CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
76.8%
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:6901 advisory.
In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value. (CVE-2021-43975)
usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double free. (CVE-2022-28388)
A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.
(CVE-2022-3594)
A vulnerability, which was classified as critical, was found in Linux Kernel. Affected is the function l2cap_conn_del of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211944. (CVE-2022-3640)
A use-after-free(UAF) vulnerability was found in function ‘vmw_cmd_res_check’ in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel’s vmwgfx driver with device file ‘/dev/dri/renderD128 (or Dxxx)’. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS). (CVE-2022-38457)
A use-after-free(UAF) vulnerability was found in function ‘vmw_execbuf_tie_context’ in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel’s vmwgfx driver with device file ‘/dev/dri/renderD128 (or Dxxx)’. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS). (CVE-2022-40133)
Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2022-40982)
There is an infoleak vulnerability in the Linux kernel’s net/bluetooth/l2cap_core.c’s l2cap_parse_conf_req function which can be used to leak kernel pointers remotely. We recommend upgrading past commit https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e https://www.google.com/url (CVE-2022-42895)
A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the TDP MMU are enabled. (CVE-2022-45869)
An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call. (CVE-2022-45887)
A double-free flaw was found in the Linux kernel’s TUN/TAP device driver functionality in how a user registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier). This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-4744)
A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the ‘rlim’ variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)
A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 (net: sched: fix race condition in qdisc_graft()) not applied yet, then kernel could be affected. (CVE-2023-0590)
A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data. A local user could use this flaw to get access to some important data with expected location in memory. (CVE-2023-0597)
A memory corruption flaw was found in the Linux kernel’s human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2023-1073)
A memory leak flaw was found in the Linux kernel’s Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)
A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready. (CVE-2023-1075)
A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.
(CVE-2023-1079)
A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2023-1118)
A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%. (CVE-2023-1206)
A use-after-free flaw was found in the Linux kernel’s Ext4 File System in how a user triggers several file operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially escalate their privileges on the system. Only if patch 9a2544037600 (ovl: fix use after free in struct ovl_aio_req) not applied yet, the kernel could be affected. (CVE-2023-1252)
A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc protocol in the Linux kernel. (CVE-2023-1382)
A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. This vulnerability could even lead to a kernel information leak problem.
(CVE-2023-1855)
A use-after-free flaw was found in btsdio_remove in drivers\bluetooth\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices. (CVE-2023-1989)
The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line. This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection.
However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects. (CVE-2023-1998)
atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). (CVE-2023-23455)
A use-after-free vulnerability was found in the Linux kernel’s ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors. (CVE-2023-2513)
In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. (CVE-2023-26545)
A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before transferring into the device.
This flaw allows a local user to crash the system or potentially cause a denial of service.
(CVE-2023-28328)
An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow. (CVE-2023-28772)
An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4. (CVE-2023-30456)
An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process. (CVE-2023-31084)
A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak. (CVE-2023-3141)
qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX. (CVE-2023-31436)
A flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds occurs leading to undefined behavior and possible denial of service. (CVE-2023-3161)
A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.
(CVE-2023-3212)
An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information. (CVE-2023-3268)
The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac based device.
(CVE-2023-33203)
A race condition vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within the handling of GEM objects. The issue results from improper locking when performing operations on an object. This flaw allows a local privileged user to disclose information in the context of the kernel.
(CVE-2023-33951)
A double-free vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within the handling of vmw_buffer_object objects. The issue results from the lack of validating the existence of an object prior to performing further free operations on the object. This flaw allows a local privileged user to escalate privileges and execute code in the context of the kernel. (CVE-2023-33952)
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c. (CVE-2023-35823)
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c. (CVE-2023-35824)
A use-after-free vulnerability in the Linux kernel’s net/sched: cls_u32 component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
(CVE-2023-3609)
An out-of-bounds write vulnerability in the Linux kernel’s net/sched: sch_qfq component can be exploited to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out- of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)
A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (CVE-2023-3772)
A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition. (CVE-2023-4132)
A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the VMGEXIT
handler recursively. If an attacker manages to call the handler multiple times, they can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages (CONFIG_VMAP_STACK
). (CVE-2023-4155)
A use-after-free vulnerability in the Linux kernel’s net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
(CVE-2023-4206)
A use-after-free vulnerability in the Linux kernel’s net/sched: cls_fw component can be exploited to achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after- free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec. (CVE-2023-4207)
A use-after-free vulnerability in the Linux kernel’s net/sched: cls_u32 component can be exploited to achieve local privilege escalation. When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.
(CVE-2023-4208)
A flaw was found in pfn_swap_entry_to_page in memory management subsystem in the Linux Kernel. In this flaw, an attacker with a local user privilege may cause a denial of service problem due to a BUG statement referencing pmd_t x. (CVE-2023-4732)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2023:6901. The text
# itself is copyright (C) Red Hat, Inc.
##
include('compat.inc');
if (description)
{
script_id(185666);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/16");
script_cve_id(
"CVE-2021-43975",
"CVE-2022-3594",
"CVE-2022-3640",
"CVE-2022-4744",
"CVE-2022-28388",
"CVE-2022-38457",
"CVE-2022-40133",
"CVE-2022-40982",
"CVE-2022-42895",
"CVE-2022-45869",
"CVE-2022-45887",
"CVE-2023-0458",
"CVE-2023-0590",
"CVE-2023-0597",
"CVE-2023-1073",
"CVE-2023-1074",
"CVE-2023-1075",
"CVE-2023-1079",
"CVE-2023-1118",
"CVE-2023-1206",
"CVE-2023-1252",
"CVE-2023-1382",
"CVE-2023-1855",
"CVE-2023-1989",
"CVE-2023-1998",
"CVE-2023-2513",
"CVE-2023-3141",
"CVE-2023-3161",
"CVE-2023-3212",
"CVE-2023-3268",
"CVE-2023-3609",
"CVE-2023-3611",
"CVE-2023-3772",
"CVE-2023-4128",
"CVE-2023-4132",
"CVE-2023-4155",
"CVE-2023-4206",
"CVE-2023-4207",
"CVE-2023-4208",
"CVE-2023-4732",
"CVE-2023-23455",
"CVE-2023-26545",
"CVE-2023-28328",
"CVE-2023-28772",
"CVE-2023-30456",
"CVE-2023-31084",
"CVE-2023-31436",
"CVE-2023-33203",
"CVE-2023-33951",
"CVE-2023-33952",
"CVE-2023-35823",
"CVE-2023-35824"
);
script_xref(name:"RHSA", value:"2023:6901");
script_name(english:"RHEL 8 : kernel-rt (RHSA-2023:6901)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as
referenced in the RHSA-2023:6901 advisory.
- In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in
drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a
crafted device) to trigger an out-of-bounds write via a crafted length value. (CVE-2021-43975)
- usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double
free. (CVE-2022-28388)
- A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this
vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The
manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to
apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.
(CVE-2022-3594)
- A vulnerability, which was classified as critical, was found in Linux Kernel. Affected is the function
l2cap_conn_del of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads
to use after free. It is recommended to apply a patch to fix this issue. The identifier of this
vulnerability is VDB-211944. (CVE-2022-3640)
- A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in
drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128
(or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing
a denial of service(DoS). (CVE-2022-38457)
- A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in
drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128
(or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing
a denial of service(DoS). (CVE-2022-40133)
- Information exposure through microarchitectural state after transient execution in certain vector
execution units for some Intel(R) Processors may allow an authenticated user to potentially enable
information disclosure via local access. (CVE-2022-40982)
- There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req
function which can be used to leak kernel pointers remotely. We recommend upgrading past commit
https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e
https://www.google.com/url (CVE-2022-42895)
- A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to
cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the
TDP MMU are enabled. (CVE-2022-45869)
- An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a
memory leak because of the lack of a dvb_frontend_detach call. (CVE-2022-45887)
- A double-free flaw was found in the Linux kernel's TUN/TAP device driver functionality in how a user
registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier). This flaw
allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-4744)
- A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The
resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be
used to leak the contents. We recommend upgrading past version 6.1.8 or commit
739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)
- A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race
problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 (net: sched: fix race
condition in qdisc_graft()) not applied yet, then kernel could be affected. (CVE-2023-0590)
- A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was
found in the way user can guess location of exception stack(s) or other important data. A local user could
use this flaw to get access to some important data with expected location in memory. (CVE-2023-0597)
- A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a
user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their
privileges on the system. (CVE-2023-1073)
- A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may
occur when a user starts a malicious networking service and someone connects to this service. This could
allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)
- A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness,
potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field
that overlaps with rec->tx_ready. (CVE-2023-1075)
- A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when
plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to
the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED
controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led
structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.
(CVE-2023-1079)
- A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the
way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate
their privileges on the system. (CVE-2023-1118)
- A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel's IPv6
functionality when a user makes a new kind of SYN flood attack. A user located in the local network or
with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up
to 95%. (CVE-2023-1206)
- A use-after-free flaw was found in the Linux kernel's Ext4 File System in how a user triggers several file
operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially
escalate their privileges on the system. Only if patch 9a2544037600 (ovl: fix use after free in struct
ovl_aio_req) not applied yet, the kernel could be affected. (CVE-2023-1252)
- A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This
issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc
protocol in the Linux kernel. (CVE-2023-1382)
- A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware
Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system
due to a race problem. This vulnerability could even lead to a kernel information leak problem.
(CVE-2023-1855)
- A use-after-free flaw was found in btsdio_remove in drivers\bluetooth\btsdio.c in the Linux Kernel. In
this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on
hdev devices. (CVE-2023-1989)
- The Linux kernel allows userspace processes to enable mitigations by calling prctl with
PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed
that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to
attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be
observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line. This happened
because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that
STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection.
However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons,
which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target
injection against which STIBP protects. (CVE-2023-1998)
- atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial
of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition
rather than valid classification results). (CVE-2023-23455)
- A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the
extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system
crash or other undefined behaviors. (CVE-2023-2513)
- In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure
(for registering the sysctl table under a new location) during the renaming of a device. (CVE-2023-26545)
- A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in
the Linux Kernel. The message from user space is not checked properly before transferring into the device.
This flaw allows a local user to crash the system or potentially cause a denial of service.
(CVE-2023-28328)
- An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer
overflow. (CVE-2023-28772)
- An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64
lacks consistency checks for CR0 and CR4. (CVE-2023-30456)
- An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a
blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is
called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event,
down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and
down(&fepriv->sem) may block the process. (CVE-2023-31084)
- A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the
Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading
to a kernel information leak. (CVE-2023-3141)
- qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write
because lmax can exceed QFQ_MIN_LMAX. (CVE-2023-31436)
- A flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and
font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds
occurs leading to undefined behavior and possible denial of service. (CVE-2023-3161)
- A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on
corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it
has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.
(CVE-2023-3212)
- An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in
kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel
internal information. (CVE-2023-3268)
- The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in
drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac based device.
(CVE-2023-33203)
- A race condition vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within
the handling of GEM objects. The issue results from improper locking when performing operations on an
object. This flaw allows a local privileged user to disclose information in the context of the kernel.
(CVE-2023-33951)
- A double-free vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within the
handling of vmw_buffer_object objects. The issue results from the lack of validating the existence of an
object prior to performing further free operations on the object. This flaw allows a local privileged user
to escalate privileges and execute code in the context of the kernel. (CVE-2023-33952)
- An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in
drivers/media/pci/saa7134/saa7134-core.c. (CVE-2023-35823)
- An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in
drivers/media/pci/dm1105/dm1105.c. (CVE-2023-35824)
- A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to
achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return
an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can
control the reference counter and set it to zero, they can cause the reference to be freed, leading to a
use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
(CVE-2023-3609)
- An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited
to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-
of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend
upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)
- A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue
may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in
xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (CVE-2023-3772)
- A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs
during device initialization when the siano device is plugged in. This flaw allows a local user to crash
the system, causing a denial of service condition. (CVE-2023-4132)
- A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using
SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke
the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can
trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel
configurations without stack guard pages (`CONFIG_VMAP_STACK`). (CVE-2023-4155)
- A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to
achieve local privilege escalation. When route4_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter. This causes a problem when
updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading
to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
(CVE-2023-4206)
- A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to
achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result
struct is always copied into the new instance of the filter. This causes a problem when updating a filter
bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path,
decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-
free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec. (CVE-2023-4207)
- A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to
achieve local privilege escalation. When u32_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter. This causes a problem when
updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading
to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.
(CVE-2023-4208)
- A flaw was found in pfn_swap_entry_to_page in memory management subsystem in the Linux Kernel. In this
flaw, an attacker with a local user privilege may cause a denial of service problem due to a BUG statement
referencing pmd_t x. (CVE-2023-4732)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2021-43975");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2022-3594");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2022-3640");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2022-4744");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2022-28388");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2022-38457");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2022-40133");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2022-40982");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2022-42895");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2022-45869");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2022-45887");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-0458");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-0590");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-0597");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-1073");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-1074");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-1075");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-1079");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-1118");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-1206");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-1252");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-1382");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-1855");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-1989");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-1998");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-2513");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-3141");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-3161");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-3212");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-3268");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-3609");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-3611");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-3772");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-4128");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-4132");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-4155");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-4206");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-4207");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-4208");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-4732");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-23455");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-26545");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-28328");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-28772");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-30456");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-31084");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-31436");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-33203");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-33951");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-33952");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-35823");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-35824");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2023:6901");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-43975");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-3640");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(119, 125, 200, 226, 358, 362, 366, 367, 385, 400, 401, 415, 416, 476, 779, 787, 824, 843, 1335);
script_set_attribute(attribute:"vendor_severity", value:"Important");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/11/09");
script_set_attribute(attribute:"patch_publication_date", value:"2023/11/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-core");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-core");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-modules");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-modules-extra");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-modules");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-modules-extra");
script_set_attribute(attribute:"generated_plugin", value:"former");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
include('ksplice.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
rm_kb_item(name:'Host/uptrack-uname-r');
var cve_list = make_list('CVE-2021-43975', 'CVE-2022-3594', 'CVE-2022-3640', 'CVE-2022-4744', 'CVE-2022-28388', 'CVE-2022-38457', 'CVE-2022-40133', 'CVE-2022-40982', 'CVE-2022-42895', 'CVE-2022-45869', 'CVE-2022-45887', 'CVE-2023-0458', 'CVE-2023-0590', 'CVE-2023-0597', 'CVE-2023-1073', 'CVE-2023-1074', 'CVE-2023-1075', 'CVE-2023-1079', 'CVE-2023-1118', 'CVE-2023-1206', 'CVE-2023-1252', 'CVE-2023-1382', 'CVE-2023-1855', 'CVE-2023-1989', 'CVE-2023-1998', 'CVE-2023-2513', 'CVE-2023-3141', 'CVE-2023-3161', 'CVE-2023-3212', 'CVE-2023-3268', 'CVE-2023-3609', 'CVE-2023-3611', 'CVE-2023-3772', 'CVE-2023-4128', 'CVE-2023-4132', 'CVE-2023-4155', 'CVE-2023-4206', 'CVE-2023-4207', 'CVE-2023-4208', 'CVE-2023-4732', 'CVE-2023-23455', 'CVE-2023-26545', 'CVE-2023-28328', 'CVE-2023-28772', 'CVE-2023-30456', 'CVE-2023-31084', 'CVE-2023-31436', 'CVE-2023-33203', 'CVE-2023-33951', 'CVE-2023-33952', 'CVE-2023-35823', 'CVE-2023-35824', 'CVE-2023-35825');
if (ksplice_cves_check(cve_list))
{
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for RHSA-2023:6901');
}
else
{
__rpm_report = ksplice_reporting_text();
}
}
var constraints = [
{
'repo_relative_urls': [
'content/dist/rhel8/8.6/x86_64/appstream/debug',
'content/dist/rhel8/8.6/x86_64/appstream/os',
'content/dist/rhel8/8.6/x86_64/appstream/source/SRPMS',
'content/dist/rhel8/8.6/x86_64/baseos/debug',
'content/dist/rhel8/8.6/x86_64/baseos/os',
'content/dist/rhel8/8.6/x86_64/baseos/source/SRPMS',
'content/dist/rhel8/8.6/x86_64/codeready-builder/debug',
'content/dist/rhel8/8.6/x86_64/codeready-builder/os',
'content/dist/rhel8/8.6/x86_64/codeready-builder/source/SRPMS',
'content/dist/rhel8/8.6/x86_64/highavailability/debug',
'content/dist/rhel8/8.6/x86_64/highavailability/os',
'content/dist/rhel8/8.6/x86_64/highavailability/source/SRPMS',
'content/dist/rhel8/8.6/x86_64/nfv/debug',
'content/dist/rhel8/8.6/x86_64/nfv/os',
'content/dist/rhel8/8.6/x86_64/nfv/source/SRPMS',
'content/dist/rhel8/8.6/x86_64/resilientstorage/debug',
'content/dist/rhel8/8.6/x86_64/resilientstorage/os',
'content/dist/rhel8/8.6/x86_64/resilientstorage/source/SRPMS',
'content/dist/rhel8/8.6/x86_64/rt/debug',
'content/dist/rhel8/8.6/x86_64/rt/os',
'content/dist/rhel8/8.6/x86_64/rt/source/SRPMS',
'content/dist/rhel8/8.6/x86_64/sap-solutions/debug',
'content/dist/rhel8/8.6/x86_64/sap-solutions/os',
'content/dist/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',
'content/dist/rhel8/8.6/x86_64/sap/debug',
'content/dist/rhel8/8.6/x86_64/sap/os',
'content/dist/rhel8/8.6/x86_64/sap/source/SRPMS',
'content/dist/rhel8/8.6/x86_64/supplementary/debug',
'content/dist/rhel8/8.6/x86_64/supplementary/os',
'content/dist/rhel8/8.6/x86_64/supplementary/source/SRPMS',
'content/dist/rhel8/8/x86_64/appstream/debug',
'content/dist/rhel8/8/x86_64/appstream/os',
'content/dist/rhel8/8/x86_64/appstream/source/SRPMS',
'content/dist/rhel8/8/x86_64/baseos/debug',
'content/dist/rhel8/8/x86_64/baseos/os',
'content/dist/rhel8/8/x86_64/baseos/source/SRPMS',
'content/dist/rhel8/8/x86_64/codeready-builder/debug',
'content/dist/rhel8/8/x86_64/codeready-builder/os',
'content/dist/rhel8/8/x86_64/codeready-builder/source/SRPMS',
'content/dist/rhel8/8/x86_64/highavailability/debug',
'content/dist/rhel8/8/x86_64/highavailability/os',
'content/dist/rhel8/8/x86_64/highavailability/source/SRPMS',
'content/dist/rhel8/8/x86_64/nfv/debug',
'content/dist/rhel8/8/x86_64/nfv/os',
'content/dist/rhel8/8/x86_64/nfv/source/SRPMS',
'content/dist/rhel8/8/x86_64/resilientstorage/debug',
'content/dist/rhel8/8/x86_64/resilientstorage/os',
'content/dist/rhel8/8/x86_64/resilientstorage/source/SRPMS',
'content/dist/rhel8/8/x86_64/rt/debug',
'content/dist/rhel8/8/x86_64/rt/os',
'content/dist/rhel8/8/x86_64/rt/source/SRPMS',
'content/dist/rhel8/8/x86_64/sap-solutions/debug',
'content/dist/rhel8/8/x86_64/sap-solutions/os',
'content/dist/rhel8/8/x86_64/sap-solutions/source/SRPMS',
'content/dist/rhel8/8/x86_64/sap/debug',
'content/dist/rhel8/8/x86_64/sap/os',
'content/dist/rhel8/8/x86_64/sap/source/SRPMS',
'content/dist/rhel8/8/x86_64/supplementary/debug',
'content/dist/rhel8/8/x86_64/supplementary/os',
'content/dist/rhel8/8/x86_64/supplementary/source/SRPMS'
],
'pkgs': [
{'reference':'kernel-rt-4.18.0-513.5.1.rt7.307.el8_9', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-rt-core-4.18.0-513.5.1.rt7.307.el8_9', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-rt-debug-4.18.0-513.5.1.rt7.307.el8_9', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-rt-debug-core-4.18.0-513.5.1.rt7.307.el8_9', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-rt-debug-devel-4.18.0-513.5.1.rt7.307.el8_9', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-rt-debug-kvm-4.18.0-513.5.1.rt7.307.el8_9', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-rt-debug-modules-4.18.0-513.5.1.rt7.307.el8_9', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-rt-debug-modules-extra-4.18.0-513.5.1.rt7.307.el8_9', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-rt-devel-4.18.0-513.5.1.rt7.307.el8_9', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-rt-kvm-4.18.0-513.5.1.rt7.307.el8_9', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-rt-modules-4.18.0-513.5.1.rt7.307.el8_9', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-rt-modules-extra-4.18.0-513.5.1.rt7.307.el8_9', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}
]
}
];
var applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);
if(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);
var flag = 0;
foreach var constraint_array ( constraints ) {
var repo_relative_urls = NULL;
if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];
foreach var pkg ( constraint_array['pkgs'] ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (reference &&
_release &&
rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&
(applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&
rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
if (flag)
{
var extra = NULL;
if (isnull(applicable_repo_urls) || !applicable_repo_urls) extra = rpm_report_get() + redhat_report_repo_caveat();
else extra = rpm_report_get();
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : extra
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-rt / kernel-rt-core / kernel-rt-debug / kernel-rt-debug-core / etc');
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43975
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28388
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3594
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3640
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38457
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40133
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42895
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45869
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45887
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4744
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0458
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0590
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0597
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1073
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1074
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1075
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1079
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1118
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1206
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1252
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1382
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1855
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1989
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1998
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23455
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2513
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26545
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28328
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28772
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30456
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31084
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3141
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31436
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3161
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3212
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3268
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33203
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33951
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33952
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35823
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35824
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3609
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3611
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3772
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4128
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4132
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4155
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4206
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4207
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4208
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4732
access.redhat.com/errata/RHSA-2023:6901
access.redhat.com/security/cve/CVE-2021-43975
access.redhat.com/security/cve/CVE-2022-28388
access.redhat.com/security/cve/CVE-2022-3594
access.redhat.com/security/cve/CVE-2022-3640
access.redhat.com/security/cve/CVE-2022-38457
access.redhat.com/security/cve/CVE-2022-40133
access.redhat.com/security/cve/CVE-2022-40982
access.redhat.com/security/cve/CVE-2022-42895
access.redhat.com/security/cve/CVE-2022-45869
access.redhat.com/security/cve/CVE-2022-45887
access.redhat.com/security/cve/CVE-2022-4744
access.redhat.com/security/cve/CVE-2023-0458
access.redhat.com/security/cve/CVE-2023-0590
access.redhat.com/security/cve/CVE-2023-0597
access.redhat.com/security/cve/CVE-2023-1073
access.redhat.com/security/cve/CVE-2023-1074
access.redhat.com/security/cve/CVE-2023-1075
access.redhat.com/security/cve/CVE-2023-1079
access.redhat.com/security/cve/CVE-2023-1118
access.redhat.com/security/cve/CVE-2023-1206
access.redhat.com/security/cve/CVE-2023-1252
access.redhat.com/security/cve/CVE-2023-1382
access.redhat.com/security/cve/CVE-2023-1855
access.redhat.com/security/cve/CVE-2023-1989
access.redhat.com/security/cve/CVE-2023-1998
access.redhat.com/security/cve/CVE-2023-23455
access.redhat.com/security/cve/CVE-2023-2513
access.redhat.com/security/cve/CVE-2023-26545
access.redhat.com/security/cve/CVE-2023-28328
access.redhat.com/security/cve/CVE-2023-28772
access.redhat.com/security/cve/CVE-2023-30456
access.redhat.com/security/cve/CVE-2023-31084
access.redhat.com/security/cve/CVE-2023-3141
access.redhat.com/security/cve/CVE-2023-31436
access.redhat.com/security/cve/CVE-2023-3161
access.redhat.com/security/cve/CVE-2023-3212
access.redhat.com/security/cve/CVE-2023-3268
access.redhat.com/security/cve/CVE-2023-33203
access.redhat.com/security/cve/CVE-2023-33951
access.redhat.com/security/cve/CVE-2023-33952
access.redhat.com/security/cve/CVE-2023-35823
access.redhat.com/security/cve/CVE-2023-35824
access.redhat.com/security/cve/CVE-2023-3609
access.redhat.com/security/cve/CVE-2023-3611
access.redhat.com/security/cve/CVE-2023-3772
access.redhat.com/security/cve/CVE-2023-4128
access.redhat.com/security/cve/CVE-2023-4132
access.redhat.com/security/cve/CVE-2023-4155
access.redhat.com/security/cve/CVE-2023-4206
access.redhat.com/security/cve/CVE-2023-4207
access.redhat.com/security/cve/CVE-2023-4208
access.redhat.com/security/cve/CVE-2023-4732
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
76.8%