cqhci_deactivate() (git-fixes).\n\n - mmc: mmc_spi: Drop unused NO_IRQ definition (git-fixes).\n\n - mmc: sdhci-of-arasan: Add missed checks for\n devm_clk_register() (git-fixes).\n\n - mmc: sdhci-of-dwcmshc: fix rpmb access (git-fixes).\n\n - mmc: sdhci-of-dwcmshc: implement specific\n set_uhs_signaling (git-fixes).\n\n - mmc: sdhci-of-esdhc: make sure delay chain locked for\n HS400 (git-fixes).\n\n - mmc: sdhci-of-esdhc: set timeout to max before tuning\n (git-fixes).\n\n - mmc: sdhci-pci: Fix SDHCI_RESET_ALL for CQHCI for Intel\n GLK-based controllers (git-fixes).\n\n - mmc: sdhci: Use Auto CMD Auto Select only when v4_mode\n is true (git-fixes).\n\n - mmc: uniphier-sd: Fix a resource leak in the remove\n function (git-fixes).\n\n - mmc: uniphier-sd: Fix an error handling path in\n uniphier_sd_probe() (git-fixes).\n\n - mt7601u: fix always true expression (git-fixes).\n\n - mtd: Handle possible -EPROBE_DEFER from\n parse_mtd_partitions() (git-fixes).\n\n - mtd: rawnand: atmel: Update ecc_stats.corrected counter\n (git-fixes).\n\n - mtd: rawnand: brcmnand: fix OOB R/W with Hamming ECC\n (git-fixes).\n\n - mtd: rawnand: fsmc: Fix error code in fsmc_nand_probe()\n (git-fixes).\n\n - mtd: rawnand: gpmi: Fix a double free in gpmi_nand_init\n (git-fixes).\n\n - mtd: rawnand: qcom: Return actual error code instead of\n -ENODEV (git-fixes).\n\n - mtd: require write permissions for locking and badblock\n ioctls (git-fixes).\n\n - mtd: spi-nor: Rename 'n25q512a' to 'mt25qu512a\n (n25q512a)' (bsc#1167260).\n\n - mtd: spi-nor: Split mt25qu512a (n25q512a) entry into two\n (bsc#1167260).\n\n - mtd: spinand: core: add missing MODULE_DEVICE_TABLE()\n (git-fixes).\n\n - nbd: fix a block_device refcount leak in nbd_release\n (git-fixes).\n\n - net/mlx4_core: Add missed mlx4_free_cmd_mailbox()\n (git-fixes).\n\n - net/mlx4_en: update moderation when config reset\n (git-fixes).\n\n - net/mlx5: Do not request more than supported EQs\n (git-fixes).\n\n - net/mlx5e: Do not match on Geneve options in case option\n masks are all zero (git-fixes).\n\n - net/mlx5e: Fix error path for ethtool set-priv-flag\n (git-fixes).\n\n - net/mlx5e: Fix ethtool indication of connector type\n (git-fixes).\n\n - net/mlx5e: fix ingress_ifindex check in\n mlx5e_flower_parse_meta (jsc#SLE-8464).\n\n - net/qlcnic: Fix a use after free in\n qlcnic_83xx_get_minidump_template (git-fixes).\n\n - net: atlantic: fix out of range usage of active_vlans\n array (git-fixes).\n\n - net: atlantic: fix potential error handling (git-fixes).\n\n - net: atlantic: fix use after free kasan warn\n (git-fixes).\n\n - net: dsa: felix: implement port flushing on\n .phylink_mac_link_down (git-fixes).\n\n - net: enetc: remove bogus write to SIRXIDR from\n enetc_setup_rxbdr (git-fixes).\n\n - net: enetc: take the MDIO lock only once per NAPI poll\n cycle (git-fixes).\n\n - net: geneve: check skb is large enough for IPv4/IPv6\n header (git-fixes).\n\n - net: geneve: modify IP header check in geneve6_xmit_skb\n and geneve_xmit_skb (git-fixes).\n\n - net: hns3: Remove un-necessary 'else-if' in the\n hclge_reset_event() (git-fixes).\n\n - net: hns3: clear VF down state bit before request link\n status (git-fixes).\n\n - net: hns3: fix bug when calculating the TCAM table info\n (git-fixes).\n\n - net: hns3: fix query vlan mask value error for flow\n director (git-fixes).\n\n - net: ll_temac: Add more error handling of\n dma_map_single() calls (git-fixes).\n\n - net: ll_temac: Fix RX buffer descriptor handling on\n GFP_ATOMIC pressure (git-fixes).\n\n - net: ll_temac: Fix race condition causing TX hang\n (git-fixes).\n\n - net: ll_temac: Handle DMA halt condition caused by\n buffer underrun (git-fixes).\n\n - net: phy: intel-xway: enable integrated led functions\n (git-fixes).\n\n - net: phy: marvell: fix m88e1011_set_downshift\n (git-fixes).\n\n - net: phy: marvell: fix m88e1111_set_downshift\n (git-fixes).\n\n - net: smc911x: Adjust indentation in\n smc911x_phy_configure (git-fixes).\n\n - net: stmmac: fix missing IFF_MULTICAST check in\n dwmac4_set_filter (git-fixes).\n\n - net: stmmac: xgmac: fix missing IFF_MULTICAST checki in\n dwxgmac2_set_filter (git-fixes).\n\n - net: tulip: Adjust indentation in (dmfe,\n uli526x)_init_module (git-fixes).\n\n - net:nfc:digital: Fix a double free in\n digital_tg_recv_dep_req (git-fixes).\n\n - nfc: pn533: prevent potential memory corruption\n (git-fixes).\n\n - nfp: flower: ignore duplicate merge hints from FW\n (git-fixes).\n\n - node: fix device cleanups in error handling code\n (git-fixes).\n\n - null_blk: fix passing of REQ_FUA flag in null_handle_rq\n (git-fixes).\n\n - nvme-fabrics: reject I/O to offline device\n (bsc#1181161).\n\n - nvme-multipath: reset bdev to ns head when failover\n (bsc#178378 bsc#1182999).\n\n - nvme-tcp: fix possible hang when failing to set io\n queues (bsc#1181161).\n\n - nvme: add 'kato' sysfs attribute (bsc#1179825).\n\n - nvme: sanitize KATO setting (bsc#1179825).\n\n - ocfs2: fix a use after free on error (bsc#1184738).\n\n - pata_arasan_cf: fix IRQ check (git-fixes).\n\n - pata_ipx4xx_cf: fix IRQ check (git-fixes).\n\n - phy: marvell: ARMADA375_USBCLUSTER_PHY should not\n default to y, unconditionally (git-fixes).\n\n - pinctrl: Ingenic: Add missing pins to the JZ4770 MAC MII\n group (git-fixes).\n\n - pinctrl: core: Fix kernel doc string for pin_get_name()\n (git-fixes).\n\n - pinctrl: lewisburg: Update number of pins in community\n (git-fixes).\n\n - platform/x86: pmc_atom: Match all Beckhoff Automation\n baytrail boards with critclk_systems DMI table\n (git-fixes).\n\n - powerepc/book3s64/hash: Align start/end address\n correctly with bolt mapping (bsc#1184957).\n\n - powerpc/64s: Fix pte update for kernel memory on radix\n (bsc#1055117 git-fixes).\n\n - powerpc/asm-offsets: GPR14 is not needed either\n (bsc#1065729).\n\n - powerpc/eeh: Fix EEH handling for hugepages in ioremap\n space (bsc#1156395).\n\n - powerpc/fadump: Mark fadump_calculate_reserve_size as\n __init (bsc#1065729).\n\n - powerpc/mm: Add cond_resched() while removing hpte\n mappings (bsc#1183289 ltc#191637).\n\n - powerpc/papr_scm: Fix build error due to wrong printf\n specifier (bsc#1184969).\n\n - powerpc/papr_scm: Implement support for H_SCM_FLUSH\n hcall (bsc#1184969).\n\n - powerpc/perf: Fix PMU constraint check for EBB events\n (bsc#1065729).\n\n - powerpc/prom: Mark identical_pvr_fixup as __init\n (bsc#1065729).\n\n - powerpc/pseries: Add shutdown() to vio_driver and\n vio_bus (bsc#1184209 ltc#190917).\n\n - powerpc/time: Enable sched clock for irqtime\n (bsc#1156395).\n\n - regmap: set debugfs_name to NULL after it is freed\n (git-fixes).\n\n - regulator: Avoid a double 'of_node_get' in\n 'regulator_of_get_init_node()' (git-fixes).\n\n - reintroduce cqhci_suspend for kABI (git-fixes).\n\n - reiserfs: update reiserfs_xattrs_initialized() condition\n (bsc#1184737).\n\n - rsi: Use resume_noirq for SDIO (git-fixes).\n\n - rsxx: remove extraneous 'const' qualifier (git-fixes).\n\n - rtc: ds1307: Fix wday settings for rx8130 (git-fixes).\n\n - rtc: fsl-ftm-alarm: add MODULE_TABLE() (bsc#1185454).\n\n - rtc: fsl-ftm-alarm: avoid struct rtc_time conversions\n (bsc#1185454).\n\n - rtc: fsl-ftm-alarm: enable acpi support (bsc#1185454).\n\n - rtc: fsl-ftm-alarm: fix freeze(s2idle) failed to wake\n (bsc#1185454).\n\n - rtc: fsl-ftm-alarm: report alarm to core (bsc#1185454).\n\n - rtc: fsl-ftm-alarm: switch to ktime_get_real_seconds\n (bsc#1185454).\n\n - rtc: fsl-ftm-alarm: switch to\n rtc_time64_to_tm/rtc_tm_to_time64 (bsc#1185454).\n\n - rtc: fsl-ftm-alarm: update acpi device id (bsc#1185454).\n\n - rtc: pcf2127: add alarm support (bsc#1185233).\n\n - rtc: pcf2127: add pca2129 device id (bsc#1185233).\n\n - rtc: pcf2127: add tamper detection support\n (bsc#1185233).\n\n - rtc: pcf2127: add watchdog feature support\n (bsc#1185233).\n\n - rtc: pcf2127: bugfix: watchdog build dependency\n (bsc#1185233).\n\n - rtc: pcf2127: cleanup register and bit defines\n (bsc#1185233).\n\n - rtc: pcf2127: convert to devm_rtc_allocate_device\n (bsc#1185233).\n\n - rtc: pcf2127: fix a bug when not specify interrupts\n property (bsc#1185233).\n\n - rtc: pcf2127: fix alarm handling (bsc#1185233).\n\n - rtc: pcf2127: fix pcf2127_nvmem_read/write() returns\n (bsc#1185233).\n\n - rtc: pcf2127: handle boot-enabled watchdog feature\n (bsc#1185233).\n\n - rtc: pcf2127: let the core handle rtc range\n (bsc#1185233).\n\n - rtc: pcf2127: move watchdog initialisation to a separate\n function (bsc#1185233).\n\n - rtc: pcf2127: only use watchdog when explicitly\n available (bsc#1185233).\n\n - rtc: pcf2127: properly set flag WD_CD for rtc\n chips(pcf2129, pca2129) (bsc#1185233).\n\n - rtc: pcf2127: remove unnecessary #ifdef (bsc#1185233).\n\n - rtc: pcf2127: set regmap max_register (bsc#1185233).\n\n - rtc: pcf2127: watchdog: handle nowayout feature\n (bsc#1185233).\n\n - rtlwifi: 8821ae: upgrade PHY and RF parameters\n (git-fixes).\n\n - rtw88: Fix array overrun in rtw_get_tx_power_params()\n (git-fixes).\n\n - sata_mv: add IRQ checks (git-fixes).\n\n - scsi: block: Fix a race in the runtime power management\n code (git-fixes).\n\n - scsi: core: Only return started requests from\n scsi_host_find_tag() (bsc#1179851).\n\n - scsi: core: add scsi_host_busy_iter() (bsc#1179851).\n\n - scsi: lpfc: Copyright updates for 12.8.0.9 patches\n (bsc#1185472).\n\n - scsi: lpfc: Eliminate use of LPFC_DRIVER_NAME in\n lpfc_attr.c (bsc#1185472).\n\n - scsi: lpfc: Fix DMA virtual address ptr assignment in\n bsg (bsc#1185365).\n\n - scsi: lpfc: Fix NMI crash during rmmod due to circular\n hbalock dependency (bsc#1185472).\n\n - scsi: lpfc: Fix a bunch of kernel-doc issues\n (bsc#1185472).\n\n - scsi: lpfc: Fix a bunch of kernel-doc misdemeanours\n (bsc#1185472).\n\n - scsi: lpfc: Fix a bunch of misnamed functions\n (bsc#1185472).\n\n - scsi: lpfc: Fix a few incorrectly named functions\n (bsc#1185472).\n\n - scsi: lpfc: Fix a typo (bsc#1185472).\n\n - scsi: lpfc: Fix crash when a REG_RPI mailbox fails\n triggering a LOGO response (bsc#1185472).\n\n - scsi: lpfc: Fix error handling for mailboxes completed\n in MBX_POLL mode (bsc#1185472).\n\n - scsi: lpfc: Fix formatting and misspelling issues\n (bsc#1185472).\n\n - scsi: lpfc: Fix gcc -Wstringop-overread warning\n (bsc#1185472).\n\n - scsi: lpfc: Fix illegal memory access on Abort IOCBs\n (bsc#1183203).\n\n - scsi: lpfc: Fix incorrect naming of\n __lpfc_update_fcf_record() (bsc#1185472).\n\n - scsi: lpfc: Fix incorrectly documented function\n lpfc_debugfs_commonxripools_data() (bsc#1185472).\n\n - scsi: lpfc: Fix kernel-doc formatting issue\n (bsc#1185472).\n\n - scsi: lpfc: Fix lack of device removal on port swaps\n with PRLIs (bsc#1185472).\n\n - scsi: lpfc: Fix lpfc_hdw_queue attribute being ignored\n (bsc#1185472).\n\n - scsi: lpfc: Fix missing FDMI registrations after Mgmt\n Svc login (bsc#1185472).\n\n - scsi: lpfc: Fix reference counting errors in\n lpfc_cmpl_els_rsp() (bsc#1185472).\n\n - scsi: lpfc: Fix rmmod crash due to bad ring pointers to\n abort_iotag (bsc#1185472).\n\n - scsi: lpfc: Fix silent memory allocation failure in\n lpfc_sli4_bsg_link_diag_test() (bsc#1185472).\n\n - scsi: lpfc: Fix some error codes in debugfs\n (bsc#1185472).\n\n - scsi: lpfc: Fix use-after-free on unused nodes after\n port swap (bsc#1185472).\n\n - scsi: lpfc: Fix various trivial errors in comments and\n log messages (bsc#1185472).\n\n - scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES\n logic (bsc#1185472).\n\n - scsi: lpfc: Standardize discovery object logging format\n (bsc#1185472).\n\n - scsi: lpfc: Update lpfc version to 12.8.0.9\n (bsc#1185472).\n\n - scsi: qla2xxx: Add H:C:T info in the log message for fc\n ports (bsc#1185491).\n\n - scsi: qla2xxx: Add error counters to debugfs node\n (bsc#1185491).\n\n - scsi: qla2xxx: Always check the return value of\n qla24xx_get_isp_stats() (bsc#1185491).\n\n - scsi: qla2xxx: Assign boolean values to a bool variable\n (bsc#1185491).\n\n - scsi: qla2xxx: Check kzalloc() return value\n (bsc#1185491).\n\n - scsi: qla2xxx: Consolidate zio threshold setting for\n both FCP & NVMe (bsc#1185491).\n\n - scsi: qla2xxx: Constify struct qla_tgt_func_tmpl\n (bsc#1185491).\n\n - scsi: qla2xxx: Do logout even if fabric scan retries got\n exhausted (bsc#1185491).\n\n - scsi: qla2xxx: Enable NVMe CONF (BIT_7) when enabling\n SLER (bsc#1185491).\n\n - scsi: qla2xxx: Fix IOPS drop seen in some adapters\n (bsc#1185491).\n\n - scsi: qla2xxx: Fix RISC RESET completion polling\n (bsc#1185491).\n\n - scsi: qla2xxx: Fix a couple of misdocumented functions\n (bsc#1185491).\n\n - scsi: qla2xxx: Fix a couple of misnamed functions\n (bsc#1185491).\n\n - scsi: qla2xxx: Fix broken #endif placement\n (bsc#1185491).\n\n - scsi: qla2xxx: Fix crash in PCIe error handling\n (bsc#1185491).\n\n - scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand()\n (bsc#1185491).\n\n - scsi: qla2xxx: Fix endianness annotations (bsc#1185491).\n\n - scsi: qla2xxx: Fix incorrectly named function\n qla8044_check_temp() (bsc#1185491).\n\n - scsi: qla2xxx: Fix mailbox Ch erroneous error\n (bsc#1185491).\n\n - scsi: qla2xxx: Fix mailbox recovery during PCIe error\n (bsc#1185491).\n\n - scsi: qla2xxx: Fix some incorrect formatting/spelling\n issues (bsc#1185491).\n\n - scsi: qla2xxx: Fix some memory corruption (bsc#1185491).\n\n - scsi: qla2xxx: Fix stuck session (bsc#1185491).\n\n - scsi: qla2xxx: Fix use after free in bsg (bsc#1185491).\n\n - scsi: qla2xxx: Implementation to get and manage host,\n target stats and initiator port (bsc#1185491).\n\n - scsi: qla2xxx: Move some messages from debug to normal\n log level (bsc#1185491).\n\n - scsi: qla2xxx: Remove redundant NULL check\n (bsc#1185491).\n\n - scsi: qla2xxx: Remove unnecessary NULL check\n (bsc#1185491).\n\n - scsi: qla2xxx: Remove unneeded if-null-free check\n (bsc#1185491).\n\n - scsi: qla2xxx: Replace __qla2x00_marker()'s missing\n underscores (bsc#1185491).\n\n - scsi: qla2xxx: Reserve extra IRQ vectors (bsc#1184436).\n\n - scsi: qla2xxx: Reuse existing error handling path\n (bsc#1185491).\n\n - scsi: qla2xxx: Simplify if statement (bsc#1185491).\n\n - scsi: qla2xxx: Simplify\n qla8044_minidump_process_control() (bsc#1185491).\n\n - scsi: qla2xxx: Simplify the calculation of variables\n (bsc#1185491).\n\n - scsi: qla2xxx: Suppress Coverity complaints about\n dseg_r* (bsc#1185491).\n\n - scsi: qla2xxx: Update default AER debug mask\n (bsc#1185491).\n\n - scsi: qla2xxx: Update version to 10.02.00.105-k\n (bsc#1185491).\n\n - scsi: qla2xxx: Update version to 10.02.00.106-k\n (bsc#1185491).\n\n - scsi: qla2xxx: Use dma_pool_zalloc() (bsc#1185491).\n\n - scsi: qla2xxx: Wait for ABTS response on I/O timeouts\n for NVMe (bsc#1185491).\n\n - scsi: qla2xxx: fc_remote_port_chkready() returns a SCSI\n result value (bsc#1185491).\n\n - scsi: smartpqi: Correct driver removal with HBA disks\n (bsc#1178089).\n\n - scsi: smartpqi: Correct pqi_sas_smp_handler busy\n condition (bsc#1178089).\n\n - scsi: smartpqi: Update version to 1.2.16-012\n (bsc#1178089).\n\n - selftests/powerpc: Add pkey helpers for rights\n (bsc#1184934 ltc#191460).\n\n - selftests/powerpc: Add test for execute-disabled pkeys\n (bsc#1184934 ltc#191460).\n\n - selftests/powerpc: Add test for pkey siginfo\n verification (bsc#1184934 ltc#191460).\n\n - selftests/powerpc: Add wrapper for gettid (bsc#1184934\n ltc#191460).\n\n - selftests/powerpc: Fix L1D flushing tests for Power10\n (bsc#1184934 ltc#191460).\n\n - selftests/powerpc: Fix exit status of pkey tests\n (bsc#1184934 ltc#191460).\n\n - selftests/powerpc: Fix pkey syscall redefinitions\n (bsc#1184934 ltc#191460).\n\n - selftests/powerpc: Move pkey helpers to headers\n (bsc#1184934 ltc#191460).\n\n - selftests/powerpc: refactor entry and rfi_flush tests\n (bsc#1184934 ltc#191460).\n\n - series.conf: cleanup\n\n - series.conf: cleanup\n\n - series.conf: cleanup\n\n - soc: aspeed: fix a ternary sign expansion bug\n (git-fixes).\n\n - soc: qcom: mdt_loader: Detect truncated read of segments\n (git-fixes).\n\n - soc: qcom: mdt_loader: Validate that p_filesz < p_memsz\n (git-fixes).\n\n - soundwire: bus: Fix device found flag correctly\n (git-fixes).\n\n - soundwire: stream: fix memory leak in stream config\n error path (git-fixes).\n\n - spi: Introduce dspi_slave_abort() function for NXP's\n dspi SPI driver (bsc#1167260).\n\n - spi: fsl-dspi: fix NULL pointer dereference\n (bsc#1167260).\n\n - spi: fsl-dspi: fix use-after-free in remove path\n (bsc#1167260).\n\n - spi: fsl-dspi: fix wrong pointer in suspend/resume\n (bsc#1167260).\n\n - spi: fsl-lpspi: Fix PM reference leak in\n lpspi_prepare_xfer_hardware() (git-fixes).\n\n - spi: spi-fsl-dspi: Accelerate transfers using larger\n word size if possible (bsc#1167260).\n\n - spi: spi-fsl-dspi: Add comments around dspi_pop_tx and\n dspi_push_rx functions (bsc#1167260).\n\n - spi: spi-fsl-dspi: Add support for LS1028A\n (bsc#1167260).\n\n - spi: spi-fsl-dspi: Adding shutdown hook (bsc#1167260).\n\n - spi: spi-fsl-dspi: Always use the TCFQ devices in poll\n mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: Avoid NULL pointer in\n dspi_slave_abort for non-DMA mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: Avoid reading more data than written\n in EOQ mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: Change usage pattern of SPI_MCR_* and\n SPI_CTAR_* macros (bsc#1167260).\n\n - spi: spi-fsl-dspi: Convert TCFQ users to XSPI FIFO mode\n (bsc#1167260).\n\n - spi: spi-fsl-dspi: Convert the instantiations that\n support it to DMA (bsc#1167260).\n\n - spi: spi-fsl-dspi: Demistify magic value in SPI_SR_CLEAR\n (bsc#1167260).\n\n - spi: spi-fsl-dspi: Do not access reserved fields in\n SPI_MCR (bsc#1167260).\n\n - spi: spi-fsl-dspi: Do not mask off undefined bits\n (bsc#1167260).\n\n - spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's\n not ours (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix 16-bit word order in 32-bit XSPI\n mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix bits-per-word acceleration in DMA\n mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix code alignment (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix external abort on interrupt in\n resume or exit paths (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix interrupt-less DMA mode taking an\n XSPI code path (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix little endian access to PUSHR CMD\n and TXDATA (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix lockup if device is removed\n during SPI transfer (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix lockup if device is shutdown\n during SPI transfer (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix race condition in TCFQ/EOQ\n interrupt (bsc#1167260).\n\n - spi: spi-fsl-dspi: Fix typos (bsc#1167260).\n\n - spi: spi-fsl-dspi: Free DMA memory with matching\n function (bsc#1167260).\n\n - spi: spi-fsl-dspi: Implement .max_message_size method\n for EOQ mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: Initialize completion before possible\n interrupt (bsc#1167260).\n\n - spi: spi-fsl-dspi: LS2080A and LX2160A support XSPI mode\n (bsc#1167260).\n\n - spi: spi-fsl-dspi: Make bus-num property optional\n (bsc#1167260).\n\n - spi: spi-fsl-dspi: Move dspi_interrupt above\n dspi_transfer_one_message (bsc#1167260).\n\n - spi: spi-fsl-dspi: Move invariant configs out of\n dspi_transfer_one_message (bsc#1167260).\n\n - spi: spi-fsl-dspi: Optimize dspi_setup_accel for lowest\n interrupt count (bsc#1167260).\n\n - spi: spi-fsl-dspi: Parameterize the FIFO size and DMA\n buffer size (bsc#1167260).\n\n - spi: spi-fsl-dspi: Protect against races on\n dspi->words_in_flight (bsc#1167260).\n\n - spi: spi-fsl-dspi: Reduce indentation in\n dspi_release_dma() (bsc#1167260).\n\n - spi: spi-fsl-dspi: Reduce indentation level in\n dspi_interrupt (bsc#1167260).\n\n - spi: spi-fsl-dspi: Remove impossible to reach error\n check (bsc#1167260).\n\n - spi: spi-fsl-dspi: Remove pointless assignment of\n master->transfer to NULL (bsc#1167260).\n\n - spi: spi-fsl-dspi: Remove unused chip->void_write_data\n (bsc#1167260).\n\n - spi: spi-fsl-dspi: Remove unused defines and includes\n (bsc#1167260).\n\n - spi: spi-fsl-dspi: Remove unused initialization of 'ret'\n in dspi_probe (bsc#1167260).\n\n - spi: spi-fsl-dspi: Rename fifo_(read,write) and\n (tx,cmd)_fifo_write (bsc#1167260).\n\n - spi: spi-fsl-dspi: Replace interruptible wait queue with\n a simple completion (bsc#1167260).\n\n - spi: spi-fsl-dspi: Replace legacy spi_master names with\n spi_controller (bsc#1167260).\n\n - spi: spi-fsl-dspi: Simplify bytes_per_word gymnastics\n (bsc#1167260).\n\n - spi: spi-fsl-dspi: Take software timestamp in\n dspi_fifo_write (bsc#1167260).\n\n - spi: spi-fsl-dspi: Use BIT() and GENMASK() macros\n (bsc#1167260).\n\n - spi: spi-fsl-dspi: Use EOQ for last word in buffer even\n for XSPI mode (bsc#1167260).\n\n - spi: spi-fsl-dspi: Use dma_request_chan() instead\n dma_request_slave_channel() (bsc#1167260).\n\n - spi: spi-fsl-dspi: Use poll mode in case the platform\n IRQ is missing (bsc#1167260).\n\n - spi: spi-fsl-dspi: Use reverse Christmas tree\n declaration order (bsc#1167260).\n\n - spi: spi-fsl-dspi: Use specific compatible strings for\n all SoC instantiations (bsc#1167260).\n\n - spi: spi-fsl-dspi: delete EOQ transfer mode\n (bsc#1167260).\n\n - spi: spi-fsl-dspi: fix DMA mapping (bsc#1167260).\n\n - spi: spi-fsl-dspi: fix native data copy (bsc#1167260).\n\n - spi: spi-fsl-dspi: remove git-fixes Remove git-fixes.\n Prepare to update the driver. References: bsc#1167260\n\n - spi: spi-fsl-dspi: set ColdFire to DMA mode\n (bsc#1167260).\n\n - spi: spi-fsl-dspi: use XSPI mode instead of DMA for\n DPAA2 SoCs (bsc#1167260).\n\n - spi: spi-ti-qspi: Free DMA resources (git-fixes).\n\n - staging: fwserial: fix TIOCGSERIAL implementation\n (git-fixes).\n\n - staging: fwserial: fix TIOCSSERIAL implementation\n (git-fixes).\n\n - staging: fwserial: fix TIOCSSERIAL jiffies conversions\n (git-fixes).\n\n - staging: fwserial: fix TIOCSSERIAL permission check\n (git-fixes).\n\n - staging: rtl8192u: Fix potential infinite loop\n (git-fixes).\n\n - thermal/drivers/cpufreq_cooling: Update cpufreq_state\n only if state has changed (git-fixes).\n\n - usb: Remove dev_err() usage after platform_get_irq()\n (git-fixes).\n\n - usb: dwc2: Fix hibernation between host and device modes\n (git-fixes).\n\n - usb: dwc2: Fix host mode hibernation exit with remote\n wakeup flow (git-fixes).\n\n - usb: dwc2: Fix session request interrupt handler\n (git-fixes).\n\n - usb: dwc3: Switch to use device_property_count_u32()\n (git-fixes).\n\n - usb: dwc3: Update soft-reset wait polling rate\n (git-fixes).\n\n - usb: dwc3: gadget: Fix START_TRANSFER link state check\n (git-fixes).\n\n - usb: dwc3: keystone: use\n devm_platform_ioremap_resource() to simplify code\n (git-fixes).\n\n - usb: dwc3: meson-g12a: use\n devm_platform_ioremap_resource() to simplify code\n (git-fixes).\n\n - usb: gadget: Fix double free of device descriptor\n pointers (git-fixes).\n\n - usb: gadget: aspeed: fix dma map failure (git-fixes).\n\n - usb: gadget: pch_udc: Check for DMA mapping error\n (git-fixes).\n\n - usb: gadget: pch_udc: Check if driver is present before\n calling ->setup() (git-fixes).\n\n - usb: gadget: pch_udc: Move pch_udc_init() to satisfy\n kernel doc (git-fixes).\n\n - usb: gadget: pch_udc: Replace cpu_to_le32() by\n lower_32_bits() (git-fixes).\n\n - usb: gadget: pch_udc: Revert d3cb25a12138 completely\n (git-fixes).\n\n - usb: gadget: r8a66597: Add missing null check on return\n from platform_get_resource (git-fixes).\n\n - usb: typec: tcpci: Check ROLE_CONTROL while interpreting\n CC_STATUS (git-fixes).\n\n - usb: typec: tcpm: Address incorrect values of tcpm psy\n for fixed supply (git-fixes).\n\n - usb: typec: tcpm: Honour pSnkStdby requirement during\n negotiation (git-fixes).\n\n - veth: Store queue_mapping independently of XDP prog\n presence (git-fixes).\n\n - vfio/pci: Add missing range check in vfio_pci_mmap\n (git-fixes).\n\n - virt_wifi: Return micros for BSS TSF values (git-fixes).\n\n - vxlan: move debug check after netdev unregister\n (git-fixes).\n\n - workqueue: Move the position of debug_work_activate() in\n __queue_work() (bsc#1184893).\n\n - x86/crash: Fix crash_setup_memmap_entries()\n out-of-bounds access (bsc#1152489).\n\n - x86/insn: Add some Intel instructions to the opcode map\n (bsc#1184760).\n\n - x86/insn: Add some more Intel instructions to the opcode\n map (bsc#1184760).\n\n - x86/microcode: Check for offline CPUs before requesting\n new microcode (bsc#1152489).\n\n - x86/mm: Fix NX bit clearing issue in\n kernel_map_pages_in_pgd (bsc#1152489).\n\n - x86/platform/uv: Set section block size for hubless\n architectures (bsc#1152489).\n\n - x86/reboot: Force all cpus to exit VMX root if VMX is\n supported (bsc#1152489).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1043990\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1055117\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1065729\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1152457\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1152489\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1156395\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1167260\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1168838\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1174416\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1174426\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1178089\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1179243\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1179825\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1179851\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1180846\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1181161\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1182613\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1182999\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1183063\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1183203\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1183289\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184208\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184209\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184436\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184514\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184650\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184724\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184728\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184730\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184731\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184736\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184737\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184738\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184740\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184741\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184742\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184760\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184811\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184893\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184934\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184942\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184957\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184969\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184984\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185041\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185113\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185233\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185244\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185269\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185365\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185454\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185472\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185491\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185549\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185586\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185587\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185606\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected the Linux Kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-29155\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base-rebuild\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-docs-html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-kvmsmall\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-kvmsmall-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-kvmsmall-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-kvmsmall-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-kvmsmall-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-qa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-preempt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-preempt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-preempt-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-preempt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-preempt-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-debug-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-debug-debuginfo-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-debug-debugsource-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-debug-devel-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-debug-devel-debuginfo-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-base-5.3.18-lp152.75.1.lp152.8.32.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-base-rebuild-5.3.18-lp152.75.1.lp152.8.32.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-debuginfo-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-debugsource-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-devel-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-devel-debuginfo-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-devel-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-docs-html-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-kvmsmall-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-kvmsmall-debuginfo-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-kvmsmall-debugsource-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-kvmsmall-devel-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-kvmsmall-devel-debuginfo-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-macros-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-obs-build-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-obs-build-debugsource-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-obs-qa-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-preempt-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-preempt-debuginfo-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-preempt-debugsource-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-preempt-devel-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-preempt-devel-debuginfo-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-source-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-source-vanilla-5.3.18-lp152.75.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-syms-5.3.18-lp152.75.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-debug / kernel-debug-debuginfo / kernel-debug-debugsource / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:17:48", "description": "The SUSE Linux Enterprise 15 SP2 RT kernel was updated to receive various security and bugfixes.\n\nThe following security bugs were fixed :\n\nCVE-2021-29650: Fixed an issue with the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).\n\nCVE-2021-29155: Fixed an issue that was discovered in kernel/bpf/verifier.c that performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation was not correctly accounted for when restricting subsequent operations (bnc#1184942).\n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-05-13T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1571-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-29155", "CVE-2021-29650"], "modified": "2021-05-17T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-rt", "p-cpe:/a:novell:suse_linux:kernel-rt-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-rt-debugsource", "p-cpe:/a:novell:suse_linux:kernel-rt-devel", "p-cpe:/a:novell:suse_linux:kernel-rt-devel-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-rt_debug", "p-cpe:/a:novell:suse_linux:kernel-rt_debug-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-rt_debug-debugsource", "p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel", "p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-syms-rt", "p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt", "p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt-debuginfo", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt", "p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt-debuginfo", "p-cpe:/a:novell:suse_linux:dlm-kmp-rt", "p-cpe:/a:novell:suse_linux:dlm-kmp-rt-debuginfo", "p-cpe:/a:novell:suse_linux:gfs2-kmp-rt", "p-cpe:/a:novell:suse_linux:gfs2-kmp-rt-debuginfo"], "id": "SUSE_SU-2021-1571-1.NASL", "href": "https://www.tenable.com/plugins/nessus/149457", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:1571-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(149457);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/05/17\");\n\n script_cve_id(\"CVE-2021-29155\", \"CVE-2021-29650\");\n\n script_name(english:\"SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1571-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The SUSE Linux Enterprise 15 SP2 RT kernel was updated to receive\nvarious security and bugfixes.\n\nThe following security bugs were fixed :\n\nCVE-2021-29650: Fixed an issue with the netfilter subsystem that\nallowed attackers to cause a denial of service (panic) because\nnet/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a\nfull memory barrier upon the assignment of a new table value\n(bnc#1184208).\n\nCVE-2021-29155: Fixed an issue that was discovered in\nkernel/bpf/verifier.c that performs undesirable out-of-bounds\nspeculation on pointer arithmetic, leading to side-channel attacks\nthat defeat Spectre mitigations and obtain sensitive information from\nkernel memory. Specifically, for sequences of pointer arithmetic\noperations, the pointer modification performed by the first operation\nwas not correctly accounted for when restricting subsequent operations\n(bnc#1184942).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1043990\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1055117\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1065729\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1152457\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1152489\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1155518\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1156395\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1167260\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1167574\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1168838\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174416\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174426\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1175995\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178089\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179243\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179851\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1180846\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181161\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182613\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183063\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183203\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183289\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184208\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184209\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184436\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184485\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184514\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184585\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184650\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184724\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184728\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184730\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184731\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184736\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184737\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184738\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184740\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184741\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184742\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184760\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184811\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184893\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184934\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184942\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184957\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184969\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184984\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185041\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185113\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185233\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185244\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185269\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185365\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185454\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185472\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185491\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185549\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185586\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185587\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-29155/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-29650/\"\n );\n # https://www.suse.com/support/update/announcement/2021/suse-su-20211571-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8b807ed5\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Realtime 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Module-RT-15-SP2-2021-1571=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-29155\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-rt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-rt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"cluster-md-kmp-rt-5.3.18-36.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"cluster-md-kmp-rt-debuginfo-5.3.18-36.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"dlm-kmp-rt-5.3.18-36.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"dlm-kmp-rt-debuginfo-5.3.18-36.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"gfs2-kmp-rt-5.3.18-36.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"gfs2-kmp-rt-debuginfo-5.3.18-36.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-rt-5.3.18-36.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-5.3.18-36.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-rt-debugsource-5.3.18-36.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-rt-devel-5.3.18-36.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-rt-devel-debuginfo-5.3.18-36.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-rt_debug-5.3.18-36.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-rt_debug-debuginfo-5.3.18-36.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-rt_debug-debugsource-5.3.18-36.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-rt_debug-devel-5.3.18-36.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-rt_debug-devel-debuginfo-5.3.18-36.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-syms-rt-5.3.18-36.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"ocfs2-kmp-rt-5.3.18-36.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"ocfs2-kmp-rt-debuginfo-5.3.18-36.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:19:32", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:0873-1 advisory.\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.\n (CVE-2021-29650)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-06-28T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : kernel (openSUSE-SU-2021:0873-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-29155", "CVE-2021-29650"], "modified": "2021-06-28T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:cluster-md-kmp-rt", "p-cpe:/a:novell:opensuse:cluster-md-kmp-rt_debug", "p-cpe:/a:novell:opensuse:dlm-kmp-rt", "p-cpe:/a:novell:opensuse:dlm-kmp-rt_debug", "p-cpe:/a:novell:opensuse:kselftests-kmp-rt", "p-cpe:/a:novell:opensuse:kselftests-kmp-rt_debug", "p-cpe:/a:novell:opensuse:ocfs2-kmp-rt", "p-cpe:/a:novell:opensuse:ocfs2-kmp-rt_debug", "p-cpe:/a:novell:opensuse:reiserfs-kmp-rt", "p-cpe:/a:novell:opensuse:reiserfs-kmp-rt_debug", "cpe:/o:novell:opensuse:15.2", "p-cpe:/a:novell:opensuse:gfs2-kmp-rt", "p-cpe:/a:novell:opensuse:gfs2-kmp-rt_debug", "p-cpe:/a:novell:opensuse:kernel-devel-rt", "p-cpe:/a:novell:opensuse:kernel-rt", "p-cpe:/a:novell:opensuse:kernel-rt-devel", "p-cpe:/a:novell:opensuse:kernel-rt-extra", "p-cpe:/a:novell:opensuse:kernel-rt_debug", "p-cpe:/a:novell:opensuse:kernel-rt_debug-devel", "p-cpe:/a:novell:opensuse:kernel-rt_debug-extra", "p-cpe:/a:novell:opensuse:kernel-source-rt", "p-cpe:/a:novell:opensuse:kernel-syms-rt"], "id": "OPENSUSE-2021-873.NASL", "href": "https://www.tenable.com/plugins/nessus/151080", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:0873-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151080);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/28\");\n\n script_cve_id(\"CVE-2021-29155\", \"CVE-2021-29650\");\n\n script_name(english:\"openSUSE 15 Security Update : kernel (openSUSE-SU-2021:0873-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe openSUSE-SU-2021:0873-1 advisory.\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification performed by the first operation is not correctly\n accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to\n cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h\n lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.\n (CVE-2021-29650)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1043990\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1055117\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1065729\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1155518\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1156395\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1167260\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1167574\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1168838\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1174416\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1174426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1175995\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178089\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179243\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179851\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180846\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1181161\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182613\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183063\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183203\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183289\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184208\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184209\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184436\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184485\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184514\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184585\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184724\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184728\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184730\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184731\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184736\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184737\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184738\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184740\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184741\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184742\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184760\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184811\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184893\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184934\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184942\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184957\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184969\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184984\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185041\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185113\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185233\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185244\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185269\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185365\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185454\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185472\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185491\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185549\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185587\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/THW3Z3CCX5HRFD2KJ3A4TDO27FGBEKNN/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ec9148fd\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29155\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29650\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-29155\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cluster-md-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cluster-md-kmp-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dlm-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dlm-kmp-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:gfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:gfs2-kmp-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-devel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt_debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt_debug-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-syms-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kselftests-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kselftests-kmp-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ocfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ocfs2-kmp-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:reiserfs-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:reiserfs-kmp-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nos_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.2', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\npkgs = [\n {'reference':'cluster-md-kmp-rt-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'cluster-md-kmp-rt_debug-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dlm-kmp-rt-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dlm-kmp-rt_debug-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'gfs2-kmp-rt-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'gfs2-kmp-rt_debug-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-rt-5.3.18-lp152.3.11.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-devel-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-extra-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt_debug-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt_debug-devel-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt_debug-extra-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-source-rt-5.3.18-lp152.3.11.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-syms-rt-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kselftests-kmp-rt-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kselftests-kmp-rt_debug-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ocfs2-kmp-rt-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ocfs2-kmp-rt_debug-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'reiserfs-kmp-rt-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'reiserfs-kmp-rt_debug-5.3.18-lp152.3.11.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-rt / cluster-md-kmp-rt_debug / dlm-kmp-rt / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:18:04", "description": "The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.\n\nThe following security bugs were fixed :\n\nCVE-2021-29650: Fixed an issue with the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).\n\nCVE-2021-29155: Fixed an issue that was discovered in kernel/bpf/verifier.c that performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation was not correctly accounted for when restricting subsequent operations (bnc#1184942).\n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-05-13T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:1574-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-29155", "CVE-2021-29650"], "modified": "2021-05-17T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-devel-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-obs-build", "p-cpe:/a:novell:suse_linux:kernel-obs-build-debugsource", "p-cpe:/a:novell:suse_linux:kernel-preempt", "p-cpe:/a:novell:suse_linux:kernel-preempt-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-preempt-debugsource", "p-cpe:/a:novell:suse_linux:kernel-preempt-devel", "p-cpe:/a:novell:suse_linux:kernel-preempt-devel-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:reiserfs-kmp-default", "p-cpe:/a:novell:suse_linux:reiserfs-kmp-default-debuginfo", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-1574-1.NASL", "href": "https://www.tenable.com/plugins/nessus/149463", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:1574-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(149463);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/05/17\");\n\n script_cve_id(\"CVE-2021-29155\", \"CVE-2021-29650\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:1574-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various\nsecurity and bugfixes.\n\nThe following security bugs were fixed :\n\nCVE-2021-29650: Fixed an issue with the netfilter subsystem that\nallowed attackers to cause a denial of service (panic) because\nnet/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a\nfull memory barrier upon the assignment of a new table value\n(bnc#1184208).\n\nCVE-2021-29155: Fixed an issue that was discovered in\nkernel/bpf/verifier.c that performs undesirable out-of-bounds\nspeculation on pointer arithmetic, leading to side-channel attacks\nthat defeat Spectre mitigations and obtain sensitive information from\nkernel memory. Specifically, for sequences of pointer arithmetic\noperations, the pointer modification performed by the first operation\nwas not correctly accounted for when restricting subsequent operations\n(bnc#1184942).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1043990\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1055117\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1065729\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1152457\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1152489\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1156395\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1167260\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1168838\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174416\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174426\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178089\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179243\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179851\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1180846\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181161\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182613\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183063\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183203\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183289\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184208\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184209\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184436\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184514\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184650\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184724\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184728\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184730\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184731\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184736\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184737\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184738\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184740\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184741\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184742\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184760\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184811\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184893\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184934\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184942\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184957\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184969\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184984\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185041\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185113\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185233\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185244\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185269\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185365\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185454\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185472\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185491\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185549\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185586\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185587\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-29155/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-29650/\"\n );\n # https://www.suse.com/support/update/announcement/2021/suse-su-20211574-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c208593e\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE MicroOS 5.0 :\n\nzypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1574=1\n\nSUSE Linux Enterprise Workstation Extension 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-1574=1\n\nSUSE Linux Enterprise Module for Live Patching 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-1574=1\n\nSUSE Linux Enterprise Module for Legacy Software 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2021-1574=1\n\nSUSE Linux Enterprise Module for Development Tools 15-SP2 :\n\nzypper in -t patch\nSUSE-SLE-Module-Development-Tools-15-SP2-2021-1574=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1574=1\n\nSUSE Linux Enterprise High Availability 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Product-HA-15-SP2-2021-1574=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-29155\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-obs-build-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-preempt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-preempt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-preempt-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-preempt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-preempt-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:reiserfs-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:reiserfs-kmp-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-preempt-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-preempt-debuginfo-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-preempt-debugsource-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-preempt-devel-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-preempt-devel-debuginfo-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"kernel-default-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"kernel-default-base-5.3.18-24.64.1.9.28.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"kernel-default-debuginfo-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"kernel-default-debugsource-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"kernel-default-devel-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"kernel-default-devel-debuginfo-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"kernel-obs-build-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"kernel-obs-build-debugsource-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"kernel-syms-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"reiserfs-kmp-default-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"reiserfs-kmp-default-debuginfo-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-preempt-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-preempt-debuginfo-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-preempt-debugsource-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-preempt-devel-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-preempt-devel-debuginfo-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"kernel-default-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"kernel-default-base-5.3.18-24.64.1.9.28.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"kernel-default-debuginfo-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"kernel-default-debugsource-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"kernel-default-devel-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"kernel-default-devel-debuginfo-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"kernel-obs-build-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"kernel-obs-build-debugsource-5.3.18-24.64.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"kernel-syms-5.3.18-24.64.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-14T14:23:51", "description": "The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1915-1 advisory.\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.\n (CVE-2021-29650)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-06-10T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1915-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-29155", "CVE-2021-29650"], "modified": "2023-07-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt", "p-cpe:/a:novell:suse_linux:dlm-kmp-rt", "p-cpe:/a:novell:suse_linux:gfs2-kmp-rt", "p-cpe:/a:novell:suse_linux:kernel-devel-rt", "p-cpe:/a:novell:suse_linux:kernel-rt", "p-cpe:/a:novell:suse_linux:kernel-rt-devel", "p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel", "p-cpe:/a:novell:suse_linux:kernel-source-rt", "p-cpe:/a:novell:suse_linux:kernel-syms-rt", "p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-1915-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150476", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:1915-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150476);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/13\");\n\n script_cve_id(\"CVE-2021-29155\", \"CVE-2021-29650\");\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:1915-1\");\n\n script_name(english:\"SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1915-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:1915-1 advisory.\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification performed by the first operation is not correctly\n accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to\n cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h\n lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.\n (CVE-2021-29650)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1043990\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1055117\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1065729\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1155518\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1156395\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1167260\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1167574\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1168838\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1174416\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1174426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1175995\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178089\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179243\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179851\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180846\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1181161\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182613\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183063\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183203\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183289\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184208\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184209\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184436\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184485\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184514\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184585\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184724\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184728\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184730\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184731\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184736\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184737\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184738\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184740\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184741\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184742\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184760\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184811\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184893\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184934\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184942\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184957\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184969\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184984\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185041\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185113\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185233\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185244\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185269\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185365\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185454\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185472\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185491\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185549\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29155\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29650\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/008971.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f557a114\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-29155\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15', 'SUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(3)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES15 SP3\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'cluster-md-kmp-rt-5.3.18-8.10', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},\n {'reference':'dlm-kmp-rt-5.3.18-8.10', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},\n {'reference':'gfs2-kmp-rt-5.3.18-8.10', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},\n {'reference':'kernel-devel-rt-5.3.18-8.10', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},\n {'reference':'kernel-rt-5.3.18-8.10', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},\n {'reference':'kernel-rt-devel-5.3.18-8.10', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},\n {'reference':'kernel-rt_debug-devel-5.3.18-8.10', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},\n {'reference':'kernel-source-rt-5.3.18-8.10', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},\n {'reference':'kernel-syms-rt-5.3.18-8.10', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']},\n {'reference':'ocfs2-kmp-rt-5.3.18-8.10', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-rt-release-15.3']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-rt / dlm-kmp-rt / gfs2-kmp-rt / kernel-devel-rt / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:29:19", "description": "The version of kernel installed on the remote host is prior to 4.14.232-176.381. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1636 advisory.\n\n - An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider the semantics of read operations and therefore can grant unintended write access, aka CID-17839856fd58.\n (CVE-2020-29374)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-05-24T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : kernel (ALAS-2021-1636)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-29374", "CVE-2021-23133", "CVE-2021-29155", "CVE-2021-31829"], "modified": "2021-05-24T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:kernel", "p-cpe:/a:amazon:linux:kernel-debuginfo", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:amazon:linux:kernel-devel", "p-cpe:/a:amazon:linux:kernel-headers", "p-cpe:/a:amazon:linux:kernel-livepatch-4.14.232-176.381", "p-cpe:/a:amazon:linux:kernel-tools", "p-cpe:/a:amazon:linux:kernel-tools-debuginfo", "p-cpe:/a:amazon:linux:kernel-tools-devel", "p-cpe:/a:amazon:linux:perf", "p-cpe:/a:amazon:linux:perf-debuginfo", "p-cpe:/a:amazon:linux:python-perf", "p-cpe:/a:amazon:linux:python-perf-debuginfo", "cpe:/o:amazon:linux:2"], "id": "AL2_ALAS-2021-1636.NASL", "href": "https://www.tenable.com/plugins/nessus/149870", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2021-1636.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149870);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/05/24\");\n\n script_cve_id(\n \"CVE-2020-29374\",\n \"CVE-2021-23133\",\n \"CVE-2021-29155\",\n \"CVE-2021-31829\"\n );\n script_xref(name:\"ALAS\", value:\"2021-1636\");\n\n script_name(english:\"Amazon Linux 2 : kernel (ALAS-2021-1636)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of kernel installed on the remote host is prior to 4.14.232-176.381. It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS2-2021-1636 advisory.\n\n - An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The\n get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider\n the semantics of read operations and therefore can grant unintended write access, aka CID-17839856fd58.\n (CVE-2020-29374)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification performed by the first operation is not correctly\n accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2021-1636.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-29374\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-23133\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-29155\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-31829\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update kernel' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-23133\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-livepatch-4.14.232-176.381\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"hotfixes.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (get_one_kb_item(\"Host/kpatch/kernel-cves\"))\n{\n set_hotfix_type(\"kpatch\");\n cve_list = make_list(\"CVE-2020-29374\", \"CVE-2021-23133\", \"CVE-2021-29155\", \"CVE-2021-31829\");\n if (hotfix_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"kpatch hotfix for ALAS-2021-1636\");\n }\n else\n {\n __rpm_report = hotfix_reporting_text();\n }\n}\npkgs = [\n {'reference':'kernel-4.14.232-176.381.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-4.14.232-176.381.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-4.14.232-176.381.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-4.14.232-176.381.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-common-aarch64-4.14.232-176.381.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-common-x86_64-4.14.232-176.381.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-4.14.232-176.381.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-4.14.232-176.381.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.14.232-176.381.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.14.232-176.381.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.14.232-176.381.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-livepatch-4.14.232-176.381-1.0-0.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-4.14.232-176.381.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-4.14.232-176.381.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-debuginfo-4.14.232-176.381.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-debuginfo-4.14.232-176.381.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-devel-4.14.232-176.381.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-devel-4.14.232-176.381.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.14.232-176.381.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.14.232-176.381.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-debuginfo-4.14.232-176.381.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-debuginfo-4.14.232-176.381.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-4.14.232-176.381.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-4.14.232-176.381.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-debuginfo-4.14.232-176.381.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-debuginfo-4.14.232-176.381.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debuginfo / kernel-debuginfo-common-x86_64 / etc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-21T16:24:21", "description": "The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4983-1 advisory.\n\n - A flaw was found in the Linux kernel in versions before 5.12. The value of internal.ndata, in the KVM API, is mapped to an array index, which can be updated by a user process at anytime which could lead to an out- of-bounds write. The highest threat from this vulnerability is to data integrity and system availability.\n (CVE-2021-3501)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-06-04T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS : Linux kernel (OEM) vulnerabilities (USN-4983-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-29155", "CVE-2021-31829", "CVE-2021-33200", "CVE-2021-3501"], "modified": "2023-10-20T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.10.0-1029-oem"], "id": "UBUNTU_USN-4983-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150234", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4983-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150234);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/20\");\n\n script_cve_id(\n \"CVE-2021-3501\",\n \"CVE-2021-29155\",\n \"CVE-2021-31829\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"USN\", value:\"4983-1\");\n\n script_name(english:\"Ubuntu 20.04 LTS : Linux kernel (OEM) vulnerabilities (USN-4983-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe USN-4983-1 advisory.\n\n - A flaw was found in the Linux kernel in versions before 5.12. The value of internal.ndata, in the KVM API,\n is mapped to an array index, which can be updated by a user process at anytime which could lead to an out-\n of-bounds write. The highest threat from this vulnerability is to data integrity and system availability.\n (CVE-2021-3501)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification performed by the first operation is not correctly\n accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4983-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-33200\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.10.0-1029-oem\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! ('20.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar kernel_mappings = {\n '20.04': {\n '5.10.0': {\n 'oem': '5.10.0-1029'\n }\n }\n};\n\nvar host_kernel_release = get_kb_item_or_exit('Host/uname-r');\nvar host_kernel_version = get_kb_item_or_exit('Host/Debian/kernel-version');\nvar host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');\nvar host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');\nif(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);\n\nvar extra = '';\nvar kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type];\nif (deb_ver_cmp(ver1:host_kernel_version, ver2:kernel_fixed_version) < 0)\n{\n extra = extra + 'Running Kernel level of ' + host_kernel_version + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\\n\\n';\n}\n else\n{\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-4983-1');\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2021-3501', 'CVE-2021-29155', 'CVE-2021-31829', 'CVE-2021-33200');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-4983-1');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:04", "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.(CVE-2021-31829)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.(CVE-2021-33033)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root.\n In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.(CVE-2021-33200)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.(CVE-2021-31916)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.(CVE-2021-29155)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-08-09T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP8 : kernel (EulerOS-SA-2021-2301)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-29155", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-33033", "CVE-2021-33200"], "modified": "2021-08-11T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:bpftool", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-source", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:python3-perf", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-2301.NASL", "href": "https://www.tenable.com/plugins/nessus/152327", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152327);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/08/11\");\n\n script_cve_id(\n \"CVE-2021-29155\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-33033\",\n \"CVE-2021-33200\"\n );\n\n script_name(english:\"EulerOS 2.0 SP8 : kernel (EulerOS-SA-2021-2301)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - kernel/bpf/verifier.c in the Linux kernel through\n 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel\n attacks, aka CID-801c6058d14a. The specific concern is\n not protecting the BPF stack area against speculative\n loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information\n previously operated on by the kernel.(CVE-2021-31829)\n\n - The Linux kernel before 5.11.14 has a use-after-free in\n cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the\n CIPSO and CALIPSO refcounting for the DOI definitions\n is mishandled, aka CID-ad5d07f4a9cd. This leads to\n writing an arbitrary value.(CVE-2021-33033)\n\n - kernel/bpf/verifier.c in the Linux kernel through\n 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to\n perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root.\n In particular, there is a corner case where the off reg\n causes a masking direction change, which then results\n in an incorrect final aux->alu_limit.(CVE-2021-33200)\n\n - An out-of-bounds (OOB) memory write flaw was found in\n list_devices in drivers/md/dm-ioctl.c in the\n Multi-device driver module in the Linux kernel before\n 5.12. A bound check failure allows an attacker with\n special user (CAP_SYS_ADMIN) privilege to gain access\n to out-of-bounds memory leading to a system crash or a\n leak of internal kernel information. The highest threat\n from this vulnerability is to system\n availability.(CVE-2021-31916)\n\n - An issue was discovered in the Linux kernel through\n 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic,\n leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from\n kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification\n performed by the first operation is not correctly\n accounted for when restricting subsequent\n operations.(CVE-2021-29155)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2301\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fd8f418c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python3-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"bpftool-4.19.36-vhulk1907.1.0.h1046.eulerosv2r8\",\n \"kernel-4.19.36-vhulk1907.1.0.h1046.eulerosv2r8\",\n \"kernel-devel-4.19.36-vhulk1907.1.0.h1046.eulerosv2r8\",\n \"kernel-headers-4.19.36-vhulk1907.1.0.h1046.eulerosv2r8\",\n \"kernel-source-4.19.36-vhulk1907.1.0.h1046.eulerosv2r8\",\n \"kernel-tools-4.19.36-vhulk1907.1.0.h1046.eulerosv2r8\",\n \"kernel-tools-libs-4.19.36-vhulk1907.1.0.h1046.eulerosv2r8\",\n \"perf-4.19.36-vhulk1907.1.0.h1046.eulerosv2r8\",\n \"python-perf-4.19.36-vhulk1907.1.0.h1046.eulerosv2r8\",\n \"python3-perf-4.19.36-vhulk1907.1.0.h1046.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:30:12", "description": "The remote Ubuntu 21.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4977-1 advisory.\n\n - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations. (CVE-2020-25670)\n\n - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after- free which might lead to privilege escalations. (CVE-2020-25671)\n\n - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)\n\n - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak and eventually hanging-up the system. (CVE-2020-25673)\n\n - A flaw was found in the Linux kernel in versions before 5.12. The value of internal.ndata, in the KVM API, is mapped to an array index, which can be updated by a user process at anytime which could lead to an out- of-bounds write. The highest threat from this vulnerability is to data integrity and system availability.\n (CVE-2021-3501)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-06-02T00:00:00", "type": "nessus", "title": "Ubuntu 21.04 : Linux kernel vulnerabilities (USN-4977-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25670", "CVE-2020-25671", "CVE-2020-25672", "CVE-2020-25673", "CVE-2021-29155", "CVE-2021-3501"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:21.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1006-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1007-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1008-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1008-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1008-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-18-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-18-generic-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-18-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-18-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k-hwe-20.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-20.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-20.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-20.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-20.04-edge"], "id": "UBUNTU_USN-4977-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150151", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4977-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150151);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2020-25670\",\n \"CVE-2020-25671\",\n \"CVE-2020-25672\",\n \"CVE-2020-25673\",\n \"CVE-2021-3501\",\n \"CVE-2021-29155\"\n );\n script_xref(name:\"USN\", value:\"4977-1\");\n\n script_name(english:\"Ubuntu 21.04 : Linux kernel vulnerabilities (USN-4977-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 21.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nUSN-4977-1 advisory.\n\n - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free\n which might lead to privilege escalations. (CVE-2020-25670)\n\n - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-\n free which might lead to privilege escalations. (CVE-2020-25671)\n\n - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)\n\n - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak\n and eventually hanging-up the system. (CVE-2020-25673)\n\n - A flaw was found in the Linux kernel in versions before 5.12. The value of internal.ndata, in the KVM API,\n is mapped to an array index, which can be updated by a user process at anytime which could lead to an out-\n of-bounds write. The highest threat from this vulnerability is to data integrity and system availability.\n (CVE-2021-3501)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification performed by the first operation is not correctly\n accounted for when restricting subsequent operations. (CVE-2021-29155)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4977-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25671\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:21.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1006-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1007-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1008-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1008-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1008-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-18-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-18-generic-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-18-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-18-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k-hwe-20.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-20.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-20.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-20.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-20.04-edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(21\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 21.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n cve_list = make_list('CVE-2020-25670', 'CVE-2020-25671', 'CVE-2020-25672', 'CVE-2020-25673', 'CVE-2021-3501', 'CVE-2021-29155');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-4977-1');\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\npkgs = [\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-1006-azure', 'pkgver': '5.11.0-1006.6'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-1007-oracle', 'pkgver': '5.11.0-1007.7'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-1008-aws', 'pkgver': '5.11.0-1008.8'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-1008-gcp', 'pkgver': '5.11.0-1008.9'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-1008-kvm', 'pkgver': '5.11.0-1008.8'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-18-generic', 'pkgver': '5.11.0-18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-18-generic-64k', 'pkgver': '5.11.0-18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-18-generic-lpae', 'pkgver': '5.11.0-18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-18-lowlatency', 'pkgver': '5.11.0-18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-aws', 'pkgver': '5.11.0.1008.8'},\n {'osver': '21.04', 'pkgname': 'linux-image-azure', 'pkgver': '5.11.0.1006.6'},\n {'osver': '21.04', 'pkgname': 'linux-image-gcp', 'pkgver': '5.11.0.1008.8'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic', 'pkgver': '5.11.0.18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic-64k', 'pkgver': '5.11.0.18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic-64k-hwe-20.04', 'pkgver': '5.11.0.18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic-64k-hwe-20.04-edge', 'pkgver': '5.11.0.18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic-hwe-20.04', 'pkgver': '5.11.0.18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic-hwe-20.04-edge', 'pkgver': '5.11.0.18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic-lpae', 'pkgver': '5.11.0.18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic-lpae-hwe-20.04', 'pkgver': '5.11.0.18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic-lpae-hwe-20.04-edge', 'pkgver': '5.11.0.18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-gke', 'pkgver': '5.11.0.1008.8'},\n {'osver': '21.04', 'pkgname': 'linux-image-kvm', 'pkgver': '5.11.0.1008.8'},\n {'osver': '21.04', 'pkgname': 'linux-image-lowlatency', 'pkgver': '5.11.0.18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-lowlatency-hwe-20.04', 'pkgver': '5.11.0.18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-lowlatency-hwe-20.04-edge', 'pkgver': '5.11.0.18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-oem-20.04', 'pkgver': '5.11.0.18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-oracle', 'pkgver': '5.11.0.1007.7'},\n {'osver': '21.04', 'pkgname': 'linux-image-virtual', 'pkgver': '5.11.0.18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-virtual-hwe-20.04', 'pkgver': '5.11.0.18.19'},\n {'osver': '21.04', 'pkgname': 'linux-image-virtual-hwe-20.04-edge', 'pkgver': '5.11.0.18.19'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'linux-image-5.11.0-1006-azure / linux-image-5.11.0-1007-oracle / etc');\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:28:26", "description": "The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.\n\nThe following security bugs were fixed :\n\nCVE-2020-36312: Fixed an issue within virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).\n\nCVE-2021-29650: Fixed an issue within the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).\n\nCVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations (bnc#1184942).\n\nCVE-2020-36310: Fixed an issue within arch/x86/kvm/svm/svm.c that allowed a set_memory_region_test infinite loop for certain nested page faults (bnc#1184512).\n\nCVE-2021-28950: Fixed an issue within fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).\n\nCVE-2020-36322: Fixed an issue within the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211, bnc#1184952).\n\nCVE-2021-3444: Fixed incorrect mod32 BPF verifier truncation (bsc#1184170).\n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-05-13T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1572-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-36310", "CVE-2020-36312", "CVE-2020-36322", "CVE-2021-28950", "CVE-2021-29155", "CVE-2021-29650", "CVE-2021-3444"], "modified": "2021-05-17T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-azure", "p-cpe:/a:novell:suse_linux:kernel-azure-base", "p-cpe:/a:novell:suse_linux:kernel-azure-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-azure-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-azure-debugsource", "p-cpe:/a:novell:suse_linux:kernel-azure-devel", "p-cpe:/a:novell:suse_linux:kernel-syms-azure", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-1572-1.NASL", "href": "https://www.tenable.com/plugins/nessus/149456", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:1572-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(149456);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/05/17\");\n\n script_cve_id(\"CVE-2020-36310\", \"CVE-2020-36312\", \"CVE-2020-36322\", \"CVE-2021-28950\", \"CVE-2021-29155\", \"CVE-2021-29650\", \"CVE-2021-3444\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1572-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive\nvarious security and bugfixes.\n\nThe following security bugs were fixed :\n\nCVE-2020-36312: Fixed an issue within virt/kvm/kvm_main.c that had a\nkvm_io_bus_unregister_dev memory leak upon a kmalloc failure\n(bnc#1184509).\n\nCVE-2021-29650: Fixed an issue within the netfilter subsystem that\nallowed attackers to cause a denial of service (panic) because\nnet/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a\nfull memory barrier upon the assignment of a new table value\n(bnc#1184208).\n\nCVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that\nperformed undesirable out-of-bounds speculation on pointer arithmetic,\nleading to side-channel attacks that defeat Spectre mitigations and\nobtain sensitive information from kernel memory. Specifically, for\nsequences of pointer arithmetic operations, the pointer modification\nperformed by the first operation is not correctly accounted for when\nrestricting subsequent operations (bnc#1184942).\n\nCVE-2020-36310: Fixed an issue within arch/x86/kvm/svm/svm.c that\nallowed a set_memory_region_test infinite loop for certain nested page\nfaults (bnc#1184512).\n\nCVE-2021-28950: Fixed an issue within fs/fuse/fuse_i.h where a 'stall\non CPU' could have occured because a retry loop continually finds the\nsame bad inode (bnc#1184194, bnc#1184211).\n\nCVE-2020-36322: Fixed an issue within the FUSE filesystem\nimplementation where fuse_do_getattr() calls make_bad_inode() in\ninappropriate situations, causing a system crash. NOTE: the original\nfix for this vulnerability was incomplete, and its incompleteness is\ntracked as CVE-2021-28950 (bnc#1184211, bnc#1184952).\n\nCVE-2021-3444: Fixed incorrect mod32 BPF verifier truncation\n(bsc#1184170).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1043990\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1046303\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1047233\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1055117\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1056787\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1065729\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1087405\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1097583\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1097584\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1097585\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1097586\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1097587\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1097588\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1101816\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1103990\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1104353\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1109837\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1111981\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1114648\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1118657\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1118661\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1151794\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1152457\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1175306\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178089\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1180624\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1180846\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181062\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181161\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182613\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182672\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183063\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183203\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183289\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184170\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184194\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184208\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184209\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184211\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184350\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184388\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184509\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184512\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184514\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184647\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184650\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184724\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184731\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184736\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184737\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184738\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184742\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184760\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184942\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184952\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184957\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184984\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185041\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185113\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185195\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185197\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185244\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185269\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185335\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185365\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185472\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185491\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185549\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-36310/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-36312/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-36322/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-28950/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-29155/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-29650/\"\n );\n # https://www.suse.com/support/update/announcement/2021/suse-su-20211572-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ab05afda\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1572=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3444\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP5\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"x86_64\", reference:\"kernel-azure-4.12.14-16.56.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"x86_64\", reference:\"kernel-azure-base-4.12.14-16.56.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"x86_64\", reference:\"kernel-azure-base-debuginfo-4.12.14-16.56.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"x86_64\", reference:\"kernel-azure-debuginfo-4.12.14-16.56.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"x86_64\", reference:\"kernel-azure-debugsource-4.12.14-16.56.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"x86_64\", reference:\"kernel-azure-devel-4.12.14-16.56.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"x86_64\", reference:\"kernel-syms-azure-4.12.14-16.56.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:28:21", "description": "The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.\n\nThe following security bugs were fixed :\n\nCVE-2020-36312: Fixed an issue within virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).\n\nCVE-2021-29650: Fixed an issue within the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).\n\nCVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations (bnc#1184942).\n\nCVE-2020-36310: Fixed an issue within arch/x86/kvm/svm/svm.c that allowed a set_memory_region_test infinite loop for certain nested page faults (bnc#1184512).\n\nCVE-2021-28950: Fixed an issue within fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).\n\nCVE-2020-36322: Fixed an issue within the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211, bnc#1184952).\n\nCVE-2021-3444: Fixed incorrect mod32 BPF verifier truncation (bsc#1184170).\n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-05-14T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1595-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-36310", "CVE-2020-36312", "CVE-2020-36322", "CVE-2021-28950", "CVE-2021-29155", "CVE-2021-29650", "CVE-2021-3444"], "modified": "2021-05-18T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-devel-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-syms", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-1595-1.NASL", "href": "https://www.tenable.com/plugins/nessus/149487", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:1595-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(149487);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/05/18\");\n\n script_cve_id(\"CVE-2020-36310\", \"CVE-2020-36312\", \"CVE-2020-36322\", \"CVE-2021-28950\", \"CVE-2021-29155\", \"CVE-2021-29650\", \"CVE-2021-3444\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1595-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various\nsecurity and bugfixes.\n\nThe following security bugs were fixed :\n\nCVE-2020-36312: Fixed an issue within virt/kvm/kvm_main.c that had a\nkvm_io_bus_unregister_dev memory leak upon a kmalloc failure\n(bnc#1184509).\n\nCVE-2021-29650: Fixed an issue within the netfilter subsystem that\nallowed attackers to cause a denial of service (panic) because\nnet/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a\nfull memory barrier upon the assignment of a new table value\n(bnc#1184208).\n\nCVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that\nperformed undesirable out-of-bounds speculation on pointer arithmetic,\nleading to side-channel attacks that defeat Spectre mitigations and\nobtain sensitive information from kernel memory. Specifically, for\nsequences of pointer arithmetic operations, the pointer modification\nperformed by the first operation is not correctly accounted for when\nrestricting subsequent operations (bnc#1184942).\n\nCVE-2020-36310: Fixed an issue within arch/x86/kvm/svm/svm.c that\nallowed a set_memory_region_test infinite loop for certain nested page\nfaults (bnc#1184512).\n\nCVE-2021-28950: Fixed an issue within fs/fuse/fuse_i.h where a 'stall\non CPU' could have occured because a retry loop continually finds the\nsame bad inode (bnc#1184194, bnc#1184211).\n\nCVE-2020-36322: Fixed an issue within the FUSE filesystem\nimplementation where fuse_do_getattr() calls make_bad_inode() in\ninappropriate situations, causing a system crash. NOTE: the original\nfix for this vulnerability was incomplete, and its incompleteness is\ntracked as CVE-2021-28950 (bnc#1184211, bnc#1184952).\n\nCVE-2021-3444: Fixed incorrect mod32 BPF verifier truncation\n(bsc#1184170).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1043990\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1046303\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1047233\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1055117\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1056787\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1065729\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1087405\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1097583\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1097584\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1097585\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1097586\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1097587\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1097588\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1101816\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1103990\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1104353\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1109837\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1111981\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1114648\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1118657\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1118661\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1151794\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1152457\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1175306\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178089\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1180624\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1180846\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181062\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181161\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182613\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182672\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183063\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183203\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183289\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183947\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184170\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184194\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184208\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184209\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184211\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184350\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184388\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184509\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184512\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184514\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184647\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184650\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184724\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184731\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184736\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184737\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184738\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184742\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184760\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184942\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184952\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184957\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184984\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185041\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185113\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185195\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185197\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185244\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185269\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185335\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185365\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185472\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185491\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185549\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-36310/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-36312/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-36322/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-28950/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-29155/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-29650/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-3444/\"\n );\n # https://www.suse.com/support/update/announcement/2021/suse-su-20211595-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fc024750\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP5 :\n\nzypper in -t patch SUSE-SLE-WE-12-SP5-2021-1595=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1595=1\n\nSUSE Linux Enterprise Server 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1595=1\n\nSUSE Linux Enterprise Live Patching 12-SP5 :\n\nzypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-1595=1\n\nSUSE Linux Enterprise High Availability 12-SP5 :\n\nzypper in -t patch SUSE-SLE-HA-12-SP5-2021-1595=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3444\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP5\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"x86_64\", reference:\"kernel-default-devel-debuginfo-4.12.14-122.71.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"s390x\", reference:\"kernel-default-man-4.12.14-122.71.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"kernel-default-4.12.14-122.71.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"kernel-default-base-4.12.14-122.71.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"kernel-default-base-debuginfo-4.12.14-122.71.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"kernel-default-debuginfo-4.12.14-122.71.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"kernel-default-debugsource-4.12.14-122.71.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"kernel-default-devel-4.12.14-122.71.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"kernel-syms-4.12.14-122.71.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-09T15:24:52", "description": "The version of kernel installed on the remote host is prior to 5.4.117-58.216. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.4-2022-003 advisory.\n\n - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations. (CVE-2020-25670)\n\n - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after- free which might lead to privilege escalations. (CVE-2020-25671)\n\n - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)\n\n - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak and eventually hanging-up the system. (CVE-2020-25673)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-05-02T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : kernel (ALASKERNEL-5.4-2022-003)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25670", "CVE-2020-25671", "CVE-2020-25672", "CVE-2020-25673", "CVE-2021-23133", "CVE-2021-29154", "CVE-2021-29155", "CVE-2021-31829"], "modified": "2023-09-05T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:python-perf", "cpe:/o:amazon:linux:2", "p-cpe:/a:amazon:linux:perf", "p-cpe:/a:amazon:linux:kernel-headers", "p-cpe:/a:amazon:linux:kernel-tools-devel", "p-cpe:/a:amazon:linux:kernel-devel", "p-cpe:/a:amazon:linux:bpftool-debuginfo", "p-cpe:/a:amazon:linux:kernel-tools-debuginfo", "p-cpe:/a:amazon:linux:bpftool", "p-cpe:/a:amazon:linux:python-perf-debuginfo", "p-cpe:/a:amazon:linux:kernel-tools", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:amazon:linux:kernel", "p-cpe:/a:amazon:linux:perf-debuginfo", "p-cpe:/a:amazon:linux:kernel-debuginfo"], "id": "AL2_ALASKERNEL-5_4-2022-003.NASL", "href": "https://www.tenable.com/plugins/nessus/160442", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALASKERNEL-5.4-2022-003.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160442);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/05\");\n\n script_cve_id(\n \"CVE-2020-25670\",\n \"CVE-2020-25671\",\n \"CVE-2020-25672\",\n \"CVE-2020-25673\",\n \"CVE-2021-23133\",\n \"CVE-2021-29154\",\n \"CVE-2021-29155\",\n \"CVE-2021-31829\"\n );\n\n script_name(english:\"Amazon Linux 2 : kernel (ALASKERNEL-5.4-2022-003)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of kernel installed on the remote host is prior to 5.4.117-58.216. It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS2KERNEL-5.4-2022-003 advisory.\n\n - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free\n which might lead to privilege escalations. (CVE-2020-25670)\n\n - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-\n free which might lead to privilege escalations. (CVE-2020-25671)\n\n - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)\n\n - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak\n and eventually hanging-up the system. (CVE-2020-25673)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements,\n allowing them to execute arbitrary code within the kernel context. This affects\n arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification performed by the first operation is not correctly\n accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2022-003.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-25670.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-25671.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-25672.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-25673.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-23133.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-29154.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-29155.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-31829.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update kernel' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-29154\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bpftool-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"kpatch.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\ninclude(\"hotfixes.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar alas_release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d+|-\\d+)\", string:alas_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (get_one_kb_item(\"Host/kpatch/kernel-cves\"))\n{\n set_hotfix_type(\"kpatch\");\n var cve_list = make_list(\"CVE-2020-25670\", \"CVE-2020-25671\", \"CVE-2020-25672\", \"CVE-2020-25673\", \"CVE-2021-23133\", \"CVE-2021-29154\", \"CVE-2021-29155\", \"CVE-2021-31829\");\n if (hotfix_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"kpatch hotfix for ALASKERNEL-5.4-2022-003\");\n }\n else\n {\n __rpm_report = hotfix_reporting_text();\n }\n}\nvar pkgs = [\n {'reference':'bpftool-5.4.117-58.216.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'bpftool-5.4.117-58.216.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'bpftool-debuginfo-5.4.117-58.216.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'bpftool-debuginfo-5.4.117-58.216.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-5.4.117-58.216.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-5.4.117-58.216.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-debuginfo-5.4.117-58.216.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-debuginfo-5.4.117-58.216.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-debuginfo-common-aarch64-5.4.117-58.216.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-debuginfo-common-x86_64-5.4.117-58.216.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-devel-5.4.117-58.216.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-devel-5.4.117-58.216.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-headers-5.4.117-58.216.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-headers-5.4.117-58.216.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-headers-5.4.117-58.216.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-5.4.117-58.216.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-5.4.117-58.216.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-debuginfo-5.4.117-58.216.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-debuginfo-5.4.117-58.216.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-devel-5.4.117-58.216.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-devel-5.4.117-58.216.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'perf-5.4.117-58.216.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'perf-5.4.117-58.216.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'perf-debuginfo-5.4.117-58.216.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'perf-debuginfo-5.4.117-58.216.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'python-perf-5.4.117-58.216.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'python-perf-5.4.117-58.216.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'python-perf-debuginfo-5.4.117-58.216.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'python-perf-debuginfo-5.4.117-58.216.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bpftool / bpftool-debuginfo / kernel / etc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-15T15:24:45", "description": "The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9363 advisory.\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. (CVE-2021-33033)\n\n - User application could potentially make RPC call to the fastrpc driver and the driver will allow the message to go through to the remote subsystem in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 (CVE-2019-2308)\n\n - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after- free which might lead to privilege escalations. (CVE-2020-25671)\n\n - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations. (CVE-2020-25670)\n\n - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-07-16T00:00:00", "type": "nessus", "title": "Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2021-9363)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-2308", "CVE-2020-25670", "CVE-2020-25671", "CVE-2020-25672", "CVE-2021-23133", "CVE-2021-29155", "CVE-2021-31829", "CVE-2021-32399", "CVE-2021-33033", "CVE-2021-33034"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:kernel-uek-container", "p-cpe:/a:oracle:linux:kernel-uek-container-debug"], "id": "ORACLELINUX_ELSA-2021-9363.NASL", "href": "https://www.tenable.com/plugins/nessus/151689", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-9363.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151689);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\n \"CVE-2019-2308\",\n \"CVE-2020-25670\",\n \"CVE-2020-25671\",\n \"CVE-2020-25672\",\n \"CVE-2021-23133\",\n \"CVE-2021-29155\",\n \"CVE-2021-31829\",\n \"CVE-2021-32399\",\n \"CVE-2021-33033\",\n \"CVE-2021-33034\"\n );\n\n script_name(english:\"Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2021-9363)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe ELSA-2021-9363 advisory.\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because\n the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads\n to writing an arbitrary value. (CVE-2021-33033)\n\n - User application could potentially make RPC call to the fastrpc driver and the driver will allow the\n message to go through to the remote subsystem in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon\n Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9607,\n MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 425, SD 427, SD 430, SD 435, SD 439 / SD\n 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD\n 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 (CVE-2019-2308)\n\n - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-\n free which might lead to privilege escalations. (CVE-2020-25671)\n\n - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free\n which might lead to privilege escalations. (CVE-2020-25670)\n\n - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification performed by the first operation is not correctly\n accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-9363.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel-uek-container and / or kernel-uek-container-debug packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25671\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container-debug\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^(7|8)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7 / 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar pkgs = [\n {'reference':'kernel-uek-container-5.4.17-2102.203.5.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-5.4.17'},\n {'reference':'kernel-uek-container-debug-5.4.17-2102.203.5.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-debug-5.4.17'},\n {'reference':'kernel-uek-container-5.4.17-2102.203.5.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-5.4.17'},\n {'reference':'kernel-uek-container-debug-5.4.17-2102.203.5.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-debug-5.4.17'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek-container / kernel-uek-container-debug');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-15T15:24:57", "description": "The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9362 advisory.\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. (CVE-2021-33033)\n\n - User application could potentially make RPC call to the fastrpc driver and the driver will allow the message to go through to the remote subsystem in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 (CVE-2019-2308)\n\n - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after- free which might lead to privilege escalations. (CVE-2020-25671)\n\n - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations. (CVE-2020-25670)\n\n - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-07-16T00:00:00", "type": "nessus", "title": "Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2021-9362)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-2308", "CVE-2020-25670", "CVE-2020-25671", "CVE-2020-25672", "CVE-2021-23133", "CVE-2021-29155", "CVE-2021-31829", "CVE-2021-32399", "CVE-2021-33033", "CVE-2021-33034"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek-tools", "p-cpe:/a:oracle:linux:kernel-uek-tools-libs", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:python-perf"], "id": "ORACLELINUX_ELSA-2021-9362.NASL", "href": "https://www.tenable.com/plugins/nessus/151690", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-9362.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151690);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\n \"CVE-2019-2308\",\n \"CVE-2020-25670\",\n \"CVE-2020-25671\",\n \"CVE-2020-25672\",\n \"CVE-2021-23133\",\n \"CVE-2021-29155\",\n \"CVE-2021-31829\",\n \"CVE-2021-32399\",\n \"CVE-2021-33033\",\n \"CVE-2021-33034\"\n );\n\n script_name(english:\"Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2021-9362)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe ELSA-2021-9362 advisory.\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because\n the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads\n to writing an arbitrary value. (CVE-2021-33033)\n\n - User application could potentially make RPC call to the fastrpc driver and the driver will allow the\n message to go through to the remote subsystem in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon\n Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9607,\n MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 425, SD 427, SD 430, SD 435, SD 439 / SD\n 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD\n 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 (CVE-2019-2308)\n\n - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-\n free which might lead to privilege escalations. (CVE-2020-25671)\n\n - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free\n which might lead to privilege escalations. (CVE-2020-25670)\n\n - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification performed by the first operation is not correctly\n accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-9362.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25671\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-perf\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^(7|8)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7 / 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['5.4.17-2102.203.5.el7uek', '5.4.17-2102.203.5.el8uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2021-9362');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '5.4';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-5.4.17-2102.203.5.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-5.4.17-2102.203.5.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2102.203.5.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2102.203.5.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2102.203.5.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2102.203.5.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2102.203.5.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2102.203.5.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-doc-5.4.17-2102.203.5.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-5.4.17'},\n {'reference':'kernel-uek-tools-5.4.17-2102.203.5.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-5.4.17'},\n {'reference':'kernel-uek-tools-5.4.17-2102.203.5.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-5.4.17'},\n {'reference':'kernel-uek-tools-libs-5.4.17-2102.203.5.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-libs-5.4.17'},\n {'reference':'perf-5.4.17-2102.203.5.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-5.4.17-2102.203.5.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-uek-5.4.17-2102.203.5.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-5.4.17-2102.203.5.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2102.203.5.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2102.203.5.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2102.203.5.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2102.203.5.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2102.203.5.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2102.203.5.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-doc-5.4.17-2102.203.5.el8uek', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-5.4.17'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-debug / kernel-uek-debug-devel / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-09T15:23:20", "description": "The version of kernel installed on the remote host is prior to 5.10.35-31.135. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2022-001 advisory.\n\n - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations. (CVE-2020-25670)\n\n - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after- free which might lead to privilege escalations. (CVE-2020-25671)\n\n - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)\n\n - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak and eventually hanging-up the system. (CVE-2020-25673)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier support for it) (v5.8-rc1). (CVE-2021-3489)\n\n - The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e (bpf: Fix alu32 const subreg bound tracking on bitwise operations) (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 (bpf: Verifier, do explicit ALU32 bounds tracking) (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 (bpf:Fix a verifier failure with xor) ( 5.10-rc1). (CVE-2021-3490)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/<PID>/mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\n - A flaw was found in the Linux kernel in versions before 5.12. The value of internal.ndata, in the KVM API, is mapped to an array index, which can be updated by a user process at anytime which could lead to an out- of-bounds write. The highest threat from this vulnerability is to data integrity and system availability.\n (CVE-2021-3501)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-05-02T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : kernel (ALASKERNEL-5.10-2022-001)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25670", "CVE-2020-25671", "CVE-2020-25672", "CVE-2020-25673", "CVE-2021-23133", "CVE-2021-29155", "CVE-2021-31829", "CVE-2021-3489", "CVE-2021-3490", "CVE-2021-3491", "CVE-2021-3501"], "modified": "2023-09-05T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:python-perf", "cpe:/o:amazon:linux:2", "p-cpe:/a:amazon:linux:perf", "p-cpe:/a:amazon:linux:kernel-headers", "p-cpe:/a:amazon:linux:kernel-tools-devel", "p-cpe:/a:amazon:linux:kernel-devel", "p-cpe:/a:amazon:linux:bpftool-debuginfo", "p-cpe:/a:amazon:linux:kernel-tools-debuginfo", "p-cpe:/a:amazon:linux:bpftool", "p-cpe:/a:amazon:linux:python-perf-debuginfo", "p-cpe:/a:amazon:linux:kernel-tools", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:amazon:linux:kernel", "p-cpe:/a:amazon:linux:perf-debuginfo", "p-cpe:/a:amazon:linux:kernel-debuginfo"], "id": "AL2_ALASKERNEL-5_10-2022-001.NASL", "href": "https://www.tenable.com/plugins/nessus/160443", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALASKERNEL-5.10-2022-001.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160443);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/05\");\n\n script_cve_id(\n \"CVE-2020-25670\",\n \"CVE-2020-25671\",\n \"CVE-2020-25672\",\n \"CVE-2020-25673\",\n \"CVE-2021-3489\",\n \"CVE-2021-3490\",\n \"CVE-2021-3491\",\n \"CVE-2021-3501\",\n \"CVE-2021-23133\",\n \"CVE-2021-29155\",\n \"CVE-2021-31829\"\n );\n\n script_name(english:\"Amazon Linux 2 : kernel (ALASKERNEL-5.10-2022-001)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of kernel installed on the remote host is prior to 5.10.35-31.135. It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS2KERNEL-5.10-2022-001 advisory.\n\n - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free\n which might lead to privilege escalations. (CVE-2020-25670)\n\n - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-\n free which might lead to privilege escalations. (CVE-2020-25671)\n\n - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)\n\n - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak\n and eventually hanging-up the system. (CVE-2020-25673)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification performed by the first operation is not correctly\n accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size\n was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel\n and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny\n reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4,\n v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier\n support for it) (v5.8-rc1). (CVE-2021-3489)\n\n - The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly\n update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and\n therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e (bpf: Fix alu32 const\n subreg bound tracking on bitwise operations) (v5.13-rc4) and backported to the stable kernels in v5.12.4,\n v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 (bpf: Verifier, do\n explicit ALU32 bounds tracking) (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 (bpf:Fix a\n verifier failure with xor) ( 5.10-rc1). (CVE-2021-3490)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/<PID>/mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\n - A flaw was found in the Linux kernel in versions before 5.12. The value of internal.ndata, in the KVM API,\n is mapped to an array index, which can be updated by a user process at anytime which could lead to an out-\n of-bounds write. The highest threat from this vulnerability is to data integrity and system availability.\n (CVE-2021-3501)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2022-001.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-25670.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-25671.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-25672.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-25673.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-23133.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-29155.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-31829.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-3489.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-3490.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-3491.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-3501.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update kernel' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux eBPF ALU32 32-bit Invalid Bounds Tracking LPE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bpftool-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"kpatch.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\ninclude(\"hotfixes.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar alas_release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d+|-\\d+)\", string:alas_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (get_one_kb_item(\"Host/kpatch/kernel-cves\"))\n{\n set_hotfix_type(\"kpatch\");\n var cve_list = make_list(\"CVE-2020-25670\", \"CVE-2020-25671\", \"CVE-2020-25672\", \"CVE-2020-25673\", \"CVE-2021-3489\", \"CVE-2021-3490\", \"CVE-2021-3491\", \"CVE-2021-3501\", \"CVE-2021-23133\", \"CVE-2021-29155\", \"CVE-2021-31829\");\n if (hotfix_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"kpatch hotfix for ALASKERNEL-5.10-2022-001\");\n }\n else\n {\n __rpm_report = hotfix_reporting_text();\n }\n}\nvar pkgs = [\n {'reference':'bpftool-5.10.35-31.135.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'bpftool-5.10.35-31.135.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'bpftool-debuginfo-5.10.35-31.135.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'bpftool-debuginfo-5.10.35-31.135.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-5.10.35-31.135.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-5.10.35-31.135.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-debuginfo-5.10.35-31.135.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-debuginfo-5.10.35-31.135.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-debuginfo-common-aarch64-5.10.35-31.135.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-debuginfo-common-x86_64-5.10.35-31.135.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-devel-5.10.35-31.135.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-devel-5.10.35-31.135.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-headers-5.10.35-31.135.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-headers-5.10.35-31.135.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-headers-5.10.35-31.135.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-tools-5.10.35-31.135.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-tools-5.10.35-31.135.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-tools-debuginfo-5.10.35-31.135.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-tools-debuginfo-5.10.35-31.135.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-tools-devel-5.10.35-31.135.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-tools-devel-5.10.35-31.135.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'perf-5.10.35-31.135.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'perf-5.10.35-31.135.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'perf-debuginfo-5.10.35-31.135.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'perf-debuginfo-5.10.35-31.135.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'python-perf-5.10.35-31.135.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'python-perf-5.10.35-31.135.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'python-perf-debuginfo-5.10.35-31.135.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'python-perf-debuginfo-5.10.35-31.135.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bpftool / bpftool-debuginfo / kernel / etc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:31:34", "description": "According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - The Linux Kernel, the operating system core itself.\n Security Fix(es):An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A 'stall on CPU' can occur because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1.(CVE-2021-28950)An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.(CVE-2021-31916)An issue was discovered in the Linux kernel through 5.2.13.\n nbd_genl_status in drivers/blockbd.c does not check the nla_nest_start_noflag return value.(CVE-2019-16089)The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in the upstream kernel in commit 9b00f1b78809 ('bpf: Fix truncation handling for mod32(CVE-2021-3444)An issue was discovered in the Linux kernel through 5.11.x.\n kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.(CVE-2021-29155)net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller.\n (CVE-2021-32399)kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.(CVE-2021-31829)The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.(CVE-2021-33033)Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.(CVE-2021-23134)A memory leak vulnerability was found in Linux kernel in llcp_sock_connect(CVE-2020-25672)A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-free which might lead to privilege escalations.(CVE-2020-25671)A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations.(CVE-2020-25670)In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.(CVE-2021-33034)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-07-13T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.9.0 : kernel (EulerOS-SA-2021-2195)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16089", "CVE-2020-25670", "CVE-2020-25671", "CVE-2020-25672", "CVE-2021-23134", "CVE-2021-28950", "CVE-2021-29155", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-32399", "CVE-2021-33033", "CVE-2021-33034", "CVE-2021-3444"], "modified": "2021-07-15T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:perf", "cpe:/o:huawei:euleros:uvp:2.9.0"], "id": "EULEROS_SA-2021-2195.NASL", "href": "https://www.tenable.com/plugins/nessus/151570", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151570);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/15\");\n\n script_cve_id(\n \"CVE-2019-16089\",\n \"CVE-2020-25670\",\n \"CVE-2020-25671\",\n \"CVE-2020-25672\",\n \"CVE-2021-23134\",\n \"CVE-2021-28950\",\n \"CVE-2021-29155\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-32399\",\n \"CVE-2021-33033\",\n \"CVE-2021-33034\",\n \"CVE-2021-3444\"\n );\n\n script_name(english:\"EulerOS Virtualization 2.9.0 : kernel (EulerOS-SA-2021-2195)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - The Linux Kernel, the operating system core itself.\n Security Fix(es):An issue was discovered in\n fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A\n 'stall on CPU' can occur because a retry loop\n continually finds the same bad inode, aka\n CID-775c5033a0d1.(CVE-2021-28950)An out-of-bounds (OOB)\n memory write flaw was found in list_devices in\n drivers/md/dm-ioctl.c in the Multi-device driver module\n in the Linux kernel before 5.12. A bound check failure\n allows an attacker with special user (CAP_SYS_ADMIN)\n privilege to gain access to out-of-bounds memory\n leading to a system crash or a leak of internal kernel\n information. The highest threat from this vulnerability\n is to system availability.(CVE-2021-31916)An issue was\n discovered in the Linux kernel through 5.2.13.\n nbd_genl_status in drivers/blockbd.c does not check the\n nla_nest_start_noflag return value.(CVE-2019-16089)The\n bpf verifier in the Linux kernel did not properly\n handle mod32 destination register truncation when the\n source register was known to be 0. A local attacker\n with the ability to load bpf programs could use this\n gain out-of-bounds reads in kernel memory leading to\n information disclosure (kernel memory), and possibly\n out-of-bounds writes that could potentially lead to\n code execution. This issue was addressed in the\n upstream kernel in commit 9b00f1b78809 ('bpf: Fix\n truncation handling for mod32(CVE-2021-3444)An issue\n was discovered in the Linux kernel through 5.11.x.\n kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic,\n leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from\n kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification\n performed by the first operation is not correctly\n accounted for when restricting subsequent\n operations.(CVE-2021-29155)net/bluetooth/hci_request.c\n in the Linux kernel through 5.12.2 has a race condition\n for removal of the HCI controller.\n (CVE-2021-32399)kernel/bpf/verifier.c in the Linux\n kernel through 5.12.1 performs undesirable speculative\n loads, leading to disclosure of stack content via\n side-channel attacks, aka CID-801c6058d14a. The\n specific concern is not protecting the BPF stack area\n against speculative loads. Also, the BPF stack can\n contain uninitialized data that might represent\n sensitive information previously operated on by the\n kernel.(CVE-2021-31829)The Linux kernel before 5.11.14\n has a use-after-free in cipso_v4_genopt in\n net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO\n refcounting for the DOI definitions is mishandled, aka\n CID-ad5d07f4a9cd. This leads to writing an arbitrary\n value.(CVE-2021-33033)Use After Free vulnerability in\n nfc sockets in the Linux Kernel before 5.12.4 allows\n local attackers to elevate their privileges. In typical\n configurations, the issue can only be triggered by a\n privileged local user with the CAP_NET_RAW\n capability.(CVE-2021-23134)A memory leak vulnerability\n was found in Linux kernel in\n llcp_sock_connect(CVE-2020-25672)A vulnerability was\n found in Linux Kernel, where a refcount leak in\n llcp_sock_connect() causing use-after-free which might\n lead to privilege escalations.(CVE-2020-25671)A\n vulnerability was found in Linux Kernel where refcount\n leak in llcp_sock_bind() causing use-after-free which\n might lead to privilege escalations.(CVE-2020-25670)In\n the Linux kernel before 5.12.4,\n net/bluetooth/hci_event.c has a use-after-free when\n destroying an hci_chan, aka CID-5c4c8c954409. This\n leads to writing an arbitrary value.(CVE-2021-33034)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2195\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7a3e9fb0\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.9.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.9.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.9.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-4.18.0-147.5.1.6.h475.eulerosv2r9\",\n \"kernel-tools-4.18.0-147.5.1.6.h475.eulerosv2r9\",\n \"kernel-tools-libs-4.18.0-147.5.1.6.h475.eulerosv2r9\",\n \"perf-4.18.0-147.5.1.6.h475.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:04", "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - An issue was discovered in the Linux kernel through 5.2.13. nbd_genl_status in drivers/block/nbd.c does not check the nla_nest_start_noflag return value.(CVE-2019-16089)\n\n - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations.(CVE-2020-25670)\n\n - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-free which might lead to privilege escalations.(CVE-2020-25671)\n\n - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect(CVE-2020-25672)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.(CVE-2021-31916)\n\n - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A 'stall on CPU' can occur because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1.(CVE-2021-28950)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.(CVE-2021-23134)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.(CVE-2021-29155)\n\n - The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in the upstream kernel in commit 9b00f1b78809 ('bpf: Fix truncation handling for mod32 dst reg wrt zero') and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101.(CVE-2021-3444)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.(CVE-2021-33033)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.(CVE-2021-31829)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller.(CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.(CVE-2021-33034)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-08-09T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-2246)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16089", "CVE-2020-25670", "CVE-2020-25671", "CVE-2020-25672", "CVE-2021-23134", "CVE-2021-28950", "CVE-2021-29155", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-32399", "CVE-2021-33033", "CVE-2021-33034", "CVE-2021-3444"], "modified": "2021-08-11T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:python3-perf", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-2246.NASL", "href": "https://www.tenable.com/plugins/nessus/152308", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152308);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/08/11\");\n\n script_cve_id(\n \"CVE-2019-16089\",\n \"CVE-2020-25670\",\n \"CVE-2020-25671\",\n \"CVE-2020-25672\",\n \"CVE-2021-23134\",\n \"CVE-2021-28950\",\n \"CVE-2021-29155\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-32399\",\n \"CVE-2021-33033\",\n \"CVE-2021-33034\",\n \"CVE-2021-3444\"\n );\n\n script_name(english:\"EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-2246)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - An issue was discovered in the Linux kernel through\n 5.2.13. nbd_genl_status in drivers/block/nbd.c does not\n check the nla_nest_start_noflag return\n value.(CVE-2019-16089)\n\n - A vulnerability was found in Linux Kernel where\n refcount leak in llcp_sock_bind() causing\n use-after-free which might lead to privilege\n escalations.(CVE-2020-25670)\n\n - A vulnerability was found in Linux Kernel, where a\n refcount leak in llcp_sock_connect() causing\n use-after-free which might lead to privilege\n escalations.(CVE-2020-25671)\n\n - A memory leak vulnerability was found in Linux kernel\n in llcp_sock_connect(CVE-2020-25672)\n\n - An out-of-bounds (OOB) memory write flaw was found in\n list_devices in drivers/md/dm-ioctl.c in the\n Multi-device driver module in the Linux kernel before\n 5.12. A bound check failure allows an attacker with\n special user (CAP_SYS_ADMIN) privilege to gain access\n to out-of-bounds memory leading to a system crash or a\n leak of internal kernel information. The highest threat\n from this vulnerability is to system\n availability.(CVE-2021-31916)\n\n - An issue was discovered in fs/fuse/fuse_i.h in the\n Linux kernel before 5.11.8. A 'stall on CPU' can occur\n because a retry loop continually finds the same bad\n inode, aka CID-775c5033a0d1.(CVE-2021-28950)\n\n - Use After Free vulnerability in nfc sockets in the\n Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations,\n the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability.(CVE-2021-23134)\n\n - An issue was discovered in the Linux kernel through\n 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic,\n leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from\n kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification\n performed by the first operation is not correctly\n accounted for when restricting subsequent\n operations.(CVE-2021-29155)\n\n - The bpf verifier in the Linux kernel did not properly\n handle mod32 destination register truncation when the\n source register was known to be 0. A local attacker\n with the ability to load bpf programs could use this\n gain out-of-bounds reads in kernel memory leading to\n information disclosure (kernel memory), and possibly\n out-of-bounds writes that could potentially lead to\n code execution. This issue was addressed in the\n upstream kernel in commit 9b00f1b78809 ('bpf: Fix\n truncation handling for mod32 dst reg wrt zero') and in\n Linux stable kernels 5.11.2, 5.10.19, and\n 5.4.101.(CVE-2021-3444)\n\n - The Linux kernel before 5.11.14 has a use-after-free in\n cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the\n CIPSO and CALIPSO refcounting for the DOI definitions\n is mishandled, aka CID-ad5d07f4a9cd. This leads to\n writing an arbitrary value.(CVE-2021-33033)\n\n - kernel/bpf/verifier.c in the Linux kernel through\n 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel\n attacks, aka CID-801c6058d14a. The specific concern is\n not protecting the BPF stack area against speculative\n loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information\n previously operated on by the kernel.(CVE-2021-31829)\n\n - net/bluetooth/hci_request.c in the Linux kernel through\n 5.12.2 has a race condition for removal of the HCI\n controller.(CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4,\n net/bluetooth/hci_event.c has a use-after-free when\n destroying an hci_chan, aka CID-5c4c8c954409. This\n leads to writing an arbitrary value.(CVE-2021-33034)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2246\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d37ffdd6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python3-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-4.18.0-147.5.1.6.h475.eulerosv2r9\",\n \"kernel-tools-4.18.0-147.5.1.6.h475.eulerosv2r9\",\n \"kernel-tools-libs-4.18.0-147.5.1.6.h475.eulerosv2r9\",\n \"python3-perf-4.18.0-147.5.1.6.h475.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-15T15:18:05", "description": "The version of kernel installed on the remote host is prior to 4.14.232-123.381. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2021-1503 advisory.\n\n - An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider the semantics of read operations and therefore can grant unintended write access, aka CID-17839856fd58.\n (CVE-2020-29374)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable.\n XSA-365 was classified to affect versions back to at least 3.11. (CVE-2021-28688)\n\n - A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc. (CVE-2021-28964)\n\n - In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. (CVE-2021-28971)\n\n - BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi- device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-31916)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. (CVE-2021-33033)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-05-24T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : kernel (ALAS-2021-1503)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25670", "CVE-2020-25671", "CVE-2020-25672", "CVE-2020-25673", "CVE-2020-29374", "CVE-2021-23133", "CVE-2021-28688", "CVE-2021-28964", "CVE-2021-28971", "CVE-2021-29154", "CVE-2021-29155", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-33033"], "modified": "2021-05-24T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:kernel", "p-cpe:/a:amazon:linux:kernel-debuginfo", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:amazon:linux:kernel-devel", "p-cpe:/a:amazon:linux:kernel-headers", "p-cpe:/a:amazon:linux:kernel-tools", "p-cpe:/a:amazon:linux:kernel-tools-debuginfo", "p-cpe:/a:amazon:linux:kernel-tools-devel", "p-cpe:/a:amazon:linux:perf", "p-cpe:/a:amazon:linux:perf-debuginfo", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2021-1503.NASL", "href": "https://www.tenable.com/plugins/nessus/149872", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2021-1503.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149872);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/05/24\");\n\n script_cve_id(\n \"CVE-2020-25670\",\n \"CVE-2020-25671\",\n \"CVE-2020-25672\",\n \"CVE-2020-25673\",\n \"CVE-2020-29374\",\n \"CVE-2021-23133\",\n \"CVE-2021-28688\",\n \"CVE-2021-28964\",\n \"CVE-2021-28971\",\n \"CVE-2021-29154\",\n \"CVE-2021-29155\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-33033\"\n );\n script_xref(name:\"ALAS\", value:\"2021-1503\");\n\n script_name(english:\"Amazon Linux AMI : kernel (ALAS-2021-1503)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux AMI host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of kernel installed on the remote host is prior to 4.14.232-123.381. It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS-2021-1503 advisory.\n\n - An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The\n get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider\n the semantics of read operations and therefore can grant unintended write access, aka CID-17839856fd58.\n (CVE-2020-29374)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use\n uninitialized or stale values. This initialization went too far and may under certain conditions also\n overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking\n persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died,\n leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable.\n XSA-365 was classified to affect versions back to at least 3.11. (CVE-2021-28688)\n\n - A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It\n allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer\n before a cloning operation, aka CID-dbcc7d57bffc. (CVE-2021-28964)\n\n - In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some\n Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS\n status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. (CVE-2021-28971)\n\n - BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements,\n allowing them to execute arbitrary code within the kernel context. This affects\n arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification performed by the first operation is not correctly\n accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-\n device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with\n special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or\n a leak of internal kernel information. The highest threat from this vulnerability is to system\n availability. (CVE-2021-31916)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because\n the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads\n to writing an arbitrary value. (CVE-2021-33033)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/ALAS-2021-1503.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25670\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25671\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25672\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25673\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-29374\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-23133\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-28688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-28964\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-28971\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-29154\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-29155\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-31829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-31916\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-33033\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update kernel' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-29154\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"hotfixes.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (get_one_kb_item(\"Host/kpatch/kernel-cves\"))\n{\n set_hotfix_type(\"kpatch\");\n cve_list = make_list(\"CVE-2020-25670\", \"CVE-2020-25671\", \"CVE-2020-25672\", \"CVE-2020-25673\", \"CVE-2020-29374\", \"CVE-2021-23133\", \"CVE-2021-28688\", \"CVE-2021-28964\", \"CVE-2021-28971\", \"CVE-2021-29154\", \"CVE-2021-29155\", \"CVE-2021-31829\", \"CVE-2021-31916\", \"CVE-2021-33033\");\n if (hotfix_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"kpatch hotfix for ALAS-2021-1503\");\n }\n else\n {\n __rpm_report = hotfix_reporting_text();\n }\n}\npkgs = [\n {'reference':'kernel-4.14.232-123.381.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-4.14.232-123.381.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-4.14.232-123.381.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-4.14.232-123.381.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-common-i686-4.14.232-123.381.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-common-x86_64-4.14.232-123.381.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-4.14.232-123.381.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-4.14.232-123.381.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.14.232-123.381.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.14.232-123.381.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-4.14.232-123.381.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-4.14.232-123.381.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-debuginfo-4.14.232-123.381.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-debuginfo-4.14.232-123.381.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-devel-4.14.232-123.381.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-devel-4.14.232-123.381.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.14.232-123.381.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.14.232-123.381.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-debuginfo-4.14.232-123.381.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-debuginfo-4.14.232-123.381.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debuginfo / kernel-debuginfo-common-x86_64 / etc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-21T16:23:44", "description": "The remote Ubuntu 20.04 LTS / 20.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4999-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations. (CVE-2020-25670)\n\n - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after- free which might lead to privilege escalations. (CVE-2020-25671)\n\n - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)\n\n - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak and eventually hanging-up the system. (CVE-2020-25673)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-06-23T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS : Linux kernel vulnerabilities (USN-4999-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-25670", "CVE-2020-25671", "CVE-2020-25672", "CVE-2020-25673", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-29155", "CVE-2021-31440", "CVE-2021-31829", "CVE-2021-33200", "CVE-2021-3609"], "modified": "2023-10-20T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1033-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1035-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1036-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1038-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-59-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-59-generic-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-59-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-59-lowlatency"], "id": "UBUNTU_USN-4999-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150954", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4999-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150954);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/20\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-25670\",\n \"CVE-2020-25671\",\n \"CVE-2020-25672\",\n \"CVE-2020-25673\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3609\",\n \"CVE-2021-23133\",\n \"CVE-2021-29155\",\n \"CVE-2021-31440\",\n \"CVE-2021-31829\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"USN\", value:\"4999-1\");\n\n script_name(english:\"Ubuntu 20.04 LTS : Linux kernel vulnerabilities (USN-4999-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS / 20.10 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the USN-4999-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free\n which might lead to privilege escalations. (CVE-2020-25670)\n\n - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-\n free which might lead to privilege escalations. (CVE-2020-25671)\n\n - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)\n\n - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak\n and eventually hanging-up the system. (CVE-2020-25673)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification performed by the first operation is not correctly\n accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel\n 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in\n order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The\n issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the\n context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4999-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-33200\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1033-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1035-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1036-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1038-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-59-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-59-generic-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-59-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-59-lowlatency\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! ('20.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar kernel_mappings = {\n '20.04': {\n '5.8.0': {\n 'generic': '5.8.0-59',\n 'generic-64k': '5.8.0-59',\n 'generic-lpae': '5.8.0-59',\n 'lowlatency': '5.8.0-59',\n 'oracle': '5.8.0-1033',\n 'gcp': '5.8.0-1035',\n 'azure': '5.8.0-1036',\n 'aws': '5.8.0-1038'\n }\n }\n};\n\nvar host_kernel_release = get_kb_item_or_exit('Host/uname-r');\nvar host_kernel_version = get_kb_item_or_exit('Host/Debian/kernel-version');\nvar host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');\nvar host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');\nif(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);\n\nvar extra = '';\nvar kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type];\nif (deb_ver_cmp(ver1:host_kernel_version, ver2:kernel_fixed_version) < 0)\n{\n extra = extra + 'Running Kernel level of ' + host_kernel_version + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\\n\\n';\n}\n else\n{\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-4999-1');\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2020-24586', 'CVE-2020-24587', 'CVE-2020-24588', 'CVE-2020-25670', 'CVE-2020-25671', 'CVE-2020-25672', 'CVE-2020-25673', 'CVE-2020-26139', 'CVE-2020-26141', 'CVE-2020-26145', 'CVE-2020-26147', 'CVE-2021-3609', 'CVE-2021-23133', 'CVE-2021-29155', 'CVE-2021-31440', 'CVE-2021-31829', 'CVE-2021-33200');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-4999-1');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:35", "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system:\n memory allocation, process allocation, device input and output, etc.Security Fix(es):kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.(CVE-2021-33200)A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations.(CVE-2020-25670)A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-free which might lead to privilege escalations.(CVE-2020-25671)A memory leak vulnerability was found in Linux kernel in llcp_sock_connect(CVE-2020-25672)An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/ Node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.(CVE-2021-3506)The Linux kernel 4.9.x before 4.9.233, 4.14.x before 4.14.194, and 4.19.x before 4.19.140 has a use-after-free because skcd->no_refcnt was not considered during a backport of a CVE-2020-14356 patch. This is related to the cgroups feature.(CVE-2020-25220)The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.(CVE-2021-33033)kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a.\n The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.(CVE-2021-31829)An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8.\n A(CVE-2021-28950)net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller.(CVE-2021-32399)In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.(CVE-2021-33034)An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.(CVE-2021-31916)Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.(CVE-2021-23134)An issue was discovered in the Linux kernel before 5.9.\n arch/x86/kvm/svm/sev.c allows attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions), aka CID-7be74942f184.(CVE-2020-36311)An issue was discovered in the Linux kernel before 5.8.10.\n virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d.(CVE-2020-36312)The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in the upstream kernel in commit 9b00f1b78809 ('bpf: Fix truncation handling for mod32 dst reg wrt zero') and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101.(CVE-2021-3444)An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.(CVE-2021-29155)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-08-09T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-2272)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-14356", "CVE-2020-25220", "CVE-2020-25670", "CVE-2020-25671", "CVE-2020-25672", "CVE-2020-36311", "CVE-2020-36312", "CVE-2021-23134", "CVE-2021-28950", "CVE-2021-29155", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-32399", "CVE-2021-33033", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3444", "CVE-2021-3506"], "modified": "2021-08-11T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:python3-perf", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-2272.NASL", "href": "https://www.tenable.com/plugins/nessus/152313", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152313);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/08/11\");\n\n script_cve_id(\n \"CVE-2020-25220\",\n \"CVE-2020-25670\",\n \"CVE-2020-25671\",\n \"CVE-2020-25672\",\n \"CVE-2020-36311\",\n \"CVE-2020-36312\",\n \"CVE-2021-23134\",\n \"CVE-2021-28950\",\n \"CVE-2021-29155\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-32399\",\n \"CVE-2021-33033\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\",\n \"CVE-2021-3444\",\n \"CVE-2021-3506\"\n );\n\n script_name(english:\"EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-2272)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - The kernel package contains the Linux kernel (vmlinuz),\n the core of any Linux operating system. The kernel\n handles the basic functions of the operating system:\n memory allocation, process allocation, device input and\n output, etc.Security Fix(es):kernel/bpf/verifier.c in\n the Linux kernel through 5.12.7 enforces incorrect\n limits for pointer arithmetic operations, aka\n CID-bb01a1bba579. This can be abused to perform\n out-of-bounds reads and writes in kernel memory,\n leading to local privilege escalation to root. In\n particular, there is a corner case where the off reg\n causes a masking direction change, which then results\n in an incorrect final aux->alu_limit.(CVE-2021-33200)A\n vulnerability was found in Linux Kernel where refcount\n leak in llcp_sock_bind() causing use-after-free which\n might lead to privilege escalations.(CVE-2020-25670)A\n vulnerability was found in Linux Kernel, where a\n refcount leak in llcp_sock_connect() causing\n use-after-free which might lead to privilege\n escalations.(CVE-2020-25671)A memory leak vulnerability\n was found in Linux kernel in\n llcp_sock_connect(CVE-2020-25672)An out-of-bounds (OOB)\n memory access flaw was found in fs/f2fs/ Node.c in the\n f2fs module in the Linux kernel in versions before\n 5.12.0-rc4. A bounds check failure allows a local\n attacker to gain access to out-of-bounds memory leading\n to a system crash or a leak of internal kernel\n information. The highest threat from this vulnerability\n is to system availability.(CVE-2021-3506)The Linux\n kernel 4.9.x before 4.9.233, 4.14.x before 4.14.194,\n and 4.19.x before 4.19.140 has a use-after-free because\n skcd->no_refcnt was not considered during a backport of\n a CVE-2020-14356 patch. This is related to the cgroups\n feature.(CVE-2020-25220)The Linux kernel before 5.11.14\n has a use-after-free in cipso_v4_genopt in\n net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO\n refcounting for the DOI definitions is mishandled, aka\n CID-ad5d07f4a9cd. This leads to writing an arbitrary\n value.(CVE-2021-33033)kernel/bpf/verifier.c in the\n Linux kernel through 5.12.1 performs undesirable\n speculative loads, leading to disclosure of stack\n content via side-channel attacks, aka CID-801c6058d14a.\n The specific concern is not protecting the BPF stack\n area against speculative loads. Also, the BPF stack can\n contain uninitialized data that might represent\n sensitive information previously operated on by the\n kernel.(CVE-2021-31829)An issue was discovered in\n fs/fuse/fuse_i.h in the Linux kernel before 5.11.8.\n A(CVE-2021-28950)net/bluetooth/hci_request.c in the\n Linux kernel through 5.12.2 has a race condition for\n removal of the HCI controller.(CVE-2021-32399)In the\n Linux kernel before 5.12.4, net/bluetooth/hci_event.c\n has a use-after-free when destroying an hci_chan, aka\n CID-5c4c8c954409. This leads to writing an arbitrary\n value.(CVE-2021-33034)An out-of-bounds (OOB) memory\n write flaw was found in list_devices in\n drivers/md/dm-ioctl.c in the Multi-device driver module\n in the Linux kernel before 5.12. A bound check failure\n allows an attacker with special user (CAP_SYS_ADMIN)\n privilege to gain access to out-of-bounds memory\n leading to a system crash or a leak of internal kernel\n information. The highest threat from this vulnerability\n is to system availability.(CVE-2021-31916)Use After\n Free vulnerability in nfc sockets in the Linux Kernel\n before 5.12.4 allows local attackers to elevate their\n privileges. In typical configurations, the issue can\n only be triggered by a privileged local user with the\n CAP_NET_RAW capability.(CVE-2021-23134)An issue was\n discovered in the Linux kernel before 5.9.\n arch/x86/kvm/svm/sev.c allows attackers to cause a\n denial of service (soft lockup) by triggering\n destruction of a large SEV VM (which requires\n unregistering many encrypted regions), aka\n CID-7be74942f184.(CVE-2020-36311)An issue was\n discovered in the Linux kernel before 5.8.10.\n virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev\n memory leak upon a kmalloc failure, aka\n CID-f65886606c2d.(CVE-2020-36312)The bpf verifier in\n the Linux kernel did not properly handle mod32\n destination register truncation when the source\n register was known to be 0. A local attacker with the\n ability to load bpf programs could use this gain\n out-of-bounds reads in kernel memory leading to\n information disclosure (kernel memory), and possibly\n out-of-bounds writes that could potentially lead to\n code execution. This issue was addressed in the\n upstream kernel in commit 9b00f1b78809 ('bpf: Fix\n truncation handling for mod32 dst reg wrt zero') and in\n Linux stable kernels 5.11.2, 5.10.19, and\n 5.4.101.(CVE-2021-3444)An issue was discovered in the\n Linux kernel through 5.11.x. kernel/bpf/verifier.c\n performs undesirable out-of-bounds speculation on\n pointer arithmetic, leading to side-channel attacks\n that defeat Spectre mitigations and obtain sensitive\n information from kernel memory. Specifically, for\n sequences of pointer arithmetic operations, the pointer\n modification performed by the first operation is not\n correctly accounted for when restricting subsequent\n operations.(CVE-2021-29155)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2272\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0abdb7aa\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python3-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-4.19.90-vhulk2103.1.0.h487.eulerosv2r9\",\n \"kernel-tools-4.19.90-vhulk2103.1.0.h487.eulerosv2r9\",\n \"kernel-tools-libs-4.19.90-vhulk2103.1.0.h487.eulerosv2r9\",\n \"python3-perf-4.19.90-vhulk2103.1.0.h487.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:31:56", "description": "According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A 'stall on CPU' can occur because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1.(CVE-2021-28950)\n\n - An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d.(CVE-2020-36312)\n\n - An issue was discovered in the Linux kernel before 5.9.\n arch/x86/kvm/svm/sev.c allows attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions), aka CID-7be74942f184.(CVE-2020-36311)\n\n - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.(CVE-2021-3506)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.(CVE-2021-31916)\n\n - An issue was discovered in the Linux kernel through 5.2.13. nbd_genl_status in drivers/block/nbd.c does not check the nla_nest_start_noflag return value.(CVE-2019-16089)\n\n - The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in the upstream kernel in commit 9b00f1b78809 ('bpf: Fix truncation handling for mod32 dst reg wrt zero') and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101.(CVE-2021-3444)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.(CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.(CVE-2021-31829)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller.(CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.(CVE-2021-33034)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.(CVE-2021-33033)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.(CVE-2021-23134)\n\n - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect(CVE-2020-25672)\n\n - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-free which might lead to privilege escalations.(CVE-2020-25671)\n\n - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations.(CVE-2020-25670)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root.\n In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.(CVE-2021-33200)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-07-13T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.9.1 : kernel (EulerOS-SA-2021-2183)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16089", "CVE-2020-25670", "CVE-2020-25671", "CVE-2020-25672", "CVE-2020-36311", "CVE-2020-36312", "CVE-2021-23134", "CVE-2021-28950", "CVE-2021-29155", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-32399", "CVE-2021-33033", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3444", "CVE-2021-3506"], "modified": "2021-07-15T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:perf", "cpe:/o:huawei:euleros:uvp:2.9.1"], "id": "EULEROS_SA-2021-2183.NASL", "href": "https://www.tenable.com/plugins/nessus/151562", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151562);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/15\");\n\n script_cve_id(\n \"CVE-2019-16089\",\n \"CVE-2020-25670\",\n \"CVE-2020-25671\",\n \"CVE-2020-25672\",\n \"CVE-2020-36311\",\n \"CVE-2020-36312\",\n \"CVE-2021-23134\",\n \"CVE-2021-28950\",\n \"CVE-2021-29155\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-32399\",\n \"CVE-2021-33033\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\",\n \"CVE-2021-3444\",\n \"CVE-2021-3506\"\n );\n\n script_name(english:\"EulerOS Virtualization 2.9.1 : kernel (EulerOS-SA-2021-2183)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - An issue was discovered in fs/fuse/fuse_i.h in the\n Linux kernel before 5.11.8. A 'stall on CPU' can occur\n because a retry loop continually finds the same bad\n inode, aka CID-775c5033a0d1.(CVE-2021-28950)\n\n - An issue was discovered in the Linux kernel before\n 5.8.10. virt/kvm/kvm_main.c has a\n kvm_io_bus_unregister_dev memory leak upon a kmalloc\n failure, aka CID-f65886606c2d.(CVE-2020-36312)\n\n - An issue was discovered in the Linux kernel before 5.9.\n arch/x86/kvm/svm/sev.c allows attackers to cause a\n denial of service (soft lockup) by triggering\n destruction of a large SEV VM (which requires\n unregistering many encrypted regions), aka\n CID-7be74942f184.(CVE-2020-36311)\n\n - An out-of-bounds (OOB) memory access flaw was found in\n fs/f2fs/node.c in the f2fs module in the Linux kernel\n in versions before 5.12.0-rc4. A bounds check failure\n allows a local attacker to gain access to out-of-bounds\n memory leading to a system crash or a leak of internal\n kernel information. The highest threat from this\n vulnerability is to system availability.(CVE-2021-3506)\n\n - An out-of-bounds (OOB) memory write flaw was found in\n list_devices in drivers/md/dm-ioctl.c in the\n Multi-device driver module in the Linux kernel before\n 5.12. A bound check failure allows an attacker with\n special user (CAP_SYS_ADMIN) privilege to gain access\n to out-of-bounds memory leading to a system crash or a\n leak of internal kernel information. The highest threat\n from this vulnerability is to system\n availability.(CVE-2021-31916)\n\n - An issue was discovered in the Linux kernel through\n 5.2.13. nbd_genl_status in drivers/block/nbd.c does not\n check the nla_nest_start_noflag return\n value.(CVE-2019-16089)\n\n - The bpf verifier in the Linux kernel did not properly\n handle mod32 destination register truncation when the\n source register was known to be 0. A local attacker\n with the ability to load bpf programs could use this\n gain out-of-bounds reads in kernel memory leading to\n information disclosure (kernel memory), and possibly\n out-of-bounds writes that could potentially lead to\n code execution. This issue was addressed in the\n upstream kernel in commit 9b00f1b78809 ('bpf: Fix\n truncation handling for mod32 dst reg wrt zero') and in\n Linux stable kernels 5.11.2, 5.10.19, and\n 5.4.101.(CVE-2021-3444)\n\n - An issue was discovered in the Linux kernel through\n 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic,\n leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from\n kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification\n performed by the first operation is not correctly\n accounted for when restricting subsequent\n operations.(CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through\n 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel\n attacks, aka CID-801c6058d14a. The specific concern is\n not protecting the BPF stack area against speculative\n loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information\n previously operated on by the kernel.(CVE-2021-31829)\n\n - net/bluetooth/hci_request.c in the Linux kernel through\n 5.12.2 has a race condition for removal of the HCI\n controller.(CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4,\n net/bluetooth/hci_event.c has a use-after-free when\n destroying an hci_chan, aka CID-5c4c8c954409. This\n leads to writing an arbitrary value.(CVE-2021-33034)\n\n - The Linux kernel before 5.11.14 has a use-after-free in\n cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the\n CIPSO and CALIPSO refcounting for the DOI definitions\n is mishandled, aka CID-ad5d07f4a9cd. This leads to\n writing an arbitrary value.(CVE-2021-33033)\n\n - Use After Free vulnerability in nfc sockets in the\n Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations,\n the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability.(CVE-2021-23134)\n\n - A memory leak vulnerability was found in Linux kernel\n in llcp_sock_connect(CVE-2020-25672)\n\n - A vulnerability was found in Linux Kernel, where a\n refcount leak in llcp_sock_connect() causing\n use-after-free which might lead to privilege\n escalations.(CVE-2020-25671)\n\n - A vulnerability was found in Linux Kernel where\n refcount leak in llcp_sock_bind() causing\n use-after-free which might lead to privilege\n escalations.(CVE-2020-25670)\n\n - kernel/bpf/verifier.c in the Linux kernel through\n 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to\n perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root.\n In particular, there is a corner case where the off reg\n causes a masking direction change, which then results\n in an incorrect final aux->alu_limit.(CVE-2021-33200)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2183\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0e73babb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.9.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.9.1\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.9.1\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-4.19.90-vhulk2103.1.0.h487.eulerosv2r9\",\n \"kernel-tools-4.19.90-vhulk2103.1.0.h487.eulerosv2r9\",\n \"kernel-tools-libs-4.19.90-vhulk2103.1.0.h487.eulerosv2r9\",\n \"perf-4.19.90-vhulk2103.1.0.h487.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:41:25", "description": "According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - An issue was discovered in the Linux kernel before 5.0.19. The XFRM subsystem has a use-after-free, related to an xfrm_state_fini panic, aka CID-dbb2483b2a46. (CVE-2019-25045)\n\n - An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after- free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called, aka CID-f5449e74802c. (CVE-2020-36385)\n\n - In pfkey_dump of af_key.c, there is a possible out-of-bounds read due to a missing bounds check. This could lead to local information disclosure in the kernel with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-110373476 (CVE-2021-0605)\n\n - An information disclosure vulnerability exists in the ARM SIGPAGE functionality of Linux Kernel v5.4.66 and v5.4.54. The latest version (5.11-rc4) seems to still be vulnerable. A userland application can read the contents of the sigpage, which can leak kernel memory contents. An attacker can read a process's memory at a specific offset to trigger this vulnerability. This was fixed in kernel releases: 4.14.222 4.19.177 5.4.99 5.10.17 5.11 (CVE-2021-21781)\n\n - A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.\n This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space (CVE-2021-22555)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi- device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-31916)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. (CVE-2021-33033)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db. (CVE-2021-33624)\n\n - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)\n\n - The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in the upstream kernel in commit 9b00f1b78809 ('bpf: Fix truncation handling for mod32 dst reg wrt zero') and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. (CVE-2021-3444)\n\n - net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. (CVE-2021-34693)\n\n - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.\n (CVE-2021-3679)\n\n - hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.\n (CVE-2021-37159)\n\n - arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. (CVE-2021-37576)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - fs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect connection-setup ordering, which allows operators of remote NFSv4 servers to cause a denial of service (hanging of mounts) by arranging for those servers to be unreachable during trunking detection. (CVE-2021-38199)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-02-13T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.6.0 : kernel (EulerOS-SA-2022-1070)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-25045", "CVE-2020-36385", "CVE-2021-0605", "CVE-2021-21781", "CVE-2021-22555", "CVE-2021-29155", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-33033", "CVE-2021-33200", "CVE-2021-33624", "CVE-2021-33909", "CVE-2021-3444", "CVE-2021-34693", "CVE-2021-3600", "CVE-2021-3609", "CVE-2021-3679", "CVE-2021-37159", "CVE-2021-3753", "CVE-2021-37576", "CVE-2021-38160", "CVE-2021-38199"], "modified": "2023-01-16T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:bpftool", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-source", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:python3-perf", "cpe:/o:huawei:euleros:uvp:3.0.6.0"], "id": "EULEROS_SA-2022-1070.NASL", "href": "https://www.tenable.com/plugins/nessus/158016", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(158016);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2019-25045\",\n \"CVE-2020-36385\",\n \"CVE-2021-0605\",\n \"CVE-2021-3444\",\n \"CVE-2021-3600\",\n \"CVE-2021-3609\",\n \"CVE-2021-3679\",\n \"CVE-2021-3753\",\n \"CVE-2021-21781\",\n \"CVE-2021-22555\",\n \"CVE-2021-29155\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-33033\",\n \"CVE-2021-33200\",\n \"CVE-2021-33624\",\n \"CVE-2021-33909\",\n \"CVE-2021-34693\",\n \"CVE-2021-37159\",\n \"CVE-2021-37576\",\n \"CVE-2021-38160\",\n \"CVE-2021-38199\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0350\");\n\n script_name(english:\"EulerOS Virtualization 3.0.6.0 : kernel (EulerOS-SA-2022-1070)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - An issue was discovered in the Linux kernel before 5.0.19. The XFRM subsystem has a use-after-free,\n related to an xfrm_state_fini panic, aka CID-dbb2483b2a46. (CVE-2019-25045)\n\n - An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-\n free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is\n called, aka CID-f5449e74802c. (CVE-2020-36385)\n\n - In pfkey_dump of af_key.c, there is a possible out-of-bounds read due to a missing bounds check. This\n could lead to local information disclosure in the kernel with System execution privileges needed. User\n interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-110373476\n (CVE-2021-0605)\n\n - An information disclosure vulnerability exists in the ARM SIGPAGE functionality of Linux Kernel v5.4.66\n and v5.4.54. The latest version (5.11-rc4) seems to still be vulnerable. A userland application can read\n the contents of the sigpage, which can leak kernel memory contents. An attacker can read a process's\n memory at a specific offset to trigger this vulnerability. This was fixed in kernel releases: 4.14.222\n 4.19.177 5.4.99 5.10.17 5.11 (CVE-2021-21781)\n\n - A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.\n This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name\n space (CVE-2021-22555)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification performed by the first operation is not correctly\n accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-\n device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with\n special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or\n a leak of internal kernel information. The highest threat from this vulnerability is to system\n availability. (CVE-2021-31916)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because\n the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads\n to writing an arbitrary value. (CVE-2021-33033)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because\n of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a\n side-channel attack, aka CID-9183671af6db. (CVE-2021-33624)\n\n - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer\n allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an\n unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)\n\n - The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when\n the source register was known to be 0. A local attacker with the ability to load bpf programs could use\n this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and\n possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in\n the upstream kernel in commit 9b00f1b78809 ('bpf: Fix truncation handling for mod32 dst reg wrt zero') and\n in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. (CVE-2021-3444)\n\n - net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from\n kernel stack memory because parts of a data structure are uninitialized. (CVE-2021-34693)\n\n - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was\n found in the way user uses trace ring buffer in a specific way. Only privileged local users (with\n CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.\n (CVE-2021-3679)\n\n - hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev\n without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.\n (CVE-2021-37159)\n\n - arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest\n OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. (CVE-2021-37576)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss\n can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the\n length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - fs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect connection-setup ordering, which\n allows operators of remote NFSv4 servers to cause a denial of service (hanging of mounts) by arranging for\n those servers to be unreachable during trunking detection. (CVE-2021-38199)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1070\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1a24f539\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-38160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Netfilter x_tables Heap OOB Write Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/02/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python3-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"bpftool-4.19.36-vhulk1907.1.0.h1103.eulerosv2r8\",\n \"kernel-4.19.36-vhulk1907.1.0.h1103.eulerosv2r8\",\n \"kernel-devel-4.19.36-vhulk1907.1.0.h1103.eulerosv2r8\",\n \"kernel-headers-4.19.36-vhulk1907.1.0.h1103.eulerosv2r8\",\n \"kernel-source-4.19.36-vhulk1907.1.0.h1103.eulerosv2r8\",\n \"kernel-tools-4.19.36-vhulk1907.1.0.h1103.eulerosv2r8\",\n \"kernel-tools-libs-4.19.36-vhulk1907.1.0.h1103.eulerosv2r8\",\n \"perf-4.19.36-vhulk1907.1.0.h1103.eulerosv2r8\",\n \"python-perf-4.19.36-vhulk1907.1.0.h1103.eulerosv2r8\",\n \"python3-perf-4.19.36-vhulk1907.1.0.h1103.eulerosv2r8\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-15T15:21:18", "description": "Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service, or information leaks.\n\nCVE-2020-24586, CVE-2020-24587, CVE-2020-26147\n\nMathy Vanhoef discovered that many Wi-Fi implementations, including Linux's mac80211, did not correctly implement reassembly of fragmented packets. In some circumstances, an attacker within range of a network could exploit these flaws to forge arbitrary packets and/or to access sensitive data on that network.\n\nCVE-2020-24588\n\nMathy Vanhoef discovered that most Wi-Fi implementations, including Linux's mac80211, did not authenticate the 'is aggregated' packet header flag. An attacker within range of a network could exploit this to forge arbitrary packets on that network.\n\nCVE-2020-25670, CVE-2020-25671, CVE-2021-23134\n\nkiyin (尹亮) of TenCent discovered several reference counting bugs in the NFC LLCP implementation which could lead to use-after-free. A local user could exploit these for denial of service (crash or memory corruption) or possibly for privilege escalation.\n\nNadav Markus and Or Cohen of Palo Alto Networks discovered that the original fixes for these introduced a new bug that could result in use-after-free and double-free. This has also been fixed.\n\nCVE-2020-25672\n\nkiyin (尹亮) of TenCent discovered a memory leak in the NFC LLCP implementation. A local user could exploit this for denial of service (memory exhaustion).\n\nCVE-2020-26139\n\nMathy Vanhoef discovered that a bug in some Wi-Fi implementations, including Linux's mac80211. When operating in AP mode, they would forward EAPOL frames from one client to another while the sender was not yet authenticated. An attacker within range of a network could use this for denial of service or as an aid to exploiting other vulnerabilities.\n\nCVE-2020-26558, CVE-2021-0129\n\nResearchers at ANSSI discovered vulnerabilities in the Bluetooth Passkey authentication method, and in Linux's implementation of it. An attacker within range of two Bluetooth devices while they pair using Passkey authentication could exploit this to obtain the shared secret (Passkey) and then impersonate either of the devices to each other.\n\nCVE-2020-29374\n\nJann Horn of Google reported a flaw in Linux's virtual memory management. A parent and child process initially share all their memory, but when either writes to a shared page, the page is duplicated and unshared (copy-on-write). However, in case an operation such as vmsplice() required the kernel to take an additional reference to a shared page, and a copy-on-write occurs during this operation, the kernel might have accessed the wrong process's memory. For some programs, this could lead to an information leak or data corruption.\n\nCVE-2021-3483\n\n马哲宇 (Zheyu Ma) reported a bug in the 'nosy' driver for TI PCILynx FireWire controllers, which could lead to list corruption and a use-after-free. On a system that uses this driver, local users granted access to /dev/nosy could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.\n\nCVE-2021-3506\n\nThe ADLab of venustech discovered a bug in the F2FS driver which could lead to an out-of-bounds read when accessing a crafted filesystem. A local user permitted to mount arbitrary filesystems could exploit this to cause a denial of service (crash) or other security impact.\n\nCVE-2021-3564, CVE-2021-3573, CVE-2021-32399\n\nThe BlockSec team discovered several race conditions in the Bluetooth subsystem that could lead to a use-after-free or double-free. A local user could exploit these to caue a denial of service (crash or memory corruption) or possibly for privilege escalation.\n\nCVE-2021-3587\n\nActive Defense Lab of Venustech discovered a potential NULL pointer dereference in the NFC LLCP implementation. A local user could use this to cause a denial of service (crash).\n\nCVE-2021-23133\n\nOr Cohen of Palo Alto Networks discovered a race condition in the SCTP implementation, which can lead to list corruption. A local user could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.\n\nCVE-2021-28688 (XSA-371)\n\nIt was discovered that the original fix for CVE-2021-26930 (XSA-365) introduced a potential resource leak. A malicious guest could presumably exploit this to cause a denial of service (resource exhaustion) within the host.\n\nCVE-2021-28964\n\nZygo Blaxell reported a race condition in the Btrfs driver which can lead to an assertion failure. On systems using Btrfs, a local user could exploit this to cause a denial of service (crash).\n\nCVE-2021-28971\n\nVince Weaver reported a bug in the performance event handler for Intel PEBS. A workaround for a hardware bug on Intel CPUs codenamed 'Haswell' and earlier could lead to a NULL pointer dereference. On systems with the affected CPUs, if users are permitted to access performance events, a local user may exploit this to cause a denial of service (crash).\n\nBy default, unprivileged users do not have access to performance events, which mitigates this issue. This is controlled by the kernel.perf_event_paranoid sysctl.\n\nCVE-2021-29154\n\nIt was discovered that the Extended BPF (eBPF) JIT compiler for x86_64 generated incorrect branch instructions in some cases. On systems where eBPF JIT is enabled, users could exploit this to execute arbitrary code in the kernel.\n\nBy default, eBPF JIT is disabled, mitigating this issue.\nThis is controlled by the net.core.bpf_jit_enable sysctl.\n\nCVE-2021-29155, CVE-2021-31829\n\nPiotr Krysiuk and Benedict Schlueter discovered that the Extended BPF (eBPF) verifier did not completely protect against information leaks due to speculative execution. A local user could exploit these to obtain sensitive information from kernel memory.\n\nCVE-2021-29264\n\nIt was discovered that the 'gianfar' Ethernet driver used with some Freescale SoCs did not correctly handle a Rx queue overrun when jumbo packets were enabled. On systems using this driver and jumbo packets, an attacker on the network could exploit this to cause a denial of service (crash).\n\nThis driver is not enabled in Debian's official kernel configurations.\n\nCVE-2021-29647\n\nThe syzbot tool found an information leak in the Qualcomm IPC Router (qrtr) implementation.\n\nThis protocol is not enabled in Debian's official kernel configurations.\n\nCVE-2021-29650\n\nIt was discovered that a data race in the netfilter subsystem could lead to a NULL pointer dereference during replacement of a table. A local user with CAP_NET_ADMIN capability in any user namespace could use this to cause a denial of service (crash).\n\nBy default, unprivileged users cannot create user namespaces, which mitigates this issue. This is controlled by the kernel.unprivileged_userns_clone sysctl.\n\nCVE-2021-31916\n\nDan Carpenter reported incorrect parameter validation in the device-mapper (dm) subsystem, which could lead to a heap buffer overrun. However, only users with CAP_SYS_ADMIN capability (i.e.\nroot-equivalent) could trigger this bug, so it did not have any security impact in this kernel version.\n\nCVE-2021-33034\n\nThe syzbot tool found a bug in the Bluetooth subsystem that could lead to a use-after-free. A local user could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.\n\nFor Debian 9 stretch, these problems have been fixed in version 4.19.194-1~deb9u1. This update additionally fixes Debian bug #986949, #988352, and #989451; and includes many more bug fixes from stable updates 4.19.182-4.19.194 inclusive.\n\nWe recommend that you upgrade your linux-4.19 packages.\n\nFor the detailed security status of linux-4.19 please refer to its security tracker page at:\nhttps://security-tracker.debian.org/tracker/linux-4.19\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-06-24T00:00:00", "type": "nessus", "title": "Debian DLA-2690-1 : linux-4.19 security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-25670", "CVE-2020-25671", "CVE-2020-25672", "CVE-2020-26139", "CVE-2020-26147", "CVE-2020-26558", "CVE-2020-29374", "CVE-2021-0129", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-26930", "CVE-2021-28688", "CVE-2021-28964", "CVE-2021-28971", "CVE-2021-29154", "CVE-2021-29155", "CVE-2021-29264", "CVE-2021-29647", "CVE-2021-29650", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-3483", "CVE-2021-3506", "CVE-2021-3564", "CVE-2021-3573", "CVE-2021-3587"], "modified": "2021-06-29T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-686", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-686-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-686-pae", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-686-pae-dbg", "p-cpe:/a:debian:debian_linux:linux-config-4.19", "p-cpe:/a:debian:debian_linux:linux-doc-4.19", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-686", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-686-pae", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all-amd64", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all-arm64", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all-armel", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all-armhf", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all-i386", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-amd64", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-arm64", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-armmp", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-armmp-lpae", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-cloud-amd64", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-common", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-common-rt", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-marvell", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-rpi", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-rt-686-pae", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-rt-amd64", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-rt-arm64", "p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-rt-armmp", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-amd64", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-amd64-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-arm64", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-arm64-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-armmp", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-armmp-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-armmp-lpae", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-armmp-lpae-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-cloud-amd64", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-cloud-amd64-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-marvell", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-marvell-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rpi", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rpi-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-686-pae", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-686-pae-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-amd64", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-amd64-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-arm64", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-arm64-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-armmp", "p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-armmp-dbg", "p-cpe:/a:debian:debian_linux:linux-kbuild-4.19", "p-cpe:/a:debian:debian_linux:linux-perf-4.19", "p-cpe:/a:debian:debian_linux:linux-source-4.19", "p-cpe:/a:debian:debian_linux:linux-support-4.19.0-0.bpo.10", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2690.NASL", "href": "https://www.tenable.com/plugins/nessus/150984", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2690-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(150984);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/29\");\n\n script_cve_id(\"CVE-2020-24586\", \"CVE-2020-24587\", \"CVE-2020-24588\", \"CVE-2020-25670\", \"CVE-2020-25671\", \"CVE-2020-25672\", \"CVE-2020-26139\", \"CVE-2020-26147\", \"CVE-2020-26558\", \"CVE-2020-29374\", \"CVE-2021-0129\", \"CVE-2021-23133\", \"CVE-2021-23134\", \"CVE-2021-28688\", \"CVE-2021-28964\", \"CVE-2021-28971\", \"CVE-2021-29154\", \"CVE-2021-29155\", \"CVE-2021-29264\", \"CVE-2021-29647\", \"CVE-2021-29650\", \"CVE-2021-31829\", \"CVE-2021-31916\", \"CVE-2021-32399\", \"CVE-2021-33034\", \"CVE-2021-3483\", \"CVE-2021-3506\", \"CVE-2021-3564\", \"CVE-2021-3573\", \"CVE-2021-3587\");\n\n script_name(english:\"Debian DLA-2690-1 : linux-4.19 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilities have been discovered in the Linux kernel that\nmay lead to the execution of arbitrary code, privilege escalation,\ndenial of service, or information leaks.\n\nCVE-2020-24586, CVE-2020-24587, CVE-2020-26147\n\nMathy Vanhoef discovered that many Wi-Fi implementations, including\nLinux's mac80211, did not correctly implement reassembly of fragmented\npackets. In some circumstances, an attacker within range of a network\ncould exploit these flaws to forge arbitrary packets and/or to access\nsensitive data on that network.\n\nCVE-2020-24588\n\nMathy Vanhoef discovered that most Wi-Fi implementations, including\nLinux's mac80211, did not authenticate the 'is aggregated' packet\nheader flag. An attacker within range of a network could exploit this\nto forge arbitrary packets on that network.\n\nCVE-2020-25670, CVE-2020-25671, CVE-2021-23134\n\nkiyin (尹亮) of TenCent discovered several reference\ncounting bugs in the NFC LLCP implementation which could lead to\nuse-after-free. A local user could exploit these for denial of service\n(crash or memory corruption) or possibly for privilege escalation.\n\nNadav Markus and Or Cohen of Palo Alto Networks discovered\nthat the original fixes for these introduced a new bug that\ncould result in use-after-free and double-free. This has\nalso been fixed.\n\nCVE-2020-25672\n\nkiyin (尹亮) of TenCent discovered a memory leak in the\nNFC LLCP implementation. A local user could exploit this for denial of\nservice (memory exhaustion).\n\nCVE-2020-26139\n\nMathy Vanhoef discovered that a bug in some Wi-Fi implementations,\nincluding Linux's mac80211. When operating in AP mode, they would\nforward EAPOL frames from one client to another while the sender was\nnot yet authenticated. An attacker within range of a network could use\nthis for denial of service or as an aid to exploiting other\nvulnerabilities.\n\nCVE-2020-26558, CVE-2021-0129\n\nResearchers at ANSSI discovered vulnerabilities in the Bluetooth\nPasskey authentication method, and in Linux's implementation of it. An\nattacker within range of two Bluetooth devices while they pair using\nPasskey authentication could exploit this to obtain the shared secret\n(Passkey) and then impersonate either of the devices to each other.\n\nCVE-2020-29374\n\nJann Horn of Google reported a flaw in Linux's virtual memory\nmanagement. A parent and child process initially share all their\nmemory, but when either writes to a shared page, the page is\nduplicated and unshared (copy-on-write). However, in case an operation\nsuch as vmsplice() required the kernel to take an additional reference\nto a shared page, and a copy-on-write occurs during this operation,\nthe kernel might have accessed the wrong process's memory. For some\nprograms, this could lead to an information leak or data corruption.\n\nCVE-2021-3483\n\n马哲宇 (Zheyu Ma) reported a bug in the 'nosy'\ndriver for TI PCILynx FireWire controllers, which could lead to list\ncorruption and a use-after-free. On a system that uses this driver,\nlocal users granted access to /dev/nosy could exploit this to cause a\ndenial of service (crash or memory corruption) or possibly for\nprivilege escalation.\n\nCVE-2021-3506\n\nThe ADLab of venustech discovered a bug in the F2FS driver which could\nlead to an out-of-bounds read when accessing a crafted filesystem. A\nlocal user permitted to mount arbitrary filesystems could exploit this\nto cause a denial of service (crash) or other security impact.\n\nCVE-2021-3564, CVE-2021-3573, CVE-2021-32399\n\nThe BlockSec team discovered several race conditions in the Bluetooth\nsubsystem that could lead to a use-after-free or double-free. A local\nuser could exploit these to caue a denial of service (crash or memory\ncorruption) or possibly for privilege escalation.\n\nCVE-2021-3587\n\nActive Defense Lab of Venustech discovered a potential NULL pointer\ndereference in the NFC LLCP implementation. A local user could use\nthis to cause a denial of service (crash).\n\nCVE-2021-23133\n\nOr Cohen of Palo Alto Networks discovered a race condition in the SCTP\nimplementation, which can lead to list corruption. A local user could\nexploit this to cause a denial of service (crash or memory corruption)\nor possibly for privilege escalation.\n\nCVE-2021-28688 (XSA-371)\n\nIt was discovered that the original fix for CVE-2021-26930 (XSA-365)\nintroduced a potential resource leak. A malicious guest could\npresumably exploit this to cause a denial of service (resource\nexhaustion) within the host.\n\nCVE-2021-28964\n\nZygo Blaxell reported a race condition in the Btrfs driver which can\nlead to an assertion failure. On systems using Btrfs, a local user\ncould exploit this to cause a denial of service (crash).\n\nCVE-2021-28971\n\nVince Weaver reported a bug in the performance event handler for Intel\nPEBS. A workaround for a hardware bug on Intel CPUs codenamed\n'Haswell' and earlier could lead to a NULL pointer dereference. On\nsystems with the affected CPUs, if users are permitted to access\nperformance events, a local user may exploit this to cause a denial of\nservice (crash).\n\nBy default, unprivileged users do not have access to\nperformance events, which mitigates this issue. This is\ncontrolled by the kernel.perf_event_paranoid sysctl.\n\nCVE-2021-29154\n\nIt was discovered that the Extended BPF (eBPF) JIT compiler for x86_64\ngenerated incorrect branch instructions in some cases. On systems\nwhere eBPF JIT is enabled, users could exploit this to execute\narbitrary code in the kernel.\n\nBy default, eBPF JIT is disabled, mitigating this issue.\nThis is controlled by the net.core.bpf_jit_enable sysctl.\n\nCVE-2021-29155, CVE-2021-31829\n\nPiotr Krysiuk and Benedict Schlueter discovered that the Extended BPF\n(eBPF) verifier did not completely protect against information leaks\ndue to speculative execution. A local user could exploit these to\nobtain sensitive information from kernel memory.\n\nCVE-2021-29264\n\nIt was discovered that the 'gianfar' Ethernet driver used with some\nFreescale SoCs did not correctly handle a Rx queue overrun when jumbo\npackets were enabled. On systems using this driver and jumbo packets,\nan attacker on the network could exploit this to cause a denial of\nservice (crash).\n\nThis driver is not enabled in Debian's official kernel\nconfigurations.\n\nCVE-2021-29647\n\nThe syzbot tool found an information leak in the Qualcomm IPC Router\n(qrtr) implementation.\n\nThis protocol is not enabled in Debian's official kernel\nconfigurations.\n\nCVE-2021-29650\n\nIt was discovered that a data race in the netfilter subsystem could\nlead to a NULL pointer dereference during replacement of a table. A\nlocal user with CAP_NET_ADMIN capability in any user namespace could\nuse this to cause a denial of service (crash).\n\nBy default, unprivileged users cannot create user\nnamespaces, which mitigates this issue. This is controlled\nby the kernel.unprivileged_userns_clone sysctl.\n\nCVE-2021-31916\n\nDan Carpenter reported incorrect parameter validation in the\ndevice-mapper (dm) subsystem, which could lead to a heap buffer\noverrun. However, only users with CAP_SYS_ADMIN capability (i.e.\nroot-equivalent) could trigger this bug, so it did not have any\nsecurity impact in this kernel version.\n\nCVE-2021-33034\n\nThe syzbot tool found a bug in the Bluetooth subsystem that could lead\nto a use-after-free. A local user could use this to cause a denial of\nservice (crash or memory corruption) or possibly for privilege\nescalation.\n\nFor Debian 9 stretch, these problems have been fixed in version\n4.19.194-1~deb9u1. This update additionally fixes Debian bug #986949,\n#988352, and #989451; and includes many more bug fixes from stable\nupdates 4.19.182-4.19.194 inclusive.\n\nWe recommend that you upgrade your linux-4.19 packages.\n\nFor the detailed security status of linux-4.19 please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/linux-4.19\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/linux-4.19\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/linux-4.19\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-config-4.19\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-doc-4.19\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-686-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all-arm64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all-armel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all-armhf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-all-i386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-arm64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-armmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-armmp-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-cloud-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-common-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-marvell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-rpi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-rt-686-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-rt-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-rt-arm64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.19.0-0.bpo.10-rt-armmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-686-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-686-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-686-pae-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-amd64-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-arm64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-arm64-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-armmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-armmp-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-armmp-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-armmp-lpae-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-cloud-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-cloud-amd64-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-marvell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-marvell-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rpi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rpi-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-686-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-686-pae-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-amd64-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-arm64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-arm64-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-armmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.19.0-0.bpo.10-rt-armmp-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-kbuild-4.19\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-perf-4.19\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-source-4.19\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-support-4.19.0-0.bpo.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"linux-config-4.19\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-doc-4.19\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-686\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-686-pae\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-all\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-all-amd64\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-all-arm64\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-all-armel\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-all-armhf\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-all-i386\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-amd64\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-arm64\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-armmp\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-armmp-lpae\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-cloud-amd64\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-common\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-common-rt\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-marvell\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-rpi\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-rt-686-pae\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-rt-amd64\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-rt-arm64\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.19.0-0.bpo.10-rt-armmp\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-686\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-686-dbg\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-686-pae\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-686-pae-dbg\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-amd64\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-amd64-dbg\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-arm64\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-arm64-dbg\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-armmp\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-armmp-dbg\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-armmp-lpae\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-armmp-lpae-dbg\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-cloud-amd64\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-cloud-amd64-dbg\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-marvell\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-marvell-dbg\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-rpi\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-rpi-dbg\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-rt-686-pae\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-rt-686-pae-dbg\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-rt-amd64\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-rt-amd64-dbg\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-rt-arm64\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-rt-arm64-dbg\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-rt-armmp\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.19.0-0.bpo.10-rt-armmp-dbg\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-kbuild-4.19\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-perf-4.19\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-source-4.19\", reference:\"4.19.194-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-support-4.19.0-0.bpo.10\", reference:\"4.19.194-1~deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-21T14:54:02", "description": "According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :\n\n - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system:\n memory allocation, process allocation, device input and output, etc. Security Fix(es):A vulnerability was found in the Linux Kernel where the function sunkbd_reinit having been scheduled by sunkbd_interrupt before sunkbd being freed. Though the dangling pointer is set to NULL in sunkbd_disconnect, there is still an alias in sunkbd_reinit causing Use After Free.(CVE-2020-25669)An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x.\n drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race condition). This can cause a use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash via events for an in-reconfiguration paravirtualized device, aka CID-073d0552ead5.(CVE-2020-27675)An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.(CVE-2020-27673)An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.(CVE-2020-29368)An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9. Local attackers on systems with the speakup driver could cause a local denial of service attack, aka CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once.(CVE-2020-28941)** DISPUTED ** fsfsd fs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE:\n some parties argue that such a subdirectory export is not intended to prevent this attack see also the exports(5) no_subtree_check default behavior.(CVE-2021-3178)An issue was discovered in the Linux kernel through 5.11.3.\n drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.(CVE-2021-27364)An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables.(CVE-2021-27363)ntfs_read_locked_inode in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a use-after-free read and possibly cause a denial of service (kernel oops or panic) via a crafted ntfs filesystem.(CVE-2018-12929)In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in hfs_ext_read_extent in hfs.ko. This can occur during a mount of a crafted hfs filesystem.(CVE-2018-12928)rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6 allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases, CVE IDs are not normally used for drivers/staging/* (unfinished work) however, system integrators may have situations in which a drivers/staging issue is relevant to their own customer base.(CVE-2021-28660)There is a flaw reported in the Linux kernel in versions before 5.9 in drivers/gpu/drm ouveau ouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with a root privilege, can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.(CVE-2021-20292)A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions before kernel 5.12-rc6 are affected(CVE-2021-3483)In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\\0' termination, aka CID-cc7a0bb058b8.(CVE-2021-28972)A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc.(CVE-2021-28964)An issue was discovered in the Linux kernel before 5.11.7.\n usbip_sockfd_store in drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70.(CVE-2021-29265)The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable. XSA-365 was classified to affect versions back to at least 3.11.(CVE-2021-28688)An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.(CVE-2021-30002)An issue was discovered in the Linux kernel before 5.8.10.\n virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d.(CVE-2020-36312)An issue was discovered in the Linux kernel before 5.9.\n arch/x86/kvm/svm/sev.c allows attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions), aka CID-7be74942f184.(CVE-2020-36311)An issue was discovered in the Linux kernel before 5.11.11.\n qrtr_recvmsg in net/qrtr/qrtr.c allows attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure, aka CID-50535249f624.(CVE-2021-29647)An issue was discovered in the Linux kernel through 5.11.10.\n driverset/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled, aka CID-d8861bab48b6.(CVE-2021-29264)An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel version v5.12-rc5.\n A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-35519)An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.(CVE-2020-27171)An issue was discovered in the Linux kernel before 5.11.8.\n kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit.(CVE-2020-27170)BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86 et/bpf_jit_comp.c and arch/x86 et/bpf_jit_comp32.c.(CVE-2021-29154)A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.(CVE-2021-23133)An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf.\n fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE:\n the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950.(CVE-2020-36322)An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.(CVE-2021-31916)An issue was discovered in the Linux kernel through 5.11.x.\n kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.(CVE-2021-29155)kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a.\n The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.(CVE-2021-31829)The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.(CVE-2021-33033)kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.(CVE-2021-33200)An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message.(CVE-2021-27365)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-07-02T00:00:00", "type": "nessus", "title": "EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2021-2075)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-12928", "CVE-2018-12929", "CVE-2020-25669", "CVE-2020-27170", "CVE-2020-27171", "CVE-2020-27673", "CVE-2020-27675", "CVE-2020-28941", "CVE-2020-29368", "CVE-2020-35519", "CVE-2020-36311", "CVE-2020-36312", "CVE-2020-36322", "CVE-2021-20292", "CVE-2021-23133", "CVE-2021-27363", "CVE-2021-27364", "CVE-2021-27365", "CVE-2021-28660", "CVE-2021-28688", "CVE-2021-28950", "CVE-2021-28964", "CVE-2021-28972", "CVE-2021-29154", "CVE-2021-29155", "CVE-2021-29264", "CVE-2021-29265", "CVE-2021-29647", "CVE-2021-30002", "CVE-2021-3178", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-33033", "CVE-2021-33200", "CVE-2021-3483"], "modified": "2023-03-23T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-tools-libs-devel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "cpe:/o:huawei:euleros:uvp:3.0.2.0"], "id": "EULEROS_SA-2021-2075.NASL", "href": "https://www.tenable.com/plugins/nessus/151307", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151307);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/23\");\n\n script_cve_id(\n \"CVE-2018-12928\",\n \"CVE-2018-12929\",\n \"CVE-2020-25669\",\n \"CVE-2020-27170\",\n \"CVE-2020-27171\",\n \"CVE-2020-27673\",\n \"CVE-2020-27675\",\n \"CVE-2020-28941\",\n \"CVE-2020-29368\",\n \"CVE-2020-35519\",\n \"CVE-2020-36311\",\n \"CVE-2020-36312\",\n \"CVE-2020-36322\",\n \"CVE-2021-3178\",\n \"CVE-2021-3483\",\n \"CVE-2021-20292\",\n \"CVE-2021-23133\",\n \"CVE-2021-27363\",\n \"CVE-2021-27364\",\n \"CVE-2021-27365\",\n \"CVE-2021-28660\",\n \"CVE-2021-28688\",\n \"CVE-2021-28964\",\n \"CVE-2021-28972\",\n \"CVE-2021-29154\",\n \"CVE-2021-29155\",\n \"CVE-2021-29264\",\n \"CVE-2021-29265\",\n \"CVE-2021-29647\",\n \"CVE-2021-30002\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-33033\",\n \"CVE-2021-33200\"\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2021-2075)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - The kernel package contains the Linux kernel (vmlinuz),\n the core of any Linux operating system. The kernel\n handles the basic functions of the operating system:\n memory allocation, process allocation, device input and\n output, etc. Security Fix(es):A vulnerability was found\n in the Linux Kernel where the function sunkbd_reinit\n having been scheduled by sunkbd_interrupt before sunkbd\n being freed. Though the dangling pointer is set to NULL\n in sunkbd_disconnect, there is still an alias in\n sunkbd_reinit causing Use After Free.(CVE-2020-25669)An\n issue was discovered in the Linux kernel through 5.9.1,\n as used with Xen through 4.14.x.\n drivers/xen/events/events_base.c allows event-channel\n removal during the event-handling loop (a race\n condition). This can cause a use-after-free or NULL\n pointer dereference, as demonstrated by a dom0 crash\n via events for an in-reconfiguration paravirtualized\n device, aka CID-073d0552ead5.(CVE-2020-27675)An issue\n was discovered in the Linux kernel through 5.9.1, as\n used with Xen through 4.14.x. Guest OS users can cause\n a denial of service (host OS hang) via a high rate of\n events to dom0, aka CID-e99502f76271.(CVE-2020-27673)An\n issue was discovered in __split_huge_pmd in\n mm/huge_memory.c in the Linux kernel before 5.7.5. The\n copy-on-write implementation can grant unintended write\n access because of a race condition in a THP mapcount\n check, aka CID-c444eb564fb1.(CVE-2020-29368)An issue\n was discovered in\n drivers/accessibility/speakup/spk_ttyio.c in the Linux\n kernel through 5.9.9. Local attackers on systems with\n the speakup driver could cause a local denial of\n service attack, aka CID-d41227544427. This occurs\n because of an invalid free when the line discipline is\n used more than once.(CVE-2020-28941)** DISPUTED **\n fsfsd fs3xdr.c in the Linux kernel through 5.10.8, when\n there is an NFS export of a subdirectory of a\n filesystem, allows remote attackers to traverse to\n other parts of the filesystem via READDIRPLUS. NOTE:\n some parties argue that such a subdirectory export is\n not intended to prevent this attack see also the\n exports(5) no_subtree_check default\n behavior.(CVE-2021-3178)An issue was discovered in the\n Linux kernel through 5.11.3.\n drivers/scsi/scsi_transport_iscsi.c is adversely\n affected by the ability of an unprivileged user to\n craft Netlink messages.(CVE-2021-27364)An issue was\n discovered in the Linux kernel through 5.11.3. A kernel\n pointer leak can be used to determine the address of\n the iscsi_transport structure. When an iSCSI transport\n is registered with the iSCSI subsystem, the transport's\n handle is available to unprivileged users via the sysfs\n file system, at\n /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When\n read, the show_transport_handle function (in\n drivers/scsi/scsi_transport_iscsi.c) is called, which\n leaks the handle. This handle is actually the pointer\n to an iscsi_transport struct in the kernel module's\n global variables.(CVE-2021-27363)ntfs_read_locked_inode\n in the ntfs.ko filesystem driver in the Linux kernel\n 4.15.0 allows attackers to trigger a use-after-free\n read and possibly cause a denial of service (kernel\n oops or panic) via a crafted ntfs\n filesystem.(CVE-2018-12929)In the Linux kernel 4.15.0,\n a NULL pointer dereference was discovered in\n hfs_ext_read_extent in hfs.ko. This can occur during a\n mount of a crafted hfs\n filesystem.(CVE-2018-12928)rtw_wx_set_scan in\n drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the\n Linux kernel through 5.11.6 allows writing beyond the\n end of the ->ssid[] array. NOTE: from the perspective\n of kernel.org releases, CVE IDs are not normally used\n for drivers/staging/* (unfinished work) however, system\n integrators may have situations in which a\n drivers/staging issue is relevant to their own customer\n base.(CVE-2021-28660)There is a flaw reported in the\n Linux kernel in versions before 5.9 in drivers/gpu/drm\n ouveau ouveau_sgdma.c in nouveau_sgdma_create_ttm in\n Nouveau DRM subsystem. The issue results from the lack\n of validating the existence of an object prior to\n performing operations on the object. An attacker with a\n local account with a root privilege, can leverage this\n vulnerability to escalate privileges and execute code\n in the context of the kernel.(CVE-2021-20292)A flaw was\n found in the Nosy driver in the Linux kernel. This\n issue allows a device to be inserted twice into a\n doubly-linked list, leading to a use-after-free when\n one of these devices is removed. The highest threat\n from this vulnerability is to confidentiality,\n integrity, as well as system availability. Versions\n before kernel 5.12-rc6 are affected(CVE-2021-3483)In\n drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux\n kernel through 5.11.8, the RPA PCI Hotplug driver has a\n user-tolerable buffer overflow when writing a new\n device name to the driver from userspace, allowing\n userspace to write data to the kernel stack frame\n directly. This occurs because add_slot_store and\n remove_slot_store mishandle drc_name '\\0' termination,\n aka CID-cc7a0bb058b8.(CVE-2021-28972)A race condition\n was discovered in get_old_root in fs/btrfs/ctree.c in\n the Linux kernel through 5.11.8. It allows attackers to\n cause a denial of service (BUG) because of a lack of\n locking on an extent buffer before a cloning operation,\n aka CID-dbcc7d57bffc.(CVE-2021-28964)An issue was\n discovered in the Linux kernel before 5.11.7.\n usbip_sockfd_store in drivers/usb/usbip/stub_dev.c\n allows attackers to cause a denial of service (GPF)\n because the stub-up sequence has race conditions during\n an update of the local and shared status, aka\n CID-9380afd6df70.(CVE-2021-29265)The fix for XSA-365\n includes initialization of pointers such that\n subsequent cleanup code wouldn't use uninitialized or\n stale values. This initialization went too far and may\n under certain conditions also overwrite pointers which\n are in need of cleaning up. The lack of cleanup would\n result in leaking persistent grants. The leak in turn\n would prevent fully cleaning up after a respective\n guest has died, leaving around zombie domains. All\n Linux versions having the fix for XSA-365 applied are\n vulnerable. XSA-365 was classified to affect versions\n back to at least 3.11.(CVE-2021-28688)An issue was\n discovered in the Linux kernel before 5.11.3 when a\n webcam device exists. video_usercopy in\n drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak\n for large arguments, aka\n CID-fb18802a338b.(CVE-2021-30002)An issue was\n discovered in the Linux kernel before 5.8.10.\n virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev\n memory leak upon a kmalloc failure, aka\n CID-f65886606c2d.(CVE-2020-36312)An issue was\n discovered in the Linux kernel before 5.9.\n arch/x86/kvm/svm/sev.c allows attackers to cause a\n denial of service (soft lockup) by triggering\n destruction of a large SEV VM (which requires\n unregistering many encrypted regions), aka\n CID-7be74942f184.(CVE-2020-36311)An issue was\n discovered in the Linux kernel before 5.11.11.\n qrtr_recvmsg in net/qrtr/qrtr.c allows attackers to\n obtain sensitive information from kernel memory because\n of a partially uninitialized data structure, aka\n CID-50535249f624.(CVE-2021-29647)An issue was\n discovered in the Linux kernel through 5.11.10.\n driverset/ethernet/freescale/gianfar.c in the Freescale\n Gianfar Ethernet driver allows attackers to cause a\n system crash because a negative fragment size is\n calculated in situations involving an rx queue overrun\n when jumbo packets are used and NAPI is enabled, aka\n CID-d8861bab48b6.(CVE-2021-29264)An out-of-bounds (OOB)\n memory access flaw was found in x25_bind in\n net/x25/af_x25.c in the Linux kernel version v5.12-rc5.\n A bounds check failure allows a local attacker with a\n user account on the system to gain access to\n out-of-bounds memory, leading to a system crash or a\n leak of internal kernel information. The highest threat\n from this vulnerability is to confidentiality,\n integrity, as well as system\n availability.(CVE-2020-35519)An issue was discovered in\n the Linux kernel before 5.11.8. kernel/bpf/verifier.c\n has an off-by-one error (with a resultant integer\n underflow) affecting out-of-bounds speculation on\n pointer arithmetic, leading to side-channel attacks\n that defeat Spectre mitigations and obtain sensitive\n information from kernel memory, aka\n CID-10d2bb2e6b1d.(CVE-2020-27171)An issue was\n discovered in the Linux kernel before 5.11.8.\n kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic,\n leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from\n kernel memory, aka CID-f232326f6966. This affects\n pointer types that do not define a\n ptr_limit.(CVE-2020-27170)BPF JIT compilers in the\n Linux kernel through 5.11.12 have incorrect computation\n of branch displacements, allowing them to execute\n arbitrary code within the kernel context. This affects\n arch/x86 et/bpf_jit_comp.c and arch/x86\n et/bpf_jit_comp32.c.(CVE-2021-29154)A race condition in\n Linux kernel SCTP sockets (net/sctp/socket.c) before\n 5.12-rc8 can lead to kernel privilege escalation from\n the context of a network service or an unprivileged\n process. If sctp_destroy_sock is called without\n sock_net(sk)->sctp.addr_wq_lock then an element is\n removed from the auto_asconf_splist list without any\n proper locking. This can be exploited by an attacker\n with network service privileges to escalate to root or\n from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies\n creation of some SCTP socket.(CVE-2021-23133)An issue\n was discovered in the FUSE filesystem implementation in\n the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf.\n fuse_do_getattr() calls make_bad_inode() in\n inappropriate situations, causing a system crash. NOTE:\n the original fix for this vulnerability was incomplete,\n and its incompleteness is tracked as\n CVE-2021-28950.(CVE-2020-36322)An out-of-bounds (OOB)\n memory write flaw was found in list_devices in\n drivers/md/dm-ioctl.c in the Multi-device driver module\n in the Linux kernel before 5.12. A bound check failure\n allows an attacker with special user (CAP_SYS_ADMIN)\n privilege to gain access to out-of-bounds memory\n leading to a system crash or a leak of internal kernel\n information. The highest threat from this vulnerability\n is to system availability.(CVE-2021-31916)An issue was\n discovered in the Linux kernel through 5.11.x.\n kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic,\n leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from\n kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification\n performed by the first operation is not correctly\n accounted for when restricting subsequent\n operations.(CVE-2021-29155)kernel/bpf/verifier.c in the\n Linux kernel through 5.12.1 performs undesirable\n speculative loads, leading to disclosure of stack\n content via side-channel attacks, aka CID-801c6058d14a.\n The specific concern is not protecting the BPF stack\n area against speculative loads. Also, the BPF stack can\n contain uninitialized data that might represent\n sensitive information previously operated on by the\n kernel.(CVE-2021-31829)The Linux kernel before 5.11.14\n has a use-after-free in cipso_v4_genopt in\n net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO\n refcounting for the DOI definitions is mishandled, aka\n CID-ad5d07f4a9cd. This leads to writing an arbitrary\n value.(CVE-2021-33033)kernel/bpf/verifier.c in the\n Linux kernel through 5.12.7 enforces incorrect limits\n for pointer arithmetic operations, aka\n CID-bb01a1bba579. This can be abused to perform\n out-of-bounds reads and writes in kernel memory,\n leading to local privilege escalation to root. In\n particular, there is a corner case where the off reg\n causes a masking direction change, which then results\n in an incorrect final aux->alu_limit.(CVE-2021-33200)An\n issue was discovered in the Linux kernel through\n 5.11.3. Certain iSCSI data structures do not have\n appropriate length constraints or checks, and can\n exceed the PAGE_SIZE value. An unprivileged user can\n send a Netlink message that is associated with iSCSI,\n and has a length up to the maximum length of a Netlink\n message.(CVE-2021-27365)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2075\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2e9097c8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28660\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-4.19.36-vhulk1907.1.0.h1043\",\n \"kernel-devel-4.19.36-vhulk1907.1.0.h1043\",\n \"kernel-headers-4.19.36-vhulk1907.1.0.h1043\",\n \"kernel-tools-4.19.36-vhulk1907.1.0.h1043\",\n \"kernel-tools-libs-4.19.36-vhulk1907.1.0.h1043\",\n \"kernel-tools-libs-devel-4.19.36-vhulk1907.1.0.h1043\",\n \"perf-4.19.36-vhulk1907.1.0.h1043\",\n \"python-perf-4.19.36-vhulk1907.1.0.h1043\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-24T15:16:32", "description": "The SUSE Linux Enterprise 12 SP4 LTSS kernel was updated to receive various security and bugfixes.\n\nThe following security bugs were fixed :\n\nCVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).\n\nCVE-2021-29650: Fixed an issue inside the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).\n\nCVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations (bnc#1184942).\n\nCVE-2020-36310: Fixed an issue in arch/x86/kvm/svm/svm.c that allowed a set_memory_region_test infinite loop for certain nested page faults (bnc#1184512).\n\nCVE-2020-27673: Fixed an issue in Xen where a guest OS users could have caused a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411, bnc#1184583).\n\nCVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bnc#1184391).\n\nCVE-2020-25673: Fixed NFC endless loops caused by repeated llcp_sock_connect() (bsc#1178181).\n\nCVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect() (bsc#1178181).\n\nCVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect() (bsc#1178181).\n\nCVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind() (bsc#1178181).\n\nCVE-2020-36311: Fixed an issue in arch/x86/kvm/svm/sev.c that allowed attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions) (bnc#1184511).\n\nCVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).\n\nCVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211).\n\nCVE-2021-30002: Fixed a memory leak issue when a webcam device exists (bnc#1184120).\n\nCVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl() (bsc#1184393).\n\nCVE-2021-20219: Fixed a denial of service vulnerability in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could have delayed the loop and cause a threat to the system availability (bnc#1184397).\n\nCVE-2021-28964: Fixed a race condition in fs/btrfs/ctree.c that could have caused a denial of service because of a lack of locking on an extent buffer before a cloning operation (bnc#1184193).\n\nCVE-2021-3444: Fixed the bpf verifier as it did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution (bnc#1184170).\n\nCVE-2021-28971: Fixed a potential local denial of service in intel_pmu_drain_pebs_nhm where userspace applications can cause a system crash because the PEBS status in a PEBS record is mishandled (bnc#1184196).\n\nCVE-2021-28688: Fixed XSA-365 that includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up.\nThe lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains (bnc#1183646).\n\nCVE-2021-29265: Fixed an issue in usbip_sockfd_store in drivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bnc#1184167).\n\nCVE-2021-29264: Fixed an issue in drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver that allowed attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bnc#1184168).\n\nCVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c where the RPA PCI Hotplug driver had a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\\0' termination (bnc#1184198).\n\nCVE-2021-29647: Fixed an issue in kernel qrtr_recvmsg in net/qrtr/qrtr.c that allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bnc#1184192).\n\nCVE-2020-27171: Fixed an issue in kernel/bpf/verifier.c that had an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bnc#1183686, bnc#1183775).\n\nCVE-2020-27170: Fixed an issue in kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. This affects pointer types that do not define a ptr_limit (bnc#1183686 bnc#1183775).\n\nCVE-2021-28660: Fixed rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing beyond the end of the ssid array (bnc#1183593).\n\nCVE-2020-35519: Update patch reference for x25 fix (bsc#1183696).\n\nCVE-2021-3428: Fixed ext4 integer overflow in ext4_es_cache_extent (bsc#1173485, bsc#1183509).\n\nCVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where a possible use after free due to improper locking could have happened.\nThis could have led to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1176720).\n\nCVE-2021-28038: Fixed an issue with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bnc#1183022, bnc#1183069).\n\nCVE-2020-27815: Fixed jfs array index bounds check in dbAdjTree (bsc#1179454).\n\nCVE-2021-27365: Fixed an issue inside the iSCSI data structures that does not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bnc#1182715).\n\nCVE-2021-27363: Fixed an issue with a kernel pointer leak that could have been used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bnc#1182716).\n\nCVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c where an unprivileged user can craft Netlink messages (bnc#1182717).\n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-05-14T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1596-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0433", "CVE-2020-25670", "CVE-2020-25671", "CVE-2020-25672", "CVE-2020-25673", "CVE-2020-27170", "CVE-2020-27171", "CVE-2020-27673", "CVE-2020-27815", "CVE-2020-35519", "CVE-2020-36310", "CVE-2020-36311", "CVE-2020-36312", "CVE-2020-36322", "CVE-2021-20219", "CVE-2021-26931", "CVE-2021-27363", "CVE-2021-27364", "CVE-2021-27365", "CVE-2021-28038", "CVE-2021-28660", "CVE-2021-28688", "CVE-2021-28950", "CVE-2021-28964", "CVE-2021-28971", "CVE-2021-28972", "CVE-2021-29154", "CVE-2021-29155", "CVE-2021-29264", "CVE-2021-29265", "CVE-2021-29647", "CVE-2021-29650", "CVE-2021-30002", "CVE-2021-3428", "CVE-2021-3444", "CVE-2021-3483"], "modified": "2023-03-23T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-devel-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-syms", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-1596-1.NASL", "href": "https://www.tenable.com/plugins/nessus/149491", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:1596-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149491);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/23\");\n\n script_cve_id(\n \"CVE-2020-0433\",\n \"CVE-2020-25670\",\n \"CVE-2020-25671\",\n \"CVE-2020-25672\",\n \"CVE-2020-25673\",\n \"CVE-2020-27170\",\n \"CVE-2020-27171\",\n \"CVE-2020-27673\",\n \"CVE-2020-27815\",\n \"CVE-2020-35519\",\n \"CVE-2020-36310\",\n \"CVE-2020-36311\",\n \"CVE-2020-36312\",\n \"CVE-2020-36322\",\n \"CVE-2021-3428\",\n \"CVE-2021-3444\",\n \"CVE-2021-3483\",\n \"CVE-2021-20219\",\n \"CVE-2021-26931\",\n \"CVE-2021-27363\",\n \"CVE-2021-27364\",\n \"CVE-2021-27365\",\n \"CVE-2021-28038\",\n \"CVE-2021-28660\",\n \"CVE-2021-28688\",\n \"CVE-2021-28950\",\n \"CVE-2021-28964\",\n \"CVE-2021-28971\",\n \"CVE-2021-28972\",\n \"CVE-2021-29154\",\n \"CVE-2021-29155\",\n \"CVE-2021-29264\",\n \"CVE-2021-29265\",\n \"CVE-2021-29647\",\n \"CVE-2021-29650\",\n \"CVE-2021-30002\"\n );\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1596-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The SUSE Linux Enterprise 12 SP4 LTSS kernel was updated to receive\nvarious security and bugfixes.\n\nThe following security bugs were fixed :\n\nCVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a\nkvm_io_bus_unregister_dev memory leak upon a kmalloc failure\n(bnc#1184509).\n\nCVE-2021-29650: Fixed an issue inside the netfilter subsystem that\nallowed attackers to cause a denial of service (panic) because\nnet/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a\nfull memory barrier upon the assignment of a new table value\n(bnc#1184208).\n\nCVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that\nperformed undesirable out-of-bounds speculation on pointer arithmetic,\nleading to side-channel attacks that defeat Spectre mitigations and\nobtain sensitive information from kernel memory. Specifically, for\nsequences of pointer arithmetic operations, the pointer modification\nperformed by the first operation is not correctly accounted for when\nrestricting subsequent operations (bnc#1184942).\n\nCVE-2020-36310: Fixed an issue in arch/x86/kvm/svm/svm.c that allowed\na set_memory_region_test infinite loop for certain nested page faults\n(bnc#1184512).\n\nCVE-2020-27673: Fixed an issue in Xen where a guest OS users could\nhave caused a denial of service (host OS hang) via a high rate of\nevents to dom0 (bnc#1177411, bnc#1184583).\n\nCVE-2021-29154: Fixed BPF JIT compilers that allowed to execute\narbitrary code within the kernel context (bnc#1184391).\n\nCVE-2020-25673: Fixed NFC endless loops caused by repeated\nllcp_sock_connect() (bsc#1178181).\n\nCVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect()\n(bsc#1178181).\n\nCVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect()\n(bsc#1178181).\n\nCVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind()\n(bsc#1178181).\n\nCVE-2020-36311: Fixed an issue in arch/x86/kvm/svm/sev.c that allowed\nattackers to cause a denial of service (soft lockup) by triggering\ndestruction of a large SEV VM (which requires unregistering many\nencrypted regions) (bnc#1184511).\n\nCVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on\nCPU' could have occured because a retry loop continually finds the\nsame bad inode (bnc#1184194, bnc#1184211).\n\nCVE-2020-36322: Fixed an issue inside the FUSE filesystem\nimplementation where fuse_do_getattr() calls make_bad_inode() in\ninappropriate situations, could have caused a system crash. NOTE: the\noriginal fix for this vulnerability was incomplete, and its\nincompleteness is tracked as CVE-2021-28950 (bnc#1184211).\n\nCVE-2021-30002: Fixed a memory leak issue when a webcam device exists\n(bnc#1184120).\n\nCVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl()\n(bsc#1184393).\n\nCVE-2021-20219: Fixed a denial of service vulnerability in\ndrivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker\nwith a normal user privilege could have delayed the loop and cause a\nthreat to the system availability (bnc#1184397).\n\nCVE-2021-28964: Fixed a race condition in fs/btrfs/ctree.c that could\nhave caused a denial of service because of a lack of locking on an\nextent buffer before a cloning operation (bnc#1184193).\n\nCVE-2021-3444: Fixed the bpf verifier as it did not properly handle\nmod32 destination register truncation when the source register was\nknown to be 0. A local attacker with the ability to load bpf programs\ncould use this gain out-of-bounds reads in kernel memory leading to\ninformation disclosure (kernel memory), and possibly out-of-bounds\nwrites that could potentially lead to code execution (bnc#1184170).\n\nCVE-2021-28971: Fixed a potential local denial of service in\nintel_pmu_drain_pebs_nhm where userspace applications can cause a\nsystem crash because the PEBS status in a PEBS record is mishandled\n(bnc#1184196).\n\nCVE-2021-28688: Fixed XSA-365 that includes initialization of pointers\nsuch that subsequent cleanup code wouldn't use uninitialized or stale\nvalues. This initialization went too far and may under certain\nconditions also overwrite pointers which are in need of cleaning up.\nThe lack of cleanup would result in leaking persistent grants. The\nleak in turn would prevent fully cleaning up after a respective guest\nhas died, leaving around zombie domains (bnc#1183646).\n\nCVE-2021-29265: Fixed an issue in usbip_sockfd_store in\ndrivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial\nof service (GPF) because the stub-up sequence has race conditions\nduring an update of the local and shared status (bnc#1184167).\n\nCVE-2021-29264: Fixed an issue in\ndrivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar\nEthernet driver that allowed attackers to cause a system crash because\na negative fragment size is calculated in situations involving an rx\nqueue overrun when jumbo packets are used and NAPI is enabled\n(bnc#1184168).\n\nCVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c\nwhere the RPA PCI Hotplug driver had a user-tolerable buffer overflow\nwhen writing a new device name to the driver from userspace, allowing\nuserspace to write data to the kernel stack frame directly. This\noccurs because add_slot_store and remove_slot_store mishandle drc_name\n'\\0' termination (bnc#1184198).\n\nCVE-2021-29647: Fixed an issue in kernel qrtr_recvmsg in\nnet/qrtr/qrtr.c that allowed attackers to obtain sensitive information\nfrom kernel memory because of a partially uninitialized data structure\n(bnc#1184192).\n\nCVE-2020-27171: Fixed an issue in kernel/bpf/verifier.c that had an\noff-by-one error (with a resultant integer underflow) affecting\nout-of-bounds speculation on pointer arithmetic, leading to\nside-channel attacks that defeat Spectre mitigations and obtain\nsensitive information from kernel memory (bnc#1183686, bnc#1183775).\n\nCVE-2020-27170: Fixed an issue in kernel/bpf/verifier.c that performed\nundesirable out-of-bounds speculation on pointer arithmetic, leading\nto side-channel attacks that defeat Spectre mitigations and obtain\nsensitive information from kernel memory. This affects pointer types\nthat do not define a ptr_limit (bnc#1183686 bnc#1183775).\n\nCVE-2021-28660: Fixed rtw_wx_set_scan in\ndrivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing\nbeyond the end of the ssid array (bnc#1183593).\n\nCVE-2020-35519: Update patch reference for x25 fix (bsc#1183696).\n\nCVE-2021-3428: Fixed ext4 integer overflow in ext4_es_cache_extent\n(bsc#1173485, bsc#1183509).\n\nCVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where\na possible use after free due to improper locking could have happened.\nThis could have led to local escalation of privilege with no\nadditional execution privileges needed. User interaction is not needed\nfor exploitation (bnc#1176720).\n\nCVE-2021-28038: Fixed an issue with Xen PV. A certain part of the\nnetback driver lacks necessary treatment of errors such as failed\nmemory allocations (as a result of changes to the handling of grant\nmapping errors). A host OS denial of service may occur during\nmisbehavior of a networking frontend driver. NOTE: this issue exists\nbecause of an incomplete fix for CVE-2021-26931 (bnc#1183022,\nbnc#1183069).\n\nCVE-2020-27815: Fixed jfs array index bounds check in dbAdjTree\n(bsc#1179454).\n\nCVE-2021-27365: Fixed an issue inside the iSCSI data structures that\ndoes not have appropriate length constraints or checks, and can exceed\nthe PAGE_SIZE value. An unprivileged user can send a Netlink message\nthat is associated with iSCSI, and has a length up to the maximum\nlength of a Netlink message (bnc#1182715).\n\nCVE-2021-27363: Fixed an issue with a kernel pointer leak that could\nhave been used to determine the address of the iscsi_transport\nstructure. When an iSCSI transport is registered with the iSCSI\nsubsystem, the transport's handle is available to unprivileged users\nvia the sysfs file system, at\n/sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the\nshow_transport_handle function (in\ndrivers/scsi/scsi_transport_iscsi.c) is called, which leaks the\nhandle. This handle is actually the pointer to an iscsi_transport\nstruct in the kernel module's global variables (bnc#1182716).\n\nCVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c\nwhere an unprivileged user can craft Netlink messages (bnc#1182717).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1040855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1044767\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1047233\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1065729\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1094840\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1171078\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1173485\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1175873\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176700\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176720\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1177411\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1177753\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178181\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179454\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181032\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181960\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182194\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182672\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182715\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182716\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182717\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183022\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183063\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183069\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183509\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183593\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183646\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183696\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183738\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183775\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184120\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184167\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184168\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184170\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184192\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184193\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184194\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184196\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184198\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184208\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184211\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184388\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184391\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184393\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184397\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184509\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184511\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184512\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184514\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184583\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184942\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185113\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185244\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185248\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-0433/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25670/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25671/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25672/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25673/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-27170/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-27171/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-27673/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-27815/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-35519/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36310/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36311/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36312/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36322/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-20219/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-27363/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-27364/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-27365/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28038/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28660/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28688/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28950/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28964/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28971/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28972/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29154/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29155/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29264/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29265/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29647/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29650/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-30002/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3428/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3444/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3483/\");\n # https://www.suse.com/support/update/announcement/2021/suse-su-20211596-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5a2d3ed3\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud Crowbar 9 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1596=1\n\nSUSE OpenStack Cloud 9 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-9-2021-1596=1\n\nSUSE Linux Enterprise Server for SAP 12-SP4 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1596=1\n\nSUSE Linux Enterprise Server 12-SP4-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1596=1\n\nSUSE Linux Enterprise Live Patching 12-SP4 :\n\nzypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2021-1596=1\n\nSUSE Linux Enterprise High Availability 12-SP4 :\n\nzypper in -t patch SUSE-SLE-HA-12-SP4-2021-1596=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28660\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"4\", cpu:\"x86_64\", reference:\"kernel-default-devel-debuginfo-4.12.14-95.74.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", cpu:\"s390x\", reference:\"kernel-default-man-4.12.14-95.74.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"kernel-default-4.12.14-95.74.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"kernel-default-base-4.12.14-95.74.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"kernel-default-base-debuginfo-4.12.14-95.74.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"kernel-default-debuginfo-4.12.14-95.74.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"kernel-default-debugsource-4.12.14-95.74.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"kernel-default-devel-4.12.14-95.74.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"kernel-syms-4.12.14-95.74.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-23T15:26:26", "description": "The SUSE Linux Enterprise 15 SP1 LTSS kernel was updated to receive various security and bugfixes.\n\nThe following security bugs were fixed :\n\nCVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).\n\nCVE-2021-29650: Fixed an issue inside the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).\n\nCVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations (bnc#1184942).\n\nCVE-2020-36310: Fixed an issue in arch/x86/kvm/svm/svm.c that allowed a set_memory_region_test infinite loop for certain nested page faults (bnc#1184512).\n\nCVE-2020-27673: Fixed an issue in Xen where a guest OS users could have caused a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411, bnc#1184583).\n\nCVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bnc#1184391).\n\nCVE-2020-25673: Fixed NFC endless loops caused by repeated llcp_sock_connect() (bsc#1178181).\n\nCVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect() (bsc#1178181).\n\nCVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect() (bsc#1178181).\n\nCVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind() (bsc#1178181).\n\nCVE-2020-36311: Fixed an issue in arch/x86/kvm/svm/sev.c that allowed attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions) (bnc#1184511).\n\nCVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).\n\nCVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211).\n\nCVE-2021-30002: Fixed a memory leak issue when a webcam device exists (bnc#1184120).\n\nCVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl() (bsc#1184393).\n\nCVE-2021-20219: Fixed a denial of service vulnerability in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could have delayed the loop and cause a threat to the system availability (bnc#1184397).\n\nCVE-2021-28964: Fixed a race condition in fs/btrfs/ctree.c that could have caused a denial of service because of a lack of locking on an extent buffer before a cloning operation (bnc#1184193).\n\nCVE-2021-3444: Fixed the bpf verifier as it did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution (bnc#1184170).\n\nCVE-2021-28971: Fixed a potential local denial of service in intel_pmu_drain_pebs_nhm where userspace applications can cause a system crash because the PEBS status in a PEBS record is mishandled (bnc#1184196).\n\nCVE-2021-28688: Fixed XSA-365 that includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up.\nThe lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains (bnc#1183646).\n\nCVE-2021-29265: Fixed an issue in usbip_sockfd_store in drivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bnc#1184167).\n\nCVE-2021-29264: Fixed an issue in drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver that allowed attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bnc#1184168).\n\nCVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c where the RPA PCI Hotplug driver had a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\\0' termination (bnc#1184198).\n\nCVE-2021-29647: Fixed an issue in kernel qrtr_recvmsg in net/qrtr/qrtr.c that allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bnc#1184192).\n\nCVE-2020-27171: Fixed an issue in kernel/bpf/verifier.c that had an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bnc#1183686, bnc#1183775).\n\nCVE-2020-27170: Fixed an issue in kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. This affects pointer types that do not define a ptr_limit (bnc#1183686 bnc#1183775).\n\nCVE-2021-28660: Fixed rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing beyond the end of the ssid array (bnc#1183593).\n\nCVE-2020-35519: Update patch reference for x25 fix (bsc#1183696).\n\nCVE-2021-3428: Fixed ext4 integer overflow in ext4_es_cache_extent (bsc#1173485, bsc#1183509).\n\nCVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where a possible use after free due to improper locking could have happened.\nThis could have led to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1176720).\n\nCVE-2021-28038: Fixed an issue with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bnc#1183022, bnc#1183069).\n\nCVE-2020-27815: Fixed jfs array index bounds check in dbAdjTree (bsc#1179454).\n\nCVE-2021-27365: Fixed an issue inside the iSCSI data structures that does not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bnc#1182715).\n\nCVE-2021-27363: Fixed an issue with a kernel pointer leak that could have been used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bnc#1182716).\n\nCVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c where an unprivileged user can craft Netlink messages (bnc#1182717).\n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-05-19T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1624-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0433", "CVE-2020-25670", "CVE-2020-25671", "CVE-2020-25672", "CVE-2020-25673", "CVE-2020-27170", "CVE-2020-27171", "CVE-2020-27673", "CVE-2020-27815", "CVE-2020-35519", "CVE-2020-36310", "CVE-2020-36311", "CVE-2020-36312", "CVE-2020-36322", "CVE-2021-20219", "CVE-2021-26931", "CVE-2021-27363", "CVE-2021-27364", "CVE-2021-27365", "CVE-2021-28038", "CVE-2021-28660", "CVE-2021-28688", "CVE-2021-28950", "CVE-2021-28964", "CVE-2021-28971", "CVE-2021-28972", "CVE-2021-29154", "CVE-2021-29155", "CVE-2021-29264", "CVE-2021-29265", "CVE-2021-29647", "CVE-2021-29650", "CVE-2021-30002", "CVE-2021-3428", "CVE-2021-3444", "CVE-2021-3483"], "modified": "2023-03-23T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-devel-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-obs-build", "p-cpe:/a:novell:suse_linux:kernel-obs-build-debugsource", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kernel-zfcpdump-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-zfcpdump-debugsource", "p-cpe:/a:novell:suse_linux:reiserfs-kmp-default", "p-cpe:/a:novell:suse_linux:reiserfs-kmp-default-debuginfo", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-1624-1.NASL", "href": "https://www.tenable.com/plugins/nessus/149717", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:1624-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149717);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/23\");\n\n script_cve_id(\n \"CVE-2020-0433\",\n \"CVE-2020-25670\",\n \"CVE-2020-25671\",\n \"CVE-2020-25672\",\n \"CVE-2020-25673\",\n \"CVE-2020-27170\",\n \"CVE-2020-27171\",\n \"CVE-2020-27673\",\n \"CVE-2020-27815\",\n \"CVE-2020-35519\",\n \"CVE-2020-36310\",\n \"CVE-2020-36311\",\n \"CVE-2020-36312\",\n \"CVE-2020-36322\",\n \"CVE-2021-3428\",\n \"CVE-2021-3444\",\n \"CVE-2021-3483\",\n \"CVE-2021-20219\",\n \"CVE-2021-26931\",\n \"CVE-2021-27363\",\n \"CVE-2021-27364\",\n \"CVE-2021-27365\",\n \"CVE-2021-28038\",\n \"CVE-2021-28660\",\n \"CVE-2021-28688\",\n \"CVE-2021-28950\",\n \"CVE-2021-28964\",\n \"CVE-2021-28971\",\n \"CVE-2021-28972\",\n \"CVE-2021-29154\",\n \"CVE-2021-29155\",\n \"CVE-2021-29264\",\n \"CVE-2021-29265\",\n \"CVE-2021-29647\",\n \"CVE-2021-29650\",\n \"CVE-2021-30002\"\n );\n\n script_name(english:\"SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1624-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The SUSE Linux Enterprise 15 SP1 LTSS kernel was updated to receive\nvarious security and bugfixes.\n\nThe following security bugs were fixed :\n\nCVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a\nkvm_io_bus_unregister_dev memory leak upon a kmalloc failure\n(bnc#1184509).\n\nCVE-2021-29650: Fixed an issue inside the netfilter subsystem that\nallowed attackers to cause a denial of service (panic) because\nnet/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a\nfull memory barrier upon the assignment of a new table value\n(bnc#1184208).\n\nCVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that\nperformed undesirable out-of-bounds speculation on pointer arithmetic,\nleading to side-channel attacks that defeat Spectre mitigations and\nobtain sensitive information from kernel memory. Specifically, for\nsequences of pointer arithmetic operations, the pointer modification\nperformed by the first operation is not correctly accounted for when\nrestricting subsequent operations (bnc#1184942).\n\nCVE-2020-36310: Fixed an issue in arch/x86/kvm/svm/svm.c that allowed\na set_memory_region_test infinite loop for certain nested page faults\n(bnc#1184512).\n\nCVE-2020-27673: Fixed an issue in Xen where a guest OS users could\nhave caused a denial of service (host OS hang) via a high rate of\nevents to dom0 (bnc#1177411, bnc#1184583).\n\nCVE-2021-29154: Fixed BPF JIT compilers that allowed to execute\narbitrary code within the kernel context (bnc#1184391).\n\nCVE-2020-25673: Fixed NFC endless loops caused by repeated\nllcp_sock_connect() (bsc#1178181).\n\nCVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect()\n(bsc#1178181).\n\nCVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect()\n(bsc#1178181).\n\nCVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind()\n(bsc#1178181).\n\nCVE-2020-36311: Fixed an issue in arch/x86/kvm/svm/sev.c that allowed\nattackers to cause a denial of service (soft lockup) by triggering\ndestruction of a large SEV VM (which requires unregistering many\nencrypted regions) (bnc#1184511).\n\nCVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on\nCPU' could have occured because a retry loop continually finds the\nsame bad inode (bnc#1184194, bnc#1184211).\n\nCVE-2020-36322: Fixed an issue inside the FUSE filesystem\nimplementation where fuse_do_getattr() calls make_bad_inode() in\ninappropriate situations, could have caused a system crash. NOTE: the\noriginal fix for this vulnerability was incomplete, and its\nincompleteness is tracked as CVE-2021-28950 (bnc#1184211).\n\nCVE-2021-30002: Fixed a memory leak issue when a webcam device exists\n(bnc#1184120).\n\nCVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl()\n(bsc#1184393).\n\nCVE-2021-20219: Fixed a denial of service vulnerability in\ndrivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker\nwith a normal user privilege could have delayed the loop and cause a\nthreat to the system availability (bnc#1184397).\n\nCVE-2021-28964: Fixed a race condition in fs/btrfs/ctree.c that could\nhave caused a denial of service because of a lack of locking on an\nextent buffer before a cloning operation (bnc#1184193).\n\nCVE-2021-3444: Fixed the bpf verifier as it did not properly handle\nmod32 destination register truncation when the source register was\nknown to be 0. A local attacker with the ability to load bpf programs\ncould use this gain out-of-bounds reads in kernel memory leading to\ninformation disclosure (kernel memory), and possibly out-of-bounds\nwrites that could potentially lead to code execution (bnc#1184170).\n\nCVE-2021-28971: Fixed a potential local denial of service in\nintel_pmu_drain_pebs_nhm where userspace applications can cause a\nsystem crash because the PEBS status in a PEBS record is mishandled\n(bnc#1184196).\n\nCVE-2021-28688: Fixed XSA-365 that includes initialization of pointers\nsuch that subsequent cleanup code wouldn't use uninitialized or stale\nvalues. This initialization went too far and may under certain\nconditions also overwrite pointers which are in need of cleaning up.\nThe lack of cleanup would result in leaking persistent grants. The\nleak in turn would prevent fully cleaning up after a respective guest\nhas died, leaving around zombie domains (bnc#1183646).\n\nCVE-2021-29265: Fixed an issue in usbip_sockfd_store in\ndrivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial\nof service (GPF) because the stub-up sequence has race conditions\nduring an update of the local and shared status (bnc#1184167).\n\nCVE-2021-29264: Fixed an issue in\ndrivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar\nEthernet driver that allowed attackers to cause a system crash because\na negative fragment size is calculated in situations involving an rx\nqueue overrun when jumbo packets are used and NAPI is enabled\n(bnc#1184168).\n\nCVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c\nwhere the RPA PCI Hotplug driver had a user-tolerable buffer overflow\nwhen writing a new device name to the driver from userspace, allowing\nuserspace to write data to the kernel stack frame directly. This\noccurs because add_slot_store and remove_slot_store mishandle drc_name\n'\\0' termination (bnc#1184198).\n\nCVE-2021-29647: Fixed an issue in kernel qrtr_recvmsg in\nnet/qrtr/qrtr.c that allowed attackers to obtain sensitive information\nfrom kernel memory because of a partially uninitialized data structure\n(bnc#1184192).\n\nCVE-2020-27171: Fixed an issue in kernel/bpf/verifier.c that had an\noff-by-one error (with a resultant integer underflow) affecting\nout-of-bounds speculation on pointer arithmetic, leading to\nside-channel attacks that defeat Spectre mitigations and obtain\nsensitive information from kernel memory (bnc#1183686, bnc#1183775).\n\nCVE-2020-27170: Fixed an issue in kernel/bpf/verifier.c that performed\nundesirable out-of-bounds speculation on pointer arithmetic, leading\nto side-channel attacks that defeat Spectre mitigations and obtain\nsensitive information from kernel memory. This affects pointer types\nthat do not define a ptr_limit (bnc#1183686 bnc#1183775).\n\nCVE-2021-28660: Fixed rtw_wx_set_scan in\ndrivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing\nbeyond the end of the ssid array (bnc#1183593).\n\nCVE-2020-35519: Update patch reference for x25 fix (bsc#1183696).\n\nCVE-2021-3428: Fixed ext4 integer overflow in ext4_es_cache_extent\n(bsc#1173485, bsc#1183509).\n\nCVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where\na possible use after free due to improper locking could have happened.\nThis could have led to local escalation of privilege with no\nadditional execution privileges needed. User interaction is not needed\nfor exploitation (bnc#1176720).\n\nCVE-2021-28038: Fixed an issue with Xen PV. A certain part of the\nnetback driver lacks necessary treatment of errors such as failed\nmemory allocations (as a result of changes to the handling of grant\nmapping errors). A host OS denial of service may occur during\nmisbehavior of a networking frontend driver. NOTE: this issue exists\nbecause of an incomplete fix for CVE-2021-26931 (bnc#1183022,\nbnc#1183069).\n\nCVE-2020-27815: Fixed jfs array index bounds check in dbAdjTree\n(bsc#1179454).\n\nCVE-2021-27365: Fixed an issue inside the iSCSI data structures that\ndoes not have appropriate length constraints or checks, and can exceed\nthe PAGE_SIZE value. An unprivileged user can send a Netlink message\nthat is associated with iSCSI, and has a length up to the maximum\nlength of a Netlink message (bnc#1182715).\n\nCVE-2021-27363: Fixed an issue with a kernel pointer leak that could\nhave been used to determine the address of the iscsi_transport\nstructure. When an iSCSI transport is registered with the iSCSI\nsubsystem, the transport's handle is available to unprivileged users\nvia the sysfs file system, at\n/sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the\nshow_transport_handle function (in\ndrivers/scsi/scsi_transport_iscsi.c) is called, which leaks the\nhandle. This handle is actually the pointer to an iscsi_transport\nstruct in the kernel module's global variables (bnc#1182716).\n\nCVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c\nwhere an unprivileged user can craft Netlink messages (bnc#1182717).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1047233\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172455\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1173485\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176720\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1177411\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178181\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179454\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1180197\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181960\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182011\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182672\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182715\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182716\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182717\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183022\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183063\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183069\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183509\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183593\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183646\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183696\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183775\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184120\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184167\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184168\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184170\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184192\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184193\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184194\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184196\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184198\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184208\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184211\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184388\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184391\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184393\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184397\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184509\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184511\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184512\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184514\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184583\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184942\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185113\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185244\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-0433/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25670/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25671/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25672/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25673/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-27170/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-27171/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-27673/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-27815/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-35519/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36310/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36311/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36312/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36322/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-20219/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-27363/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-27364/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-27365/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28038/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28660/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28688/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28950/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28964/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28971/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28972/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29154/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29155/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29264/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29265/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29647/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29650/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-30002/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3428/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3444/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3483/\");\n # https://www.suse.com/support/update/announcement/2021/suse-su-20211624-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?38d85273\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Manager Server 4.0 :\n\nzypper in -t patch\nSUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1624=1\n\nSUSE Manager Retail Branch Server 4.0 :\n\nzypper in -t patch\nSUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1624=1\n\nSUSE Manager Proxy 4.0 :\n\nzypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1624=1\n\nSUSE Linux Enterprise Server for SAP 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1624=1\n\nSUSE Linux Enterprise Server 15-SP1-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1624=1\n\nSUSE Linux Enterprise Server 15-SP1-BCL :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1624=1\n\nSUSE Linux Enterprise Module for Live Patching 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2021-1624=1\n\nSUSE Linux Enterprise High Performance Computing 15-SP1-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1624=1\n\nSUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1624=1\n\nSUSE Linux Enterprise High Availability 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Product-HA-15-SP1-2021-1624=1\n\nSUSE Enterprise Storage 6 :\n\nzypper in -t patch SUSE-Storage-6-2021-1624=1\n\nSUSE CaaS Platform 4.0 :\n\nTo install this update, use the SUSE CaaS Platform 'skuba' tool. I\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28660\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-obs-build-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-zfcpdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-zfcpdump-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:reiserfs-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:reiserfs-kmp-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"s390x\", reference:\"kernel-default-man-4.12.14-197.89.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"s390x\", reference:\"kernel-zfcpdump-debuginfo-4.12.14-197.89.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"s390x\", reference:\"kernel-zfcpdump-debugsource-4.12.14-197.89.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"kernel-default-4.12.14-197.89.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"kernel-default-base-4.12.14-197.89.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"kernel-default-base-debuginfo-4.12.14-197.89.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"kernel-default-debuginfo-4.12.14-197.89.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"kernel-default-debugsource-4.12.14-197.89.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"kernel-default-devel-4.12.14-197.89.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"kernel-default-devel-debuginfo-4.12.14-197.89.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"kernel-obs-build-4.12.14-197.89.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"kernel-obs-build-debugsource-4.12.14-197.89.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"kernel-syms-4.12.14-197.89.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"reiserfs-kmp-default-4.12.14-197.89.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"reiserfs-kmp-default-debuginfo-4.12.14-197.89.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-23T15:27:12", "description": "The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.\n\nThe following security bugs were fixed :\n\nCVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).\n\nCVE-2021-29650: Fixed an issue inside the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).\n\nCVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations (bnc#1184942).\n\nCVE-2020-36310: Fixed an issue in arch/x86/kvm/svm/svm.c that allowed a set_memory_region_test infinite loop for certain nested page faults (bnc#1184512).\n\nCVE-2020-27673: Fixed an issue in Xen where a guest OS users could have caused a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411, bnc#1184583).\n\nCVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bnc#1184391).\n\nCVE-2020-25673: Fixed NFC endless loops caused by repeated llcp_sock_connect() (bsc#1178181).\n\nCVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect() (bsc#1178181).\n\nCVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect() (bsc#1178181).\n\nCVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind() (bsc#1178181).\n\nCVE-2020-36311: Fixed an issue in arch/x86/kvm/svm/sev.c that allowed attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions) (bnc#1184511).\n\nCVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).\n\nCVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211).\n\nCVE-2021-30002: Fixed a memory leak issue when a webcam device exists (bnc#1184120).\n\nCVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl() (bsc#1184393).\n\nCVE-2021-20219: Fixed a denial of service vulnerability in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could have delayed the loop and cause a threat to the system availability (bnc#1184397).\n\nCVE-2021-28964: Fixed a race condition in fs/btrfs/ctree.c that could have caused a denial of service because of a lack of locking on an extent buffer before a cloning operation (bnc#1184193).\n\nCVE-2021-3444: Fixed the bpf verifier as it did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution (bnc#1184170).\n\nCVE-2021-28971: Fixed a potential local denial of service in intel_pmu_drain_pebs_nhm where userspace applications can cause a system crash because the PEBS status in a PEBS record is mishandled (bnc#1184196).\n\nCVE-2021-28688: Fixed XSA-365 that includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up.\nThe lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains (bnc#1183646).\n\nCVE-2021-29265: Fixed an issue in usbip_sockfd_store in drivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bnc#1184167).\n\nCVE-2021-29264: Fixed an issue in drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver that allowed attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bnc#1184168).\n\nCVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c where the RPA PCI Hotplug driver had a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\\0' termination (bnc#1184198).\n\nCVE-2021-29647: Fixed an issue in kernel qrtr_recvmsg in net/qrtr/qrtr.c that allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bnc#1184192).\n\nCVE-2020-27171: Fixed an issue in kernel/bpf/verifier.c that had an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bnc#1183686, bnc#1183775).\n\nCVE-2020-27170: Fixed an issue in kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. This affects pointer types that do not define a ptr_limit (bnc#1183686 bnc#1183775).\n\nCVE-2021-28660: Fixed rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing beyond the end of the ssid array (bnc#1183593).\n\nCVE-2020-35519: Update patch reference for x25 fix (bsc#1183696).\n\nCVE-2021-3428: Fixed ext4 integer overflow in ext4_es_cache_extent (bsc#1173485, bsc#1183509).\n\nCVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where a possible use after free due to improper locking could have happened.\nThis could have led to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1176720).\n\nCVE-2021-28038: Fixed an issue with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bnc#1183022, bnc#1183069).\n\nCVE-2020-27815: Fixed jfs array index bounds check in dbAdjTree (bsc#1179454).\n\nCVE-2021-27365: Fixed an issue inside the iSCSI data structures that does not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bnc#1182715).\n\nCVE-2021-27363: Fixed an issue with a kernel pointer leak that could have been used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bnc#1182716).\n\nCVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c where an unprivileged user can craft Netlink messages (bnc#1182717).\n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-05-13T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1573-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0433", "CVE-2020-25670", "CVE-2020-25671", "CVE-2020-25672", "CVE-2020-25673", "CVE-2020-27170", "CVE-2020-27171", "CVE-2020-27673", "CVE-2020-27815", "CVE-2020-35519", "CVE-2020-36310", "CVE-2020-36311", "CVE-2020-36312", "CVE-2020-36322", "CVE-2021-20219", "CVE-2021-26931", "CVE-2021-27363", "CVE-2021-27364", "CVE-2021-27365", "CVE-2021-28038", "CVE-2021-28660", "CVE-2021-28688", "CVE-2021-28950", "CVE-2021-28964", "CVE-2021-28971", "CVE-2021-28972", "CVE-2021-29154", "CVE-2021-29155", "CVE-2021-29264", "CVE-2021-29265", "CVE-2021-29647", "CVE-2021-29650", "CVE-2021-30002", "CVE-2021-3428", "CVE-2021-3444", "CVE-2021-3483"], "modified": "2023-03-23T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-devel-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-obs-build", "p-cpe:/a:novell:suse_linux:kernel-obs-build-debugsource", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kernel-vanilla-base", "p-cpe:/a:novell:suse_linux:kernel-vanilla-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-vanilla-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-vanilla-debugsource", "p-cpe:/a:novell:suse_linux:kernel-zfcpdump-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-zfcpdump-debugsource", "p-cpe:/a:novell:suse_linux:reiserfs-kmp-default", "p-cpe:/a:novell:suse_linux:reiserfs-kmp-default-debuginfo", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-1573-1.NASL", "href": "https://www.tenable.com/plugins/nessus/149462", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:1573-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149462);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/23\");\n\n script_cve_id(\n \"CVE-2020-0433\",\n \"CVE-2020-25670\",\n \"CVE-2020-25671\",\n \"CVE-2020-25672\",\n \"CVE-2020-25673\",\n \"CVE-2020-27170\",\n \"CVE-2020-27171\",\n \"CVE-2020-27673\",\n \"CVE-2020-27815\",\n \"CVE-2020-35519\",\n \"CVE-2020-36310\",\n \"CVE-2020-36311\",\n \"CVE-2020-36312\",\n \"CVE-2020-36322\",\n \"CVE-2021-3428\",\n \"CVE-2021-3444\",\n \"CVE-2021-3483\",\n \"CVE-2021-20219\",\n \"CVE-2021-26931\",\n \"CVE-2021-27363\",\n \"CVE-2021-27364\",\n \"CVE-2021-27365\",\n \"CVE-2021-28038\",\n \"CVE-2021-28660\",\n \"CVE-2021-28688\",\n \"CVE-2021-28950\",\n \"CVE-2021-28964\",\n \"CVE-2021-28971\",\n \"CVE-2021-28972\",\n \"CVE-2021-29154\",\n \"CVE-2021-29155\",\n \"CVE-2021-29264\",\n \"CVE-2021-29265\",\n \"CVE-2021-29647\",\n \"CVE-2021-29650\",\n \"CVE-2021-30002\"\n );\n\n script_name(english:\"SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1573-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The SUSE Linux Enterprise 15 kernel was updated to receive various\nsecurity and bugfixes.\n\nThe following security bugs were fixed :\n\nCVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a\nkvm_io_bus_unregister_dev memory leak upon a kmalloc failure\n(bnc#1184509).\n\nCVE-2021-29650: Fixed an issue inside the netfilter subsystem that\nallowed attackers to cause a denial of service (panic) because\nnet/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a\nfull memory barrier upon the assignment of a new table value\n(bnc#1184208).\n\nCVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that\nperformed undesirable out-of-bounds speculation on pointer arithmetic,\nleading to side-channel attacks that defeat Spectre mitigations and\nobtain sensitive information from kernel memory. Specifically, for\nsequences of pointer arithmetic operations, the pointer modification\nperformed by the first operation is not correctly accounted for when\nrestricting subsequent operations (bnc#1184942).\n\nCVE-2020-36310: Fixed an issue in arch/x86/kvm/svm/svm.c that allowed\na set_memory_region_test infinite loop for certain nested page faults\n(bnc#1184512).\n\nCVE-2020-27673: Fixed an issue in Xen where a guest OS users could\nhave caused a denial of service (host OS hang) via a high rate of\nevents to dom0 (bnc#1177411, bnc#1184583).\n\nCVE-2021-29154: Fixed BPF JIT compilers that allowed to execute\narbitrary code within the kernel context (bnc#1184391).\n\nCVE-2020-25673: Fixed NFC endless loops caused by repeated\nllcp_sock_connect() (bsc#1178181).\n\nCVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect()\n(bsc#1178181).\n\nCVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect()\n(bsc#1178181).\n\nCVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind()\n(bsc#1178181).\n\nCVE-2020-36311: Fixed an issue in arch/x86/kvm/svm/sev.c that allowed\nattackers to cause a denial of service (soft lockup) by triggering\ndestruction of a large SEV VM (which requires unregistering many\nencrypted regions) (bnc#1184511).\n\nCVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on\nCPU' could have occured because a retry loop continually finds the\nsame bad inode (bnc#1184194, bnc#1184211).\n\nCVE-2020-36322: Fixed an issue inside the FUSE filesystem\nimplementation where fuse_do_getattr() calls make_bad_inode() in\ninappropriate situations, could have caused a system crash. NOTE: the\noriginal fix for this vulnerability was incomplete, and its\nincompleteness is tracked as CVE-2021-28950 (bnc#1184211).\n\nCVE-2021-30002: Fixed a memory leak issue when a webcam device exists\n(bnc#1184120).\n\nCVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl()\n(bsc#1184393).\n\nCVE-2021-20219: Fixed a denial of service vulnerability in\ndrivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker\nwith a normal user privilege could have delayed the loop and cause a\nthreat to the system availability (bnc#1184397).\n\nCVE-2021-28964: Fixed a race condition in fs/btrfs/ctree.c that could\nhave caused a denial of service because of a lack of locking on an\nextent buffer before a cloning operation (bnc#1184193).\n\nCVE-2021-3444: Fixed the bpf verifier as it did not properly handle\nmod32 destination register truncation when the source register was\nknown to be 0. A local attacker with the ability to load bpf programs\ncould use this gain out-of-bounds reads in kernel memory leading to\ninformation disclosure (kernel memory), and possibly out-of-bounds\nwrites that could potentially lead to code execution (bnc#1184170).\n\nCVE-2021-28971: Fixed a potential local denial of service in\nintel_pmu_drain_pebs_nhm where userspace applications can cause a\nsystem crash because the PEBS status in a PEBS record is mishandled\n(bnc#1184196).\n\nCVE-2021-28688: Fixed XSA-365 that includes initialization of pointers\nsuch that subsequent cleanup code wouldn't use uninitialized or stale\nvalues. This initialization went too far and may under certain\nconditions also overwrite pointers which are in need of cleaning up.\nThe lack of cleanup would result in leaking persistent grants. The\nleak in turn would prevent fully cleaning up after a respective guest\nhas died, leaving around zombie domains (bnc#1183646).\n\nCVE-2021-29265: Fixed an issue in usbip_sockfd_store in\ndrivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial\nof service (GPF) because the stub-up sequence has race conditions\nduring an update of the local and shared status (bnc#1184167).\n\nCVE-2021-29264: Fixed an issue in\ndrivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar\nEthernet driver that allowed attackers to cause a system crash because\na negative fragment size is calculated in situations involving an rx\nqueue overrun when jumbo packets are used and NAPI is enabled\n(bnc#1184168).\n\nCVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c\nwhere the RPA PCI Hotplug driver had a user-tolerable buffer overflow\nwhen writing a new device name to the driver from userspace, allowing\nuserspace to write data to the kernel stack frame directly. This\noccurs because add_slot_store and remove_slot_store mishandle drc_name\n'\\0' termination (bnc#1184198).\n\nCVE-2021-29647: Fixed an issue in kernel qrtr_recvmsg in\nnet/qrtr/qrtr.c that allowed attackers to obtain sensitive information\nfrom kernel memory because of a partially uninitialized data structure\n(bnc#1184192).\n\nCVE-2020-27171: Fixed an issue in kernel/bpf/verifier.c that had an\noff-by-one error (with a resultant integer underflow) affecting\nout-of-bounds speculation on pointer arithmetic, leading to\nside-channel attacks that defeat Spectre mitigations and obtain\nsensitive information from kernel memory (bnc#1183686, bnc#1183775).\n\nCVE-2020-27170: Fixed an issue in kernel/bpf/verifier.c that performed\nundesirable out-of-bounds speculation on pointer arithmetic, leading\nto side-channel attacks that defeat Spectre mitigations and obtain\nsensitive information from kernel memory. This affects pointer types\nthat do not define a ptr_limit (bnc#1183686 bnc#1183775).\n\nCVE-2021-28660: Fixed rtw_wx_set_scan in\ndrivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing\nbeyond the end of the ssid array (bnc#1183593).\n\nCVE-2020-35519: Update patch reference for x25 fix (bsc#1183696).\n\nCVE-2021-3428: Fixed ext4 integer overflow in ext4_es_cache_extent\n(bsc#1173485, bsc#1183509).\n\nCVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where\na possible use after free due to improper locking could have happened.\nThis could have led to local escalation of privilege with no\nadditional execution privileges needed. User interaction is not needed\nfor exploitation (bnc#1176720).\n\nCVE-2021-28038: Fixed an issue with Xen PV. A certain part of the\nnetback driver lacks necessary treatment of errors such as failed\nmemory allocations (as a result of changes to the handling of grant\nmapping errors). A host OS denial of service may occur during\nmisbehavior of a networking frontend driver. NOTE: this issue exists\nbecause of an incomplete fix for CVE-2021-26931 (bnc#1183022,\nbnc#1183069).\n\nCVE-2020-27815: Fixed jfs array index bounds check in dbAdjTree\n(bsc#1179454).\n\nCVE-2021-27365: Fixed an issue inside the iSCSI data structures that\ndoes not have appropriate length constraints or checks, and can exceed\nthe PAGE_SIZE value. An unprivileged user can send a Netlink message\nthat is associated with iSCSI, and has a length up to the maximum\nlength of a Netlink message (bnc#1182715).\n\nCVE-2021-27363: Fixed an issue with a kernel pointer leak that could\nhave been used to determine the address of the iscsi_transport\nstructure. When an iSCSI transport is registered with the iSCSI\nsubsystem, the transport's handle is available to unprivileged users\nvia the sysfs file system, at\n/sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the\nshow_transport_handle function (in\ndrivers/scsi/scsi_transport_iscsi.c) is called, which leaks the\nhandle. This handle is actually the pointer to an iscsi_transport\nstruct in the kernel module's global variables (bnc#1182716).\n\nCVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c\nwhere an unprivileged user can craft Netlink messages (bnc#1182717).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1047233\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1173485\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176720\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1177411\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178181\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179454\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181032\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182672\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182715\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182716\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182717\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183022\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183063\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183069\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183509\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183593\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183646\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183696\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183775\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184120\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184167\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184168\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184170\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184192\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184193\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184194\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184196\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184198\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184208\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184211\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184388\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184391\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184393\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184397\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184509\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184511\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184512\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184514\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184583\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184942\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185113\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185244\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1185248\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-0433/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25670/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25671/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25672/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25673/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-27170/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-27171/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-27673/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-27815/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-35519/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36310/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36311/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36312/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36322/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-20219/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-27363/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-27364/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-27365/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28038/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28660/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28688/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28950/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28964/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28971/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28972/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29154/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29155/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29264/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29265/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29647/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-29650/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-30002/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3428/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3444/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3483/\");\n # https://www.suse.com/support/update/announcement/2021/suse-su-20211573-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?78e5e7d1\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 15 :\n\nzypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1573=1\n\nSUSE Linux Enterprise Server 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-2021-1573=1\n\nSUSE Linux Enterprise Module for Live Patching 15 :\n\nzypper in -t patch SUSE-SLE-Module-Live-Patching-15-2021-1573=1\n\nSUSE Linux Enterprise High Performance Computing 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2021-1573=1\n\nSUSE Linux Enterprise High Performance Computing 15-ESPOS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2021-1573=1\n\nSUSE Linux Enterprise High Availability 15 :\n\nzypper in -t patch SUSE-SLE-Product-HA-15-2021-1573=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28660\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-obs-build-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-vanilla-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-vanilla-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-vanilla-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-vanilla-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-zfcpdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-zfcpdump-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:reiserfs-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:reiserfs-kmp-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"s390x\") audit(AUDIT_ARCH_NOT, \"s390x\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-default-4.12.14-150.72.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-default-base-4.12.14-150.72.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-default-debuginfo-4.12.14-150.72.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-default-debugsource-4.12.14-150.72.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-default-devel-4.12.14-150.72.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-default-devel-debuginfo-4.12.14-150.72.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-default-man-4.12.14-150.72.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-obs-build-4.12.14-150.72.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-obs-build-debugsource-4.12.14-150.72.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-syms-4.12.14-150.72.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-vanilla-base-4.12.14-150.72.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-vanilla-base-debuginfo-4.12.14-150.72.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-vanilla-debuginfo-4.12.14-150.72.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-vanilla-debugsource-4.12.14-150.72.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-zfcpdump-debuginfo-4.12.14-150.72.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-zfcpdump-debugsource-4.12.14-150.72.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"reiserfs-kmp-default-4.12.14-150.72.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"reiserfs-kmp-default-debuginfo-4.12.14-150.72.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-25T15:27:37", "description": "The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-4356 advisory.\n\n - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.\n (CVE-2021-29650)\n\n - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A stall on CPU can occur because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)\n\n - In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. (CVE-2021-28971)\n\n - A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an attacker with a local account to leak information about kernel internal addresses. The highest threat from this vulnerability is to confidentiality. (CVE-2021-20239)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after- free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71. (CVE-2021-3348)\n\n - In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-140550171 (CVE-2020-0427)\n\n - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24. (CVE-2020-29660)\n\n - mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.\n (CVE-2020-36158)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi- device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-31916)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel. (CVE-2020-27777)\n\n - A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev() together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5. (CVE-2021-3573)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.\n (CVE-2021-3679)\n\n - The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier support for it) (v5.8-rc1). (CVE-2021-3489)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of- bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf. (CVE-2020-36386)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\n - Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access. (CVE-2021-0129)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files (CVE-2021-3732)\n\n - Improper input validation in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 and before version 1.4.29.0 for Windows*, may allow an authenticated user to potentially enable a denial of service via local access. (CVE-2020-24502)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 may allow an authenticated user to potentially enable information disclosure via local access.\n (CVE-2020-24503)\n\n - Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 may allow an authenticated user to potentially enable denial of service via local access.\n (CVE-2020-24504)\n\n - An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1. (CVE-2020-29368)\n\n - There is a vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y , CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). As result of BPF execution, the local user can trigger bug in __cgroup_bpf_run_filter_getsockopt() function that can lead to heap overflow (because of non-hardened usercopy). The impact of attack could be deny of service or possibly privileges escalation. (CVE-2021-20194)\n\n - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)\n\n - A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. A user with root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands.\n (CVE-2021-3635)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does not properly validate certain data sizes, aka CID-0217ed2848e8. (CVE-2021-29646)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-11-17T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : kernel (ELSA-2021-4356)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0427", "CVE-2020-24502", "CVE-2020-24503", "CVE-2020-24504", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2020-27777", "CVE-2020-29368", "CVE-2020-29660", "CVE-2020-36158", "CVE-2020-36386", "CVE-2021-0129", "CVE-2021-20194", "CVE-2021-20239", "CVE-2021-23133", "CVE-2021-28950", "CVE-2021-28971", "CVE-2021-29155", "CVE-2021-29646", "CVE-2021-29650", "CVE-2021-31440", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-33200", "CVE-2021-3348", "CVE-2021-3489", "CVE-2021-3564", "CVE-2021-3573", "CVE-2021-3600", "CVE-2021-3635", "CVE-2021-3659", "CVE-2021-3679", "CVE-2021-3732"], "modified": "2023-11-23T00:00:00", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:bpftool", "p-cpe:/a:oracle:linux:kernel", "p-cpe:/a:oracle:linux:kernel-abi-stablelists", "p-cpe:/a:oracle:linux:kernel-core", "p-cpe:/a:oracle:linux:kernel-cross-headers", "p-cpe:/a:oracle:linux:kernel-debug", "p-cpe:/a:oracle:linux:kernel-debug-core", "p-cpe:/a:oracle:linux:kernel-debug-devel", "p-cpe:/a:oracle:linux:kernel-debug-modules", "p-cpe:/a:oracle:linux:kernel-debug-modules-extra", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-headers", "p-cpe:/a:oracle:linux:kernel-modules", "p-cpe:/a:oracle:linux:kernel-modules-extra", "p-cpe:/a:oracle:linux:kernel-tools", "p-cpe:/a:oracle:linux:kernel-tools-libs", "p-cpe:/a:oracle:linux:kernel-tools-libs-devel", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:python3-perf"], "id": "ORACLELINUX_ELSA-2021-4356.NASL", "href": "https://www.tenable.com/plugins/nessus/155425", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-4356.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155425);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/23\");\n\n script_cve_id(\n \"CVE-2020-0427\",\n \"CVE-2020-24502\",\n \"CVE-2020-24503\",\n \"CVE-2020-24504\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2020-27777\",\n \"CVE-2020-29368\",\n \"CVE-2020-29660\",\n \"CVE-2020-36158\",\n \"CVE-2020-36386\",\n \"CVE-2021-0129\",\n \"CVE-2021-3348\",\n \"CVE-2021-3489\",\n \"CVE-2021-3564\",\n \"CVE-2021-3573\",\n \"CVE-2021-3600\",\n \"CVE-2021-3635\",\n \"CVE-2021-3659\",\n \"CVE-2021-3679\",\n \"CVE-2021-3732\",\n \"CVE-2021-20194\",\n \"CVE-2021-20239\",\n \"CVE-2021-23133\",\n \"CVE-2021-28950\",\n \"CVE-2021-28971\",\n \"CVE-2021-29155\",\n \"CVE-2021-29646\",\n \"CVE-2021-29650\",\n \"CVE-2021-31440\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"Oracle Linux 8 : kernel (ELSA-2021-4356)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2021-4356 advisory.\n\n - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to\n cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h\n lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.\n (CVE-2021-29650)\n\n - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A stall on CPU can occur\n because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)\n\n - In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some\n Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS\n status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. (CVE-2021-28971)\n\n - A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an\n attacker with a local account to leak information about kernel internal addresses. The highest threat from\n this vulnerability is to confidentiality. (CVE-2021-20239)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel\n 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in\n order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The\n issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the\n context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-\n free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a\n certain point during device setup, aka CID-b98e762e3d71. (CVE-2021-3348)\n\n - In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could\n lead to local information disclosure with no additional execution privileges needed. User interaction is\n not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-140550171\n (CVE-2020-0427)\n\n - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,\n aka CID-c8bcd9c5be24. (CVE-2020-29660)\n\n - mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through\n 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.\n (CVE-2020-36158)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-\n device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with\n special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or\n a leak of internal kernel information. The highest threat from this vulnerability is to system\n availability. (CVE-2021-31916)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked\n down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries\n platform) a root like local user could use this flaw to further increase their privileges to that of a\n running kernel. (CVE-2020-27777)\n\n - A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way\n user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev()\n together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(),\n hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their\n privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5. (CVE-2021-3573)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and\n WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to\n inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was\n found in the way user uses trace ring buffer in a specific way. Only privileged local users (with\n CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.\n (CVE-2021-3679)\n\n - The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size\n was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel\n and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny\n reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4,\n v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier\n support for it) (v5.8-rc1). (CVE-2021-3489)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and\n WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can\n abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042\n (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations\n reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate\n selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the\n WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by\n design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-\n bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf. (CVE-2020-36386)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification performed by the first operation is not correctly\n accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in\n the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the\n system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\n - Improper access control in BlueZ may allow an authenticated user to potentially enable information\n disclosure via adjacent access. (CVE-2021-0129)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files\n (CVE-2021-3732)\n\n - Improper input validation in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4\n and before version 1.4.29.0 for Windows*, may allow an authenticated user to potentially enable a denial\n of service via local access. (CVE-2020-24502)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4\n may allow an authenticated user to potentially enable information disclosure via local access.\n (CVE-2020-24503)\n\n - Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers for Linux before version\n 1.0.4 may allow an authenticated user to potentially enable denial of service via local access.\n (CVE-2020-24504)\n\n - An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The\n copy-on-write implementation can grant unintended write access because of a race condition in a THP\n mapcount check, aka CID-c444eb564fb1. (CVE-2020-29368)\n\n - There is a vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config\n params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y ,\n CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). As result of BPF execution,\n the local user can trigger bug in __cgroup_bpf_run_filter_getsockopt() function that can lead to heap\n overflow (because of non-hardened usercopy). The impact of attack could be deny of service or possibly\n privileges escalation. (CVE-2021-20194)\n\n - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)\n\n - A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. A user with\n root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands.\n (CVE-2021-3635)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does\n not properly validate certain data sizes, aka CID-0217ed2848e8. (CVE-2021-29646)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-4356.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3489\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-abi-stablelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-cross-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python3-perf\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['4.18.0-348.el8'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2021-4356');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '4.18';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'bpftool-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'bpftool-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-4.18.0'},\n {'reference':'kernel-abi-stablelists-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-abi-stablelists-4.18.0'},\n {'reference':'kernel-core-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-core-4.18.0'},\n {'reference':'kernel-cross-headers-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-cross-headers-4.18.0'},\n {'reference':'kernel-cross-headers-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-cross-headers-4.18.0'},\n {'reference':'kernel-debug-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-4.18.0'},\n {'reference':'kernel-debug-core-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-core-4.18.0'},\n {'reference':'kernel-debug-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-devel-4.18.0'},\n {'reference':'kernel-debug-modules-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-modules-4.18.0'},\n {'reference':'kernel-debug-modules-extra-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-modules-extra-4.18.0'},\n {'reference':'kernel-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-devel-4.18.0'},\n {'reference':'kernel-headers-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-headers-4.18.0'},\n {'reference':'kernel-headers-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-headers-4.18.0'},\n {'reference':'kernel-modules-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-modules-4.18.0'},\n {'reference':'kernel-modules-extra-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-modules-extra-4.18.0'},\n {'reference':'kernel-tools-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-4.18.0'},\n {'reference':'kernel-tools-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-4.18.0'},\n {'reference':'kernel-tools-libs-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-libs-4.18.0'},\n {'reference':'kernel-tools-libs-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-libs-4.18.0'},\n {'reference':'kernel-tools-libs-devel-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-libs-devel-4.18.0'},\n {'reference':'kernel-tools-libs-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-libs-devel-4.18.0'},\n {'reference':'perf-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / kernel / kernel-abi-stablelists / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-14T14:47:04", "description": "The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2021:4356 advisory.\n\n - Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may allow an unauthenticated user to potentially enable information disclosure via local access.\n (CVE-2019-14615)\n\n - In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-140550171 (CVE-2020-0427)\n\n - Improper input validation in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 and before version 1.4.29.0 for Windows*, may allow an authenticated user to potentially enable a denial of service via local access. (CVE-2020-24502)\n\n - Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 may allow an authenticated user to potentially enable information disclosure via local access.\n (CVE-2020-24503)\n\n - Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 may allow an authenticated user to potentially enable denial of service via local access.\n (CVE-2020-24504)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel. (CVE-2020-27777)\n\n - An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1. (CVE-2020-29368)\n\n - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24. (CVE-2020-29660)\n\n - mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.\n (CVE-2020-36158)\n\n - An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d. (CVE-2020-36312)\n\n - An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of- bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf. (CVE-2020-36386)\n\n - Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access. (CVE-2021-0129)\n\n - nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after- free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71. (CVE-2021-3348)\n\n - The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier support for it) (v5.8-rc1). (CVE-2021-3489)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\n - A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev() together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5. (CVE-2021-3573)\n\n - A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. A user with root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands.\n (CVE-2021-3635)\n\n - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.\n (CVE-2021-3679)\n\n - There is a vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y , CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). As result of BPF execution, the local user can trigger bug in __cgroup_bpf_run_filter_getsockopt() function that can lead to heap overflow (because of non-hardened usercopy). The impact of attack could be deny of service or possibly privileges escalation. (CVE-2021-20194)\n\n - A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an attacker with a local account to leak information about kernel internal addresses. The highest threat from this vulnerability is to confidentiality. (CVE-2021-20239)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A stall on CPU can occur because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)\n\n - In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. (CVE-2021-28971)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does not properly validate certain data sizes, aka CID-0217ed2848e8. (CVE-2021-29646)\n\n - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.\n (CVE-2021-29650)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi- device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-31916)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. (CVE-2021-33033)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-02-09T00:00:00", "type": "nessus", "title": "AlmaLinux 8 : kernel (ALSA-2021:4356)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14615", "CVE-2020-0427", "CVE-2020-24502", "CVE-2020-24503", "CVE-2020-24504", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2020-27777", "CVE-2020-29368", "CVE-2020-29660", "CVE-2020-36158", "CVE-2020-36312", "CVE-2020-36386", "CVE-2021-0129", "CVE-2021-20194", "CVE-2021-20239", "CVE-2021-23133", "CVE-2021-28950", "CVE-2021-28971", "CVE-2021-29155", "CVE-2021-29646", "CVE-2021-29650", "CVE-2021-31440", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-33033", "CVE-2021-33200", "CVE-2021-3348", "CVE-2021-3489", "CVE-2021-3564", "CVE-2021-3573", "CVE-2021-3600", "CVE-2021-3635", "CVE-2021-3659", "CVE-2021-3679", "CVE-2021-3732"], "modified": "2023-11-13T00:00:00", "cpe": ["p-cpe:/a:alma:linux:bpftool", "p-cpe:/a:alma:linux:kernel", "p-cpe:/a:alma:linux:kernel-abi-stablelists", "p-cpe:/a:alma:linux:kernel-core", "p-cpe:/a:alma:linux:kernel-cross-headers", "p-cpe:/a:alma:linux:kernel-debug", "p-cpe:/a:alma:linux:kernel-debug-core", "p-cpe:/a:alma:linux:kernel-debug-devel", "p-cpe:/a:alma:linux:kernel-debug-modules", "p-cpe:/a:alma:linux:kernel-debug-modules-extra", "p-cpe:/a:alma:linux:kernel-devel", "p-cpe:/a:alma:linux:kernel-headers", "p-cpe:/a:alma:linux:kernel-modules", "p-cpe:/a:alma:linux:kernel-modules-extra", "p-cpe:/a:alma:linux:kernel-tools", "p-cpe:/a:alma:linux:kernel-tools-libs", "p-cpe:/a:alma:linux:kernel-tools-libs-devel", "p-cpe:/a:alma:linux:perf", "p-cpe:/a:alma:linux:python3-perf", "cpe:/o:alma:linux:8"], "id": "ALMA_LINUX_ALSA-2021-4356.NASL", "href": "https://www.tenable.com/plugins/nessus/157497", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# AlmaLinux Security Advisory ALSA-2021:4356.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(157497);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/13\");\n\n script_cve_id(\n \"CVE-2019-14615\",\n \"CVE-2020-0427\",\n \"CVE-2020-24502\",\n \"CVE-2020-24503\",\n \"CVE-2020-24504\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2020-27777\",\n \"CVE-2020-29368\",\n \"CVE-2020-29660\",\n \"CVE-2020-36158\",\n \"CVE-2020-36312\",\n \"CVE-2020-36386\",\n \"CVE-2021-0129\",\n \"CVE-2021-3348\",\n \"CVE-2021-3489\",\n \"CVE-2021-3564\",\n \"CVE-2021-3573\",\n \"CVE-2021-3600\",\n \"CVE-2021-3635\",\n \"CVE-2021-3659\",\n \"CVE-2021-3679\",\n \"CVE-2021-3732\",\n \"CVE-2021-20194\",\n \"CVE-2021-20239\",\n \"CVE-2021-23133\",\n \"CVE-2021-28950\",\n \"CVE-2021-28971\",\n \"CVE-2021-29155\",\n \"CVE-2021-29646\",\n \"CVE-2021-29650\",\n \"CVE-2021-31440\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-33033\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"ALSA\", value:\"2021:4356\");\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"AlmaLinux 8 : kernel (ALSA-2021:4356)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AlmaLinux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nALSA-2021:4356 advisory.\n\n - Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor\n Graphics may allow an unauthenticated user to potentially enable information disclosure via local access.\n (CVE-2019-14615)\n\n - In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could\n lead to local information disclosure with no additional execution privileges needed. User interaction is\n not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-140550171\n (CVE-2020-0427)\n\n - Improper input validation in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4\n and before version 1.4.29.0 for Windows*, may allow an authenticated user to potentially enable a denial\n of service via local access. (CVE-2020-24502)\n\n - Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4\n may allow an authenticated user to potentially enable information disclosure via local access.\n (CVE-2020-24503)\n\n - Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers for Linux before version\n 1.0.4 may allow an authenticated user to potentially enable denial of service via local access.\n (CVE-2020-24504)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and\n WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to\n inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and\n WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can\n abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042\n (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations\n reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate\n selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the\n WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by\n design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked\n down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries\n platform) a root like local user could use this flaw to further increase their privileges to that of a\n running kernel. (CVE-2020-27777)\n\n - An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The\n copy-on-write implementation can grant unintended write access because of a race condition in a THP\n mapcount check, aka CID-c444eb564fb1. (CVE-2020-29368)\n\n - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,\n aka CID-c8bcd9c5be24. (CVE-2020-29660)\n\n - mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through\n 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.\n (CVE-2020-36158)\n\n - An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a\n kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d. (CVE-2020-36312)\n\n - An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-\n bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf. (CVE-2020-36386)\n\n - Improper access control in BlueZ may allow an authenticated user to potentially enable information\n disclosure via adjacent access. (CVE-2021-0129)\n\n - nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-\n free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a\n certain point during device setup, aka CID-b98e762e3d71. (CVE-2021-3348)\n\n - The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size\n was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel\n and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny\n reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4,\n v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier\n support for it) (v5.8-rc1). (CVE-2021-3489)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in\n the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the\n system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\n - A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way\n user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev()\n together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(),\n hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their\n privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5. (CVE-2021-3573)\n\n - A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. A user with\n root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands.\n (CVE-2021-3635)\n\n - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was\n found in the way user uses trace ring buffer in a specific way. Only privileged local users (with\n CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.\n (CVE-2021-3679)\n\n - There is a vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config\n params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y ,\n CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). As result of BPF execution,\n the local user can trigger bug in __cgroup_bpf_run_filter_getsockopt() function that can lead to heap\n overflow (because of non-hardened usercopy). The impact of attack could be deny of service or possibly\n privileges escalation. (CVE-2021-20194)\n\n - A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an\n attacker with a local account to leak information about kernel internal addresses. The highest threat from\n this vulnerability is to confidentiality. (CVE-2021-20239)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A stall on CPU can occur\n because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)\n\n - In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some\n Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS\n status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. (CVE-2021-28971)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification performed by the first operation is not correctly\n accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does\n not properly validate certain data sizes, aka CID-0217ed2848e8. (CVE-2021-29646)\n\n - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to\n cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h\n lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.\n (CVE-2021-29650)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel\n 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in\n order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The\n issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the\n context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-\n device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with\n special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or\n a leak of internal kernel information. The highest threat from this vulnerability is to system\n availability. (CVE-2021-31916)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because\n the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads\n to writing an arbitrary value. (CVE-2021-33033)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://errata.almalinux.org/8/ALSA-2021-4356.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3489\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-abi-stablelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-cross-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-debug-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-debug-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-debug-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:python3-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:8\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Alma Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AlmaLinux/release\", \"Host/AlmaLinux/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/AlmaLinux/release');\nif (isnull(release) || 'AlmaLinux' >!< release) audit(AUDIT_OS_NOT, 'AlmaLinux');\nvar os_ver = pregmatch(pattern: \"AlmaLinux release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'AlmaLinux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'AlmaLinux 8.x', 'AlmaLinux ' + os_ver);\n\nif (!get_kb_item('Host/AlmaLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'AlmaLinux', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n var cve_list = make_list('CVE-2019-14615', 'CVE-2020-0427', 'CVE-2020-24502', 'CVE-2020-24503', 'CVE-2020-24504', 'CVE-2020-24586', 'CVE-2020-24587', 'CVE-2020-24588', 'CVE-2020-26139', 'CVE-2020-26140', 'CVE-2020-26141', 'CVE-2020-26143', 'CVE-2020-26144', 'CVE-2020-26145', 'CVE-2020-26146', 'CVE-2020-26147', 'CVE-2020-27777', 'CVE-2020-29368', 'CVE-2020-29660', 'CVE-2020-36158', 'CVE-2020-36312', 'CVE-2020-36386', 'CVE-2021-0129', 'CVE-2021-3348', 'CVE-2021-3489', 'CVE-2021-3564', 'CVE-2021-3573', 'CVE-2021-3600', 'CVE-2021-3635', 'CVE-2021-3659', 'CVE-2021-3679', 'CVE-2021-3732', 'CVE-2021-20194', 'CVE-2021-20239', 'CVE-2021-23133', 'CVE-2021-28950', 'CVE-2021-28971', 'CVE-2021-29155', 'CVE-2021-29646', 'CVE-2021-29650', 'CVE-2021-31440', 'CVE-2021-31829', 'CVE-2021-31916', 'CVE-2021-33033', 'CVE-2021-33200');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ALSA-2021:4356');\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\nvar pkgs = [\n {'reference':'bpftool-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-abi-stablelists-4.18.0-348.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-core-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-cross-headers-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-core-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-modules-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-modules-extra-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-modules-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-modules-extra-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'Alma-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / kernel / kernel-abi-stablelists / kernel-core / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-25T15:27:36", "description": "The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:4140 advisory.\n\n - kernel: Intel graphics card information leak. (CVE-2019-14615)\n\n - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)\n\n - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)\n\n - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)\n\n - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)\n\n - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)\n\n - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)\n\n - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)\n\n - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)\n\n - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)\n\n - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)\n\n - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)\n\n - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)\n\n - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)\n\n - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)\n\n - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)\n\n - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check (CVE-2020-29368)\n\n - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read- after-free (CVE-2020-29660)\n\n - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)\n\n - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c (CVE-2020-36312)\n\n - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c (CVE-2020-36386)\n\n - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)\n\n - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)\n\n - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)\n\n - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)\n\n - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode (CVE-2021-28950)\n\n - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)\n\n - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds loads can be bypassed to leak content of kernel memory (CVE-2021-29155)\n\n - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)\n\n - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)\n\n - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)\n\n - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory (CVE-2021-31829)\n\n - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)\n\n - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)\n\n - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations by BPF verifier (CVE-2021-33200)\n\n - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)\n\n - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)\n\n - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)\n\n - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)\n\n - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)\n\n - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files (CVE-2021-3732)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "CentOS 8 : kernel-rt (CESA-2021:4140)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14615", "CVE-2020-0427", "CVE-2020-24502", "CVE-2020-24503", "CVE-2020-24504", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2020-29368", "CVE-2020-29660", "CVE-2020-36158", "CVE-2020-36312", "CVE-2020-36386", "CVE-2021-0129", "CVE-2021-20194", "CVE-2021-20239", "CVE-2021-23133", "CVE-2021-28950", "CVE-2021-28971", "CVE-2021-29155", "CVE-2021-29646", "CVE-2021-29650", "CVE-2021-31440", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-33033", "CVE-2021-33200", "CVE-2021-3348", "CVE-2021-3489", "CVE-2021-3564", "CVE-2021-3573", "CVE-2021-3600", "CVE-2021-3635", "CVE-2021-3659", "CVE-2021-3679", "CVE-2021-3732"], "modified": "2023-11-24T00:00:00", "cpe": ["cpe:/o:centos:centos:8-stream", "p-cpe:/a:centos:centos:kernel-rt", "p-cpe:/a:centos:centos:kernel-rt-core", "p-cpe:/a:centos:centos:kernel-rt-debug", "p-cpe:/a:centos:centos:kernel-rt-debug-core", "p-cpe:/a:centos:centos:kernel-rt-debug-devel", "p-cpe:/a:centos:centos:kernel-rt-debug-modules", "p-cpe:/a:centos:centos:kernel-rt-debug-modules-extra", "p-cpe:/a:centos:centos:kernel-rt-devel", "p-cpe:/a:centos:centos:kernel-rt-modules", "p-cpe:/a:centos:centos:kernel-rt-modules-extra"], "id": "CENTOS8_RHSA-2021-4140.NASL", "href": "https://www.tenable.com/plugins/nessus/155070", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# Red Hat Security Advisory RHSA-2021:4140. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155070);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/24\");\n\n script_cve_id(\n \"CVE-2019-14615\",\n \"CVE-2020-0427\",\n \"CVE-2020-24502\",\n \"CVE-2020-24503\",\n \"CVE-2020-24504\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2020-29368\",\n \"CVE-2020-29660\",\n \"CVE-2020-36158\",\n \"CVE-2020-36312\",\n \"CVE-2020-36386\",\n \"CVE-2021-0129\",\n \"CVE-2021-3348\",\n \"CVE-2021-3489\",\n \"CVE-2021-3564\",\n \"CVE-2021-3573\",\n \"CVE-2021-3600\",\n \"CVE-2021-3635\",\n \"CVE-2021-3659\",\n \"CVE-2021-3679\",\n \"CVE-2021-3732\",\n \"CVE-2021-20194\",\n \"CVE-2021-20239\",\n \"CVE-2021-23133\",\n \"CVE-2021-28950\",\n \"CVE-2021-28971\",\n \"CVE-2021-29155\",\n \"CVE-2021-29646\",\n \"CVE-2021-29650\",\n \"CVE-2021-31440\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-33033\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"RHSA\", value:\"2021:4140\");\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"CentOS 8 : kernel-rt (CESA-2021:4140)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2021:4140 advisory.\n\n - kernel: Intel graphics card information leak. (CVE-2019-14615)\n\n - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)\n\n - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)\n\n - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)\n\n - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)\n\n - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)\n\n - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)\n\n - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)\n\n - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)\n\n - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)\n\n - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)\n\n - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)\n\n - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)\n\n - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)\n\n - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)\n\n - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)\n\n - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in\n a THP mapcount check (CVE-2020-29368)\n\n - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-\n after-free (CVE-2020-29660)\n\n - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in\n drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)\n\n - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c\n (CVE-2020-36312)\n\n - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c\n (CVE-2020-36386)\n\n - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)\n\n - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)\n\n - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)\n\n - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)\n\n - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode\n (CVE-2021-28950)\n\n - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)\n\n - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds\n loads can be bypassed to leak content of kernel memory (CVE-2021-29155)\n\n - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)\n\n - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c\n and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)\n\n - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)\n\n - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content\n of kernel memory (CVE-2021-31829)\n\n - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)\n\n - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)\n\n - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations\n by BPF verifier (CVE-2021-33200)\n\n - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)\n\n - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)\n\n - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)\n\n - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)\n\n - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)\n\n - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files\n (CVE-2021-3732)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:4140\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3489\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:8-stream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-debug-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-debug-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-debug-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-rt-modules-extra\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nvar os_ver = pregmatch(pattern: \"CentOS(?: Stream)?(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nvar os_ver = os_ver[1];\nif ('CentOS Stream' >!< release) audit(AUDIT_OS_NOT, 'CentOS 8-Stream');\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n var cve_list = make_list('CVE-2019-14615', 'CVE-2020-0427', 'CVE-2020-24502', 'CVE-2020-24503', 'CVE-2020-24504', 'CVE-2020-24586', 'CVE-2020-24587', 'CVE-2020-24588', 'CVE-2020-26139', 'CVE-2020-26140', 'CVE-2020-26141', 'CVE-2020-26143', 'CVE-2020-26144', 'CVE-2020-26145', 'CVE-2020-26146', 'CVE-2020-26147', 'CVE-2020-29368', 'CVE-2020-29660', 'CVE-2020-36158', 'CVE-2020-36312', 'CVE-2020-36386', 'CVE-2021-0129', 'CVE-2021-3348', 'CVE-2021-3489', 'CVE-2021-3564', 'CVE-2021-3573', 'CVE-2021-3600', 'CVE-2021-3635', 'CVE-2021-3659', 'CVE-2021-3679', 'CVE-2021-3732', 'CVE-2021-20194', 'CVE-2021-20239', 'CVE-2021-23133', 'CVE-2021-28950', 'CVE-2021-28971', 'CVE-2021-29155', 'CVE-2021-29646', 'CVE-2021-29650', 'CVE-2021-31440', 'CVE-2021-31829', 'CVE-2021-31916', 'CVE-2021-33033', 'CVE-2021-33200');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for CESA-2021:4140');\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nvar pkgs = [\n {'reference':'kernel-rt-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-core-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-core-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-devel-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-modules-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-debug-modules-extra-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-devel-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-modules-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-modules-extra-4.18.0-348.rt7.130.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'CentOS-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-rt / kernel-rt-core / kernel-rt-debug / kernel-rt-debug-core / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-25T15:28:16", "description": "The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:4356 advisory.\n\n - kernel: Intel graphics card information leak. (CVE-2019-14615)\n\n - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)\n\n - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)\n\n - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)\n\n - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)\n\n - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)\n\n - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)\n\n - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)\n\n - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)\n\n - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)\n\n - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)\n\n - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)\n\n - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)\n\n - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)\n\n - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)\n\n - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)\n\n - kernel: powerpc: RTAS calls can be used to compromise kernel integrity (CVE-2020-27777)\n\n - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check (CVE-2020-29368)\n\n - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read- after-free (CVE-2020-29660)\n\n - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)\n\n - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c (CVE-2020-36312)\n\n - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c (CVE-2020-36386)\n\n - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)\n\n - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)\n\n - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)\n\n - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)\n\n - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode (CVE-2021-28950)\n\n - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)\n\n - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds loads can be bypassed to leak content of kernel memory (CVE-2021-29155)\n\n - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)\n\n - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)\n\n - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)\n\n - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory (CVE-2021-31829)\n\n - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)\n\n - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)\n\n - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations by BPF verifier (CVE-2021-33200)\n\n - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)\n\n - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)\n\n - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)\n\n - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)\n\n - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)\n\n - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files (CVE-2021-3732)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "CentOS 8 : kernel (CESA-2021:4356)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14615", "CVE-2020-0427", "CVE-2020-24502", "CVE-2020-24503", "CVE-2020-24504", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2020-27777", "CVE-2020-29368", "CVE-2020-29660", "CVE-2020-36158", "CVE-2020-36312", "CVE-2020-36386", "CVE-2021-0129", "CVE-2021-20194", "CVE-2021-20239", "CVE-2021-23133", "CVE-2021-28950", "CVE-2021-28971", "CVE-2021-29155", "CVE-2021-29646", "CVE-2021-29650", "CVE-2021-31440", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-33033", "CVE-2021-33200", "CVE-2021-3348", "CVE-2021-3489", "CVE-2021-3564", "CVE-2021-3573", "CVE-2021-3600", "CVE-2021-3635", "CVE-2021-3659", "CVE-2021-3679", "CVE-2021-3732"], "modified": "2023-11-24T00:00:00", "cpe": ["cpe:/o:centos:centos:8-stream", "p-cpe:/a:centos:centos:bpftool", "p-cpe:/a:centos:centos:kernel", "p-cpe:/a:centos:centos:kernel-abi-stablelists", "p-cpe:/a:centos:centos:kernel-core", "p-cpe:/a:centos:centos:kernel-cross-headers", "p-cpe:/a:centos:centos:kernel-debug", "p-cpe:/a:centos:centos:kernel-debug-core", "p-cpe:/a:centos:centos:kernel-debug-devel", "p-cpe:/a:centos:centos:kernel-debug-modules", "p-cpe:/a:centos:centos:kernel-debug-modules-extra", "p-cpe:/a:centos:centos:kernel-devel", "p-cpe:/a:centos:centos:kernel-headers", "p-cpe:/a:centos:centos:kernel-modules", "p-cpe:/a:centos:centos:kernel-modules-extra", "p-cpe:/a:centos:centos:kernel-tools", "p-cpe:/a:centos:centos:kernel-tools-libs", "p-cpe:/a:centos:centos:kernel-tools-libs-devel", "p-cpe:/a:centos:centos:perf", "p-cpe:/a:centos:centos:python3-perf"], "id": "CENTOS8_RHSA-2021-4356.NASL", "href": "https://www.tenable.com/plugins/nessus/155145", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# Red Hat Security Advisory RHSA-2021:4356. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155145);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/24\");\n\n script_cve_id(\n \"CVE-2019-14615\",\n \"CVE-2020-0427\",\n \"CVE-2020-24502\",\n \"CVE-2020-24503\",\n \"CVE-2020-24504\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2020-27777\",\n \"CVE-2020-29368\",\n \"CVE-2020-29660\",\n \"CVE-2020-36158\",\n \"CVE-2020-36312\",\n \"CVE-2020-36386\",\n \"CVE-2021-0129\",\n \"CVE-2021-3348\",\n \"CVE-2021-3489\",\n \"CVE-2021-3564\",\n \"CVE-2021-3573\",\n \"CVE-2021-3600\",\n \"CVE-2021-3635\",\n \"CVE-2021-3659\",\n \"CVE-2021-3679\",\n \"CVE-2021-3732\",\n \"CVE-2021-20194\",\n \"CVE-2021-20239\",\n \"CVE-2021-23133\",\n \"CVE-2021-28950\",\n \"CVE-2021-28971\",\n \"CVE-2021-29155\",\n \"CVE-2021-29646\",\n \"CVE-2021-29650\",\n \"CVE-2021-31440\",\n \"CVE-2021-31829\",\n \"CVE-2021-31916\",\n \"CVE-2021-33033\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"RHSA\", value:\"2021:4356\");\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"CentOS 8 : kernel (CESA-2021:4356)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2021:4356 advisory.\n\n - kernel: Intel graphics card information leak. (CVE-2019-14615)\n\n - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)\n\n - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)\n\n - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)\n\n - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)\n\n - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)\n\n - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)\n\n - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)\n\n - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)\n\n - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)\n\n - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)\n\n - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)\n\n - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)\n\n - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)\n\n - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)\n\n - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)\n\n - kernel: powerpc: RTAS calls can be used to compromise kernel integrity (CVE-2020-27777)\n\n - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in\n a THP mapcount check (CVE-2020-29368)\n\n - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-\n after-free (CVE-2020-29660)\n\n - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in\n drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)\n\n - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c\n (CVE-2020-36312)\n\n - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c\n (CVE-2020-36386)\n\n - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)\n\n - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)\n\n - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)\n\n - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)\n\n - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode\n (CVE-2021-28950)\n\n - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)\n\n - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds\n loads can be bypassed to leak content of kernel memory (CVE-2021-29155)\n\n - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)\n\n - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c\n and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)\n\n - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)\n\n - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content\n of kernel memory (CVE-2021-31829)\n\n - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)\n\n - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)\n\n - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations\n by BPF verifier (CVE-2021-33200)\n\n - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)\n\n - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)\n\n - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)\n\n - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)\n\n - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)\n\n - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files\n (CVE-2021-3732)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:4356\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3489\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:8-stream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-abi-stablelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-cross-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python3-perf\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nvar os_ver = pregmatch(pattern: \"CentOS(?: Stream)?(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nvar os_ver = os_ver[1];\nif ('CentOS Stream' >!< release) audit(AUDIT_OS_NOT, 'CentOS 8-Stream');\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n var cve_list = make_list('CVE-2019-14615', 'CVE-2020-0427', 'CVE-2020-24502', 'CVE-2020-24503', 'CVE-2020-24504', 'CVE-2020-24586', 'CVE-2020-24587', 'CVE-2020-24588', 'CVE-2020-26139', 'CVE-2020-26140', 'CVE-2020-26141', 'CVE-2020-26143', 'CVE-2020-26144', 'CVE-2020-26145', 'CVE-2020-26146', 'CVE-2020-26147', 'CVE-2020-27777', 'CVE-2020-29368', 'CVE-2020-29660', 'CVE-2020-36158', 'CVE-2020-36312', 'CVE-2020-36386', 'CVE-2021-0129', 'CVE-2021-3348', 'CVE-2021-3489', 'CVE-2021-3564', 'CVE-2021-3573', 'CVE-2021-3600', 'CVE-2021-3635', 'CVE-2021-3659', 'CVE-2021-3679', 'CVE-2021-3732', 'CVE-2021-20194', 'CVE-2021-20239', 'CVE-2021-23133', 'CVE-2021-28950', 'CVE-2021-28971', 'CVE-2021-29155', 'CVE-2021-29646', 'CVE-2021-29650', 'CVE-2021-31440', 'CVE-2021-31829', 'CVE-2021-31916', 'CVE-2021-33033', 'CVE-2021-33200');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for CESA-2021:4356');\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nvar pkgs = [\n {'reference':'bpftool-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'bpftool-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-abi-stablelists-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-abi-stablelists-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-core-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-core-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-cross-headers-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-cross-headers-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-core-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-core-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-devel-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-modules-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-modules-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-modules-extra-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-modules-extra-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-modules-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-modules-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-modules-extra-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-modules-extra-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-devel-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-libs-devel-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-4.18.0-348.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-4.18.0-348.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'CentOS-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / kernel / kernel-abi-stablelists / kernel-core / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-25T15:28:05", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4356 advisory.\n\n - kernel: Intel graphics card information leak. (CVE-2019-14615)\n\n - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)\n\n - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)\n\n - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)\n\n - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)\n\n - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)\n\n - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)\n\n - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)\n\n - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)\n\n - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)\n\n - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)\n\n - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)\n\n - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)\n\n - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)\n\n - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)\n\n - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)\n\n - kernel: powerpc: RTAS calls can be used to compromise kernel integrity (CVE-2020-27777)\n\n - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check (CVE-2020-29368)\n\n - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read- after-free (CVE-2020-29660)\n\n - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)\n\n - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c (CVE-2020-36312)\n\n - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c (CVE-2020-36386)\n\n - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)\n\n - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)\n\n - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)\n\n - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)\n\n - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode (CVE-2021-28950)\n\n - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)\n\n - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds loads can be bypassed to leak content of kernel memory (CVE-2021-29155)\n\n - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)\n\n - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)\n\n - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)\n\n - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory (CVE-2021-31829)\n\n - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)\n\n - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)\n\n - kernel: Improper input validation in the Intel(R) Ethernet ixgbe driver may allow an authenticated user to potentially enable DoS via local access (CVE-2021-33098)\n\n - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations by BPF verifier (CVE-2021-33200)\n\n - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)\n\n - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)\n\n - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)\n\n - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)\n\n - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)\n\n - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files (CVE-2021-3732)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "RHEL 8 : kernel (RHSA-2021:4356)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14615", "CVE-2020-0427", "CVE-2020-24502", "CVE-2020-24503", "CVE-2020-24504", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2020-27777", "CVE-2020-29368", "CVE-2020-29660", "CVE-2020-36158", "CVE-2020-36312", "CVE-2020-36386", "CVE-2021-0129", "CVE-2021-20194", "CVE-2021-20239", "CVE-2021-23133", "CVE-2021-28950", "CVE-2021-28971", "CVE-2021-29155", "CVE-2021-29646", "CVE-2021-29650", "CVE-2021-31440", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-33033", "CVE-2021-33098", "CVE-2021-33200", "CVE-2021-3348", "CVE-2021-3489", "CVE-2021-3564", "CVE-2021-3573", "CVE-2021-3600", "CVE-2021-3635", "CVE-2021-3659", "CVE-2021-3679", "CVE-2021-3732"], "modified": "2023-11-24T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:rhel_aus:8.6", "cpe:/o:redhat:rhel_e4s:8.6", "cpe:/o:redhat:rhel_eus:8.6", "cpe:/o:redhat:rhel_tus:8.6", "p-cpe:/a:redhat:enterprise_linux:bpftool", "p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-stablelists", "p-cpe:/a:redhat:enterprise_linux:kernel-core", "p-cpe:/a:redhat:enterprise_linux:kernel-cross-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-core", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-modules", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-modules-extra", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-modules", "p-cpe:/a:redhat:enterprise_linux:kernel-modules-extra", "p-cpe:/a:redhat:enterprise_linux:kernel-tools", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump", "p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-core", "p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-modules", "p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-modules-extra", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:python3-perf"], "id": "REDHAT-RHSA-2021-4356.NASL", "href": "https://www.tenable.com/plugins/nessus/155219", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:4356. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155219);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/24\");\n\n script_cve_id(\n \"CVE-2019-14615\",\n \"CVE-2020-0427\",\n \"CVE-2020-24502\",\n \"CVE-2020-24503\",\n \"CVE-2020-24504\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2020-27777\",\n \"CVE-2020-29368\",\n \"CVE-2020-29660\",\n \"CVE-2020-36158\",\n \"CVE-2020-36312\",\n \"CVE-2020-36386\",\n \"CVE-2021-0129\",\n \"CVE-2021-3348\",\n \"CVE-2021
CVE-2021-29155
