The version of microvm-kernel installed on the remote host is prior to 4.14.252-207.481. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2MICROVM-KERNEL-4.14-2023-001 advisory.
A flaw was found in the Linux kernel. A corrupted timer tree caused the task wakeup to be missing in the timerqueue_add function in lib/timerqueue.c. This flaw allows a local attacker with special user privileges to cause a denial of service, slowing and eventually stopping the system while running OSP.
(CVE-2021-20317)
A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.
(CVE-2021-20321)
hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.
(CVE-2021-37159)
A memory leak flaw was found in the Linux kernel in the ccp_run_aes_gcm_cmd() function in drivers/crypto/ccp/ccp-ops.c, which allows attackers to cause a denial of service (memory consumption).
This vulnerability is similar with the older CVE-2019-18808. (CVE-2021-3744)
A memory leak flaw was found in the Linux kernel’s ccp_run_aes_gcm_cmd() function that allows an attacker to cause a denial of service. The vulnerability is similar to the older CVE-2019-18808. The highest threat from this vulnerability is to system availability. (CVE-2021-3764)
arch/mips/net/bpf_jit.c in the Linux kernel before 5.4.10 can generate undesirable machine code when transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context.
This occurs because conditional branches can exceed the 128 KB limit of the MIPS architecture.
(CVE-2021-38300)
prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel before 5.14.12 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write. (CVE-2021-41864)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALASMICROVM-KERNEL-4.14-2023-001.
##
include('compat.inc');
if (description)
{
script_id(181942);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/28");
script_cve_id(
"CVE-2021-3744",
"CVE-2021-3764",
"CVE-2021-20317",
"CVE-2021-20321",
"CVE-2021-37159",
"CVE-2021-38300",
"CVE-2021-41864"
);
script_name(english:"Amazon Linux 2 : microvm-kernel (ALASMICROVM-KERNEL-4.14-2023-001)");
script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
script_set_attribute(attribute:"description", value:
"The version of microvm-kernel installed on the remote host is prior to 4.14.252-207.481. It is, therefore, affected by
multiple vulnerabilities as referenced in the ALAS2MICROVM-KERNEL-4.14-2023-001 advisory.
- A flaw was found in the Linux kernel. A corrupted timer tree caused the task wakeup to be missing in the
timerqueue_add function in lib/timerqueue.c. This flaw allows a local attacker with special user
privileges to cause a denial of service, slowing and eventually stopping the system while running OSP.
(CVE-2021-20317)
- A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users
do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.
(CVE-2021-20321)
- hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev
without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.
(CVE-2021-37159)
- A memory leak flaw was found in the Linux kernel in the ccp_run_aes_gcm_cmd() function in
drivers/crypto/ccp/ccp-ops.c, which allows attackers to cause a denial of service (memory consumption).
This vulnerability is similar with the older CVE-2019-18808. (CVE-2021-3744)
- A memory leak flaw was found in the Linux kernel's ccp_run_aes_gcm_cmd() function that allows an attacker
to cause a denial of service. The vulnerability is similar to the older CVE-2019-18808. The highest threat
from this vulnerability is to system availability. (CVE-2021-3764)
- arch/mips/net/bpf_jit.c in the Linux kernel before 5.4.10 can generate undesirable machine code when
transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context.
This occurs because conditional branches can exceed the 128 KB limit of the MIPS architecture.
(CVE-2021-38300)
- prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel before 5.14.12 allows
unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds
write. (CVE-2021-41864)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALASMICROVM-KERNEL-4.14-2023-001.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-20317.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-20321.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-37159.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-3744.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-3764.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-38300.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-41864.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
script_set_attribute(attribute:"solution", value:
"Run 'yum update microvm-kernel' to update your system.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-38300");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-41864");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/21");
script_set_attribute(attribute:"patch_publication_date", value:"2023/09/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/27");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:microvm-kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:microvm-kernel-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:microvm-kernel-debuginfo-common-aarch64");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:microvm-kernel-debuginfo-common-x86_64");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:microvm-kernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:microvm-kernel-headers");
script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Amazon Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
if (os_ver == 'A') os_ver = 'AMI';
audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}
if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var pkgs = [
{'reference':'microvm-kernel-4.14.252-207.481.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'microvm-kernel-4.14'},
{'reference':'microvm-kernel-4.14.252-207.481.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'microvm-kernel-4.14'},
{'reference':'microvm-kernel-debuginfo-4.14.252-207.481.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'microvm-kernel-4.14'},
{'reference':'microvm-kernel-debuginfo-4.14.252-207.481.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'microvm-kernel-4.14'},
{'reference':'microvm-kernel-debuginfo-common-aarch64-4.14.252-207.481.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'microvm-kernel-4.14'},
{'reference':'microvm-kernel-debuginfo-common-x86_64-4.14.252-207.481.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'microvm-kernel-4.14'},
{'reference':'microvm-kernel-devel-4.14.252-207.481.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'microvm-kernel-4.14'},
{'reference':'microvm-kernel-devel-4.14.252-207.481.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'microvm-kernel-4.14'},
{'reference':'microvm-kernel-headers-4.14.252-207.481.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'microvm-kernel-4.14'},
{'reference':'microvm-kernel-headers-4.14.252-207.481.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'microvm-kernel-4.14'},
{'reference':'microvm-kernel-headers-4.14.252-207.481.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'microvm-kernel-4.14'}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "microvm-kernel / microvm-kernel-debuginfo / microvm-kernel-debuginfo-common-x86_64 / etc");
}
Vendor | Product | Version | CPE |
---|---|---|---|
amazon | linux | microvm-kernel | p-cpe:/a:amazon:linux:microvm-kernel |
amazon | linux | microvm-kernel-debuginfo | p-cpe:/a:amazon:linux:microvm-kernel-debuginfo |
amazon | linux | microvm-kernel-debuginfo-common-aarch64 | p-cpe:/a:amazon:linux:microvm-kernel-debuginfo-common-aarch64 |
amazon | linux | microvm-kernel-debuginfo-common-x86_64 | p-cpe:/a:amazon:linux:microvm-kernel-debuginfo-common-x86_64 |
amazon | linux | microvm-kernel-devel | p-cpe:/a:amazon:linux:microvm-kernel-devel |
amazon | linux | microvm-kernel-headers | p-cpe:/a:amazon:linux:microvm-kernel-headers |
amazon | linux | 2 | cpe:/o:amazon:linux:2 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20317
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20321
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37159
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3744
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3764
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38300
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41864
alas.aws.amazon.com/AL2/ALASMICROVM-KERNEL-4.14-2023-001.html
alas.aws.amazon.com/cve/html/CVE-2021-20317.html
alas.aws.amazon.com/cve/html/CVE-2021-20321.html
alas.aws.amazon.com/cve/html/CVE-2021-37159.html
alas.aws.amazon.com/cve/html/CVE-2021-3744.html
alas.aws.amazon.com/cve/html/CVE-2021-3764.html
alas.aws.amazon.com/cve/html/CVE-2021-38300.html
alas.aws.amazon.com/cve/html/CVE-2021-41864.html
alas.aws.amazon.com/faqs.html