7.8 High (CVSS3)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score: 5.7 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.1%)
The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-d16d94b00d advisory.
In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation. (CVE-2024-23850)
copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl. (CVE-2024-23851)
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. (CVE-2023-52437)
In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close. Similarly to the previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it's the inverse order of what the submitting thread will do. (CVE-2024-26585)
In the Linux kernel, the following vulnerability has been resolved: net: tls: fix use-after-free with partial reads and async decrypt. tls_decrypt_sg doesn't take a reference on the pages from clear_skb, so the put_page() in tls_decrypt_done releases them, and we trigger a use-after-free in process_rx_list when we try to read from the partially-read skb. (CVE-2024-26582)
In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests. Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical. (CVE-2024-26584)
In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close. The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(), so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference; this way we can depend solely on the atomic ref counter for synchronization. Don't futz with reiniting the completion, either; we are now tightly controlling when completion fires. (CVE-2024-26583)
In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Fix block process call transactions. According to the Intel datasheets, software must reset the block buffer index twice for block process call transactions: once before writing the outgoing data to the buffer, and once again before reading the incoming data from the buffer. The driver is currently missing the second reset, causing the wrong portion of the block buffer to be read. (CVE-2024-26593)
In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Stop relying on userspace for info to fault in xsave buffer. Before this change, the expected size of the user space buffer was taken from fx_sw->xstate_size. fx_sw->xstate_size can be changed from user-space, so it is possible to construct a sigreturn frame where: (1) fx_sw->xstate_size is smaller than the size required by valid bits in fx_sw->xfeatures; (2) user-space unmaps parts of the sigframe fpu buffer so that not all of the buffer required by xrstor is accessible. In this case, xrstor tries to restore and accesses the unmapped area, which results in a fault. But fault_in_readable succeeds because buf + fx_sw->xstate_size is within the still mapped area, so it goes back and tries xrstor again. It will spin in this loop forever. Instead, fault in the maximum size which can be touched by XRSTOR (taken from fpstate->user_size). [ dhansen: tweak subject / changelog ] (CVE-2024-26603)
In the Linux kernel, the following vulnerability has been resolved: Revert "kobject: Remove redundant checks for whether ktype is NULL". This reverts commit 1b28cb81dab7c1eedc6034206f4e8d644046ad31. It is reported to cause problems, so revert it for now until the root cause can be found. (CVE-2024-26604)
In the Linux kernel, the following vulnerability has been resolved: binder: signal epoll threads of self-work. In (e)poll mode, threads often depend on I/O events to determine when data is ready for consumption. Within binder, a thread may initiate a command via BINDER_WRITE_READ without a read buffer and then make use of epoll_wait() or similar to consume any responses afterwards. It is then crucial that epoll threads are signaled via wakeup when they queue their own work. Otherwise, they risk waiting indefinitely for an event, leaving their work unhandled. What is worse, subsequent commands won't trigger a wakeup either, as the thread has pending work. (CVE-2024-26606)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
```nasl
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2024-d16d94b00d
#

include('compat.inc');

if (description)
{
  script_id(191082);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/18");

  script_cve_id(
    "CVE-2023-52437",
    "CVE-2024-23850",
    "CVE-2024-23851",
    "CVE-2024-26582",
    "CVE-2024-26583",
    "CVE-2024-26584",
    "CVE-2024-26585",
    "CVE-2024-26593",
    "CVE-2024-26603",
    "CVE-2024-26604",
    "CVE-2024-26606"
  );
  script_xref(name:"FEDORA", value:"2024-d16d94b00d");

  script_name(english:"Fedora 39 : kernel (2024-d16d94b00d)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Fedora host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the
FEDORA-2024-d16d94b00d advisory.

  - In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion
    failure and crash because a subvolume can be read out too soon after its root item is inserted upon
    subvolume creation. (CVE-2024-23850)

  - copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than
    INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to
    ctl_ioctl. (CVE-2024-23851)

  - Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
    (CVE-2023-52437)

  - In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work
    scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit
    as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling
    complete(). This seems more logical in the first place, as it's the inverse order of what the submitting
    thread will do. (CVE-2024-26585)

  - In the Linux kernel, the following vulnerability has been resolved: net: tls: fix use-after-free with
    partial reads and async decrypt tls_decrypt_sg doesn't take a reference on the pages from clear_skb, so
    the put_page() in tls_decrypt_done releases them, and we trigger a use-after-free in process_rx_list when
    we try to read from the partially-read skb. (CVE-2024-26582)

  - In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto
    requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API,
    crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example,
    when the cryptd queue for AESNI is full (easy to trigger with an artificially low
    cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case,
    the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just
    ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new
    tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the
    error handling paths. The handling is identical. (CVE-2024-26584)

  - In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and
    socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto
    handler calls complete() so any code past that point risks touching already freed data. Try to avoid the
    locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend
    solely on the atomic ref counter for synchronization. Don't futz with reiniting the completion, either, we
    are now tightly controlling when completion fires. (CVE-2024-26583)

  - In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Fix block process call
    transactions According to the Intel datasheets, software must reset the block buffer index twice for block
    process call transactions: once before writing the outgoing data to the buffer, and once again before
    reading the incoming data from the buffer. The driver is currently missing the second reset, causing the
    wrong portion of the block buffer to be read. (CVE-2024-26593)

  - In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Stop relying on userspace for
    info to fault in xsave buffer Before this change, the expected size of the user space buffer was taken
    from fx_sw->xstate_size. fx_sw->xstate_size can be changed from user-space, so it is possible construct a
    sigreturn frame where: * fx_sw->xstate_size is smaller than the size required by valid bits in
    fx_sw->xfeatures. * user-space unmaps parts of the sigrame fpu buffer so that not all of the buffer
    required by xrstor is accessible. In this case, xrstor tries to restore and accesses the unmapped area
    which results in a fault. But fault_in_readable succeeds because buf + fx_sw->xstate_size is within the
    still mapped area, so it goes back and tries xrstor again. It will spin in this loop forever. Instead,
    fault in the maximum size which can be touched by XRSTOR (taken from fpstate->user_size). [ dhansen: tweak
    subject / changelog ] (CVE-2024-26603)

  - In the Linux kernel, the following vulnerability has been resolved: Revert kobject: Remove redundant
    checks for whether ktype is NULL This reverts commit 1b28cb81dab7c1eedc6034206f4e8d644046ad31. It is
    reported to cause problems, so revert it for now until the root cause can be found. (CVE-2024-26604)

  - In the Linux kernel, the following vulnerability has been resolved: binder: signal epoll threads of self-
    work In (e)poll mode, threads often depend on I/O events to determine when data is ready for consumption.
    Within binder, a thread may initiate a command via BINDER_WRITE_READ without a read buffer and then make
    use of epoll_wait() or similar to consume any responses afterwards. It is then crucial that epoll threads
    are signaled via wakeup when they queue their own work. Otherwise, they risk waiting indefinitely for an
    event leaving their work unhandled. What is worse, subsequent commands won't trigger a wakeup either as
    the thread has pending work. (CVE-2024-26606)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2024-d16d94b00d");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-26582");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/01/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/02/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/02/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:39");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Fedora Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include('rpm.inc');
include('ksplice.inc');

# Local checks must be enabled, and the target must be Fedora 39 specifically.
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Fedora' >!< os_release) audit(AUDIT_OS_NOT, 'Fedora');
var os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');
os_ver = os_ver[1];
if (! preg(pattern:"^39([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Fedora 39', 'Fedora ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);

# A Ksplice hotfix covering every CVE in the advisory counts as patched.
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  rm_kb_item(name:'Host/uptrack-uname-r');
  var cve_list = make_list('CVE-2023-52437', 'CVE-2024-23850', 'CVE-2024-23851', 'CVE-2024-26582', 'CVE-2024-26583', 'CVE-2024-26584', 'CVE-2024-26585', 'CVE-2024-26593', 'CVE-2024-26603', 'CVE-2024-26604', 'CVE-2024-26606');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for FEDORA-2024-d16d94b00d');
  }
  else
  {
    __rpm_report = ksplice_reporting_text();
  }
}

# The fixed package version; anything older that is installed is flagged.
var pkgs = [
    {'reference':'kernel-6.7.6-200.fc39', 'release':'FC39', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (reference && _release) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}
```
| Vendor | Product | Version | CPE |
|---|---|---|---|
| fedoraproject | fedora | 39 | cpe:/o:fedoraproject:fedora:39 |
| fedoraproject | fedora | kernel | p-cpe:/a:fedoraproject:fedora:kernel |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52437
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23850
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23851
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26582
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26583
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26584
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26585
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26593
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26603
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26604
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26606
bodhi.fedoraproject.org/updates/FEDORA-2024-d16d94b00d