The remote Red Hat Enterprise Linux 9 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.
kernel: Linux ebpf logic vulnerability leads to critical memory read and write gaining root privileges (CVE-2022-0500)
Kernel: use-after-free in btf_dump_name_dups in tools/lib/bpf/btf_dump.c (CVE-2022-3534)
An issue was discovered in the Linux kernel through 5.2.13. nbd_genl_status in drivers/block/nbd.c does not check the nla_nest_start_noflag return value. (CVE-2019-16089)
A flaw was found in the Linux kernel's memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page-sized files and detect the change in access time from a networked service to determine if the page has been merged. (CVE-2021-3714)
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-18198. Reason: This candidate is a reservation duplicate of CVE-2019-18198. Notes: All CVE users should reference CVE-2019-18198 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage (CVE-2021-3892)
A use-after-free flaw was found in nci_request in net/nfc/nci/core.c in NFC Controller Interface (NCI) in the Linux kernel. This flaw could allow a local attacker with user privileges to cause a data race problem while the device is getting removed, leading to a privilege escalation problem. (CVE-2021-4202)
The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not properly update bounds while handling the mov32 instruction, which allows local users to obtain potentially sensitive address information, aka a pointer leak. (CVE-2021-45402)
An issue found in linux-kernel that leads to a race condition in rose_connect(). The rose driver uses rose_neigh->use to represent how many objects are using the rose_neigh. When a user wants to delete a rose_route via rose_ioctl(), the rose driver calls rose_del_node() and removes neighbours only if their count and use are zero. (CVE-2022-1247)
An issue was discovered in the Linux kernel before 5.16.5. There is a memory leak in yam_siocdevprivate in drivers/net/hamradio/yam.c. (CVE-2022-24959)
drivers/bluetooth/virtio_bt.c in the Linux kernel before 5.16.3 has a memory leak (socket buffers have memory allocated but not freed). (CVE-2022-26878)
An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device. (CVE-2022-26966)
There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c (CVE-2022-2785)
An out-of-bounds memory read flaw was found in the Linux kernel’s BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data. (CVE-2022-2905)
A vulnerability was found in Linux Kernel. It has been classified as problematic. This affects the function find_prog_by_sec_insn of the file tools/lib/bpf/libbpf.c of the component BPF. The manipulation leads to null pointer dereference. It is recommended to apply a patch to fix this issue. The identifier VDB-211749 was assigned to this vulnerability. (CVE-2022-3606)
A vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects the function vsock_connect of the file net/vmw_vsock/af_vsock.c. The manipulation leads to memory leak. The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to apply a patch to fix this issue. VDB-211930 is the identifier assigned to this vulnerability. (CVE-2022-3629)
A vulnerability classified as problematic has been found in Linux Kernel. Affected is the function j1939_session_destroy of the file net/can/j1939/transport.c. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211932. (CVE-2022-3633)
The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176. We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96 (CVE-2023-0045)
A flaw was found in the Linux kernel’s netdevsim device driver, within the scheduling of events. This issue results from the improper management of a reference count. This may allow an attacker to create a denial of service condition on the system. (CVE-2023-2019)
A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system. (CVE-2023-2156)
In the Linux kernel, the following vulnerability has been resolved: bpf: Defer the free of inner map when necessary When updating or deleting an inner map in map array or map htab, the map may still be accessed by non-sleepable program or sleepable program. However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map directly through bpf_map_put(), if the ref-counter is the last one (which is true for most cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free() callbacks don’t use synchronize_rcu() or its variants to wait for the elapse of a RCU grace period, so after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may incur use-after-free problem. Fix the free of inner map by invoking bpf_map_free_deferred() after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the last ref-counter of bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with work field to reduce the size of bpf_map. (CVE-2023-52447)
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix accesses to uninit stack slots Privileged programs are supposed to be able to read uninitialized stack memory (ever since 6715df8d5) but, before this patch, these accesses were permitted inconsistently. In particular, accesses were permitted above state->allocated_stack, but not below it. In other words, if the stack was already large enough, the access was permitted, but otherwise the access was rejected instead of being allowed to grow the stack. This undesired rejection was happening in two places: - in check_stack_slot_within_bounds() - in check_stack_range_initialized() This patch arranges for these accesses to be permitted. A bunch of tests that were relying on the old rejection had to change; all of them were changed to also run unprivileged, in which case the old behavior persists. One test couldn't be updated - global_func16 - because it can't run unprivileged for other reasons. This patch also fixes the tracking of the stack size for variable-offset reads. This second fix is bundled in the same commit as the first one because they're inter-related. Before this patch, writes to the stack using registers containing a variable offset (as opposed to registers with fixed, known values) were not properly contributing to the function's needed stack size. As a result, it was possible for a program to verify, but then to attempt to read out-of-bounds data at runtime because a too small stack had been allocated for it. Each function tracks the size of the stack it needs in bpf_subprog_info.stack_depth, which is maintained by update_stack_depth(). For regular memory accesses, check_mem_access() was calling update_state_depth() but it was passing in only the fixed part of the offset register, ignoring the variable offset. This was incorrect; the minimum possible value of that register should be used instead. This tracking is now fixed by centralizing the tracking of stack size in grow_stack_state(), and by lifting the calls to grow_stack_state() to check_stack_access_within_bounds() as suggested by Andrii. The code is now simpler and more convincingly tracks the correct maximum stack size. check_stack_range_initialized() can now rely on enough stack having been allocated for the access; this helps with the fix for the first issue. A few tests were changed to also check the stack depth computation. The one that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv. (CVE-2023-52452)
In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race The SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an enclave and set secs.epc_page to NULL. The SECS page is used for EAUG and ELDU in the SGX page fault handler. However, the NULL check for secs.epc_page is only done for ELDU, not EAUG before being used. Fix this by doing the same NULL check and reloading of the SECS page as needed for both EAUG and ELDU. The SECS page holds global enclave metadata. It can only be reclaimed when there are no other enclave pages remaining. At that point, virtually nothing can be done with the enclave until the SECS page is paged back in. An enclave cannot run nor generate page faults without a resident SECS page. But it is still possible for a #PF for a non-SECS page to race with paging out the SECS page: when the last resident non-SECS page A triggers a #PF in a non-resident page B, and then page A and the SECS both are paged out before the #PF on B is handled. Hitting this bug requires that race triggered with a #PF for EAUG. Following is a trace when it happens.
BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: 0010:sgx_encl_eaug_page+0xc7/0x210 Call Trace: ? __kmem_cache_alloc_node+0x16a/0x440 ? xa_load+0x6e/0xa0 sgx_vma_fault+0x119/0x230
__do_fault+0x36/0x140 do_fault+0x12f/0x400 __handle_mm_fault+0x728/0x1110 handle_mm_fault+0x105/0x310 do_user_addr_fault+0x1ee/0x750 ? __this_cpu_preempt_check+0x13/0x20 exc_page_fault+0x76/0x180 asm_exc_page_fault+0x27/0x30 (CVE-2023-52568)
In the Linux kernel, the following vulnerability has been resolved: powerpc/mm: Fix null-pointer dereference in pgtable_cache_add kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Ensure the allocation was successful by checking the pointer validity. (CVE-2023-52607)
A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local user to cause an information leak problem while freeing the old quota file names before a potential failure, leading to a use-after-free. (CVE-2024-0775)
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked The SEV platform device can be shutdown with a null psp_master, e.g., using DEBUG_TEST_DRIVER_REMOVE. Found using KASAN. (CVE-2024-26695)
Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory kernel. The text
# itself is copyright (C) Red Hat, Inc.
##
include('compat.inc');
if (description)
{
script_id(195667);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");
script_cve_id(
"CVE-2019-16089",
"CVE-2021-3714",
"CVE-2021-3892",
"CVE-2021-4202",
"CVE-2021-45402",
"CVE-2022-0500",
"CVE-2022-1247",
"CVE-2022-2785",
"CVE-2022-2905",
"CVE-2022-3534",
"CVE-2022-3606",
"CVE-2022-3629",
"CVE-2022-3633",
"CVE-2022-24959",
"CVE-2022-26878",
"CVE-2022-26966",
"CVE-2023-0045",
"CVE-2023-2019",
"CVE-2023-2156",
"CVE-2023-52447",
"CVE-2023-52452",
"CVE-2023-52568",
"CVE-2023-52607",
"CVE-2024-0775",
"CVE-2024-26695"
);
script_name(english:"RHEL 9 : kernel (Unpatched Vulnerability)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 9 host is affected by multiple vulnerabilities that will not be patched.");
script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 9 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.
- kernel: Linux ebpf logic vulnerability leads to critical memory read and write gaining root privileges
(CVE-2022-0500)
- Kernel: use-after-free in btf_dump_name_dups in tools/lib/bpf/btf_dump.c (CVE-2022-3534)
- An issue was discovered in the Linux kernel through 5.2.13. nbd_genl_status in drivers/block/nbd.c does
not check the nla_nest_start_noflag return value. (CVE-2019-16089)
- A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory
deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an
attacker can upload page sized files and detect the change in access time from a networked service to
determine if the page has been merged. (CVE-2021-3714)
- Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-18198. Reason: This candidate is a
reservation duplicate of CVE-2019-18198. Notes: All CVE users should reference CVE-2019-18198 instead of
this candidate. All references and descriptions in this candidate have been removed to prevent accidental
usage (CVE-2021-3892)
- A use-after-free flaw was found in nci_request in net/nfc/nci/core.c in NFC Controller Interface (NCI) in
the Linux kernel. This flaw could allow a local attacker with user privileges to cause a data race problem
while the device is getting removed, leading to a privilege escalation problem. (CVE-2021-4202)
- The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not
properly update bounds while handling the mov32 instruction, which allows local users to obtain
potentially sensitive address information, aka a pointer leak. (CVE-2021-45402)
- An issue found in linux-kernel that leads to a race condition in rose_connect(). The rose driver uses
rose_neigh->use to represent how many objects are using the rose_neigh. When a user wants to delete a
rose_route via rose_ioctl(), the rose driver calls rose_del_node() and removes neighbours only if their
count and use are zero. (CVE-2022-1247)
- An issue was discovered in the Linux kernel before 5.16.5. There is a memory leak in yam_siocdevprivate in
drivers/net/hamradio/yam.c. (CVE-2022-24959)
- drivers/bluetooth/virtio_bt.c in the Linux kernel before 5.16.3 has a memory leak (socket buffers have
memory allocated but not freed). (CVE-2022-26878)
- An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to
obtain sensitive information from heap memory via crafted frame lengths from a device. (CVE-2022-26966)
- There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in
structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by
BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend
upgrading past commit 86f44fcec22c (CVE-2022-2785)
- An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the
bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to
gain unauthorized access to data. (CVE-2022-2905)
- A vulnerability was found in Linux Kernel. It has been classified as problematic. This affects the
function find_prog_by_sec_insn of the file tools/lib/bpf/libbpf.c of the component BPF. The manipulation
leads to null pointer dereference. It is recommended to apply a patch to fix this issue. The identifier
VDB-211749 was assigned to this vulnerability. (CVE-2022-3606)
- A vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects
the function vsock_connect of the file net/vmw_vsock/af_vsock.c. The manipulation leads to memory leak.
The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to
apply a patch to fix this issue. VDB-211930 is the identifier assigned to this vulnerability.
(CVE-2022-3629)
- A vulnerability classified as problematic has been found in Linux Kernel. Affected is the function
j1939_session_destroy of the file net/can/j1939/transport.c. The manipulation leads to memory leak. It is
recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211932.
(CVE-2022-3633)
- The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The
ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL
MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the
TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to
the prctl syscall. The patch that added the support for the conditional mitigation via prctl
(ib_prctl_set) dates back to the kernel 4.9.176. We recommend upgrading past commit
a664ec9158eeddd75121d39c9a0758016097fa96 (CVE-2023-0045)
- A flaw was found in the Linux kernel's netdevsim device driver, within the scheduling of events. This
issue results from the improper management of a reference count. This may allow an attacker to create a
denial of service condition on the system. (CVE-2023-2019)
- A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol.
This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion
failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the
system. (CVE-2023-2156)
- In the Linux kernel, the following vulnerability has been resolved: bpf: Defer the free of inner map when
necessary When updating or deleting an inner map in map array or map htab, the map may still be accessed
by non-sleepable program or sleepable program. However bpf_map_fd_put_ptr() decreases the ref-counter of
the inner map directly through bpf_map_put(), if the ref-counter is the last one (which is true for most
cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free()
callbacks don't use synchronize_rcu() or its variants to wait for the elapse of a RCU grace period, so
after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may
incur use-after-free problem. Fix the free of inner map by invoking bpf_map_free_deferred() after both one
RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map
before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the
last ref-counter of bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with
work field to reduce the size of bpf_map. (CVE-2023-52447)
- In the Linux kernel, the following vulnerability has been resolved: bpf: Fix accesses to uninit stack
slots Privileged programs are supposed to be able to read uninitialized stack memory (ever since
6715df8d5) but, before this patch, these accesses were permitted inconsistently. In particular, accesses
were permitted above state->allocated_stack, but not below it. In other words, if the stack was already
large enough, the access was permitted, but otherwise the access was rejected instead of being allowed
to grow the stack. This undesired rejection was happening in two places: - in
check_stack_slot_within_bounds() - in check_stack_range_initialized() This patch arranges for these
accesses to be permitted. A bunch of tests that were relying on the old rejection had to change; all of
them were changed to add also run unprivileged, in which case the old behavior persists. One tests
couldn't be updated - global_func16 - because it can't run unprivileged for other reasons. This patch also
fixes the tracking of the stack size for variable-offset reads. This second fix is bundled in the same
commit as the first one because they're inter-related. Before this patch, writes to the stack using
registers containing a variable offset (as opposed to registers with fixed, known values) were not
properly contributing to the function's needed stack size. As a result, it was possible for a program to
verify, but then to attempt to read out-of-bounds data at runtime because a too small stack had been
allocated for it. Each function tracks the size of the stack it needs in bpf_subprog_info.stack_depth,
which is maintained by update_stack_depth(). For regular memory accesses, check_mem_access() was calling
update_state_depth() but it was passing in only the fixed part of the offset register, ignoring the
variable offset. This was incorrect; the minimum possible value of that register should be used instead.
This tracking is now fixed by centralizing the tracking of stack size in grow_stack_state(), and by
lifting the calls to grow_stack_state() to check_stack_access_within_bounds() as suggested by Andrii. The
code is now simpler and more convincingly tracks the correct maximum stack size.
check_stack_range_initialized() can now rely on enough stack having been allocated for the access; this
helps with the fix for the first issue. A few tests were changed to also check the stack depth
computation. The one that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.
(CVE-2023-52452)
- In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Resolves SECS reclaim vs.
page fault for EAUG race The SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an enclave and
set secs.epc_page to NULL. The SECS page is used for EAUG and ELDU in the SGX page fault handler. However,
the NULL check for secs.epc_page is only done for ELDU, not EAUG before being used. Fix this by doing the
same NULL check and reloading of the SECS page as needed for both EAUG and ELDU. The SECS page holds
global enclave metadata. It can only be reclaimed when there are no other enclave pages remaining. At that
point, virtually nothing can be done with the enclave until the SECS page is paged back in. An enclave can
not run nor generate page faults without a resident SECS page. But it is still possible for a #PF for a
non-SECS page to race with paging out the SECS page: when the last resident non-SECS page A triggers a #PF
in a non-resident page B, and then page A and the SECS both are paged out before the #PF on B is handled.
Hitting this bug requires that race triggered with a #PF for EAUG. Following is a trace when it happens.
BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: 0010:sgx_encl_eaug_page+0xc7/0x210
Call Trace: ? __kmem_cache_alloc_node+0x16a/0x440 ? xa_load+0x6e/0xa0 sgx_vma_fault+0x119/0x230
__do_fault+0x36/0x140 do_fault+0x12f/0x400 __handle_mm_fault+0x728/0x1110 handle_mm_fault+0x105/0x310
do_user_addr_fault+0x1ee/0x750 ? __this_cpu_preempt_check+0x13/0x20 exc_page_fault+0x76/0x180
asm_exc_page_fault+0x27/0x30 (CVE-2023-52568)
- In the Linux kernel, the following vulnerability has been resolved: powerpc/mm: Fix null-pointer
dereference in pgtable_cache_add kasprintf() returns a pointer to dynamically allocated memory which can
be NULL upon failure. Ensure the allocation was successful by checking the pointer validity.
(CVE-2023-52607)
- A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This
flaw allows a local user to cause an information leak problem while freeing the old quota file names
before a potential failure, leading to a use-after-free. (CVE-2024-0775)
- In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix null pointer
dereference in __sev_platform_shutdown_locked The SEV platform device can be shutdown with a null
psp_master, e.g., using DEBUG_TEST_DRIVER_REMOVE. Found using KASAN: [ 137.148210] ccp 0000:23:00.1:
enabling device (0000 -> 0002) [ 137.162647] ccp 0000:23:00.1: no command queues available [ 137.170598]
ccp 0000:23:00.1: sev enabled [ 137.174645] ccp 0000:23:00.1: psp enabled [ 137.178890] general protection
fault, probably for non-canonical address 0xdffffc000000001e: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
NOPTI [ 137.182693] KASAN: null-ptr-deref in range [0x00000000000000f0-0x00000000000000f7] [ 137.182693]
CPU: 93 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc1+ #311 [ 137.182693] RIP:
0010:__sev_platform_shutdown_locked+0x51/0x180 [ 137.182693] Code: 08 80 3c 08 00 0f 85 0e 01 00 00 48 8b
1d 67 b6 01 08 48 b8 00 00 00 00 00 fc ff df 48 8d bb f0 00 00 00 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85
fe 00 00 00 48 8b 9b f0 00 00 00 48 85 db 74 2c [ 137.182693] RSP: 0018:ffffc900000cf9b0 EFLAGS: 00010216
[ 137.182693] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 000000000000001e [ 137.182693] RDX:
0000000000000000 RSI: 0000000000000008 RDI: 00000000000000f0 [ 137.182693] RBP: ffffc900000cf9c8 R08:
0000000000000000 R09: fffffbfff58f5a66 [ 137.182693] R10: ffffc900000cf9c8 R11: ffffffffac7ad32f R12:
ffff8881e5052c28 [ 137.182693] R13: ffff8881e5052c28 R14: ffff8881758e43e8 R15: ffffffffac64abf8 [
137.182693] FS: 0000000000000000(0000) GS:ffff889de7000000(0000) knlGS:0000000000000000
[ 137.182693] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 137.182693] CR2: 0000000000000000 CR3: 0000001cf7c7e000 CR4: 0000000000350ef0
[ 137.182693] Call Trace:
[ 137.182693] <TASK>
[ 137.182693] ? show_regs+0x6c/0x80
[ 137.182693] ? __die_body+0x24/0x70
[ 137.182693] ? die_addr+0x4b/0x80
[ 137.182693] ? exc_general_protection+0x126/0x230
[ 137.182693] ? asm_exc_general_protection+0x2b/0x30
[ 137.182693] ? __sev_platform_shutdown_locked+0x51/0x180
[ 137.182693] sev_firmware_shutdown.isra.0+0x1e/0x80
[ 137.182693] sev_dev_destroy+0x49/0x100
[ 137.182693] psp_dev_destroy+0x47/0xb0
[ 137.182693] sp_destroy+0xbb/0x240
[ 137.182693] sp_pci_remove+0x45/0x60
[ 137.182693] pci_device_remove+0xaa/0x1d0
[ 137.182693] device_remove+0xc7/0x170
[ 137.182693] really_probe+0x374/0xbe0
[ 137.182693] ? srso_return_thunk+0x5/0x5f
[ 137.182693] __driver_probe_device+0x199/0x460
[ 137.182693] driver_probe_device+0x4e/0xd0
[ 137.182693] __driver_attach+0x191/0x3d0
[ 137.182693] ? __pfx___driver_attach+0x10/0x10
[ 137.182693] bus_for_each_dev+0x100/0x190
[ 137.182693] ? __pfx_bus_for_each_dev+0x10/0x10
[ 137.182693] ? __kasan_check_read+0x15/0x20
[ 137.182693] ? srso_return_thunk+0x5/0x5f
[ 137.182693] ? _raw_spin_unlock+0x27/0x50
[ 137.182693] driver_attach+0x41/0x60
[ 137.182693] bus_add_driver+0x2a8/0x580
[ 137.182693] driver_register+0x141/0x480
[ 137.182693] __pci_register_driver+0x1d6/0x2a0
[ 137.182693] ? srso_return_thunk+0x5/0x5f
[ 137.182693] ? esrt_sysfs_init+0x1cd/0x5d0
[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10
[ 137.182693] sp_pci_init+0x22/0x30
[ 137.182693] sp_mod_init+0x14/0x30
[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10
[ 137.182693] do_one_initcall+0xd1/0x470
[ 137.182693] ? __pfx_do_one_initcall+0x10/0x10
[ 137.182693] ? parameq+0x80/0xf0
[ 137.182693] ? srso_return_thunk+0x5/0x5f
[ 137.182693] ? __kmalloc+0x3b0/0x4e0
[ 137.182693] ? kernel_init_freeable+0x92d/0x1050
[ 137.182693] ? kasan_populate_vmalloc_pte+0x171/0x190
[ 137.182693] ? srso_return_thunk+0x5/0x5f
[ 137.182693] kernel_init_freeable+0xa64/0x1050
[ 137.182693] ? __pfx_kernel_init+0x10/0x10
[ 137.182693] kernel_init+0x24/0x160
[ 137.182693] ? __switch_to_asm+0x3e/0x70
[ 137.182693] ret_from_fork+0x40/0x80
[ 137.182693] ? __pfx_kernel_init+0x1 ---truncated---
(CVE-2024-26695)
Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-0500");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-3534");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vendor_unpatched", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/06");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:9");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libbpf");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
include('ksplice.inc');
# The check only runs when the scan policy enables "Unpatched Vulnerabilities Detection".
if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
# Gate on RHEL 9 or later; older releases are audited out rather than reported.
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '9')) audit(AUDIT_OS_NOT, 'Red Hat 9.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
# Architecture gate: substring/regex match on Host/cpu for the arches Red Hat ships packages for.
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
# One row per package: 'unpatched_pkg' is the name looked up in the rpm list, 'cves' is what gets reported with it.
var constraints = [
{
'pkgs': [
{'reference':'kernel', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'kernel', 'cves':['CVE-2019-16089', 'CVE-2021-3714', 'CVE-2021-3892', 'CVE-2021-4202', 'CVE-2021-45402', 'CVE-2022-0500', 'CVE-2022-1247', 'CVE-2022-2785', 'CVE-2022-2905', 'CVE-2022-3534', 'CVE-2022-3606', 'CVE-2022-3629', 'CVE-2022-3633', 'CVE-2022-24959', 'CVE-2022-26878', 'CVE-2022-26966', 'CVE-2023-0045', 'CVE-2023-2019', 'CVE-2023-2156', 'CVE-2023-52447', 'CVE-2023-52452', 'CVE-2023-52568', 'CVE-2024-0775', 'CVE-2024-26695']},
{'reference':'kernel-rt', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'kernel-rt', 'cves':['CVE-2021-3714', 'CVE-2021-45402', 'CVE-2022-0500', 'CVE-2022-1247', 'CVE-2022-2785', 'CVE-2022-2905', 'CVE-2022-3534', 'CVE-2022-3606', 'CVE-2022-3633', 'CVE-2022-24959', 'CVE-2022-26878', 'CVE-2022-26966', 'CVE-2023-2019', 'CVE-2023-2156', 'CVE-2023-52447', 'CVE-2023-52452', 'CVE-2023-52607', 'CVE-2024-0775', 'CVE-2024-26695']},
{'reference':'libbpf', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'libbpf', 'cves':['CVE-2022-3606']}
]
}
];
var flag = 0;
foreach var constraint_array ( constraints ) {
var repo_relative_urls = NULL;
var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
foreach var pkg ( constraint_array['pkgs'] ) {
var unpatched_pkg = NULL;
var _release = NULL;
var sp = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
# A package is flagged when it is installed at all: with no fixed build to compare against,
# presence in the rpm list is the finding (see the note in the description).
if (unpatched_pkg &&
_release &&
(!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
}
}
if (flag)
{
var extra = NULL;
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : unpatched_packages_report()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel / kernel-rt / libbpf');
}
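The check above runs three gates (release regex and RHEL 9+ test, architecture substring test, then a per-package presence test against the constraints table) and reports a hole if any listed package is installed. The following is an added example, not Tenable's code, that reproduces that decision logic offline in Python over an `rpm -qa`-style listing. The CVE lists are transcribed from the constraints table; the sample release string and rpm listing are constructed (package versions are illustrative only), and the helper names (`split_nvra`, `find_unpatched`, `evaluate`) are this example's own. As in the plugin, there is no version comparison: because no fixed build exists, an installed package is a finding.

```python
"""Offline model of this plugin's decision logic (added example, not Tenable's code)."""
import re

# CVE lists transcribed from the plugin's RHEL 9 constraints table.
UNPATCHED_CVES = {
    "kernel": ["CVE-2019-16089", "CVE-2021-3714", "CVE-2021-3892", "CVE-2021-4202", "CVE-2021-45402",
               "CVE-2022-0500", "CVE-2022-1247", "CVE-2022-2785", "CVE-2022-2905", "CVE-2022-3534",
               "CVE-2022-3606", "CVE-2022-3629", "CVE-2022-3633", "CVE-2022-24959", "CVE-2022-26878",
               "CVE-2022-26966", "CVE-2023-0045", "CVE-2023-2019", "CVE-2023-2156", "CVE-2023-52447",
               "CVE-2023-52452", "CVE-2023-52568", "CVE-2024-0775", "CVE-2024-26695"],
    "kernel-rt": ["CVE-2021-3714", "CVE-2021-45402", "CVE-2022-0500", "CVE-2022-1247", "CVE-2022-2785",
                  "CVE-2022-2905", "CVE-2022-3534", "CVE-2022-3606", "CVE-2022-3633", "CVE-2022-24959",
                  "CVE-2022-26878", "CVE-2022-26966", "CVE-2023-2019", "CVE-2023-2156", "CVE-2023-52447",
                  "CVE-2023-52452", "CVE-2023-52607", "CVE-2024-0775", "CVE-2024-26695"],
    "libbpf": ["CVE-2022-3606"],
}

# Same pattern the plugin applies to Host/RedHat/release.
RELEASE_RE = re.compile(r"Red Hat Enterprise Linux.*release ([0-9]+(?:\.[0-9]+)?)")

# Constructed sample input in `rpm -qa` form; versions are illustrative, not a claim about any build.
SAMPLE_OS_RELEASE = "Red Hat Enterprise Linux release 9.4 (Plow)"
SAMPLE_RPM_LIST = """\
bash-5.1.8-6.el9_1.x86_64
kernel-5.14.0-427.13.1.el9_4.x86_64
kernel-core-5.14.0-427.13.1.el9_4.x86_64
kernel-headers-5.14.0-427.13.1.el9_4.x86_64
libbpf-1.3.0-2.el9.x86_64
gpg-pubkey-fd431d51-4ae0493b
"""

def parse_rhel_version(os_release):
    m = RELEASE_RE.search(os_release)
    return m.group(1) if m else None

def is_rhel9_or_later(version):
    return int(version.split(".")[0]) >= 9

def arch_supported(cpu):
    # Mirrors the plugin's substring/regex gate on Host/cpu.
    return ("x86_64" in cpu or re.match(r"^i[3-6]86$", cpu) is not None
            or "s390" in cpu or "aarch64" in cpu or "ppc" in cpu)

def split_nvra(pkg):
    """'kernel-rt-5.14.0-427.13.1.el9_4.x86_64' -> ('kernel-rt', '5.14.0', '427.13.1.el9_4', 'x86_64').
    Splitting from the right keeps hyphenated names intact; arch-less entries such as
    gpg-pubkey-* do not fit the NVRA shape and yield None."""
    if "." not in pkg:
        return None
    rest, arch = pkg.rsplit(".", 1)
    parts = rest.rsplit("-", 2)
    if len(parts) != 3:
        return None
    return (parts[0], parts[1], parts[2], arch)

def find_unpatched(rpm_list):
    """Exact-name match only: kernel-core and kernel-headers are not 'kernel'.
    No version comparison, because there is no fixed build to compare against."""
    findings = {}
    for line in rpm_list.splitlines():
        line = line.strip()
        nvra = split_nvra(line)
        if nvra and nvra[0] in UNPATCHED_CVES:
            entry = findings.setdefault(nvra[0], {"installed": [], "cves": UNPATCHED_CVES[nvra[0]]})
            entry["installed"].append(line)
    return findings

def evaluate(os_release, cpu, rpm_list):
    """Returns ('hole', findings) or ('audit', reason), applying the gates in the plugin's order."""
    version = parse_rhel_version(os_release)
    if version is None:
        return ("audit", "could not determine Red Hat version")
    if not is_rhel9_or_later(version):
        return ("audit", "not Red Hat 9.x: " + version)
    if not arch_supported(cpu):
        return ("audit", "local checks not implemented for arch " + cpu)
    findings = find_unpatched(rpm_list)
    if findings:
        return ("hole", findings)
    return ("audit", "kernel / kernel-rt / libbpf not installed")

if __name__ == "__main__":
    status, result = evaluate(SAMPLE_OS_RELEASE, "x86_64", SAMPLE_RPM_LIST)
    if status == "hole":
        for name, entry in result.items():
            print(name, entry["installed"], len(entry["cves"]), "CVEs with no vendor fix")
    else:
        print("audit:", result)
```

On the constructed listing this flags `kernel` and `libbpf` but not `kernel-core` or `kernel-headers`, which is the behaviour to expect from the real plugin: the finding follows the package name, so a host on which only `kernel-rt` is installed is reported against the shorter kernel-rt CVE list, and removing the package, not upgrading it, is the only thing that clears the check.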
| Vendor | Product | Version | CPE |
|---|---|---|---|
| redhat | enterprise_linux | kernel | p-cpe:/a:redhat:enterprise_linux:kernel |
| redhat | enterprise_linux | kernel-rt | p-cpe:/a:redhat:enterprise_linux:kernel-rt |
| redhat | enterprise_linux | libbpf | p-cpe:/a:redhat:enterprise_linux:libbpf |
| redhat | enterprise_linux | 6 | cpe:/o:redhat:enterprise_linux:6 |
| redhat | enterprise_linux | 7 | cpe:/o:redhat:enterprise_linux:7 |
| redhat | enterprise_linux | 8 | cpe:/o:redhat:enterprise_linux:8 |
| redhat | enterprise_linux | 9 | cpe:/o:redhat:enterprise_linux:9 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16089
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3714
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3892
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4202
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45402
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0500
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1247
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24959
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26878
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26966
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2785
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2905
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3534
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3606
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3629
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3633
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0045
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2019
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2156
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52447
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52452
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52568
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52607
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0775
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26695