The remote Red Hat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.
kernel: race condition in snd_pcm_hw_free leading to use-after-free (CVE-2022-1048)
Kernel: use-after-free in btf_dump_name_dups in tools/lib/bpf/btf_dump.c (CVE-2022-3534)
drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party disputes the relevance of this report because the failure can only occur for physically proximate attackers who unplug SAS Host Bus Adapter cables (CVE-2018-10021)
arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests. (CVE-2018-15594)
A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one. (CVE-2018-16862)
The Linux kernel 4.14.67 mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7. (CVE-2018-17977)
In the Linux kernel through 4.15.4, the floppy driver reveals the addresses of kernel functions and global variables using printk calls within the function show_floppy in drivers/block/floppy.c. An attacker can read this information from dmesg and use the addresses to find the locations of kernel code and data and bypass kernel security protections such as KASLR. (CVE-2018-7273)
The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c in the Linux kernel through 4.15.8 does not validate certain resource availability, which allows local users to cause a denial of service (NULL pointer dereference). (CVE-2018-8043)
An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver. (CVE-2019-15218)
An issue was discovered in the Linux kernel through 5.2.13. nbd_genl_status in drivers/block/nbd.c does not check the nla_nest_start_noflag return value. (CVE-2019-16089)
drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: The security community disputes this issue as not being serious enough to deserve a CVE id (CVE-2019-16229)
__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program. NOTE: The BTRFS development team disputes this issue as not being a vulnerability because 1) The kernel provides facilities to restrict access to dmesg, the dmesg_restrict=1 sysctl option. So it's really up to the system administrator to judge whether dmesg access shall be disallowed or not. 2) WARN/WARN_ON are widely used macros in the Linux kernel. If this CVE is considered valid, this would mean there are literally thousands of CVEs lurking in the kernel, something which clearly is not the case. (CVE-2019-19039)
A memory leak in the nfp_abm_u32_knode_replace() function in drivers/net/ethernet/netronome/nfp/abm/cls.c in the Linux kernel before 5.3.6 allows attackers to cause a denial of service (memory consumption), aka CID-78beef629fd9. NOTE: This has been argued as not a valid vulnerability. The upstream commit 78beef629fd9 was reverted (CVE-2019-19076)
Four memory leaks in the nfp_flower_spawn_phy_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel before 5.3.4 allow attackers to cause a denial of service (memory consumption), aka CID-8572cea1461a. (CVE-2019-19080)
A memory leak in the nfp_flower_spawn_vnic_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel before 5.3.4 allows attackers to cause a denial of service (memory consumption), aka CID-8ce39eb5a67a. (CVE-2019-19081)
Memory leaks in *create_resource_pool() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption). This affects the dce120_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c, the dce110_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c, the dce100_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c, the dcn10_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c, and the dce112_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c, aka CID-104c307147ad. (CVE-2019-19082)
Memory leaks in *clock_source_create() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel before 5.3.8 allow attackers to cause a denial of service (memory consumption). This affects the dce112_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c, the dce100_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c, the dcn10_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c, the dcn20_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c, the dce120_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c, the dce110_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c, and the dce80_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c, aka CID-055e547478a1. (CVE-2019-19083)
relay_open in kernel/relay.c in the Linux kernel through 5.4.1 allows local users to cause a denial of service (such as relay blockage) by triggering a NULL alloc_percpu result. (CVE-2019-19462)
In the Linux kernel before 4.20.5, attackers can trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a service ipmievd restart loop. (CVE-2019-9003)
An issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel 3.16 through 5.6.2. It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4. (CVE-2020-11494)
An issue was discovered in the Linux kernel before 5.6. svm_cpu_uninit in arch/x86/kvm/svm.c has a memory leak, aka CID-d80b64ff297e. NOTE: third parties dispute this issue because it’s a one-time leak at the boot, the size is negligible, and it can’t be triggered at will (CVE-2020-12768)
An issue was discovered in the Linux kernel before 5.4.17. drivers/spi/spi-dw.c allows attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one, aka CID-19b61392c5a8. (CVE-2020-12769)
A NULL pointer dereference flaw was found in the Linux kernel’s GPU Nouveau driver functionality in versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw allows a local user to crash the system. (CVE-2020-25639)
Insufficient access control in the Linux kernel driver for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2020-8694)
fs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect connection-setup ordering, which allows operators of remote NFSv4 servers to cause a denial of service (hanging of mounts) by arranging for those servers to be unreachable during trunking detection. (CVE-2021-38199)
The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not properly update bounds while handling the mov32 instruction, which allows local users to obtain potentially sensitive address information, aka a pointer leak. (CVE-2021-45402)
In the Linux kernel, the following vulnerability has been resolved: efi/fdt: fix panic when no valid fdt found setup_arch() would invoke efi_init()->efi_get_fdt_params(). If no valid fdt is found then initial_boot_params will be null. So we should stop further fdt processing here. I encountered this issue on risc-v. (CVE-2021-47134)
An out-of-bounds memory read flaw was found in the Linux kernel’s BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data. (CVE-2022-2905)
A vulnerability was found in Linux Kernel. It has been classified as problematic. This affects the function find_prog_by_sec_insn of the file tools/lib/bpf/libbpf.c of the component BPF. The manipulation leads to null pointer dereference. It is recommended to apply a patch to fix this issue. The identifier VDB-211749 was assigned to this vulnerability. (CVE-2022-3606)
A flaw named EntryBleed was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems. (CVE-2022-4543)
The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176. We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96 (CVE-2023-0045)
A memory leak flaw was found in the Linux kernel’s Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)
A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready. (CVE-2023-1075)
A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While this will often be correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would cause tun/tap sockets to be incorrectly treated in filtering/routing decisions, possibly bypassing network filters. (CVE-2023-1076)
In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head. The buggy error condition would lead to a type confused entry with the list head, which would then be used as a type confused sched_rt_entity, causing memory corruption. (CVE-2023-1077)
A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 (tun: tun_chr_open(): correctly initialize socket uid), - 66b2c338adce (tap: tap_open(): correctly initialize socket uid), pass inode->i_uid to sock_init_data_uid() as the last parameter and that turns out to not be accurate. (CVE-2023-4194)
In the Linux kernel, the following vulnerability has been resolved: bpf: Defer the free of inner map when necessary When updating or deleting an inner map in map array or map htab, the map may still be accessed by non-sleepable program or sleepable program. However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map directly through bpf_map_put(), if the ref-counter is the last one (which is true for most cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free() callbacks don't use synchronize_rcu() or its variants to wait for the elapse of a RCU grace period, so after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may incur a use-after-free problem. Fix the free of the inner map by invoking bpf_map_free_deferred() after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the last ref-counter of bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with work field to reduce the size of bpf_map. (CVE-2023-52447)
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix accesses to uninit stack slots Privileged programs are supposed to be able to read uninitialized stack memory (ever since 6715df8d5) but, before this patch, these accesses were permitted inconsistently. In particular, accesses were permitted above state->allocated_stack, but not below it. In other words, if the stack was already large enough, the access was permitted, but otherwise the access was rejected instead of being allowed to grow the stack. This undesired rejection was happening in two places: - in check_stack_slot_within_bounds() - in check_stack_range_initialized() This patch arranges for these accesses to be permitted. A bunch of tests that were relying on the old rejection had to change; all of them were changed to also run unprivileged, in which case the old behavior persists. One test couldn't be updated - global_func16 - because it can't run unprivileged for other reasons. This patch also fixes the tracking of the stack size for variable-offset reads. This second fix is bundled in the same commit as the first one because they're inter-related. Before this patch, writes to the stack using registers containing a variable offset (as opposed to registers with fixed, known values) were not properly contributing to the function's needed stack size. As a result, it was possible for a program to verify, but then to attempt to read out-of-bounds data at runtime because a too small stack had been allocated for it. Each function tracks the size of the stack it needs in bpf_subprog_info.stack_depth, which is maintained by update_stack_depth(). For regular memory accesses, check_mem_access() was calling update_state_depth() but it was passing in only the fixed part of the offset register, ignoring the variable offset. This was incorrect; the minimum possible value of that register should be used instead. This tracking is now fixed by centralizing the tracking of stack size in grow_stack_state(), and by lifting the calls to grow_stack_state() to check_stack_access_within_bounds() as suggested by Andrii. The code is now simpler and more convincingly tracks the correct maximum stack size. check_stack_range_initialized() can now rely on enough stack having been allocated for the access; this helps with the fix for the first issue. A few tests were changed to also check the stack depth computation. The one that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv. (CVE-2023-52452)
In the Linux kernel, the following vulnerability has been resolved: powerpc/mm: Fix null-pointer dereference in pgtable_cache_add kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Ensure the allocation was successful by checking the pointer validity. (CVE-2023-52607)
A flaw was found in the Netfilter subsystem in the Linux kernel. The issue is in the nft_byteorder_eval() function, where the code iterates through a loop and writes to the dst array. On each iteration, 8 bytes are written, but dst is an array of u32, so each element only has space for 4 bytes. That means every iteration overwrites part of the previous element, corrupting this array of u32. This flaw allows a local user to cause a denial of service or potentially break NetFilter functionality. (CVE-2024-0607)
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked The SEV platform device can be shutdown with a null psp_master, e.g., using DEBUG_TEST_DRIVER_REMOVE. Found using KASAN: [ 137.148210] ccp 0000:23:00.1: enabling device (0000 -> 0002) [ 137.162647] ccp 0000:23:00.1: no command queues available [ 137.170598] ccp 0000:23:00.1: sev enabled [ 137.174645] ccp 0000:23:00.1: psp enabled [ 137.178890] general protection fault, probably for non-canonical address 0xdffffc000000001e: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI [ 137.182693] KASAN: null-ptr-deref in range [0x00000000000000f0-0x00000000000000f7] [ 137.182693] CPU: 93 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc1+ #311 [ 137.182693] RIP: 0010:__sev_platform_shutdown_locked+0x51/0x180 [ 137.182693] Code: 08 80 3c 08 00 0f 85 0e 01 00 00 48 8b 1d 67 b6 01 08 48 b8 00 00 00 00 00 fc ff df 48 8d bb f0 00 00 00 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fe 00 00 00 48 8b 9b f0 00 00 00 48 85 db 74 2c [ 137.182693] RSP: 0018:ffffc900000cf9b0 EFLAGS: 00010216 [ 137.182693] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 000000000000001e [ 137.182693] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 00000000000000f0 [ 137.182693] RBP: ffffc900000cf9c8 R08: 0000000000000000 R09: fffffbfff58f5a66 [ 137.182693] R10: ffffc900000cf9c8 R11: ffffffffac7ad32f R12: ffff8881e5052c28 [ 137.182693] R13: ffff8881e5052c28 R14: ffff8881758e43e8 R15: ffffffffac64abf8 [ 137.182693] FS: 0000000000000000(0000) GS:ffff889de7000000(0000) knlGS:0000000000000000 [ 137.182693] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 137.182693] CR2: 0000000000000000 CR3: 0000001cf7c7e000 CR4: 0000000000350ef0 [ 137.182693] Call Trace: [ 137.182693] <TASK> [ 137.182693] ? show_regs+0x6c/0x80 [ 137.182693] ? __die_body+0x24/0x70 [ 137.182693] ? die_addr+0x4b/0x80 [ 137.182693] ? exc_general_protection+0x126/0x230 [ 137.182693] ? asm_exc_general_protection+0x2b/0x30 [ 137.182693] ? __sev_platform_shutdown_locked+0x51/0x180 [ 137.182693] sev_firmware_shutdown.isra.0+0x1e/0x80 [ 137.182693] sev_dev_destroy+0x49/0x100 [ 137.182693] psp_dev_destroy+0x47/0xb0 [ 137.182693] sp_destroy+0xbb/0x240 [ 137.182693] sp_pci_remove+0x45/0x60 [ 137.182693] pci_device_remove+0xaa/0x1d0 [ 137.182693] device_remove+0xc7/0x170 [ 137.182693] really_probe+0x374/0xbe0 [ 137.182693] ? srso_return_thunk+0x5/0x5f [ 137.182693] __driver_probe_device+0x199/0x460 [ 137.182693] driver_probe_device+0x4e/0xd0 [ 137.182693] __driver_attach+0x191/0x3d0 [ 137.182693] ? __pfx___driver_attach+0x10/0x10 [ 137.182693] bus_for_each_dev+0x100/0x190 [ 137.182693] ? __pfx_bus_for_each_dev+0x10/0x10 [ 137.182693] ? __kasan_check_read+0x15/0x20 [ 137.182693] ? srso_return_thunk+0x5/0x5f [ 137.182693] ? _raw_spin_unlock+0x27/0x50 [ 137.182693] driver_attach+0x41/0x60 [ 137.182693] bus_add_driver+0x2a8/0x580 [ 137.182693] driver_register+0x141/0x480 [ 137.182693] __pci_register_driver+0x1d6/0x2a0 [ 137.182693] ? srso_return_thunk+0x5/0x5f [ 137.182693] ? esrt_sysfs_init+0x1cd/0x5d0 [ 137.182693] ? __pfx_sp_mod_init+0x10/0x10 [ 137.182693] sp_pci_init+0x22/0x30 [ 137.182693] sp_mod_init+0x14/0x30 [ 137.182693] ? __pfx_sp_mod_init+0x10/0x10 [ 137.182693] do_one_initcall+0xd1/0x470 [ 137.182693] ? __pfx_do_one_initcall+0x10/0x10 [ 137.182693] ? parameq+0x80/0xf0 [ 137.182693] ? srso_return_thunk+0x5/0x5f [ 137.182693] ? __kmalloc+0x3b0/0x4e0 [ 137.182693] ? kernel_init_freeable+0x92d/0x1050 [ 137.182693] ? kasan_populate_vmalloc_pte+0x171/0x190 [ 137.182693] ? srso_return_thunk+0x5/0x5f [ 137.182693] kernel_init_freeable+0xa64/0x1050 [ 137.182693] ? __pfx_kernel_init+0x10/0x10 [ 137.182693] kernel_init+0x24/0x160 [ 137.182693] ? __switch_to_asm+0x3e/0x70 [ 137.182693] ret_from_fork+0x40/0x80 [ 137.182693] ? __pfx_kernel_init+0x1 —truncated— (CVE-2024-26695)
In the Linux kernel, the following vulnerability has been resolved: usb: roles: fix NULL pointer issue when put module's reference In the current design, the usb role class driver will get the usb_role_switch parent's module reference after the user gets the usb_role_switch device and put the reference after the user puts the usb_role_switch device. However, the parent device of usb_role_switch may be removed before the user puts the usb_role_switch. If so, then a NULL pointer issue will be met when the user puts the parent module's reference. This will save the module pointer in the structure of usb_role_switch. Then we don't need to find the module by iterating long relations. (CVE-2024-26747)
Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory kernel. The text
# itself is copyright (C) Red Hat, Inc.
##
include('compat.inc');
if (description)
{
script_id(195630);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");
script_cve_id(
"CVE-2018-7273",
"CVE-2018-8043",
"CVE-2018-10021",
"CVE-2018-15594",
"CVE-2018-16862",
"CVE-2018-17977",
"CVE-2019-9003",
"CVE-2019-15218",
"CVE-2019-16089",
"CVE-2019-16229",
"CVE-2019-19039",
"CVE-2019-19076",
"CVE-2019-19080",
"CVE-2019-19081",
"CVE-2019-19082",
"CVE-2019-19083",
"CVE-2019-19462",
"CVE-2020-8694",
"CVE-2020-11494",
"CVE-2020-12768",
"CVE-2020-12769",
"CVE-2020-25639",
"CVE-2021-38199",
"CVE-2021-45402",
"CVE-2021-47134",
"CVE-2022-1048",
"CVE-2022-2905",
"CVE-2022-3534",
"CVE-2022-3606",
"CVE-2022-4543",
"CVE-2023-0045",
"CVE-2023-1074",
"CVE-2023-1075",
"CVE-2023-1076",
"CVE-2023-1077",
"CVE-2023-4194",
"CVE-2023-52447",
"CVE-2023-52452",
"CVE-2023-52607",
"CVE-2024-0607",
"CVE-2024-26695",
"CVE-2024-26747"
);
script_name(english:"RHEL 8 : kernel (Unpatched Vulnerability)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 8 host is affected by multiple vulnerabilities that will not be patched.");
script_set_attribute(attribute:"description", value:
"The remote Red Hat Enterprise Linux 8 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.
- kernel: race condition in snd_pcm_hw_free leading to use-after-free (CVE-2022-1048)
- Kernel: use-after-free in btf_dump_name_dups in tools/lib/bpf/btf_dump.c (CVE-2022-3534)
- drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial
of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party disputes the
relevance of this report because the failure can only occur for physically proximate attackers who unplug
SAS Host Bus Adapter cables (CVE-2018-10021)
- arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which
makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests. (CVE-2018-15594)
- A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after
the final file truncation (removal). The new file created with the same inode may contain leftover pages
from cleancache and the old file data instead of the new one. (CVE-2018-16862)
- The Linux kernel 4.14.67 mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets,
and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and
system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7.
(CVE-2018-17977)
- In the Linux kernel through 4.15.4, the floppy driver reveals the addresses of kernel functions and global
variables using printk calls within the function show_floppy in drivers/block/floppy.c. An attacker can
read this information from dmesg and use the addresses to find the locations of kernel code and data and
bypass kernel security protections such as KASLR. (CVE-2018-7273)
- The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c in the Linux kernel through 4.15.8
does not validate certain resource availability, which allows local users to cause a denial of service
(NULL pointer dereference). (CVE-2018-8043)
- An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a
malicious USB device in the drivers/media/usb/siano/smsusb.c driver. (CVE-2019-15218)
- An issue was discovered in the Linux kernel through 5.2.13. nbd_genl_status in drivers/block/nbd.c does
not check the nla_nest_start_noflag return value. (CVE-2019-16089)
- drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux kernel 5.2.14 does not check the alloc_workqueue
return value, leading to a NULL pointer dereference. NOTE: The security community disputes this issue as
not being serious enough to deserve a CVE id (CVE-2019-16229)
- __btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in
a certain ENOENT case, which allows local users to obtain potentially sensitive information about register
values via the dmesg program. NOTE: The BTRFS development team disputes this issue as not being a
vulnerability because 1) The kernel provides facilities to restrict access to dmesg, the dmesg_restrict=1
sysctl option. So it's really up to the system administrator to judge whether dmesg access shall be
disallowed or not. 2) WARN/WARN_ON are widely used macros in the Linux kernel. If this CVE is considered
valid, this would mean there are literally thousands of CVEs lurking in the kernel, something which clearly
is not the case. (CVE-2019-19039)
- A memory leak in the nfp_abm_u32_knode_replace() function in drivers/net/ethernet/netronome/nfp/abm/cls.c
in the Linux kernel before 5.3.6 allows attackers to cause a denial of service (memory consumption), aka
CID-78beef629fd9. NOTE: This has been argued as not a valid vulnerability. The upstream commit
78beef629fd9 was reverted (CVE-2019-19076)
- Four memory leaks in the nfp_flower_spawn_phy_reprs() function in
drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel before 5.3.4 allow attackers to cause
a denial of service (memory consumption), aka CID-8572cea1461a. (CVE-2019-19080)
- A memory leak in the nfp_flower_spawn_vnic_reprs() function in
drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel before 5.3.4 allows attackers to
cause a denial of service (memory consumption), aka CID-8ce39eb5a67a. (CVE-2019-19081)
- Memory leaks in *create_resource_pool() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel
through 5.3.11 allow attackers to cause a denial of service (memory consumption). This affects the
dce120_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c, the
dce110_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c, the
dce100_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c, the
dcn10_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c, and the
dce112_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c, aka
CID-104c307147ad. (CVE-2019-19082)
- Memory leaks in *clock_source_create() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel
before 5.3.8 allow attackers to cause a denial of service (memory consumption). This affects the
dce112_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c, the
dce100_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c, the
dcn10_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c, the
dcn20_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c, the
dce120_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c, the
dce110_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c, and the
dce80_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c, aka
CID-055e547478a1. (CVE-2019-19083)
- relay_open in kernel/relay.c in the Linux kernel through 5.4.1 allows local users to cause a denial of
service (such as relay blockage) by triggering a NULL alloc_percpu result. (CVE-2019-19462)
- In the Linux kernel before 4.20.5, attackers can trigger a drivers/char/ipmi/ipmi_msghandler.c
use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a
service ipmievd restart loop. (CVE-2019-9003)
- An issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel 3.16 through 5.6.2. It
allows attackers to read uninitialized can_frame data, potentially containing sensitive information from
kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4.
(CVE-2020-11494)
- An issue was discovered in the Linux kernel before 5.6. svm_cpu_uninit in arch/x86/kvm/svm.c has a memory
leak, aka CID-d80b64ff297e. NOTE: third parties dispute this issue because it's a one-time leak at the
boot, the size is negligible, and it can't be triggered at will (CVE-2020-12768)
- An issue was discovered in the Linux kernel before 5.4.17. drivers/spi/spi-dw.c allows attackers to cause
a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one, aka CID-19b61392c5a8. (CVE-2020-12769)
- A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in
versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw
allows a local user to crash the system. (CVE-2020-25639)
- Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an
authenticated user to potentially enable information disclosure via local access. (CVE-2020-8694)
- fs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect connection-setup ordering, which
allows operators of remote NFSv4 servers to cause a denial of service (hanging of mounts) by arranging for
those servers to be unreachable during trunking detection. (CVE-2021-38199)
- The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not
properly update bounds while handling the mov32 instruction, which allows local users to obtain
potentially sensitive address information, aka a pointer leak. (CVE-2021-45402)
- In the Linux kernel, the following vulnerability has been resolved: efi/fdt: fix panic when no valid fdt
found setup_arch() would invoke efi_init()->efi_get_fdt_params(). If no valid fdt is found then
initial_boot_params will be null. So we should stop further fdt processing here. I encountered this issue
on risc-v. (CVE-2021-47134)
- An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the
bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to
gain unauthorized access to data. (CVE-2022-2905)
- A vulnerability was found in Linux Kernel. It has been classified as problematic. This affects the
function find_prog_by_sec_insn of the file tools/lib/bpf/libbpf.c of the component BPF. The manipulation
leads to null pointer dereference. It is recommended to apply a patch to fix this issue. The identifier
VDB-211749 was assigned to this vulnerability. (CVE-2022-3606)
- A flaw named EntryBleed was found in the Linux Kernel Page Table Isolation (KPTI). This issue could
allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel
systems. (CVE-2022-4543)
- The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The
ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL
MSR in the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the
TIF bits are checked. This leaves the victim vulnerable to values already injected into the BTB prior to
the prctl syscall. The patch that added the support for the conditional mitigation via prctl
(ib_prctl_set) dates back to kernel 4.9.176. We recommend upgrading past commit
a664ec9158eeddd75121d39c9a0758016097fa96. (CVE-2023-0045)
- A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may
occur when a user starts a malicious networking service and someone connects to this service. This could
allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)
- A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness,
potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field
that overlaps with rec->tx_ready. (CVE-2023-1075)
- A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a
type confusion in their initialization function. While this will often be correct, as tuntap devices require
CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user having only that capability. This
would cause tun/tap sockets to be incorrectly treated in filtering/routing decisions, possibly bypassing
network filters. (CVE-2023-1076)
- In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON
condition, as the confused entry will not be NULL, but list_head. The buggy error condition would lead to a
type confused entry with the list head, which would then be used as a type confused sched_rt_entity, causing
memory corruption. (CVE-2023-1077)
- A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to
bypass network filters and gain unauthorized access to some resources. The original patches fixing
CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits,
a096ccca6e50 (tun: tun_chr_open(): correctly initialize socket uid) and 66b2c338adce (tap: tap_open():
correctly initialize socket uid), pass inode->i_uid to sock_init_data_uid() as the last parameter, and
that turns out to not be accurate. (CVE-2023-4194)
- In the Linux kernel, the following vulnerability has been resolved: bpf: Defer the free of inner map when
necessary. When updating or deleting an inner map in a map array or map htab, the map may still be accessed
by a non-sleepable program or a sleepable program. However, bpf_map_fd_put_ptr() decreases the ref-counter of
the inner map directly through bpf_map_put(); if the ref-counter is the last one (which is true for most
cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free()
callbacks don't use synchronize_rcu() or its variants to wait for the elapse of an RCU grace period, so
after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may
incur a use-after-free. Fix the free of the inner map by invoking bpf_map_free_deferred() after both one
RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map
before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the
last ref-counter of the bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with
the work field to reduce the size of bpf_map. (CVE-2023-52447)
- In the Linux kernel, the following vulnerability has been resolved: bpf: Fix accesses to uninit stack
slots. Privileged programs are supposed to be able to read uninitialized stack memory (ever since
6715df8d5) but, before this patch, these accesses were permitted inconsistently. In particular, accesses
were permitted above state->allocated_stack, but not below it. In other words, if the stack was already
large enough, the access was permitted, but otherwise the access was rejected instead of being allowed
to grow the stack. This undesired rejection was happening in two places: in
check_stack_slot_within_bounds() and in check_stack_range_initialized(). This patch arranges for these
accesses to be permitted. A bunch of tests that were relying on the old rejection had to change; all of
them were changed to also run unprivileged, in which case the old behavior persists. One test
couldn't be updated, global_func16, because it can't run unprivileged for other reasons. This patch also
fixes the tracking of the stack size for variable-offset reads. This second fix is bundled in the same
commit as the first one because they're inter-related. Before this patch, writes to the stack using
registers containing a variable offset (as opposed to registers with fixed, known values) were not
properly contributing to the function's needed stack size. As a result, it was possible for a program to
verify, but then to attempt to read out-of-bounds data at runtime because a too small stack had been
allocated for it. Each function tracks the size of the stack it needs in bpf_subprog_info.stack_depth,
which is maintained by update_stack_depth(). For regular memory accesses, check_mem_access() was calling
update_stack_depth() but it was passing in only the fixed part of the offset register, ignoring the
variable offset. This was incorrect; the minimum possible value of that register should be used instead.
This tracking is now fixed by centralizing the tracking of stack size in grow_stack_state(), and by
lifting the calls to grow_stack_state() to check_stack_access_within_bounds() as suggested by Andrii. The
code is now simpler and more convincingly tracks the correct maximum stack size.
check_stack_range_initialized() can now rely on enough stack having been allocated for the access; this
helps with the fix for the first issue. A few tests were changed to also check the stack depth
computation. The one that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.
(CVE-2023-52452)
- In the Linux kernel, the following vulnerability has been resolved: powerpc/mm: Fix null-pointer
dereference in pgtable_cache_add. kasprintf() returns a pointer to dynamically allocated memory which can
be NULL upon failure. Ensure the allocation was successful by checking the pointer validity.
(CVE-2023-52607)
- A flaw was found in the Netfilter subsystem in the Linux kernel. The issue is in the nft_byteorder_eval()
function, where the code iterates through a loop and writes to the `dst` array. On each iteration, 8 bytes
are written, but `dst` is an array of u32, so each element only has space for 4 bytes. That means every
iteration overwrites part of the previous element, corrupting this array of u32. This flaw allows a local
user to cause a denial of service or potentially break Netfilter functionality. (CVE-2024-0607)
- In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix null pointer
dereference in __sev_platform_shutdown_locked. The SEV platform device can be shutdown with a null
psp_master, e.g., using DEBUG_TEST_DRIVER_REMOVE. Found using KASAN. (CVE-2024-26695)
- In the Linux kernel, the following vulnerability has been resolved: usb: roles: fix NULL pointer issue
when putting the module's reference. In the current design, the usb role class driver gets the usb_role_switch
parent's module reference after the user gets the usb_role_switch device and puts the reference after the
user puts the usb_role_switch device. However, the parent device of usb_role_switch may be removed before
the user puts the usb_role_switch. If so, a NULL pointer issue will be met when the user puts the parent
module's reference. This fix saves the module pointer in the usb_role_switch structure, so there is no need
to find the module by iterating long relations. (CVE-2024-26747)
Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-1048");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-3534");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vendor_unpatched", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:9");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-alt");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libbpf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:redhat-virtualization-host");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
include('ksplice.inc');
if (!get_kb_item("global_settings/vendor_unpatched"))
  exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
var constraints = [
  {
    'pkgs': [
      {'reference':'kernel', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'kernel', 'cves':['CVE-2018-7273', 'CVE-2018-8043', 'CVE-2018-10021', 'CVE-2018-15594', 'CVE-2018-16862', 'CVE-2018-17977', 'CVE-2019-15218', 'CVE-2019-16089', 'CVE-2019-16229', 'CVE-2019-19039', 'CVE-2019-19076', 'CVE-2019-19080', 'CVE-2019-19081', 'CVE-2019-19082', 'CVE-2019-19083', 'CVE-2019-19462', 'CVE-2020-8694', 'CVE-2020-11494', 'CVE-2020-12768', 'CVE-2020-12769', 'CVE-2020-25639', 'CVE-2021-38199', 'CVE-2021-45402', 'CVE-2021-47134', 'CVE-2022-2905', 'CVE-2022-3534', 'CVE-2022-3606', 'CVE-2023-0045', 'CVE-2023-52447', 'CVE-2023-52452', 'CVE-2024-0607', 'CVE-2024-26695', 'CVE-2024-26747']},
      {'reference':'kernel-rt', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'kernel-rt', 'cves':['CVE-2018-16862', 'CVE-2018-17977', 'CVE-2019-9003', 'CVE-2019-15218', 'CVE-2019-16089', 'CVE-2019-16229', 'CVE-2019-19039', 'CVE-2019-19076', 'CVE-2019-19080', 'CVE-2019-19081', 'CVE-2019-19082', 'CVE-2019-19083', 'CVE-2019-19462', 'CVE-2020-8694', 'CVE-2020-11494', 'CVE-2020-12768', 'CVE-2020-25639', 'CVE-2021-45402', 'CVE-2021-47134', 'CVE-2022-2905', 'CVE-2022-3534', 'CVE-2022-3606', 'CVE-2023-52447', 'CVE-2023-52452', 'CVE-2023-52607', 'CVE-2024-0607', 'CVE-2024-26695', 'CVE-2024-26747']},
      {'reference':'libbpf', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'libbpf', 'cves':['CVE-2022-3606']},
      {'reference':'redhat-virtualization-host', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'redhat-virtualization-host', 'cves':['CVE-2022-1048', 'CVE-2022-4543', 'CVE-2023-1074', 'CVE-2023-1075', 'CVE-2023-1076', 'CVE-2023-1077', 'CVE-2023-4194']}
    ]
  }
];
var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}
if (flag)
{
  var extra = NULL;
  security_report_v4(
    port     : 0,
    severity : SECURITY_WARNING,
    extra    : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel / kernel-rt / libbpf / redhat-virtualization-host');
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10021
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15594
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16862
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17977
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7273
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8043
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15218
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16089
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16229
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19039
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19076
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19080
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19081
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19082
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19083
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19462
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9003
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11494
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12768
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12769
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25639
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8694
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38199
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45402
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-47134
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1048
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2905
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3534
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3606
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4543
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0045
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1074
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1075
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1076
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1077
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4194
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52447
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52452
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52607
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0607
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26695
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26747