The version of kernel installed on the remote host is prior to 4.14.231-173.360. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1627 advisory.
A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.
(CVE-2019-19060)
kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks. (CVE-2019-7308)
An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d. (CVE-2020-27171)
rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6 allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases, CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may have situations in which a drivers/staging issue is relevant to their own customer base. (CVE-2021-28660)
The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn’t use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable.
XSA-365 was classified to affect versions back to at least 3.11. (CVE-2021-28688)
A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc. (CVE-2021-28964)
In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name ‘\0’ termination, aka CID-cc7a0bb058b8. (CVE-2021-28972)
BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)
An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70.
(CVE-2021-29265)
An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure, aka CID-50535249f624. (CVE-2021-29647)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
##
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2021-1627.
##
include('compat.inc');
if (description)
{
script_id(148919);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/03/23");
script_cve_id(
"CVE-2019-7308",
"CVE-2019-19060",
"CVE-2020-25670",
"CVE-2020-25671",
"CVE-2020-25672",
"CVE-2020-27171",
"CVE-2021-3483",
"CVE-2021-28660",
"CVE-2021-28688",
"CVE-2021-28964",
"CVE-2021-28972",
"CVE-2021-29154",
"CVE-2021-29265",
"CVE-2021-29647"
);
script_xref(name:"ALAS", value:"2021-1627");
script_name(english:"Amazon Linux 2 : kernel (ALAS-2021-1627)");
script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
script_set_attribute(attribute:"description", value:
"The version of kernel installed on the remote host is prior to 4.14.231-173.360. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2-2021-1627 advisory.
- A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel
before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.
(CVE-2019-19060)
- kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs undesirable out-of-bounds speculation on
pointer arithmetic in various cases, including cases of different branches with different state or limits
to sanitize, leading to side-channel attacks. (CVE-2019-7308)
- An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error
(with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to
side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory,
aka CID-10d2bb2e6b1d. (CVE-2020-27171)
- rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6
allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases,
CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may
have situations in which a drivers/staging issue is relevant to their own customer base. (CVE-2021-28660)
- The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use
uninitialized or stale values. This initialization went too far and may under certain conditions also
overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking
persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died,
leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable.
XSA-365 was classified to affect versions back to at least 3.11. (CVE-2021-28688)
- A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It
allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer
before a cloning operation, aka CID-dbcc7d57bffc. (CVE-2021-28964)
- In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has
a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing
userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and
remove_slot_store mishandle drc_name '\0' termination, aka CID-cc7a0bb058b8. (CVE-2021-28972)
- BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements,
allowing them to execute arbitrary code within the kernel context. This affects
arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)
- An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in
drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up
sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70.
(CVE-2021-29265)
- An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows
attackers to obtain sensitive information from kernel memory because of a partially uninitialized data
structure, aka CID-50535249f624. (CVE-2021-29647)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALAS-2021-1627.html");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-19060");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-7308");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-25670");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-25671");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-25672");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-27171");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2021-28660");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2021-28688");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2021-28964");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2021-28972");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2021-29154");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2021-29265");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2021-29647");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2021-3483");
script_set_attribute(attribute:"solution", value:
"Run 'yum update kernel' to update your system.");
script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-28660");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/31");
script_set_attribute(attribute:"patch_publication_date", value:"2021/04/20");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/04/22");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-livepatch-4.14.231-173.360");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python-perf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python-perf-debuginfo");
script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Amazon Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
include("hotfixes.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
if (os_ver == 'A') os_ver = 'AMI';
audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}
if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
if (get_one_kb_item("Host/kpatch/kernel-cves"))
{
set_hotfix_type("kpatch");
cve_list = make_list("CVE-2019-7308", "CVE-2019-19060", "CVE-2020-25670", "CVE-2020-25671", "CVE-2020-25672", "CVE-2020-27171", "CVE-2021-3483", "CVE-2021-28660", "CVE-2021-28688", "CVE-2021-28964", "CVE-2021-28972", "CVE-2021-29154", "CVE-2021-29265", "CVE-2021-29647");
if (hotfix_cves_check(cve_list))
{
audit(AUDIT_PATCH_INSTALLED, "kpatch hotfix for ALAS-2021-1627");
}
else
{
__rpm_report = hotfix_reporting_text();
}
}
pkgs = [
{'reference':'kernel-4.14.231-173.360.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-4.14.231-173.360.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-debuginfo-4.14.231-173.360.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-debuginfo-4.14.231-173.360.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-debuginfo-common-aarch64-4.14.231-173.360.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-debuginfo-common-x86_64-4.14.231-173.360.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-devel-4.14.231-173.360.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-devel-4.14.231-173.360.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-headers-4.14.231-173.360.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-headers-4.14.231-173.360.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-headers-4.14.231-173.360.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-livepatch-4.14.231-173.360-1.0-0.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-tools-4.14.231-173.360.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-tools-4.14.231-173.360.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-tools-debuginfo-4.14.231-173.360.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-tools-debuginfo-4.14.231-173.360.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-tools-devel-4.14.231-173.360.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-tools-devel-4.14.231-173.360.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'perf-4.14.231-173.360.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'perf-4.14.231-173.360.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'perf-debuginfo-4.14.231-173.360.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'perf-debuginfo-4.14.231-173.360.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python-perf-4.14.231-173.360.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python-perf-4.14.231-173.360.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python-perf-debuginfo-4.14.231-173.360.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python-perf-debuginfo-4.14.231-173.360.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];
flag = 0;
foreach package_array ( pkgs ) {
reference = NULL;
release = NULL;
cpu = NULL;
el_string = NULL;
rpm_spec_vers_cmp = NULL;
allowmaj = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) release = package_array['release'];
if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (reference && release) {
if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-debuginfo / kernel-debuginfo-common-x86_64 / etc");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19060
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7308
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25670
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25671
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25672
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27171
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28660
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28688
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28964
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28972
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29154
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29265
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29647
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3483
access.redhat.com/security/cve/CVE-2019-19060
access.redhat.com/security/cve/CVE-2019-7308
access.redhat.com/security/cve/CVE-2020-25670
access.redhat.com/security/cve/CVE-2020-25671
access.redhat.com/security/cve/CVE-2020-25672
access.redhat.com/security/cve/CVE-2020-27171
access.redhat.com/security/cve/CVE-2021-28660
access.redhat.com/security/cve/CVE-2021-28688
access.redhat.com/security/cve/CVE-2021-28964
access.redhat.com/security/cve/CVE-2021-28972
access.redhat.com/security/cve/CVE-2021-29154
access.redhat.com/security/cve/CVE-2021-29265
access.redhat.com/security/cve/CVE-2021-29647
access.redhat.com/security/cve/CVE-2021-3483
alas.aws.amazon.com/AL2/ALAS-2021-1627.html